Accessing Windows Shared Resources from Linux
One of the most common intrusions into Windows computers is caused by user ignorance, not by a software flaw.
This article explains what that means, how the intrusion is carried out, and how to avoid it.
When a Windows 95/98/Me user shares a folder so that other computers on the local network can read or write it, he usually does not realize that, once the machine connects to the Internet, that folder is also shared with every Internet user: File and Printer Sharing is bound to every network adapter, the dial-up adapter included, unless the binding is removed by hand.
Windows local drives or folders can be shared read-only or read/write, and the share can be protected with a password. Anyone who shares a resource must set a password on it: that is the minimum security level, and there is no good reason to skip it.
There are two kinds of reader for this article:
The user who wants to connect from Linux to a Windows computer (perhaps at work) over the Internet to copy some files.
The wannabe hacker who wants to hack the planet using Linux.
This second use is strongly discouraged.
Let's get practical.
The first and essential thing is to know the IP address of the Windows computer.
In the following steps we will use 666.666.666.666 (not real, and impossible as an IPv4 address) to refer to the Windows computer.
Now check whether file sharing is running on that computer. Do this with a port scanner such as nmap against TCP port 139, the NetBIOS session service (Windows 2000 and later also speak SMB directly on TCP port 445):
nmap -sT 666.666.666.666 -p 139
If nmap reports 139/tcp as open, the NetBIOS session service is listening and the next steps make sense. If the port is closed or filtered, there is nothing to connect to this way.
For the next step you need Samba installed on your Linux computer.
What is Samba? Samba is software that lets a Linux computer talk to Windows computers over NetBIOS/SMB, so folders and drives can be shared between the two operating systems.
Almost every Linux distribution ships Samba; if yours doesn't, download it from http://www.samba.org/
Once it is installed, we will use nmblookup, which works like the Network Neighborhood icon on the Windows desktop: it asks a host for the NetBIOS names it has registered (a node status query).
nmblookup -B 666.666.666.666 -S \*
and we get a list like:
received 12 names
COMPUTER <00> - B <ACTIVE>
COMPUTER <20> - B <ACTIVE>
DOMAIN <00> - <GROUP> B <ACTIVE>
DOMAIN <1c> - <GROUP> B <ACTIVE>
DOMAIN <1b> - B <ACTIVE>
DOMAIN <1e> - <GROUP> B <ACTIVE>
COMPUTER <03> - B <ACTIVE>
ADMINISTRATOR <03> - B <ACTIVE>
DOMAIN <1d> - B <ACTIVE>
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
INet~Services <1c> - <GROUP> B <ACTIVE>
IS~COMPUTER <00> - B <ACTIVE>
A <20> entry means the host runs the server service, i.e. it has shared resources.
The values in the <xx> brackets can be:
00 base computer names and workgroups, also answered for "*" queries
01 master browser, in the magic __MSBROWSE__ name
03 messenger/alerter service; when the name is not a machine name it is the account of the user currently logged in (useful to know before trying -U)
20 resource-sharing "server service" name (this is the one to look for)
1B domain master browser name
1C domain controller name
1D local master browser name
1E domain/workgroup browser election name
Now we know that COMPUTER <20> is what we were looking for.
To list the names of the shared resources on COMPUTER:
smbclient -L \\\\COMPUTER -I 666.666.666.666
If you are asked for a password, the resource is password protected; unless you know the password you cannot reach the computer this way.
Connect to the computer (here to a share named C):
smbclient \\\\COMPUTER\\C -I 666.666.666.666 -d 3 -n nameyouwant -U usernameyouwant
-d 3 sets debug level 3, so that all error messages are shown
-n sets the NetBIOS name you will use for this session
-U sets the user name you want to use (Windows 9x shares normally use share-level security, so only the share password is checked and the user name hardly matters; against NT-based hosts it does)
Try man smbclient, or type help once inside smbclient, to learn the commands.
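The steps above (port check, nmblookup node status, picking the <20> and <03> names, building the smbclient listing command) can be chained into a small script. The one below is an added example, not code from the original article: it parses a node-status table of the shape nmblookup -S prints, picks out the file servers and the logged-in user, and builds the smbclient command used above. The table embedded in it is constructed for the example, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article. Parses the node-status
# table printed by "nmblookup -B <ip> -S '*'" and builds the follow-up
# smbclient command. The sample table below is constructed, not captured.

SAMPLE_STATUS='received 12 names
	COMPUTER        <00> -         B <ACTIVE>
	COMPUTER        <20> -         B <ACTIVE>
	DOMAIN          <00> - <GROUP> B <ACTIVE>
	DOMAIN          <1c> - <GROUP> B <ACTIVE>
	DOMAIN          <1b> -         B <ACTIVE>
	DOMAIN          <1e> - <GROUP> B <ACTIVE>
	COMPUTER        <03> -         B <ACTIVE>
	ADMINISTRATOR   <03> -         B <ACTIVE>
	DOMAIN          <1d> -         B <ACTIVE>
	..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
	INet~Services   <1c> - <GROUP> B <ACTIVE>
	IS~COMPUTER     <00> -         B <ACTIVE>'

# Print the unique (non-<GROUP>) names registered with a given <xx> suffix.
# $1 = node-status text, $2 = two-digit suffix such as 20 or 03.
# The suffix is compared case-insensitively; nmblookup prints it in lower case.
names_with_suffix() {
    printf '%s\n' "$1" | awk -v want="<$2>" '
        NF >= 4 && tolower($2) == tolower(want) && $4 != "<GROUP>" { print $1 }'
}

# Hosts running the server service (<20>): these have shares worth listing.
file_servers() { names_with_suffix "$1" 20; }

# Messenger-service names (<03>) that are not also machine names (<00>/<20>):
# on Windows 9x/NT that is the account of the user who is logged in.
logged_in_users() {
    status="$1"
    machines=$(names_with_suffix "$status" 00; names_with_suffix "$status" 20)
    machines=" $(printf '%s' "$machines" | tr '\n' ' ') "
    for n in $(names_with_suffix "$status" 03); do
        case "$machines" in
            *" $n "*) ;;                 # a machine name, skip it
            *) printf '%s\n' "$n" ;;
        esac
    done
}

# Build the share-listing command from the article for one host.
# $1 = NetBIOS name, $2 = IP address. Four backslashes are what the shell
# needs on the command line so that smbclient sees "\\NAME".
list_shares_cmd() {
    bs='\\\\'
    printf 'smbclient -L %s%s -I %s\n' "$bs" "$1" "$2"
}

# Live use (not run here): probe a real address and print the commands.
# Newer Windows versions answer SMB on 445/tcp as well as 139/tcp.
enumerate_host() {
    nmap -sT -p 139,445 "$1"
    status=$(nmblookup -B "$1" -S '*')
    for host in $(file_servers "$status"); do
        list_shares_cmd "$host" "$1"
    done
}

# Demonstration on the constructed sample.
echo "File servers:    $(file_servers "$SAMPLE_STATUS")"
echo "Logged-in users: $(logged_in_users "$SAMPLE_STATUS")"
for host in $(file_servers "$SAMPLE_STATUS"); do
    list_shares_cmd "$host" 666.666.666.666
done
```

On the sample table the script finds COMPUTER as the only file server, ADMINISTRATOR as the logged-in user, and prints the smbclient -L command for COMPUTER. Run enumerate_host with a real address only on machines you are allowed to test.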
And remember: always use a password when sharing a folder from Windows, and do not leave File and Printer Sharing bound to the adapter that connects you to the Internet!