Introduction
-------------
Remember that I won't go into much detail, because it could start getting
too complicated to explain to newbies. This is a newbies guide after all. If
you want more detailed information about file sharing search the web, or
read some good NT networks administration books.
Windows has an option called file and print sharing. You can use this
option in order to "share" drive and printers, which means giving access to
files and printers to other people - people on your own network, specific
IPs or even the whole world. When you turn this option on, you leave an open
port (port number 139) that accepts connections and understand the "NetBIOS
protocol", a set of commands (a "language") used to access remote file
and print sharing servers, so that other computers can access the files or
printers you decided to share.
Now sometimes in a small company LAN this could be extremely useful. For
example, instead of having a seperate printer for each computer, there's just
one central printer in a computer that allows file and print sharing. But if
you are using file sharing in your home computer (We've seen many people
that have this option turned on and don't even know what it means! Poor
souls) that is connected to the Internet, that could be quite dangerous because
anyone who knows your IP can access your files or printers you're sharing.
If you don't know if file sharing is active in your computer just go to the
control panel and select the Network icon. Now you should see a box where you
can see all the network software that you have installed, such as TCP/IP
(Transfer Control Protocol / Internet Protocol. This is the protocol that is
used to transfer data packets over the Internet. A protocol is like a human
language - if two computers understand it, they can communicate) and probably a
dial-up adapter (so you could transfer TCP/IP packets over a PPP connection.
PPP, or Point to Point Protocol is the protocol used in dial-up connections),
check if you have a line called File and Printer Sharing.
If you have this then you have sharing activated, to turn it off just uncheck
the "I want to be able to give others access to my files" and do the same to
the other. Let's return to the ports thing. Remember port 139? The File Sharing
Port is port 139 and it's called NetBIOS Session Service port. When you have
this option enabled you also have 2 other ports open but they use the UDP
protocol instead of the TCP protocol. These ports are 137 (Name Service) and
138 (Datagram Service). Now if you know anything about DoS attacks (known to
many as nukes) port 139 should sound familiar... There's a kind of DoS (stands
for Denial of Service) attack called the OOB nuke (OOB stands for Out Of Band)
or "winnuke" that sends an OOB packet to port 139 and makes Windows lose
connection and drop the user to "blue screen mode". If you wish to know more
about DoS attacks, I suggest that you wait for the DoS attacks tutorial (at the
time this tutorial was written, the DoS attacks tutorial didn't exist yet.
However, by the time you read it it might already be available, so you can try
and get it from http://blacksun.box.sk).
Okay, enough said, let's get on with it.
----------- Getting In -----------
I'm going to explain two ways of breaking into a Windows box that has file
sharing enabled. Just to see how unsafe Windows is, the programs you'll need
come with Windows. isn't that ironic? Okay, of course they come with Windows!
Would you actually expect Microsoft to release an OS that supports sharing
without the tools to access shares?
Now, of course, you can hack file and print sharing through Unix as well.
We'll get to that in the end. Right now we're dealing with Windows here.
Both ways will have equal starts but then in one of the ways you'll keep
typing commands, and in the other way you'll use a GUI (for the ppl who
don't know GUI stands for Graphical User Interface) software. The programs
that you need are called Nbtstat.exe and Net.exe you can find it in the windows
directory. These programs run from the MS-DOS prompt. To see the help menu
for nbtstat type nbtstat /? And for net type net /?. Now if you are using
Windows 95 you can have the option NetBios Over TCP/IP disabled and with
that disabled nbtstat won't work and will display a error message like this
one: "Failed to access NBT driver" without the quotes. So if this error
message comes up just go to the control panel, and select the network icon. Now
select TCP/IP and choose properties, in the TCP/IP properties box select the
NetBIOS sheet, and enable it checking the box that shouldn't have a cross. If
you have Windows 98 the error message shouldn't be displayed unless you have
some kind of a port blocker on port 139 (such as Nukenabber). A lot of people
have these things on to detect OOB nuke attempts (usually newbies that can't
use a firewall or lamers that never attempted to. Hopefully not you).
Now, you must be thinking that enabling NetBIOS over TCP/IP opens the same
three ports, that you use to access a computer. That's true, because if you
want to use the same protocol you'll need to use the same default ports, or
you can use a terminal emulator to connect to port 139 and instead of using
the application I mentioned to type the protocol commands, but that's a real
pain in the ass. Remember that there isn't any problem with the file sharing,
because you don't have it enabled, you've just got the ports open (you are
just vulnerable to the DoS attack, you can use a firewall or get a patch for
it at www.theargon.com (click on defenses and find the OOB patch), but I don't
know if that would block the incoming data from the host that you are trying
to get in).
