Hacking Windows 95, Part 1

During a CTF game, we came across very-very old systems. Turns out, it is not that easy to hack those dinosaur old systems, because modern tools like Metasploit do not have sploits for those old boxes and of course our "133t h4cking skillz" are useless without Metasploit... :)

But I had an idea: This can be a pretty good small research for fun.

The rules for the hack are the following:

1. Only publicly available tools can be used for this hack, so no tool development. This is a CTF for script bunniez, and we can't haz code!
2. Only hacks without user interaction are allowed (IE based sploits are out of scope).
3. I need instant remote code execution. For example, if I can drop a malware to the c: drive, and change autoexec.bat, I'm still not done, because no one will reboot the CTF machine in a real CTF for me. If I can reboot the machine, that's OK.
4. I don't have physical access.

I have chosen Windows 95 for this task. First, I had to get a genuine Windows 95 installer, so I visited the Microsoft online shop and downloaded it from their official site.

I installed it in a virtualized environment (remember, you need a boot floppy to install from the CD), and it hit me with a serious nostalgia bomb after watching the installer screens. "Easier to use", "faster and more efficient", "high-powered performance", "friendly", "intuitive interface". Who does not want that? :)

Now that I have a working Windows 95 box, setting up the TCP/IP is easy, let's try to hack it!

My first tool is always nmap. Let's scan the box! Below I'm showing the interesting parts from the result:

PORT      STATE           SERVICE       VERSION 139/tcp   open            netbios-ssn 137/udp   open|filtered   netbios-ns 138/udp   open|filtered   netbios-dgm Running: Microsoft Windows 3.X|95 OS details: Microsoft Windows for Workgroups 3.11 or Windows 95 TCP Sequence Prediction: Difficulty=25 (Good luck!) IP ID Sequence Generation: Broken little-endian incremental 

The first exciting thing to note is that there is no port 445! Port 445 is only since NT 4.0. If you check all the famous windows sploits (e.g., MS03-026, MS08-067), all of them use port 445 and named pipes. But there are no named pipes on Windows 95!

Because I'm a Nessus monkey, let's run a free Nessus scan on it!

Only one critical vulnerability found:

Microsoft Windows NT 4.0 Unsupported Installation Detection

Thanks for nothing, Nessus! But at least it was for free.

Next, I tried GFI Languard, nothing. It detected the machine as Win95, the opened TCP port, and some UDP ports as open (false-positive), and that's all...

Let's try another free vulnerability scanner tool, Nexpose. The results are much better:

• CIFS NULL Session Permitted  
• Weak LAN Manager hashing permitted
• SMB signing not required
• Windows 95/98/ME Share Level Password Bypass   
• TCP Sequence Number Approximation Vulnerability  
• ICMP netmask response
• CIFS Share Readable By Everyone

I think the following vulnerabilities are useless for me at the moment:

• Weak LAN Manager hashing permitted - without user interaction or services looking at the network, useless (I might be wrong here, will check this later)
• TCP Sequence Number Approximation Vulnerability - not interesting
• ICMP netmask response - not interesting
• CIFS Share Readable By Everyone - unless there is a password in a text file, useless

But we have two interesting vulns:

• CIFS NULL Session Permitted  - this could be interesting, I will check this later ...
• Windows 95/98/ME Share Level Password Bypass - BINGO!

Let me quote Nexpose here:

"3.2.3 Windows 95/98/ME Share Level Password Bypass (CIFS-win9x-onebyte-password)

A flaw in the Windows 95/98/ME File and Print Sharing service allows unauthorized users to access file and print shares by sending the first character of the password. Due to the limited number of attempts required to guess the password, brute force attacks can be performed in just a few seconds.

Established connection to share TEST with password P."

The vulnerability description at MS side:

http://technet.microsoft.com/en-us/security/bulletin/ms00-072

For example if the password is "Password" (without quotes) and the client sends the password "P" (without quotes) and the length of 1, the client is authenticated. To find the rest of the password, the attacker increments the length to 2 and starts guessing the second letter until he reaches "PA" and gets authenticated again. As share passwords in Windows 95 are not case sensitive, "Pa" and "PA" will also be accepted. The attacker can continue to increment the length and guessing the next letter one-by-one until he gets the full "PASSWORD" (as the maximum length is 8 characters).

I believe all characters between ALT+033 and ALT+255 can be used in the share password in Windows 95, but as it is case insensitive, we have 196 characters to use, and a maximum length of 8 characters. In worst case this means that we can guess the full password in 1568 requests. The funny thing is that the share password is not connected to (by default) any username/account, and it cannot be locked via brute force.

Luckily there is a great tool which can exploit this vulnerability:

Share Password Checker

Let's check this tool in action:

W00t w00t, it brute forced the password in less then 2 seconds!

Looking at a wireshark dump we can see how it is done:

As you can see, in the middle of the dump we can see that it already guessed the part "PASS" and it is brute-forcing the fifth character, it founds that "W" is the correct fifth character, and starts brute-forcing the sixth character.

