Hacking a windows PC (The Manual)

Introduction
=
This tutorial is about hacking Windows with local access only! Do not expect to learn how to remotely break into a computer. Everything in this tutorial is based on a Windows XP machine.
This tutorial is best viewed in Notepad with character loopback on. The author (Blademaster) is in no way responsible for any acts based upon descriptions in this tutorial. Any mistakes in English are transmission errors the author can't be held responsible for.
=

---

1. Gaining access
=
First, we want to gain access to the Windows box. I don't want to explain this very thoroughly, as there are a lot of tutorials already explaining this. The following methods work on badly configured home PCs.

1. On Win9x, try hitting Alt-F4 or closing the login window as soon as it comes up. This should drop you straight into the guest account. An administrator can disable this, so it might not always work.
2. On WinNT-based systems, try booting into safe mode and logging in as the built-in Administrator account, which is often left without a password. A system administrator may have set one.

Other ways of obtaining a password for the PC:

1. Sniffing the network for unencrypted authentication traffic.
2. Social engineering.
3. Trojaning.
4. Brute forcing (guessing obvious passwords).
=

---

2. Privilege escalation
=
2.1 Bad configuration
=
Bad configuration is very common on home PCs. It can be anything from guest or non-admin users having privileges they shouldn't have, such as the ability to browse sensitive directories, to being able to download and install software into C:\ (the root of the system disk).
=
2.2 Privilege Inheritance
=
Privilege inheritance is about programs getting the same privileges as the parent that spawned them. A common mistake of this kind is log viewing in server applications. For example, program X is a server for streaming music and runs as "Local System" with full privileges. X gives its users the ability to view log files from within the application. Hacker Y opens the server's interface and presses the "View Logs" button. A nice open dialog appears, and Y browses to C:\windows\system32, right-clicks cmd.exe and chooses "Open". Hacker Y now has "Local System" privileges over the computer, because program X forgot to lower the privileges of the spawned cmd.exe to those of the actual user.
The same thing can be done with a simple shatter attack against the open dialog of winhlp32.exe.
If a program runs with higher privileges than the current user and offers any kind of file interaction (open or save dialogs, log viewers and the like), it is definitely worth checking for a privilege inheritance attack.
=
2.3 Shatter attacks
=
Win32 platforms are built on two mechanisms: APIs and Windows messaging. The latter is the one we are interested in. The Windows messaging system delivers actions and events to a program using the SendMessage() function; Win32 C++ programmers will recognize this from the window callback (procedure) every Windows application needs in order to work properly. The message system controls a lot of functionality, such as dropdown boxes, timers, dialogs and user input. The problem with this design is that the receiving program has no way of telling where a message came from, so any user can send any message and get the same result as if explorer.exe had sent it. (This is no longer fully up to date: Microsoft has since locked down some messages, such as the timer messages, to stop them being used to redirect execution into arbitrary memory.) For the basics, look up the SendMessage API on MSDN.
=
2.4 Auto start-up exploiting
=
The places where Windows records which applications to run at user log-in are insecure! Any user can edit the registry with regedit, drop a file into the Microsoft (Startup) directory, or use any other start-up method. This means an attacker with a guest account can edit the registry so that a bot runs when the administrator logs in and edits or creates a user account with elevated privileges. The same trick can be used to copy whole protected directories, or to phish the administrator for a password.
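A defensive check for the start-up locations just described, added here as an example that is not part of this tutorial: it parses the text of a `reg export` of the Run keys (the sample .reg content below is constructed) and flags entries whose program lives in a directory a guest user can write to. The writable-directory list assumes a default Windows XP install on drive C:.

```python
import re

# Directories an unprivileged XP user can normally write to (assumed default
# install on C:). An autostart entry pointing here deserves a close look.
USER_WRITABLE_PREFIXES = (
    r"c:\documents and settings",
    r"c:\temp",
    r"c:\windows\temp",
)
SYSTEM_PREFIXES = (r"c:\windows", r"c:\program files")

# Constructed sample of what `reg export` produces for the two Run keys.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"
"update"="C:\\Documents and Settings\\Guest\\Local Settings\\Temp\\update.exe /s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def parse_run_entries(reg_text):
    """Yield (key, value_name, command) for string values under Run/RunOnce keys."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or not key.lower().endswith(("\\run", "\\runonce")):
            continue
        m = VALUE_RE.match(line)
        if m:
            # .reg files escape quotes and backslashes inside string data
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            yield key, m.group("name"), data

def executable_path(command):
    """Pull the program path out of a Run command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(.+?\.exe)(\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]

def classify(path):
    """Verdict for one autostart program path."""
    p = path.lower()
    if "\\" not in p:
        return "SUSPECT: bare filename, resolved via search path"
    if p.startswith(USER_WRITABLE_PREFIXES):
        return "SUSPECT: starts from a user-writable directory"
    if not p.startswith(SYSTEM_PREFIXES):
        return "REVIEW: outside Windows / Program Files"
    return "ok"

def audit(reg_text):
    """Return (key, value_name, program_path, verdict) for every Run entry."""
    return [(key, name, executable_path(cmd), classify(executable_path(cmd)))
            for key, name, cmd in parse_run_entries(reg_text)]
```

Run `audit(SAMPLE_REG)` against a real export to get one verdict per entry; anything marked SUSPECT should be compared with the file's actual ACL, since a Run key writable by Guest is the root problem the section describes.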
