Wednesday, October 13, 2010

How to hack a LAN PC

In this short tutorial I am going to tell you how to hack a PC on a Local Area Network. Every time we use the Internet in an office, school or Wi-Fi spot, we are connected to a series of computers on the same netmask under a single gateway. The process of interconnecting these computers is called local networking, and the resulting network is called a Local Area Network (LAN). On a local network we can share files, folders, printers or a local web server.

Suppose we are using a PC named "Attacker PC" with the IP 192.168.0.4. If we navigate to the Network and Sharing Center in the Windows Control Panel, we can see a few other computer names that are connected to our LAN, but this is not the appropriate method to see the users connected to our network: if a user has turned off Network Discovery or has chosen Private Network instead of Home Network, his PC name will not show up in the Network and Sharing Center. So to discover the alive hosts connected to our network we use a simple TCP/IP scanner; there are hundreds of free IP scanners available on the Internet, such as Angry IP Scanner, Nmap etc.
Suppose we scanned our Local Area Network and found 4 hosts alive. We aren't interested in all four hosts; rather, we are interested in hacking cutie Lisa's computer, but at this point we don't know the IP address of Lisa's PC, so we use the cool feature in Angry IP Scanner that resolves PC names. After resolving the host names of all four computers we find a computer named "PC LISA", which must be Lisa's PC and has the IP 192.168.0.8.

1.1 Sniffing Remote Connections

Sniffing is the method in which you spy on all the flowing network packets and analyze the network traffic; the software or hardware that logs the flowing packets and data streams is called a sniffer. Sniffers are also known as packet analyzers or network and protocol analyzers. Sniffers are a handy tool for network administrators to keep workers under control by analyzing their Internet activities, but hackers use these tools to steal data flowing across the network: by keeping sniffers in promiscuous mode hackers can capture all the packets transmitted through the network and analyze their contents. Sniffers can log email usernames and passwords, cPanel passwords, bank passwords etc. Some famous sniffing programs are Cain and Abel, Ettercap, Wireshark, Ethereal etc. These programs are available to download on the Internet, and all of them are freeware.

How can these sniffers help me in hacking Lisa's PC?
Well, we are not only interested in hacking Lisa's PC, but also curious to know her Internet activities, like what sites she often visits etc., so we use the tool called Cain and Abel from Oxid.it, which has several good features like sniffing, ARP poisoning, MITM, hash cracking (dictionary + rainbow table), Windows NTLM password cracking etc.
Read this PDF to know more about Cain and Abel:

[PDF] How to Sniff Passwords in Cain and Abel, from paranoid; download the PDF here

Well, we have monitored a few sites that Lisa visits, and maybe we got usernames and passwords for some sites, but we have a problem hacking Lisa's Hotmail, Yahoo, Facebook etc., and that is because Cain and Abel doesn't sniff packets sent over SSL. But don't worry, this is not the end of the world: we can still sniff SSL packets by using some other tools. The best tools I would recommend are Wireshark, Ettercap and SSLstrip. Wireshark outputs a bunch of logs that a newbie would find hard to understand, while Ettercap, one of the best and my favourite tool, has a bunch of features and plugins and, unlike Cain, is also available for Unix systems. To learn how to use Ettercap I would recommend you all to watch the Ettercap video from Infinityexists.com:
http://infinityexists.com/2008/08/03/epi...0-ettercap

Hope you have now learned something about sniffing the local network, and if you have followed the Infinityexists tutorial I bet you know how to DDoS the remote user and isolate him from the network etc.
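The ARP poisoning and MITM features mentioned above leave a visible trace on the wire: the gateway's IP suddenly being announced with a different MAC, and one MAC claiming both the gateway's and the victim's address. The detector below is an added example, not code from this post or from any of the tools it names; it parses constructed ARP replies in tcpdump's text format and assumes 192.168.0.1 is the gateway and that the MAC addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's ARP reply format. 192.168.0.1 is assumed to be
# the gateway; the MAC addresses are made up. From 12:00:03 on, the host with
# MAC ...:04 claims both the gateway's IP and Lisa's (192.168.0.8).
ARP_LOG = """\
12:00:00.000000 ARP, Reply 192.168.0.1 is-at 00:11:22:33:44:01, length 28
12:00:01.000000 ARP, Reply 192.168.0.8 is-at 00:11:22:33:44:08, length 28
12:00:02.000000 ARP, Reply 192.168.0.1 is-at 00:11:22:33:44:01, length 28
12:00:03.000000 ARP, Reply 192.168.0.1 is-at 00:11:22:33:44:04, length 28
12:00:03.500000 ARP, Reply 192.168.0.8 is-at 00:11:22:33:44:04, length 28
12:00:04.000000 ARP, Reply 192.168.0.1 is-at 00:11:22:33:44:04, length 28
"""

REPLY_RE = re.compile(
    r"^(\S+) ARP, Reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9A-Fa-f:]{17})")

def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for every ARP reply line; other lines are skipped."""
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()

def detect_arp_poisoning(replies):
    """Return alerts for two poisoning signatures: an IP whose announced MAC
    differs from the one first learned for it, and one MAC claiming several
    IPs (the gateway + victim pattern of a LAN man-in-the-middle)."""
    first_mac = {}                  # ip -> MAC first seen for that ip
    ips_by_mac = defaultdict(set)   # mac -> every IP it has claimed
    alerts = []
    for ts, ip, mac in replies:
        ips_by_mac[mac].add(ip)
        known = first_mac.setdefault(ip, mac)
        if known != mac:
            alerts.append({"type": "ip_mac_changed", "time": ts, "ip": ip,
                           "expected": known, "seen": mac})
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            alerts.append({"type": "mac_claims_multiple_ips", "mac": mac,
                           "ips": sorted(ips)})
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_poisoning(parse_arp_replies(ARP_LOG)):
        print(alert)
```

On a real network the same logic can be fed from a static ARP table or a periodic capture; a change in the gateway's MAC is the first thing to check.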

1.2 Hacking Local Network PC

Now after learning sniffing, let's move to something much more exciting than sniffing: now I will tell you how to hack the local network PC. Hacking the PC means not sniffing, DDoSing or port scanning, but spawning the victim's shell. This is not an easy task, but neither is it harder. There are lots of automated tools like Metasploit and Core Impact which come with pre-coded exploits and payloads, where we can get a shell on a vulnerable system in just 4 clicks; isn't that amazing? But where is the fun if automated tools make the world easy for you? Don't you want to get your hands dirty? Yes, sure we do! So let's hack Lisa's PC and copy her pictures!!

Well, all that we need to penetrate Lisa's PC is to know her Windows logon password. If we know her logon password we can remotely enter her PC by telnetting to port 23 (if she has a telnet server running on port 23, the default), SSH (an SSH server should be installed, i.e. port 22), Remote Desktop (should be enabled), FTP etc. Cain and Abel logs remote computers' NTLM hashes (rarely), but if not, let's try some other ways.

Reconnaissance: this is the process in which we identify weaknesses in information disclosure for a particular user or company; the basic idea is to gather as much information about the target user or company as possible. In this case we check Lisa's desk to see if she has written her password down, check her sticky notes for passwords, or ask her co-worker or friend if she/he knows her password. Well, if none of the above methods succeeds, then just guess the passwords, or make a dictionary of common words and try to log on to her computer using a dictionary attack. A well-known tool which is tested and working is TSgrinder; TSgrinder takes usernames and passwords from the dictionary and tries to log on to the remote computer.
Watch this video of TSgrinder to learn how to use it.
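From the defender's side, the dictionary attack just described is noisy: every failed Remote Desktop logon lands in the Windows security log as Event ID 4625 with logon type 10 (RemoteInteractive), so a burst of failures from one source is easy to catch. The detector below is an added example, not part of the original post; it runs over constructed records flattened to one line each (the one-line layout, timestamps and user names are assumptions, and 192.168.0.4 is the "Attacker PC" from the post).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows logon audit records, one per line. EventID 4625 is
# a failed logon, 4624 a success, LogonType 10 is RDP. 192.168.0.9 is a made-up
# colleague who mistypes a password once; the timestamps and users are invented.
LOGON_LOG = """\
2010-10-13 09:00:01 EventID=4625 TargetUser=lisa LogonType=10 Source=192.168.0.4
2010-10-13 09:00:02 EventID=4625 TargetUser=lisa LogonType=10 Source=192.168.0.4
2010-10-13 09:00:02 EventID=4625 TargetUser=administrator LogonType=10 Source=192.168.0.4
2010-10-13 09:00:03 EventID=4625 TargetUser=lisa LogonType=10 Source=192.168.0.4
2010-10-13 09:00:04 EventID=4625 TargetUser=lisa LogonType=2 Source=192.168.0.9
2010-10-13 09:00:04 EventID=4625 TargetUser=lisa LogonType=10 Source=192.168.0.4
2010-10-13 09:00:05 EventID=4624 TargetUser=lisa LogonType=10 Source=192.168.0.4
"""

LINE_RE = re.compile(r"^(\S+ \S+) EventID=(\d+) TargetUser=(\S+) "
                     r"LogonType=(\d+) Source=(\S+)$")

def parse_logon_events(text):
    """Yield one dict per well-formed record; malformed lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {"time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                   "event": int(m.group(2)), "user": m.group(3),
                   "logon_type": int(m.group(4)), "source": m.group(5)}

def detect_password_guessing(events, threshold=5, window=timedelta(seconds=60)):
    """Alert once per source when it accumulates `threshold` failed logons
    inside a sliding time window, whichever user names it tried."""
    recent = defaultdict(deque)   # source -> failed logons still inside the window
    alerted, alerts = set(), []
    for ev in events:
        if ev["event"] != 4625:
            continue                  # only failures count toward the threshold
        q = recent[ev["source"]]
        q.append(ev)
        while ev["time"] - q[0]["time"] > window:
            q.popleft()               # drop failures older than the window
        if len(q) >= threshold and ev["source"] not in alerted:
            alerted.add(ev["source"])
            alerts.append({"source": ev["source"], "failures": len(q),
                           "users": sorted({e["user"] for e in q}),
                           "first": q[0]["time"], "last": ev["time"]})
    return alerts

if __name__ == "__main__":
    for alert in detect_password_guessing(parse_logon_events(LOGON_LOG)):
        print(alert)
```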

If this doesn't work, then let's move one step further. Here we scan for open ports on Lisa's PC, then enumerate the services, find a vulnerable service, exploit the vulnerable service and escalate privileges.

When we scanned the network earlier and resolved the host names, we found that Lisa's PC has the IP 192.168.0.8, so let's scan her PC for open ports.

Scanning: the process of scanning the host for open ports. We use the famous Nmap, coded by Fyodor. Download Nmap from its official site http://www.nmap.org; Nmap is a multi-platform scanning tool and also has a cool GUI known as Zenmap.

So let's scan IP 192.168.0.8 in Nmap for open ports. If you are using the command line interface, type "nmap 192.168.0.8" for port scanning.

After scanning for open ports, note the list of open ports.

After listing the open ports, the next step is to find what service each open port is running. This step is called service enumeration or fingerprinting.

Service Enumeration: the process of finding the daemons running on open ports. This can be done by telnetting to the port whose service we want to enumerate, e.g. by typing "telnet 192.168.0.8 21" in the command prompt; this step is also called banner grabbing. Another simple way is to use Nmap:
nmap -sS -v 192.168.0.8    // stealth scan for open ports

After the scan, suppose the Nmap result shows that port 21 (i.e. FTP) is running ProFTP v2.9.

Vulnerability Assessment: now we know the open port, the service running on it and the version number of the software; the next step is finding vulnerabilities for that exact version, in our case ProFTP v2.9. Sites like milw0rm.com, exploit-db.com and securityfocus.com have a huge number of exploits. Well, suppose that we have found a remote buffer overflow vulnerability for ProFTP v2.9 (http://www.exploit-db.com/exploits/9508).

Exploiting the Vulnerability: now that we have found a buffer overflow vulnerability in ProFTP v2.9, let's exploit it.
What is a buffer overflow?
A buffer overflow is a vulnerability that occurs when a program attempts to store more data in a buffer (a data storage area) than it was meant to hold. Because the buffer was only meant to hold a certain amount of data, the extra information overflows into the adjacent buffers, causing them to be overwritten with malicious code created by the hacker. Once this code is executed, the hacker can gain full control of the server.

Buffer overflow exploits are written in many languages like C, PHP, Perl etc., so choose the right exploit, compile it and run it against Lisa's PC.
This should spawn a shell; well, there you go! Now start playing with her computer, put and get files etc.

Well, that's it for exploiting remotely. I have missed covering a lot of topics; hope I will write a few more articles about this topic in future. Visit http://www.hacklearn.com for updates about this topic.

Now what if we failed to do it remotely?
Well, again, don't get disappointed if you failed. Haven't you heard the famous quote "try and try till you succeed"? Let's apply this quote here. Now let's choose another way to gain access to Lisa's PC: this time we trick her into downloading an executable file bound with our trojan horse server.
What is a trojan horse?
A trojan horse is a malicious program that can be used to do silly things to a system like changing its desktop, messing with the user interface and taking control of your mouse. It can also be used for some serious things like accessing your data, erasing your files, stealing your passwords, capturing your keystrokes, popping webcams etc.
Well, before binding trojans, make sure it is undetected by anti-virus: crypt it with a good crypter, or compile it from existing source code if you can't write your own. There are plenty of scantime+runtime crypters which can make your trojan server completely undetectable by anti-viruses. Choose your favourite RAT (remote admin tool), aka trojan; a few famous RATs are Poison Ivy, Cyber-Rat and Sub7 (which released its latest version after a gap of 2 years; visit the Sub7 official site).
It's all your skill how you make her run your infected executable file; read social engineering tricks from e-books available on the Internet. If the victim is connected to your LAN, then the easiest way to make them run your server is by spoofing the DHCP server of your LAN and creating a fake site that looks like Microsoft's, with a link to your trojan server saying to download a critical vulnerability update, or any other trick.

If you have physical access to her PC, then the task is simple: simply run your trojan server; this gives you a backdoor to access her PC later.

What if you have physical access to her PC, but you don't know the logon password?
Well, this is much easier than you might think. Download a copy of Ophcrack and burn it to a CD; Ophcrack uses rainbow tables to crack Windows passwords. It takes less than half an hour to crack complex passwords. [Note: Ophcrack succeeds 95% of the time; if the password is highly complex then chances are you might not have luck cracking it.]

Try L0phtCrack, which cracks local and remote PC passwords.

Last but not least, Hiren's Boot CD, which disables NT authentication so you can log in without knowing the password, or use BackTrack (a Linux distro) to crack Windows passwords using JTR (John the Ripper).

Note: I haven't talked in detail about cracking passwords; hope I have said enough for you to Google the specific topic. If you are not used to Google, then help yourself to get familiar with it; remember, Google is a hacker's no. 1 tool.
A few topics I haven't covered in this last part are keylogging, stealers and botnets. Browse this site to find tutorials on these topics.
My next tut might be on DHCP spoofing and buffer overflow exploitation. Encourage me to write new tuts by commenting on this thread. Ty
Some Nmap queries
nmap -sS -v              stealth (SYN) scan for open ports
nmap -O -vv              OS detection
nmap -sS -O              ports + OS
nmap -sS -O -vv -PN      ports + OS, very verbose, skip host discovery (treat the host as up)
nmap -sS -O -PN          ports + OS, skip host discovery
nmap -v -sS -A -sV       SYN scan with aggressive options (-A) and service version detection (-sV)
nmap -A                  aggressive scan (OS detection, version detection, default scripts, traceroute)
