Blog ini non-partisan dan terbuka kepada semua tanpa mengira fahaman politik. Emel atau MMS ucapan / rayuan / keluhan / pengumuman anda ke tamanperpaduan.terusblog@blogger.com untuk tulisan anda tersiar di blog ini serta merta. Gambar juga boleh disertakan dan tertakluk kepada syarat.
Posting tidak sepatutnya akan dinyahsiarkan.

Ahad, 28 Januari 2024

Hacking Windows 95, Part 2

In the Hacking Windows 95, part 1 blog post, we covered that through a nasty bug affecting Windows 95/98/ME, the share password can be guessed in no time. In this article, I'm going to try to use this vulnerability to achieve remote code execution (with the help of publicly available tools only).

The first thing we can do when we have read access to the Windows directory through the share, is to locate all the *.pwl files on the c:\windows directory, copy them to your machine where Cain is installed, switch to Cracker tab, pwl files, load the pwl file, add username based on the filename, and try to crack it. If you can't crack it you might still try to add a .pwl file where you already know the password in the remote windows directory. Although this is a fun post-exploitation task, but still, no remote code execution. These passwords are useless without physical access.


One might think that after having a share password and user password, it is easy to achieve remote code execution. The problem is:
  • there is no "at" command (available since Windows 95 plus!)
  • there is no admin share
  • there is no RPC
  • there is no named pipes
  • there is no remote registry
  • there is no remote service management
If you think about security best practices, disabling unnecessary services is always the first task you should do. Because Windows 95 lacks all of these services, it is pretty much secure!

During my quest for a tool to hack Windows 95, I came across some pretty cool stuff:
LanSpy

But the best of the best is Fluxay, which has been written by chinese hackers. It is the metasploit from the year 2000. A screenshot is worth more than a 1000 words. 4 screenshot > 4 thousand words :)





It is pretty hard to find the installer, but it is still out there!

But at the end, no remote code execution for me.

My idea here was that if I can find a file which executes regularly (on a scheduled basis), I can change that executable to my backdoor and I'm done. Although there is no scheduler in the default Windows 95, I gave it a try. 

Let's fire up taskman.exe to get an idea what processes are running:


Looks like we need a more powerful tool here, namely Process Explorer. Let's try to download this from oldapps.com:


LOL, IE3 hangs, can't render the page. Copying files to the Win95 VM is not that simple, because there are no shared folders in Win95 VM. And you can't use pendrives either, Win95 can't handle USB (at least the retail version). After downloading the application with a newer browser from oldapps, let's start Process Explorer on the test Windows 95.


Don't try to download the Winsocks 2 patch from the official MS site, it is not there anymore, but you can download it from other sites

Now let's look at the processes running:


After staring it for minutes, turned out it is constant, no new processes appeared.
Looking at the next screenshot, one can notice this OS was not running a lot of background processes ...


My current Win7 has 1181 threads and 84 processes running, no wonder it is slow as hell :)

We have at least the following options:
  1. You are lucky and not the plain Windows 95 is installed, but Windows 95 Plus! The main difference here is that Windows 95 Plus! has built-in scheduler, especially the "at" command. Just overwrite a file which is scheduled to execution, and wait. Mission accomplished!
  2. Ping of death - you can crash the machine (no BSOD, just crash) with long (over 65535 bytes) ICMP ping commands, and wait for someone to reboot it. Just don't forget to put your backdoor on the share and add it to autoexec.bat before crashing it. 
  3. If your target is a plain Windows 95, I believe you are out of luck. No at command, no named pipes, no admin share, nothing. Meybe you can try to fuzz port 137 138 139, and write an exploit for those. Might be even Ping of Death is exploitable?
Let's do the first option, and hack Windows 95 plus!
Look at the cool features we have by installing Win95 Plus!


Cool new boot splash screen!


But our main interest is the new, scheduled tasks!


Now we can replace diskalm.exe with our backdoor executable, and wait maximum one hour to be scheduled.

