WINDOWS HACKING

NetBIOS

NetBIOS stands for Network Basic Input Output System. It allows your LAN or WAN to share drives, folders, files and printers. Gaining access to a computer through NetBIOS is very simple and easy. The only thing required is for the target machine to have file and printer sharing enabled and to have port 139 open. Below I will show you an example of what a hacker would do to gain access to a Windows machine through NetBIOS.

1. First the hacker would search for a target. A common tool used by hackers is Angry IP Scanner . Download and install it.
2. Next the hacker would insert the IP range he would like to scan. If the hacker was connected to a WLAN (Wireless Local Area Network) he would scan the local computers like I have shown below.

3. Since the hacker’s goal is to gain access to a system through NetBIOS, which runs on port 139, he will choose to scan each found host for that port. Click the downward arrow on the right and check the Scan ports box. A popup will come up asking you if you would like to select a new port. Click YES.

4. Type in the port number 139 into the first box and click OK.

5. Click start. The program will begin scanning and when it’s complete a box with the results will come up.

6. As you can see 224 Ips were scanned. Out of those only one was alive and luckily it has port 139 open.  

7. Open the Command Prompt by going to Start -> Run -> Type in cmd -> <ENTER> .
8. Now the hacker would run the “nbtstat –a TargetIPaddress” this will tell us if the target has file and printing enabled. Without it, this attack is not possible.

9. In the above image DAVIDS-MACHINE is the name of the target computer. If you look to the right of it you will see the number <20>. This means that file and printer sharing is enabled. If there was no <20> then you could not go any further and would have to find a new target.
10. Next the hacker would run the command “net view \\TargetIPaddress”. This command will display any shared drives, folders, files or printers. If nothing comes up, you won’t be able to gain access to anything since there is nothing being shared. In my case, I got the following:

11. In my example, I have two printers shared and one disk named SharedDocs. The hacker would be able to take control of my printers and view everything in my SharedDocs disk.
12. To gain access to my SharedDocs disk, the hacker would have to map out the drive onto his computer. If successful, the hacker will have all the contents of my drive on his computer.
13. To map out my drive onto his computer the hacker would use the command “net use G: \\TargetIPaddress\DriveName”. So in my case I would run the command “net use G:\\192.168.1.101\SharedDocs”. You can use any letter in place of G:\\. This just tells the computer what to name the drive on your computer.

14. What’s this? Looks like I already have a drive G. To avoid this problem, go to My Computer where it will show all of your current Drives. To fix this simply change the letter G to a nonexistent drive letter.
15. Once the command is completed successfully, go to My Computer and you should see a new drive under Network Drives. Double clicking it brings up all of the targets documents.

Cracking Windows Passwords

To crack Windows XP and Windows Vista passwords, we will use the program called ophcrack. Ophcrack is a Windows only password cracker, and it uses rainbow tables to get the job done quickly. It cracks passwords for both Windows XP and Vista but it is more powerful on XP because Vista fixed the security hole that allowed XP to crack passwords easily. Windows uses a couple a couple types of hashes. One of them is the LM (Lan Manager) hash. If a password is longer than seven characters, then it is split into seven character chunks, made into all uppercase, and then hashed with the DES encryption. Because it is split into parts and made all uppercase, the total number of different password combinations goes down significantly, and makes it easier for hackers to crack the password. The Windows password hashes are stored in a couple places:

• In the C:\WINDOWS\system32\config directory where it is locked to all accounts but the system account which you don’t have access to.
• In the registry: HKEY_LOCAL_MACHINESAM where it is also locked for all users.

So you might be wondering, how can I get a copy of those hashes? There are a couple ways.

• Boot from a Linux live CD and copy the SAM file onto a USB or floppy disk.
• Use the PWDUMP program that comes with ophcrack to trick the registry into giving up the hashes.

1. First download and install ophcrack. As you can see there are two versions. In this example we will be using the program itself in windows, so download the first option.

2. Once you have it downloaded, install it. When the option comes up to download rainbow tables, unclick them all and just install the program. It is better to download the rainbow tables separately.

3. Once it is installed, go to the ophcrack website and click on Tables in the navigation. This will display all the tables you can download. As you can see, the more characters covered, the bigger the table gets. Choose the correct table for your operating system.

4. In the example, I chose the largest possible free table. Next run ophcrack and click on tables. Select the table you downloaded and click Install to locate the file on your computer. Hit OK to continue.

5. Next we will be running PWDUMP to obtain the password hashes. Make sure all of your anti-virus and anti-spyware programs are disabled because most anti-virus programs mistake PWDUMP for a malicious program since it accesses the system files. If you don’t disable the antivirus program PWDUMP will fail in retrieving the hashes.
6. Click Load and select Local SAM. This will load all the password hashes for all the users on your computer and display them.

7. Next click Crack and the program will begin to crack the password hashes.
8. Once the program finishes cracking, you should see a screen similar to the following:

9. As you can see, two out of three of my account passwords were cracked in a matter of a couple minutes.
• Bob : lolcats
• David M: not found
• Pushkin: Christmas02

Ophcrack LiveCD

The next method to crack the Windows hashes I will show you is through an ophcrack LiveCD.  

1. Go to the ophcrack website and choose the correct operating system LiveCD to download.
2. With the downloaded .ISO, create a LiveCD the same way you did with the Ubuntu LiveCD in the Linux chapter.
3. Put the CD in your CD-Drive and restart to boot from the CD.
4. You will see the following screen:

5. Hit <ENTER> or wait six seconds to boot into the Ophcrack Graphic mode. If something goes wrong and the screen won’t show the Graphics, restart and go into the Ophcrack Graphic VESA mode. If this also fails, go into Ophcrack Text mode.
6. Once it ophcrack loads completely, it will automatically get your Windows password hashes and begin the cracking process.

Countermeasures

There are a couple things you can do to prevent NetBIOS and Ophcrack password cracking attacks.

1. To keep computer from being a target of NetBIOS attacks, simply disable file and printer sharing. In Windows Vista, it is disabled by default but you must do a little work in Windows XP.

• Go to Start -> Control Panel -> Network Connections.
• Double click on your active connection. In my case it is the Wireless Network Connection 2.
• Click on Properties.
• If File and Printer Sharing is selected, deselect it and click OK.