Hacking Windows 95, Part 1

During a CTF game, we came across very-very old systems. Turns out, it is not that easy to hack those dinosaur old systems, because modern tools like Metasploit do not have sploits for those old boxes and of course our "133t h4cking skillz" are useless without Metasploit... :)

But I had an idea: This can be a pretty good small research for fun.

The rules for the hack are the following:

1. Only publicly available tools can be used for this hack, so no tool development. This is a CTF for script bunniez, and we can't haz code!
2. Only hacks without user interaction are allowed (IE based sploits are out of scope).
3. I need instant remote code execution. For example, if I can drop a malware to the c: drive, and change autoexec.bat, I'm still not done, because no one will reboot the CTF machine in a real CTF for me. If I can reboot the machine, that's OK.
4. I don't have physical access.

I have chosen Windows 95 for this task. First, I had to get a genuine Windows 95 installer, so I visited the Microsoft online shop and downloaded it from their official site.

I installed it in a virtualized environment (remember, you need a boot floppy to install from the CD), and it hit me with a serious nostalgia bomb after watching the installer screens. "Easier to use", "faster and more efficient", "high-powered performance", "friendly", "intuitive interface". Who does not want that? :)

Now that I have a working Windows 95 box, setting up the TCP/IP is easy, let's try to hack it!

My first tool is always nmap. Let's scan the box! Below I'm showing the interesting parts from the result:

PORT      STATE           SERVICE       VERSION 139/tcp   open            netbios-ssn 137/udp   open|filtered   netbios-ns 138/udp   open|filtered   netbios-dgm Running: Microsoft Windows 3.X|95 OS details: Microsoft Windows for Workgroups 3.11 or Windows 95 TCP Sequence Prediction: Difficulty=25 (Good luck!) IP ID Sequence Generation: Broken little-endian incremental 

The first exciting thing to note is that there is no port 445! Port 445 is only since NT 4.0. If you check all the famous windows sploits (e.g., MS03-026, MS08-067), all of them use port 445 and named pipes. But there are no named pipes on Windows 95!

Because I'm a Nessus monkey, let's run a free Nessus scan on it!

Only one critical vulnerability found:

Microsoft Windows NT 4.0 Unsupported Installation Detection

Thanks for nothing, Nessus! But at least it was for free.

Next, I tried GFI Languard, nothing. It detected the machine as Win95, the opened TCP port, and some UDP ports as open (false-positive), and that's all...

Let's try another free vulnerability scanner tool, Nexpose. The results are much better:

• CIFS NULL Session Permitted  
• Weak LAN Manager hashing permitted
• SMB signing not required
• Windows 95/98/ME Share Level Password Bypass   
• TCP Sequence Number Approximation Vulnerability  
• ICMP netmask response
• CIFS Share Readable By Everyone

I think the following vulnerabilities are useless for me at the moment:

• Weak LAN Manager hashing permitted - without user interaction or services looking at the network, useless (I might be wrong here, will check this later)
• TCP Sequence Number Approximation Vulnerability - not interesting
• ICMP netmask response - not interesting
• CIFS Share Readable By Everyone - unless there is a password in a text file, useless

But we have two interesting vulns:

• CIFS NULL Session Permitted  - this could be interesting, I will check this later ...
• Windows 95/98/ME Share Level Password Bypass - BINGO!

Let me quote Nexpose here:

"3.2.3 Windows 95/98/ME Share Level Password Bypass (CIFS-win9x-onebyte-password)

A flaw in the Windows 95/98/ME File and Print Sharing service allows unauthorized users to access file and print shares by sending the first character of the password. Due to the limited number of attempts required to guess the password, brute force attacks can be performed in just a few seconds.

Established connection to share TEST with password P."

The vulnerability description at MS side:

http://technet.microsoft.com/en-us/security/bulletin/ms00-072

For example if the password is "Password" (without quotes) and the client sends the password "P" (without quotes) and the length of 1, the client is authenticated. To find the rest of the password, the attacker increments the length to 2 and starts guessing the second letter until he reaches "PA" and gets authenticated again. As share passwords in Windows 95 are not case sensitive, "Pa" and "PA" will also be accepted. The attacker can continue to increment the length and guessing the next letter one-by-one until he gets the full "PASSWORD" (as the maximum length is 8 characters).

I believe all characters between ALT+033 and ALT+255 can be used in the share password in Windows 95, but as it is case insensitive, we have 196 characters to use, and a maximum length of 8 characters. In worst case this means that we can guess the full password in 1568 requests. The funny thing is that the share password is not connected to (by default) any username/account, and it cannot be locked via brute force.

Luckily there is a great tool which can exploit this vulnerability:

Share Password Checker

Let's check this tool in action:

W00t w00t, it brute forced the password in less then 2 seconds!

Looking at a wireshark dump we can see how it is done:

As you can see, in the middle of the dump we can see that it already guessed the part "PASS" and it is brute-forcing the fifth character, it founds that "W" is the correct fifth character, and starts brute-forcing the sixth character.

If we are lucky with the CTF, the whole C:\ drive is shared with full read-write access, and we can write our team identifier into the c:\flag.txt. But what if we want remote code execution? Stay tuned, this is going to be the topic of the next part of this post.

