Hacking Windows 95, Part 2

In the Hacking Windows 95, part 1 blog post, we covered that through a nasty bug affecting Windows 95/98/ME, the share password can be guessed in no time. In this article, I'm going to try to use this vulnerability to achieve remote code execution (with the help of publicly available tools only).

The first thing we can do when we have read access to the Windows directory through the share, is to locate all the *.pwl files on the c:\windows directory, copy them to your machine where Cain is installed, switch to Cracker tab, pwl files, load the pwl file, add username based on the filename, and try to crack it. If you can't crack it you might still try to add a .pwl file where you already know the password in the remote windows directory. Although this is a fun post-exploitation task, but still, no remote code execution. These passwords are useless without physical access.

One might think that after having a share password and user password, it is easy to achieve remote code execution. The problem is:

• there is no "at" command (available since Windows 95 plus!)
• there is no admin share
• there is no RPC
• there is no named pipes
• there is no remote registry
• there is no remote service management

If you think about security best practices, disabling unnecessary services is always the first task you should do. Because Windows 95 lacks all of these services, it is pretty much secure!

During my quest for a tool to hack Windows 95, I came across some pretty cool stuff:

Internet periscope

Winfingerprint

LanSpy

But the best of the best is Fluxay, which has been written by chinese hackers. It is the metasploit from the year 2000. A screenshot is worth more than a 1000 words. 4 screenshot > 4 thousand words :)

It is pretty hard to find the installer, but it is still out there!

But at the end, no remote code execution for me.

My idea here was that if I can find a file which executes regularly (on a scheduled basis), I can change that executable to my backdoor and I'm done. Although there is no scheduler in the default Windows 95, I gave it a try. 

Let's fire up taskman.exe to get an idea what processes are running:

Looks like we need a more powerful tool here, namely Process Explorer. Let's try to download this from oldapps.com:

LOL, IE3 hangs, can't render the page. Copying files to the Win95 VM is not that simple, because there are no shared folders in Win95 VM. And you can't use pendrives either, Win95 can't handle USB (at least the retail version). After downloading the application with a newer browser from oldapps, let's start Process Explorer on the test Windows 95.

Don't try to download the Winsocks 2 patch from the official MS site, it is not there anymore, but you can download it from other sites. 

Now let's look at the processes running:

After staring it for minutes, turned out it is constant, no new processes appeared.
Looking at the next screenshot, one can notice this OS was not running a lot of background processes ...

My current Win7 has 1181 threads and 84 processes running, no wonder it is slow as hell :)

We have at least the following options:

1. You are lucky and not the plain Windows 95 is installed, but Windows 95 Plus! The main difference here is that Windows 95 Plus! has built-in scheduler, especially the "at" command. Just overwrite a file which is scheduled to execution, and wait. Mission accomplished!
2. Ping of death - you can crash the machine (no BSOD, just crash) with long (over 65535 bytes) ICMP ping commands, and wait for someone to reboot it. Just don't forget to put your backdoor on the share and add it to autoexec.bat before crashing it. 
3. If your target is a plain Windows 95, I believe you are out of luck. No at command, no named pipes, no admin share, nothing. Meybe you can try to fuzz port 137 138 139, and write an exploit for those. Might be even Ping of Death is exploitable?

Let's do the first option, and hack Windows 95 plus!

Look at the cool features we have by installing Win95 Plus!

Cool new boot splash screen!

But our main interest is the new, scheduled tasks!

Now we can replace diskalm.exe with our backdoor executable, and wait maximum one hour to be scheduled.

Instead of a boring text based tutorial, I created a YouTube video for you. Based on the feedbacks on my previous tutorialz, it turned out I'm way too old, and can't do interesting tutorials. That's why I analyzed the cool skiddie videoz, and found that I have to do the followings so my vidz won't suck anymore:

• use cool black windows theme
• put meaningless performance monitor gadgets on the sidebar
• use a cool background, something related with hacking and skullz
• do as many opsec fails as possible
• instead of captions, use notepad with spelling errorz
• there is only one rule of metal: Play it fuckin' loud!!!!

