
NTblackhat.doc

NT Blackhat Paper by Neon-Lenz of The Cyrax Security Research Team

I've written this paper for people who are interested in penetrating NT servers for fun or for profit. I'm pretty honest concerning hacking and computer security: I, among "most" of the hackers out there, have started hacking whether for fun or for some sort of profit, whether meant for themselves or for the company they are working for. Sabotage plays the main role in those hacking attempts, which is not a new thing; lots of the DoS attacks which have damaged or downed servers are most of the time company rivals who have hired hackers to sabotage each other in order to gain more profit for themselves. I have written this paper because I wanted companies or hackers to be able to protect themselves from such attacks, or maybe even counter-attack the attackers. (But remember, do this at your own risk.)

---------------------------------------------------------------------------------------------------------------------------

Intro:
This document was written in a step-by-step manner in order to let the reader understand what an intruder would do in order to hack into your NT server, or maybe even DoS your NT server. Let's start with the first step an intruder would take in order to hack your NT server.

OS Fingerprint:
This is the first thing a hacker would do. To do this, simply telnet to port 80 or 21 and read the banner the service sends back. This requires some good brainwork from the hacker. It's very simple: for example, if you see IIS 4.0 running on port 80, the hacker automatically knows that it can't be a Solaris or Linux machine. And if you telnet to port 21 of a different machine and you see a ProFTPD 1.2.0pre server running, then you know that it can't be an NT server either. You should try to connect to a few standard services to see what kind of applications are running, since many of them are only used on one certain type of OS.

Another example would be noticing that ports 135, 137, 138 or 139 are open, which tells you that it's either Microsoft Windows NT/95/98 or maybe even Windows for Workgroups (3.11). (Although some Unix and Linux variants have Samba running, still, most of the computers out there listening on the ports I've mentioned are usually Microsoft machines.)

First Attack:
First of all we need to know which ports are open on a certain machine in order to penetrate it. If there are no ports open, you can't hack it. But since every computer on the internet or on a network needs ports (sockets) in order to let applications communicate with each other, there will eventually be ports open (opened by the applications) to make those kinds of connections. So get a portscanner like 7thSphere, UltraScan or CoreScan. One of the best canned hack tools is Ogre by the guys of rhino9. This does almost everything: a portscan, NetBIOS information gathering, net view, etc. So if you're a very lazy hacker, or you want to test a very good program in Windows :-), I would recommend you to get Ogre by Rhino9. It's available at http://security.ellicit.org/tools/ogre.zip

Note: The scanners mentioned above are for Windows 9x/NT. For *nix-based OSes I would recommend Fyodor's NMAP. People who want to know how it started with canned hack tools should look for Dan Farmer and Wietse Venema's SATAN scanner. I've noted this just in case people are going to e-mail me and ask me why I was recommending lame windoze programs instead of NMAP or any other elite *nix-based OS scanner. Remember, this document was meant to cover NT only.

2nd Note: I actually wrote this document some time ago, and I've re-read it. And I saw that I wrote that NMAP was only meant for UNIX. But that's not true anymore; you can now download NMAP for NT. So just to make sure I won't get any flames from anyone. :)

Second Attack:
The second attack would be to get the names of the applications listening on the open ports of the target machine. In order to do this, a telnet client would be enough. Telnet manually to every open port that you've found, and write down the name of the application. After that, surf to some big website on the internet which features a lot of exploits, advisories etc., and search for the names of the applications that you've found on the target machine. Get the desired exploit for the desired port running the certain application. It can be anything: exploits such as the one for IIS 4.0 (the webserver running on port 80), which can be exploited using eEye's buffer overflow, or maybe even ColdFusion if you have found out that they are running an older version of it (below 4.0) with the /cfdocs directory and the Expression Evaluator reachable over the internet, etc. You can get more info concerning the IIS 4.0 buffer overflow at http://www.technotronic.com/microsoft.html and you can get more info about the ColdFusion CGI vulnerability at http://www.l0pht.com

It's not necessarily the case that the hacker has to use exploits; he might try brute-forcing techniques using certain programs as well. There are programs out there which brute-force FTP servers, telnet daemons, HTTP authentication, etc. One of the programs which does this is called Brutus. You can get Brutus at: http://www.ducktank.net

Another way of gaining access to the server is through NetBIOS. This subject is fully explained in the document I've written called "Windows NT Security", which you can get at: http://packetstorm.securify.com/Win/NT/papers/NTsec.doc

DoS Attacks:
There are countless ways of doing DoS attacks. The currently popular DoS attack is called DDoS - Distributed Denial of Service. This is simply a program which acts like a trojan: it needs servers to be installed on infected computers called slaves. The master, which is the original attacker, sends out a packet with the command that tells the slaves (the infected computers) to flood the targeted computer. All the slaves that the master had infected will flood the targeted computer. In other words, all the computers which have the slave installed gather together to get a high amount of bandwidth in order to knock down the targeted victim. Attacks like these have knocked down websites like Yahoo, Amazon and eBay. DDoS is based on taking advantage of bandwidth; there are lots of other attacks which use the same concept as this one (except for using several computers to attack one). Search on the net for KoD, Ping of Death, IGMP, OOB (Out of Band), flooding, nuking, syn-flood, land, teardrop, smurfing etc.

Other kinds of DoS attacks are sometimes totally different. You have attacks which can be done against FTP servers by connecting to them and trying to get a non-existent directory called /con/con. This only affects Win95/98/SE computers. (CON is a reserved MS-DOS device name; on Win9x a path that nests the device name inside itself, con\con, makes the kernel fault as soon as anything tries to open it. NT parses device names differently, which is why only 9x falls over.) After that, numerous variations of this exploit have been released. One of them is called flog.c, which will knock off a Win95/98/SE webserver by issuing a GET request for /con/con. For more information concerning the /con/con exploit check: http://packetstorm.securify.com or http://ellicit.org/~neonlenz/advisories.html

Third Attack:
OK, you're in or you've downed the server, now what? It all depends on you. You can either steal the information if you are working for a company, or maybe even do damage by deleting all the accounts of the company including all data. You need to be sure that you have deleted everything, so in order to do that you might need the passwords of other accounts as well. So you will eventually look for passwords which are saved in the registry, or passwords of certain services which are being used like RAS, FrontPage, databases, etc. Other, more passive options you can take are placing sniffers, keyloggers, trojans etc. The options are endless once you're in. Just be smart and don't leave evidence which leads to getting busted.

OK, this is about the second part: you've downed the server, what will you do next? This also depends on the intruder. He might DoS the hell out of the server every time the computer is online again, or, if the hacker is not malicious, he would e-mail the webmaster or sysadmin about the problem. But if you're a blackhatter and reading this, I would assume you would do the first thing I've mentioned =)

NOTE: DoS-ing the remote computer wouldn't be of any use if it's not a big important computer like Yahoo or e-commerce sites like ZDNet or Amazon. The computer will come online again eventually, and doing frequent DoS attacks will alert the sysadmin or webmaster to suspicious attacks, and what happens then? The sysadmin will fix it, and the fun is over for you. So why bother with DoS if you can gain access? And if you can't gain access, you could try social engineering as well, which is mental hacking. More on social engineering can be found in The MHD (Modern Hacker's Desk Reference by rhino9).

This was Hacking Windows NT - Step by Step (NT Blackhat Paper). I hope you've enjoyed reading this. If that's not the case, you should read this paper over and over again for about 10000 times, and if it's still not enjoyable enough for you, then you should delete it from your hard disk, or encrypt it with PGP and send it to the FBI, telling them that you've tried all the techniques that were mentioned in this paper on the target called www.pentagon.gov, and they'll give you one hell of a good time! (Well, I'm sure that you will not be bored anymore!)

Greetings,
Neon-Lenz.
http://TheGovernment.com/Cyrax
Cyrax Security Research Team

P.S.: All the techniques and attacks described in this paper were real, so please do this all with caution and most of all with permission. Still, this paper should not be taken too seriously, because my intention was to put some humour value into it. Thanks for reading.
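The two manual steps the paper describes under OS Fingerprint and Second Attack (telnet to a port, read the banner to infer the OS, then write down the application name for every open port) can be scripted. The Python below is an added example written for this edition; it is not code from Neon-Lenz's paper or from any tool it names. The banner-to-OS table is an assumption built only from the paper's own examples (IIS means Windows, ProFTPD means Unix) plus its NetBIOS/RPC port rule, so treat it as a starting point, not a fingerprint database.

```python
import socket
from typing import Dict, Iterable, Optional, Sequence

# TCP ports the paper tells the reader to probe by hand with a telnet client.
# 137 and 138 are UDP services, so a TCP connect to them simply fails;
# 135 (RPC) and 139 (NetBIOS session) are the ones a TCP scan actually sees.
DEFAULT_PORTS: Sequence[int] = (21, 80, 135, 139)

# Assumed heuristic table (banner substring -> OS family), built from the
# paper's examples. Extend it from real scans before trusting it.
BANNER_HINTS: Dict[str, str] = {
    "microsoft-iis": "Windows NT",
    "microsoft ftp service": "Windows NT",
    "proftpd": "Unix/Linux",
}

NETBIOS_RPC_PORTS = {135, 137, 138, 139}


def grab_banner(host: str, port: int, timeout: float = 3.0) -> Optional[str]:
    """Connect to host:port and return whatever the service sends first.

    FTP and telnet daemons greet you on connect. An HTTP server says nothing
    until asked, so on port 80 we send a HEAD request and read the headers.
    Returns None when the port is closed or filtered, and "" when the port
    is open but silent (RPC on 135 and NetBIOS on 139 send no greeting).
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    with sock:
        sock.settimeout(timeout)
        try:
            if port in (80, 8080):
                request = "HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host
                sock.sendall(request.encode("ascii"))
            data = sock.recv(2048)
        except OSError:
            data = b""
    return data.decode("latin-1", "replace")


def application_name(port: int, raw: str) -> str:
    """Reduce a raw banner to the one line worth writing down.

    For HTTP that is the Server: header; for everything else the greeting
    line, e.g. '220 ProFTPD 1.2.0pre10 Server ...'.
    """
    lines = [ln.strip() for ln in raw.splitlines() if ln.strip()]
    if port in (80, 8080):
        for line in lines:
            if line.lower().startswith("server:"):
                return line.split(":", 1)[1].strip()
    return lines[0] if lines else ""


def guess_os(open_ports: Iterable[int], banners: Dict[int, str]) -> str:
    """Apply the paper's reasoning.

    A banner naming an OS-specific product settles the question. Failing
    that, open NetBIOS/RPC ports are a strong hint for Windows, with the
    paper's own caveat that a Samba box looks the same from outside.
    """
    for banner in banners.values():
        low = banner.lower()
        for needle, family in BANNER_HINTS.items():
            if needle in low:
                return family
    if NETBIOS_RPC_PORTS & set(open_ports):
        return "Windows (NetBIOS/RPC ports open; could also be Samba)"
    return "unknown"


def enumerate_services(host: str, ports: Iterable[int] = DEFAULT_PORTS) -> Dict[int, str]:
    """Banner-grab every port in `ports`; closed ports are left out of the map."""
    found: Dict[int, str] = {}
    for port in ports:
        raw = grab_banner(host, port)
        if raw is not None:
            found[port] = application_name(port, raw)
    return found


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    services = enumerate_services(target)
    for port, name in sorted(services.items()):
        print("%5d  %s" % (port, name))
    print("OS guess:", guess_os(services.keys(), services))
```

Run it as `python fingerprint.py <host>` against a machine you are authorised to test. The distinction between None (closed) and "" (open but silent) matters: a naive script that treats a read timeout as "closed" would throw away exactly the RPC and NetBIOS ports the paper says are the tell-tale sign of a Microsoft box.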
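The /con/con request described in the DoS section leaves a very recognisable trace in a web server's access log, so here is the defensive counterpart as an added example (not code from the paper, and not flog.c): a scanner over NCSA common-format log lines that flags any request whose path contains a reserved MS-DOS device name. The paper names only CON; extending the check to the rest of the reserved set (PRN, AUX, NUL, COM1-COM9, LPT1-LPT9), to names carrying an extension such as con.txt, and to percent-encoded spellings is a generalisation of my own. The log lines are constructed for the example.

```python
import re
from typing import Iterable, List, Tuple
from urllib.parse import unquote

# Reserved MS-DOS device names. The paper's attack uses CON; the rest of the
# set behaves the same way on Win9x (generalisation, not from the paper).
DEVICE_NAMES = {"con", "prn", "aux", "nul"}
DEVICE_NAMES |= {"com%d" % i for i in range(1, 10)}
DEVICE_NAMES |= {"lpt%d" % i for i in range(1, 10)}

# NCSA common log format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)


def is_device_path(path: str) -> bool:
    """True if any segment of the request path names a reserved device.

    Win9x resolves the name regardless of case, of any extension (con.txt is
    still CON) and of how the client encoded it on the wire, so all three are
    normalised before comparing. The query string never reaches the
    filesystem and is dropped first.
    """
    path = unquote(path.split("?", 1)[0]).replace("\\", "/")
    for segment in path.split("/"):
        base = segment.lower().split(".", 1)[0]
        if base in DEVICE_NAMES:
            return True
    return False


def find_device_requests(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, method, raw_path) for every line that hits a device name.

    Lines that do not parse as common log format are skipped rather than
    raising: a server that just crashed tends to leave a truncated last line.
    """
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\r\n"))
        if m is None:
            continue
        if is_device_path(m.group("path")):
            hits.append((m.group("ip"), m.group("method"), m.group("path")))
    return hits


# Constructed sample log (not a real capture): a plain /con/con probe, the
# same probe percent-encoded, an AUX hit hiding behind a .gif extension, and
# ordinary traffic that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2000:14:02:11 +0100] "GET /con/con HTTP/1.0" 200 0
10.0.0.5 - - [12/Mar/2000:14:02:15 +0100] "GET /index.html HTTP/1.0" 200 1422
10.0.0.9 - - [12/Mar/2000:14:03:01 +0100] "GET /images/aux.gif HTTP/1.0" 404 0
10.0.0.9 - - [12/Mar/2000:14:03:05 +0100] "HEAD /%63on/%63on HTTP/1.0" 500 0
10.0.0.7 - - [12/Mar/2000:14:04:00 +0100] "GET /contact.html HTTP/1.0" 200 3001
garbage line that does not parse
"""

if __name__ == "__main__":
    for ip, method, path in find_device_requests(SAMPLE_LOG.splitlines()):
        print("%-10s %-5s %s" % (ip, method, path))
```

Feed it a real log with `find_device_requests(open("access.log"))`. False positives are essentially free: a file literally named aux.gif cannot exist on a Windows host, so any request that resolves to a device name is either a probe or a client that will crash the server by accident. The same segment check applies to the FTP variant the paper mentions (a CWD to /con/con) if you run it over the FTP daemon's command log instead.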