Friday, 20 May 2011

Botnet Q&A

THIS WAS WRITTEN FOR EDUCATIONAL PURPOSES ONLY!!!
Just something I compiled quickly. I'm also posting my bot setup guide soon.
If you want any questions or links added to the Q&A, please ask and I'll add them.


Q: What's a bot?
A: A bot is a malicious program installed on a victim's computer that can carry out several tasks.
It is usually told what to do by the botnet admin, although many of its features are now automated.

Q: What's a botnet?
A: A botnet is a network of infected computers that all connect to one control point (the command-and-control server), where they are commanded by the botnet admin.

Q: What can a bot do?
A: Usual features of a bot include...
  • P2P Spreading (Limewire, uTorrent, etc.)
  • IM Spreading (Sends to contacts on MSN, AIM, etc.)
  • DDoS attacking (See "what's a DDoS attack?")
  • Spam mailing to lists of emails (Often used to spread)
  • Collecting personal information (Passwords, bank details and the like)

Q: How are bots told what to do?
A: Bots are usually commanded through an IRC channel by the botnet admin. The commands are built into the bot, which sits in the channel and listens for them.

Q: What's an IRC channel?
A: IRC stands for Internet Relay Chat. It is a text chat protocol: you connect to an IRC server and join a channel, which is a group conversation, and you can also message people privately. To use IRC you need a client such as ChatZilla, XChat or mIRC.

Q: How do I get a botnet?
A: First you will need the bot's source code and the programs required to compile it. Most bots are written in C++, but you don't need any programming experience to compile your own. There is usually one file named "Configs.h" or something similar that you have to edit; that's where you set the bot names, the IRC server and channel and any other necessary information. Look for bot sources in the botnet section here; they'll usually come with some form of instructions.

Q: Which bot should I use?
A: I recommend IMBot v4.1, it's pretty simple to compile and use, I'm sure there are tutorials here for it as well.
You can download IMBot here. (Clean download, it's mine).

Q: Is this illegal?
A: Yes. Mass-spreading a bot illegally and stealing information can get you into real trouble if you're caught. 99% of the botnets that are shut down have over 10,000 bots, though, and I wouldn't expect anyone here to reach over 5,000. You will have to make sure your IRC server is secure and that your bot stays undetected.

Q: Is it true I can make money from this?
A: Yes, potentially. You could make the bots visit referral sites or download files. A lot of people sell the accounts they've taken from their bots for a price cheaper than the original. You don't have to do any of this, but as your botnet grows you will need more money to transfer to a professional IRC host.

Q: How can I secure/hide my botnet?
A: Offshore hosting first of all. Something in a country such as Sweden, for example. Dedicated hosting would be best, because that way you aren't sharing your hosted server with anyone and you can hold a much larger network. A password on your IRC channel is also recommended. Be sure to use a bot that is undetected, whether you have to crypt it or not.

Q: What do most people use botnets for?
A: The majority of them are used for DDoS attacks against websites, once the botnet is large enough. Many people set up large botnets just to sell their bots, though. With the rate they spread at, you could sell a large number of bots to someone for a nice profit with only a small amount of work.

Q: How can I spread my bot?
A: Most bots are spread through torrenting websites or warez boards. A lot of bots also have auto-spread features, so you could have 50 bots and then gain 150 more through the auto-spreading without doing any work at all. A lot of people also buy bots off other botnet admins to start their botnet off with a nice amount.

Q: What type of bot would be best?
A: Java bots seem to be the most popular right now since a lot of them are still fully undetectable, but bear in mind that the infected machine will need Java. The same goes for bots coded in VB.NET: the infected machines will need the .NET Framework. Some VB6 bots may also need missing .ocx files, so in my opinion the best choice of bot is one coded in C++ such as IMBot.

Q: How much should I pay for bot installs?
A: A good price would be 10 cents per bot, which works out at $10 for 100. Some botnet admins may charge you more, but I don't think it's worth paying much more than that. Another risk of buying from other botnet owners is that they still keep the bots to themselves as well, so be sure to find someone trustworthy. Bear in mind that some may not be able to remove their own.

Q: How do I configure my bot to connect to my IRC server?
A: Most bots come with some sort of instructions text file. There are also a lot of tutorials for different bots here at HF, just search the name of your bot. If you can't find anything, there is usually a file named "config.h" (C++) or something similar. Open that and edit the parts that you're supposed to; it should be clear which parts to change.
Example: //"server","pass",6667,"channel","channelpass","-ix"; needs to be your info in that order: the IRC server, the server password, the port (6667 is the default IRC port), the channel, the channel password and the mode string the bot sets when it connects.
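What the IRC commanding described above looks like on the wire, from the side of someone watching the network rather than running the bot. This is an added example, not code from the original post or from any bot: a small RFC 1459 line parser plus a heuristic that a network monitor could apply to captured IRC traffic to spot the pattern a config line like the one above produces, namely several clients with templated nicks joining one keyed channel in which only one party ever speaks. The capture lines, IP addresses, nicks, channel names, the ".status" message and the thresholds in looks_like_c2 are all constructed for the demo.

```python
import re
from collections import Counter, defaultdict

# RFC 1459 line:  [':' prefix ' '] command {' ' param} [' :' trailing]
# Lines a client sends (PASS, NICK, USER, JOIN, PRIVMSG) carry no prefix;
# lines the server relays to a client carry the originator as the prefix.
_MSG = re.compile(r'^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?P<rest>.*)$')


def parse_irc(line):
    """Return (prefix or None, COMMAND, [params]) for one raw IRC line."""
    m = _MSG.match(line.strip())
    if not m:
        raise ValueError('not an IRC line: %r' % line)
    rest = m.group('rest')
    if ' :' in rest:                      # trailing parameter may contain spaces
        middle, trailing = rest.split(' :', 1)
        params = middle.split() + [trailing]
    else:
        params = rest.split()
    return m.group('prefix'), m.group('cmd').upper(), params


def summarize_channels(capture):
    """capture: iterable of (client_ip, raw_line) pairs as a sensor sees them.
    Returns {channel: {'key', 'joiners', 'speakers'}}."""
    nick_of = {}                                              # client_ip -> nick
    chans = defaultdict(lambda: {'key': None, 'joiners': set(), 'speakers': set()})
    for ip, line in capture:
        prefix, cmd, params = parse_irc(line)
        if cmd == 'NICK' and prefix is None and params:
            nick_of[ip] = params[0]
        elif cmd == 'JOIN' and prefix is None and params:
            info = chans[params[0]]
            info['joiners'].add(nick_of.get(ip, ip))
            if len(params) > 1:                               # JOIN #chan key
                info['key'] = params[1]
        elif cmd == 'PRIVMSG' and len(params) >= 2 and params[0].startswith('#'):
            speaker = prefix.split('!', 1)[0] if prefix else nick_of.get(ip, ip)
            chans[params[0]]['speakers'].add(speaker)
    return dict(chans)


def nick_skeleton(nick):
    """'[USA|XP]48213' -> '[A|A]#': collapse upper-case and digit runs."""
    return re.sub(r'[A-Z]+', 'A', re.sub(r'\d+', '#', nick))


def looks_like_c2(summary, min_bots=3, share=0.8):
    """Heuristic (assumed thresholds): a channel joined by at least min_bots
    clients whose nicks share one template, in which at most one party speaks."""
    suspects = []
    for chan, info in summary.items():
        joiners = info['joiners']
        if len(joiners) < min_bots or len(info['speakers']) > 1:
            continue
        top = Counter(nick_skeleton(n) for n in joiners).most_common(1)[0][1]
        if top >= share * len(joiners):
            suspects.append(chan)
    return sorted(suspects)


# Constructed capture: three clients with templated nicks join one keyed
# channel where only the operator (relayed by the server) ever speaks,
# plus an ordinary chat channel for contrast.
SAMPLE_CAPTURE = [
    ('10.0.0.12', 'PASS s3rvpass'),
    ('10.0.0.12', 'NICK [USA|XP]48213'),
    ('10.0.0.12', 'USER x 0 * :x'),
    ('10.0.0.12', 'JOIN #ch4n channelpass'),
    ('10.0.0.31', 'PASS s3rvpass'),
    ('10.0.0.31', 'NICK [USA|XP]09177'),
    ('10.0.0.31', 'USER x 0 * :x'),
    ('10.0.0.31', 'JOIN #ch4n channelpass'),
    ('10.0.0.57', 'PASS s3rvpass'),
    ('10.0.0.57', 'NICK [DEU|XP]66002'),
    ('10.0.0.57', 'USER x 0 * :x'),
    ('10.0.0.57', 'JOIN #ch4n channelpass'),
    ('10.0.0.12', ':op!op@198.51.100.9 PRIVMSG #ch4n :.status'),
    ('10.0.0.31', ':op!op@198.51.100.9 PRIVMSG #ch4n :.status'),
    ('10.0.0.80', 'NICK alice'),
    ('10.0.0.80', 'JOIN #lunch'),
    ('10.0.0.81', 'NICK bob'),
    ('10.0.0.81', 'JOIN #lunch'),
    ('10.0.0.80', 'PRIVMSG #lunch :pizza?'),
    ('10.0.0.81', 'PRIVMSG #lunch :sure'),
]

if __name__ == '__main__':
    summary = summarize_channels(SAMPLE_CAPTURE)
    for chan, info in summary.items():
        print(chan, 'key=%s joiners=%d speakers=%s'
              % (info['key'], len(info['joiners']), sorted(info['speakers'])))
    print('suspect C2 channels:', looks_like_c2(summary))
```

The server password, channel and channel password from the config line all travel in clear text in the PASS and JOIN lines, which is why a channel password is no protection against anyone who can see the traffic; it only keeps other IRC users out.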

Q: Is it easy to set everything up?
A: It is usually easy to configure and compile a bot, but setting up your IRC server, keeping it secure, paying for larger off-shore hosts, managing your bots and staying hidden are not easy tasks for beginners. Once you've done it all several times it will be easier though, as with anything. There are usually people here who would be able to help you out if you're having any problems with your bots.

Q: Can I have a botnet without an IRC?
A: Yes. There are other great bots. Some can connect to PHP pages to read commands, some can be commanded over MSN and other clients, and some come with their own clients, e.g. DDoSeR. http://ddoser.info is a nice place to start if you're not sure what you're doing. It's really simple to use and only $35.

Aircrack

Introduction

First and foremost, Windows is virtually useless for wireless activities due to the huge number of restrictions. The restrictions do not come from the aircrack-ng suite so please don't ask for enhancements.
Here is a quick recap of the limitations:
  • Very few supported wireless cards: There are very few wireless cards which will work with the aircrack-ng suite. Most laptops come with Intel-based cards and none of these are supported. See the following links: Compatibility, Drivers, Which Card to Purchase and Tutorial: Is My Wireless Card Compatible? for more information. It is also important to note that there is little or no documentation accurately describing which version of the third party drivers you require for each card.
  • Dependency on third parties: The Windows world is highly proprietary and thus the source code for the drivers is not available publicly. As a result, no troubleshooting or fixes are available from the aircrack-ng team for these third party drivers. If there is a problem, you are on your own.
  • Limited operating system support: The Windows version works best with WinXP. It does not support Win98, some people have reported success with Win2000 but many have been unsuccessful with it and Vista is not supported. There is some evidence that a few people have aircrack-ng working under Vista but most people report failures. So basically, your best chance of success is under WinXP.
  • Passive capture of packets: Most people want to test the WEP security on their own access point. In order to do this, you must capture in the order of 250,000 to 2,000,000 WEP data packets (the newer PTW attack in aircrack-ng needs far fewer, in the order of 40,000 to 85,000 packets with unique IVs, but that is still a lot). With Windows, you can only capture packets passively, meaning you just sit back and wait for the packets to arrive. There is no way to speed things up, such as injecting packets, as there is in the Linux version. In the end, it could take you days, weeks, months or forever to capture sufficient packets to crack a WEP key.
  • Limited GUI: Most of the aircrack-ng suite tools are oriented towards command line utilization. There is only a very limited GUI available to assist you. So you must be more technically literate to successfully use these tools. Thus, if you are used to running a Windows installer then clicking your way to happiness, you are going to be exceedingly unhappy and lost with aircrack-ng.
  • Technical Orientation: Dealing with wireless requires a fair amount of operating system, basic wireless and networking knowledge. If you don't have this or are not prepared to do your own research, then you will find the tools and techniques bewildering. Do not expect people on the forums or IRC to answer basic knowledge questions. It is up to you to have these skills before starting out.
If you truly want to explore the world of wireless then you need to make the commitment to learn and use Linux plus the Linux version of the aircrack-ng suite. An easy way to start is to use the BackTrack live distribution. This distribution has the aircrack-ng suite plus patched drivers already installed, which jumpstarts your learning process. BackTrack information can be found here.

Installation and Usage

OK, you have come this far and still want to proceed? Just remember that there is an expectation that you have done your homework and have some base knowledge. Again, do not post questions on the forum or IRC that are dealt with in this tutorial or on the Wiki.
Here are the basic steps to install and use the aircrack-ng suite under Windows:
  1. Get a compatible wireless card: See the following links: Compatibility, Drivers, Which Card to Purchase and Tutorial: Is My Wireless Card Compatible? for more information.
  2. Install the drivers: Based on step one above, install the drivers per these instructions.
  3. Install aircrack-ng suite: See these instructions.
  4. Use aircrack-ng suite: See Part 1 - Cracking WEP with Windows XP Pro SP2. As well, the Wiki has documentation on each command. The commands need to be run via the Windows command prompt or via the Aircrack-ng GUI. You have to be in the directory on your PC which contains the commands.

Thursday, 19 May 2011

[WINDOWS] Wardrive, Crack WiFi Passwords, Spoof MAC address, and capture data. [AIO TUT]

 THIS WAS WRITTEN FOR EDUCATIONAL PURPOSES ONLY.
Here is everything you will ever need to know, from start to finish, about wardriving to find a network, capturing packets from that network, cracking the password to the network, anonymously accessing the network with that password, and then ARP poisoning (Cain calls it APR) the network to collect cookies, USERNAME:PASSWORD combos, etc.

To begin with, download the pack I have accumulated.
http://www.multiupload.com/MURL68MY3K
Antivirus results (scanner - engine version - signature date - result; a blank result means no detection):
AhnLab-V3 - 2011.04.20.00 - 2011.04.19 - -
AntiVir - 7.11.6.187 - 2011.04.19 - -
Antiy-AVL - 2.0.3.7 - 2011.04.19 - -
Avast - 4.8.1351.0 - 2011.04.19 - -
Avast5 - 5.0.677.0 - 2011.04.19 - -
AVG - 10.0.0.1190 - 2011.04.19 - -
BitDefender - 7.2 - 2011.04.19 - -
CAT-QuickHeal - 11.00 - 2011.04.19 - -
ClamAV - 0.97.0.0 - 2011.04.19 - -
Commtouch - 5.3.2.6 - 2011.04.19 - -
Comodo - 8402 - 2011.04.19 - -
DrWeb - 5.0.2.03300 - 2011.04.19 - -
eSafe - 7.0.17.0 - 2011.04.18 - -
eTrust-Vet - 36.1.8279 - 2011.04.19 - -
F-Prot - 4.6.2.117 - 2011.04.19 - -
F-Secure - 9.0.16440.0 - 2011.04.19 - -
Fortinet - 4.2.257.0 - 2011.04.19 - -
GData - 22 - 2011.04.19 - -
Ikarus - T3.1.1.103.0 - 2011.04.19 - -
Jiangmin - 13.0.900 - 2011.04.18 - -
K7AntiVirus - 9.97.4428 - 2011.04.19 - -
Kaspersky - 7.0.0.125 - 2011.04.19 - -
McAfee - 5.400.0.1158 - 2011.04.19 - -
McAfee-GW-Edition - 2010.1D - 2011.04.19 - -
Microsoft - 1.6802 - 2011.04.19 - -
NOD32 - 6055 - 2011.04.19 - -
Norman - 6.07.07 - 2011.04.19 - -
Panda - 10.0.3.5 - 2011.04.19 - -
PCTools - 7.0.3.5 - 2011.04.19 - -
Prevx - 3.0 - 2011.04.19 - -
Rising - 23.54.01.06 - 2011.04.19 - -
Sophos - 4.64.0 - 2011.04.19 - -
SUPERAntiSpyware - 4.40.0.1006 - 2011.04.19 - -
Symantec - 20101.3.2.89 - 2011.04.19 - -
TheHacker - 6.7.0.1.177 - 2011.04.19 - -
TrendMicro - 9.200.0.1012 - 2011.04.19 - -
TrendMicro-HouseCall - 9.200.0.1012 - 2011.04.19 - -
VBA32 - 3.12.16.0 - 2011.04.19 - -
VIPRE - 9062 - 2011.04.19 - -
ViRobot - 2011.4.19.4418 - 2011.04.19 - -
VirusBuster - 13.6.312.2 - 2011.04.19 - -
File info:
MD5: 7f559a6468aef4216301800a00c6356a
SHA1: 6afd93231127af25acc50971226a1c94d3753f7f
SHA256: beb9f1b2f7c97968e4d68baa7faaddacde923d5a1d90d6c443c4c782071638a6
File size: 34383 bytes
Scan date: 2011-04-19 18:26:37 (UTC)


Begin by installing the WinPcap drivers.
Reboot.
Navigate to the Passmark WirelessMon 3.1 (trees) folder and follow the instructions for the crack.

Now, go ahead and open up Wirelessmon. It's simply a scanning tool :)
Walk, skate, or drive around until you find a network worthy of your time.
[Image: ik77s6.png]
When you find the network you want, right-click on it and select Connect. Then copy the MAC address of that network (the BSSID) into Notepad and capitalize all of the letters. Also note the channel that network is on.
[Image: ikCxMI.png]

Now that we have our target, close WirelessMon and install CCleaner (ccsetup305.exe).
Open up CCleaner, click on Registry, and Scan for Issues. If you have installed CommView for WiFi in the past, be sure to fix the issues it finds, then scan again to make sure they are gone.
[Image: ik7wDY.png]

Now this computer is clean of all traces of Commview that I know how to find. We are now going to install Commview For WiFi in a very specific way.
1. Disconnect from the internet. Be it Wifi or Wired, disconnect it.
2. Start the install of Commview for WiFi 6.3 until you choose what kind of license you want. Select "Standard".
3. On the "Additional Settings" Page, un-check "Launch Commview for WiFi once the installation is complete", then continue until finished.

Now go back to the notepad you have that mac address in (Remember should look like "00:1A:2B:3C:4D:5E") and copy it to your clipboard.

Now, the following must be done fairly quickly.
Open Commview For WiFi
Go to "Rules" tab and click on MAC address rules
Check Mac Address rules, and select "Both" and Paste the MAC address of the target network into the box and add it.
Click the Blue "Play" button in the upper left
Select the channel that the network it on and click capture.
Click on the "Logs" tab and check the auto saving box.

I know of no other way to better describe what to do, but if you don't understand PLEASE WATCH THIS VIDEO AS AN EXAMPLE.
.avi 48.2 MB http://www.multiupload.com/N0W60Z0Z9R

Now, minimize CommView. If you click on it again it may say your evaluation period is up, so keep it minimized. What you do now is wait while you collect packets. This can take a while, so go eat a sandwich...
BREAK
Now that that's done, navigate to My Documents -> CommView for WiFi -> Logs and make sure there is a decent number of logs in there. If there isn't, go eat more food. Eating is an important part of hacking ;)

After you have enough logs, copy them to a separate folder and close CommView. Then go to CCleaner and go to the Tools tab. Uninstall CommView for WiFi. Then scan the registry for CommView entries and remove any that are found. Now reinstall CommView the same way as before, but this time once you open it press CTRL+L, which opens the log viewer without clicking. File -> Load CommView Logs -> select ALL of your logs. Then File -> Save As -> .CAP

We are now done with Commview :)
Now navigate to Aircrack-ng->Bin->Aircrack-ng GUI.exe
Under the Aircrack-ng Tab browse to your .CAP file
Now you can use Aircrack-ng as you would in any other situation. I do not feel like writing out how to use aircrack, so please use the search feature to find the many tutorials written by others.
*You go read another tut on aircrack, crack the password, then come back here*

Now that we have the password what can we do with it other than connect? How do I stay anonymous on their network?
Install Technitium Mac changer - http://www.technitium.com/tmac/index.html
Follow the instructions on their site, poof! You now have a spoofed MAC address.

Next step is to connect to their network. If you don't know how to connect to a wireless network, you're an idiot.
Now install Cain (ca_setup.exe) and Wireshark (32-BIT-wireshark-win32-1.4.6.exe or 64-BIT-wireshark-win64-1.4.6.exe)
Start up Wireshark and press CTRL+I to bring up the interfaces list. The one whose packet counter is going up is the one you want to "Start".
[Image: ikGmci.png]
Now Minimize Wireshark and open Cain.
Click "Configure" at the top of the window and unde rthe sniffer tab select the device that has an active IP address. Apply changes.
Go to the sniffer tab and click the "Sniffer" button (top left, microchip with arrow)
Then wait for a router to show up on the list. Right-click it and select "Scan MAC addresses". Scan all possibilities; all other computers on the network will show up. Next go to the APR tab at the bottom and click the blue "Plus".
Select the router on the left-hand side, and the IP of the computer you want to steal from on the right. Then click "OK".
Now activate APR (Radioactive looking symbol in top left).

You are now ARP poisoning that host so that all of its traffic to and from the router is routed through your computer.
Collected Usernames and Passwords will show up in the Passwords tab of Cain.
Want their cookies instead? You're in luck! Since all of that traffic is being routed through your computer, Wireshark has been capturing everything. Open up Wireshark and filter on "http.cookie"; that shows every HTTP request carrying a Cookie header. Use a Firefox add-on (I prefer Add 'n' Edit Cookies) to create a cookie with the name and value found in Wireshark and then navigate to that site. You will be logged in without needing a username or password. This only works because the site sends the session cookie over plain HTTP; a cookie that is only ever sent over HTTPS never appears in the capture.
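The APR step above, seen from the defender's side. What Cain does on the wire is send ARP replies nobody asked for, so that the router's IP and the victim's IP both resolve to the attacker's MAC. The following is an added example, not code from the original post or from Cain: a small detector that replays a constructed sequence of ARP packets and flags exactly that pattern (a reply that answers no request, an IP whose MAC binding changes, and one MAC claiming several IPs). The packet records, addresses and the 5-second request window are assumptions made for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass

REQUEST, REPLY = 1, 2          # ARP opcodes


@dataclass
class Arp:
    """One ARP packet as a sensor would decode it (constructed records below)."""
    t: float     # capture time in seconds
    op: int      # REQUEST or REPLY
    smac: str    # sender hardware address
    sip: str     # sender protocol address
    tmac: str    # target hardware address
    tip: str     # target protocol address


def detect_arp_spoofing(packets, gateway_ip=None, window=5.0):
    """Replay ARP packets in order and return a list of alert tuples.

    Three signals, which together are the shape of Cain's APR:
      UNSOLICITED_REPLY        a reply that answers no request seen within `window`
      BINDING_CHANGED          an IP that was bound to one MAC now claims another
                               (GATEWAY_BINDING_CHANGED when the IP is the gateway)
      MAC_CLAIMS_MULTIPLE_IPS  one MAC answering for several IPs (router AND victim)
    """
    binding = {}                  # ip -> first MAC seen for it (the baseline)
    ips_of = defaultdict(set)     # mac -> every ip it has claimed
    pending = {}                  # (asker_ip, asked_ip) -> time of the request
    alerts = []
    for p in packets:
        if p.op == REQUEST:
            pending[(p.sip, p.tip)] = p.t
        elif p.op == REPLY:
            asked = pending.pop((p.tip, p.sip), None)
            if asked is None or p.t - asked > window:
                alerts.append(('UNSOLICITED_REPLY', p.sip, p.smac, p.tip))
        else:
            continue
        # Both requests and replies carry the sender's ip->mac binding.
        known = binding.setdefault(p.sip, p.smac)
        if known != p.smac:
            kind = 'GATEWAY_BINDING_CHANGED' if p.sip == gateway_ip else 'BINDING_CHANGED'
            alerts.append((kind, p.sip, known, p.smac))
        claimed = ips_of[p.smac]
        if p.sip not in claimed:
            claimed.add(p.sip)
            if len(claimed) > 1:
                alerts.append(('MAC_CLAIMS_MULTIPLE_IPS', p.smac, tuple(sorted(claimed))))
    return alerts


# Constructed packets: normal resolution first, then the poisoning.
GW_MAC = '00:11:22:33:44:01'
VICTIM_MAC = '00:11:22:33:44:05'
ATTACKER_MAC = '00:11:22:33:44:99'
ZERO = '00:00:00:00:00:00'

SAMPLE_PACKETS = [
    Arp(0.0, REQUEST, VICTIM_MAC, '10.0.0.5', ZERO, '10.0.0.1'),       # victim: who has the router?
    Arp(0.1, REPLY, GW_MAC, '10.0.0.1', VICTIM_MAC, '10.0.0.5'),       # router answers
    Arp(1.0, REQUEST, ATTACKER_MAC, '10.0.0.66', ZERO, '10.0.0.1'),    # attacker's own normal ARP
    Arp(1.1, REPLY, GW_MAC, '10.0.0.1', ATTACKER_MAC, '10.0.0.66'),
    # APR starts: attacker tells the victim it is the router, and the router it is the victim
    Arp(30.0, REPLY, ATTACKER_MAC, '10.0.0.1', VICTIM_MAC, '10.0.0.5'),
    Arp(30.0, REPLY, ATTACKER_MAC, '10.0.0.5', GW_MAC, '10.0.0.1'),
]

if __name__ == '__main__':
    for alert in detect_arp_spoofing(SAMPLE_PACKETS, gateway_ip='10.0.0.1'):
        print(alert)
```

A real monitor would keep the baseline for longer than one capture and let an operator confirm legitimate MAC changes (a replaced router, DHCP churn). The countermeasures are the same ones this tutorial is silently relying on the victim not having: a static ARP entry for the gateway on the client, or Dynamic ARP Inspection on a managed switch, both of which make the attacker's unsolicited replies useless.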

This concludes the (brief) walkthrough of how to wardrive using Windows, crack WiFi passwords using Aircrack-ng (with a bypass for CommView for WiFi's evaluation period), spoof a MAC address for anonymity, and steal cookies and login info to top it all off.

If you are afraid that someone may be able to see your data, use Anonbrowse (Included in the package).

Wednesday, 18 May 2011

Cain and Abel

THIS WAS WRITTEN FOR EDUCATIONAL PURPOSES ONLY!

What you will need:

1. current version of Cain from www.oxid.it

2. Windows 2000 or Windows XP SP1 workstation

Getting started:

Cain and Abel needs administrative privileges, and some of its features work best as SYSTEM. On Windows XP an administrator can get a SYSTEM shell through the Task Scheduler service, which runs as SYSTEM:


1) Start > Run, type cmd
2) type at <a time one minute ahead of the current time, in 24-hour format> /interactive cmd.exe
Example: at 15:22 /interactive cmd.exe
3) A command prompt running with SYSTEM privileges will open up within a minute.
4) Use that command prompt to open Cain (navigate to the Cain directory).
Example: "C:\Program Files\Cain\Cain.exe"

Hacking Security Forum

1. Enumerate the computers on the network

2. connect to a computer and install the Abel remote app

3. Harvest user account information

4. Crack user account information passwords to get the admin account

5. Login to the target machine with the admin account

6. Install the Abel service on the target server

7. Harvest all of the hashes from a server and send them to the cracker

Once we have the admin account on the server, the rest is up to you.

First things first, after you launch the application you will need configure the Sniffer to use the appropriate network card. If you have multiple network cards, it might be useful to know what your MAC address is for your primary connection or the one that you will be using for Cain network access. You can determine your MAC address by performing the following steps:

1. Go to “Start”

2. Run

3. type "cmd" and press Enter

4. A black window will appear

5. Enter the following information into the window without the quotes

“Ipconfig /all” and then Enter

6. Determine which one of the Ethernet adapters you are using and copy the MAC address to notepad. You use this to help determine which NIC to select in the Cain application

With the Cain application open, select the Configure option on the main menu bar at the top of the application. The Configuration dialog box will appear. From the list select the device with the MAC address of the Ethernet or wireless network card that you will be using. While we are here, let's review some of the other tabs and information in the Configuration dialog box. Here is a brief description of each tab and its configuration:

1. Sniffer Tab: allows the user to specify the Ethernet interface and the start up options for the sniffer and ARP features of the application.

2. ARP Tab: Allows the user, in effect, to lie to the network and tell all of the other hosts that your MAC address belongs to the IP of a more important host on the network, like a server or router. This feature is useful in that you can impersonate the other device and have all traffic for that device "routed" to your workstation. Keep in mind that servers and routers are designed for multiple high-capacity connections. If the device that you are operating from cannot keep up with the traffic generated by this configuration, the target network will slow down and even come to a halt. This will surely lead to your detection and eventual demise as a hacker, as the event is easily detected and tracked with the right equipment.

3. Filters and Ports: Most standard services on a network operate on predefined ports, which are defined under this tab. If you right-click on one of the services you will be able to change both the TCP and UDP ports. This will not be necessary for this tutorial, but will be useful in future tutorials.

4. HTTP Fields: Several features of the application such as the LSA Secrets dumper, HTTP Sniffer and ARP-HTTPS will parse the sniffed or stored information from web pages viewed. Simply put, the more fields that you add to the HTTP and passwords field, the more likely you are to capture a relevant string from an HTTP or HTTPS transaction.

5. Traceroute: It is what it is, trace route or the ability to determine the path that your data will take from point A to point B. Cain adds some functionality to the GUI by allowing for hostname resolution, Net mask resolution, and Whois information gathering. This feature is key in determining the proper or available devices to spoof or siphon on your LAN or internetwork.

Ok, So now you have everything all set and you are ready to rumble, as it were. Now, after I select the adapter on the sniffer tab, I generally set the sniffer to start on start up and then select apply. Do not enable the arp poisioning at this point, you will not need it and if this is your first exposure to Cain and or hacking, you will just get yourself caught with the ARP stuff. I generally stop and start the application at this point to get a clean start and reload the application with my intended settings.

So, launch the app and make sure that the first icon on the Left that looks like a miniature Ethernet card appears depressed. This indicates that the sniffer is activated. At this point, it is time to get a cup of coffee and let the app just sit. Yep, that is right, just leave it running and don’t touch anything. The reason for this is that not every device is talking all of the time and some protocols only talk on specific intervals. You will need to wait at least 300 seconds to ensure that the Cain sniffer has heard from each protocol at least once. This is most germane to routing protocols, but I have seen it take this long or longer to see all of the hosts on a LAN.

NOTE: The next section makes the assumption that you have properly configured your Ethernet interface with an IP address that is correct for your network and that you have logical connectivity to the target hosts.

At this point you are asking your self “Are we ever going to start hacking…?”

Let’s hack then. Go to the network tab and double click on the Microsoft windows network under the Entire Network navigation tree. After a few moments, the tree will expand and show each of the workgroups and domains that are accessible to your network card. From here select your target network and click the “+” symbol to the Left to open the tree.

Understanding that servers generally have, or are supposed to have, more security than the other devices on the network, it is generally better to go for a workstation over a server out of the gate. Also, some servers will have monitoring agents on them that could detect what is going to happen next.

Double-click on the All Computers object in the tree under the target network section. Now look at the names of all of the devices listed. Many times the administrator will name the servers with some naming convention that will single them out in no time flat. Try to use the naming convention to your advantage and look for a PC that is potentially used by multiple people. Key giveaways are names like scanner1, receptionist or lab. These machines will have several accounts on them and one of them is likely to be an admin account. These machines are key targets for two reasons. One, they are generally set up in a hurry when the company first sets up the network, at a time when security is an afterthought, and as such they are likely to have default configurations for the local admin. Secondly, they generally have several apps on them and lots of people use them. With multiple applications, excessive rights are often granted to all users to ensure that everyone can use the app that they need. Anyway, back to the hack….

When you click on your target, you will see 4 new objects in the tree under your target: Groups, Services, Shares and Users. "Users" is what you want first. Double-click on the Users object icon and select Yes to start the user enumeration. Caution! Do not go for the history information at this time; we will get to that later. After all of the user accounts are enumerated they will be listed in alphabetical order and the local administrator will have a large red A in front of it.

Ok, here we go. Go back to the computer object of the computer that you just enumerated and right-click on it. Select the Connect As option. Just for fun, if the Administrator account has not been renamed, it is likely that it will have a blank password or something fairly simple. Try to log in with the user account Administrator and a blank password. In about 70% of my experience at this point, the hack is over for the local machine and you are in and can start playing.

If it worked, right-click on the "Services" object for the device that you have just logged into and select Install Abel. Cain will install Abel.exe and Abel.dll into %systemroot% on the target machine. Collapse the computer object and then re-expand it by double-clicking on the computer object icon and you should see a black square with a blue A in the middle directly under the computer object in the tree. (I get excited just thinking about it.) At this point you have the keys to the castle, you just need to see which key goes where.

First let's get the hashes ready to crack. Double-click on the Users object in the tree. Say No to the history pop-up for now. Select all of your users, right-click on an account and select "Send all to cracker." Leave them for now, we will come back to them. What you have just done is load the cracker with the LM and NT hashes for every account on the target PC.

Now, if you have been following the book, you will remember the endless posts on hackerthreads that talked about using the command line to get at certain directories on a target machine; well, here is where they come into play. (If you are not too familiar with the command line, please refer to the Glossary of this book and review the command line hacking section. There are many useful tools there, like adding users and computers to domain security groups.)

Let’s go over our options:

Console: This is the command prompt on the remote machine. Anything that you can do on your pc from the CMD prompt can be done from here. Examples include mapping a drive back to your pc and copying all the files from the target or its mapped drives to your machine for later data mining, adding local users to the local security groups or anything really. With windows, everything is possible from the command prompt.

Hashes: Allows for the enumeration of user accounts and their associated hashes with further ability to send all harvested information to the cracker.

LSA Secrets: Windows NT and Windows 2000 support cached domain logons. By default the operating system caches credentials for the last 10 domain logons (stored locally as hashes, not passwords). There are registry settings to turn this feature off or restrict the number of accounts cached. RAS dial-up account names and passwords are stored in the registry. Service account passwords are stored in the registry. The password for the computer's machine account, used to communicate with the domain, is stored in the registry. FTP passwords are stored in the registry. All these secrets are stored under the registry key HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets.

Routes: From this object, you can determine all of the networks that this device is aware of. This can be powerful if the device is multihomed on two different networks, but you read about all of that in chapter 5 – Heard, but Not Seen, right?

TCP Table: A simple listing of all of the processes and ports that are running and their TCP session status.

UDP Table: A simple listing of all of the processes and ports that are running and their UDP session status.

Ok, back to the hack. For those of you that did not get in with the admin account with no password, another trick is to try to log in to each account in the list with the same password as the username. For example, right-click on the computer object in the tree and try to log in with one of the user account names, using the username as the password. If that does not work, then try each one with no password. I have only run into one network where these two things did not work. Also, the LSA Secrets tree object will dump the following user accounts in plain text for you if they are present:

$Machine Account

Aspnet_WP_PASSWORD

L$******************** (this is the currently logged on user with the password)

L$******************** (this will be every user that has logged in, up to the total number of cached logons)

RASDAILPARAMERTERS (these are present if RAS is configured and has been used)

Backup user accounts

Misc other accounts

Note: when you see the account in plain text, it will have separators: the secret is stored as UTF-16, so every other byte is a NUL, which shows up as a dot. When you type the password into a logon, omit the extra dots. For example, the password Ramius!@# will show up as R.a.m.i.u.s.!.@.#; all that you type is Ramius!@#.

OK, so far we have accomplished the following goals:

1. Enumerate the computers on the network

2. connect to a computer and install the Abel remote app

3. Harvest user account information

We still need to finish the hack by performing the following steps and then move the hack to a server or more valuable target.

1. Crack user account information passwords to get the admin account

2. Login to the target machine with the admin account

3. Install the Abel service on the target server

4. Harvest all of the hashes from a server and send to the cracker

5. Crack all of the accounts

Well, we learned in chapter 2 that staying focused is the key to hacking, so let's get back to it. In the Cain application, let's go to the "Cracker" tab and have a look.

The cracker tab has two basic parts. On the left are all of the hash types that Cain will crack for you. On the right are all of the associated hashes with their usernames. What we need to do is determine the password from the hash.

Note: Now would be a good time to copy the rainbow tables and password lists from the CD’s found in the back of the book to a directory on your local machine. The use of the rainbow tables will greatly increase the speed and efficiency of the cracking process as will the dictionary files included on the CDs.

Cain provides three options for determining the password from a harvested hash: dictionary guessing, bruting and cryptanalysis. The preferred method is cryptanalysis, as it is by far the fastest if you have the tables generated. As stated in chapter 1, it would be a good idea to have tables generated for all of the possible password variants from 1 to 7 characters, with all possible combinations of letters, numbers and symbols. Dictionary cracking is by far the easiest to set up, and every hacker should have extensive lists available to use.

In this appendix we are going to explore all three options.

First, let's look at what we can tell so far from the hashes and the Cain application. One of the column headings reads <8. An "*" in that column means the password is fewer than 8 characters. These will be the easiest to brute, as they can be bruted in about 5.5 hrs with a marginal processor and memory. You can sort all of the hashes by size by clicking on the header bar at the top of the column. On the PC that I am hacking for this tutorial, I have 13 hashes and 7 of them appear to be fewer than 8 characters, so we will start with dictionary cracking first.

Dictionary Cracking – Select all of the hashes and select Dictionary Attack (LM). You could select the NTLM, but the process is slower, and with few exceptions the NTLM and NT passwords are the same and NT cracks (guesses) faster. In the Dictionary window, you will need to populate the File window with each of your dictionary files. (Move the files from the CDs to your hard drive or it will take significantly longer than necessary.) Check the following boxes: As is Password, Reverse, Lowercase, Uppercase, and Two numbers.

Dictionary Cracking

Click start and watch Cain work. The more lists and words that you have, the longer it will take. When Cain is finished, click exit and then look at the NT password column. All of the passwords cracked will show up next to the now <insert your name here> owned accounts. Voila!

Take a second to look carefully at the accounts and passwords in the list. Look for patterns like the use of letters and characters in sequence. Many administrators use recurring patterns to help users remember their passwords. One time I found a network where the passwords were the first three letters of the first name and the three-letter abbreviation of the month that the password was set. Example: Ramius, with a password reset in November, would have a password of RAMNOV. If you can identify patterns like this, you can use word generators to create all possible combinations and shorten the window.

Cryptanalysis attacking

Alright then… Re-sort your hashes to single out the accounts that you have left to crack. Now select all of the uncracked or unguessed accounts, right click on them again and select Cryptanalysis (LM). Add the tables that you copied from the CD to Cain's "LM hashes Cryptanalysis Sorted rainbow tables" window. Click start. This should go pretty quickly. Voila! Take a second to review your progress and look for additional patterns.

At this point, I would grab a program like sam grab that has the ability to determine which accounts are members of the Domain Administrators group, to see if you have gotten any admin-level accounts. Once you move to the next step, which is bruting, most of what you have left are long passwords that are going to be difficult and time consuming. Any time-saver applications that you can find will be helpful.

Bruting

Repeat the same process for selecting the accounts. Here is the first time that you will actually have to use your brain in this appendix. Bruting can be extremely time consuming. Look closely at all of the passwords that you have cracked and look for patterns. First, do you see any special characters in any of the passwords cracked? How about numbers? A lot of all-uppercase or all-lowercase? Use what you see to help you determine what parameters to include when you are bruting. As you will see, the addition of a single character or symbol can take you from hours to days or even years to crack a password. The goal is to use the fewest characters and symbols that will get the account that you need. So let's finish it off. Select all of the uncracked accounts, follow the previous steps and select Brute Force (LM). The default for LM is A-Z and 0-9; this is due to the nature of LM hashes and the way that they are stored. Another note is that sometimes you will see a "?" or several "????" and then some numbers or letters. This is also due to the nature of NT versus NTLM and the method that NT used to store passwords. If you read chapter 2, you already know why this is. If not, see if you can find a repeating structure that is based on the number 7. Anyway, based on the other passwords and on which accounts have an "*" in the <8 field, decide how many characters to specify in the password length pull-down box. Make your selection and have at it. Holy crap Batman… 123749997 years to completion. If you see this, then you should rethink the need for this account. However, working with the application, rainbow tables and password generators can help you narrow down to reasonable time frames to get the job done.
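The "<8" column mentioned earlier and the "structure based on the number 7" above are both visible in the raw hash. The following script is an added example written for this page from the auditing side; it is not Cain's code or output. It parses constructed pwdump-style lines (user:rid:lm_hash:nt_hash:::), reads the LM hash the same way Cain does to decide whether a password is under 8 characters, and compares the number of candidates a brute-force run has to cover for LM (two independent 7-character halves, uppercased) against NT (a single case-preserving string up to 14 characters). The only real value in it is the well-known constant that LM produces for an all-NUL half; every other hash in the sample is made-up hex.

```python
"""Audit of pwdump-style hash lines: what Cain's "<8" column is reading
from an LM hash, and why LM passwords brute so much faster than NT ones.
Added example for this tutorial; it is not Cain's code or output."""

from dataclasses import dataclass

# DES of the LM constant under an all-NUL 7-byte key.  LM pads the password
# to 14 bytes and hashes each 7-byte half on its own, so a password shorter
# than 8 characters always leaves this constant as its second half.
EMPTY_LM_HALF = "aad3b435b51404ee"
NO_LM_HASH = EMPTY_LM_HALF * 2          # empty password, or LM storage disabled

LM_CHARSET = 69    # printable ASCII minus lowercase (LM uppercases first)
NT_CHARSET = 95    # full printable ASCII, case preserved
LM_HALF_LEN = 7
NT_MAX_LEN = 14    # longest password that still produces an LM hash at all

# Constructed sample in pwdump format (user:rid:lm_hash:nt_hash:::).
# The non-constant LM halves and the NT hashes are made-up hex, not real digests.
SAMPLE_PWDUMP = """\
alice:1001:aad3b435b51404eeaad3b435b51404ee:11223344556677889900aabbccddeeff:::
bob:1002:0123456789abcdefaad3b435b51404ee:ffeeddccbbaa00998877665544332211:::
carol:1003:0123456789abcdeffedcba9876543210:00112233445566778899aabbccddeeff:::
"""


@dataclass
class HashRecord:
    user: str
    rid: int
    lm_hash: str
    nt_hash: str


def parse_pwdump(text):
    """Parse pwdump lines into records; reject anything that is not 32 hex chars."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"malformed pwdump line: {line!r}")
        lm, nt = parts[2].lower(), parts[3].lower()
        for h in (lm, nt):
            if len(h) != 32 or any(c not in "0123456789abcdef" for c in h):
                raise ValueError(f"bad hash for {parts[0]}: {h}")
        records.append(HashRecord(parts[0], int(parts[1]), lm, nt))
    return records


def classify_lm(lm_hash):
    """'none' (no LM hash), 'short' (<8 chars, Cain's '*'), or 'long' (8-14 chars)."""
    lm_hash = lm_hash.lower()
    if lm_hash == NO_LM_HASH:
        return "none"
    if lm_hash[16:] == EMPTY_LM_HALF:
        return "short"
    return "long"


def keyspace(charset_size, max_len):
    """Number of candidate passwords of length 1..max_len over the charset."""
    return sum(charset_size ** k for k in range(1, max_len + 1))


def audit(text):
    """One finding per account that still has an LM hash, with the LM vs NT brute-force cost."""
    findings = []
    for rec in parse_pwdump(text):
        kind = classify_lm(rec.lm_hash)
        if kind == "none":
            continue
        halves = 1 if kind == "short" else 2
        findings.append({
            "user": rec.user,
            "lm": kind,
            # each 7-char half is attacked on its own, so the cost adds, never multiplies
            "lm_candidates": halves * keyspace(LM_CHARSET, LM_HALF_LEN),
            # worst case for the NT hash of the same (at most 14-char) password
            "nt_candidates": keyspace(NT_CHARSET, NT_MAX_LEN),
            "fix": "set NoLMHash and have the password reset so no LM hash is stored",
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PWDUMP):
        print(f"{f['user']}: LM {f['lm']}, {f['lm_candidates']:.2e} LM candidates "
              f"vs {f['nt_candidates']:.2e} NT candidates; {f['fix']}")
```

Run it against a real pwdump export and every account it lists is one where the LM hash, not the NT hash, sets the cracking time; the fix column is the same for all of them, since once LM storage is off and the password has been reset, the "<8" shortcut disappears.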

OK, so now we have our admin account and are ready to finish the hack. Go back to the Network tab in the Cain application and select the Domain Controllers object under the same domain as the PC from which you harvested the hashes. Double click. Now look through the servers in the domain and select your target. If you find one with PDC or BDC in the list, pick that one. Right click on the server, select Connect As and enter the "hacked credentials." Now go to the Services object, right click again and install the service. Voila! You have admin and likely every other type of access to the target host!

Now you can repeat the steps to finish the hack.

And this concludes our hack, as we have accomplished each of our goals.

Some things to consider:

When you exit the Cain application, all of the password hashes and cracked accounts will be saved and can be cracked later from a remote location. They can also be used against you in court as evidence.

Also, you can export all of the hashes to an .lc or text file and open the file in Excel to perform some additional sorting and the like.

All of the devices that you infected with Abel.exe and Abel.dll will have the Abel.exe service running, and because the list is alphabetical, it will always be at the top of the list. Any admin, even a poor one, will question the presence of a new service. And there are ways to trace the install time and the originating IP and MAC address of the installing machine back to YOU. Read Chapter 5 – Heard but not seen! Covering your tracks… It is everything. Here is a hint. Enable the telnet service, connect to the hacked host, and from the command prompt use the following commands:

Net stop abel.exe

Cd %windir%

Del abel.*

CD %windir%/system32

Del abel.*

Exit

Once this is complete, you will have to reinstall the Abel client app to reconnect through Cain. Oh, and there is that bit about the event and security logs…. But that is another tutorial……
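The new service the text says any admin will notice is also the one thing the cleanup above cannot take back: the install is recorded in the System log before the binary is deleted. The following is an added example from the defender's side, not part of the tutorial and not anything Cain or Abel ships. It runs a small detector over constructed, simplified records modelled on the shape of System-log events 7045 (a service was installed) and 7036 (a service entered the running or stopped state), and flags installs whose binary was dropped straight into a system directory or that were stopped again unusually soon after they appeared. The event fields, paths and times are all constructed for the example.

```python
"""Spotting a freshly installed, short-lived service in exported System-log
records.  Added example for the defender's side of this tutorial; it is not
part of Cain/Abel.  The records are constructed and simplified from the shape
of System-log events 7045 (service installed) and 7036 (state change)."""

from datetime import datetime, timedelta

# Directories where third-party services rarely live; a new service whose
# binary sits directly in one of them deserves a second look.
SYSTEM_DIRS = (r"c:\windows", r"c:\windows\system32")
SHORT_LIFETIME = timedelta(hours=24)   # install -> stop faster than this is odd

# Constructed sample: one ordinary agent install, one service that appears in
# %windir% in the middle of the night and is stopped again 38 minutes later.
SAMPLE_EVENTS = [
    {"time": "2011-05-19T09:00:00", "id": 7045, "service": "BackupAgent",
     "image": r"C:\Program Files\ExampleBackup\agent.exe", "account": "LocalSystem"},
    {"time": "2011-05-19T09:00:01", "id": 7036, "service": "BackupAgent", "state": "running"},
    {"time": "2011-05-20T01:02:03", "id": 7045, "service": "Abel",
     "image": r"C:\Windows\Abel.exe", "account": "LocalSystem"},
    {"time": "2011-05-20T01:02:04", "id": 7036, "service": "Abel", "state": "running"},
    {"time": "2011-05-20T01:40:00", "id": 7036, "service": "Abel", "state": "stopped"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def install_dir(image_path):
    """Lower-cased directory part of a service binary path (Windows separators)."""
    path = image_path.strip('"').lower()
    return path.rsplit("\\", 1)[0] if "\\" in path else ""


def find_suspicious_installs(events):
    """Return one finding per 7045 record that trips at least one rule."""
    events = sorted(events, key=_ts)
    findings = []
    for e in events:
        if e["id"] != 7045:
            continue
        reasons = []
        if install_dir(e["image"]) in SYSTEM_DIRS:
            reasons.append("binary dropped directly into a system directory")
        # first stop of this service after it was installed
        for later in events:
            if (later["id"] == 7036 and later["service"] == e["service"]
                    and later.get("state") == "stopped" and _ts(later) > _ts(e)):
                lifetime = _ts(later) - _ts(e)
                if lifetime < SHORT_LIFETIME:
                    reasons.append(f"stopped {lifetime} after install")
                break
        if reasons:
            findings.append({"service": e["service"], "installed": e["time"],
                             "image": e["image"], "account": e["account"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_installs(SAMPLE_EVENTS):
        print(f"{f['installed']} {f['service']} ({f['image']}, as {f['account']}): "
              + "; ".join(f["reasons"]))
```

The same two rules work on real exports once the records are mapped to the field names used here; forwarding the System log off the host is what keeps the 7045 record alive after the "that bit about the event and security logs" the author alludes to.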

( I will update this portion later, it is getting late, but check back cause there will be a ton of references and additional links)

Definitions:

MAC: Media Access Control – In computer networking, a media access control address (MAC address) is a code on most forms of networking equipment that allows that device to be uniquely identified. Each manufacturer of network cards has been assigned a predefined range or block of numbers. The structure and other uses of MAC addressing are defined in the Intro to Networking appendix at the end of this book. Information about the manufacturer block assignments for MAC addresses can also be found at the following site: http://standards.ieee.org/regauth/oui/index.shtml.

Sniffing: Sniffing is the act or process of "listening" to some or all of the information that is being transmitted on the network segment that a device is on. On an OSI Model Layer 1 network, even the most basic sniffers are capable of "hearing" all of the traffic that is sent across a LAN. Moving to a Layer 2 network complicates the process somewhat; however, tools like Cain allow for the spanning of all ports to allow the exploitation of Layer 2 switched networks.

ARP: Address Resolution Protocol – a TCP/IP function for associating an IP address with a link-level address. Understanding ARP and its functions and capabilities is a key skill for hackers and security professionals alike. A basic understanding of ARP is necessary to properly utilize all of the functions that Cain is capable of.
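The reason ARP matters to both sides is that a switched segment trusts ARP replies without any authentication, so a host that answers for an address it does not own gets that address's traffic. The following is an added example from the defender's side of the definition; it is not part of the tutorial or of Cain. It keeps a small ARP table from a constructed stream of replies (timestamp, sender IP, sender MAC, all made up) and raises an alert when a reply contradicts a static entry, changes a binding that was already learned, or shows one MAC answering for more addresses than it should.

```python
"""Detecting ARP cache poisoning from a stream of ARP replies.  Added example
for the defender's side of the ARP definition; not part of the tutorial.
The replies are constructed and simplified to (timestamp, sender IP, sender MAC)."""

from collections import defaultdict

# Constructed baseline: addresses a well-run segment expects to stay fixed.
STATIC_MAP = {"192.168.1.1": "00:11:22:33:44:55"}   # the gateway (made-up MAC)

SAMPLE_ARP_REPLIES = [
    ("2011-05-20T01:00:00", "192.168.1.1",  "00:11:22:33:44:55"),
    ("2011-05-20T01:00:05", "192.168.1.20", "00:aa:bb:cc:dd:20"),
    ("2011-05-20T01:00:10", "192.168.1.21", "00:aa:bb:cc:dd:21"),
    ("2011-05-20T01:01:00", "192.168.1.1",  "00:aa:bb:cc:dd:99"),  # a new MAC claims the gateway
    ("2011-05-20T01:01:01", "192.168.1.20", "00:aa:bb:cc:dd:99"),  # ...and then a host as well
]


def detect_arp_spoofing(replies, static_map=STATIC_MAP, max_ips_per_mac=1):
    """Return (timestamp, kind, ip, mac) alerts for replies that contradict the
    static map, change a learned IP->MAC binding, or show one MAC answering
    for more IPs than max_ips_per_mac allows."""
    learned = dict(static_map)         # the table we would be willing to trust
    ips_by_mac = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in static_map and mac != static_map[ip]:
            alerts.append((ts, "static-mismatch", ip, mac))
        elif ip in learned and learned[ip] != mac:
            alerts.append((ts, "binding-changed", ip, mac))
        learned.setdefault(ip, mac)    # keep the first binding seen, never overwrite
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > max_ips_per_mac:
            alerts.append((ts, "mac-claims-multiple-ips", ip, mac))
    return alerts


if __name__ == "__main__":
    for ts, kind, ip, mac in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(f"{ts} {kind}: {ip} now answered by {mac}")
```

The multiple-IP rule needs tuning on real networks (a router or a virtualization host legitimately answers for several addresses), which is why the limit is a parameter; the static-mismatch rule on the gateway is the one that fires first when a segment is being poisoned.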