 _________SWAT MAGAZINE ISSUE TWENTY SEVEN MARCH 2000 __________
/         \___________________________________________/         \
/                    **** Resolvement ****                       \
/                         By Overload                            \
-----------------------------------------------------------------------

Ok I thought I would take this opportunity to show you HOW Unknown Guest
gained access to a NT machine connected to my network.

The network I have consists of 21 fixed computers, 4 laptops, 2 routers,
1 100mbit 16-port hub, 1 100mbit 3-port hub and 1 10mbit 8-port hub.

The Network is connected as follows:

[Section 1]   Server1------Hub-------Server2              [Area 1]
                            |
                          Router
                            |
[Section 2]   L-L-L-L------Hub -----------------------    [Area 2]
                            |                        |
[Section 3]   C-C-C-C-C-C-C-C-C-C-C-C-C-C-C-C-C-C-C  |
                                                   Router
[Section 4]                                          |
                              ---- C-C---- Hub --    |    [Area 3]
                              |                 |
                              |                 |
                              |________C-C__|

#######################
#Key:                 #
#                     #
#L= Laptop            #
#C= Desktop Computer  #
#######################

When any person connects to the network they reach a Solaris machine
that is secured very well. From there you are redirected to another
machine. The machine it connects to is random (but it does follow a
ratio).

The chances of being connected to a:

  Section 1 machine is 1:25
  Section 2 machine is 0:25
  Section 3 machine is 24:25
  Section 4 machine is 0:25

When Unknown Guest connected to the network he was connected to Server1
and then redirected to a machine in section 3. The machine he connected
to was a NT machine that was not running its www service properly. The
reason why this box was connected to my network was so I could fix it.
Usually the machine is connected to a LAN in someone else's house.

What was on that machine? The Pamela Anderson Archive. It contains all
sorts of stuff such as 'The Movie', Normal Pics, Bios and all sorts of
stuff. The Mpeg Unknown Guest accessed was just an extract from the
movie. Sorry to disappoint you.

Now how did he get in? My theory is he went into the DOS prompt and
typed "nbtstat -A 213.45.67.890". He then would have received a NetBIOS
information table.
Why this is built into NT I'll never know. The table gives you
information on usernames on the system; it also gives you details about
the group that is logged on. From there he typed
"Net view \\213.24.67.890". This gave him a list of active shares on the
machine. He would have got a list of something like

  \\212.24.67.890\as
  \\212.24.67.890\MyDocs
  \\212.24.67.890\overloaded
  \\212.24.67.890\proxy

And some other stuff, not too sure what. As far as I can remember some
machines' shares had passwords on, but that was not relevant because he
decided not to give up. He found a user on the system called
"Rob 'The Random Sex Goose' Graham". Prizes for the first person to
guess what his password was.

To log on to the shares he used "net logon" and logged in as rob (with
his 'amazing' password). Then he used "net use F: \\213.45.67.890\as",
then went to 'My Computer' in Windows and just deleted the files. Then
he was able to access the shares just the same but replacing the "AS"
with any other share.

This article is not designed to make anyone look stupid etc. It was just
to resolve a point. If I get some time I will set up a machine for you
all to have a go. Should be at "ntserver4.212.56.119.157". But I may not
make it online.

And don't forget to check out Overloaded for the exploits that I find.
(Some big ones coming soon)

Overload
Admin@overloaded.org
Http://www.overloaded.org

Overloaded Technologies

Text Reference: UG_NT-NBT-SWA|00001
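
Added example, not part of the original article: a small auditor for the name table that "nbtstat -A" returns, showing which rows hand the computer name, the workgroup, the logged-on username and the presence of file sharing to anyone who asks. The sample output and the names in it (NTBOX, WORKGROUP, ROB) are constructed for illustration; the suffix meanings are the standard NetBIOS ones.

```python
import re

# One row of the name table printed by `nbtstat -A <ip>`:
#   NAME           <suffix>  UNIQUE|GROUP   Status
ROW = re.compile(r"^\s*(.{1,15}?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)")

# Constructed sample output (host and user names are made up for this example).
SAMPLE = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
NTBOX          <00>  UNIQUE      Registered
WORKGROUP      <00>  GROUP       Registered
NTBOX          <03>  UNIQUE      Registered
NTBOX          <20>  UNIQUE      Registered
WORKGROUP      <1E>  GROUP       Registered
ROB            <03>  UNIQUE      Registered

MAC Address = 00-00-00-00-00-00
"""

def audit_name_table(text):
    """Summarise what a NetBIOS name table tells an unauthenticated caller."""
    rows = [m.groups() for m in map(ROW.match, text.splitlines()) if m]
    report = {"computer": None, "group": None, "users": [], "file_sharing": False}
    for name, suffix, kind, _status in rows:
        suffix = suffix.upper()
        if suffix == "00" and kind == "UNIQUE":
            report["computer"] = name          # Workstation service
        elif suffix == "00" and kind == "GROUP":
            report["group"] = name             # domain or workgroup
        elif suffix == "20" and kind == "UNIQUE":
            report["file_sharing"] = True      # Server service: shares are offered
    for name, suffix, kind, _status in rows:
        # <03> is the Messenger service; it registers the machine name and the
        # name of whoever is logged on, so any other <03> name is a username.
        if suffix == "03" and kind == "UNIQUE" and name != report["computer"]:
            report["users"].append(name)
    return report

if __name__ == "__main__":
    print(audit_name_table(SAMPLE))
```

Feed it the output of nbtstat run against your own hosts from outside the perimeter; an empty report is the goal, which is what filtering NetBIOS (UDP 137-138, TCP 139) at the border or disabling NetBIOS over TCP/IP on the host gives you.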