Inoculation X
Aug 25 2003, 11:28 PM
I have scanned my IP range for netbios shares. I have found a C$ share that is not password protected, but once I have opened it (\\XXX.XXX.XXX.XXX\C$) I have no rights. Please, if there is a possible way, would somebody explain to me how to gain the rights? Note I cannot write to the drive.
krackatoa
Aug 26 2003, 12:17 AM
Maybe you fell into a honeypot.
Run enum or getacct to see what the real administrator's account is and check that you are logged in with it.
You can also run (after establishing a null or other session):
local administrators \\targetIP
Get local.exe from the Windows Server Resource Kit.
If it is an administrator account (RID 500) and you are still restricted, I would personally look elsewhere. Normally only administrators can connect to the C$ share, but just maybe the system owner stopped sharing C$ by editing the registry, then reshared it as a regular share and gave it special permissions for a renamed admin account. That's why ensuring that you are using an admin account is important.
I haven't tested a scenario like this but it sounds possible.
Things do not appear normal. Know what is normal behavior and what is not.
silos
Aug 26 2003, 06:56 AM
Possibly Restrict Anonymous is enabled, so you'd need a tool like 'Sid2User/User2Sid' to get the name of the administrator's account [RID 500].
One of the most powerful tools, if you have established a null session, is DUMPACL [used to be called DUMPSEC, I believe]. It can pull up a list of users, groups, and the NT system's policies and user rights.
BTW, what scanner did you use to find the share, and are you finding many? 'Cos most NETBIOS ports seem to be shut down from what I can gather [due to the recent Blaster worm etc.]. Their scarcity makes it a bit suspect, and as krackatoa says, it could be a honeypot.
Inoculation X
Aug 26 2003, 09:37 AM
I scanned using Netbrute. I have come across the term Honey Pot before but am not sure what it really means. Also, last question: how could I crack share passwords? I have got PQWAK but this only cracks WIN9X passwords.
Thanks
silos
Aug 26 2003, 12:21 PM
A honeypot is set up to trap hackers/crackers so be careful.
I think Netbrute has a pass cracker which you download separately on their site.
NAT [netbios auditing tool] is regarded as the best, I believe, but is obviously noisy and will leave a footprint behind. There are two versions of PQWAK, but I'm not sure if vers. 2 will crack 2000 and XP.
You haven't mentioned how many boxes you're picking up with open shares. Is it a lot?
Inoculation X
Aug 26 2003, 01:44 PM
Well I scanned for about 5 minutes and had about 15, so quite reasonable really.
silos
Aug 26 2003, 06:39 PM
Yeah, it's strange 'cos I don't pick up any. My ISP must be blocking NETBIOS after the recent worm attacks, I think.
Analyser
Mar 24 2004, 12:06 AM
Anyone know honeypot spencer? @ ww .spencer.com ? And where to find it?
blahplok
Mar 24 2004, 01:21 AM
=====
On a default Windows XP Pro installation:
net use \\192.168.77.1\IPC$ "/user:administrator" "administrator"
The command completed successfully.
net use q: \\192.168.77.1\C$ "/user:administrator" "administrator"
System error 5 has occurred.
Access is denied.
OR
multiple connection ...bla, bla.....
====
Why...???
You must set the folder option: open Explorer ==> Tools ==> Folder Options ==> View ==> (uncheck) Use simple file sharing (Recommended)
===
NOW TRY CONNECTING TO C$
net use \\192.168.77.1\IPC$ "/user:administrator" "administrator"
The command completed successfully.
net use q: \\192.168.77.1\C$ "/user:administrator" "administrator"
The command completed successfully.
===========
This does not happen on any version of Win 2000...
=======
If anything is wrong, please correct...