
Penetration Testing mailing list archives

Re: the C$ and ipc$ shares
From: Nicolas RUFF <nicolas.ruff () gmail com>
Date: Fri, 10 Nov 2006 18:18:41 +0100

> 1) as a pseudo/learning pen-tester, when you are connected to the SharedDocs folder is there any way to delve further into a system?

No, unless some admin put "passwords.xls" in the SharedDocs folder :)

If you can write into that folder, you can also drop some nice ".EXE"
file, waiting for someone to click on it.

If the target is missing security patches, you can even try to mess up
"Desktop.ini" or "Folder.hta" special files with some malicious payloads
(try ".WMF" for instance). But it will still require someone to enter
the folder.


> 2) If I can connect to the SharedDocs and IPC$ shares of a computer using the user name of "x" and a password of "" (null), why can't I do the same with the C$ share? Is this because the SharedDocs share is in the group 'everyone'?
> Thanks a lot guys and happy coding!

Shares, like any Windows object, are ACL-protected. Default permission
for C$ is something like "Admins: Full Control", which means that a
non-admin user will not be able to connect.

The full security blobs for default shared objects can be found under:
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity

Regards,
- Nicolas RUFF
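
An added example, not part of the original message: a Python sketch of how a share security descriptor decides who may connect, which is why an admins-only DACL on C$ refuses a non-admin account. It assumes the blob is a self-relative security descriptor; the sample blob is constructed here (it is not a real value from the DefaultSecurity key), and the access check is simplified (no owner rights, privileges or inherit-only flags).

```python
import struct

def parse_sid(buf, off):
    """Decode the binary SID at buf[off:] into its S-1-... string form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs])

def parse_dacl(sd):
    """Return [(kind, mask, sid)] from a self-relative security descriptor."""
    rev, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & 0x8000:          # SE_SELF_RELATIVE must be set
        raise ValueError("not a self-relative security descriptor")
    if not control & 0x0004 or dacl_off == 0:     # SE_DACL_PRESENT unset
        return None                               # NULL DACL: no restriction
    ace_count = struct.unpack_from("<H", sd, dacl_off + 4)[0]
    aces, off = [], dacl_off + 8                  # first ACE follows the ACL header
    for _i in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", sd, off)
        if ace_type in (0, 1):                    # ACCESS_ALLOWED / ACCESS_DENIED
            aces.append(("deny" if ace_type else "allow", mask, parse_sid(sd, off + 8)))
        off += ace_size
    return aces

def granted(sd, token_sids, desired):
    """Simplified access check: walk the ACEs in order for the caller's SIDs."""
    aces = parse_dacl(sd)
    if aces is None:
        return True
    for kind, mask, sid in aces:
        if sid not in token_sids:
            continue
        if kind == "deny" and mask & desired:
            return False                          # a requested bit is denied
        if kind == "allow":
            desired &= ~mask                      # these bits are now granted
            if desired == 0:
                return True
    return False                                  # bits left ungranted: refused

def build_sample():
    """Constructed blob (not a real registry value): Administrators, full control."""
    sid = bytes([1, 2]) + (5).to_bytes(6, "big") + struct.pack("<II", 32, 544)
    ace = struct.pack("<BBHI", 0, 0, 8 + len(sid), 0x001F01FF) + sid
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(ace), 1, 0) + ace
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl

if __name__ == "__main__":
    print(parse_dacl(build_sample()))
```

With the constructed blob, a token holding only Everyone (S-1-1-0) and Authenticated Users (S-1-5-11) matches no ACE and is refused, while a token holding S-1-5-32-544 is granted.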

