Hi friends

I am looking for a handy tool to find out the passwords of shared folders in a remote Windows 2000 server.. Any friends could give me a hand please?

Manu

I got one that uses a dictionary file to crack the IPC$ share. Don't know of anything to brute force it though mate. There must be something out there though. I've heard of many worms using this method. I attached ipccrack.exe if you want it anyway.

Doesn't NAT [Netbios Auditing Tool] do that?

Yeah I think NAT.exe doea it but where is it?

You can get a Unix and Windows variant here along with other tools-
http://www.cotse.com/tools/netbios.htm

OR-
http://www.astalavista.com/tools/auditing/...ecurityscanner/

OR-
http://www.securityfocus.com/tools/543

Thanks v much.

Found a program called Brutus.

Lets you use user lists and pas lists as well as a built in brute force option.

I've only tried it against 2 of our machines one running NT the other 2000.
On both I just get disconnected when trying to force the admin password over SMB.

I'm working on it,if anyone else wants to try its available at:

www.hoobie.net

Also take a look at www.madirish.net

This guys cool and very free with knowledge.

And one more thing, anyone know somewhere to go for updated password & user lists?

Cheers

But a bruteforce attack on a remote machine, that could take years.
Because the password-checking speed will probably be about 1pass/2seconds.

So whats the simplest way to go about it?

lophtcrack it

I believe NAT is supposed to be the fastest out there for cracking shares.It's so fast i think it can crash the victims machine.

edit: didnt notice it said 2k server ... but this info is good for 9x/me

Windows 95, 98, and Millenium have a vulnerability that will allow you to crack the passwords to these shares with amazing speed and without the need of brute forcing. For more information about this, you can read about it http://www.securiteam.com/exploits/5WP010K4UA.html . Go to Start / Run or Windows key R and type command. (cmd if you have Windows NT or 2000) When a command prompt opens up type nbtstat -a ipaddress. Make sure to put the spaces inbetween the commands. You should get output that looks like this:



Local Area Connection:
Node IpAddress: [4.3.37.XXX] Scope Id: []

NetBIOS Remote Machine Name Table

Name Type Status
---------------------------------------------
MATRIX <00> UNIQUE Registered
WORKGROUP <00> GROUP Registered
MATRIX <20> UNIQUE Registered
MATRIX <03> UNIQUE Registered
WORKGROUP <1E> GROUP Registered
ADMINISTRATOR <03> UNIQUE Registered
WORKGROUP <1D> UNIQUE Registered
..__MSBROWSE__.<01> GROUP Registered
MATRIX <6A> UNIQUE Registered
MATRIX <87> UNIQUE Registered

MAC Address = 00-80-C6-F9-X-X

The very first name is the NetBIOS name (MATRIX) and the sixth name is the current user on that computer. That could used for other hacking reasons...possibly brute forcing, but that is a diffrent lesson. Important! Remember the NetBIOS name because you will need that to crack the share password.

Download a copy of PQwak and open it up. http://www.illmob.org/files/pqwak.zip
- Where it says NBNAME pug the NetBIOS name that you acquired from nbtstat.
- Put the share name where it says SHARE. The share name is the name of the folder that is password protected.
- Put the IP of your victim where it says IP. Example 4.3.57.153. I am using the 4.x.x.x subnet because it is full of DSL users that are always online.
- The delay should be set accordingly depending on your connection speed. If your connection is a 56K dialup then I HIGHLY recommend your delay be approx. 1000 - 2000. If your connection is standard ADSL then I recommend you set the delay to 800-900.

I'm looking for an brute-forcer for the IPC$-release ,too. I tested the "Essential Net Tools". It is a great tool, bur if the pw list is too large, it hangs up :/

I wanted to use NAT...but I have some problems:

I use it like this:
nat -o output.txt -u userlist.txt -p passlist.txt target
I think nat tries to connect over the IPC$-release to the target and brute-forces the correct pw for the existing account from userlist.txt

But it doesn't. It reads out the netbios nametables and tries to connect. Then there are lines I don't understand:
(nat.exe 1000) frame 5: sp = 0x245F00C, pc = 0x410492
(nat.exe 1000) frame 6: sp = 0x245F028, pc = 0x407EFA
(nat.exe 1000) frame 7: sp = 0x245F4D0, pc = 0x40A619
...
after this it is over. It only takes a few seconds, but no password from my passlist.txt was tried with one of the username by nat??

What's wrong??

I heard that the fastest was SMBAT, samba auditing tools

hxxp://www.cqure.net/tools.jsp?id=01



It often gives me some trouble, just be sure you include the hostname and IP, i dunno why, heres a sample of how i audited a computer here at my house



So it does work, thats actual cmd prompt, un-edited. I dunno if its the same as NB auditing tools, but it doesnt appear to be the same, this one seems to go much faster than it.

What can i also do, if i got ipc$ connected as Administrator ?

are the some ways to upload files, like DAMEWARE do ?

if so, how does it work ?...

yes exellent but at my home this tool didn't share :s

Hoping to not lose face here.....but has anyone else come across this...

when using the SMB Auditing tool v1.0.4 get an SMBNTCreateAndX error which I think may be the reason why after the prog has run, and usccessfully compromised an account, the compromised account and pass are not displayed, same applies with outputing the results to file.