Using Null Session information from NAT.EXE

From: Ian Lyte (ianlyte@hotmail.com)
Date: 10/30/01 

From: "Ian Lyte" <ianlyte@hotmail.com>
To: pen-test@securityfocus.com
Subject: Using Null Session information from NAT.EXE
Date: Tue, 30 Oct 2001 17:39:30 
Message-ID: <F40AaNUqsGo9Fr6QCpz0000b3e8@hotmail.com>

Running NAT.EXE on a machine my local network gives me the following results
[obvious bits changed]

[*]--- Reading usernames from user.txt
[*]--- Reading passwords from bigpass.txt

[*]--- Checking host: xxx.xxx.xxx.xxx
[*]--- Obtaining list of remote NetBIOS names

[*]--- Attempting to connect with name: *
[*]--- Unable to connect

[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to connect with protocol: MICROSOFT NETWORKS 1.03
[*]--- Server time is Tue Oct 30 14:30:36 2001
[*]--- Timezone is UTC+0.0
[*]--- Remote server wants us to encrypt, telling it not to

[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to establish session
[*]--- Was not able to establish session with no password
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `0'

<---SNIP--->

[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password:
`password'
[*]--- CONNECTED: Username: `ADMINISTRATOR' Password: `password'

[*]--- Obtained server information:

Server=[xxxxxxx] User=[] Workgroup=[xxxxxxx] Domain=[]

[*]--- Attempting to access share: \\*SMBSERVER\ <file://\\*SMBSERVER\>
[*]--- Unable to access

[*]--- Attempting to access share: \\*SMBSERVER\ADMIN$
<file://\\*SMBSERVER\ADMIN$>
[*]--- WARNING: Able to access share: \\*SMBSERVER\ADMIN$
<file://\\*SMBSERVER\ADMIN$>
[*]--- Checking write access in: \\*SMBSERVER\ADMIN$
<file://\\*SMBSERVER\ADMIN$>
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\ADMIN$
<file://\\*SMBSERVER\ADMIN$>
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\ADMIN$
<file://\\*SMBSERVER\ADMIN$>

[*]--- Attempting to access share: \\*SMBSERVER\C$ <file://\\*SMBSERVER\C$>
[*]--- WARNING: Able to access share: \\*SMBSERVER\C$
<file://\\*SMBSERVER\C$>
[*]--- Checking write access in: \\*SMBSERVER\C$ <file://\\*SMBSERVER\C$>
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\C$
<file://\\*SMBSERVER\C$>
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\C$
<file://\\*SMBSERVER\C$>

[*]--- Attempting to access share: \\*SMBSERVER\D$ <file://\\*SMBSERVER\D$>
[*]--- WARNING: Able to access share: \\*SMBSERVER\D$
<file://\\*SMBSERVER\D$>
[*]--- Checking write access in: \\*SMBSERVER\D$ <file://\\*SMBSERVER\D$>
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\D$
<file://\\*SMBSERVER\D$>
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\D$
<file://\\*SMBSERVER\D$>

[*]--- Attempting to access share: \\*SMBSERVER\ROOT
<file://\\*SMBSERVER\ROOT>
[*]--- Unable to access

[*]--- Attempting to access share: \\*SMBSERVER\WINNT$
<file://\\*SMBSERVER\WINNT$>
[*]--- Unable to access

Now from here I thought it would just be a case of

NET USE Z: xxx.xxx.xxx.xxx\c$ /user:administrator password

to map the C$ to a local z:

However every time I try that it gives me a

System error 1326 has occurred.
Logon Failure: unknown user name or bad password.

Now I have gone to the machine and know that the user:pass combo is correct.

So, what am I doing wrong? I've searched the archives to no avail and I
notice on Google groups that a lot of people have asked the same question
but not received an answer. So I am turning to you guys ;)

Ian

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Relevant Pages

  • Re: Using Null Session information from NAT.EXE
    ... Using Null Session information from NAT.EXE ... > Running NAT.EXE on a machine my local network gives me the following results ... This list is provided by the SecurityFocus Security Intelligence Alert Service. ... For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: ...
    (Pen-Test)
  • Re: Using Null Session information from NAT.EXE
    ... Using Null Session information from NAT.EXE ... This list is provided by the SecurityFocus Security Intelligence Alert ... For more information on SecurityFocus' SIA service which ...
    (Pen-Test)
  • Re: Using Null Session information from NAT.EXE
    ... Using Null Session information from NAT.EXE ... NAT is cleaning up it's connections so you don't ... This list is provided by the SecurityFocus Security Intelligence Alert ... For more information on SecurityFocus' SIA service which ...
    (Pen-Test)
  • RE: Using Null Session information from NAT.EXE
    ... Using Null Session information from NAT.EXE ... This list is provided by the SecurityFocus Security Intelligence Alert ... For more information on SecurityFocus' SIA service which ... This list is provided by the SecurityFocus Security Intelligence Alert ...
    (Pen-Test)
  • Re: Using Null Session information from NAT.EXE
    ... Using Null Session information from NAT.EXE ... > This list is provided by the SecurityFocus Security Intelligence Alert ... For more information on SecurityFocus' SIA service which ... This list is provided by the SecurityFocus Security Intelligence Alert ...
    (Pen-Test)