Tuesday, January 15, 2008

Think Thin - The skinny on thin clients p2


::Intro::
In this installment of the series we will be looking at ways to exploit a thin client based network and ways to exploit the thin client unit itself.

NOTE: If you didn’t read part one of this series I suggest you do so or you will be lost!!

::FTP::
Ok, here we are going to see where the thin client is getting its configuration file from. To do this we have to disconnect it from the network by removing the network cable from the back of the client. Then press and hold the power button so it turns off, then turn it back on. Right click on the desktop and select Network Manager, then look at the bottom of the window that pops up. Here we should see the address of the FTP server and the home directory for that thin client. Now, hoping that one of the apps your thin client is running is a web browser, connect to the FTP server and see if there are any other configuration files available.

If there are, great, let's see what they've got. Again remove the network cable from the back of the client, and power the unit down and back on again. Right click the desktop and go to Network Manager. At the bottom of the Network Manager window we once again see our FTP server and our home directory. Just replace our home directory with one of the others we found on the FTP server. Plug the network cable back in and get access to the apps linked to that user.

NOTE: Thin clients by default connect to FTP using anonymous login, and more often than not the admin would rather set up an anonymous account on the FTP server than put usernames and passwords in all his/her thin clients.

::Pwn::
Ok, we are on our client using an app. Now remember, we are really connected to the server using the RDP or ICA protocol, so when we send commands in the app's window they are processed by the server. Try hitting “Ctrl + Alt + Delete” and see if you get that Windows pop-up with buttons on it for logging off and stuff. Look for “Task Manager”. If you have access to that we are up for a gold mine! Once in Task Manager hit the “New Task…” button and start any program you want off the server!!!! That’s not all, on top of that you get dumped to the desktop of the account the client is logged on as on the server!!!! If you're really lucky it will be an admin account.

::Apps::
If one of the apps you have access to is a web browser then there are lots and lots of fun things you can do. In the address bar try putting c:\ and it should dump you to the C drive of the server. See if you can access sites outside of the network's intranet. If you have shitty luck and don’t have a web browser, see if you can get to anything on the server. An app might have an “Open file” option or a search option. If you look around the apps you have access to, you most likely will be able to break out of the shell and up to a higher level. If not, try to make the app you do have access to error out; that might dump you somewhere with better access.

::Theories::
Now that we know how to get access to the Network Manager menu and can change where the configuration file comes from, let's take it a step up. Say you managed to get access to the FTP server, downloaded one of the config files to the thin client server, then emailed it to yourself. Then edit it and set up an FTP server with anonymous access serving your edited config file. Now set the thin client up to get the config file from your FTP server and poof, the thin client is using your config file!!

Why do we need to get a config file from the FTP server to edit?
The config file holds, in plain text, the user names and passwords that are needed to gain access to the network so we can connect to the apps.

NOTE: This theory has never been tested; I got as far as needing an FTP server with anonymous access that runs on port 21 (my ISP blocks port 21 :*( ). I was however able to get access to the FTP server, download a config file and send it to my gmail account from no access at all!! This theory could very well work but until it has been tested it stays a theory.

Here is the config file I downloaded:
SIGNON=0
AUTOLOAD=1
PRIVILEGE=None
INACTIVE=60
CONNECT=ICA \
Description="Jacrux - Jackson" \
Icon=default \
Username=jdcuser \
Password=jtest \
Domainname=office \
Browserip=192.168.1.102,192.168.1.88 \
Application="JACRUX - JACRUX" \
Autoconnect=yes \
Fullscreen=1

Here is the edited version:
SIGNON=0
AUTOLOAD=1
PRIVILEGE=High ==NOTE== I changed the priv level to high.
INACTIVE=60
CONNECT=ICA \
Description=" JACRUX pwned by Anarchy " \
Icon=default \
Username=jdcuser \
Password=jtest \
Domainname=office \
Browserip=192.168.1.102,192.168.1.88 \
Application="JACRUX pwned by Anarchy" \
Autoconnect=yes \
Fullscreen=1

Keep in mind this is the info in the .ini “configuration” file. This should give you admin access to the thin client and maybe the server.
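For the defending side, an added example (not part of the original post): a short Python audit that parses a config in the layout shown above and flags what this post relies on, namely plaintext credentials, auto-connect and PRIVILEGE=High. The sample file and its values are constructed, and the parsing rules (backslash continuation, Key=Value options after CONNECT=) are inferred from the listing above, not from vendor documentation.

```python
import re

# Constructed sample mirroring the layout of the config listed above.
SAMPLE = r'''SIGNON=0
PRIVILEGE=None
CONNECT=ICA \
Description="Example App" \
Username=exampleuser \
Password=examplepass \
Autoconnect=yes \
Fullscreen=1
'''

PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')  # Key=Value or Key="quoted value"

def parse(text):
    """Join backslash-continued lines, then split globals from CONNECT entries."""
    logical = re.sub(r'\\[ \t]*\r?\n', ' ', text).splitlines()
    settings, connections = {}, []
    for line in logical:
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        key, _, rest = line.partition('=')
        if key.upper() == 'CONNECT':
            proto, _, opts = rest.partition(' ')
            conn = {k.lower(): v.strip('"') for k, v in PAIR.findall(opts)}
            conn['protocol'] = proto
            connections.append(conn)
        else:
            settings[key.upper()] = rest.strip()
    return settings, connections

def audit(text):
    """Return findings to fix before this file is served to thin clients."""
    settings, connections = parse(text)
    findings = []
    if settings.get('PRIVILEGE', '').lower() == 'high':
        findings.append('PRIVILEGE=High: elevated local privilege on the client')
    for c in connections:
        name = c.get('description', '?')
        if c.get('password'):
            findings.append(f'{name}: plaintext password for {c.get("username")}')
        if c.get('autoconnect', '').lower() in ('yes', '1'):
            findings.append(f'{name}: auto-connects with stored credentials')
    return findings

if __name__ == '__main__':
    print('\n'.join(audit(SAMPLE)))
```

Run it over every file in the FTP directory the clients pull from; any finding means credentials or privilege settings are readable by whoever can reach that directory.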


::That’s all folks::
That’s all I have for you on this topic, feel free to email me about it. Please help me out and click the ads, thanks.

Think Thin: The skinny on thin clients part 2
By: Anarchy Angel
anarchy[dot]ang31 [at] gmail
http://aahideaway.blogspot.com
