NET TOOLS

Network Neighborhood and My Network Places aren't the only places where you can connect to other computers' shares. For one, you can use the Find | Computer utility on the Start menu to search for available shares by IP address. This will search for shares on that particular IP whether the host is in your office or across the ocean. However, as with most graphical utilities, Network Neighborhood has an underlying command-line program that drives it. The command-line program is called net; let's further explore this utility.

Implementation

We start with a breakdown of the command-line arguments and a brief description, as shown in Figure. We'll follow with an example usage of the more important commands and what they do. Try typing the /? flag after any of the commands in the table to find more syntax information.

Figure: Net Tools Command-line Arguments

Command Line      Explanation
net accounts      Sets account policies for the system, such as password age, password history, and lockout and logoff policies
net computer      Adds or deletes computers from the domain
net config        Displays current server or workgroup information including computer name, username, software version, and domain name
net continue      Restarts a suspended service
net file          Displays the names of all currently open files and provides the ability to close them
net group         Configures Windows Global Group properties (on domain controllers only)
net help          Gets information about these available commands
net helpmsg       Provides information on a particular error message number
net localgroup    Configures Windows local group properties
net name          Configures messaging names for which the machine will accept messages
net pause         Suspends currently running services
net print         Gets information about a computer's print queue and controls it
net send          Sends a message to another user or computer on the network
net session       Lists or terminates sessions between the local system and other network systems
net share         Creates, deletes, or displays a shared resource
net start         Starts a service
net statistics    Displays statistics for a server or workstation such as network usage, open files, or print jobs
net stop          Stops a service
net time          Displays the time or synchronizes the time with a specified time server
net use           Connects to or disconnects from a shared resource; also displays information about shared resources
net user          Adds or deletes a user
net view          Displays a list of shared resources for a specific computer or all computers on the local subnet

As you can see, net is an extremely useful tool. But from a hacker's standpoint, the two most important net commands are net view and net use. The information that leaks from unsecured shares and the ability to access such shares across the Internet with seeming impunity has not been lost to security professionals who desire better countermeasures. Windows XP Service Pack 2 greatly reduced the impact of insecure default configurations and remote accessibility to Windows shares. Plus, many networks and Internet Service Providers have become more savvy about explicitly blocking TCP ports 139 and 445 in order to be more proactive about limiting access. The fact that spammers noticed that they could send messages to unsecured Windows users via the net message command only highlighted the need for better countermeasures.

With that said, it is still a simple prospect to come across Windows 2000 and Windows NT systems. The techniques for enumeration in this chapter still apply to Windows XP and 2003, but the latter more often require valid credentials than the anonymous connections that their predecessors allowed.

net view

net view allows you to gather two essential bits of information. First, by specifying the domain or workgroup name of your target (which you can discover using nbtstat, detailed in the next section), you can see all the other computers that belong to that domain or workgroup. From there, you can use net view's second mode of operation to examine the shares on each individual host on the network. Here's how it looks:

C:\>net view /WORKGROUP:myworkgroup
Servers available in workgroup MYWORKGROUP.
Server name            Remark
-----------------------------------------------------
\\BADMAN               The bad machine
\\BROCCOLI             Veggies are good for you
\\TECHSUPP             Don't call us - we won't call you
The command was completed successfully.

C:\>net view \\badman
Shared resources at \\BADMAN
Sharename    Type         Comment
-----------------------------------------------------
CDRW          Disk
D             Disk
HALF-LIFE     Disk
INSTALL       Disk
MP3S          Disk
The command was completed successfully.

Note

The first command, net view /workgroup, won't work on Windows NT or 2000. Use net view /domain instead.

We've got a list of machines in the domain/workgroup, and we've found some open shares on the Badman box. Looks like he's sharing some MP3s, a popular first-person shooter game, his entire D: drive, and his CD rewritable (CD-RW). The next logical step, of course, would be to see whether we can connect to any of these shares.

Tip

You don't have to know a domain name or a NetBIOS name to view the available shares on a system. You can use an IP address instead, such as net view \\192.168.1.101. This means you can find out about shares on any computer anywhere in the world that doesn't have its NetBIOS over TCP (NBT) ports protected by a firewall.

net use

Now that we've found some shares, let's try to connect to them using the net use command:

C:\>net use * \\badman\mp3s
Drive E: is now connected to \\badman\mp3s
The command completed successfully.

C:\>net use * \\badman\d
The password is invalid for \\badman\d
Type the password for \\badman\d:
System error 86 has occurred.
The specified network password is not correct.

C:\>net view \\badman
Shared resources at \\BADMAN
The bad machine
Sharename    Type         Used as  Comment
-----------------------------------------------------
CDRW          Disk
D             Disk
HALF-LIFE     Disk
INSTALL       Disk
MP3S          Disk         E:
The command was completed successfully.

C:\>echo "hi" > e:\test-write-permissions.txt
Network access is denied.

Tip

You can map a drive letter only if File and Printer Sharing is enabled on the system.

We gained access to the MP3S share and mapped it to our next available drive letter E:, which is what the asterisk (*) indicates in the net use command line. However, we were unable to create a file on the mapped drive, so we have only read access. The D: share appears to be password protected. We would need either a share password or a valid username and password to access this share, in which case we would run the command

net use * \\badman\d <password> /user:<username>

to connect. So this doesn't really get us too far. There must be something else we can do.

Exploiting the IPC$ Share with net use

As it turns out, Windows 2000, XP, and 2003 boxes have "administrative shares." These aren't typical shares that can be browsed from Network Neighborhood or My Network Places, nor can they be seen using net view, because the share is hidden by the cunning use of "$" at the end of the share's name: "ShareFoo" is visible to the network, "ShareBar$" is hidden from the network. Only if you are able to determine the Administrator password on a box can you use the net use command to connect to one of those hidden administrative shares.

There's more. An additional administrative share is made available so that domain administrators can send commands back and forth between servers. This is the IPC$ share. You would think that the IPC$ share would be strongly protected by Administrator login credentials. But some applications actually require use of IPC$ without authentication. Granted, you won't get the full run of the system that you might get if you did have the Administrator credentials, but even by connecting with no credentials whatsoever, you can extract a great deal of information.

Note

Windows systems through Windows XP only recorded the NetBIOS name of the remote system accessing a host's IPC$ share. Windows 2003 addresses this deficiency by including the IP address, which is more difficult to spoof than the NetBIOS name, in the security event log.

The following command effectively creates a somewhat privileged, somewhat trusted pipe between your box and 192.168.1.150:

C:\Windows\Desktop>net use \\192.168.1.150\ipc$ "" /user:""
The command completed successfully.

That's it! Now we can run some other tools against 192.168.1.150 to gather information that we never would have had access to before. This information includes usernames, groups, policies, system IDs (SIDs), and other information of that nature.

Tip

Make sure that you clean up after yourself after connecting to this share. Use net use \\192.168.1.150\IPC$ /delete to disconnect. If you don't, someone will still be able to see you as a connected user and track you back to your IP address by using net session or nbtstat -s, discussed shortly.
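The share listings above and the net session check in this tip both come back as fixed-width text tables. As an added example (not code from the chapter), the following Python parses that layout by slicing rows at the header's column offsets, so an administrator can turn net session output into a list of the computers holding a null session (empty user name) against the server. The sample outputs, the column names, and the host names in them are constructed to match the layout the commands print.

```python
# Added example (not the chapter's code): parse the fixed-width tables that
# "net view" and "net session" print, so a defender can spot a null session
# (a connected computer with an empty user name) from the server side.

VIEW_COLUMNS = ["Sharename", "Type", "Used as", "Comment"]
SESSION_COLUMNS = ["Computer", "User name", "Client Type", "Opens", "Idle time"]

# Constructed sample output, laid out the way the commands print it.
NET_VIEW_SAMPLE = r"""
Shared resources at \\BADMAN
Sharename    Type         Used as  Comment
-----------------------------------------------------
D            Disk
INSTALL      Disk                  Setup files
MP3S         Disk         E:
The command completed successfully.
"""
NET_SESSION_SAMPLE = r"""
Computer               User name            Client Type       Opens Idle time
-------------------------------------------------------------------------------
\\192.168.1.101        JDOE                 Windows 2002      2     00:00:12
\\192.168.1.150                             Windows 2002      0     00:01:40
The command completed successfully.
"""

def parse_net_table(text, columns):
    """One dict per data row. net left-aligns every value under its header,
    so the header's column offsets are the slice points; columns missing
    from the header (net view omits "Used as" if nothing is mapped) are skipped."""
    lines = text.splitlines()
    sep = next((i for i, l in enumerate(lines) if l.startswith("----")), None)
    if sep is None:
        return []  # e.g. "There are no entries in the list."
    header = next(l for l in reversed(lines[:sep]) if l.strip())
    present = sorted(((c, header.find(c)) for c in columns if c in header),
                     key=lambda p: p[1])
    bounds = [s for _, s in present] + [None]
    rows = []
    for line in lines[sep + 1:]:
        if not line.strip() or line.startswith("The command"):
            continue  # blank line or the trailer
        rows.append({c: line[s:e].strip()
                     for (c, _), s, e in zip(present, bounds, bounds[1:])})
    return rows

def null_sessions(session_output):
    """Computers holding a session with an empty user name: a null session."""
    return [r["Computer"]
            for r in parse_net_table(session_output, SESSION_COLUMNS) if not r["User name"]]
```

Run net session on the server and pass its output to null_sessions(); any computer it returns is connected to IPC$ without credentials and is a candidate for net session \\computer /delete.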
