Re: Using Null Session information from NAT.EXE

From: Mike Brentlinger (mdbrentlinger@hotmail.com)
Date: 10/30/01


From: "Mike Brentlinger" <mdbrentlinger@hotmail.com>
To: ianlyte@hotmail.com, pen-test@securityfocus.com
Subject: Re: Using Null Session information from NAT.EXE
Date: Tue, 30 Oct 2001 16:34:22 -0500
Message-ID: <F266DdmIJz6xjakYYcy00016ed7@hotmail.com>

in my experience the format of net use has not been
     NET USE Z: xxx.xxx.xxx.xxx\c$ /user:administrator password
but has worked as
    net use z:\ xxx.xxx.xxx.xxx\c$ password /u:domain\user
which connects automatically or
    net use z:\ xxx.xxx.xxx.xxx\c$ * /u:domain\user
which prompts you for a masked password

also you may want to terminate current connections with something like

net use \\xxx.xxx.xxx.xxx /delete

before running your connection commands, since you will be connected with
anonymous credentials from running nat

-mdb

----Original Message Follows----
From: "Ian Lyte" <ianlyte@hotmail.com>
To: pen-test@securityfocus.com
Subject: Using Null Session information from NAT.EXE
Date: Tue, 30 Oct 2001 17:39:30

Running NAT.EXE on a machine on my local network gives me the following results
[obvious bits changed]

[*]--- Reading usernames from user.txt
[*]--- Reading passwords from bigpass.txt

[*]--- Checking host: xxx.xxx.xxx.xxx
[*]--- Obtaining list of remote NetBIOS names

[*]--- Attempting to connect with name: *
[*]--- Unable to connect

[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to connect with protocol: MICROSOFT NETWORKS 1.03
[*]--- Server time is Tue Oct 30 14:30:36 2001
[*]--- Timezone is UTC+0.0
[*]--- Remote server wants us to encrypt, telling it not to

[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to establish session
[*]--- Was not able to establish session with no password
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `0'

<---SNIP--->

[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `password'
[*]--- CONNECTED: Username: `ADMINISTRATOR' Password: `password'

[*]--- Obtained server information:

Server=[xxxxxxx] User=[] Workgroup=[xxxxxxx] Domain=[]

[*]--- Attempting to access share: \\*SMBSERVER\
[*]--- Unable to access

[*]--- Attempting to access share: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Able to access share: \\*SMBSERVER\ADMIN$
[*]--- Checking write access in: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\ADMIN$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\ADMIN$

[*]--- Attempting to access share: \\*SMBSERVER\C$
[*]--- WARNING: Able to access share: \\*SMBSERVER\C$
[*]--- Checking write access in: \\*SMBSERVER\C$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\C$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\C$

[*]--- Attempting to access share: \\*SMBSERVER\D$
[*]--- WARNING: Able to access share: \\*SMBSERVER\D$
[*]--- Checking write access in: \\*SMBSERVER\D$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\D$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\D$

[*]--- Attempting to access share: \\*SMBSERVER\ROOT
[*]--- Unable to access

[*]--- Attempting to access share: \\*SMBSERVER\WINNT$
[*]--- Unable to access

Now from here I thought it would just be a case of

NET USE Z: xxx.xxx.xxx.xxx\c$ /user:administrator password

to map the C$ to a local z:

However every time I try that it gives me a

System error 1326 has occurred.
Logon Failure: unknown user name or bad password.

Now I have gone to the machine and know that the user:pass combo is correct.

So, what am I doing wrong? I've searched the archives to no avail and I
notice on Google groups that a lot of people have asked the same question
but not received an answer. So I am turning to you guys ;)

Ian

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
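
An added example, not part of the original posts: a Python parser that turns NAT output in the format quoted above into a per-host summary of weak accounts and reachable administrative shares for a findings report, tolerating the line wrapping and `<file://...>` residue that mail clients introduce. The function names and the redact-by-default behaviour are assumptions of this sketch.

```python
import re

LINK = re.compile(r"\s*<file://[^>]*>")  # mail-client autolink residue
HOST = re.compile(r"Checking host: (\S+)")
CRED = re.compile(r"CONNECTED: Username: `([^']*)' Password: `([^']*)'")
SHARE = re.compile(r"WARNING: (Able to access share|Directory is writeable): (\S+)")

# Constructed sample in the format of the NAT output quoted in the thread,
# with mail-client wrapping and link residue included to exercise the cleanup.
SAMPLE = r"""
[*]--- Checking host: xxx.xxx.xxx.xxx
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password:
`password'
[*]--- CONNECTED: Username: `ADMINISTRATOR' Password: `password'
[*]--- Attempting to access share: \\*SMBSERVER\ADMIN$
<file://\\*SMBSERVER\ADMIN$>
[*]--- WARNING: Able to access share: \\*SMBSERVER\ADMIN$
<file://\\*SMBSERVER\ADMIN$>
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\ADMIN$
<file://\\*SMBSERVER\ADMIN$>
[*]--- Attempting to access share: \\*SMBSERVER\ROOT
<file://\\*SMBSERVER\ROOT>
[*]--- Unable to access
"""

def records(text):
    """Yield logical NAT records, rejoining lines the mailer wrapped."""
    current = None
    for raw in text.splitlines():
        line = LINK.sub("", raw).strip()
        if not line:
            continue
        if line.startswith("[*]---"):
            if current is not None:
                yield current
            current = line
        elif current is not None:
            current += " " + line  # continuation of a wrapped record
    if current is not None:
        yield current

def summarize(text, redact=True):
    """Return {host: {"weak_accounts": [(user, pw)], "shares": {unc: level}}}."""
    findings, host = {}, None
    for rec in records(text):
        if m := HOST.search(rec):
            host = m.group(1)
            findings[host] = {"weak_accounts": [], "shares": {}}
        elif host and (m := CRED.search(rec)):
            pw = "<redacted>" if redact else m.group(2)  # keep secrets out of reports
            findings[host]["weak_accounts"].append((m.group(1), pw))
        elif host and (m := SHARE.search(rec)):
            level = "write" if "writeable" in m.group(1) else "read"
            shares = findings[host]["shares"]
            if level == "write" or m.group(2) not in shares:
                shares[m.group(2)] = level
    return findings
```
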



