Archive for Pneumatica .:: The online-community originator! ::.
 


       Pneumatica Forum Index -> Linx Network Security Section
Linx

Exploiting the IPC$ Share...

What is the IPC$ Share?

IPC stands for Inter-Process Communication. This share is used for data sharing between applications and computers. With this share a hacker can take total control of a PC. It has been said that one group of individuals on the net managed to dominate an entire company's network through a single person's PC.

How to Abuse the Share…

So first, we have established using our NSS that the IPC$ share is available; we also have the admin password (I'll write a post on how to get this later ;) ).
Using the NET commands within DOS we can find and map to shares on remote computers.
Now, when going for an NT machine, make sure port 139 is open (this can be found out using the GFI NSS), then open up DOS and type in the following:

C:\>NET USE \\TARGET\IPC$ "" /USER:""

This is basically saying you want to use the IPC share on the specified target with the password "" and the user name "". Now we have just asked to make a null session on the target share. Chances are slim that you will obtain it like this, so it's always handy when the admin password has not been set. When you want to log in as an administrator to the share you would type in the following:

C:\>NET USE \\TARGET\IPC$ "" /USER:Administrator

This is stating that you want to connect under the local account “Administrator” with no password.

• Note: For some reason the command varies a little bit from NT to NT
• Note: TARGET is the name or IP of the computer, ex. \\211.3.4.11\ipc$ * /user:
• Note: If it works you'll get: The command completed successfully.
• Note: To check the connection type NET USE \\TARGET\IPC$

After starting a null connection you could try to access the hidden shares. The default hidden shares are: C$, PRINT$, ADMIN$, IPC$. Adding "$" to the end of a folder makes it hidden, if you didn't already guess. Sometimes shares don't have passwords, so you can use them without the admin's password. When you create a null connection you have the least possible rights; you are at the bottom of the food chain. Next you could try using net view. To do this open the DOS window and type:

C:\>net view \\TARGET (Shares)

C:\>net view /workgroup:TARGETWG (Computers in workgroup)

C:\>net view /domain:TARGETD (Computers in domain)

(Note: change TARGETWG to the name of the workgroup to see all of the computers connected)
(Note: change TARGET to the IP or name of the computer to see all non-hidden shares)
(Note: change TARGETD to the domain name, example: /domain: Bob.com)
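Added here as a defender's-side illustration, not part of Linx's post: the null session described above is visible on the server as a network logon by the ANONYMOUS LOGON principal, and each hidden-share access that follows it can be audited. The Python below is example code written for this page; it parses constructed event lines (a made-up key=value flattening of the fields Windows Security events 4624 and 5140 carry, with invented hosts and times) and flags anonymous logons, anonymous share access, and the correlation between the two. The field names follow the real event schema; the line format and all values are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry): a key=value flattening of
# the fields that Windows Security events 4624 (account logon) and 5140
# (network share object accessed) carry. Field names follow the real event
# schema; hosts, users and times are made up for this example.
SAMPLE_EVENTS = [
    "Time=2024-03-01T10:00:01 EventID=4624 LogonType=3 TargetUserName=jsmith TargetDomainName=CORP IpAddress=10.0.0.5",
    "Time=2024-03-01T10:02:10 EventID=4624 LogonType=3 TargetUserName=ANONYMOUS LOGON TargetDomainName=NT AUTHORITY IpAddress=203.0.113.9",
    "Time=2024-03-01T10:02:11 EventID=5140 SubjectUserName=ANONYMOUS LOGON ShareName=\\\\*\\IPC$ IpAddress=203.0.113.9",
    "Time=2024-03-01T10:02:12 EventID=5140 SubjectUserName=ANONYMOUS LOGON ShareName=\\\\*\\C$ IpAddress=203.0.113.9",
    "Time=2024-03-01T10:30:00 EventID=5140 SubjectUserName=jsmith ShareName=\\\\*\\IPC$ IpAddress=10.0.0.5",
    "Time=2024-03-01T11:00:00 EventID=4624 LogonType=3 TargetUserName=ANONYMOUS LOGON TargetDomainName=NT AUTHORITY IpAddress=10.0.0.7",
]

# Hidden administrative shares named in the post. Anonymous access to one of
# these is far more serious than access to IPC$, which every null session
# touches by definition.
ADMIN_SHARES = {"C$", "ADMIN$", "PRINT$"}

# Values may contain spaces ("ANONYMOUS LOGON"), so a value runs until the
# next " key=" token or the end of the line rather than until the next space.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn one flattened event line into a dict with a parsed timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["Time"] = datetime.fromisoformat(fields["Time"])
    return fields


def share_basename(share_name):
    # 5140 reports the share in UNC form such as \\*\IPC$; keep the last part.
    return share_name.rsplit("\\", 1)[-1].upper()


def is_null_session_logon(e):
    # Logon type 3 is a network logon; the ANONYMOUS LOGON principal is what a
    # null session (empty user and empty password) shows up as on the server.
    return (e["EventID"] == "4624" and e.get("LogonType") == "3"
            and e.get("TargetUserName") == "ANONYMOUS LOGON")


def find_null_session_activity(lines, window=timedelta(minutes=5)):
    """Return findings for null-session logons and anonymous share access.

    Each finding is a dict with severity, source ip, time and reason. A share
    access is correlated with a preceding anonymous logon from the same
    source address within `window`.
    """
    findings = []
    anon_logons = defaultdict(list)  # source ip -> times of anonymous logons
    for e in sorted((parse_event(l) for l in lines), key=lambda x: x["Time"]):
        ip = e.get("IpAddress", "?")
        if is_null_session_logon(e):
            anon_logons[ip].append(e["Time"])
            findings.append({"severity": "medium", "ip": ip, "time": e["Time"],
                             "reason": "null session: anonymous network logon"})
        elif e["EventID"] == "5140" and e.get("SubjectUserName") == "ANONYMOUS LOGON":
            share = share_basename(e["ShareName"])
            correlated = any(timedelta(0) <= e["Time"] - t <= window
                             for t in anon_logons[ip])
            severity = "high" if share in ADMIN_SHARES else "medium"
            reason = f"anonymous access to {share}"
            if correlated:
                reason += " following a null-session logon"
            findings.append({"severity": severity, "ip": ip, "time": e["Time"],
                             "reason": reason, "share": share})
    return findings


if __name__ == "__main__":
    for f in find_null_session_activity(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["ip"], f["time"].isoformat(), f["reason"])
```

On the sample data this reports two anonymous logons, the IPC$ access that follows the first one, and a high-severity hit for the anonymous C$ access. Event 5140 is only written when share-access auditing is enabled on the server, so that audit setting is a prerequisite for the second half of the logic. The server-side fix for the null session itself is to restrict anonymous access: on NT that is the RestrictAnonymous value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and on later Windows the "Network access: Do not allow anonymous enumeration of SAM accounts and shares" security policy.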