Related news

1. What Is Hacking Tools
2. Nsa Hacker Tools
3. Hack Rom Tools
4. Pentest Tools Online
5. Hack Tools For Ubuntu
6. Wifi Hacker Tools For Windows
7. Hack Tools For Ubuntu
8. Hack Tools For Ubuntu
9. Hacking Tools For Windows Free Download
10. Hacking Tools Usb
11. Hacking Tools Software
12. Hack Tools For Ubuntu
13. Best Hacking Tools 2020
14. Pentest Tools Bluekeep
15. Tools For Hacker
16. Black Hat Hacker Tools
17. Hacking Tools Kit
18. Hacking Tools Free Download
19. Hacker Tools Apk
20. Hacking Tools For Beginners
21. Growth Hacker Tools
22. How To Install Pentest Tools In Ubuntu
23. Pentest Tools Online
24. Hack App
25. New Hacker Tools
26. How To Hack
27. Pentest Reporting Tools
28. Computer Hacker
29. Hack Tools 2019
30. Pentest Tools Alternative
31. Hack Tools Download
32. Hacking Tools Name
33. Hacker Hardware Tools
34. Hack Tools Pc
35. Hack Tools Online
36. How To Hack
37. Growth Hacker Tools
38. Hacker Tools Apk Download
39. Pentest Tools Alternative
40. Usb Pentest Tools
41. Pentest Tools
42. How To Hack
43. Hak5 Tools
44. Hack Tools For Pc
45. Game Hacking
46. Hacking Tools For Beginners
47. New Hacker Tools
48. Hacker Tools Free
49. Github Hacking Tools
50. Hack Apps
51. Pentest Tools Website
52. Hack Apps
53. Hack Tools For Windows
54. Hacker Tools 2019
55. Hack Tools For Pc
56. Hacker Tools Apk Download
57. Free Pentest Tools For Windows
58. Beginner Hacker Tools
59. Growth Hacker Tools
60. Hacker Tools Windows
61. Hacker Tools Mac
62. Wifi Hacker Tools For Windows
63. Nsa Hack Tools
64. Pentest Tools
65. How To Install Pentest Tools In Ubuntu
66. Hacking Tools Mac
67. Hacker Tools Hardware
68. Hacking Apps
69. Physical Pentest Tools
70. Hacking Tools Windows 10
71. Hacker Tools Apk
72. Hacking Tools Github
73. Hack Website Online Tool
74. Hacking Tools For Windows Free Download
75. Underground Hacker Sites
76. Hacking Tools Mac
77. Hacker Tools Hardware
78. Game Hacking
79. Hacking Tools Name
80. How To Make Hacking Tools
81. Hacking Tools Windows 10
82. Hack Tools Mac
83. Hack Tools Github
84. Hack Tools 2019
85. Github Hacking Tools
86. Hack Rom Tools
87. Pentest Tools Online
88. Pentest Tools Bluekeep
89. Game Hacking
90. Termux Hacking Tools 2019
91. Pentest Tools Open Source
92. Hacking Tools Mac
93. Pentest Tools Website
94. Hacking Tools For Kali Linux
95. Install Pentest Tools Ubuntu
96. Wifi Hacker Tools For Windows
97. Pentest Tools Port Scanner
98. Best Pentesting Tools 2018
99. Tools For Hacker
100. Android Hack Tools Github
101. Physical Pentest Tools
102. Hacking Tools Software
103. Pentest Tools Website
104. Pentest Tools Tcp Port Scanner
105. Termux Hacking Tools 2019
106. Hacker Tools For Windows
107. Pentest Tools For Windows
108. New Hack Tools
109. Hacks And Tools
110. Hacker Search Tools
111. How To Install Pentest Tools In Ubuntu
112. Hacking Tools Software
113. Hacker
114. Hacker Tools For Ios
115. Pentest Box Tools Download
116. Github Hacking Tools
117. Hacking Tools For Windows 7
118. What Are Hacking Tools
119. Hacker Search Tools
120. How To Hack
121. Hacker Tools Online
122. Hacking Tools Hardware
123. Pentest Recon Tools
124. Hack Tool Apk
125. Hack Tools Mac
126. Hacking Tools Hardware
127. Ethical Hacker Tools
128. Easy Hack Tools
129. Hacker Tools Github
130. Hacker Tools 2020
131. Pentest Tools Windows
132. Hacking Tools For Pc
133. Hacker Tools Apk Download
134. Hacking Tools For Windows 7
135. Hack Tools
136. Hacking Tools And Software
137. Hacker Tools Apk
138. How To Hack
139. Pentest Tools Nmap
140. Hack And Tools
141. Free Pentest Tools For Windows
142. Hacker Tools
143. Hacking Tools Usb
144. Hacking App
145. Hack Tools For Windows
146. Pentest Tools Nmap
147. Hack Tools For Mac
148. Hacker
149. Pentest Tools Apk
150. Best Hacking Tools 2019
151. Hacking Tools Name
152. Black Hat Hacker Tools
153. Growth Hacker Tools
154. Pentest Tools Nmap
155. Github Hacking Tools
156. Hack Tools For Mac
157. Pentest Tools Apk
158. Hacking Tools For Kali Linux
159. Hacker Tools 2020
160. Hak5 Tools
161. Pentest Tools
162. Hacker
163. Hacker Tools Hardware
164. Pentest Tools Download
165. Nsa Hack Tools Download
166. Hacking Tools Windows 10
167. Pentest Tools Nmap
168. Hacking Tools Kit
169. Kik Hack Tools
170. Hacker Tools Linux
171. Pentest Tools List
172. Black Hat Hacker Tools
173. Tools For Hacker
174. Hack Tools Pc
175. Game Hacking