Paralys Posted January 11, 2007

Ok, I'm sitting on a rather large network right now and I'm slowly working on getting into it and creating a new account with administrator rights. The account I'm using on it isn't my own so that's not to be worried about. The admin of said network is stupid (I won't say too stupid, nor will I underestimate anyone) but he's not too bright. I have a command prompt which he had originally removed from the menu (which could have been harder to get to if he had killed off the Run option too, but I just wrote a quick .bat to open it):

    @echo on
    command
    @echo off

Now, I'm in the command prompt, and I know this sounds a bit black hat, but I need to kill a task, one by the name of Mcshield.exe (you probably can figure out what it is if you think about it.) Killing tasks is disabled through Task Manager, though I think it'll work through command prompt. Hope this doesn't get me flamed. (Trust me, I'm being smart and not doing anything malicious, this is just out of curiosity to see if I can do it.)

Edit: :x It's blocked in this too, I found the command tskill and it's still blocked. If anyone has any suggestions, then throw them out there; if not, delete this thread.

Edit 2: Well, the BIOS isn't blocked so I can still get into that. There's an option in there, "System Event Log", which I can look at, clear and mark all the entries as read. Will this log tell if I boot in safe mode? (I need to clear it afterward if it does.)

Edit 3: (Yeah, lots of edits, I'm updating this as I'm doing it.) Well, Edit 2 is the only one that matters right now, everything above it is irrelevant: when booted in Safe Mode with Networking, the box doesn't even start Mcshield.exe, meaning I don't even need to find a way to work around it.

I still need to know if that system log will record me logging into safe mode, which is what I'm about to check. Also, I need to know if NT and LM password hashes for the entire network can be accessed if you're on a box that is on the network and have admin privileges. Still hoping I don't get flamed for this one, I gotta let my hat get a little tinted every once in a while, huh? :D
Sparda Posted January 11, 2007

I would discourage doing any thing on school computers that might be considered misuse.

In about 1993, Cambridge University had a few rooms of 486s, for use by members of the University. You could get into the rooms at any time of day if you had a key, and the site security would walk around every hour or so at night. One policy, introduced after a few too many noisy games of network Doom, was that playing games wasn't allowed. One evening, however, I saw someone using eXceed (an X-Windows server for Microsoft Windows) to run Motif. Apparently he was doing something on one of the UNIX machines over the network. The security guard came up behind him, and the conversation went something like this:

 * Security Guard: "Could you stop that -- you're not allowed to play games in here."
 * Student: "This isn't a game."
 * Security Guard: "You can't fool me. That's not work."
 * Student: "Yes, it is. I'm a computer science student -- I've got a deadline later this week."
 * Security Guard: "That doesn't look like work to me. I'm going to have to ask you to leave."
 * Student: "What? I'm working. I'm working quietly. Why do I have to leave?"
 * Security Guard: "You're playing a game, and you're lying to me. Out. Now. Before I turn this machine off."

Even the other two people in the room couldn't persuade the security bloke that it wasn't a game.
nickisgod1 Posted January 11, 2007

Can you use the at command? Sometimes less than smart admins will forget to turn this off. If so, use the at command to launch a command prompt, and you will have a command prompt with system level access.
Paralys (Author) Posted January 12, 2007

> I would discourage doing any thing on school computers that might be considered misuse. (Really long Cambridge story)

Thanks for the heads up Sparda and I realize the consequences of my actions. I've read all the other threads, and I've heard the "Expulsion, Youth Prison, etc." lecture just as much as everyone else has. I'm being smart about what I'm doing and when I said stupid admin, I mean an admin who goes into the mouse settings to try to find our IE history (true story). I don't underestimate anyone, but this is how it's set up as far as privileges go at our school:

Administrator (The mouse settings guy) / Staff (Teachers and such, all have equal privileges, the only thing blocked on theirs is changing other accounts.) / Students

Now, I already have at least 2 staff passwords. I'm being smart about it and found a universal account (username: Student). So I'm not identifying my own account with ANYTHING. Nor am I dumb enough to change the privileges of my account. As for using any staff accounts, many of the students that the teachers trust (students that are teachers' aids, teachers' children) use those accounts all the time but are too tight to tell anyone the passwords. So most of the instances where a staff account is used, the Admin just ignores it.

I realize it's risky, maybe stupid in some people's opinions. If anyone has any suggestions as to what to do with the network please post them (NOTHING MALICIOUS: this includes no changing grades, attendance, and other n00bish crap). If no one has any suggestions, I will probably get the password of the Administrator's account and then just stop bothering with all of it. It's for the challenge; grades/attendance are still kept on paper, changing them will still get me in trouble. Thanks for the concern Sparda.
Freakish Posted January 12, 2007

You could enable msn, it's nothing evil.
Paralys (Author) Posted January 13, 2007

Ok, after a bit of work I've gotten around 2 staff passes, a good amount of student passes (will give exact numbers later), and my buddy's myspace password (which bugged the hell out of him, but made him laugh, and trust me, I can trust this guy, I've known him for years and he's kept my ass out of more trouble than this.)

However, I need help now. I've been noticing something about the network. The only logs that are kept are our IE histories, logs kept by the anti-virus (which doesn't run if the system is booted into Safe Mode w/ Networking) and then logs about keyboard errors kept in the BIOS menu. That's the extent of the security. (What you get when you hire a freshman science teacher as an Administrator that hasn't got a clue how to use a computer.)

So now I got a problem. I need to run some tools on one of the machines. However, due to time limits and um... the prying eyes of other students who would log on and be like "Wow, what's this icon?" I need to use Cain and Abel, Ethereal and some other tools, but a lot of times these are run from a Jumpdrive (I use a 2gb mp3 player with a tip that pulls off to turn it into a sort of flash drive, good for music and doesn't draw much suspicion when running tools from it.) However, when I try to run these tools from a flash drive, many times I will get the error telling me I haven't got WinPCap installed (I think that's the name of it. Haven't had enough time to write it down when I get it but you should know what I mean.) Anyone know how to fix it to where I can put WinPcap (or whatever the name of the program is) on my jumpdrive too? Should I just install Cain and Abel directly to it?

Thanks everyone, once again, if there's any suggestions to what to do afterward, please make them non-malicious, doing this is teaching me a lot, and that's all I really want to do is learn.

I'm passing everything so no need to change grades or attendance or anything stupid like that.
VaKo Posted January 13, 2007

This ain't technical advice, but keep your mouth shut around your school mates and parents. And don't do anything illegal or in breach of the school's TOS; if the admin is as you say he will be dumb enough to call the cops for "HACKING1111".
Paralys (Author) Posted January 13, 2007

> This ain't technical advice, but keep your mouth shut around your school mates and parents. And don't do anything illegal or in breach of the school's TOS; if the admin is as you say he will be dumb enough to call the cops for "HACKING1111".

I knew that this thread would draw such comments after a little while. At least it's not flaming. I understand what you're saying VaKo, and thanks for being concerned and warning me. But in all honesty, and I'm not trying to be a n00b or offend you, chances are I'll follow this through to the end because I've learned a bit so far and I wanna see if I can do this. Lock the topic if you want, I will understand completely why you did if you decide to. Thanks for the concern.

--Paralys
VaKo Posted January 14, 2007

Hell no, I'm not going to lock this, and you're not being a n00b. I honestly think that as long as you're not violating your school's TOS in an obvious way, you're not taking the piss with their network and you're subtle, you can get away with a lot. It's just going to look worse if they catch you selling myspace access than if they found you engrossed in a bunch of SSH sessions.

If you can install winpcap, and get away with it, you're sorted. It's just that without that, you're kinda screwed with windows. It needs that driver to do its stuff.
Paralys (Author) Posted January 14, 2007

> Hell no, I'm not going to lock this, and you're not being a n00b. I honestly think that as long as you're not violating your school's TOS in an obvious way, you're not taking the piss with their network and you're subtle, you can get away with a lot. It's just going to look worse if they catch you selling myspace access than if they found you engrossed in a bunch of SSH sessions. If you can install winpcap, and get away with it, you're sorted. It's just that without that, you're kinda screwed with windows. It needs that driver to do its stuff.

Thanks for understanding VaKo, however I don't plan on selling myspace access, I only accidentally found the myspace password of one of my friends who was using a proxy to login to it. I don't plan on doing anything even remotely malicious or obvious to the network, only finding the password for admin level access. Once again, thanks for the heads up on the consequences of my actions. My friend that I was talking to at this time has kept me out of far worse trouble than this and is probably the only one that I would trust with this information. I have not told anyone else, nor do I plan to.

As for the WinPCap, I am still curious if it will work if I just install it to the Jumpdrive with Cain on it.

I apologize for my last post sounding slightly annoyed. I misunderstood the post I quoted above at first and it sounded much more harsh than it seems to be after re-reading it.
VaKo Posted January 14, 2007

It's a driver; to the best of my knowledge it needs to actually be installed on the host PC. There is something there to do with CACE but the sites are down atm. packetstuff.com is worth keeping an eye on, and have a google for PSSDK and usb drives.

http://www.cacetech.com/products/toolkit_f...ition/index.htm
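The two posts above make a point an administrator should act on: WinPcap is a kernel driver (service name NPF), so a capture tool running from removable media still leaves that driver installed on the host, and the first post notes that the AV on-access service did not start in Safe Mode with Networking. The following is an added defender-side audit script, not code from this thread or any of its participants; it checks a managed Windows machine for those two gaps. The service name McShield is an assumption taken from the Mcshield.exe mention in the thread, and the npcap name is included only as a later alternative to NPF; both can be overridden by parameter.

```powershell
# Added example (not from the thread): audit one Windows box for
#   1. an installed packet-capture kernel driver (WinPcap registers as 'NPF'),
#   2. whether the AV service is registered to start in Safe Mode with Networking,
#   3. whether this session itself is a safe-mode boot.
# Run in an elevated PowerShell session on the machine being checked.
param(
    # Kernel driver service names to look for; 'NPF' is WinPcap, 'npcap' is an
    # assumed name for the later Npcap driver.
    [string[]] $CaptureDrivers = @('NPF', 'npcap'),
    # Assumed AV on-access service name; pass the real one for your product.
    [string]   $AvService      = 'McShield'
)

$findings = @()

# 1. Win32_SystemDriver lists kernel drivers with their state, start mode and image path.
foreach ($name in $CaptureDrivers) {
    $drv = Get-WmiObject Win32_SystemDriver -Filter "Name='$name'"
    if ($drv) {
        $findings += "Capture driver '$name' present: state=$($drv.State), start=$($drv.StartMode), path=$($drv.PathName)"
    }
}
# A copied driver file with no service entry is still worth flagging.
$npfSys = Join-Path $env:SystemRoot 'system32\drivers\npf.sys'
if (Test-Path $npfSys) { $findings += "Driver file on disk: $npfSys" }

# 2. Safe Mode with Networking starts only the services and driver groups listed
#    under SafeBoot\Network. A service with no subkey there is silently skipped,
#    which is the behaviour the first post describes for the AV.
$safeNet = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
if (-not (Test-Path (Join-Path $safeNet $AvService))) {
    $findings += "Service '$AvService' has no entry under SafeBoot\Network; it will not start in Safe Mode with Networking"
}

# 3. The SafeBoot\Option key exists only while booted in safe mode
#    (OptionValue 1 = Minimal, 2 = Network).
$opt = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Option' -ErrorAction SilentlyContinue
if ($opt) { $findings += "Currently booted in safe mode (OptionValue=$($opt.OptionValue))" }

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Finding 2 is the one with a direct fix: a service that must survive a safe-mode boot needs its own subkey under SafeBoot\Network (and SafeBoot\Minimal for plain safe mode), which vendor installers normally create; if it is missing, the on-access scanner is not running in exactly the boot mode the thread used to avoid it. Findings 1 and 3 are detection signals rather than fixes, and on a fleet they are most useful collected centrally rather than read on the console.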
Darren Kitchen Posted January 14, 2007

Just wanted to say I'm down with this thread. Paralys seems to be going about this right.

Check out SmartSniff, supposedly it doesn't require winpcap. http://www.nirsoft.net/utils/smsniff.html

Also keep an eye on http://www.packetstuff.com/ It had USB versions of ethereal, nmap, etc but seems to be down

Edit: Found this linked from http://www.winpcap.org/news.htm

http://www.cacetech.com/products/toolkit.htm has a toolkit of open source net admin tools that have been recompiled for windows with the winpcap driver built in. They have a trial version which includes 7 programs as well as paid versions.

Edit 2: here's the portable version of nmap from the now unavailable packetstuff.com site. http://www.hak5.org/temp/nmap-381.zip
VaKo Posted January 14, 2007

You could also do what some of my work mates did, i.e. hide an old PC with a Debian install behind a bookshelf and just ssh into it. This could be why the purchasing system gifted them with P4's while the rest of us are using P3's.
Deveant Posted January 14, 2007

Ok, a few questions. How is your network managed, i.e. Windows Active Directory, Novell, other? Oh, and if you know what type of Internet Authentication program they are using, i.e. Sonar, Novell's, umm, don't know much others :S I ask this just to help you out with some log problems that you may end up facing.

The other question I have is which functions for Cain were you wanting to use? Saying that you have already gained a few (seems to be more than a few...) passwords, it doesn't seem you want it for hashes. Just checking because there's alternatives to sections of Cain.

I haven't had time to read all the posts, but it seems your way of killing tasks hasn't worked, so a little googling goes a long way: http://www.google.com.au/search?hl=en&...iewer&meta= turns up a nice result first up.

Umm, yeah, seems that's about it for me... oh, you say you can't install WinPcap on the host? Any reasons?
Paralys (Author) Posted January 16, 2007

Sorry for the slow update everyone, was a bit ill over the weekend. Anyway, after sorting through everything, I have 2 staff passwords and 10 student passwords (besides mine of course lol). In our library, there are like, big wooden booths lined up with computers sitting in them. One of them needed to be fixed (admin couldn't figure out how to get a virus off of it) so there was an empty booth with a cable laying there, so I plugged in, set what I needed up, ran Cain, closed the laptop and laid my coat on top of it and let it run for the entire hour long class and a 2 hour long tutoring program we have there because I had a meeting during it. (Unfortunately it was only able to scan the library, so I didn't get as many passes as I had hoped. Though I'll be scanning a bigger room soon.) This was from one session too. I had more than 2 hours, just sitting there on their network with my laptop closed sitting under my coat talking to the one guy that I mentioned before. Thanks for all the support so far everyone.

> Just wanted to say I'm down with this thread. Paralys seems to be going about this right. Check out SmartSniff, supposedly it doesn't require winpcap. http://www.nirsoft.net/utils/smsniff.html Also keep an eye on http://www.packetstuff.com/ It had USB versions of ethereal, nmap, etc but seems to be down Edit: Found this linked from http://www.winpcap.org/news.htm http://www.cacetech.com/products/toolkit.htm has a toolkit of open source net admin tools that have been recompiled for windows with the winpcap driver built in. They have a trial version which includes 7 programs as well as paid versions. Edit 2: here's the portable version of nmap from the now unavailable packetstuff.com site. http://www.hak5.org/temp/nmap-381.zip

Thanks for the support, I've not gotten a chance to look over all these tools but it looks useful.

> You could also do what some of my work mates did, i.e. hide an old PC with a Debian install behind a bookshelf and just ssh into it. This could be why the purchasing system gifted them with P4's while the rest of us are using P3's.

Nice suggestion, would love it if I could, but can't afford putting a PC somewhere and just praying it isn't found lol. (My desktop is my only up to date computer, and I only have it and my laptop.)

> Umm, yeah, seems that's about it for me... oh, you say you can't install WinPcap on the host? Any reasons?

I probably could install it and get away with it. It just seems kinda risky in a way. Not something I'd be a hundred percent comfortable with. On that point, is there any way that an anti-virus or anti-spyware could pick up winpcap for one reason or the other, mainly McAfee because that's what they're running? As I said before, I can boot into safe mode with networking and run what I need without the anti-virus starting, but I don't want a million "Your computer is infected" or whatever boxes popping up for whoever sits there next.

As far as what software it's running, I can't tell that it's running Novell or anything. Looks like they're all just networked together. The only programs I can find that may not have originally been on the boxes are McAfee and Microsoft Office. Nothing else is different, no weird processes running or anything.

Thanks for all the support everyone, I'll keep this thread updated as I gain more passwords/information about the network.
Paralys (Author) Posted January 23, 2007

Well, I know the topic was pretty much dead, but I figured I'd update it one more time and tell everyone that I did it. I have the admin's password and tons of others without getting caught. Here's how I did it (rather disappointing btw, I was hoping this would be more of a challenge). Oh well, at least I managed to get it.

Anyway, there are two admins in a sense, one for the library, and one for all the other computers (each monitors what's going on). The library admin, who was just the librarian and knows NOTHING about computers, only relies on the antivirus to make sure no one gets viruses on them, so I used Cain often on my laptop, when one day I saw my chance: the main admin was in the room talking with some other employees (my laptop still under my coat running Cain) and decided he would show someone something on the net... yeah, that's all it took. No one noticed.

Well, as far as I know, I'm done with this. Unless someone has some suggestions, I'll probably just leave the network be, nothing of any use to do with it anyway. Still kinda disappointed in how easy it was, but hey, at least I didn't get caught and I did learn a thing or two along the way. Thanks to everyone for the support.
Sparda Posted January 23, 2007

I suggest you don't tell anyone, and delete that post before I take a screen shot of it and save the html and send it to your school. Just kidding ;)
Paralys (Author) Posted January 23, 2007

> I suggest you don't tell anyone

As far as telling anyone, don't worry about that, I'm not even about to.

> and delete that post before I take a screen shot of it and save the html and send it to your school

... You know, we should start telling that to the ones that get on here talking about "H4xz0ring |/|y sk001!"