วันเสาร์ที่ 29 สิงหาคม พ.ศ. 2563

Hacking Windows 95, Part 2

In the Hacking Windows 95, part 1 blog post, we covered that through a nasty bug affecting Windows 95/98/ME, the share password can be guessed in no time. In this article, I'm going to try to use this vulnerability to achieve remote code execution (with the help of publicly available tools only).

The first thing we can do when we have read access to the Windows directory through the share, is to locate all the *.pwl files on the c:\windows directory, copy them to your machine where Cain is installed, switch to Cracker tab, pwl files, load the pwl file, add username based on the filename, and try to crack it. If you can't crack it you might still try to add a .pwl file where you already know the password in the remote windows directory. Although this is a fun post-exploitation task, but still, no remote code execution. These passwords are useless without physical access.


One might think that after having a share password and user password, it is easy to achieve remote code execution. The problem is:
  • there is no "at" command (available since Windows 95 plus!)
  • there is no admin share
  • there is no RPC
  • there is no named pipes
  • there is no remote registry
  • there is no remote service management
If you think about security best practices, disabling unnecessary services is always the first task you should do. Because Windows 95 lacks all of these services, it is pretty much secure!

During my quest for a tool to hack Windows 95, I came across some pretty cool stuff:
LanSpy

But the best of the best is Fluxay, which has been written by chinese hackers. It is the metasploit from the year 2000. A screenshot is worth more than a 1000 words. 4 screenshot > 4 thousand words :)





It is pretty hard to find the installer, but it is still out there!

But at the end, no remote code execution for me.

My idea here was that if I can find a file which executes regularly (on a scheduled basis), I can change that executable to my backdoor and I'm done. Although there is no scheduler in the default Windows 95, I gave it a try. 

Let's fire up taskman.exe to get an idea what processes are running:


Looks like we need a more powerful tool here, namely Process Explorer. Let's try to download this from oldapps.com:


LOL, IE3 hangs, can't render the page. Copying files to the Win95 VM is not that simple, because there are no shared folders in Win95 VM. And you can't use pendrives either, Win95 can't handle USB (at least the retail version). After downloading the application with a newer browser from oldapps, let's start Process Explorer on the test Windows 95.


Don't try to download the Winsocks 2 patch from the official MS site, it is not there anymore, but you can download it from other sites

Now let's look at the processes running:


After staring it for minutes, turned out it is constant, no new processes appeared.
Looking at the next screenshot, one can notice this OS was not running a lot of background processes ...


My current Win7 has 1181 threads and 84 processes running, no wonder it is slow as hell :)

We have at least the following options:
  1. You are lucky and not the plain Windows 95 is installed, but Windows 95 Plus! The main difference here is that Windows 95 Plus! has built-in scheduler, especially the "at" command. Just overwrite a file which is scheduled to execution, and wait. Mission accomplished!
  2. Ping of death - you can crash the machine (no BSOD, just crash) with long (over 65535 bytes) ICMP ping commands, and wait for someone to reboot it. Just don't forget to put your backdoor on the share and add it to autoexec.bat before crashing it. 
  3. If your target is a plain Windows 95, I believe you are out of luck. No at command, no named pipes, no admin share, nothing. Meybe you can try to fuzz port 137 138 139, and write an exploit for those. Might be even Ping of Death is exploitable?
Let's do the first option, and hack Windows 95 plus!
Look at the cool features we have by installing Win95 Plus!


Cool new boot splash screen!


But our main interest is the new, scheduled tasks!


Now we can replace diskalm.exe with our backdoor executable, and wait maximum one hour to be scheduled.

Instead of a boring text based tutorial, I created a YouTube video for you. Based on the feedbacks on my previous tutorialz, it turned out I'm way too old, and can't do interesting tutorials. That's why I analyzed the cool skiddie videoz, and found that I have to do the followings so my vidz won't suck anymore:
  • use cool black windows theme
  • put meaningless performance monitor gadgets on the sidebar
  • use a cool background, something related with hacking and skullz
  • do as many opsec fails as possible
  • instead of captions, use notepad with spelling errorz
  • there is only one rule of metal: Play it fuckin' loud!!!!

