brackets can be:

  00  base computer names and workgroups, also in "*" queries
  01  master browser, in the magic __MSBROWSE__ cookie
  03  messaging/alerter service; name of logged-in user     <--- This one is cool too ---
  20  resource-sharing "server service" name                <--- Check this one ---
  1B  domain master-browser name
  1C  domain controller name
  1E  domain/workgroup master browser election announcement [?]
I'll talk about the messaging/alert service later; if you want to read about it now, just scroll down until you find Messaging/Alert Service.

So if the value in the <xx> box is 20 (by the way, the values are displayed in hex) it means that sharing is enabled. So now how can someone get in? Easy. First you need to create an entry in your Lmhosts file (it can be found at c:\windows\Lmhosts; there is also an example file at c:\windows\Lmhosts.sam. In Windows NT, these files can be found at c:\WinNT\Lmhosts and c:\WinNT\Lmhosts.sam). If you don't have the Lmhosts file, just create it. Read all the information in the sample file below.

--- Lmhosts.sam file ---
# Copyright (c) 1993-1995 Microsoft Corp.
#
# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows
# NT.
#
# This file contains the mappings of IP addresses to NT computernames
# (NetBIOS) names. Each entry should be kept on an individual line.
# The IP address should be placed in the first column followed by the
# corresponding computername. The address and the comptername
# should be separated by at least one space or tab. The "#" character
# is generally used to denote the start of a comment (see the exceptions
# below).
#
# This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
# files and offers the following extensions:
#
# #PRE
# #DOM:<domain>
# #INCLUDE <filename>
# #BEGIN_ALTERNATE
# #END_ALTERNATE
# \0xnn (non-printing character support)
#
# Following any entry in the file with the characters "#PRE" will cause
# the entry to be preloaded into the name cache. By default, entries are
# not preloaded, but are parsed only after dynamic name resolution fails.
#
# Following an entry with the "#DOM:<domain>" tag will associate the
# entry with the domain specified by <domain>. This affects how the
# browser and logon services behave in TCP/IP environments. To preload
# the host name associated with #DOM entry, it is necessary to also add a
# #PRE to the line. The <domain> is always preloaded although it will not
# be shown when the name cache is viewed.
#
# Specifying "#INCLUDE <filename>" will force the RFC NetBIOS (NBT)
# software to seek the specified <filename> and parse it as if it were
# local. <filename> is generally a UNC-based name, allowing a
# centralized lmhosts file to be maintained on a server.
# It is ALWAYS necessary to provide a mapping for the IP address of the
# server prior to the #INCLUDE. This mapping must use the #PRE directive.
# In addtion the share "public" in the example below must be in the
# LanManServer list of "NullSessionShares" in order for client machines to
# be able to read the lmhosts file successfully. This key is under
#
# \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares
# in the registry. Simply add "public" to the list found there.
#
# The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
# statements to be grouped together. Any single successful include
# will cause the group to succeed.
#
# Finally, non-printing characters can be embedded in mappings by
# first surrounding the NetBIOS name in quotations, then using the
# \0xnn notation to specify a hex value for a non-printing character.
#
# The following example illustrates all of these extensions:
#
# 102.54.94.97 rhino #PRE #DOM:networking #net group's DC
# 102.54.94.102 "appname \0x14" #special app server
# 102.54.94.123 popular #PRE #source server
# 102.54.94.117 localsrv #PRE #needed for the include
#
# #BEGIN_ALTERNATE
# #INCLUDE \\localsrv\public\lmhosts
# #INCLUDE \\rhino\public\lmhosts
# #END_ALTERNATE
#
# In the above example, the "appname" server contains a special
# character in its name, the "popular" and "localsrv" server names are
# preloaded, and the "rhino" server name is specified so it can be used
# to later #INCLUDE a centrally maintained lmhosts file if the "localsrv"
# system is unavailable.
#
# Note that the whole file is parsed including comments on each lookup,
# so keeping the number of comments to a minimum will improve performance.
# Therefore it is not advisable to simply add lmhosts file entries onto the
# end of this file.
To create an entry just open the Lmhosts file in your favorite text editor and enter your target's IP, press tab and enter the name (the one that is listed in the name field). Save the file and exit.

Now there are two methods to access the remote shares you're after: the easy way and the cool way.
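To make the Lmhosts.sam rules above and the suffix table at the top of this tutorial concrete, here is an added example (my own code, not part of the original tutorial) that parses LMHOSTS lines into the 16-byte NetBIOS name and labels each name's suffix the way the <xx> field shows it. The sample lines are constructed, and the padding rule for short quoted names (last byte is the suffix, name part space-padded to 15) is an assumption.

```python
import re

# Suffix meanings copied from the table at the top of this tutorial.
SUFFIXES = {0x00: "workstation / workgroup name", 0x01: "master browser (__MSBROWSE__)",
            0x03: "messenger service; logged-in user", 0x20: "server service (resource sharing)",
            0x1B: "domain master browser", 0x1C: "domain controller", 0x1E: "browser election"}
# ip, then a name token (quoted names may contain spaces and \0xnn escapes), then the rest
ENTRY = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3})\s+("(?:[^"\\]|\\.)*"|\S+)(.*)$')

def expand_name(token):
    """16-byte NetBIOS name for an LMHOSTS name token (assumption: in a short
    quoted name the last byte is the suffix and the rest is space-padded to 15)."""
    if token.startswith('"') and token.endswith('"'):
        body = re.sub(r'\\0x([0-9A-Fa-f]{2})',
                      lambda m: chr(int(m.group(1), 16)), token[1:-1])
        return body[:16] if len(body) >= 16 else body[:-1].ljust(15) + body[-1]
    return token.upper().ljust(15)[:15] + "\x00"   # plain names get suffix 00

def parse_lmhosts(text):
    """Mapping entries from LMHOSTS text; comments, #INCLUDE and the
    #BEGIN_/#END_ALTERNATE directives are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        ip, token, rest = m.groups()
        dom = re.search(r'#DOM:(\S+)', rest)
        entries.append({"ip": ip, "name": expand_name(token),
                        "preload": "#PRE" in rest.upper(),
                        "domain": dom.group(1) if dom else None})
    return entries

def describe(entry):
    """Name and suffix in the NAME<xx> form the name table shows, plus its meaning."""
    suffix = ord(entry["name"][15])
    return "%s<%02X> %s" % (entry["name"][:15].rstrip(), suffix,
                            SUFFIXES.get(suffix, "unknown suffix"))

# Constructed sample modelled on the example lines in Lmhosts.sam above.
SAMPLE = """# comment line
102.54.94.97   rhino   #PRE #DOM:networking  #net group's DC
102.54.94.102  "appname \\0x14"   #special app server
#INCLUDE \\\\rhino\\public\\lmhosts
10.0.0.5       fileserv  #PRE
"""
```

Running describe() over parse_lmhosts(SAMPLE) shows which entries an admin has pinned as domain controllers or servers, and flags any suffix that is not in the table.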
The easy way (GUI)

If you don't want any more trouble, just press Start, click Find and select Find Computer. Enter the target's IP address. If your Lmhosts entry is correct, it will show the computer you want in the search window. Just click on the computer icon, and start browsing through that computer as if you were browsing your own computer.

The cool way

Now it's time to get to know the net.exe program. To access the help menu just type:

net /?   (in a DOS window)

I suggest redirecting all the help to a file and then reading it (use net /? > somefile.txt to redirect all output to somefile.txt and overwrite it, or net /? >> somefile.txt to append the output to the file without deleting it). You can also type net option /? to get more help about that option. To access the share, you create a virtual drive that will be the share on the other host.
In order to do this you will need to enter:

net use drive \\[ipaddress]\[sharename]

Where:
- drive is the drive letter you want, for example f: g: z:
- ipaddress is the target host's IP
- sharename is the name of the share (remember the table we discussed before?)

After doing this you just need to type drive: and then browse the new drive from MS-DOS as if it were your own hard disk (for example, type f: if your new virtual drive has been assigned the letter f).
Example:

Let's say that you coded a *really cool* backdoor, and you want to run it on a computer that has sharing enabled; the share name is Flintstone and the IP address is 145.42.23.14.

c:\>net use f: \\145.42.23.14\Flintstone

Now you would just need to copy the backdoor to the new virtual drive.

c:\>copy backdoor.exe f:\backdoor.exe

First Version Text

Then you would just change drive and run the backdoor.

c:\>f:
f:\>backdoor.exe

And the backdoor is loaded, so now you can use it to access this computer.
I'm deeply sorry, but what is written between the First Version Text markers is wrong. Using what is there, what would probably happen is installing the backdoor on your own computer and not on the target host. Thanks to Kimmo from the a-Men Group who corrected me.
What you really need to do is copy the backdoor.exe file to the share, and then edit the win.ini file, adding the line:

run=%SystemRoot%\backdoor.exe

NOTE: Why %SystemRoot%?

We need to use %SystemRoot% instead of F:, because F: is a virtual drive, so on the target host that drive might not exist; the variable %SystemRoot% expands to the correct drive and directory on the host itself.

Of course, you can also put the backdoor in other places, such as c:\windows\winstart.bat (enter the line %SystemRoot%\backdoor.exe as a new line). If there is no such file, create it.
Messaging/Alert Service

What's this feature? It doesn't let you access the files, for certain, but it's kinda fun, because what it does is send a message, in message box format, to the other host. Watch the face of the guy that is on the computer when he sees a message box saying "Error: User To Stupid". However, you need to remember that your host will be shown in the message box, but if you spoof your host, you can have a good laugh with this.

When using this feature you also need to create a new entry in your Lmhosts file. Remember that this can only be used on a LAN, such as a school LAN with your friends, just to see their faces, nothing more. Even if you wanted to send it over the Internet you couldn't, because it uses a broadcast system, and when any broadcast packets get to a router they are immediately dropped (for security reasons, which is off the topic of this tutorial).

To send a message to the other computer, that computer needs to have a <03> value. As you can see in the table somewhere in the middle of the file, <03> says:

03 messaging/alerter service; name of logged-in user <--- This one is cool too ---

So if your target computer has this turned on you can send a message by typing:

net send sharename message

If you are on a LAN and don't want people to mess with you, type:

net stop messenger

Doing this you stop the messenger service, so you won't be able to send or receive messages using the net send syntax. If you want to enable it again, type:

net start messenger

Now you'll be able to send and receive messages again.
Appendix A: Accessing Windows shares from Unix

The easiest way is to use an X Windows program called LinNeighborhood, which can be downloaded from http://www.bnro.de/~schmidjo/. However, you can also do that from your console or xterm window, by using the smb commands. To learn more, read the man pages of the following commands:

smbclient
smbmnt
smbmount
smbprint
smbumount
Appendix B: Finding sharing hosts

Suppose you're an admin that wants to scan his network for vulnerable hosts. Suppose you're a bored cracker that wants to find possible targets. In both cases you'd want to have a shares scanner to do the job for you.

You can use a shares scanner to scan whole subnets and look for vulnerable hosts for you. Get Legion or NbtScan from packetstorm.securify.com.
Appendix C: Password-Protected shares

Are you an admin that wants to test how strong his password-protected shares are? Are you a cracker that came across a password-protected share and doesn't know what to do? You could try to get a brute-force share password cracker that'll try passwords for you until it finds the correct one. Cain is one such program, and it also has some other features that you might want to check out.
Appendix D: Detecting Sharing Attacks

Sharing attacks are usually pretty easy to detect (unless the attacker is spoofing or performing his attack from another host, thus making it appear as if the other host is really the attacker). The simplest program for the job is Lockdown 2000 (from www.lockdown.com). However, it is quite buggy and doesn't always perform well. You can also try Norton AtGuard (www.norton.com); I believe it can also detect sharing attacks, although I haven't tested it yet. However, if you're going for the real thing, you should try and get a good firewall or intrusion detection system. My personal favorite for Unix systems is ipchains (search linux.box.sk, freshmeat.net or any of your other favorites), while for Windows systems I recommend Firewall-1 (search the net, you should be able to come across it pretty quickly).
Appendix E: An Easier Way to Access Shares

Got the target's IP address? Good. Got the share name? Good. Now hit Start, then hit Run, and then type:

//ip-address(or hostname)/sharename

For example: //65.4.78.203/someshare

You will be able to access the share using an interface similar to what you get when you double-click on the "My Computer" icon, and get rid of the need to assign a virtual drive.