_ | \ | \ | | \ __ | |\ \ __ _____________ _/_/ | | \ \ _/_/ _____________ | ___________ _/_/ | | \ \ _/_/ ___________ | | | _/_/_____ | | > > _/_/_____ | | | | /________/ | | / / /________/ | | | | | | / / | | | | | |/ / | | | | | | / | | | | | / | | | | |_/ | | | | | | | | c o m m u n i c a t i o n s | | | |________________________________________________________________| | |____________________________________________________________________| ...presents... Who's Gonna Get Screwed Today? NetBIOS Attacks over TCP by SirDystic 09/01/1997-#338 __///////\ -cDc- CULT OF THE DEAD COW -cDc- /\\\\\\\__ \\\\\\\/ Everything You Need Since 1986 \/////// ___ _ _ ___ _ _ ___ _ _ ___ _ _ ___ |___heal_the_sick___raise_the_dead___cleanse_the_lepers___cast_out_demons___| Microsoft has never claimed that Windows95 (or any of its DOS predecessors) is secure. In fact, they offer an entirely different product line for people concerned with security (their New Technology line). In our ever growing net, there must be more than 1000 new users a day worldwide. A fairly large portion of the Internet is not servers and mainframes but personal computer users, most of whom use Win95 because it's cheap and well supported by games and Microsoft's suite of barely adequate, yet all-encompassing applications. What person on the Internet cannot afford to be concerned with security?!? Few people seem to realize that all of the networking functionality built into windows is available over _any_ TCP connection by default, even a PPP or SLIP dial-up to Prodigy or most ISPs! Nor do many people filter the appropriate ports on their firewalls leaving most machines with a permanent connection to the Internet fully accessible via NetBIOS. Perhaps the "Sharing..." selection available from any drive or directory's menu is just too convenient and people don't realize what they're opening themselves up to, but about 1 out of 3 Windows 95 users who have file sharing enabled have their whole file system exported with no password. For those users who actually do bother using passwords, it's usually one of the most obvious, and with no logging, delaying, or any deterrent for password hacking, 3 to 7 passwords per second can be tried across the Internet. Recently a bug was discovered in almost every version of Windows which caused the operating system to crash (hard) when out-of-bound data is sent to a TCP port. Since all Windows machines by default were listening on port 139 for NBT connections, the standard exploit connected to this port to send the OOB data. Microsoft fairly quickly release a patch for NT to fix this bug, but their response for 95 was much slower. Their initial 'fix' was to release a registry edit which disabled NBT and recommended turning off any other listening ports such as 113 (identd). This caused a large number of people on the Internet to become invulnerable to NBT attacks. America Online also began filtering this port, as well as UDP 137 (nbnames), causing another large chunk of lamers to become protected. Still plenty of phish in the c. All that is required to access a machine across NBT is the machine's NetBIOS name and IP address. User friendly Microsoft even included a tool with Win95 and NT which will display a remote machine's NetBIOS names, including the machine name, login name and domain name, one of which is often a part of a share password. To access a machine across NBT, retrieve the target IP's machine name using nbtstat.exe (nbtstat -A ip, machine name is usually displayed first). Add the IP and machine name to a file "lmhosts" in your windows directory on a line by themselves and *BLAM*, you can access that machine by name through any network function. You can net view \\machine, net use \\machine\res, start \\machine, ping machine, winnuke machine, etc... Once access is gained to the windows directory (either through ADMIN$ or one of the user's exports) the pwl file can be decrypted (way to go MS!) using a variation of the glide code, and voila: all the user's passwords including their dial-up account password, any web passwords, and any passwords for network resources they've accessed. A list of the most recently accessed documents on the machine can be found in the "recent" directory, the desktop can be directly manipulated by altering the "Desktop" directory, the start menu can be directly manipulated by altering the "Start Menu" directory, the Startup directory is in "Start Menu\Programs", if you rename the Fonts directory, uppon reboot Windows gives the message: "Unable to load gdi.exe. Please reinstall Windows." Don't forget to delete netstat.exe and netwatch.exe to stay a little more hidden. What's more, MS documents that shares exported with a name ending in a $ will not be listed on remote browse lists. This is partially true. It turns out that the Samba client (the gnu UNIX implementation of NetBIOS) has no problem listing shares ending in $, including ADMIN$ and ipc$. I ported this functionality to Win32 with a few minutes work. What can this be used for? Get dial-up accounts on the ISP of your choice: Scan through the dial-ups till you find a machine with their windows directory exported and copy their .pwl file(s). When it was shown that Microsoft's 'encryption' of the .pwl files was a joke, Microsoft did release a patch and on later versions of Win95, the files were further obfuscated and to my knowledge no later versions have been decrypted, but I'm not sure anyone's put any effort towards it. In any case, we're playing odds. Most people are still running the breakable version of Win95, so keep looking till you find one you can read. Passwords can also be found storred by popular ftp clients such as WSFTP and CuteFTP, decoders are available for their data files. Get any kind of file you like; Use IRC to locate people who are trading the type of file you're interested in (warez, pix, mp3, etc.) by listing the users in appropriate channels (#*warez*, #*pics*, #*mp3*...) and scan through them till one with their file system exported is found. Use the "Recent" directory to quickly find the interesting files on their machine, lnk files store the export name as well as the rellative and absolute location of the file (just type them, you'll see). Also use ftp clients and servers' ini files to locate download and zip directories. Run programs on other people's machines: Put links in people's "Startup" directory to run the program of your choice. The filenames " .lnk" and " .exe" are particularly useful as they show up blank in GUI listings and cannot be run from the DOS prompt (as their 8.3 names become exe~1.) Use this to create mass parallel processing, or run a program with a message of your choice. So in conclusion, since the only protection Win95 allows you in "Share level" access mode is a case-insensitive max 8 character password, pick a good one, and until people start getting a clue (fat chance) you can entertain yourself by browsing through random (or not so random) people's personal files. .-. _ _ .-. / \ .-. ((___)) .-. / \ /.ooM \ / \ .-. [ x x ] .-. / \ /.ooM \ -/-------\-------/-----\-----/---\--\ /--/---\-----/-----\-------/-------\- /lucky 13\ / \ / `-(' ')-' \ / \ /lucky 13\ \ / `-' (U) `-' \ / `-' the original e-zine `-' _ Oooo eastside westside / ) __ /)(\ ( \ WORLDWIDE / ( / \ \__/ ) / Copyright (c) 1997 cDc communications and the author. \ ) \)(/ (_/ CULT OF THE DEAD COW is a registered trademark of oooO cDc communications, PO Box 53011, Lubbock, TX, 79453, USA. _ oooO All rights reserved. Edited by Grandmaster Ratte'. __ ( \ / ) /)(\ / \ ) \ \ ( \__/ Save yourself! Go outside! Do something! \)(/ ( / \_) xXx BOW to the COW xXx Oooo