Now that you have your NbtStat.exe ready to roll, choose the computer. You
can use the hostname or the IP but you need to use different switches (I'll get
to that in a second).
Let's suppose for a second that this computer's hostname is
Mycomputer.MyIsp.com and the IP is 194.65.34.3. The first thing you need to do
is to see if the computer has file sharing enabled. How can you do that? It's
easy. Type:
nbtstat -a hostname
In this case nbtstat -a Mycomputer.MyIsp.com, but if you want to use the IP
you need to type:
nbtstat -A IP
In this case nbtstat -A 194.65.34.3
That's strange because DOS isn't case sensitive... but that's how things work
(I guess that although DOS isn't case sensitive, this rule doesn't apply to
command parameters. Makes more sense than the opposite).
Now you might receive two different kinds of replies. One that just says
"Host Not Found". If you get this message, you can give up trying to access
the share part of that computer, because that computer hasn't got the NetBIOS
protocol enabled, or you mistyped the hostname or IP. On the other hand, if
you get a table with names, type of sharing and status, it might be your lucky
day! Now if you get this table you're half way in. But remember that
sometimes you will get that table but you will not be able to do anything
productive with it, because the computer won't be sharing anything.
The table should look something like the one that is below:
Name Type Status
-----------------------------------------------------------------------------
Host <20> UNIQUE Registered
Hostbug <00> GROUP Registered
Host machine <03> UNIQUE Registered
-----------------------------------------------------------------------------
If you want to access your own sharing table just type nbtstat -n
-----------------------------------------------------------------------------
The values in the brackets can be:
00 base computernames and workgroups, also in "*" queries
01 master browser, in magic __MSBROWSE__ cookie
03 messaging/alerter service; name of logged-in user <--- This one is cool too --- 20 resource-sharing "server service" name <--- Check this one --- 1B domain master-browser name 1C domain controller name 1E domain/workgroup master browser election announcement [?] ------------------------------------------------------------------------------- I'll talk about messaging/alert service later, if you want to read about it now, just scroll down until you find Messaging/Alert Service. ------------------------------------------------------------------------------- So if the value in the box is 20 (by the way, the values are displayed
in hex code) it means that there is sharing enabled. So now how can someone
get in? Easy. First you need to create an entry in your Lmhosts file (can be
found at c:\windows\Lmhosts. There is also an example file at
c:\windows\Lmhosts.sam. In Windows NT, these files can be found at
c:\WinNT\Lmhosts and c:\WinNT\Lmhosts.sam). If you don't have the Lmhosts file,
just create it. Read all the information in the sample file file below.
