Hacking Windows 95, Part 1

During a CTF game, we came across very-very old systems. Turns out, it is not that easy to hack those dinosaur old systems, because modern tools like Metasploit do not have sploits for those old boxes and of course our "133t h4cking skillz" are useless without Metasploit... :)

But I had an idea: This can be a pretty good small research for fun.

The rules for the hack are the following:

1. Only publicly available tools can be used for this hack, so no tool development. This is a CTF for script bunniez, and we can't haz code!
2. Only hacks without user interaction are allowed (IE based sploits are out of scope).
3. I need instant remote code execution. For example, if I can drop a malware to the c: drive, and change autoexec.bat, I'm still not done, because no one will reboot the CTF machine in a real CTF for me. If I can reboot the machine, that's OK.
4. I don't have physical access.

I have chosen Windows 95 for this task. First, I had to get a genuine Windows 95 installer, so I visited the Microsoft online shop and downloaded it from their official site.

I installed it in a virtualized environment (remember, you need a boot floppy to install from the CD), and it hit me with a serious nostalgia bomb after watching the installer screens. "Easier to use", "faster and more efficient", "high-powered performance", "friendly", "intuitive interface". Who does not want that? :)

Now that I have a working Windows 95 box, setting up the TCP/IP is easy, let's try to hack it!

My first tool is always nmap. Let's scan the box! Below I'm showing the interesting parts from the result:

PORT      STATE           SERVICE       VERSION 139/tcp   open            netbios-ssn 137/udp   open|filtered   netbios-ns 138/udp   open|filtered   netbios-dgm Running: Microsoft Windows 3.X|95 OS details: Microsoft Windows for Workgroups 3.11 or Windows 95 TCP Sequence Prediction: Difficulty=25 (Good luck!) IP ID Sequence Generation: Broken little-endian incremental 

The first exciting thing to note is that there is no port 445! Port 445 is only since NT 4.0. If you check all the famous windows sploits (e.g., MS03-026, MS08-067), all of them use port 445 and named pipes. But there are no named pipes on Windows 95!

Because I'm a Nessus monkey, let's run a free Nessus scan on it!

Only one critical vulnerability found:

Microsoft Windows NT 4.0 Unsupported Installation Detection

Thanks for nothing, Nessus! But at least it was for free.

Next, I tried GFI Languard, nothing. It detected the machine as Win95, the opened TCP port, and some UDP ports as open (false-positive), and that's all...

Let's try another free vulnerability scanner tool, Nexpose. The results are much better:

• CIFS NULL Session Permitted  
• Weak LAN Manager hashing permitted
• SMB signing not required
• Windows 95/98/ME Share Level Password Bypass   
• TCP Sequence Number Approximation Vulnerability  
• ICMP netmask response
• CIFS Share Readable By Everyone

I think the following vulnerabilities are useless for me at the moment:

• Weak LAN Manager hashing permitted - without user interaction or services looking at the network, useless (I might be wrong here, will check this later)
• TCP Sequence Number Approximation Vulnerability - not interesting
• ICMP netmask response - not interesting
• CIFS Share Readable By Everyone - unless there is a password in a text file, useless

But we have two interesting vulns:

• CIFS NULL Session Permitted  - this could be interesting, I will check this later ...
• Windows 95/98/ME Share Level Password Bypass - BINGO!

Let me quote Nexpose here:

"3.2.3 Windows 95/98/ME Share Level Password Bypass (CIFS-win9x-onebyte-password)

A flaw in the Windows 95/98/ME File and Print Sharing service allows unauthorized users to access file and print shares by sending the first character of the password. Due to the limited number of attempts required to guess the password, brute force attacks can be performed in just a few seconds.

Established connection to share TEST with password P."

The vulnerability description at MS side:

http://technet.microsoft.com/en-us/security/bulletin/ms00-072

For example if the password is "Password" (without quotes) and the client sends the password "P" (without quotes) and the length of 1, the client is authenticated. To find the rest of the password, the attacker increments the length to 2 and starts guessing the second letter until he reaches "PA" and gets authenticated again. As share passwords in Windows 95 are not case sensitive, "Pa" and "PA" will also be accepted. The attacker can continue to increment the length and guessing the next letter one-by-one until he gets the full "PASSWORD" (as the maximum length is 8 characters).

I believe all characters between ALT+033 and ALT+255 can be used in the share password in Windows 95, but as it is case insensitive, we have 196 characters to use, and a maximum length of 8 characters. In worst case this means that we can guess the full password in 1568 requests. The funny thing is that the share password is not connected to (by default) any username/account, and it cannot be locked via brute force.

Luckily there is a great tool which can exploit this vulnerability:

Share Password Checker

Let's check this tool in action:

W00t w00t, it brute forced the password in less then 2 seconds!

Looking at a wireshark dump we can see how it is done:

As you can see, in the middle of the dump we can see that it already guessed the part "PASS" and it is brute-forcing the fifth character, it founds that "W" is the correct fifth character, and starts brute-forcing the sixth character.

If we are lucky with the CTF, the whole C:\ drive is shared with full read-write access, and we can write our team identifier into the c:\flag.txt. But what if we want remote code execution? Stay tuned, this is going to be the topic of the next part of this post.

