Re: Using Null Session information from NAT.EXE

From: Mike Brentlinger (mdbrentlingerat_private)
Date: Tue Oct 30 2001 - 13:34:22 PST


    in my experience the format of net use has not been
         NET USE Z: xxx.xxx.xxx.xxx\c$ /user:administrator password
    but has worked as
        net use z:\ xxx.xxx.xxx.xxx\c$ password /u:domain\user
    which connects automatically or
        net use z:\ xxx.xxx.xxx.xxx\c$ * /u:domain\user
    which prompts you for a masked password
    
    also you may want to terminate current connections with something like
    
    net use \\xxx.xxx.xxx.xxx /delete
    
    before running your connection commands, since you will be connected with
    anonymous credentials from running nat
    
    -mdb
    
    
    
    ----Original Message Follows----
    From: "Ian Lyte" <ianlyteat_private>
    To: pen-testat_private
    Subject: Using Null Session information from NAT.EXE
    Date: Tue, 30 Oct 2001 17:39:30
    
    Running NAT.EXE on a machine on my local network gives me the following results
    [obvious bits changed]
    
    
    [*]--- Reading usernames from user.txt
    [*]--- Reading passwords from bigpass.txt
    
    [*]--- Checking host: xxx.xxx.xxx.xxx
    [*]--- Obtaining list of remote NetBIOS names
    
    [*]--- Attempting to connect with name: *
    [*]--- Unable to connect
    
    [*]--- Attempting to connect with name: *SMBSERVER
    [*]--- CONNECTED with name: *SMBSERVER
    [*]--- Attempting to connect with protocol: MICROSOFT NETWORKS 1.03
    [*]--- Server time is Tue Oct 30 14:30:36 2001
    [*]--- Timezone is UTC+0.0
    [*]--- Remote server wants us to encrypt, telling it not to
    
    [*]--- Attempting to connect with name: *SMBSERVER
    [*]--- CONNECTED with name: *SMBSERVER
    [*]--- Attempting to establish session
    [*]--- Was not able to establish session with no password
    [*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `0'
    
    <---SNIP--->
    
    [*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `password'
    [*]--- CONNECTED: Username: `ADMINISTRATOR' Password: `password'
    
    [*]--- Obtained server information:
    
    Server=[xxxxxxx] User=[] Workgroup=[xxxxxxx] Domain=[]
    
    [*]--- Attempting to access share: \\*SMBSERVER\
    [*]--- Unable to access
    
    [*]--- Attempting to access share: \\*SMBSERVER\ADMIN$
    [*]--- WARNING: Able to access share: \\*SMBSERVER\ADMIN$
    [*]--- Checking write access in: \\*SMBSERVER\ADMIN$
    [*]--- WARNING: Directory is writeable: \\*SMBSERVER\ADMIN$
    [*]--- Attempting to exercise .. bug on: \\*SMBSERVER\ADMIN$
    
    [*]--- Attempting to access share: \\*SMBSERVER\C$
    [*]--- WARNING: Able to access share: \\*SMBSERVER\C$
    [*]--- Checking write access in: \\*SMBSERVER\C$
    [*]--- WARNING: Directory is writeable: \\*SMBSERVER\C$
    [*]--- Attempting to exercise .. bug on: \\*SMBSERVER\C$
    
    [*]--- Attempting to access share: \\*SMBSERVER\D$
    [*]--- WARNING: Able to access share: \\*SMBSERVER\D$
    [*]--- Checking write access in: \\*SMBSERVER\D$
    [*]--- WARNING: Directory is writeable: \\*SMBSERVER\D$
    [*]--- Attempting to exercise .. bug on: \\*SMBSERVER\D$
    
    [*]--- Attempting to access share: \\*SMBSERVER\ROOT
    [*]--- Unable to access
    
    [*]--- Attempting to access share: \\*SMBSERVER\WINNT$
    [*]--- Unable to access
    
    
    Now from here I thought it would just be a case of
    
    NET USE Z: xxx.xxx.xxx.xxx\c$ /user:administrator password
    
    to map the C$ to a local z:
    
    However every time I try that it gives me a
    
    System error 1326 has occurred.
    Logon Failure: unknown user name or bad password.
    
    Now I have gone to the machine and know that the user:pass combo is correct.
    
    So, what am I doing wrong? I've searched the archives to no avail and I
    notice on Google groups that a lot of people have asked the same question
    but not received an answer. So I am turning to you guys ;)
    
    Ian
    
    _________________________________________________________________
    Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
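
A small parser for the NAT.EXE output format quoted in the message above, added here as an example and not part of the original thread: it reduces a run to the accounts whose password was guessed and the highest access level seen on each share, which is the form an assessment report needs. The sample input is constructed from lines in the message, and `summarize`, `LEVEL` and `RANK` are hypothetical names.

```python
import re

# Constructed sample in the NAT.EXE output format quoted in the message
# (host and server names are placeholders, as in the original post).
SAMPLE = r"""
[*]--- Checking host: xxx.xxx.xxx.xxx
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `0'
[*]--- CONNECTED: Username: `ADMINISTRATOR' Password: `password'
[*]--- Attempting to access share: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Able to access share: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\ADMIN$
[*]--- Attempting to access share: \\*SMBSERVER\C$
[*]--- WARNING: Able to access share: \\*SMBSERVER\C$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\C$
[*]--- Attempting to access share: \\*SMBSERVER\ROOT
[*]--- Unable to access
"""

LINE = re.compile(r"^\[\*\]---\s*(.*)$")
HOST = re.compile(r"Checking host: (\S+)")
CRED = re.compile(r"CONNECTED: Username: `([^']*)' Password: `([^']*)'")
SHARE = re.compile(r"(Attempting to access share|WARNING: Able to access share|"
                   r"WARNING: Directory is writeable): \\\\[^\\]+\\(\S*)")
LEVEL = {"Attempting to access share": "none",
         "WARNING: Able to access share": "read",
         "WARNING: Directory is writeable": "write"}
RANK = ("none", "read", "write")

def summarize(text):
    """Map each host to guessed accounts and the best access seen per share."""
    hosts, cur = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blanks and wrapped continuation lines hold no record
        body = m.group(1)
        h = HOST.search(body)
        if h:
            cur = hosts.setdefault(h.group(1), {"accounts": [], "shares": {}})
        if cur is None:
            continue
        c = CRED.search(body)
        if c:
            cur["accounts"].append(c.group(1))  # password is not copied out
        s = SHARE.search(body)
        if s:
            prev = cur["shares"].get(s.group(2), "none")
            cur["shares"][s.group(2)] = max(prev, LEVEL[s.group(1)], key=RANK.index)
    return hosts
```
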
    
    
    
    



    This archive was generated by hypermail 2b30 : Tue Oct 30 2001 - 16:44:33 PST