Chapter 5: Unix Enumeration Tools




Many of the most useful tools you’ll ever encounter are either included with your Unix distribution as system utilities or are open source and freely downloadable. We’ll cover some of the basic tools in this chapter.

Samba: Server Message Block Implementation for Unix

When people think of Windows and networks, they ultimately think of the Network Neighborhood, which has recently been expanded to My Network Places in Windows 200x, Me, and XP. When you browse through networks and access files in this manner, you are using a protocol called Server Message Block Protocol (SMB). Most people who share public folders and files on their computers believe that only their peers on their Local Area Network (LAN) have access to the network shares in Network Neighborhood. In reality, however, unless your computer is protected by network address translation (NAT) or a firewall, anyone in the world can find those public shares and connect to them. Anyone.

In addition to Network Neighborhood, Windows has command-line tools to access shares via SMB (discussed in Chapter 6). Unix systems also have SMB-based file-sharing capabilities. Samba provides both client and server components, so you can set up file sharing on a Unix box that a Windows user can reach from Network Neighborhood. Additionally, the Samba client can be used to access Windows shares. In this section, we’ll focus only on the Samba client tools that you can use on the Unix side to gain access to SMB shares.

Smbclient

You can think of smbclient as an FTP client front end to an SMB file share. Smbclient is similar to net use on the Windows side. Let’s take a look at some of the commands we can try.

Implementation

First we need to see what shares are available. We can use the -L hostname option to view the shares on a host, but if our smbclient isn’t able to resolve the NetBIOS name to an IP address, we’ll have to specify that separately with the -I flag. We also use the -N option to skip prompting for any passwords (since we should be able to access this information without one).

[jdoe@originix ~]$ smbclient -N -L badman -I 192.168.1.101
Added interface ip=192.168.1.100 bcast=192.168.1.255 nmask=255.255.255.0

        Sharename      Type      Comment
        ---------      ----      -------
        MP3S           Disk
        HALF-LIFE      Disk
        CDRW           Disk
        INSTALL        Disk
        D              Disk
        IPC$           IPC       Remote Inter Process Communication

        Server               Comment
        ---------            -------
        BADMAN               The bad machine

        Workgroup            Master
        ---------            -------
        MYWORKGROUP          BADMAN

The output of this command looks similar to that of the net view command seen in Chapter 6—except smbclient was nice enough to tell us about the hidden IPC$ share! The IPC$ share, which will be discussed further in Chapter 6, is a special shared "pipe" that can allow you to execute commands remotely. Notice that in the command line, we actually needed to specify the NetBIOS name of the box (badman). Without it, we wouldn’t have gotten any of this information. We’ll talk about how we obtain this important piece of information in the "Nmblookup" section later in this chapter.

Now let’s see what happens when we try to connect to a share:

[jdoe@originix ~]$ smbclient //badman/mp3s -I 192.168.1.101
Added interface ip=192.168.1.100 bcast=192.168.1.255 nmask=255.255.255.0
Password:
smb: \> ls
  Innocent.mp3                 A  5269507  Sat Feb  3 02:04:14 2001
  Awake.mp3                    A  7302760  Mon Feb 12 18:16:44 2001
  River.mp3                    A  5324800  Wed Jan  3 19:04:12 2001

                39060 blocks of size 524288. 18784 blocks available

We try an empty password and get in. Now we can use standard FTP commands (get, put, ls) to determine whether we can read and write files to this share. When we need to log in to a share as a specific user, we use the -U <username> option.

Tip 

If you need a password to access a share, you can specify the password on the command line instead of waiting to be prompted for it. However, that’s probably not a good idea since it will get recorded as plain text in your shell’s history file!

In Windows, you can map a shared resource to a network drive on your computer. Samba allows you to do the same thing using the smbmount command. If you wanted to map the MP3s resource above to a directory called /mnt/mp3s on your Unix file system, you would type this:

[jdoe@originix ~]$ smbmount //badman/mp3s /mnt/mp3s -I 192.168.1.101
Added interface ip=192.168.1.100 bcast=192.168.1.255 nmask=255.255.255.0
Password:
[jdoe@originix ~]$

You can now manipulate the files in that share using Unix system commands. When you’re finished, you can unmount the share just as you would any Unix file system.

Can we also use Samba to establish a null session with the IPC$ share? Well, not really. We can connect to the IPC$ share with smbclient using null user credentials, but this doesn’t accomplish much. Because the IPC$ share is a pipe and not a file share, smbclient can’t do much with it once we’re connected. You can use rpcclient, included with the Samba distribution, to make use of the IPC$ share—but you’ll need user credentials on the Windows box to use it.

Rpcclient

Rpcclient can be used to execute Windows remote procedure calls (RPCs) from a Unix box. To connect to the IPC$ share on our Windows 2000 box (192.168.1.150), we use this command:

[jdoe@originix ~]$ rpcclient -U administrator 192.168.1.150
Password:
rpcclient $>

Once you supply the Administrator password, you’ll be able to perform any number of remote administration commands. Type a ? and press ENTER at this prompt to obtain a list. You cannot establish a NULL IPC$ session with rpcclient.

Nmblookup

We talked about the problem of needing to know NetBIOS names. This Unix-based tool helps us find out that information.

Implementation

Let’s see what happens when we run nmblookup against 192.168.1.101:

[jdoe@originix ~]$ nmblookup -A 192.168.1.101
Sending queries to 192.168.1.255
Looking up status of 192.168.1.101
received 8 names
        BADMAN          <00> -         B <ACTIVE>
        MYWORKGROUP     <00> - <GROUP> B <ACTIVE>
        BADMAN          <03> -         B <ACTIVE>
        BADMAN          <20> -         B <ACTIVE>
        MYWORKGROUP     <1e> - <GROUP> B <ACTIVE>
        JOEUSER         <03> -         B <ACTIVE>
        MYWORKGROUP     <1d> -         B <ACTIVE>
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>

num_good_sends=0 num_good_receives=0

Not exactly what we were hoping for. We got some names, but how do we know what’s what? In this particular example, it’s pretty easy to guess that the hostname we’re looking for is BADMAN. The output of this command is nearly identical to the output of the nbtstat -A command discussed in Chapter 6. The “NBTSTAT” section in Chapter 6 will help you to interpret the NetBIOS codes in this output.
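To decode the suffix codes without flipping to Chapter 6, here is an added example (not from the book) that parses the text of nmblookup -A and annotates each registered name. The suffix table is the standard NetBIOS one that nbtstat also uses; the sample output is the BADMAN session above, embedded as a constructed string so the script runs offline.

```python
import re

# NetBIOS suffix codes as nbtstat/nmblookup show them; the <GROUP> flag changes the meaning of <00>.
UNIQUE = {"00": "Workstation Service (computer name)",
          "03": "Messenger Service (computer or logged-on user)",
          "20": "File Server Service (shares offered)",
          "1b": "Domain Master Browser", "1d": "Master Browser"}
GROUP = {"00": "Domain/workgroup name", "01": "Master Browser (__MSBROWSE__)",
         "1c": "Domain Controllers", "1e": "Browser Service Elections"}

# One status line:  NAME  <hex> - [<GROUP>] node-type <ACTIVE>
NAME_LINE = re.compile(r"^\s*(?P<name>\S+)\s+<(?P<suffix>[0-9a-fA-F]{2})>\s+-"
                       r"\s+(?P<group><GROUP>)?\s*[BPMH]\s+<ACTIVE>")

def parse_status(output):
    """Parse the text of `nmblookup -A host` into a list of name records."""
    records = []
    for line in output.splitlines():
        m = NAME_LINE.match(line)
        if not m:
            continue  # header/footer lines such as "received 8 names"
        is_group = m.group("group") is not None
        suffix = m.group("suffix").lower()
        table = GROUP if is_group else UNIQUE
        records.append({"name": m.group("name"), "suffix": suffix, "group": is_group,
                        "meaning": table.get(suffix, "unknown suffix")})
    return records

def summarize(records):
    """Recover hostname, workgroup, logged-on users and whether file sharing is active."""
    def first(suffix, group):
        return next((r["name"] for r in records if r["suffix"] == suffix and r["group"] == group), None)
    hostname = first("00", False)
    # <03> unique names belong to the computer itself plus any logged-on user
    users = sorted({r["name"] for r in records
                    if r["suffix"] == "03" and not r["group"] and r["name"] != hostname})
    return {"hostname": hostname, "workgroup": first("00", True), "logged_on_users": users,
            "file_sharing": first("20", False) is not None,
            "master_browser": first("1d", False) is not None}

# Constructed sample: the nmblookup -A output shown above, embedded for offline use.
SAMPLE = """received 8 names
        BADMAN          <00> -         B <ACTIVE>
        MYWORKGROUP     <00> - <GROUP> B <ACTIVE>
        BADMAN          <03> -         B <ACTIVE>
        BADMAN          <20> -         B <ACTIVE>
        MYWORKGROUP     <1e> - <GROUP> B <ACTIVE>
        JOEUSER         <03> -         B <ACTIVE>
        MYWORKGROUP     <1d> -         B <ACTIVE>
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>"""
```

Running summarize(parse_status(SAMPLE)) reports BADMAN as the host, MYWORKGROUP as the workgroup, JOEUSER as the logged-on user, and file sharing active because of the <20> registration.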

If we need to go the other way and find the IP of a NetBIOS name, we can do that, too:

[bjohnson@originix ~]$ nmblookup badman
Sending queries to 192.168.1.255
192.168.1.101 badman<00>

If we add the -S flag, nmblookup also includes the same status information that the -A command returned earlier.

Nmblookup tries several different methods to resolve the name (the order is configurable in the smb.conf file). The available methods are WINS, the lmhosts file, DNS or the hosts file, and broadcast (which requires that the target be on the same subnet).

Automating the Process

Clearly, you can do a lot of things with SMB file shares once you find them. Several “smbscan” programs are available, both for Windows and Unix, that can scan ranges of IP addresses looking for open shares and attempting to access each one. These tools simply apply the same underlying methods on a larger scale. For example, the Nessus tool discussed in Chapter 12 scans for open SMB shares as part of its vulnerability assessment.






Anti-Hacker Tool Kit
Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2004
Pages: 189