Instead of a boring text based tutorial, I created a YouTube video for you. Based on the feedbacks on my previous tutorialz, it turned out I'm way too old, and can't do interesting tutorials. That's why I analyzed the cool skiddie videoz, and found that I have to do the followings so my vidz won't suck anymore:
  • use cool black windows theme
  • put meaningless performance monitor gadgets on the sidebar
  • use a cool background, something related with hacking and skullz
  • do as many opsec fails as possible
  • instead of captions, use notepad with spelling errorz
  • there is only one rule of metal: Play it fuckin' loud!!!!
More information
  1. Hacking Tools For Kali Linux
  2. Hack Tools For Ubuntu
  3. Android Hack Tools Github
  4. How To Make Hacking Tools
  5. How To Install Pentest Tools In Ubuntu
  6. Pentest Tools
  7. Github Hacking Tools
  8. Hacking Tools Windows
  9. Hack Rom Tools
  10. Tools For Hacker
  11. Pentest Tools Nmap
  12. Free Pentest Tools For Windows
  13. Hack Rom Tools
  14. Hacking Tools Software
  15. Bluetooth Hacking Tools Kali
  16. Pentest Box Tools Download
  17. Black Hat Hacker Tools
  18. Hacking Tools Free Download
  19. Github Hacking Tools
  20. Hacking Tools And Software
  21. Hacking Tools For Kali Linux
  22. How To Make Hacking Tools
  23. Best Hacking Tools 2020
  24. Hacker Tools
  25. Blackhat Hacker Tools
  26. Pentest Tools Nmap
  27. Hacking Tools
  28. Hacker Tools Mac
  29. Pentest Tools Nmap
  30. Hack Tools Github
  31. How To Install Pentest Tools In Ubuntu
  32. Bluetooth Hacking Tools Kali
  33. Hacker Tools For Windows
  34. Hacking Tools For Pc
  35. How To Hack
  36. Hacker Tools For Pc
  37. Hacking Tools For Windows
  38. Blackhat Hacker Tools
  39. Growth Hacker Tools
  40. Pentest Recon Tools
  41. Bluetooth Hacking Tools Kali
  42. Growth Hacker Tools
  43. Hacker Security Tools
  44. Hack Tools Mac
  45. Hack Rom Tools
  46. Hack Tools For Ubuntu
  47. Hack Tool Apk
  48. Hacker Tools 2019
  49. How To Install Pentest Tools In Ubuntu
  50. Pentest Recon Tools
  51. Hack Tool Apk
  52. Termux Hacking Tools 2019
  53. Hacking Tools Free Download
  54. Pentest Tools Free
  55. Hacker Tools Free
  56. Hacking Tools For Mac
  57. Hack Tools For Games
  58. Hacking Tools Hardware
  59. Hacking Tools Hardware
  60. Best Hacking Tools 2020
  61. Hacker Search Tools
  62. Top Pentest Tools
  63. Hacking Tools For Windows 7
  64. Hacker Tools Online
  65. Pentest Reporting Tools
  66. Pentest Box Tools Download
  67. Hacking Tools Windows
  68. Pentest Tools Website
  69. Hacker Tools 2020
  70. Hacker Techniques Tools And Incident Handling
  71. Hacker Tools For Pc
  72. Hacking Tools For Windows Free Download
  73. Hacking Tools For Kali Linux
  74. Hacking Tools Mac
  75. Hack Tools Download
  76. Nsa Hack Tools
  77. Hacking Tools For Windows
  78. Pentest Tools Tcp Port Scanner
  79. Hack Rom Tools
  80. Hacker Tools
  81. Hacker Tools Apk Download
  82. Hacker Tools For Pc
  83. Hacking Tools For Beginners
  84. Pentest Tools Windows
  85. Hacker Tools 2020
  86. Hacker Tools For Pc
  87. Hacker Security Tools
  88. Hack Tool Apk No Root
  89. Hacking Tools For Windows 7
  90. Pentest Tools Url Fuzzer
  91. New Hacker Tools
  92. New Hack Tools
  93. Hacker Search Tools
  94. Nsa Hacker Tools
  95. Growth Hacker Tools
  96. Hacking Tools Online
  97. Pentest Tools Port Scanner
  98. Hacking Tools For Pc
  99. Hacking Tools 2019
  100. Hacker Tools
  101. Hacking Tools Free Download
  102. Beginner Hacker Tools
  103. Hacker Tools Github
  104. Usb Pentest Tools
  105. Kik Hack Tools
  106. Hacking Tools Usb
  107. Pentest Tools Find Subdomains
  108. Hacker Security Tools
  109. Best Hacking Tools 2020
  110. Hacker Tools Free Download
  111. Pentest Tools Free
  112. Nsa Hacker Tools
  113. World No 1 Hacker Software
  114. Hacker Tool Kit
  115. Pentest Tools Port Scanner
  116. Hacker Tools List
  117. Beginner Hacker Tools
  118. Physical Pentest Tools
  119. Physical Pentest Tools
  120. Pentest Tools Subdomain
  121. Computer Hacker
  122. Hacker Security Tools
  123. Easy Hack Tools
  124. Hacker Tools Free Download
  125. Hack Tools Online
  126. How To Hack
  127. Hack Tools For Windows
  128. Pentest Tools Open Source
Disiarkan di Masyarakat Taman Perpaduan jam 4:06 PTG

Tiada ulasan:

Catat Ulasan

Langgan: Catat Ulasan (Atom)