Escalating Privilege in Windows Operating Systems


warl0ck7
June 30th, 2003, 11:16 AM
Hi everyone,

In this article I am going to discuss all the methods (almost :)) of obtaining administrative privileges
on a Windows box.

A. Windows 98/95/ME

These do not have any restrictions, but still, if you don't want that login window, do this:

1. When Windows boots, press F8; this will show a menu. Select "safe mode command prompt".
2. Type deltree -y c:\windows *.pwl; this will delete all the password files.
3. Yes, this is it !!! :-)

Note: If you don't want people pressing F8 and getting the startup menu, do the
following: edit Msdos.sys in the root directory and add a line BootKeys=0

B. Windows NT

1. GetAdmin

This exploit adds a user to the administrator group. It works by exploiting
ChangeNtGlobalFlag(GetNtGlobalFlagPtr()); and DLL injection.
Get it from
http://packetstorm.linuxsecurity.com/NT/hack/getadmin.zip

Simply type getadmin or getadmin <user_name> and enjoy.

2. Sechole.exe

By exploiting existing Windows NT services, this exploit can locate a certain
API call in memory (OpenProcess), modify the instructions in a running instance, and gain
Debug-level access to the system, where it then grants the currently logged-in user complete
membership in the Administrators group in the local SAM database.
Get it from

http://packetstorm.linuxsecurity.com/NT/hack/nt-sechole2.zip

Simply execute sechole.exe.
If your machine hangs, reboot and observe that a user will be added to the administrators group.


C. Windows 2000


1. PipeUpAdmin

This exploit uses the Named Pipe vulnerability. As Windows 2000 uses predictable named pipe
names for controlling services, any user process can create a named pipe with the next name
and force a service they can start to connect to the pipe. Once connected, the user process
can impersonate the service.
Get it from

http://content.443.ch/pub/security/blackhat/WinNT%20and%202K/pipeup/W2KPipeUp/PipeUpAdmin.exe

Simply execute PipeUpAdmin, log out and log back in, and you will be added to the administrators
group.

2. NetDDE, GetAd

This exploit uses a security vulnerability in Windows's NetDDE that allows local attackers to
gain arbitrary privileges by causing NetDDE to execute arbitrary code. The exploit
code and binaries can be found at

http://imm.uinc.ru/getad/

Executing getad will spawn a shell running as SYSTEM.



D. Windows XP

1. NetDDE, GetAD2

This exploit is the brother of the Windows 2000 GetAD exploit, and yes, it works. Get it from

http://imm.uinc.ru/getad/

Executing GetAd2 will spawn a shell running as SYSTEM.

E. Windows NT/2000/XP

1. Booting into an alternative OS and deleting the SAM file clears the Administrator password!!!
One can use a Linux floppy with the kernel's NTFS read/write support, or you can use NTFS DOS
Professional for DOS. Visit www.bootdisk.com for more... :-)
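Every technique in the post above ends the same way: an account is added to the local Administrators group. As an added example (not from the thread or from any of the tools it links), here is a small Python audit that parses the output of `net localgroup Administrators` and flags members that are not on an expected list. The sample output, the allowlist and the account names in it are constructed placeholders; the format follows the NT/2000/XP `net localgroup` command-line output.

```python
"""Audit local Administrators group membership from `net localgroup` output.

Added example, not code from the thread. Every exploit listed in the post
ends by adding a user to the local Administrators group, so a simple
control is to compare the group's members against an expected list and
flag anything else. The sample output below is constructed; the account
names in it are placeholders.
"""
import subprocess

# Constructed sample of `net localgroup Administrators` output (NT/2000/XP
# command-line format). Member names here are invented placeholders.
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
jdoe
The command completed successfully.
"""

# Accounts expected to hold local Administrators membership (assumed
# allowlist; compared case-insensitively, which is how Windows treats names).
EXPECTED_ADMINS = {"administrator", "corp\\domain admins"}


def parse_net_localgroup(text: str) -> list[str]:
    """Return the member names listed in `net localgroup <group>` output.

    Members follow the line of dashes and end at the 'The command completed'
    trailer; blank lines are skipped.
    """
    members = []
    in_members = False
    for line in text.splitlines():
        stripped = line.strip()
        if not in_members:
            # The separator is a line made only of '-' characters.
            if stripped and set(stripped) == {"-"}:
                in_members = True
            continue
        if not stripped:
            continue
        if stripped.lower().startswith("the command completed"):
            break
        members.append(stripped)
    return members


def unexpected_members(members, expected=EXPECTED_ADMINS) -> list[str]:
    """Return members that are not on the allowlist (case-insensitive)."""
    return [m for m in members if m.lower() not in expected]


def audit_live_system() -> list[str]:
    """Run `net localgroup Administrators` on a Windows host and audit it.

    Only meaningful on Windows; the stand-alone run below uses the sample.
    """
    out = subprocess.run(
        ["net", "localgroup", "Administrators"],
        capture_output=True, text=True, check=True,
    ).stdout
    return unexpected_members(parse_net_localgroup(out))


if __name__ == "__main__":
    for name in unexpected_members(parse_net_localgroup(SAMPLE_OUTPUT)):
        print(f"unexpected local administrator: {name}")
```

Run against the constructed sample this reports `jdoe`; on a real host, `audit_live_system()` does the same against the live group. Scheduling it and alerting on any non-empty result turns the common end state of these exploits (an extra Administrators member) into something that gets noticed.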

Tedob1
July 1st, 2003, 04:56 AM
Good tut, warl0ck7. I think it's good that the legitimate community sees what the darker side has already seen and is using.

ahh...the importance of patches

CraZy_AhmaD
July 1st, 2003, 11:37 PM
Hmm, might be a good idea to copy the pwl's to a different extension
so you could grab the passwords later...

Also there is the iusr_bug in NT4 with IIS... but the easiest way is getadmin...