<html>

<head>

<title>Exploiting File and Print Sharing</title>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

</head>



<body bgcolor="#000000" text="#ffffff" link="#ffffff" vlink="#ffffff">

<div align="center">

<table width="680" border="0" cellspacing="2" cellpadding="2" align="center">

  <tr>

    <td width="693">

      <pre>

                        :::::::::   ::::::::  :::::::::  ::::::::::

                        :+:    :+: :+:    :+: :+:    :+: :+:

                        +:+    +:+ +:+        +:+    +:+ +:+

                        +#++:++#+  +#++:++#++ +#++:++#:  :#::+::#

                        +#+    +#+        +#+ +#+    +#+ +#+

                        #+#    #+# #+#    #+# #+#    #+# #+#

                        #########   ########  ###    ### ###



              	             <a href="http://blacksun.box.sk" target="_blank">http://blacksun.box.sk</a>

                           _____________________________

    ______________________I       <b>   Topic:</b>             I_____________________

   \                      I                             I                    /

    \     HTML by:        I     <b>Exploiting File and</b>     I   Written by:     /

    >                     I        <b>Print Sharing</b>        I   <a href="mailto:Ghost_Rider9@hotmail.com">Ghost_Rider</a>    <

   /      <a href="mailto:black_mesa@hacktik.org">Martin L.</a>       I_____________________________I   <a href="mailto:barakirs@netvision.net.il">R a v e N</a>       \

  /___________________________>                    <_________________________\</pre>

    </td>

  </tr>

</table>

</div>

<p>Date of Release: 4/2/2000</p>

<p>Thanks to Oggy, a totally kewl and helpful guy that helped us release this tutorial faster.</p>

<h4>Introduction</h4>

<p>Remember that I won't go into much detail, because it could start getting

too complicated to explain to newbies. This is a newbies guide after all. If

you want  more detailed information about file sharing search the web, or

read some good NT networks administration books.</p>

<p>Windows has an option called file and print sharing. You can use this
option to "share" drives and printers, which means giving other people access
to files and printers - people on your own network, specific
IPs or even the whole world. When you turn this option on, you leave an open
port (port number 139) that accepts connections and understands the "NetBIOS
protocol", a set of commands (a "language") used to access remote file
and print sharing servers, so that other computers can access the files or
printers you decided to share.</p>

<p>Now sometimes in a small company LAN this could be extremely useful. For
example, instead of having a separate printer for each computer, there's
just one central printer attached to a computer that allows file and print
sharing. But if you are using file sharing on a home computer that is
connected to the Internet (we've seen many people that have this option
turned on and don't even know what it means! Poor souls), that could be quite
dangerous, because anyone who knows your IP can access the files or printers
you're sharing.</p>

<p>If you don't know if file sharing is active in your computer just go to

the control panel and select the Network icon. Now you should see a box where

you can see all the network software that you have installed, such as TCP/IP

(Transfer Control Protocol / Internet Protocol. This is the protocol that is

used to transfer data packets over the Internet. A protocol is like a human

language - if two computers understand it, they can communicate) and

probably a

dial-up adapter (so you could transfer TCP/IP packets over a PPP connection.

PPP, or Point to Point Protocol is the protocol used in dial-up

connections). Check if you have a line called File and Printer Sharing.</p>

<p>If you have this then you have sharing activated. To turn it off, just
uncheck the "I want to be able to give others access to my files" box and do
the same to

the other. Let's return to the ports thing. Remember port 139? The File

Sharing

Port is port 139 and it's called NetBIOS Session Service port. When you have

this option enabled you also have 2 other ports open but they use the UDP

protocol instead of the TCP protocol. These ports are 137 (Name Service) and

138 (Datagram Service). Now if you know anything about DoS attacks (known to

many as nukes) port 139 should sound familiar... There's a kind of DoS

(stands

for Denial of Service) attack called the OOB nuke (OOB stands for Out Of

Band)

or "winnuke" that sends an OOB packet to port 139 and makes Windows lose

connection and drop the user to "blue screen mode". If you wish to know more

about DoS attacks, I suggest that you wait for the DoS attacks tutorial (at

the

time this tutorial was written, the DoS attacks tutorial didn't exist yet.

However, by the time you read it it might already be available, so you can

try and get it from <a href="http://blacksun.box.sk" target="_blank">http://blacksun.box.sk</a>).</p>

<h4>Okay, enough said, let's get on with it.</h4>

<p>----------- Getting In -----------</p>

<p>I'm going to explain two ways of breaking into a Windows box that has file

sharing enabled. Just to see how unsafe Windows is, the programs you'll need

come with Windows. Isn't that ironic? Okay, of course they come with

Windows!</p>

<p>Would you actually expect Microsoft to release an OS that supports sharing

without the tools to access shares?<br>

  Now, of course, you can hack file and print sharing through Unix as well.

We'll get to that in the end. Right now we're dealing with Windows here.

Both ways will have equal starts but then in one of the ways you'll keep

typing commands, and in the other way you'll use a GUI (for the ppl who

don't know GUI stands for Graphical User Interface) software. The programs

that you need are called Nbtstat.exe and Net.exe; you can find them in the
Windows directory. These programs run from the MS-DOS prompt. To see the help
menu for nbtstat type nbtstat /? and for net type net /?. Now if you are using
Windows 95 you can have the option NetBios Over TCP/IP disabled, and with
that disabled nbtstat won't work and will display an error message like this
one: "Failed to access NBT driver" without the quotes. So if this error

message comes up just go to the control panel, and select the network icon.

Now

select TCP/IP and choose properties, in the TCP/IP properties box select the
NetBIOS sheet, and enable it by checking the box that shouldn't have a cross.</p>

<p>If you have Windows 98 the error message shouldn't be displayed unless you have

some kind of a port blocker on port 139 (such as Nukenabber). A lot of

people

have these things on to detect OOB nuke attempts (usually newbies that can't

use a firewall or lamers that never attempted to. Hopefully not you).

  Now, you must be thinking that enabling NetBIOS over TCP/IP opens the same

three ports, that you use to access a computer. That's true, because if you

want to use the same protocol you'll need to use the same default ports, or

you can use a terminal emulator to connect to port 139 and, instead of using
the applications I mentioned, type the protocol commands yourself, but that's a real

pain in the ass. Remember that there isn't any problem with the file

sharing,

because you don't have it enabled, you've just got the ports open (you are

just vulnerable to the DoS attack, you can use a firewall or get a patch for

it at <a href="http://www.theargon.com" target="_blank">www.theargon.com</a> (click on defenses and find the OOB patch), but I

don't

know if that would block the incoming data from the host that you are trying

to get in).</p>

<p>Now that you have your NbtStat.exe ready to roll, choose the computer. You

can use the hostname or the IP but you need to use different switches (I'll

get

to that in a second).

  Let's suppose for a second that this computer's hostname is

Mycomputer.MyIsp.com and the IP is 194.65.34.3. The first thing you need to

do

is to see if the computer has file sharing enabled. How can you do that?

It's

easy. Type:</p>

<blockquote>

<p><i>nbtstat -a hostname</i></p>

</blockquote>

<p>

  In this case nbtstat -a Mycomputer.MyIsp.com, but if you want to use the

IP

you need to type:</p>

<blockquote>

<p><i>nbtstat -A IP</i></p>

<p>In this case nbtstat -A 194.65.34.3</p>

</blockquote>

<p>That's strange because DOS isn't case sensitive... but that's how things

work

(I guess that although DOS isn't case sensitive, this rule doesn't apply to

command parameters. Makes more sense than the opposite).

  Now you might receive two different kinds of replies. One that just says

"Host Not Found". If you get this message, you can give up trying to access

the share part of that computer, because that computer hasn't got the

NetBIOS

protocol enabled, or you mistyped the hostname or IP. On the other hand, if

you get a table with names, type of sharing and status, it might be your

lucky

day! Now if you get this table you're half way in. But remember that

sometimes you will get that table but you will not be able to do anything

productive with it, because the computer won't be sharing anything.</p>

<p>The table should look something like the one that is below:</p>

<blockquote>

<table>

<tr>

  <th colspan="2">Name</th>

  <th>Type</th>

  <th>Status</th>

</tr>

<tr>

  <td>Host</td>

  <td>&lt;20&gt;</td>

  <td>UNIQUE</td>

  <td>Registered</td>

</tr>

<tr>

  <td>Hostbug</td>

  <td>&lt;00&gt;</td>

  <td>GROUP</td>

  <td>Registered</td>

</tr>

<tr>

  <td>Host machine</td>

  <td>&lt;03&gt;</td>

  <td>UNIQUE</td>

  <td>Registered</td>

</tr>

</table>

</blockquote>

<p>If you want to access your own sharing table just type <i>nbtstat -n</i></p>

<p>The values in the &lt;xx&gt; brackets can be:</p>

<blockquote>

<table>

<tr>

  <td>00</td>

  <td>base computernames and workgroups, also in "*" queries</td>

</tr>

<tr>

  <td>01</td>

  <td>master browser, in magic __MSBROWSE__ cookie</td>

</tr>

<tr>

  <td>03</td>

  <td>messaging/alerter service; name of logged-in user  &lt;--- This one is cool too ---</td>

</tr>

<tr>

  <td>20</td>

  <td>resource-sharing "server service" name  &lt;--- Check this one ---</td>

</tr>

<tr>

  <td>1B</td>

  <td>domain master-browser name</td>

</tr>

<tr>

  <td>1C</td>

  <td>domain controller name</td>

</tr>

<tr>

  <td>1E</td>

  <td>domain/workgroup master browser election announcement [?]</td>

</tr>

</table>

</blockquote>
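<p>As an added example (not part of the original tutorial), the Python below parses a name table in the layout shown above, labels each row with the suffix meanings from the tutorial's table, and reports whether a machine you administer advertises the &lt;20&gt; server service or &lt;03&gt; messenger names. The sample output, its host names and the function names are constructed for illustration.</p>

```python
import re

# Suffix meanings copied from the tutorial's table.
SUFFIX_MEANING = {
    "00": "base computer name or workgroup",
    "01": "master browser",
    "03": "messaging/alerter service (name of logged-in user)",
    "20": "resource-sharing server service",
    "1B": "domain master-browser name",
    "1C": "domain controller name",
    "1E": "master browser election announcement",
}
# One table row: name, <xx> suffix in hex, UNIQUE or GROUP, status.
ROW = re.compile(r"^\s*(?P<name>.+?)\s*<(?P<suffix>[0-9A-Fa-f]{2})>\s+"
                 r"(?P<type>UNIQUE|GROUP)\s+(?P<status>\S+)\s*$")

# Constructed sample of `nbtstat -n` output, not captured from a real host.
NBTSTAT_SAMPLE = """\
Node IpAddress: [192.0.2.10] Scope Id: []
            NetBIOS Local Name Table
   Name               Type         Status
OFFICEPC       <00>  UNIQUE      Registered
WORKGROUP      <00>  GROUP       Registered
OFFICEPC       <03>  UNIQUE      Registered
ALICE          <03>  UNIQUE      Registered
OFFICEPC       <20>  UNIQUE      Registered
"""

def parse_name_table(text):
    """Return one dict per name-table row; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            row = m.groupdict()
            row["suffix"] = row["suffix"].upper()
            row["meaning"] = SUFFIX_MEANING.get(row["suffix"], "not in the table")
            rows.append(row)
    return rows

def audit_name_table(text):
    """List the registered names a defender should review."""
    findings = []
    for r in parse_name_table(text):
        if r["status"] == "Registered" and r["suffix"] == "20":
            findings.append(f"{r['name']}: server service registered, sharing is enabled")
        elif r["status"] == "Registered" and r["suffix"] == "03":
            findings.append(f"{r['name']}: messenger name is readable by anyone who can query the table")
    return findings
```

<p>Run <i>nbtstat -n</i> on your own machine and pass its output to <i>audit_name_table</i>; an empty result means neither suffix is registered.</p>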

<p>I'll talk about messaging/alert service later, if you want to read about

it now, just scroll down until you find Messaging/Alert Service.</p>

<p>So if the value in the &lt;xx&gt; box is 20 (by the way, the values are

displayed

in hex code) it means that there is sharing enabled. So now how can someone

get in? Easy. First you need to create an entry in your Lmhosts file (can be

found at c:\windows\Lmhosts (yes, no extension). There is also an example file

at c:\windows\Lmhosts.sam, but this is not the file you should edit. In Windows

NT,  these files can be found at c:\WinNT\Lmhosts and c:\WinNT\Lmhosts.sam). If

you don't have the Lmhosts file, just create it. Read all the information in
the sample file below.</p>
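<p>Because an Lmhosts entry decides which IP address a NetBIOS name resolves to, the file is worth auditing on machines you manage. The Python below is an added example (not part of the original tutorial or of Microsoft's file): it parses the syntax documented in the sample file that follows and flags mappings missing from an inventory, plus every #INCLUDE. The input is the sample file's own example entries with the comment marker removed; the function names, the inventory dictionary and the upper-case-only keyword matching are assumptions.</p>

```python
import re

# Constructed input: the sample file's example entries with the leading "# " removed.
LMHOSTS_SAMPLE = r'''
102.54.94.97     rhino         #PRE #DOM:networking  #net group's DC
102.54.94.102    "appname  \0x14"                    #special app server
102.54.94.123    popular            #PRE             #source server
102.54.94.117    localsrv           #PRE             #needed for the include
#BEGIN_ALTERNATE
#INCLUDE \\localsrv\public\lmhosts
#INCLUDE \\rhino\public\lmhosts
#END_ALTERNATE
'''
# IP address, then a bare or quoted NetBIOS name, then keywords and comment.
ENTRY = re.compile(r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<name>"[^"]*"|\S+)(?P<rest>.*)$')

def decode_name(raw):
    """Drop the quotes of a quoted name and expand its \\0xnn escapes."""
    if not raw.startswith('"'):
        return raw
    return re.sub(r"\\0x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), raw[1:-1])

def parse_lmhosts(text):
    """Return (entries, includes); keywords are matched in upper case only (assumption)."""
    entries, includes = [], []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("#INCLUDE"):
            includes.append(line[len("#INCLUDE"):].strip())
        m = ENTRY.match(line)
        if not m:
            continue  # blank line, comment or block keyword
        dom = re.search(r"#DOM:(\S+)", m["rest"])
        entries.append({"ip": m["ip"], "name": decode_name(m["name"]),
                        "pre": "#PRE" in m["rest"].split(),
                        "domain": dom.group(1) if dom else None})
    return entries, includes

def audit_lmhosts(text, expected):
    """Flag mappings absent from `expected` (lower-case name -> IP) and every #INCLUDE."""
    entries, includes = parse_lmhosts(text)
    findings = []
    for e in entries:
        if expected.get(e["name"].lower()) != e["ip"]:
            note = " (preloaded into the name cache)" if e["pre"] else ""
            findings.append(f"{e['name']!r} -> {e['ip']} is not in the inventory{note}")
    return findings + [f"include to review: {path}" for path in includes]
```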

<blockquote>

<table>

<tr>

<td bgcolor="#777777">

<pre>

--- Lmhosts.sam file ---

# Copyright (c) 1993-1995 Microsoft Corp.

#

# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows

# NT.

#

# This file contains the mappings of IP addresses to NT computernames

# (NetBIOS) names.  Each entry should be kept on an individual line.

# The IP address should be placed in the first column followed by the

# corresponding computername. The address and the comptername

# should be separated by at least one space or tab. The "#" character

# is generally used to denote the start of a comment (see the exceptions

# below).

#

# This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts

# files and offers the following extensions:

#

#      #PRE

#      #DOM:&lt;domain&gt;

#      #INCLUDE &lt;filename&gt;

#      #BEGIN_ALTERNATE

#      #END_ALTERNATE

#      \0xnn (non-printing character support)

#

# Following any entry in the file with the characters "#PRE" will cause

# the entry to be preloaded into the name cache. By default, entries are

# not preloaded, but are parsed only after dynamic name resolution fails.

#

# Following an entry with the "#DOM:&lt;domain&gt;" tag will associate the

# entry with the domain specified by &lt;domain&gt;. This affects how the

# browser and logon services behave in TCP/IP environments. To preload

# the host name associated with #DOM entry, it is necessary to also add a

# #PRE to the line. The &lt;domain&gt; is always preloaded although it will not

# be shown when the name cache is viewed.

#

# Specifying "#INCLUDE &lt;filename&gt;" will force the RFC NetBIOS (NBT)

# software to seek the specified &lt;filename&gt; and parse it as if it were

# local. &lt;filename&gt; is generally a UNC-based name, allowing a

# centralized lmhosts file to be maintained on a server.

# It is ALWAYS necessary to provide a mapping for the IP address of the

# server prior to the #INCLUDE. This mapping must use the #PRE directive.

# In addtion the share "public" in the example below must be in the

# LanManServer list of "NullSessionShares" in order for client machines to

# be able to read the lmhosts file successfully. This key is under

# \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares

# in the registry. Simply add "public" to the list found there.

#

# The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE

# statements to be grouped together. Any single successful include

# will cause the group to succeed.

#

# Finally, non-printing characters can be embedded in mappings by

# first surrounding the NetBIOS name in quotations, then using the

# \0xnn notation to specify a hex value for a non-printing character.

#

# The following example illustrates all of these extensions:

#

# 102.54.94.97     rhino         #PRE #DOM:networking  #net group's DC

# 102.54.94.102    "appname  \0x14"                    #special app server

# 102.54.94.123    popular            #PRE             #source server

# 102.54.94.117    localsrv           #PRE             #needed for the include

#

# #BEGIN_ALTERNATE

# #INCLUDE \\localsrv\public\lmhosts

# #INCLUDE \\rhino\public\lmhosts

# #END_ALTERNATE
