Exploiting The IPC Share

 

Now get in to the console (fake ms-dos) in windows. Pick out your target and make sure that it is an NT system and it has port 139 open. You need port 139 open so that net-bios is on. After checking for that you go to the console and type:

Example 1> C:\>NET USE \\TARGET\IPC$ * /USER:
Example 2> C:\>NET USE \\TARGET\IPC$ * /USER:""
Example 3> C:\>NET USE \\TARGET\IPC$ "" /USER:""

  • Note: For some reason the command varies a little bit from NT to NT
  • Note: TARGET is the name or IP of the computer, ex. \\211.3.4.11\ipc$ * /user:
  • Note: If it works youll get> The command completed successfully.
  • Note: To check the connection type NET USE \\TARGET\IPC$

 

After starting a null connection you could try to access the hidden shares. The default hidden shares are: C$, PRINT$, ADMIN$, IPC$. As you can probably tell shares are hidden by putting a $ at the end of the share name. Sometime shares don't have passwords so you can use them. When you create a null connection you have the least possible rights. Next you could try using net view. To do this open the console and type:

Example:

C:\>net view \\TARGET (Shares) 
Or 
C:\>net view /workgroup:TARGETWG (Computers in workgroup) 
Or 
C:\>net view /domain:TARGETD (Computers in domain)

(Note: change TARGETWG to the name of the workgroup to see all of the computers connected) 
(Note: change TARGET to the IP or name of the computer to see all none hidden shares) 
(Note: change TARGETD to domain name example: /domain: Bob.com ) 
If you can't find an open share you could use a program that I like a lot called winfo. Winfo will get all of the user names from the target. Or another programs that is Nat(NetBIOS Auditing Tool). Nat will try names and passwords (dictionary attack) to get the right one. Another well like program is sid2user and user2sid. 
Last but not least there are DoS attacks that could be preformed. Dos attacks become outdated quickly but new ones are always poping up. A good Dos attack that works on NT systems with printer capibiltes. It kinda goes like this (null connection is needed): \\target\pipe\spoolss. Do this alot. The next one is one that im not sure that works but you fill all the connections possible on: \\target\pipe\samr. For that I would recomend use a program like ubend.exe

 

GSO
Written on Saturday, 03 October 2009 15:19 by GSO

Viewed 1869 times so far.
Like this? Tweet it to your followers!
Published in Subscribe to the RSS feed of Network Security & Hacking Articles  Network Security & Hacking Articles / Subscribe to the RSS feed of Legacy Security Articles  Legacy Security Articles
Like this? Let your friends know now!

Rate this article

Latest articles from GSO

Latest 'tweets' from GovernmentSecurity

  • News Update: Cyber war is coming, the impact could be huge: CBS News reports that cyber.. http://bit.ly/1tx1kr | #Security Link Monday, 09 November 2009 07:35
  • News Update: Tenable Network #Security Podcast - Episode 11: Welcome to the Tenable Netw.. http://bit.ly/2Iqd6G | Security Link Monday, 09 November 2009 07:35
  • News Update: Consent will be required for cookies in Europe: EDITORIAL: A law that dema.. http://bit.ly/3JYgip | #Security Link Monday, 09 November 2009 07:35
  • News Update: CBS 60 Minutes tackles cyber-terrorism: Could hackers get into the compute.. http://bit.ly/2d5Y21 | #Security Link Monday, 09 November 2009 07:35
  • Blog Update: We have launched the new GovernmentSecurity.org: We decided to launch th.. http://bit.ly/2G1SSF | #Security Link Saturday, 07 November 2009 17:38
blog comments powered by Disqus
back to top

Site Search

Disqus Tools