Hello everyone, this is my first post and yeah... it might come in handy for some people. This is the method I used on my school but your school is probably different, so you will have to have some basic knowledge so you can adapt it to your situation. This is designed for penetrating local Windows 7 machines, so there will be extra methods which I haven't mentioned for XP and possibly Vista. I assume you have a bit of knowledge, so if you don't understand anything just ask.
STEP 1 - Try to access command prompt
Depending on your school this could be easy or hard and in most cases pretty pointless (to begin with), but you want it so when you have admin rights you can use it without restrictions, and it also gives you a good idea about the level of security. First try creating a shortcut to the local System32 - 'C:\Windows\System32\cmd.exe'. If that didn't work, try one of these (there are probably more methods but just google them):
- Create a .bat file - in notepad type 'start' and save it as insertnamehere.bat.
- In Microsoft Word go to 'Insert' > 'Insert object'. In 'Create from file' type cmd.exe and hopefully you should now have a link to cmd.
If you successfully got into a command prompt then good for you. Experiment with a few commands to see what the restrictions are and just roam around the local directories. Use net user to find out the local admin account, and then a classic command is to try and change the admin password. The only problem is you need admin privileges to do this... but you might as well try it anyway; you might even find there is no password at all. The command to change it is:
Code:
    net user Administrator *
Step 2 - Access the local Admin / get the password through the NTLM/LM hashes
The best way IMO is to get the password instead of just gaining access, because the password often will get you into many more places and is often needed if you want to do remote shutdowns (my favourite) and other stuff. Plus it's just generally easier. The typical method is to extract the hashes and crack them either by brute forcing them or using rainbow tables. First try using pwdump or OPHcrack to extract the hashes while you're logged in, but this often fails miserably. The next way to get the hashes is to boot from a live CD or USB, but this is probably the hardest part.
- Find a vulnerable bios. This could be very simple or hard. What I found in my school was two things. Firstly most of the computers' BIOSes are locked down pretty tight, but not all of them. They either have no protection whatsoever or they limit you from changing only some settings. So if that is the case try to change the order to boot CD or DVD/USB first. After testing every available computer you now have another option, which is simple but often overlooked. Even though the bios may be locked, the default boot order hasn't been changed from default or the admins are just stupid... Anyway this means that a DVD or USB will be ahead of the HDD in the boot order. If that still doesn't work you can try and find out the backdoor bios password (google it) or use a program that will reset the bios (DE-CMOS2), but I've had very limited success with these.
- Now you've found a vulnerable bios you need to exploit it, obviously. But there are many options now. First I would either boot up into my favourite Linux distro (Puppy Linux for me) and copy the 'config' folder from 'C:\Windows\System32\' onto a USB (or somewhere locally accessible on the local machine - this is where cmd comes in handy). The easier/noobier way is to use the OPHcrack live CD/USB to get the hashes and either write them down, dump them to a file or take a picture of them. If you are running XP try to crack them on the spot using the default OPH tables; it worked for me, but if you are running 7 and the school has a decent password, there isn't much point. Take the hashes or the config folder home and try to crack them using rainbow tables, an online database/decryption service or brute force (popular programs are Cain and OPHcrack). Normally these will work after you give it enough time, but like for me now, the school upped the password complexity after I got caught, so the password is just pointless to try and crack.
If you give up trying to crack the password, don't. But there are other options you can use while you wait for the password to get cracked.
- Boot up into your favourite Linux distro again (one that's capable of NTFS writing) and go to C:\Windows\System32. In here you should find a lot of files... but we only want to find two. First find 'cmd.exe' and duplicate it (copy/paste), then find 'sethc.exe'. Either delete or rename 'sethc.exe' (I normally rename it to 'sethc_b.exe') and then rename the duplicate of 'cmd.exe' to 'sethc.exe'. Reboot the computer and before the log-in screen press Shift five times. A command prompt with SYSTEM privileges will appear. Now do whatever the hell you want to trash the computer... or you could change the admin password.
Unfortunately that doesn't solve the problem if you can't bypass the bios - so what are the other options? OK, so first pretend to be a noob and claim there is something wrong with the computer. Hopefully one of the admins will get off his arse and come and look at it by logging into the local admin account. Two ways you can take advantage of this:
- Film him typing in the password or something; a hardware keylogger would be good for this but not everyone has one.
- What happened at my school (unfortunately after I cracked the password): the admin might accidentally type his password into the user name box... at this point you can just laugh at his noobiness.
STEP 3 - What now?
Well at this point you will either have the password or your own password to the local admin account. From this you gotta decide if you're going to attack the server or just mess around with the local privileges. Attacking the server is risky business because if you are caught you will probably get expelled, but if, like me, you don't cross the line, then you will just end up with a very large warning, several talkings-to, and no school account... Anyway here are a few ideas:
- Remote shutdowns - Use 'shutdown /i' in cmd - This is great for pissing people off and you can shut down whole rooms at a time, but this only works if the admin password on yours is the same as the target computers' (so it won't work if you manually changed the password). Also if rumours are spreading about you then some dickhead little snitch will arise, so be careful.
- Keylogging passwords - This is slightly more advanced to get working for log-in passwords, but I used a standard keylogger, used the 'sethc.exe' hack and installed the keylogger in System32. Great for getting teachers', friends' and enemies' passwords so you could potentially change your grades etc.
- Sniffing the network with Cain - Use Cain to get the hashes to people's accounts as they log on. The only problem with this is that I found the hashes too much effort to crack.
- Get into the server - Personally I didn't do this, but try finding the server in the network tree/listing or get the real admin's account password. Use either one of these to RDP to the server, and then, well... Do whatever you want but be warned you will piss off a lot of people...
So have fun but be cautious not to get caught, and this often means not telling anyone unless you properly trust that they won't gossip. Also unless you don't mind getting expelled, just don't touch the freaking server - I warned you.
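A check for the other side of the table, added by the editor and not part of the post above: a PowerShell script a school admin can run to spot the 'sethc.exe' swap described in Step 2 (and the same swap applied to the other accessibility helpers the logon screen can launch as SYSTEM). It assumes it runs with administrator rights on the machine being checked and targets the PowerShell 2.0 that ships with Windows 7, so it hashes files by hand rather than with Get-FileHash; the helper list and the function names are my own.

```powershell
# Added defensive check (editor's example, not code from the original post).
# Flags accessibility helpers in System32 that are really a copy of cmd.exe,
# and leftover renamed originals such as 'sethc_b.exe'.
# Assumption: run as an administrator; tested syntax is PowerShell 2.0+.

# Helpers that the logon screen can start before anyone has logged in.
$script:Helpers = @('sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe', 'magnify.exe', 'displayswitch.exe')

function Get-Sha256Hex {
    param([string]$Path)
    # Hash the file by hand so this also works on PowerShell 2.0 (no Get-FileHash).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

function Find-SwappedAccessibilityBinaries {
    param([string]$System32 = (Join-Path $env:SystemRoot 'System32'))

    $cmdHash = Get-Sha256Hex -Path (Join-Path $System32 'cmd.exe')

    foreach ($name in $script:Helpers) {
        $path = Join-Path $System32 $name
        if (-not (Test-Path $path)) { continue }

        $hash = Get-Sha256Hex -Path $path
        # The version resource travels with the file: a renamed cmd.exe still says "Cmd.Exe".
        $originalName = (Get-Item $path).VersionInfo.OriginalFilename

        $reasons = @()
        if ($hash -eq $cmdHash) { $reasons += 'SHA-256 identical to cmd.exe' }
        if ($originalName -and ($originalName -ine $name)) {
            $reasons += "version info says original name is $originalName"
        }

        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                File   = $path
                SHA256 = $hash
                Reason = ($reasons -join '; ')
            }
        }
    }
}

function Find-RenamedAccessibilityOriginals {
    param([string]$System32 = (Join-Path $env:SystemRoot 'System32'))
    # Any .exe whose version info claims to be one of the helpers but whose file name
    # differs (e.g. sethc_b.exe) is the original that was moved aside.
    Get-ChildItem -Path $System32 -Filter '*.exe' |
        Where-Object {
            $orig = $_.VersionInfo.OriginalFilename
            $orig -and ($script:Helpers -contains $orig) -and ($orig -ine $_.Name)
        } |
        Select-Object FullName, @{ Name = 'OriginalFilename'; Expression = { $_.VersionInfo.OriginalFilename } }
}

Find-SwappedAccessibilityBinaries | Select-Object File, Reason, SHA256 | Format-Table -AutoSize
Find-RenamedAccessibilityOriginals | Format-Table -AutoSize
```

Any row it prints deserves a look: a helper whose hash equals cmd.exe's, or whose version resource says it started life as cmd.exe, has been swapped, and a file such as sethc_b.exe whose version info says sethc.exe is the original that was moved aside. Since the swap needs an offline boot to perform, the check belongs alongside a BIOS password and an HDD-first boot order, the two things the post itself says stopped it on the locked-down machines.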