oYost
It will be useful because all the IPC scanners I know are detected by AV or have a bad NT password scan:

- ipcscan 2.0 is detected
- NT scanner (DOS version) doesn't use a null session to find the users, but NT-user.dic
If somebody knows a nice one, it will be very much appreciated.

Sorry for the bad English.
s54
I suggest just putting the desired file on the "Exclude" list.
oYost
Huh, I have found it: HScan, tested with Norton and KAV, it's enough.

I didn't think there was a DOS version; you can find it HERE.

I hope it will help somebody.
oYost
Hmm, just a question: in fact, ipcscan, NT scanner and HScan use a dictionary for users. I knew that the null session gives the user accounts, so why do they use a user dictionary whereas fxscanner doesn't?

So they don't test all the NT accounts, do they?

Thanks for your answers.
roto
http://upx.sourceforge.net/#download

Use an exe compressor and they aren't detected.
geex0r
QUOTE (roto @ Feb 18 2004, 01:18 AM)
http://upx.sourceforge.net/#download

Use an exe compressor and they aren't detected.

Still, the virus scanner will detect this nice app, mate; I already tried this.
pyr0
Try using FSG, and then if that doesn't work try using UPX + UPXREDIR; then it shouldn't detect it. Or hex edit and rename all the "IPC" or whatever, then maybe it might not detect it.
R0x0r
Thanks for the link and the good discussion. I needed those answers, and I'll try it right away. Thanks a lot, m8s.
eXist
FSG will be detected as a trojan/backdoor. My own computers at home found it. Use a mix of ASPack and Morphine. Morphine is attached, as it's a bit harder to find; you'll be able to find ASPack no problem.
Also, as stated, yes, hexing it and changing enough of it will make it undetectable.
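The posts above describe packing a tool (UPX, FSG, ASPack, Morphine) so that a signature-based scanner no longer matches it. The defender's counterpart is that a packed body is close to incompressible data, so its byte entropy sits near 8 bits per byte, well above ordinary code or resources. The following is an added example, not code from the thread or from any of the tools named in it; the section list, the 7.0 threshold, the minimum section size and the sample section bodies are all this example's own assumptions and constructed inputs.

```python
"""Entropy heuristic for spotting packed/compressed executable sections.

Added example (not from the forum thread). A real tool would read the
section names and bodies out of the PE section table; here the sections
are passed in as (name, bytes) pairs so the check runs offline.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def packed_sections(sections, threshold=7.0, min_size=512):
    """Names of sections whose contents look compressed or encrypted.

    threshold and min_size are assumed values: tiny sections give noisy
    entropy figures, and ordinary x86 code rarely reaches 7.0 bits/byte.
    """
    return [name for name, body in sections
            if len(body) >= min_size and shannon_entropy(body) >= threshold]


def is_probably_packed(sections, **kw):
    """True when at least one section trips the entropy heuristic."""
    return bool(packed_sections(sections, **kw))


# Constructed sample inputs (not real binaries):
_rng = random.Random(2004)
# stands in for a packed section such as the UPX1 section of a UPX-packed PE
HIGH_ENTROPY_BODY = bytes(_rng.getrandbits(8) for _ in range(4096))
# repetitive, text-like data: low entropy, like unpacked code or resources
PLAIN_BODY = b"MOV EAX, [EBP+8]\r\n" * 256

SAMPLE_PACKED = [("UPX0", b"\x00" * 4096),      # empty uninitialised section
                 ("UPX1", HIGH_ENTROPY_BODY),   # the compressed payload
                 (".rsrc", PLAIN_BODY)]
SAMPLE_PLAIN = [(".text", PLAIN_BODY),
                (".data", b"\x00" * 2048 + b"config=1\x00" * 32)]

if __name__ == "__main__":
    for label, sections in (("packed", SAMPLE_PACKED), ("plain", SAMPLE_PLAIN)):
        print(label, [(n, round(shannon_entropy(b), 2)) for n, b in sections],
              "->", packed_sections(sections))
```

The heuristic is deliberately coarse: legitimately compressed resources, embedded archives or certificate blobs also score high, so in practice the entropy flag is one signal that gets combined with others (section names, import table size, raw versus virtual section sizes) rather than a verdict on its own.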
R0x0r
Just tried HScan. Doesn't it only tell you the users on the computer? Can't get any passwords. Can anyone help?
oYost
Why do you speak of Morphine or UPX? I told you that HScan and NTScanner aren't detected by AVs, so you don't have to answer just to answer; it's off-topic.

And nobody answered my question:
QUOTE

Hmm, just a question: in fact, ipcscan, NT scanner and HScan use a dictionary for users. I knew that the null session gives the user accounts, so why do they use a user dictionary whereas fxscanner doesn't?

If you don't know the answer, please don't post.
setthesun
QUOTE (oYost @ Feb 17 2004, 11:02 PM)
Hmm, just a question: in fact, ipcscan, NT scanner and HScan use a dictionary for users. I knew that the null session gives the user accounts, so why do they use a user dictionary whereas fxscanner doesn't?

So they don't test all the NT accounts, do they?

Thanks for your answers.

Unfortunately not all anti-virus programs have an "exclude program" feature,
for example McAfee.
s54
QUOTE (oYost @ Feb 17 2004, 11:02 PM)
Hmm, just a question: in fact, ipcscan, NT scanner and HScan use a dictionary for users. I knew that the null session gives the user accounts, so why do they use a user dictionary whereas fxscanner doesn't?

Scanners regularly work like this:

- Check for null session
- Get users
- Brute-force user accounts

on the other hand...

- Check for null session
- Null session failed
- Brute-force with user list "user.dic" etc.

So if they are able to enumerate the users, they will go on to attack straight away; otherwise they will try to get in via pre-defined usernames.
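Both paths s54 describes leave a distinctive trace on the target: the first is a null session followed by a burst of failed network logons against the accounts it enumerated, the second is a burst of failures spread across many different usernames taken from a list. The following is an added example, not code from the thread or from any scanner named in it, showing how a defender would tell the two apart from logon records. It assumes modern Windows Security log semantics (event 4624 = successful logon, 4625 = failed logon, logon type 3 = network, a null session recorded as a 4624 for ANONYMOUS LOGON); the record field names, the time window, the thresholds and the sample records themselves are constructed for this example.

```python
"""Classify sources by s54's two scanner paths from logon records.

Added example (not from the forum thread). Records are plain dicts with the
assumed fields time, event_id, logon_type, user, src_ip; real deployments
would fill them from the Security log's Source Network Address field.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed: failures must fall in one burst

# Constructed sample records (not real logs):
SAMPLE_EVENTS = [
    # source A: null session first, then guesses against the enumerated accounts
    {"time": "2004-02-18T01:18:00", "event_id": 4624, "logon_type": 3, "user": "ANONYMOUS LOGON", "src_ip": "10.0.0.7"},
    {"time": "2004-02-18T01:18:05", "event_id": 4625, "logon_type": 3, "user": "Administrator", "src_ip": "10.0.0.7"},
    {"time": "2004-02-18T01:18:06", "event_id": 4625, "logon_type": 3, "user": "Administrator", "src_ip": "10.0.0.7"},
    {"time": "2004-02-18T01:18:07", "event_id": 4625, "logon_type": 3, "user": "backup", "src_ip": "10.0.0.7"},
    {"time": "2004-02-18T01:18:08", "event_id": 4625, "logon_type": 3, "user": "backup", "src_ip": "10.0.0.7"},
    # source B: no null session, walks a user.dic (many distinct names, one try each)
    {"time": "2004-02-18T02:00:00", "event_id": 4625, "logon_type": 3, "user": "admin", "src_ip": "10.0.0.9"},
    {"time": "2004-02-18T02:00:01", "event_id": 4625, "logon_type": 3, "user": "root", "src_ip": "10.0.0.9"},
    {"time": "2004-02-18T02:00:02", "event_id": 4625, "logon_type": 3, "user": "r00t", "src_ip": "10.0.0.9"},
    {"time": "2004-02-18T02:00:03", "event_id": 4625, "logon_type": 3, "user": "Administrator", "src_ip": "10.0.0.9"},
    {"time": "2004-02-18T02:00:04", "event_id": 4625, "logon_type": 3, "user": "guest", "src_ip": "10.0.0.9"},
    # a user who mistyped a password once and then got in: must not be flagged
    {"time": "2004-02-18T09:00:00", "event_id": 4625, "logon_type": 3, "user": "alice", "src_ip": "10.0.0.42"},
    {"time": "2004-02-18T09:00:20", "event_id": 4624, "logon_type": 3, "user": "alice", "src_ip": "10.0.0.42"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def summarize_by_source(events):
    """Per source IP: time of first null session, failure times, distinct users."""
    per_src = defaultdict(lambda: {"null_session_at": None, "failures": [], "users": set()})
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 3:          # only network logons matter here
            continue
        s = per_src[ev["src_ip"]]
        t = _ts(ev["time"])
        if ev["event_id"] == 4624 and ev["user"].upper() == "ANONYMOUS LOGON":
            if s["null_session_at"] is None:
                s["null_session_at"] = t
        elif ev["event_id"] == 4625:
            s["failures"].append(t)
            s["users"].add(ev["user"].lower())
    return per_src


def classify(events, window=WINDOW, min_failures=3, min_dict_users=4):
    """Return {src_ip: verdict} for sources matching either scanner path."""
    verdicts = {}
    for src, s in summarize_by_source(events).items():
        fails = s["failures"]
        if len(fails) < min_failures:
            continue
        burst = [t for t in fails if t - fails[0] <= window]
        if len(burst) < min_failures:
            continue
        if s["null_session_at"] is not None and s["null_session_at"] <= fails[0]:
            verdicts[src] = "null-session enumeration then password guessing"
        elif len(s["users"]) >= min_dict_users:
            verdicts[src] = "dictionary user list guessing (no null session)"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify(SAMPLE_EVENTS).items():
        print(src, "->", verdict)
```

The distinction matters for response: the first verdict means the host still answers null sessions and account names were handed out, which is a configuration problem on the target as much as an attack; the second only tells you a list was tried, so the account names were not leaked. The thresholds are starting points and would be tuned against the site's normal failure rate.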
s54
QUOTE
Unfortunately not all anti-virus programs have an "exclude program" feature,
for example McAfee.


I guess you wanted to quote me; never mind. McAfee also supports excluding files and folders, as far as I remember (proud legit Norton 2003 corporate license user). McAfee just hides them a bit away.
In my research I stumbled on registry keys storing the value for what to exclude, so if anybody prefers silent ops he might attach there.
oYost
OK s54, thanks a lot.

So I conclude that it's better to have a user dictionary (I thought they didn't find the users with a null session).

Just another question: what are the most frequent administrator user names, to make a better user.dic? And for passwords?

s54
Commonly "Administrator" and its equivalents in different languages, and some "uber"-admins tend to rename the admin account to "admin", "root" or "r00t".
However, there are certain applications that create an admin account or several admin accounts with their own pre-defined passwords or weak passwords.
Do some googling on this topic; nearly nobody knows, but there are a few dozen programs that actually do.
oYost
OK, I have made those lists after looking at my results.

I hope it will help you.
setthesun
I think we can log in to a Windows box without knowing the administrator username. It's not important for login.

We can use the SID for this and, if I haven't forgotten, it was 500.

So we can log in by providing the SID. But I'm not sure about this.
R0x0r
What is that SID? I would say that you have to have the user/pass.
oYost
A remark:

In fact NTscan marks as results all NT accounts and not only administrator accounts, so in the end only HScan seems to be good. But it's still big: 1.7 MB. If you know a small NT administrator account scanner, give it to me; it will be well appreciated.

oYost
2nd remark:

HScan makes a report (an HTML page) and opens it at the end of the scan. It's not invisible at all; still no good scanner.

3rd remark:

I was thinking about modifying IPCscan 2.0, but it seems that it can't establish a null session (tested at home and on 2 remotes).

Still no IPC scanner.
oYost
4th remark:

NTscan is buggy when there is open NetBIOS but no null session, so the solution is to give it an empty user.dic if you scan ranges with a lot of IPCs.

I attach the NTscan DOS version for those who want it; I hope it will help you.
Todd
sflite.exe can't be detected by any AV yet.
Invision Power Board © 2001-2005 Invision Power Services, Inc.