--- Lmhosts.sam file ---
# Copyright (c) 1993-1995 Microsoft Corp.
#
# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows
# NT.
#
# This file contains the mappings of IP addresses to NT computernames
# (NetBIOS) names. Each entry should be kept on an individual line.
# The IP address should be placed in the first column followed by the
# corresponding computername. The address and the comptername
# should be separated by at least one space or tab. The "#" character
# is generally used to denote the start of a comment (see the exceptions
# below).
#
# This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
# files and offers the following extensions:
#
# #PRE
# #DOM:
# #INCLUDE
# #BEGIN_ALTERNATE
# #END_ALTERNATE
# \0xnn (non-printing character support)
#
# Following any entry in the file with the characters "#PRE" will cause
# the entry to be preloaded into the name cache. By default, entries are
# not preloaded, but are parsed only after dynamic name resolution fails.
#
# Following an entry with the "#DOM:" tag will associate the
# entry with the domain specified by . This affects how the
# browser and logon services behave in TCP/IP environments. To preload
# the host name associated with #DOM entry, it is necessary to also add a
# #PRE to the line. The is always preloaded although it will not
# be shown when the name cache is viewed.
#
# Specifying "#INCLUDE " will force the RFC NetBIOS (NBT)
# software to seek the specified and parse it as if it were
# local. is generally a UNC-based name, allowing a
# centralized lmhosts file to be maintained on a server.
# It is ALWAYS necessary to provide a mapping for the IP address of the
# server prior to the #INCLUDE. This mapping must use the #PRE directive.
# In addtion the share "public" in the example below must be in the
# LanManServer list of "NullSessionShares" in order for client machines to
# be able to read the lmhosts file successfully. This key is under
#
\machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares
# in the registry. Simply add "public" to the list found there.
#
# The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
# statements to be grouped together. Any single successful include
# will cause the group to succeed.
#
# Finally, non-printing characters can be embedded in mappings by
# first surrounding the NetBIOS name in quotations, then using the
# \0xnn notation to specify a hex value for a non-printing character.
#
# The following example illustrates all of these extensions:
#
# 102.54.94.97 rhino #PRE #DOM:networking #net group's DC
# 102.54.94.102 "appname \0x14" #special app server
# 102.54.94.123 popular #PRE #source server
# 102.54.94.117 localsrv #PRE #needed for the
include
#
# #BEGIN_ALTERNATE
# #INCLUDE \\localsrv\public\lmhosts
# #INCLUDE \\rhino\public\lmhosts
# #END_ALTERNATE
#
# In the above example, the "appname" server contains a special
# character in its name, the "popular" and "localsrv" server names are
# preloaded, and the "rhino" server name is specified so it can be used
# to later #INCLUDE a centrally maintained lmhosts file if the "localsrv"
# system is unavailable.
#
# Note that the whole file is parsed including comments on each lookup,
# so keeping the number of comments to a minimum will improve performance.
# Therefore it is not advisable to simply add lmhosts file entries onto the
# end of this file.
To create an entry just open the Lmhosts file in your favorite word
processor and enter your target's IP, press tab and enter the share name
(the one that is listed in the name field). Save the file and exit.
Now the are two methods to access the remote shares you're after: the
easy way and the cool way.
--- The easy way (GUI) ---
If you don't want to have any more trouble just press start, click find
and select find computer. Enter the target's IP address. If your Lmhosts entry
is correct, it will show the computer you want in the search window. Just click
on the computer icon, and start browsing through that computer like you were
browsing your own computer.
--- The cool way ---
Now it's time to get to know the net.exe program. To access the help menu
just type:
net /? (in a dos Window).
I suggest to redirect all the help to a file and then read it
(use net /? > somefile.txt to redirect all output to somefile.txt and overwrite
it, or net /? >> somefile.txt to append the output to the file without deleting
it). You can also do net option /? to get more help about that option. To
access the share, you create a virtual drive that will be the share in the
other host.
In order to do this you will need to enter:
net use drive \\[ipaddress]\[sharename]
Where:
- drive is the drive letter you want. For example f: g: z:
- ipaddress is the target host's IP
- sharename is the name of the share (remember the table we discussed about
before?)
After doing this you just need to type drive: and then browse the new drive
using Ms-DOS like if you were in your own hard disk (for example, type:
f:
If your new virtual drive has been assigned the letter f).
Example:
Lets say that you coded a *really cool* backdoor, and you want to run on a
computer that has share enabled, the share name is Flintstone and the ipaddress
is 145.42.23.14 .
c:\>net use f: \\145.42.23.14\Flinstone
Now you would just need to copy the backdoor to the new virtual
drive.
c:\>copy backdoor.exe f:\backdoor.exe
----- First Version Text ------
Then you would just change drive and run the backdoor.
c:\>f:
f:\>backdoor.exe
And the backdoor is loaded, so now you can use it to access this computer.
--------------------------------
I'm deeply sorry, but what is written between the ----First Version Text---
is wrong.
Using what is there what probably would happen was installing the backdoor
in your own computer and not in the target host. Thanks to Kimmo from the
a-Men Group that correct me.
What you really need to do is to copy the backdoor.exe file to the share,
and then edit the win.ini file adding the line:
run=%SystemRoot%\backdoor.exe
---------------------------------------------------------------------------------
NOTE: Why %SystemRoot% ?
We need to use %SystemRoot% instead of F:, because F: is a virtual drive so
in the the host that drive could not exist, so you use the variable
%SystemRoot% that will return the correct drice.
---------------------------------------------------------------------------------
Of course, you can also put the backdoor in other places, such as
c:\windows\winstart.bat (enter the line %SystemRoot%\backdoor.exe as a new
blank line). If there is no such file, create it.
-----------------------
Messaging/Alert Service
-----------------------
What's this feature? It doesn't let you access the files for certain, but
it's kinda fun, because what it does is send a message, in Message Box Format
to the other host. Watch the face of the guy that is on the computer when he
sees a message box saying "Error: User To Stupid". However, you need to
remember that your host will be shown in the message box, but if you spoof your
host, you can have a good laugh with this.
When using this feature you also need to create a new entry in your Lmhosts
file. Remember that this can only be used in a LAN network such as a school LAN
with your friends, just to see their faces, nothing more. Even if you wanted to
send it over the Internet you couldn't because it uses a broadcast system, and
when any broadcasted packets get to a router they are immediately deleted
(security reasons. Off the topic of this tutorial).
