Windows File Sharing

small small Netbios hack
or :
an introduction to some basic DOS networking commands


'Hacking' is often associated with (illegally) accessing a computer over the internet. This is not nearly as difficult as it may look at first sight. There are plenty of tools to be found on the internet that will scan the internet for exploitable PCs, and even help you get in and take over. That's how script kiddies do it : run a tool, follow the instructions, bam, you're in.

Sometimes it does not even involve port scans, password crackers, and the like.

When Microsoft added network functionality to its DOS and Windows operating systems, they focused mainly on ease of use, not so much on security. Windows 98, even Windows NT or 2000, work out of the box. The reason they work - networking included - with hardly any need for configuration, is that by default 'everything is allowed until the network administrator says otherwise'. Other systems (Novell NetWare, Linux, Unix, ...) usually take the approach of 'nothing is allowed unless the network administrator allows it', so they are usually better protected.
Besides that, in Windows the network functionality was added to an operating system that was primarily designed for stand-alone personal computers, so it lacked the built-in security features of a multi-user system such as Unix or, later, Linux. Windows NT does have user accounts and file permissions, but out of the box its networking ships just as open.

As a result, Windows File Sharing is a security threat. Enabling file sharing on a Windows computer that is connected to the internet, even without actually sharing a file or directory, may well open up your computer to anyone with an internet connection.

And does this person need to be some kind of networking expert ? A Windows guru ? Or a bored kid with hours to spend and an enormous collection of 'hacker' toys ? No. It can be done by an average Windows user. Or by someone who knows 2 or 3 DOS networking commands.
Let's take the DOS approach here ... the white letters on the black background and the somewhat strange commands make it look a bit more wizardly and mysterious.

You need an address

You need to know the IP address of the computer you want to access. There are a couple of ways to find IP addresses, but I won't go into that here. Let's just say, for the sake of argument, that one day I was looking through the log of my firewall, and found some entries saying things like 'dropped UDP packet from 222.78.23.01'. There's an IP address, and my computer is receiving UDP packets from it ? Let's check it out.

Ping

Ping is a useful command to find out whether a given IP address is 'online', and it has some command line switches : -a, for instance, resolves the address into a computer name, and pinging a name instead of an address shows you the address it stands for.

(screenshot : ping syntax)
(screenshot : ping with switches)

Some computers are protected by firewalls, or are otherwise configured not to reply to a ping. No reply does not necessarily mean that nobody is home.

nbtstat

nbtstat is another DOS networking command. It displays the NetBIOS name table of a computer. With -A you give the IP address of the computer whose name table you want to see (nbtstat -A nnn.nnn.nnn.nnn). The query goes out to UDP port 137, the NetBIOS name service, so the target has to be reachable on that port. If a computer responds to nbtstat, then you know that

  1. it's running Windows (or at least something that speaks NetBIOS, such as Samba on a Unix box)
  2. it very likely has file sharing enabled : an entry with the <20> suffix is the Server service, the one that serves shared folders
  3. the names that show up may tell you user names, workgroup names or computer names that are known on the remote computer : <00> UNIQUE is the computer name, <00> GROUP is the workgroup or domain, and a <03> entry that is not the computer name is a logged-on user
So, let's give it a go :
(screenshot : nbtstat output)
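To show what nbtstat -A actually does on the wire, here is an added example in Python (it is not code from the original page): it builds the NetBIOS Node Status request for the wildcard name '*', decodes the response into the name table, and reads the three conclusions above off the <xx> suffixes. The suffix meanings are from RFC 1001/1002 and Microsoft's documentation. The response it decodes is constructed inside the script, not captured from a real machine, and the host name WORKSTATION1, the workgroup, the user JOHN and the MAC address in it are made up. query_node_status() sends the real query to UDP port 137 if you have a target to try it against; everything else runs offline.

```python
import socket
import struct

NBNS_PORT = 137         # NetBIOS name service (RFC 1001/1002) listens on UDP 137
NBSTAT_TYPE = 0x0021    # NODE STATUS record type, which is what 'nbtstat -A' asks for
CLASS_IN = 0x0001

# Meaning of the <xx> suffix column of nbtstat, keyed on (suffix, is_group).
SUFFIXES = {
    (0x00, False): "Workstation Service (computer name)",
    (0x00, True): "Domain / workgroup name",
    (0x03, False): "Messenger Service (computer name or logged-on user)",
    (0x20, False): "File Server Service (file sharing is enabled)",
    (0x1B, False): "Domain Master Browser",
    (0x1C, True): "Domain Controllers",
    (0x1D, False): "Master Browser",
    (0x1E, True): "Browser Service Elections",
}

def encode_netbios_name(name: str) -> bytes:
    """First-level encoding (RFC 1002 4.1): pad to 16 bytes, write each byte as two
    letters ('A' + high nibble, 'A' + low nibble); emit as length byte, 32 letters, 0."""
    letters = bytearray()
    for b in name.encode("ascii").ljust(16, b"\x00"):
        letters += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes([len(letters)]) + bytes(letters) + b"\x00"

def build_node_status_request(txid: int = 0x1234) -> bytes:
    """The datagram 'nbtstat -A' sends: one question for the wildcard name '*', type NBSTAT."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # flags 0, QDCOUNT 1
    return header + encode_netbios_name("*") + struct.pack("!HH", NBSTAT_TYPE, CLASS_IN)

def parse_node_status_response(data: bytes) -> dict:
    """Decode a NODE STATUS RESPONSE (RFC 1002 4.2.18) into the remote name table."""
    _, flags, _, ancount, _, _ = struct.unpack_from("!HHHHHH", data, 0)
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not a name service response carrying an answer")
    pos = 12
    while data[pos] != 0:                 # skip the answer's (uncompressed) name labels
        pos += 1 + data[pos]
    pos += 1
    rtype = struct.unpack_from("!HHIH", data, pos)[0]   # type, class, TTL, RDLENGTH
    pos += 10
    if rtype != NBSTAT_TYPE:
        raise ValueError(f"unexpected record type 0x{rtype:04x}")
    num_names, pos = data[pos], pos + 1
    names = []
    for _ in range(num_names):            # NUM_NAMES entries: 15-byte name, suffix, NAME_FLAGS
        nflags = struct.unpack_from("!H", data, pos + 16)[0]
        names.append({"name": data[pos:pos + 15].decode("ascii", "replace").rstrip(),
                      "suffix": data[pos + 15],
                      "group": bool(nflags & 0x8000),     # G bit: group name, else unique
                      "active": bool(nflags & 0x0400)})   # ACT bit
        pos += 18
    mac = data[pos:pos + 6]               # UNIT_ID, first field of the STATISTICS block
    return {"names": names, "mac": "-".join(f"{b:02X}" for b in mac)}

def summarize(parsed: dict) -> dict:
    """Draw from the name table what the text draws from the nbtstat screen."""
    names = parsed["names"]
    computer = next((n["name"] for n in names if n["suffix"] == 0x00 and not n["group"]), None)
    workgroup = next((n["name"] for n in names if n["suffix"] == 0x00 and n["group"]), None)
    users = sorted({n["name"] for n in names
                    if n["suffix"] == 0x03 and not n["group"] and n["name"] != computer})
    table = []
    for n in names:                       # nbtstat-style line: name <suffix> UNIQUE/GROUP meaning
        kind = "GROUP" if n["group"] else "UNIQUE"
        meaning = SUFFIXES.get((n["suffix"], n["group"]), "unknown")
        table.append(f"{n['name']:<15} <{n['suffix']:02X}> {kind:<6} {meaning}")
    return {"computer": computer, "workgroup": workgroup, "users": users,
            "file_sharing": any(n["suffix"] == 0x20 and not n["group"] for n in names),
            "mac": parsed["mac"], "table": table}

def query_node_status(ip: str, timeout: float = 2.0) -> dict:
    """Live 'nbtstat -A ip' over UDP 137 (needs a reachable target; not used offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(), (ip, NBNS_PORT))
        data, _ = s.recvfrom(4096)
    return parse_node_status_response(data)

def build_sample_response(txid: int = 0x1234) -> bytes:
    """Constructed sample, not a real capture: host WORKSTATION1 in WORKGROUP,
    Server service running (file sharing on), user JOHN logged on."""
    entries = [("WORKSTATION1", 0x00, 0x0400), ("WORKGROUP", 0x00, 0x8400),
               ("WORKSTATION1", 0x03, 0x0400), ("WORKSTATION1", 0x20, 0x0400),
               ("WORKGROUP", 0x1E, 0x8400), ("JOHN", 0x03, 0x0400)]
    body = bytes([len(entries)])
    for name, suffix, nflags in entries:
        body += name.encode("ascii").ljust(15, b" ") + bytes([suffix]) + struct.pack("!H", nflags)
    body += bytes.fromhex("00A0C9112233").ljust(46, b"\x00")    # STATISTICS: MAC, rest zeroed
    header = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0)   # R=1 AA=1, ANCOUNT=1
    rr = encode_netbios_name("*") + struct.pack("!HHIH", NBSTAT_TYPE, CLASS_IN, 0, len(body))
    return header + rr + body

if __name__ == "__main__":
    result = summarize(parse_node_status_response(build_sample_response()))
    print("\n".join(result["table"]))
    print({k: v for k, v in result.items() if k != "table"})
```

Run it as-is and it prints the six name table lines and the summary for the constructed sample; the presence of the <20> UNIQUE entry is what lets you say 'file sharing is on', and the <03> entry that is not the computer name is the user. A reply at all only proves that something answers NetBIOS name queries, which is usually, but not always, Windows.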

The fact that Windows File Sharing is enabled does not necessarily mean that there are actual shared folders on this computer. However, if it's a Windows NT machine, it shares admin$, C$ and its other drives (D$, E$, ...) by itself. The $ indicates a 'hidden' share, a shared folder that is invisible in the Windows Network Neighborhood, either because it's meant to be used by the system rather than by users (administrative shares : admin$ is the Windows directory, C$ the root of the C: drive), or because it holds files that not every user needs to see. A Windows NT-based system (so Windows 2000 or Windows XP as well) has these administrative shares by default, and if the machine can be reached on the file sharing ports (TCP 139, and on Windows 2000 and later also TCP 445), they can be accessed over the internet using the DOS or Windows commands for establishing network connections. Windows 98 does not create administrative shares by itself, but a user there can create a share with a $ at the end of its name, so you may find hidden shares on Windows 98 machines too.
If the machine is a server, then maybe it's being used as a file server, and then it will have other, visible shares.

IPC$ is a slightly different case : it's not an actual directory or folder. It stands for Inter-Process Communication, and it is the share through which the named pipes of the remote machine are reached; it can be found on Windows machines as well. When you can connect to \\nnn.nnn.nnn.nnn\IPC$, you can also try the command "start \\nnn.nnn.nnn.nnn", which opens the remote computer in an Explorer window.

In case the IPC$ connection prompts for a password, you may try

		C:\>net use \\nnn.nnn.nnn.nnn\ipc$ "" /u:""

This is called the 'null session', because you provide an empty string ("") for both the password (the first "") and the user name (/u:""). It is an anonymous connection : no account is involved at all, so the usual password prompt does not apply. Whether the remote machine accepts it depends on how it is configured. Windows NT 4 and 2000 accept null sessions out of the box, and the RestrictAnonymous setting that limits what such a session may see is off by default there; later versions are stricter.

net view

net view \\nnn.nnn.nnn.nnn should show us the shared folders (and printers) on the remote machine. However, it will not show hidden ($) shares.
(screenshot : net view output)

Ok, so no shared folders, or at least none visible. In that case, make sure you establish a connection with IPC$ first (open a null session), then net view again. Things may look better then ... without a session the remote machine may refuse to list its shares at all. You should also try the so-called hidden shares (with the $) by name, since they never show up in the list.

net use

'net' is the Swiss army knife of DOS and Windows networking. Just type 'net /?' at a DOS prompt to see all its different uses and options. The one we're trying now is 'net use', to assign a drive letter to a shared folder on the remote computer. Assigning a drive letter (a.k.a. 'mapping a network drive') means that the shared folder will look as if it were a hard drive on your computer. It's a very old DOS technique for using network resources : a DOS program wouldn't see the difference between a 'real' hard drive and a drive letter that refers to a folder on a remote computer. And it works with the hidden $ shares as well, so we'll just have another go :
(screenshot : net use mapping)

To map to folders, the syntax is :
net use * \\nnn.nnn.nnn.nnn\C$
net use * \\nnn.nnn.nnn.nnn\D$
net use * \\nnn.nnn.nnn.nnn\admin$
the * will take the next available drive letter on your machine and use it to point to the shared folder of the remote machine. At this point, you may be asked to give a user name or password to be allowed access to these shares. But, as said before, Windows was designed to work without further configuration, so maybe the guy on the other side forgot all about passwords ... On Windows 98 a share password is optional; on NT the share is protected by the accounts of that machine, which is only as good as the passwords they have.

'net use' without any parameters shows the mapping of local drive letters to remote shares (and 'net use K: /delete' removes a mapping again) :
(screenshot : net use drive letter mapping)

Because K:\ now stands for the remote computer's C:\ drive, you can access it as if it were part of your computer. In Windows, that may look like this :
(screenshot : Windows Explorer)

You may even be able to change files on that computer, add files, change the boot.ini file or the autoexec.bat, etc. And if you can upload files and change the autoexec.bat so that it runs the programs that you've put there, you practically own that computer. And all you needed were a few regular DOS/Windows networking commands against an IP address that showed up with 'received UDP packet from xxx' in the log of a firewall.

netstat

With 'netstat', you can see the active connections of your computer. In this case it will show a connection 'established' with the remote computer, on port 139 (or 445). It is also very handy to see if anyone has a connection with your computer ...
netstat has options to show either names or addresses (-n shows addresses and port numbers only), -a also lists the ports your machine is listening on, and you can give an interval to refresh, so that it checks and shows connections every, say, 12 seconds. Like this :
netstat -a -n 12
'netstat /?' will show more options

(screenshot : netstat)

epilog

This is one of the oldest tricks in the book, in fact it's so old that one doesn't really expect it to work anymore. One would think that, by now, people realise that Windows File Sharing on a computer with an internet connection just isn't safe. Yet 3 or 4 regular DOS commands are enough to access such a machine. If you cannot unbind file sharing from the internet connection, at least block UDP 137 and 138 and TCP 139 and 445 at the firewall, in both directions.

Disclaimer
This is a simulation.


A more elaborate discussion of the NetBIOS exploit, in particular the null session, can be found, among others, at Computing and Information Services, Brown University, Providence, RI.