Related articles

1. Hack Tools For Games
2. Hack Tools For Ubuntu
3. Hacker Tools For Pc
4. Hack Tools Online
5. Pentest Tools Port Scanner
6. Hackers Toolbox
7. Pentest Tools Bluekeep
8. Android Hack Tools Github
9. Tools For Hacker
10. Termux Hacking Tools 2019
11. Hacking Tools 2020
12. Hacker Tools List
13. Pentest Box Tools Download
14. What Are Hacking Tools
15. Pentest Recon Tools
16. New Hack Tools
17. Hacking Apps
18. Best Hacking Tools 2019
19. Pentest Tools For Android
20. Android Hack Tools Github
21. Pentest Tools Android
22. Beginner Hacker Tools
23. Pentest Tools Linux
24. Termux Hacking Tools 2019
25. Pentest Tools Subdomain
26. Hacking Tools For Windows
27. Hack Tools Pc
28. Hacker Tools Hardware
29. Hacker Tools
30. Android Hack Tools Github
31. How To Hack
32. Hack Tools Pc
33. Hack Tools For Ubuntu
34. Hack Tools Online
35. Hack Tools Github
36. Pentest Tools
37. Hack Rom Tools
38. Pentest Recon Tools
39. Nsa Hack Tools
40. Hack Tools For Games
41. Hacker Search Tools
42. Pentest Tools Windows
43. Hacking Tools And Software
44. Pentest Tools For Ubuntu
45. Hacking Tools For Windows 7
46. Pentest Automation Tools
47. Hacker Tools Free Download
48. Hacks And Tools
49. Hacking Tools 2019
50. Hack Tools Pc
51. Hacking Apps
52. Hacker Tools Mac
53. Hacking Tools For Kali Linux
54. Pentest Tools Review
55. Pentest Tools Website Vulnerability
56. Hacking Tools Free Download
57. Hacker Tools For Windows
58. Hacking Tools Free Download
59. Hacking App
60. Pentest Tools Find Subdomains
61. Hacker Tools Online
62. Pentest Tools Kali Linux
63. Usb Pentest Tools
64. Hacker Tools Linux
65. Pentest Tools Github
66. Hack Tools For Windows
67. Wifi Hacker Tools For Windows
68. Hacking Tools Download
69. Hack Tools
70. Pentest Recon Tools
71. Pentest Automation Tools
72. Hacker Hardware Tools
73. Hacker Tools Github
74. Hack Tool Apk
75. Hacks And Tools
76. Underground Hacker Sites
77. Hacking Tools Name
78. Pentest Tools Framework
79. Hacking Tools Free Download
80. Hack Tools
81. Best Hacking Tools 2019
82. Hack Tools Github
83. What Are Hacking Tools
84. Hack Apps
85. Nsa Hacker Tools
86. Hack Tools For Ubuntu
87. Pentest Tools Website Vulnerability
88. Hacking Tools Windows
89. Hacker Tools For Ios
90. Tools For Hacker
91. Hackrf Tools
92. Hacker Tools For Mac
93. Ethical Hacker Tools
94. Pentest Tools Tcp Port Scanner
95. Hacking Tools Pc
96. Hacking Tools Hardware
97. Pentest Tools Port Scanner
98. Nsa Hack Tools Download
99. Hacking Tools For Windows Free Download
100. Hacker Techniques Tools And Incident Handling
101. Hacker Tools Windows
102. Beginner Hacker Tools
103. Hacking Tools Kit
104. Bluetooth Hacking Tools Kali
105. Hak5 Tools
106. Pentest Tools Port Scanner
107. Pentest Tools Github
108. Hack Website Online Tool
109. New Hacker Tools
110. Hacking Tools Github
111. Pentest Tools Review
112. Hacker Tools 2020
113. Pentest Recon Tools
114. Hack Tools
115. Top Pentest Tools
116. Hacker Tools Apk Download
117. Ethical Hacker Tools
118. Hacking Tools Hardware
119. New Hack Tools
120. Hack Rom Tools
121. Hack Tools 2019
122. Hack Tools Pc
123. Hacking Tools 2020
124. Tools 4 Hack
125. Hacks And Tools
126. Hack Tools Pc
127. Hacker Hardware Tools
128. Hacking Tools Software
129. Hacking Tools Hardware
130. Hacker Tools Apk Download
131. Hack Tools Mac
132. Pentest Tools Windows
133. Hacking App
134. Hacking Tools For Games
135. Hacking Tools Windows 10
136. Hacking Tools For Games
137. Hacker Hardware Tools
138. Hacking Tools Kit
139. Hacking App
140. Nsa Hack Tools
141. How To Make Hacking Tools
142. New Hacker Tools
143. What Are Hacking Tools
144. Pentest Tools For Mac
145. Hacker Tools Windows
146. Android Hack Tools Github
147. Hackrf Tools
148. Hacking Tools Mac
149. Hack App
150. Hack Tools Mac
151. Pentest Tools
152. Easy Hack Tools
153. Growth Hacker Tools
154. Hacking Tools Online
155. Hacking Tools Windows
156. Easy Hack Tools
157. Hack Tools Mac
158. Beginner Hacker Tools
159. Nsa Hacker Tools
160. Hacker Tool Kit
161. Beginner Hacker Tools
162. Pentest Automation Tools
163. Hack Tools For Games
164. Hacker Tools Windows