Thursday, October 18, 2012

How to Hack Your School Network

So, a lot of people here should want to hack his school's network.It can be really easy, and it can be quite difficult if your scholl have actives network administrators.

Anyway, you can do it following my tutorial, there are a lot of possibilities but I will explain the most efficients methods here...

So, Let's started !

#### Gain local admin privileges ####

It's very easy to gain admin privileges.

1st method :

(cmd not blocked)

How to open CMD?

-Press Windows+R ==> type "cmd.exe" in the box
-create a new text file, just write it inside :

@echo off

and save it as "something.bat"
just click on it.
In cmd, type :

net user *nameyouwantfortheaccounthere* /add

(dont write the stars)
and now type :

net localgroup Administrators *nameoftheaccount* /add

note :
For non-english computers, the group "Administrators" could not be the same, on french computers, it's called "Administrateurs", so for check what is the name of the group, just type "net localgroup" for see the list of groups on the computer

Now you can connect yourself on the local machine with an admin account.

2nd method :

Just burn ophcrack on a dvd
ophcrack can be found here :

If the BIOS of the computer is password-protected, go here and look for the software solution

Now boot the computer, and when you got the motherboard message, press a key for enter in the BIOS or in the boot-order menu (the key you have to press is different on a lot of motherboards, but it's generally DEL or F2, it's will be displayed on the screen)

Change the boot order and move the DVD to the first position.

Now normally boot the computer and ophcrack will started, in 95% of case, it will find the admin password of the computer.
If not, go to the 3rd method

3rd method :

Ophcrack didn't find the admin password? It's not a problem

Just boot on a linux live CD (i highly suggest Backtrack 4 for the following of the tutorial) the live CD can be found HERE

Just start on the CD, and wait for the command prompt appears
now type in :
fdisk -l

and search for the windows partition, basicaly the biggest
We will say that the partition is called "dev/sda2" (It can be different on your computer!!!)
now type :

mkdir /mnt/xp
mount /dev/sda2 /mnt/xp
cd /mnt/xp

Now you are in the root of your windows partition, without any restrictions
just type :

cd WINDOWS/system32
and remove sethc.exe
rm sethc.exe
and copy cmd.exe with the name "sethc.exe"
cp cmd.exe sethc.exe

and you're done.

Just reboot the computer and on the winlogon screen, just hit SHIFT key five times and the cmd prompt will appears. Now just follow the 1st method and you can access to an admin account.

#### Gain Network Admin Privileges ####

Ok this must be the hardest part, but you can do it

So you need to know how is built your school network,it's not a problem, just go, with local admin account, to start>network or go to the control panel and look at all the computers in the network.

You'll certainly find a lot of computers, search for a computer called "server" or with a name different to others In my school, the server is called "server 1" try to click on it, it will certainly ask you for username and pass, you can give the pass of your limited account, and you'll certainly access only to the "normal" files that you can access in normal time when you connect to the network.

So, you need admin passwords, you can successfully do it easily

1st method :

If you can access to a computer that is used by admins or teachers, just uninstall the AV on the computer (easily done in control panel) and install this great tool, fakegina
downloadable here

Just move fakegina.dll into C:\WINDOWS\system32
and now press windows + R
type in : "regedit"

go to : "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
and create "GinaDLL" in "REG_SZ" with value "fakegina.dll"

OK you're done, just wait for someone connect to the computer, and the usernames and passwords of the users will be stored in "C:\WINDOWS\system32\passlist.txt"
wait for an admin connect to the machine, and voila, you got his pass.

passlist exemple :

in the format domainname\username password

2nd method :

No privileged users are connecting on the computer, it's not a problem, just intercept the packets send by the users to connect to the server.

Just download and install Cain & Abel
Now just Google for ARP Poisonning and snif SMB packets, it contains the login informations of the user connecting, just decrypt it with cain and you're done.
You just have to wait an admin to connect on the network

3rd method :

Ok it's not really a skilled method, but it works well.
Just try to watch an admin or a teacher connecting to the network, try to see what is the password typed. If it's only numbers, it can be a birthday date or something else Social Engineering is also a good way to go.

#### Gain Full Access To The Main Server ####

Okay, once you've got an admin password, you'll want to have a fully access to the main server.

1st method :

Normally, the administrators are using remote desktop for having access to the main server.
Just try to connect to it : Start > accessories > remote desktop connection
And then,type in the box the name of the main server, in my school, it's "server1"
If you got access to an windows login screen, it's good!
Just try type the admin username and pass.
If it works, you're done, welcome to the main server of your school, you can do what you want Biggrin

2nd method :

If it doesn't work, the server only got one account that can access to the server interactively  generaly called "administrator"
So just try to find the password, maybe the same as the admin user.
if you don't find the password, use Cain & Abel and snif for RDP packets.
This packets are used when someone use the remote desktop for connect to the server, and they contains the username and the pass of the admin user that can access to the main server with remote desktop.

If you successfully find packets, great, just open it and search for the password
And when you got it, just connect to the main server, and you're done

3rd method :

If you don't find any packet while sniffing, you can pentest the server.

Just use a backtrack live CD, use metasploit and autopwn the server (there are a lot of tutorials  all over the internet), there are a lot of chances that the server isn't updated, so enjoy and try to find any vulns to the server

If metasploit succesfully find a vuln, you're done, and you'll access to a shell, ENJOY

#### What To Do With The Main Server ####

A lot of things...
But the first thing to do is to dump the hash of the server, Google for fgdump and use it to dump the hashes of the server. Now crack them with Ophcrack and you'll gain the password of all the accounts of your school, enjoy

Now you got all the powers, I recommend you to not do "funny" things and don't let any tracks, don't touch at the accounts, just access to the teacher's files (some of them store theirs test in their account folder) just enjoy and increase your grades

Do it silently and all will be fine