If we are lucky with the CTF, the whole C:\ drive is shared with full read-write access, and we can write our team identifier into the c:\flag.txt. But what if we want remote code execution? Stay tuned, this is going to be the topic of the next part of this post.

More information

1. Hacker Tools Online
2. Hacking Tools Usb
3. Black Hat Hacker Tools
4. Hack Tools For Mac
5. Hack Tool Apk No Root
6. World No 1 Hacker Software
7. Github Hacking Tools
8. Computer Hacker
9. Hacker Tools 2019
10. Hacker Tools
11. Pentest Tools Github
12. Pentest Tools Find Subdomains
13. Hack Apps
14. Pentest Tools For Mac
15. Hack Tool Apk
16. Hack Tool Apk No Root
17. Install Pentest Tools Ubuntu
18. Hacking Apps
19. Hacker Security Tools
20. Hacking Tools Kit
21. Hacking Tools Free Download
22. Hacking Tools For Games
23. Pentest Tools Linux
24. Hacker Hardware Tools
25. Pentest Tools Subdomain
26. Hacker Tools Online
27. Pentest Automation Tools
28. Tools For Hacker
29. Hack Tools For Ubuntu
30. Hak5 Tools
31. Hacker Tools For Mac
32. Hacker Tools For Ios
33. Pentest Tools Linux
34. Nsa Hack Tools
35. Ethical Hacker Tools
36. Hacking Tools Free Download
37. Game Hacking
38. Pentest Tools Subdomain
39. How To Hack
40. Hacking Tools Usb
41. Hacking Tools Free Download
42. Pentest Tools Subdomain
43. Hack Tools For Pc
44. World No 1 Hacker Software
45. Hacking Tools For Mac
46. Nsa Hacker Tools
47. Hacking Tools Windows
48. Pentest Tools Bluekeep
49. Hacking Tools For Pc
50. Hack Tools For Windows
51. Hacker Security Tools
52. Hacker Tools 2019
53. Black Hat Hacker Tools
54. Hacking Tools For Windows 7
55. Bluetooth Hacking Tools Kali
56. Hacking Tools
57. Pentest Tools Free
58. Hacking Tools Online
59. Hack Tools Mac
60. Pentest Tools Android
61. Pentest Tools For Windows
62. Hack Tools Online
63. Hacker Tools
64. Pentest Tools Bluekeep
65. Hacking Tools For Kali Linux
66. Hack App
67. Hacker Tools Free Download
68. Blackhat Hacker Tools
69. Hack And Tools
70. Pentest Tools Github
71. Nsa Hack Tools
72. Hacker Tools For Ios
73. Hack Tool Apk No Root
74. Pentest Automation Tools
75. Hacking Tools Free Download
76. Android Hack Tools Github
77. Pentest Tools Github
78. Physical Pentest Tools
79. Termux Hacking Tools 2019
80. Game Hacking
81. Hacker Tools Mac
82. Hack Tools
83. Hacking Tools
84. Hacker Tools
85. Top Pentest Tools
86. Top Pentest Tools
87. Best Hacking Tools 2019
88. Hacking Tools For Windows 7
89. New Hack Tools
90. Hacking Tools Windows 10
91. Hacking Tools Name
92. Pentest Tools For Windows
93. Hacker Tools
94. Pentest Tools For Mac
95. Nsa Hacker Tools
96. Pentest Tools Port Scanner
97. What Is Hacking Tools
98. Tools 4 Hack
99. Hack Tools Pc
100. What Is Hacking Tools
101. Pentest Tools Open Source
102. Hack Tools For Ubuntu
103. Black Hat Hacker Tools
104. New Hack Tools
105. Underground Hacker Sites
106. Hacking Tools Free Download
107. Pentest Tools Online
108. Hackers Toolbox
109. Pentest Tools Framework
110. Hacker Security Tools
111. Pentest Tools Download
112. Hack Tools Download
113. Hacking Tools For Windows Free Download
114. Pentest Tools Port Scanner
115. Nsa Hack Tools
116. Hacking Apps
117. Install Pentest Tools Ubuntu
118. Hacker Tools Windows
119. Hack Apps
120. How To Install Pentest Tools In Ubuntu
121. Hacker Security Tools
122. Pentest Tools Free
123. New Hacker Tools
124. Pentest Tools Bluekeep
125. Hacking App
126. Pentest Tools Apk
127. Hacker Hardware Tools
128. Pentest Tools Linux
129. Pentest Tools Review
130. Pentest Tools Apk
131. Game Hacking
132. Pentest Tools Url Fuzzer
133. Install Pentest Tools Ubuntu
134. Hacker Tools For Pc
135. Termux Hacking Tools 2019
136. Github Hacking Tools
137. Hacker Tools Apk Download
138. Nsa Hacker Tools
139. Hacking Tools For Games
140. Hacking Tools Windows
141. Pentest Tools Port Scanner
142. Hack Tools For Ubuntu
143. Hacker Tool Kit
144. Pentest Tools List
145. Hack Tools Download
146. Hacking App
147. Pentest Tools Subdomain
148. Pentest Tools Online
149. Hacking Tools Kit
150. Easy Hack Tools