Hacking a local network running win 2000 / XP

Hacking a local network running win 2000 / XP (by Rel4nium)

Local networks connected to the Internet are very widespread these days. Not a single school can do without
a LAN, and of course the most common OS running on a LAN is win 2000 / XP. I'll tell you how to hack
a network running Windows; for this I chose a small network (20 computers) in one of the computer
clubs. Note that I have access to a computer and to the network (for 20 hours :). Breaking into this network is easy, but the main goal
I set myself is to stay in the system afterwards.

[Theoretical hacking plan:

+ Reconnaissance of the computer
- presence of an antivirus (and whether it is updated)
- presence of a firewall
- IP address of the computer (you can see it, for example, on antichat.ru, ip.xss.ru)
- subnet detection (leader.ru)
+ Preparing the software
- choice of a RAT (remote administration tool)
| | | Identifying the packer, finding an unpacker, unpacking
| | | Finding a crypter (whose signature is not in the antivirus databases)
| | | Crypting the file
- additional techniques (crypted notepad)
+ Uploading the prepared files to a free hosting service
+ Finding the computer with the RAT installed and the bind shell listening
+ Using the information and resources of the hacked network.

First of all, let's see what software is installed to protect the network. It turned out to be Kaspersky and Dr.Web antivirus;
the antivirus databases were updated every day, so it was not possible to simply drop a trojan onto a machine.
There was no firewall :), which was very pleasing, because unwanted traffic is not cut and no ports are filtered, so
the task is slightly simplified.
So we know what is installed on the machines (an antivirus, and not on every machine). There are 3 users, 2 of which have
administrator rights, and the 3rd is a plain user without special rights.
Now we need to prepare for the hacking process. For this we need: a trojan (RAT), an analyzer, an unpacker and a crypter.
------ ------ ------
RAT is a remote administration tool (the trojan: a server part on the victim and a client for the attacker).
Analyzer - identifies which packer a program file is packed with (PEiD).
Unpacker - a program that unpacks a packed program file (for example, QUnpack).
Crypter - a program that crypts (encrypts) the code of a file so that the antivirus no longer recognizes it by signature.
------ ------ ------
As the RAT I'll take X control, because its server part is very small. Download the latest antivirus databases and scan
the server part, server.exe: it is detected by Kaspersky (KAV 5.0.156 with new databases). The task now is to
hide the trojan file from the antivirus. I'll look at the process of crypting the trojan against the antivirus in more detail, since it is
covered very little (and where it is covered, the method no longer works).

[Hiding:

- Determine what server.exe is packed with (using PEiD): it turns out to be UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
- in order to crypt the file it must first be unpacked; for unpacking we will use plain UPX itself (I have
1.25). We unpack it like this:
upx.exe -d server.exe
upx.exe - the UPX program
-d - the switch that tells UPX to decompress the file
server.exe - the file to unpack
The server was successfully unpacked... I checked again with PEiD: "Nothing found *". The size of the unpacked file was only 17 KB
(before it was 9.50 KB). We test the server part for operability (run the server).
At startup there are no errors; we look at the autostart entries and see Xflash, we look in the task manager and see xflash.exe,
we connect with the client and the connection succeeds, so the file is working and the decompression was successful. Now we remove
the server from autostart, kill its process and delete the file xflash.exe from
C:\WINDOWS\system32\. Or simply go to your client, open the System tab and click Delete
(after clicking this button, the server is removed both from autostart and from system32).
After the deletion, we try to crypt the unpacked server.exe.
- I tried a bunch of crypters, protectors and packers, but since their signatures are already in Kaspersky's databases
(if they were not, the crypting would have succeeded) they were either detected, or simply refused to run. But
nevertheless a crypter was found, from deNULL. The crypter is not very new, but apparently it is not in the databases and was not detected by Kaspersky.
Of course the file is crypted and is not detected by Kaspersky, but it still hangs in the process list and is visible in system32 (a friend sent me
an old version of the trojan which cannot be seen either in autostart, in the processes, or in system32); after
RAT version 1.3.5 appeared, I did the same operations with it, and it became invisible. The almost invisible trojan is ready.
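The packer check that PEiD does in the first step of the list above can be reproduced from the PE section table alone. The following is an added example, not code from the article and not PEiD's own logic: it parses the DOS header, COFF header, optional header and section headers of a PE32 file, reports the section the entry point falls in, and flags UPX by the UPX0/UPX1 section names UPX leaves behind (PEiD additionally matches byte signatures at the entry point, which this heuristic does not). The PE images it checks are constructed in memory for the demonstration; build_min_pe is a helper of this example and not a real server.exe.

```python
import struct

SECTION_HDR = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = "<HHIIIHH"             # IMAGE_FILE_HEADER, 20 bytes
OPT_HDR_SIZE = 224                # PE32 optional header


def build_min_pe(section_names, entry_rva):
    """Construct a minimal PE32 image in memory (constructed sample, not a
    real binary).  Only the fields the checker reads are meaningful."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_HDR, 0x14C, len(section_names), 0, 0, 0,
                       OPT_HDR_SIZE, 0x102)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    sections = b""
    rva = 0x1000
    for name in section_names:                   # one 0x1000-byte section each
        sections += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"),
                                0x1000, rva, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
        rva += 0x1000
    return dos + b"PE\0\0" + coff + bytes(opt) + sections


def parse_sections(data):
    """Return (entry_rva, [(name, virtual_address, virtual_size), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    first = opt + size_opt
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr = struct.unpack_from("<8sII", data, first + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize))
    return entry_rva, sections


def entry_section(entry_rva, sections):
    """Name of the section that contains the entry point, or None."""
    for name, vaddr, vsize in sections:
        if vaddr <= entry_rva < vaddr + max(vsize, 1):
            return name
    return None


def identify_packer(data):
    """PEiD-style verdict from section names and entry-point placement."""
    entry_rva, sections = parse_sections(data)
    names = [s[0] for s in sections]
    ep = entry_section(entry_rva, sections)
    if any(n.startswith("UPX") for n in names):
        return "UPX (sections %s, entry point in %s)" % (", ".join(names), ep)
    # Most packers put the unpacking stub, and so the entry point, in the last section
    if sections and ep == names[-1] and ep not in (".text", "CODE"):
        return "possibly packed (entry point in last section %s)" % ep
    return "Nothing found *"


if __name__ == "__main__":
    for label, names, ep in [("packed", ["UPX0", "UPX1", ".rsrc"], 0x2100),
                             ("unpacked", [".text", ".data", ".rsrc"], 0x1010)]:
        print("%-8s -> %s" % (label, identify_packer(build_min_pe(names, ep))))
```

To run it against a real file, pass open(path, "rb").read() to identify_packer. A packer that renames its sections will slip past the name check; the entry-point-in-last-section rule catches some of those, which is why the two heuristics are kept separate.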
Now it remains to think about how to install this trojan.

[Installing the trojan:

] Vulnerabilities in IE (for example, the ANI exploit), but that is caught by Kaspersky, so this option is out.
] Vulnerabilities in RPC DCOM and others (kaht2, RPC GUI v2 - r3L4x, smallsoft LSA) are not bad: the hack can be done
remotely, and the trojan file downloaded and run over ftp.
] Simply upload the file to a free hosting service such as www.webfile.ru and, sitting at the machine pretending to be a lamer, download and run the trojan file. This option
may even be the best one, because to use the exploits you need to know the computer's IP on the network, plus open an ftp,
download the file... it takes a long time, so I'll settle on option 3.
Now everything is ready for hacking the network, but in order to be sure of a foothold in the system (since who knows, the crypter's
signature may soon end up in the antivirus database) I want to use the method described by proteus in his article
("The ideal way to spread the 'evil' code"). What file, do you think, would nobody think of deleting from the system?
It could be notepad, the calculator... everything is limited only by your imagination. We do everything as
proteus wrote; in the download section there is an appendix to the article in the form of a multi-threaded binder + the data section torn from
it with LordPE (ngh.void.ru/soft/d/bind.rar)

[Finding the computer on the network after hacking:

Finding the hacked machine on the network is simple: first go to www.leader.ru and look up all the computers on the network.
After replacing the notepad file and installing the server part of the trojan, the computer can be found by scanning all the addresses in
this subnet (we take the IP of any computer on the network and look it up on leader.ru)

General Information
Hostname
Namehost.ru < host name
IP
195.19.???.??? < IP address (the one we are checking)
Preferable MX
Mail.server.ru < mail server

Network Information
Name
Name < name
Address Range
193.18.166.32 - 193.18.166.79 < this is what interests us!
Owner
Name, etc.
Location:
Rick, 50a, REd street, postal code, city, country
Contact Information
Name, surname, telephone number, etc.

Domain Information
Name
Name.ru < site address
Owner
RED < owner's name
Name Servers
Ns.1.ru, ns.1.ru
Status
REGISTERED, DELEGATED

Leader's Whois module v 4.0 (C) by Alexander K. Yezhov,
[email protected]

In my case the range is 193.18.166.32 - 193.18.166.79; now it only remains to scan it for an open port 4444 (the
bind shell built into some inconspicuous file listens on this port)
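The chain described above, from the whois "Address Range" line to a sweep of the range for the listening port, as an added example (not code from the article): it parses the range out of leader.ru-style output, expands it to individual addresses, and probes each one with a plain TCP connect on port 4444. The whois excerpt and the "network" in demo() are constructed for the demonstration; tcp_probe is what you would pass in for a real sweep, while the default demo uses a fake probe so the script runs offline without touching any host.

```python
import ipaddress
import re
import socket
from concurrent.futures import ThreadPoolExecutor

RANGE_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed excerpt of leader.ru-style whois output (not a real lookup)
SAMPLE_WHOIS = """\
Network Information
Name
Name
Address Range
193.18.166.32 - 193.18.166.79
Owner
Name, etc.
"""


def parse_address_range(whois_text):
    """Return (first, last) from the line following 'Address Range'."""
    lines = whois_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == "Address Range" and i + 1 < len(lines):
            m = RANGE_RE.search(lines[i + 1])
            if m:
                return m.group(1), m.group(2)
    raise ValueError("no Address Range in whois output")


def expand_range(first, last):
    """Every IPv4 address from first to last inclusive, as strings."""
    a, b = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    if b < a:
        raise ValueError("range end precedes start")
    return [str(ipaddress.IPv4Address(n)) for n in range(a, b + 1)]


def tcp_probe(host, port, timeout=1.0):
    """Real probe: a plain TCP connect.  True if something accepts on the port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def sweep(hosts, port, probe=tcp_probe, workers=32):
    """Hosts (in address order) on which `probe` reports `port` open."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        hits = list(pool.map(lambda h: probe(h, port), hosts))
    return [h for h, up in zip(hosts, hits) if up]


def demo():
    """Run the whole chain against a simulated network instead of the wire."""
    first, last = parse_address_range(SAMPLE_WHOIS)
    hosts = expand_range(first, last)
    listeners = {("193.18.166.54", 4444)}           # constructed: one bind shell
    fake_probe = lambda h, p, timeout=1.0: (h, p) in listeners
    return sweep(hosts, 4444, probe=fake_probe)


if __name__ == "__main__":
    print("hosts with 4444 open:", demo())
```

A connect scan like this is exactly what a host firewall logs, which is the point the Protection section makes: every probed address that runs one will record the attempt.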


[Breaking:
It's simple: you go into the room with the local network you're breaking into, sit down for an hour "to chat" :), download the uploaded files from
www.webfile.ru, that is the crypted server part of the trojan and the "slightly modified" notepad. Run the trojan file, replace notepad with
the new file. And with a calm soul, after sitting out your time you go home, connect to the local network (how to find out the IP is described above)
and use the compromised machine for your own purposes.

[Protection
Protecting yourself from this hack is very simple; you just need to cut off the main paths for the intruder. Updating the antivirus database every
day is not a panacea, so a firewall (I advise Agnitum Outpost Firewall) is what you need. The firewall makes
the operations described above difficult and writes everything that happens to a log. So hacking with an exploit, for example for RPC, no longer gets through, because
that port is filtered by the firewall; downloading a file through a bug in IE is also blocked; plus the firewall has a stealth mode
(in which the computer, as it were, is not on the Internet: it does not respond to ping, etc.). Local network administrators have of course heard
that such a firewall exists; I do not know what stops them from using it (maybe there is no money for the license and they don't know what a crack is :) or
it is just the natural laziness of the administrator. But if a firewall were installed, there would be
far fewer problems in the future than without one.
If you really do not want to download, install and configure a firewall (although it can be done in 5 minutes), there is
an alternative: just install the patches, both for RPC and for the other Windows bugs. How much do you think
all these patches weigh, and how many are there in total? According to the results of an XSpider scan, you need to install SP2 (SP2 is a set of
patches + some kind of "firewall"); if you do not install it, you need to install about 13 - 14 patches (for remote
command execution, buffer overflows). One patch is more than 5-6 MB (the firewall weighs 5 MB) and installing them takes longer than
5 min => install Outpost and everything will be fine.

Requirements for keeping the local network secure:
- update the antivirus at least once a week
- install a firewall, track its logs and the open ports
- install patches (for serious vulnerabilities that a firewall will not save you from)
- user rights (and the administrator password should not be just digits :)
- look after the users, or install a monitoring program with which you can see what a user is doing on the PC
at any given moment.
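The "track the open ports" item above is the check that would have caught this intrusion: a bind shell on 4444 and a "notepad" with a network connection both show up in `netstat -ano`. The following is an added example, not code from the article: it parses netstat output, joins it with a PID-to-image map (what `tasklist` gives you), and flags listeners that are not in the baseline, known ports owned by the wrong process, and connections from programs that should never touch the network. The netstat text, the PID map, the baseline of expected listeners and the list of no-network programs are all constructed assumptions for a stock Windows 2000/XP box, not data from the article.

```python
# Constructed `netstat -ano` output from a Windows XP machine (sample data, not a capture)
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1644
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1032
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:1048      193.18.166.77:4444     ESTABLISHED     1644
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed PID -> image-name map (what `tasklist` would show for the same moment)
SAMPLE_TASKLIST = {4: "System", 912: "svchost.exe", 1032: "alg.exe", 1644: "notepad.exe"}

# Assumed baseline for a stock Windows 2000/XP box: port -> processes allowed to own it
EXPECTED_LISTENERS = {
    135: {"svchost.exe"}, 137: {"System"}, 139: {"System"}, 445: {"System"},
    1025: {"alg.exe"},
}
# Programs that should never have a network connection at all (assumption)
NO_NETWORK_IMAGES = {"notepad.exe", "calc.exe"}


def parse_netstat(text):
    """Turn `netstat -ano` lines into dicts; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue
        addr, port = f[1].rsplit(":", 1)
        entries.append({
            "proto": f[0], "addr": addr, "port": int(port), "foreign": f[2],
            "state": f[3] if len(f) == 5 else "",   # UDP rows have no State column
            "pid": int(f[-1]),
        })
    return entries


def audit(entries, pid_to_image, expected=EXPECTED_LISTENERS, no_net=NO_NETWORK_IMAGES):
    """Return (kind, detail, image, pid) findings for anything outside the baseline."""
    findings = []
    for e in entries:
        image = pid_to_image.get(e["pid"], "<unknown>")
        listening = e["proto"] == "UDP" or e["state"] == "LISTENING"
        if listening:
            if e["port"] not in expected:
                findings.append(("unexpected listener", e["port"], image, e["pid"]))
            elif image not in expected[e["port"]]:
                findings.append(("unexpected owner of known port", e["port"], image, e["pid"]))
        elif image in no_net:
            findings.append(("connection from a non-network program", e["foreign"], image, e["pid"]))
    return findings


if __name__ == "__main__":
    for kind, detail, image, pid in audit(parse_netstat(SAMPLE_NETSTAT), SAMPLE_TASKLIST):
        print("%-40s %-22s %s (pid %d)" % (kind, detail, image, pid))
```

On a live machine, feed the function the text of `netstat -ano` and a PID map built from `tasklist`; the baseline dictionary is the part you must write for your own network, since a port that is normal on one box is a finding on another.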