More info

1. Pentest Tools Windows
2. Hack And Tools
3. Pentest Tools Nmap
4. Hack And Tools
5. Pentest Tools Subdomain
6. Hacking Tools Online
7. Free Pentest Tools For Windows
8. Pentest Reporting Tools
9. Pentest Tools Framework
10. Hacking Tools For Games
11. Hack Tools For Mac
12. Pentest Tools Github
13. Pentest Tools For Mac
14. Pentest Tools For Android
15. Hacker Hardware Tools
16. Hack Tools 2019
17. Game Hacking
18. Hack Tools
19. Best Pentesting Tools 2018
20. Pentest Tools For Mac
21. Hacks And Tools
22. What Are Hacking Tools
23. Pentest Tools Apk
24. Hacker Tools Hardware
25. Github Hacking Tools
26. Hack Tools For Windows
27. Hacker Techniques Tools And Incident Handling
28. New Hack Tools
29. Hack Tools Download
30. Best Pentesting Tools 2018
31. Hacking App
32. Pentest Tools Free
33. Hack Tools For Games
34. Hacking Tools Github
35. Wifi Hacker Tools For Windows
36. Ethical Hacker Tools
37. Pentest Tools List
38. Pentest Tools Linux
39. Tools For Hacker
40. Hacker Tool Kit
41. Hak5 Tools
42. Pentest Tools Url Fuzzer
43. Pentest Tools Linux
44. Wifi Hacker Tools For Windows
45. Hacker Tools Free
46. Ethical Hacker Tools
47. Pentest Tools For Windows
48. Hack Website Online Tool
49. Nsa Hack Tools
50. Hacking Tools Windows
51. Kik Hack Tools
52. Underground Hacker Sites
53. Github Hacking Tools
54. Hack App
55. What Are Hacking Tools
56. World No 1 Hacker Software
57. Hack Tools
58. What Is Hacking Tools
59. Usb Pentest Tools
60. Hack Tools Github
61. Pentest Tools Download
62. Best Hacking Tools 2020
63. Nsa Hack Tools Download
64. Pentest Box Tools Download
65. Hacking Apps
66. Pentest Tools Online
67. Pentest Tools Port Scanner
68. Hack Apps
69. Physical Pentest Tools
70. Free Pentest Tools For Windows
71. Pentest Tools Apk
72. Hacker Tools 2020
73. Best Hacking Tools 2020
74. Hacker Tools Mac
75. World No 1 Hacker Software
76. Hackers Toolbox
77. Game Hacking
78. Pentest Tools Find Subdomains
79. Easy Hack Tools
80. Hacker Tools Apk Download
81. Hacking Tools 2020
82. Game Hacking
83. Pentest Tools Windows
84. How To Install Pentest Tools In Ubuntu
85. Hacking Tools
86. Hack Tools For Games
87. Hack Rom Tools
88. Nsa Hack Tools Download
89. Hacking Tools Usb
90. New Hacker Tools
91. Hacker Tools For Windows
92. Hacker Tool Kit
93. Best Pentesting Tools 2018
94. Pentest Tools For Android
95. Hacker Tools Free Download
96. Pentest Tools Android
97. Hack Tools For Pc
98. Pentest Tools Tcp Port Scanner
99. Hacker Techniques Tools And Incident Handling
100. Hacking Tools Github
101. Nsa Hack Tools Download
102. How To Hack
103. Hacking Tools Windows
104. Best Pentesting Tools 2018
105. Pentest Tools Tcp Port Scanner
106. Hacker Tools For Ios
107. Hack Apps
108. Pentest Tools Alternative
109. Pentest Tools Download
110. Hacker Tools Apk Download
111. Kik Hack Tools
112. Pentest Tools For Android
113. Pentest Reporting Tools
114. Black Hat Hacker Tools
115. New Hacker Tools
116. Hacking Tools Name
117. Wifi Hacker Tools For Windows
118. Top Pentest Tools
119. Hacking Tools Kit
120. Github Hacking Tools
121. Pentest Tools For Windows
122. Pentest Tools For Mac
123. Nsa Hacker Tools
124. Hack Apps
125. Pentest Tools Find Subdomains
126. Hacking Tools For Pc
127. Install Pentest Tools Ubuntu
128. Hacking Tools Online
129. Bluetooth Hacking Tools Kali
130. Bluetooth Hacking Tools Kali
131. Hack Tools
132. Hacker Tools 2019
133. Hacking Tools Kit
134. Hacker Tools List
135. Termux Hacking Tools 2019
136. Hacking Tools For Windows
137. World No 1 Hacker Software
138. Hacking Tools For Pc
139. Pentest Tools Android
140. Hack Tools
141. Game Hacking
142. Pentest Tools For Mac
143. Tools For Hacker
144. Pentest Tools Nmap
145. Nsa Hack Tools Download
146. Hacker Security Tools
147. Pentest Tools Website
148. New Hacker Tools
149. Pentest Tools Alternative
150. What Are Hacking Tools
151. Install Pentest Tools Ubuntu
152. World No 1 Hacker Software
153. Hacker Tools
154. Tools 4 Hack