Continue reading


  1. Hack Tools For Mac
  2. Best Pentesting Tools 2018
  3. Wifi Hacker Tools For Windows
  4. Hacker Tools Windows
  5. Ethical Hacker Tools
  6. Hacking Tools Free Download
  7. Hacking Tools Software
  8. Hacker Tools For Mac
  9. Hacking Tools 2020
  10. Tools For Hacker
  11. Hacking Tools For Windows 7
  12. Hacking Tools For Games
  13. Hacker Tools For Pc
  14. Hacker Tools Apk
  15. Black Hat Hacker Tools
  16. Hack Tools Pc
  17. Pentest Tools Download
  18. Android Hack Tools Github
  19. Pentest Box Tools Download
  20. Hacking Apps
  21. Pentest Tools
  22. Hacker Tools 2020
  23. Pentest Tools For Android
  24. Hack Website Online Tool
  25. Hack Tools Github
  26. Hacking Tools For Pc
  27. Hacking Tools Mac
  28. Android Hack Tools Github
  29. Hack App
  30. Hacker Tools For Windows
  31. Android Hack Tools Github
  32. Pentest Tools Free
  33. Hak5 Tools
  34. Pentest Tools Url Fuzzer
  35. Hacker Hardware Tools
  36. New Hack Tools
  37. Github Hacking Tools
  38. Hacker Tools Free Download
  39. Pentest Tools Website Vulnerability
  40. Pentest Tools Online
  41. Termux Hacking Tools 2019
  42. Tools Used For Hacking
  43. Github Hacking Tools
  44. Beginner Hacker Tools
  45. Hack Tools 2019
  46. Pentest Tools Online
  47. Hacking Tools Online
  48. Hack And Tools
  49. Hacker Tools Software
  50. Physical Pentest Tools
  51. Install Pentest Tools Ubuntu
  52. Hack Tools For Pc
  53. Hak5 Tools
  54. Hacking Tools Software
  55. Termux Hacking Tools 2019
  56. Termux Hacking Tools 2019
  57. Hacker Tools Online
  58. Best Hacking Tools 2019
  59. Best Pentesting Tools 2018
  60. Growth Hacker Tools
  61. Tools 4 Hack
  62. Hacker Tools Linux
  63. Hack Tools 2019
  64. What Are Hacking Tools
  65. Hacker Security Tools
  66. Hacker Tools For Ios
  67. Hacker Tools Software
  68. Hack Tools For Ubuntu
  69. Pentest Tools Online
  70. Pentest Tools Alternative
  71. Pentest Tools Website Vulnerability
  72. Hacking Tools Kit
  73. Hacking Tools Windows 10
  74. Hack Tool Apk
  75. Pentest Tools Subdomain
  76. Hacker Tools Free
  77. Pentest Tools Nmap
  78. Hack Tools For Games
  79. Hacker Tools For Windows
  80. Pentest Automation Tools
  81. Pentest Tools Android
  82. Pentest Tools Port Scanner
  83. Nsa Hack Tools
  84. Pentest Tools Apk
  85. Pentest Tools Alternative
  86. Black Hat Hacker Tools
  87. Hacker Security Tools
  88. Hacker Tools Linux
  89. Hack Tool Apk No Root
  90. Pentest Tools Review
  91. Nsa Hacker Tools
  92. Hack Tools
  93. Hacks And Tools
  94. Hacking Tools For Games
  95. Hack Tools Pc
  96. Hack Tools For Games
  97. Hack And Tools
  98. Hack Tool Apk
  99. Hacking Tools Kit
  100. Pentest Tools Find Subdomains
  101. Tools Used For Hacking
  102. Pentest Tools Linux
  103. Hacking Tools Windows
  104. Hack Tools For Pc
  105. Nsa Hacker Tools
  106. Hacking Tools Windows
  107. Pentest Tools Windows
  108. Kik Hack Tools
  109. Nsa Hack Tools Download
  110. Hacker Tools For Pc
  111. Pentest Tools For Windows
  112. Hacker Tools For Mac
  113. Growth Hacker Tools
  114. Pentest Tools Online
  115. Install Pentest Tools Ubuntu
  116. Pentest Tools Review
  117. Hack App
  118. Hacker Tools Apk
  119. Pentest Tools Port Scanner
  120. Hacker Security Tools
  121. Pentest Tools Android
  122. Hacker Tools Linux
  123. Nsa Hack Tools Download
  124. Pentest Tools Framework
  125. Pentest Tools For Mac
  126. Hacker Tools For Mac
  127. Hacker Tools Github
  128. Pentest Tools Github
  129. Hacker
  130. New Hacker Tools
  131. Hack Tool Apk
  132. Hacking Tools For Windows Free Download
  133. Hacker Tools Online
  134. Pentest Reporting Tools
  135. Hacking Tools Name
  136. Best Pentesting Tools 2018
  137. Hak5 Tools
  138. Hack Website Online Tool
  139. Pentest Tools
  140. Github Hacking Tools
  141. Pentest Tools Website Vulnerability
  142. Hacker Tools For Pc
  143. Top Pentest Tools
  144. New Hack Tools
  145. Hack Tools Download
  146. Kik Hack Tools
  147. Hack Tools Online
  148. New Hacker Tools
  149. Hack Tools Pc
  150. Hacking Tools Windows 10
  151. Hacker Tools For Pc
  152. Hack Apps
  153. Hacker Tools Free Download
  154. Pentest Tools Android
  155. Pentest Tools Linux
  156. Hack Tools For Ubuntu
  157. Hack Tools Pc
  158. Pentest Automation Tools
  159. Hack Tools Mac
  160. Hacking Tools Pc
  161. Hack Website Online Tool
  162. Pentest Tools Framework
  163. Hack Apps
  164. Hacking Tools Kit
เขียนโดย ที่

ไม่มีความคิดเห็น:

แสดงความคิดเห็น

สมัครสมาชิก: ส่งความคิดเห็น (Atom)