Chapter 6: Windows Enumeration Tools

OVERVIEW

In Arthur Conan Doyle's The Valley of Fear, Sherlock Holmes berates a police inspector: "Breadth of view is one of the essentials of our profession. The interplay of ideas and the oblique uses of knowledge are often of extraordinary interest." In this chapter, we hope to demonstrate how to collect knowledge about remote computers for your own oblique uses. At the very least, you might like to generate a list of users who have interactive access to the target system; but many other bits of information can be collected as well. What software is installed? What patches have (or have not) been applied? Password guessing is one of the oldest, most basic ways to attack a system, but does the target system lock accounts after a certain number of incorrect passwords?

Knowledge about a remote system helps you form an idea of the vulnerabilities that may be present. In other cases, file shares with sensitive data may be left open or misconfigured to allow anonymous access. You need to look for comprehensive, detailed information well beyond a port scan.

The Windows Network Neighborhood, which has evolved into My Network Places in Windows 2000, Me, and XP, uses a protocol called Server Message Block (SMB) Protocol. Most people who share public folders and files from their computers believe that only their peers on the local area network (LAN) have access to the network shares in Network Neighborhood. In reality, it's quite possible that anyone on the Internet could connect to the file share. The only inherent restriction is that the share may require a username and password.

The majority of information about a Windows system is culled from the IPC$ (InterProcess Communications) share, a default share on the Windows NT, 2000, and XP family of systems. It handles communication between applications on a single system or among remote systems. To support distributed login and a domain environment, the IPC$ share provides an enormous amount of system and user information to servers that request it.

The most basic connection is a NULL, or anonymous, connection, which is set up manually with the net command:

 C:\>net use \\target\ipc$ "" /u:"" 

The smbclient command (from the Samba suite, which is described in Chapter 5) can also establish a NULL session, but only the original net use sets up a connection over which other tools can be run.

 $ smbclient '\\target\ipc$' "" -U "" 

The significance of this simple, anonymous connection will become evident as you use tools to enumerate information about the target system.
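The anonymous connection described above leaves a trace on the target: a successful network logon (logon type 3) for the account ANONYMOUS LOGON, recorded as event 540 on NT/2000/2003 and as event 4624 on Vista and later. As an added, defender-side example (not code from the book), the following Python script scans a constructed export of such events and reports which sources established NULL sessions. The key=value line layout, the sample events, and the 10.0.0.0/8 "internal" range are assumptions; the event IDs, logon type and account name are the real values Windows writes.

```python
"""Spot NULL-session logons in exported Windows security events.

Added example (not from the book). The event lines below are constructed,
and their key=value layout is an assumption about how a log forwarder might
flatten events 540 (NT/2000/2003) and 4624 (Vista and later); adapt the
field names to your own export.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample export: one event per line, key=value pairs.
SAMPLE_EVENTS = """\
EventID=540 User=ANONYMOUS LOGON Domain=NT AUTHORITY LogonType=3 Source=10.0.0.25 Workstation=WS-UNKNOWN
EventID=540 User=jsmith Domain=CORP LogonType=3 Source=10.0.0.12 Workstation=WS12
EventID=4624 User=ANONYMOUS LOGON Domain=NT AUTHORITY LogonType=3 Source=10.0.0.25 Workstation=WS-UNKNOWN
EventID=4624 User=svc_backup Domain=CORP LogonType=3 Source=10.0.0.30 Workstation=BKP01
EventID=4624 User=ANONYMOUS LOGON Domain=NT AUTHORITY LogonType=3 Source=203.0.113.7 Workstation=-
EventID=4625 User=ANONYMOUS LOGON Domain=NT AUTHORITY LogonType=3 Source=203.0.113.7 Workstation=-
"""

SUCCESSFUL_LOGON_IDS = {"540", "4624"}  # 540: NT4/2000/2003, 4624: Vista and later
NETWORK_LOGON_TYPE = "3"                # SMB/IPC$ sessions arrive as logon type 3

# Assumed internal address space; an organisation would list its own ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# A value runs until the next " key=" token, so values may contain spaces.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Parse one 'key=value key=value' line into a dict."""
    return dict(FIELD_RE.findall(line.strip()))


def is_null_session(event):
    """True for a successful anonymous network logon, i.e. a NULL session."""
    return (
        event.get("EventID") in SUCCESSFUL_LOGON_IDS
        and event.get("LogonType") == NETWORK_LOGON_TYPE
        and event.get("User", "").upper() == "ANONYMOUS LOGON"
    )


def null_session_events(text):
    """All NULL-session events in an export, in order of appearance."""
    events = (parse_event(line) for line in text.splitlines() if line.strip())
    return [ev for ev in events if is_null_session(ev)]


def is_internal(addr):
    """Whether an address falls inside the assumed internal ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # "-" or a hostname rather than an address
        return False
    return any(ip in net for net in INTERNAL_NETS)


def report(text):
    """Per-source summary: (source, count, internal), most active first."""
    counts = Counter(ev.get("Source", "-") for ev in null_session_events(text))
    rows = [(src, n, is_internal(src)) for src, n in counts.items()]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for src, n, internal in report(SAMPLE_EVENTS):
        origin = "internal" if internal else "EXTERNAL"
        print(f"{src:<16} {n:>3} NULL-session logon(s)  [{origin}]")
```

The failed logon (event 4625) is deliberately excluded: only a successful anonymous network logon means the IPC$ share actually accepted a NULL session. On the sample data the script reports two sessions from 10.0.0.25 and one from an address outside the assumed internal range, which is exactly the case the chapter warns about: a share reachable from the Internet with no credentials required.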

Note 

With the advent of Windows 2003, system administrators are no longer plagued by insecure default settings. A default installation of Windows 2003 will not reveal the sensitive information normally gathered from the chatty IPC$ share; however, a Windows 2003 PDC may still divulge this information, including lists of users and domains.



Anti-Hacker Tool Kit
Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006
Pages: 175
