Re: the C$ and ipc$ shares

From: Nicolas RUFF (nicolas.ruff@gmail.com)
Date: Fri Nov 10 2006 - 12:18:41 EST


> 1) as a pseudo/learning pen-tester, when you are connected to the SharedDocs folder is there any way to delve further into a system?

No, unless some admin put "passwords.xls" in the SharedDocs folder :)

If you can write into that folder, you can also drop some nice ".EXE"
file, waiting for someone to click on it.

If the target is missing security patches, you can even try to mess up
"Desktop.ini" or "Folder.hta" special files with some malicious payloads
(try ".WMF" for instance). But it will still require someone to enter
the folder.

> 2) If I can connect to the SharedDocs and IPC$ shares of a computer using the user name of "x" and a password of "" (null), why can't I do the same with the C$ share? Is this because the SharedDocs share is in the group 'everyone'? Thanks a lot guys and happy coding!

Shares, like any Windows object, are ACL-protected. Default permission
for C$ is something like "Admins: Full Control", which means that a
non-admin user will not be able to connect.

The full security blobs for default shared objects can be found under:
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity

Regards,
- Nicolas RUFF
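
Added example, not part of the original message: a small Python decoder for the kind of security blob mentioned above, listing the DACL entries and flagging grants to broad principals. It assumes the registry values are standard self-relative security descriptors; the sample blobs are constructed here (they are not the real Windows defaults), and all function names are hypothetical.

```python
import struct
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
ACE_NAMES = {0: "ALLOW", 1: "DENY"}  # basic ACE layout: header, mask, SID
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-7": "Anonymous Logon"}

def parse_sid(buf, off):
    """Decode the binary SID at offset `off` into its S-1-... string form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs])

def parse_dacl(sd):
    """Return [(type, access_mask, sid)] from a self-relative descriptor."""
    rev, _, control, _own, _grp, _sacl, dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative descriptor")
    if not control & SE_DACL_PRESENT or dacl == 0:
        return None  # no DACL at all: Windows grants access to everyone
    _, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl)
    end, pos, aces = dacl + acl_size, dacl + 8, []
    if end > len(sd):
        raise ValueError("ACL runs past the end of the blob")
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_size < 16 or pos + ace_size > end:
            raise ValueError("bad ACE size")
        if ace_type in ACE_NAMES:  # object/audit ACE types are skipped
            mask, = struct.unpack_from("<I", sd, pos + 4)
            aces.append((ACE_NAMES[ace_type], mask, parse_sid(sd, pos + 8)))
        pos += ace_size
    return aces

def broad_grants(aces):
    """Broad principals holding an ALLOW entry (worth a manual review)."""
    if aces is None:
        return ["NULL DACL"]
    return [BROAD_SIDS[s] for t, _m, s in aces if t == "ALLOW" and s in BROAD_SIDS]

def build_sd(sid_bytes, mask):
    """Constructed sample: a descriptor whose DACL holds one ALLOW ACE."""
    ace = struct.pack("<BBHI", 0, 0, 8 + len(sid_bytes), mask) + sid_bytes
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(ace), 1, 0) + ace
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl

ADMINS = bytes.fromhex("01020000000000052000000020020000")  # S-1-5-32-544
EVERYONE = bytes.fromhex("010100000000000100000000")         # S-1-1-0
if __name__ == "__main__":  # constructed mask 0x001F01FF = FILE_ALL_ACCESS
    print([broad_grants(parse_dacl(build_sd(s, 0x001F01FF))) for s in (ADMINS, EVERYONE)])
```

On a real host the bytes would come from a binary value under the key named above (for example via Python's `winreg` module) instead of `build_sd`.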




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:19 EDT