Monday, January 22, 2024

Hacking Windows 95, Part 1

During a CTF game, we came across very-very old systems. Turns out, it is not that easy to hack those dinosaur old systems, because modern tools like Metasploit do not have sploits for those old boxes and of course our "133t h4cking skillz" are useless without Metasploit... :)

But I had an idea: This can be a pretty good small research for fun.

The rules for the hack are the following:
  1. Only publicly available tools can be used for this hack, so no tool development. This is a CTF for script bunniez, and we can't haz code!
  2. Only hacks without user interaction are allowed (IE based sploits are out of scope).
  3. I need instant remote code execution. For example, if I can drop a malware to the c: drive, and change autoexec.bat, I'm still not done, because no one will reboot the CTF machine in a real CTF for me. If I can reboot the machine, that's OK.
  4. I don't have physical access.
I have chosen Windows 95 for this task. First, I had to get a genuine Windows 95 installer, so I visited the Microsoft online shop and downloaded it from their official site.

I installed it in a virtualized environment (remember, you need a boot floppy to install from the CD), and it hit me with a serious nostalgia bomb after watching the installer screens. "Easier to use", "faster and more efficient", "high-powered performance", "friendly", "intuitive interface". Who does not want that? :)






Now that I have a working Windows 95 box, setting up the TCP/IP is easy, let's try to hack it!

My first tool is always nmap. Let's scan the box! Below I'm showing the interesting parts from the result:

PORT      STATE           SERVICE       VERSION 139/tcp   open            netbios-ssn 137/udp   open|filtered   netbios-ns 138/udp   open|filtered   netbios-dgm Running: Microsoft Windows 3.X|95 OS details: Microsoft Windows for Workgroups 3.11 or Windows 95 TCP Sequence Prediction: Difficulty=25 (Good luck!) IP ID Sequence Generation: Broken little-endian incremental

The first exciting thing to note is that there is no port 445! Port 445 is only since NT 4.0. If you check all the famous windows sploits (e.g., MS03-026, MS08-067), all of them use port 445 and named pipes. But there are no named pipes on Windows 95!

Because I'm a Nessus monkey, let's run a free Nessus scan on it!

Only one critical vulnerability found:
Microsoft Windows NT 4.0 Unsupported Installation Detection

Thanks for nothing, Nessus! But at least it was for free.

Next, I tried GFI Languard, nothing. It detected the machine as Win95, the opened TCP port, and some UDP ports as open (false-positive), and that's all...

Let's try another free vulnerability scanner tool, Nexpose. The results are much better:
  • CIFS NULL Session Permitted  
  • Weak LAN Manager hashing permitted
  • SMB signing not required
  • Windows 95/98/ME Share Level Password Bypass   
  • TCP Sequence Number Approximation Vulnerability  
  • ICMP netmask response
  • CIFS Share Readable By Everyone
I think the following vulnerabilities are useless for me at the moment:
  • Weak LAN Manager hashing permitted - without user interaction or services looking at the network, useless (I might be wrong here, will check this later)
  • TCP Sequence Number Approximation Vulnerability - not interesting
  • ICMP netmask response - not interesting
  • CIFS Share Readable By Everyone - unless there is a password in a text file, useless
But we have two interesting vulns:
  • CIFS NULL Session Permitted  - this could be interesting, I will check this later ...
  • Windows 95/98/ME Share Level Password Bypass - BINGO!
Let me quote Nexpose here:

"3.2.3 Windows 95/98/ME Share Level Password Bypass (CIFS-win9x-onebyte-password)

A flaw in the Windows 95/98/ME File and Print Sharing service allows unauthorized users to access file and print shares by sending the first character of the password. Due to the limited number of attempts required to guess the password, brute force attacks can be performed in just a few seconds.

Established connection to share TEST with password P."

The vulnerability description at MS side:

For example if the password is "Password" (without quotes) and the client sends the password "P" (without quotes) and the length of 1, the client is authenticated. To find the rest of the password, the attacker increments the length to 2 and starts guessing the second letter until he reaches "PA" and gets authenticated again. As share passwords in Windows 95 are not case sensitive, "Pa" and "PA" will also be accepted. The attacker can continue to increment the length and guessing the next letter one-by-one until he gets the full "PASSWORD" (as the maximum length is 8 characters).

I believe all characters between ALT+033 and ALT+255 can be used in the share password in Windows 95, but as it is case insensitive, we have 196 characters to use, and a maximum length of 8 characters. In worst case this means that we can guess the full password in 1568 requests. The funny thing is that the share password is not connected to (by default) any username/account, and it cannot be locked via brute force.

Luckily there is a great tool which can exploit this vulnerability:

Let's check this tool in action:


W00t w00t, it brute forced the password in less then 2 seconds!

Looking at a wireshark dump we can see how it is done:


As you can see, in the middle of the dump we can see that it already guessed the part "PASS" and it is brute-forcing the fifth character, it founds that "W" is the correct fifth character, and starts brute-forcing the sixth character.

If we are lucky with the CTF, the whole C:\ drive is shared with full read-write access, and we can write our team identifier into the c:\flag.txt. But what if we want remote code execution? Stay tuned, this is going to be the topic of the next part of this post.