To send a message to the other computer that computer needs to have a <03>
value. As you can see in the table somewhere in the middle of the file, <03
says:
03 messaging/alerter service; name of logged-in user <--- This one is cool
too ---
So if your target computer has this turned on you can send a message by
typing:
net send sharename message
If you are in an LAN and don't want people to mess with you, type:
net stop messenger
Doing this you stop the msg service, so you won't be able to send or receive
messages using the net send syntax. If you want to enable it again, type:
net start messenger
Now you'll be able to send and receive messages again.
Appendix A: Accessing Windows shares from Unix
----------------------------------------------
The easiest way is to use an X-Windows program called
LinNeighborhood, which can be downloaded from http://www.bnro.de/~schmidjo/.
However, you can also do that from your console or xterm window, by using the
smb commands. To learn more, read the man pages of the following commands:
smbclient smbmnt smbmount smbprint smbumount
Appendix B: Finding sharing hosts
---------------------------------
Suppose you're an admin that wants to scan his network for vulnerable hosts.
Suppose you're a bored cracker that wants to find possible targets. In both
cases you'd want to have a shares scanner to do the job for you.
You can use a shares scanner to scan whole subnets and look for vulnerable
hosts for you. Get Legion or NbtScan from packetstorm.securify.com.
Appendix C: Password-Protected shares
-------------------------------------
Are you an admin that wants to test how strong his password protected shares
are? Are you a cracker that came across a password-protected share and don't
know what to do? You could try to get a brute-force sharing password cracker
that'll try passwords for you until it finds the correct one. Cain is one such
program, that also has some other features that you might want to check out.
Appendix D: Detecting Sharing Attacks
-------------------------------------
Sharing attacks are usually pretty easy to detect (unless the attacker is
spoofing or performing his attack from another host, thus making it appear as
if the other host is really the attacker). The simplest program for the job is
Lockdown 2000 (from www.lockdown.com). However, it is quite buggy and doesn't
always perform well. You can also try Notron AtGuard (www.norton.com) - I
believe it can also detect sharing attacks, although I havn't tested it yet.
However, if you're going for the real thing, you should try and get a good
firewall or intrusion detection system. My personal favorite for Unix systems
is ipchains (search linux.box.sk, freshmeat.net or any of your other
favorites), while for Windows systems I recommend Firewall-1 (search the net,
you should be able to come across it pretty quickly).
Appendix E: An Easier Way to Access Shares
------------------------------------------
Got the target's IP address? Good. Got the share name? Good. Now hit start,
then hit run, and then type:
//ip-address(or hostname)/sharename
For example: //65.4.78.203/someshare
You will be able to access the share using an interface similar to what you get
when you double-click on the "my computer" icon, and get rid of the need to
assign a virtual drive.
-------------
Remember that I won't go into much detail, because it could start getting
too complicated to explain to newbies. This is a newbies guide after all. If
you want more detailed information about file sharing search the web, or
read some good NT networks administration books.
Windows has an option called file and print sharing. You can use this
option in order to "share" drive and printers, which means giving access to
files and printers to other people - people on your own network, specific
IPs or even the whole world. When you turn this option on, you leave an open
port (port number 139) that accepts connections and understand the "NetBIOS
protocol", a set of commands (a "language") used to access remote file
and print sharing servers, so that other computers can access the files or
printers you decided to share.
Now sometimes in a small company LAN this could be extremely useful. For
example, instead of having a seperate printer for each computer, there's just
one central printer in a computer that allows file and print sharing. But if
you are using file sharing in your home computer (We've seen many people
that have this option turned on and don't even know what it means! Poor
souls) that is connected to the Internet, that could be quite dangerous because
anyone who knows your IP can access your files or printers you're sharing.
If you don't know if file sharing is active in your computer just go to the
control panel and select the Network icon. Now you should see a box where you
can see all the network software that you have installed, such as TCP/IP
(Transfer Control Protocol / Internet Protocol. This is the protocol that is
used to transfer data packets over the Internet. A protocol is like a human
language - if two computers understand it, they can communicate) and probably a
dial-up adapter (so you could transfer TCP/IP packets over a PPP connection.
PPP, or Point to Point Protocol is the protocol used in dial-up connections),
check if you have a line called File and Printer Sharing.
