Altminer

Getting administrative rights in Windows NT/XP

By: icanbe

First of all, remember that it is very easy to find the password of an NT machine. In this tutorial I will look at the different ways to gain administrative rights on an NT machine.
1. If you want administrative rights on an NT machine, the very first thing to do is check whether the administrator account is password protected. Windows normally does not show the administrator account on the logon screen, so boot the computer in safe mode; the logon screen will then show the administrator account. If the administrator account is not password protected, you can now log in as the administrator. Remember that this only works if the computer's administrator has not set a password for the administrator account, in other words, if the administrator is stupid!
2. Now let's see: what if the administrator has set a password? What are we going to do now? If we can log on to the machine with any other account, then what we are going to do is really simple. For this we will use a tool named SECHOLE.EXE, which will make you an administrator instantly. The first thing you have to do is get the required files, i.e. SECHOLE.EXE and ADMINDLL.DLL (I think you can get these files from http://www.ntsecurity.net). Copy the two files to any directory and run SECHOLE.EXE. After the file is run the system will crash, but the damage will already be done. Then simply reboot the system and you will find that all the non-admin users now belong to the Administrators group, which means you have admin rights now! Feels good, huh?
3. What if all the accounts are password protected and the guest account is disabled, but you have physical access to the machine? For this we will have to get the SAM file of that machine. (The SAM file is the file Windows uses to store the passwords of the accounts. It cannot be removed, copied, or altered because the file is in use all the time.) To do this we can either load another operating system, use a Linux boot disk, use a Windows 98 startup disk, or use NTFSDOS. If the victim's machine has an NTFS-formatted drive, Windows 98 or a Windows 98 startup disk will not be able to read it, so in such cases we use NTFSDOS and copy the SAM file to a FAT32 or FAT16 device. The SAM file is normally located in c:\windows\system32\config\sam or c:\windir\system32\config\sam. After copying the SAM file we need to find the passwords from the hashes in it. For this we will use LC4 (L0pht Crack 4; get it from http://www.l0pht.com). LC4 is quite good at getting passwords. It is better if I tell you how LC4 does it, so let me try. Windows uses LM and NTLM hashes to store the passwords. The LM hash is 112 bit and the NTLM hash is 128 bit, and both use one-way encryption algorithms. The LM hash is a very weak hash which was actually made by IBM: it divides the password into two halves of 7 characters each, hashes each half separately, and then attaches the two results together. You just import the SAM file into LC4 and it will brute-force the password. It will take time, but it is very reliable. You can also use CAIN NT VERSION for this purpose.
4. Now what if all the accounts are password protected and you don't have physical access to the machine? What are you going to do now? Well, we can still find the passwords, but first we need to find the IP address of the machine. How to find the IP address is up to you! There are a lot of tutorials on how to find the IP address of a machine and most of them are good, so read them if you don't know how. After finding the IP address, the first thing we have to do is find out whether the victim's system is alive. To do so, we will use Pinger (you can download it from http://www.packetstormsecurity.net). Suppose you try Pinger but the destination machine is blocking ICMP traffic, or a firewall is stopping you from sending ICMP traffic; then it won't be possible to ping the machine and check whether it is alive. In that case we can use NMAP and specify port 80 to check, as port 80 will most probably be open at your router or firewall, so the packets can still travel and check the destination machine. After finding out whether the system is alive, we need to find the user name of the administrator of the computer (because administrators normally change the name of their administrator account for security reasons). For this we will use DUMPSEC (get it from http://www.indianz.ch, a very cool site), a very nice tool. But before you use this tool you need to make a null session with the victim's machine. To make a null session, type the following command at the command prompt:
net use \\XXX.XXX.XXX.XXX\IPC$ "" /user:""
(XXX.XXX.XXX.XXX is the IP address of the victim.) If it is successful in making a null session, it will say "Command completed successfully".
Now use DUMPSEC and find the name of the administrator account.
After obtaining it, we will use another great tool to find the password of the administrator account: NAT (NetBIOS Auditing Tool). Below I will explain how to use NAT.
NAT requires 2 files as input before it can start its wonderful work. The first file contains the administrator's username and the second file contains a bunch of passwords, known as a dictionary file. The bigger the dictionary file, the higher the probability of getting the password. Below is the command to use NAT:
NAT -P Passlist.txt -U Userlist.txt XXX.XXX.XXX.XXX
Passlist.txt should contain all the passwords, Userlist.txt should contain the administrator's name, and the victim's IP goes in the XXX.XXX.XXX.XXX area. That's all! Now NAT will try every password in the file until it reaches the end of the file or finds the correct password.
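Seen from the target's side, the null session and the NAT run in step 4 leave a recognizable trail in the Security log when logon auditing is enabled. The following is an added example, not part of the original tutorial: it flags a burst of failed logons against one account from one address and notes whether that address also opened an anonymous session. It assumes the log was exported to a simple comma-separated form (a constructed format) and uses the Windows XP/2003 event IDs 540 (successful network logon) and 529 (logon failure).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs): time, event ID, account, source address.
SAMPLE_LOG = """\
2004-03-01 10:00:01,540,ANONYMOUS LOGON,192.0.2.10
2004-03-01 10:00:05,529,sysadm,192.0.2.10
2004-03-01 10:00:06,529,sysadm,192.0.2.10
2004-03-01 10:00:07,529,sysadm,192.0.2.10
2004-03-01 10:00:08,529,sysadm,192.0.2.10
2004-03-01 10:00:09,529,sysadm,192.0.2.10
2004-03-01 10:02:00,529,alice,192.0.2.55
2004-03-01 10:09:30,529,alice,192.0.2.55
"""

def find_guessing(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return (source, account, failures_in_window, null_session_seen) alerts."""
    failures = defaultdict(list)   # (source, account) -> times of failed logons
    null_sources = set()           # addresses that opened an anonymous session
    for line in log_text.strip().splitlines():
        stamp, event_id, account, source = line.split(",")
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if event_id == "540" and account == "ANONYMOUS LOGON":
            null_sources.add(source)
        elif event_id == "529":
            failures[(source, account)].append(when)

    alerts = []
    for (source, account), times in sorted(failures.items()):
        times.sort()
        start = best = 0
        # Sliding window: largest number of failures within `window`.
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((source, account, best, source in null_sources))
    return alerts

if __name__ == "__main__":
    for alert in find_guessing(SAMPLE_LOG):
        print(alert)
```

The two spaced-out failures for alice stay below the threshold, which is what keeps ordinary mistyped passwords from raising an alert.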
The end
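The LM weakness described in step 3, and the blank administrator password from step 1, can both be checked for on systems you administer. This is an added example, not from the original tutorial: it reads pwdump-style user:rid:LM:NT::: lines (an assumed input format) and reports which accounts still carry an LM hash. The sample lines and their non-empty hash values are constructed placeholders; the two constants are the well-known LM and NT hashes of an empty input.

```python
EMPTY_LM_HALF = "aad3b435b51404ee"              # LM hash of an empty 7-character half
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password

# Constructed pwdump-style lines; the non-empty hash values are made-up placeholders.
SAMPLE_DUMP = """\
Administrator:500:0123456789abcdef0f1e2d3c4b5a6978:00112233445566778899aabbccddeeff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
bob:1003:fedcba9876543210aad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
carol:1004:aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
"""

def audit_lm(dump_text):
    """Map each account name to a finding about its stored hashes."""
    findings = {}
    for line in dump_text.strip().splitlines():
        user, _rid, lm, nt = line.split(":")[:4]
        lm, nt = lm.lower(), nt.lower()
        second_half = lm[16:]   # hash of password characters 8 to 14
        if nt == EMPTY_NT:
            findings[user] = "blank password"
        elif lm == EMPTY_LM_HALF * 2:
            findings[user] = "no LM hash stored"
        elif second_half == EMPTY_LM_HALF:
            # The halves are hashed independently, so an empty second half
            # is visible without cracking anything.
            findings[user] = "LM hash stored, password is 7 characters or fewer"
        else:
            findings[user] = "LM hash stored, password is 8 to 14 characters"
    return findings

if __name__ == "__main__":
    for user, finding in audit_lm(SAMPLE_DUMP).items():
        print(f"{user}: {finding}")
```

Accounts reported with a stored LM hash keep it until their password is changed after the NoLMHash policy has been enabled.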
