This will explain the "uses" of IPC for hackers.
Inter-Process Communication is used for data sharing between
applications and computers. We will be looking at the Windows NT
default IPC$ share, which is used for communication between
computers. This share is what we use to start to gain access to
the server. Before we start, we will look at the NET commands
for the console in NT.
(Note: I was unable to create a null connection using a
95/98 computer; I had to use an NT computer.) The net commands
that we will be using are net use and net view. Now get into
the console (the fake MS-DOS prompt in Windows). Pick out your
target and make sure that it is an NT system and that it has
port 139 open. Port 139 needs to be open so that NetBIOS is on.
After checking for that, go to the console and type:
Example 1> C:\>NET USE \\TARGET\IPC$ * /USER:
Example 2> C:\>NET USE \\TARGET\IPC$ * /USER:""
Example 3> C:\>NET USE \\TARGET\IPC$ "" /USER:""
Note: For some reason the command varies a little bit from
one NT system to another.
Note: TARGET is the name or IP of the computer, ex.
\\211.3.4.11\ipc$ * /user:
Note: If it works you'll get: The command completed
successfully.
Note: To check the connection, type NET USE \\TARGET\IPC$
After starting a null connection you could try to access
the hidden shares. The default hidden shares are: C$,
PRINT$, ADMIN$, IPC$. As you can probably tell, shares are
hidden by putting a $ at the end of the share name. Sometimes
shares don't have passwords, so you can use them. When you
create a null connection you have the least possible rights.
Next you could try using net view. To do this, open the
console and type:
Example:
C:\>net view \\TARGET (Shares)
Or
C:\>net view /workgroup:TARGETWG (Computers in workgroup)
Or
C:\>net view /domain:TARGETD (Computers in domain)
(Note: change TARGETWG to the name of the workgroup to see
all of the computers connected)
(Note: change TARGET to the IP or name of the computer to
see all non-hidden shares)
(Note: change TARGETD to the domain name, example: /domain:
Bob.com )
If you can't find an open share, you could use a program
that I like a lot called winfo. Winfo will get all of the
user names from the target. Another program is
NAT (NetBIOS Auditing Tool). NAT will try names and passwords
(dictionary attack) until it gets the right one. Another
well-liked pair of programs is sid2user and user2sid.
Last but not least, there are DoS attacks that could be
performed. DoS attacks become outdated quickly, but new ones
are always popping up. There is a good DoS attack that works on
NT systems with printer capabilities. It kinda goes like this
(a null connection is needed): \\target\pipe\spoolss. Do this
a lot. The next one is one that I'm not sure works, but you
fill all the connections possible on:
\\target\pipe\samr. For that I would recommend using a program
like ubend.exe.
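The null connection, hidden-share and net view sections above, and the spooler named-pipe DoS at the end, all leave the same footprint on the server: anonymous network logons, anonymous access to IPC$ and the other administrative shares, and repeated anonymous opens of one named pipe. The Python script below is an added example of how a defender could flag that footprint; it is not part of the original text and not one of the tools it names. It assumes the event IDs and field names of the modern Windows Security log (4624 logon, 5140 share accessed, 5145 share object checked), and it runs over constructed sample records in an invented ";"-separated key=value format, not real log exports.

```python
"""Flag null-session activity in constructed Windows Security log lines.

Added example, not part of the original text. Event IDs and field names
(4624, 5140, 5145, LogonType, ShareName, RelativeTargetName) follow the
modern Windows Security log; the record format and all values below are
constructed for this example and are not real exports.
"""
from collections import Counter

ANONYMOUS = "ANONYMOUS LOGON"
# Default hidden administrative shares named in the text.
ADMIN_SHARES = {"C$", "PRINT$", "ADMIN$", "IPC$"}

# Constructed sample log: one anonymous (null session) client at 10.0.0.23
# and one authenticated user at 10.0.0.45. Records are key=value pairs
# joined with ";" so that a value containing a space (ANONYMOUS LOGON)
# survives parsing.
_BASE_LINES = [
    "EventID=4624;LogonType=3;AccountName=ANONYMOUS LOGON;SourceIP=10.0.0.23",
    "EventID=5140;AccountName=ANONYMOUS LOGON;ShareName=\\\\*\\IPC$;SourceIP=10.0.0.23",
    "EventID=5140;AccountName=ANONYMOUS LOGON;ShareName=\\\\*\\C$;SourceIP=10.0.0.23",
    "EventID=4624;LogonType=3;AccountName=alice;SourceIP=10.0.0.45",
    "EventID=5140;AccountName=alice;ShareName=\\\\*\\ADMIN$;SourceIP=10.0.0.45",
    "EventID=5145;AccountName=alice;ShareName=\\\\*\\IPC$;RelativeTargetName=srvsvc;SourceIP=10.0.0.45",
]
# Eight anonymous opens of the spoolss pipe from one source: the trace that
# the text's "do this a lot" spooler DoS would leave behind (constructed).
_PIPE_LINES = [
    "EventID=5145;AccountName=ANONYMOUS LOGON;ShareName=\\\\*\\IPC$;"
    "RelativeTargetName=spoolss;SourceIP=10.0.0.23"
] * 8
SAMPLE_LOG = "\n".join(_BASE_LINES + _PIPE_LINES)


def parse_event(line):
    """Split one ';'-separated key=value record into a dict."""
    fields = {}
    for part in line.split(";"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def share_basename(share_name):
    r"""'\\*\IPC$' -> 'IPC$' (last path component, upper-cased)."""
    return share_name.rsplit("\\", 1)[-1].upper()


def null_session_logons(events):
    """Event 4624 with network logon type 3 by the anonymous account."""
    return [e for e in events
            if e.get("EventID") == "4624"
            and e.get("LogonType") == "3"
            and e.get("AccountName") == ANONYMOUS]


def anonymous_admin_share_access(events):
    """Event 5140: the anonymous account touched a hidden admin share."""
    return [e for e in events
            if e.get("EventID") == "5140"
            and e.get("AccountName") == ANONYMOUS
            and share_basename(e.get("ShareName", "")) in ADMIN_SHARES]


def pipe_flood_sources(events, pipe="spoolss", threshold=5):
    """Sources that opened `pipe` over IPC$ anonymously >= threshold times."""
    counts = Counter()
    for e in events:
        if (e.get("EventID") == "5145"
                and e.get("AccountName") == ANONYMOUS
                and share_basename(e.get("ShareName", "")) == "IPC$"
                and e.get("RelativeTargetName", "").lower() == pipe.lower()):
            counts[e.get("SourceIP", "?")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def analyse(log_text):
    """Run all three checks over a log text and return the flagged sources."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    return {
        "null_session_sources": sorted(
            {e["SourceIP"] for e in null_session_logons(events)}),
        "anonymous_share_sources": sorted(
            {e["SourceIP"] for e in anonymous_admin_share_access(events)}),
        "pipe_flood_sources": pipe_flood_sources(events),
    }


if __name__ == "__main__":
    for check, hits in analyse(SAMPLE_LOG).items():
        print(f"{check}: {hits}")
```

Run as a script it prints the three findings; only 10.0.0.23 is flagged, while alice's authenticated use of ADMIN$ and srvsvc is left alone. On the configuration side, the NT-era mitigation for the activity described in this text is the RestrictAnonymous value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, together with the NullSessionPipes and NullSessionShares values under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, which limit which pipes and shares accept a null session at all.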
Credits
written by Mind Rift
version 1.0