Related word


  1. Hacking Tools 2019
  2. Hacker Tools 2020
  3. Hacker Security Tools
  4. Black Hat Hacker Tools
  5. Hacking Tools Windows 10
  6. Hacking Tools Pc
  7. Physical Pentest Tools
  8. Pentest Tools Linux
  9. Hacker Tools 2019
  10. New Hack Tools
  11. Hacking Tools Usb
  12. Hacker Tools Apk Download
  13. Pentest Tools Online
  14. Wifi Hacker Tools For Windows
  15. Hacker Tools For Windows
  16. Pentest Tools
  17. Hack Tools For Mac
  18. Hackrf Tools
  19. Hack Tools
  20. Hack Website Online Tool
  21. Hacker
  22. Best Pentesting Tools 2018
  23. How To Install Pentest Tools In Ubuntu
  24. Pentest Tools Windows
  25. Hacking Tools 2019
  26. Tools Used For Hacking
  27. Best Hacking Tools 2020
  28. Hacking Tools For Games
  29. Hack Tools For Games
  30. Kik Hack Tools
  31. New Hack Tools
  32. Hacker Tools Github
  33. Hack Tools For Pc
  34. Hacker Tools For Ios
  35. Pentest Tools For Ubuntu
  36. Tools For Hacker
  37. Hack Apps
  38. Hacker Hardware Tools
  39. Pentest Tools Url Fuzzer
  40. Hacker Tools Apk
  41. Hacker Tools Apk Download
  42. Pentest Recon Tools
  43. Hacking Tools For Windows Free Download
  44. Hack Tools
  45. Pentest Tools Website
  46. Kik Hack Tools
  47. Pentest Tools Website Vulnerability
  48. Hacker Security Tools
  49. Hacking Tools For Beginners
  50. Hack Tools For Ubuntu
  51. Hacking Tools Usb
  52. Hacks And Tools
  53. World No 1 Hacker Software
  54. Hacker Tools Hardware
  55. Black Hat Hacker Tools
  56. Hacker Tools Linux
  57. Hacking Tools
  58. Hacking Tools
  59. Hacker Search Tools
  60. Hacker Tools Hardware
  61. Install Pentest Tools Ubuntu
  62. Hack Tools
  63. Hack Tools Online
  64. Hacking Tools Kit
  65. What Is Hacking Tools
  66. Hacking Tools Github
  67. World No 1 Hacker Software
  68. Hack Tools Mac
  69. Best Hacking Tools 2020
  70. Hacker Tools For Mac
  71. Hacker Tools Mac
  72. Hack App
  73. Hacking Tools For Kali Linux
  74. Hacking Tools Software
  75. Hack Tools For Ubuntu
  76. Hacker Tools Apk Download
  77. Pentest Tools Kali Linux
  78. Hacking Tools 2020
  79. Pentest Tools Github
  80. Hacker Tools For Mac
  81. Hack Tool Apk
  82. Tools 4 Hack
  83. Hack Tools 2019
  84. Growth Hacker Tools
  85. Tools For Hacker
  86. Hacker Tools For Mac
  87. Hackrf Tools
  88. Android Hack Tools Github
  89. Tools For Hacker
  90. Hacking Tools Name
  91. Pentest Tools Windows
  92. Tools 4 Hack
  93. Best Hacking Tools 2020
  94. Best Hacking Tools 2019
  95. Hacking Tools For Kali Linux
  96. Best Pentesting Tools 2018
  97. Pentest Tools Download
  98. Hacking Tools Software
  99. Hacking Tools Pc
  100. Pentest Tools
  101. Pentest Tools For Android
  102. Hacker Tools 2020
  103. Hacking Tools For Pc
  104. Bluetooth Hacking Tools Kali
  105. Hack Tools Mac
  106. Hacker Tools For Ios
  107. Pentest Tools Open Source
  108. Physical Pentest Tools
  109. Hack And Tools
  110. How To Install Pentest Tools In Ubuntu
  111. Hacking Tools Usb
  112. Pentest Recon Tools
  113. Pentest Tools Website Vulnerability
  114. Hacking Tools Software
  115. Pentest Tools Open Source
  116. Game Hacking
  117. Pentest Tools Framework
  118. Hacking Tools Windows 10
  119. What Is Hacking Tools
  120. Hacker Tools Apk Download
  121. Bluetooth Hacking Tools Kali
  122. Hack Tools Mac
  123. Hacker Search Tools
  124. What Are Hacking Tools
  125. Pentest Tools Tcp Port Scanner
  126. Wifi Hacker Tools For Windows
  127. Pentest Tools Port Scanner
  128. Hacker Tools For Windows
  129. Underground Hacker Sites
  130. Pentest Tools Url Fuzzer
  131. Pentest Tools Kali Linux
  132. Pentest Tools Port Scanner
  133. Hack Tool Apk No Root
  134. Pentest Tools Find Subdomains
  135. Termux Hacking Tools 2019
  136. Kik Hack Tools
  137. Hacker Tools Apk
  138. Android Hack Tools Github
  139. Hacking Tools Hardware
  140. Game Hacking
  141. Hacker Tools For Ios
  142. Hacker Hardware Tools
  143. Pentest Tools For Windows
  144. Pentest Tools Framework
  145. Physical Pentest Tools
  146. Termux Hacking Tools 2019
  147. Wifi Hacker Tools For Windows
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)