Network Neighborhood and My Network Places aren’t the only places where you can connect to other computers’ shares. For one, you can use the Find | Computer utility on the Start menu to search for available shares by IP address. This will search for shares on that particular IP whether the host is in your office or across the ocean. However, as with most graphical utilities, Network Neighborhood has an underlying command-line program that drives it. The command-line program is called net; let’s further explore this utility.
We start with a breakdown of the command-line arguments and a brief description, as shown in Table 6-1. We’ll follow with an example usage of the more important commands and what they do. Try typing the /? flag after any of the commands in the table to find more syntax information.
Command Line | 9x | NT | Me | 2000 | XP | Explanation |
---|---|---|---|---|---|---|
net accounts | No | Yes | No | Yes | Yes | Sets account policies for the system, such as password age, password history, and lockout and logoff policies |
net computer | No | Yes | No | Yes | Yes | Adds or deletes computers from the domain |
net config | Yes | Yes | Yes | Yes | Yes | Displays current server or workgroup information including computer name, username, software version, and domain name |
net continue | No | Yes | No | Yes | Yes | Restarts a suspended service |
net diag | Yes | No | Yes | No | No | Displays diagnostic information about the hardware network connections of systems on the network |
net file | No | Yes | No | Yes | Yes | Displays the names of all currently open files and provides the ability to close them |
net group | No | Yes | No | Yes | Yes | Configures Windows Global Group properties (on domain controllers only) |
net help | Yes | Yes | Yes | Yes | Yes | Gets information about these available commands |
net helpmsg | No | Yes | No | Yes | Yes | Provides information on a particular error message number |
net init | Yes | No | Yes | No | No | Loads protocol and network interface card (NIC) drivers without binding them to Windows Protocol Manager |
net localgroup | No | Yes | No | Yes | Yes | Configures Windows local group properties |
net name | No | Yes | No | Yes | Yes | Configures messaging names for which the machine will accept messages |
net logoff | Yes | No | Yes | No | No | Ends the session between your computer and the shared resources to which you were connected |
net logon | Yes | No | Yes | No | No | Logs into a domain or workgroup |
net password | Yes | No | Yes | No | No | Changes the logon password of the specified user |
net pause | No | Yes | No | Yes | Yes | Suspends currently running services |
net print | Yes | Yes | Yes | Yes | Yes | Gets information about a computer’s print queue and controls it |
net send | No | Yes | No | Yes | Yes | Sends a message to another user or computer on the network |
net session | No | Yes | No | Yes | Yes | Lists or terminates sessions between the local system and other network systems |
net share | No | Yes | No | Yes | Yes | Creates, deletes, or displays a shared resource |
net start | Yes | Yes | Yes | Yes | Yes | Starts a service |
net statistics | No | Yes | No | Yes | Yes | Displays statistics for a server or workstation such as network usage, open files, or print jobs |
net stop | Yes | Yes | Yes | Yes | Yes | Stops a service |
net time | Yes | Yes | Yes | Yes | Yes | Displays the time or synchronizes the time with a specified time server |
net use | Yes | Yes | Yes | Yes | Yes | Connects to or disconnects from a shared resource; also displays information about shared resources |
net user | No | Yes | No | Yes | Yes | Adds or deletes a user |
net ver | Yes | No | Yes | No | No | Displays the version of your workgroup redirector |
net view | Yes | Yes | Yes | Yes | Yes | Displays a list of shared resources for a specific computer or all computers on the local subnet |
As you can see, net is an extremely useful tool. But from a hacker’s standpoint, the two most important net commands are net view and net use. Let’s take a look at the detailed usage for each one.
net view allows you to gather two essential bits of information. First, by specifying the domain or workgroup name of your target (which you can discover using nbtstat, detailed in the next section), you can see all the other computers that belong to that domain or workgroup. From there, you can use net view’s second mode of operation to examine the shares on each individual host on the network. Here’s how it looks:
```
C:\>net view /WORKGROUP:myworkgroup
Servers available in workgroup MYWORKGROUP.

Server name            Remark
-----------------------------------------------------
\\BADMAN               The bad machine
\\BROCOLLI             Veggies are good for you
\\TECHSUPP             Don't call us – we won't call you
The command was completed successfully.

C:\>net view \\badman
Shared resources at \\BADMAN

Sharename      Type      Comment
-----------------------------------------------------
CDRW           Disk
D              Disk
HALF-LIFE      Disk
INSTALL        Disk
MP3S           Disk
The command was completed successfully.
```
Note | The first command, net view /workgroup, won’t work on Windows NT or 2000. Use net view /domain instead. |
We’ve got a list of machines in the domain/workgroup, and we’ve found some open shares on the Badman box. Looks like he’s sharing some MP3s, a popular first-person shooter game, his entire D: drive, and his CD rewritable (CD-RW). The next logical step, of course, would be to see whether we can connect to any of these shares.
Tip | You don’t have to know a domain name or a NetBIOS name to view the available shares on a system. You can use an IP address instead, such as net view \\192.168.1.101. This means you can find out about shares on any computer anywhere in the world that doesn’t have its NetBIOS over TCP (NBT) ports protected by a firewall. |
Now that we’ve found some shares, let’s try to connect to them using the net use command:
```
C:\>net use * \\badman\mp3s
Drive E: is now connected to \\badman\mp3s
The command completed successfully.

C:\>net use * \\badman\d
The password is invalid for \\badman\d.

Type the password for \\badman\d:
System error 86 has occurred.

The specified network password is not correct.

C:\>net view \\badman
Shared resources at \\BADMAN
The bad machine

Sharename      Type      Used as      Comment
-----------------------------------------------------
CDRW           Disk
D              Disk
HALF-LIFE      Disk
INSTALL        Disk
MP3S           Disk      E:
The command was completed successfully.

C:\>echo "hi" > e:\test-write-permissions.txt
Network access is denied.
```
Tip | You can map a drive letter only if File and Printer Sharing is enabled on the system. |
We gained access to the MP3S share and mapped it to our next available drive letter, E:, which is what the asterisk (*) indicates in the net use command line. However, we were unable to create a file on the mapped drive, so we have only read access. The D: share appears to be password protected. We would need either a share password or a valid username and password to access this share, in which case we would run a command such as

```
net use * \\badman\d <password> /user:<username>
```

to connect. So this doesn’t really get us too far. There must be something else we can do.
Exploiting the IPC$ Share with net use

As it turns out, Windows NT and 2000 boxes have “administrative shares.” These aren’t typical shares that can be browsed from Network Neighborhood or My Network Places; nor can they be seen using net view, because a share is hidden by the cunning use of "$" at the end of its name: "ShareFoo" is visible to the network, while "ShareBar$" is hidden from it. If you are able to determine the Administrator password on a box, you can use the net use command to connect to one of those hidden administrative shares.
There’s more. An additional administrative share is made available so that domain administrators can send commands back and forth between servers. This is the IPC$ share. You would think that IPC$ would be strongly protected by Administrator login credentials, but some applications actually require use of IPC$ without authentication. Granted, you won’t get the full run of the system that you might get with Administrator credentials, but even by connecting with no credentials whatsoever, you can extract a great deal of information.
Note | Windows systems through Windows XP only recorded the NetBIOS name of the remote system accessing a host’s IPC$ share. Windows 2003 addresses this deficiency by including the IP address, which is more difficult to spoof than the NetBIOS name, in the security event log. |
The following command effectively creates a somewhat privileged, somewhat trusted pipe between your box and 192.168.1.150:

```
C:\Windows\Desktop>net use \\192.168.1.150\ipc$ "" /user:""
The command completed successfully.
```
That’s it! Now we can run some other tools against 192.168.1.150 to gather information that we never would have had access to before. This information includes usernames, groups, policies, system IDs (SIDs), and other information of that nature.
Tip | Make sure that you clean up after yourself after connecting to this share. Use net use \\192.168.1.150\IPC$ /delete to disconnect. If you don’t, someone will still be able to see you as a connected user and track you back to your IP address by using net session or nbtstat -s, discussed shortly. |
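The Tip above also describes the server side of this picture: net session on the target lists who is connected, and a null IPC$ connection shows up there as a session with a blank user name. The following added Python example (not from the book) parses constructed net session output and flags those rows; the sample rows, the column layout and the disconnect_command helper are assumptions for illustration.

```python
# Constructed sample of `net session` output as seen on the server; the
# second row has a blank user name, which is how an unauthenticated IPC$
# (null) session such as the one shown above appears to the target.
SAMPLE_NET_SESSION = r"""
Computer               User name            Client Type       Opens Idle time

-------------------------------------------------------------------------------
\\192.168.1.101        JDOE                 Windows 2000 2195 1     00:00:05
\\192.168.1.107                             Windows 2000 2195 0     00:02:13
\\BROCOLLI             ALICE                Windows 2002 3790 3     00:00:00
The command completed successfully.
"""

COLUMNS = ["Computer", "User name", "Client Type", "Opens", "Idle time"]


def parse_net_session(output):
    """Parse `net session` output into a list of dicts, one per session.

    The listing is fixed-width, so each row is sliced at the column offsets
    taken from the header line. Splitting on whitespace instead would
    silently shift every field of a null-session row one column to the left.
    """
    lines = output.splitlines()
    header = next(line for line in lines if line.startswith("Computer"))
    offsets = [header.index(name) for name in COLUMNS]
    sessions = []
    for line in lines:
        if not line.startswith("\\\\"):
            continue  # skip header, separator, blank and status lines
        row = {}
        for i, name in enumerate(COLUMNS):
            end = offsets[i + 1] if i + 1 < len(COLUMNS) else len(line)
            row[name] = line[offsets[i]:end].strip()
        row["Opens"] = int(row["Opens"])
        sessions.append(row)
    return sessions


def null_sessions(sessions):
    """Return the client names of sessions that carry no user name."""
    return [s["Computer"] for s in sessions if s["User name"] == ""]


def disconnect_command(computer):
    """Server-side command that drops one client's sessions."""
    return "net session %s /delete" % computer


if __name__ == "__main__":
    for client in null_sessions(parse_net_session(SAMPLE_NET_SESSION)):
        print("null session from", client, "->", disconnect_command(client))
```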