if you think your windows box is pretty secure and you know what you are doing you might want to see who tries to do what when your firewall is off (you do have a firewall dont you)

netbios attacks are a pretty good example so we'll look at that

by default windows will send your login credentials such as the username and ntlm hash + challenge first.
so if Joe hacker decides to run \\yourip then you will be able to capture his login credentials, silly Joe Hacker.

* get the ethereal packet sniffer from www.ethereal.com
* get the winpcap packet driver from winpcap.polito.it. version 3.0 is the most stable but does not work over a modem, the latest beta 3.1 version will work over a modem
* enable netbios *gasp* over your internet connection by turning on "File and Printer Sharing..." and "Client for MS Networks". for this i thouroughly recommend you turn off any guest accounts and have a strong password (you should have anyway)

Configure ethereal with the following data - currently set for netbios

capture filter


display filter


in the attached archive is an optional color pack just to make it easier - you can import this into ethereal
red and dark red will display ntlm authentication packets
blue will show connections to IPC$
green should show lsass exploit connections or lsass scans (tho other programs may use lsass too like IPsec)

i have created a small app that will extract NTLM credentials from captured packets - included in the rar file (ethread.exe)
to use it simply save the auth packet to auth.txt and challenge packet to chal.txt from ethereal - dont save the whole lot just the individual packets

this is most entertaing if someone says 'OMFG i have ur IP i can hack you' so you say 'go right ahead i have netbios shares too!', BAM! you get their info

Notes:
You will have to add more to the display filter to see all of the colors
LC4/LC5 and cain & abel will also provide a similar method of capturing login info but currently only works over ethernet adaptors
etheread.exe works for me but if you have any probs with it either the app isnt designed for that packet or you are using it incorrectly
I chose ethereal because it is free

EDIT: file was damaged during upgrade so im reuploading for a request (filters not inlcuded cos i lost them)
source for etheread is inlcluded but its just a bunch of simple file/string operations i wrote real fast to make it work so dont expect to learn so much

Nice tutorial, and good explanation, will install the stuff tonight when I get home

Infact I had a very nice Ethreal tut, Well, Let me go and find it.

Damn, my 3 hard drives got lots of "junks" and well, getting mad these days

Anyway thanks nuorder. Nice.

Manu

lol
think i'm gonna try that prog then
i hate those msn kiddiez saying things like: m3 l33t sp34k i h4xx y00

sweet job m8 will give it a go

this is a mini-honeypot ?

very nice tutorial

also i forgot to add:
if you see HOD as the domain/host name in one of the packets its most likely the sasser worm or someone trying to use the 'houseofdabus' lsass exploit against you

Nice tut dude. w3 sp34k l33t

well, this might be worth checking out...
Thanks for the ethereal guide m8! gonna make some tests on my home network.

btw, lol @ m3 l33t sp34k i h4xx y00

If I recall correctly winsnort was released. try that out for an IDS on windows.

aye, id like to try this at home, unfortuantly most of the local isp's around here (cable and dsl at least) block 139/135/445

works well at work tho. see some attacks every now and then... although id suggest snort if you really want to get into ids...


nonetheless a very cool post.

Thanks for the sharing!
Well I'm a baby so...
@+