If you have this then you have sharing activated, to turn it off just uncheck
the "I want to be able to give others access to my files" and do the same to
the other. Let's return to the ports thing. Remember port 139? The File Sharing
Port is port 139 and it's called NetBIOS Session Service port. When you have
this option enabled you also have 2 other ports open but they use the UDP
protocol instead of the TCP protocol. These ports are 137 (Name Service) and
138 (Datagram Service). Now if you know anything about DoS attacks (known to
many as nukes) port 139 should sound familiar... There's a kind of DoS (stands
for Denial of Service) attack called the OOB nuke (OOB stands for Out Of Band)
or "winnuke" that sends an OOB packet to port 139 and makes Windows lose
connection and drop the user to "blue screen mode". If you wish to know more
about DoS attacks, I suggest that you wait for the DoS attacks tutorial (at the
time this tutorial was written, the DoS attacks tutorial didn't exist yet.
However, by the time you read it it might already be available, so you can try
and get it from http://blacksun.box.sk).
Okay, enough said, let's get on with it.
----------- Getting In -----------
I'm going to explain two ways of breaking into a Windows box that has file
sharing enabled. Just to see how unsafe Windows is, the programs you'll need
come with Windows. isn't that ironic? Okay, of course they come with Windows!
Would you actually expect Microsoft to release an OS that supports sharing
without the tools to access shares?
Now, of course, you can hack file and print sharing through Unix as well.
We'll get to that in the end. Right now we're dealing with Windows here.
Both ways will have equal starts but then in one of the ways you'll keep
typing commands, and in the other way you'll use a GUI (for the ppl who
don't know GUI stands for Graphical User Interface) software. The programs
that you need are called Nbtstat.exe and Net.exe you can find it in the windows
directory. These programs run from the MS-DOS prompt. To see the help menu
for nbtstat type nbtstat /? And for net type net /?. Now if you are using
Windows 95 you can have the option NetBios Over TCP/IP disabled and with
that disabled nbtstat won't work and will display a error message like this
one: "Failed to access NBT driver" without the quotes. So if this error
message comes up just go to the control panel, and select the network icon. Now
select TCP/IP and choose properties, in the TCP/IP properties box select the
NetBIOS sheet, and enable it checking the box that shouldn't have a cross. If
you have Windows 98 the error message shouldn't be displayed unless you have
some kind of a port blocker on port 139 (such as Nukenabber). A lot of people
have these things on to detect OOB nuke attempts (usually newbies that can't
use a firewall or lamers that never attempted to. Hopefully not you).
Now, you must be thinking that enabling NetBIOS over TCP/IP opens the same
three ports, that you use to access a computer. That's true, because if you
want to use the same protocol you'll need to use the same default ports, or
you can use a terminal emulator to connect to port 139 and instead of using
the application I mentioned to type the protocol commands, but that's a real
pain in the ass. Remember that there isn't any problem with the file sharing,
because you don't have it enabled, you've just got the ports open (you are
just vulnerable to the DoS attack, you can use a firewall or get a patch for
it at www.theargon.com (click on defenses and find the OOB patch), but I don't
know if that would block the incoming data from the host that you are trying
to get in).
Now that you have your NbtStat.exe ready to roll, choose the computer. You
can use the hostname or the IP but you need to use different switches (I'll get
to that in a second).
Let's suppose for a second that this computer's hostname is
Mycomputer.MyIsp.com and the IP is 194.65.34.3. The first thing you need to do
is to see if the computer has file sharing enabled. How can you do that? It's
easy. Type:
nbtstat -a hostname
In this case nbtstat -a Mycomputer.MyIsp.com, but if you want to use the IP
you need to type:
nbtstat -A IP
In this case nbtstat -A 194.65.34.3
That's strange because DOS isn't case sensitive... but that's how things work
(I guess that although DOS isn't case sensitive, this rule doesn't apply to
command parameters. Makes more sense than the opposite).
Now you might receive two different kinds of replies. One that just says
"Host Not Found". If you get this message, you can give up trying to access
the share part of that computer, because that computer hasn't got the NetBIOS
protocol enabled, or you mistyped the hostname or IP. On the other hand, if
you get a table with names, type of sharing and status, it might be your lucky
day! Now if you get this table you're half way in. But remember that
sometimes you will get that table but you will not be able to do anything
productive with it, because the computer won't be sharing anything.
The table should look something like the one that is below:
Name Type Status
-----------------------------------------------------------------------------
Host <20> UNIQUE Registered
Hostbug <00> GROUP Registered
Host machine <03> UNIQUE Registered
-----------------------------------------------------------------------------
If you want to access your own sharing table just type nbtstat -n
-----------------------------------------------------------------------------
The values in the
