extreme
Mar 21 2004, 08:21 PM
If I find a comp with a weak NT pass, for ex. Administrator/[BLANK], the only way to hack such a machine would be if the $admin share is enabled, and then connect with PSEXEC to get a remote shell...
I don't know any other way, so if there is, please say...
That means that if I disable the $admin share, then the machine would not be hackable any more.. Right?
So how do I disable this share?
Then the only other way to hack it is to login with this weak pass through Terminal Services, but I can configure TS to allow logging in only from a certain username, right?
I think I saw this option somewhere, but now I can't remember where, so someone please refresh my memory...
NewBieMan
Mar 21 2004, 09:07 PM
You can also connect to C$, D$ or print$ on some machines, then execute your uploaded programs with psexec x:\servu.exe for example if you have mapped it with net use. Or upload a batch with nc -v -L -p 12345 -e cmd.exe for example, that does the job also.
http://www.petri.co.il/disable_administrative_shares.htm
You can also do it by right-clicking on your drive -> share and restricting access.
hellcoder
Mar 21 2004, 09:08 PM
I don't think that you can easily disable the admin share.
It is needed by Windows. Another possibility to connect to a weak-passworded PC is "DameWare".
For Terminal Services go to your sysconfig -> administer -> local ... -> set user rights -> login over terminal processes...
My OS is German, so sorry for the bad description.
brOmstar
Mar 21 2004, 09:10 PM
I think there should be more possibilities to (ab)use the account..
Using the $admin share or Terminal Services should be only some of them, cause you have an admin account for an NT system, so you should be able to use any service which is based on NT authentication, for example FTP/Remote IIS Admin/etc... if activated.
Btw, another question: is there a command-line program for Windows OS that can block ports (mini firewall)???
NewBieMan
Mar 21 2004, 09:20 PM
tweakz20
Mar 21 2004, 09:22 PM
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Name: AutoShareServer for servers
Name: AutoShareWks for workstations
Type: REG_DWORD
Value: 0
Thanks to whoever posted it before... (was on this board)
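An added example, not from the thread or any of its posters: a PowerShell script that audits the registry value tweakz20 lists (AutoShareWks on a workstation, AutoShareServer on a server), shows which administrative shares exist right now, and with a -Harden switch (my name for it) sets the value to 0 and removes the drive and ADMIN$ shares so they do not come back at the next Server service start. PowerShell and the SmbShare cmdlets postdate this 2004 thread; the registry location and values are the ones given in the post above. Run it from an elevated prompt.

```powershell
# Added example: audit / harden the automatic administrative shares.
# Registry hive, key and value names are the ones from the thread; the
# -Harden switch and the output format are assumptions of this script.
param([switch]$Harden)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

# Workstation SKUs consult AutoShareWks, server SKUs consult AutoShareServer.
# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
$isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1
$name = if ($isServer) { 'AutoShareServer' } else { 'AutoShareWks' }

# An absent value means the default: shares are re-created when the Server service starts.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) { $current = 1 }
Write-Host "$name = $current (1 = admin shares re-created at Server service start)"

# Special = $true marks the administrative shares (C$, ADMIN$, IPC$, ...).
Write-Host 'Administrative shares currently present:'
Get-SmbShare | Where-Object { $_.Special } | Select-Object Name, Path | Format-Table -AutoSize

if ($Harden) {
    # The value only controls re-creation, so set it AND remove the shares that exist now.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null

    # Drive shares (C$, D$, ...) and ADMIN$ are governed by this value; IPC$ is not
    # and is needed for named-pipe based administration, so it is left alone.
    Get-SmbShare |
        Where-Object { $_.Special -and $_.Name -match '^([A-Z]|ADMIN)\$$' } |
        ForEach-Object {
            Remove-SmbShare -Name $_.Name -Force
            Write-Host "Removed share $($_.Name)"
        }

    Write-Host "$name set to 0; the shares will not be re-created on the next boot."
}
```

Run it without the switch first to see the current state; run it again with -Harden to apply the change. Keep the point made later in this thread in mind: an administrator who relies on ADMIN$ for remote management will notice it missing, and the weak password itself is still the real problem.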
extreme
Mar 21 2004, 09:26 PM
The reason why I mentioned specifically the $admin share is because when I find some server with a weak pass, I first try to login with PSEXEC like this:
psexec //ip -u name -p pass cmd.exe
And I get one of these errors when I don't succeed:
Cannot find Network name
or
You cannot connect to this machine, $admin is disabled..
...so I quit trying this kind of server, because I couldn't find another way to upload/execute files...
In other words, I don't know how to connect to other shares with PSexec so I would get a shell.. I don't know if it is even possible to connect to anything other than $admin and execute programs..
But why am I saying all this.. Because I wish to secure such a server with a weak pass.. I cannot just send mail to the admin and say, "hey, you got a weak pass".. Maybe there is a way to stop someone from scanning for weak passes. And so even if there was a weak pass, a scanner like X-Scan wouldn't notice it...
I know for example that I have a blank pass on my XP, but when I scan myself with X-Scan, it doesn't give me any results.. I did a lot of security modifications to my XP, so I don't know exactly what I did to get these results..
@brOmstar: Try Aphex Firewall..
brOmstar
Mar 21 2004, 09:27 PM
Very nice @NewBieMan.. it was only an idea to close port 139, so I didn't search the forum..
brOmstar
Mar 21 2004, 09:31 PM
@extreme: close port 139 so nobody can scan/connect.
pdf
Mar 21 2004, 09:49 PM
here m8:
net share /delete ADMIN$ /y
net share /delete Administrator$ /y
net share /delete IPC$ /yes
extreme
Mar 21 2004, 10:35 PM
I think that the pass can be checked through 445 too. But if I stop 139, then I will also disable any networking capabilities like file sharing, right?
tweakz20
Mar 21 2004, 10:53 PM
Disabling it totally doesn't sound like the way to go...
The registry change is what I recommended for my school in this same area...
Deleting the shares doesn't work, they will be automatically recreated on the next reboot.
Niekos
Mar 22 2004, 12:18 AM
| QUOTE (tweakz20 @ Mar 21 2004, 10:53 PM) |
| disabling it totally doesn't sound like the way to go... the registry changes is what i recommended for my school on this same area... |
| deleting the shares doesn't work, they will be automatically recreated next reboot |
You can disable them after each boot !!!
tweakz20
Mar 22 2004, 02:15 AM
Umm.. think logically.. would you rather disable them after each boot or not worry about it while they're always disabled?
Blade
Mar 22 2004, 08:10 AM
Why not a way like this?
echo echo Now Deleting Netshares ! >> c:\Autoexec.bat
echo net share /delete ADMIN$ /y >> c:\Autoexec.bat
echo net share /delete Administrator$ /y >> c:\Autoexec.bat
echo net share /delete IPC$ /yes >> c:\Autoexec.bat
Killaloop
Mar 22 2004, 10:00 AM
Another way is to disable the RPC service.
This will stop any possibility to send remote commands. And for Terminal Services, it won't allow you to login using no password, would it?
brOmstar
Mar 22 2004, 10:33 AM
My idea was not to stop the service on port 139/445, my suggestion is to block the ports to the outside..
Killaloop
Mar 22 2004, 10:45 AM
| QUOTE (brOmstar @ Mar 22 2004, 10:33 AM) |
| my idea was not to stop the service on port 139/445 my suggestion is to block the ports to the outside.. |
Most networks do this and ISPs block them as well. But once inside a network you would be ready to go. So blocking from outside is no real protection.
brOmstar
Mar 22 2004, 11:11 AM
?? He found a weak-pw server over the internet (so the ports are not blocked by the ISP) and he wants to protect this one from rehacking (if no one can connect, no one can test for weak pws), I think it's a good method.
My problem at the moment is that I don't know if this tiny firewall.exe can block connections from the inet so that in the LAN nobody takes notice.
Stopping services isn't a good way for me cause the user could take notice that something is wrong.
Killaloop
Mar 22 2004, 11:23 AM
| QUOTE (brOmstar @ Mar 22 2004, 11:11 AM) |
?? He found a weak pw-server over the internet(so ports are not blocked by isp) and he wants to protect this one from rehacking(if no one can connect no one can test for weak pw's), i think it's a good method.
My problem at the moment is that i don't know if this tiny firewall.exe can block connections from inet so that in the Lan nobody take notice.
Stop services isn't a good way for me cause the user could take notice that something is wrong. |
I think you misunderstood. You would still be vulnerable from within the network, so you are not really safe. You only reduce the risk of getting hacked, but you are in no way secured against an NT password attack.
Once an attacker has gained access to one of your network's machines using some other hole he could grab the hashes of that compromised machine, crack them and continue his penetration within the whole network.
Only blocking from outside is no real solution, but too many use this method thinking they are safe, when in fact they have won nothing.
/edit
talking about hacking / talking about security
two different topics
To prevent you from getting rehacked use the method with the registry, so you don't have to take care about this issue any more. Or do you think an administrator uses the LanMan service when he has a blank admin pass?
Surely not, or he is pretty new to what he does.
brOmstar
Mar 22 2004, 12:00 PM
OK, I don't want to discuss this... I only tried to help him.. if you only want to be secure like Killaloop thinks, change the pw!
/edit =)
If the admin himself uses the $admin share and he cannot access it with his blank pw he will take a look at his system, so I would never prefer the registry method.