babaton
Aug 19 2003, 03:25 PM
Hi,
What is this IPC$ share exactly? As I understand it, it's used by Windows to set up connections between PCs running Netbios and it needs no password or username to set up.
So if I run : net use \\computername\IPC$
it should connect, but sometimes I get asked for passwords, what's going on?
Once I am on the IPC$ share what's the advantage? I still need to try to brute force any shares available.
Also sometimes I can't even net view an address: system error 5 access denied.
WHY?
I may be a bit slow but please indulge me, I need some details.
Cheers.
w00dy
Aug 19 2003, 04:01 PM
$ipc Share uses admin accounts. So you just have to crack the admin password and do it that way.
QUOTE: "So if I run : net use \\computername\IPC$"
That is for computers that do not have a password.
More info here:
http://neworder.box.sk/newsread.php?newsid=4682
krackatoa
Aug 21 2003, 03:33 AM
You have the syntax wrong. To establish a null session:
net use \\targetip\ipc$ "" /user""
then do a net view and you won't get access denied.
The quotes indicate a blank password and no user.
The advantage of this is the ability to enumerate user\computer\account information.
You can also brute force the share for the admin password
babaton
Aug 21 2003, 02:58 PM
OK, I'm getting the hang of it. If you don't have the ipc$ you may not be able to net view or nbtstat.
Seems there are a few ways of getting ipc$ access.
net use \\computername\ipc$ "" /user:""
net use \\computername\ipc$ * /user:*
net use \\computername\ipc$
Does anyone know which is for which system?
Also on some of our machines we need a password for the ipc$ and not for others.
How do I setup a password on the ipc$ share to protect my own machines?
Cheers ears.
krackatoa
Aug 22 2003, 02:58 AM
oops missed the : on my syntax but I see you caught that.
You restrict null sessions by editing the registry, check the FAQs on hardening systems and it should show you how.
There's more to it than just net view and nbtstat, tools like enum and nat use a null connection to query additional netbios information via specific netenum calls.
But yes, restricting the ability to establish a null session by setting the registry key to something higher than "1" will knock down most netbios enum tools.
Null sessions work on NT\Win2k\Win3k systems unless hardened.
The correct syntax is net use \\computername\ipc$ "" /user:""
Locking it down too far will break trusts and some browsing functions. Better off firewalling it and netbios ports.
babaton
Aug 22 2003, 02:32 PM
Yeah a firewall seems simpler.
Yet some of our PCs here seem harder than others.
The NT machines don't seem to have any password on the ipc$ or c$ shares but the 2000 machines do.
In fact on the 2000 machines even when I give the correct username and password I get a message saying "The credentials supplied conflict with an additional set of credentials"
I figured this meant that particular user was already logged on, but not so.
I tried it as admin on a machine with a standard user logged in and still got the same message.
Is this an extra security feature of win 2k or what? Can we implement a similar feature on NT?
I'm thinking of home users...
krackatoa
Aug 23 2003, 04:42 AM
Don't forget to clear connections before testing with other accounts.
net use * /delete
You get that credential conflict because YOU have another session established with the target in the background. To verify type "net use"
If you are not asked for a user\password when connecting to c$ then you either have administrative rights on the account you are using to test or the guest account is enabled and in the administrators group.
I'd be looking at permissions.
IPC$ will allow a blank password unless hardened by editing the registry or using the security policy interface.
krackatoa
Aug 23 2003, 05:26 AM
Whoops posted to wrong thread
babaton
Aug 27 2003, 01:31 PM
Yep that works, nice one.
If I put a password on my ipc$ will it interfere with behind-the-scenes communication between PCs on my network?
Cheers.
krackatoa
Aug 28 2003, 02:24 AM
No it only applies to the system you are attached to through the IPC share.
When you connect to another machine it will use your regular logged on credentials
babaton
Aug 28 2003, 09:27 AM
OK, hang on, I'm getting confused.
So I can put a password on my ipc$ by editing the registry or using the security policy.
BUT, this will only work on the machine I am connected to through the IPC$.
But how am I to know who will try to connect to my IPC$?
I don't get it. So I can't stop people from connecting to the IPC$ and finding out all about my PC?
Sorry to be dumb, I think I have the wrong end of a shitty stick here.
Thanks.
krackatoa
Aug 29 2003, 02:54 AM
I read your question wrong.
Your ipc$ share is already password protected, it just allows a blank "Null" user and password.
So you have to stop the ability of having someone connect to your IPC via a null session. This you do by editing the registry and setting the value to something higher than "1".
Can a regular user account connect if they have a valid username and password? Yes.
What can they access? Anything that they could normally access with their user credentials.
Can someone try to brute force your administrator account through IPC$? Yes
Will you still leak netbios information? Yes, but not much.
How do I stop people from screwing with IPC$ and netbios ports? Firewall or filter it out.
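A read-only check of the registry settings the post above refers to, added here as an example and not part of the original thread. The thread never names the key; the value names below are the standard Windows ones under the Lsa and LanmanServer\Parameters keys, the function names are hypothetical, and PowerShell itself postdates the systems discussed here.

```powershell
# Added example (not from the thread): read-only audit of the registry values
# that control anonymous (null session) access on the local Windows host.
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Test-NullSessionHardening {
    $findings = @()

    # 0 or missing: anonymous callers are limited only by default permissions.
    $ra = Get-RegValue $Lsa 'RestrictAnonymous'
    if ($null -eq $ra -or $ra -eq 0) {
        $findings += 'RestrictAnonymous is 0 or not set: anonymous enumeration is not explicitly restricted'
    }

    # XP / Server 2003 and later: separate switch for SAM account enumeration.
    $ras = Get-RegValue $Lsa 'RestrictAnonymousSAM'
    if ($null -eq $ras -or $ras -eq 0) {
        $findings += 'RestrictAnonymousSAM is 0 or not set: anonymous SAM enumeration is not explicitly blocked'
    }

    # 1 puts the anonymous logon into the Everyone group.
    if ((Get-RegValue $Lsa 'EveryoneIncludesAnonymous') -eq 1) {
        $findings += 'EveryoneIncludesAnonymous is 1: Everyone permissions apply to null sessions'
    }

    # An explicit 0 lets null sessions reach every share and named pipe.
    if ((Get-RegValue $Srv 'RestrictNullSessAccess') -eq 0) {
        $findings += 'RestrictNullSessAccess is 0: null sessions are not limited to the allow-lists'
    }

    # Multi-string allow-lists; every entry is reachable without credentials.
    foreach ($name in 'NullSessionShares', 'NullSessionPipes') {
        $entries = @(Get-RegValue $Srv $name) | Where-Object { $_ }
        if ($entries) { $findings += "$name allows: $($entries -join ', ')" }
    }
    return $findings
}

$result = Test-NullSessionHardening
if ($result) { $result | ForEach-Object { Write-Output "FINDING: $_" } } else { Write-Output 'No null-session findings in the checked registry values.' }
```

Missing values are reported as findings on purpose, so a host that relies on operating-system defaults is reviewed by hand rather than assumed safe.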
babaton
Aug 29 2003, 09:04 AM
OK , makes sense.
I'll try it out and see what happens,Thanks.
BTW do you have any suggestions for a decent bruteforcer which will work right up to 2000 and XP?
If possible one with dictionary attack rather than just running a pass & username list.
I've tried Brutus but it seems to have problems with 2000 and XP.
Thanks again,
You've been a great help.
krackatoa
Aug 30 2003, 07:13 PM
There's a lot of brute force tools out there. I'll upload Scanarator in the tools section. I like this one because it has many useful functions.
dozolax
Dec 20 2003, 03:23 AM
good post
Progressor
Dec 20 2003, 07:08 AM
thanks a lot for information
Blast3rPL
Dec 20 2003, 10:46 AM
Sorry guyz, I'm a total newbie with NetBios & $IPC Shares. I have some questions:
1. If netbios is disabled, will there be any ability to connect by $IPC?
2. Does the $IPC Share have all rights? (meaning read, list etc.)
3. In hacking NT I'm able to connect to a remote machine by net use. But sometimes I get an error called "Unable to find source". What is it about? Must I have an RPC session enabled?
Please teach me that.
Fareway
Dec 20 2003, 07:46 PM
There are many tutorials out there where you can learn such things.
1. try google or surf through the different forums on this board
2. first try everything on your own PC (use a 2nd one ;-) )
3. learn on your own - ask people as little as you can
have luck!
Regards
Fareway
Dec 20 2003, 07:56 PM
thx, useful information - good to read through it after I was a few months abroad without a PC. It refreshes your mind ;-)