Almost anyone beyond a slight interest in computer security is aware of the gaping hole that is the windows share setup. Sure it CAN be locked down, but that is RARELY ever.
Attacking XP was easy this way: you found your shares, the password was usually nothing or the user name itself, if not you wormed around via NULL shares, bruteforced the password, or any other manner of password grabbing. Then youd run good ‘ole psexec and get youreself a shell and get to be nasty.
Not so much anymore! Well…at least up to the psexec part. Vista (and presumably 7, though I havnt gotten to play with it from an outsider’s perspective) has an issue with it of the not working variety.
This means to run our arbitrary commands we have to take a different, more tedious approach. They don’t tell you about this approach in books(cause books can be notoriously neglectful on some stuff) or online guides(so far, cause anything remotely googable is old or doesnt go far enough), luckily once you think about it the way is pretty obvious, nothing rather extreme or news worthy but hopefully useful 🙂
There are really two ways to go from here, theres the ‘more elegant’ and less user-reliant way, but only on multi-user systems by targeting the NTUSER.DAT file, which holds user profile registry settings. The other involves pooling the wool over the sheep’s eyes with the desktop.
Lets start with my preferred way, cause I prefer it.
*Note that this only works on systems with multiple users. This is because our target file NTUSER.DAT gets locked when the associated user is logged on*
After you have share access you most likely will see multiple user names sprawled across your screen. Take your pick, just make sure your pick isn’t logged on. If youre not sure youll find out shortly.
Open up the user folder of your choice and make sure you are viewing any hidden files. NTUSER.DAT should spring at you, grab it and put it on your machine for diabolicalness. Now also isn’t a bad time to upload your own evil executable in a nice share accessible tucked away corner.
Open up your favourite registry editor to open up our stolen file. You are looking for the registry key SoftwareMicrosoftWindowsCurrentVersionRun (OR RunOnce, which will run the specified file on startup once, then delete the key, perfect if your evil exe only needs to be ran once)
This key contains all the executables ran on startup for that *specific* user(at least those managed with the registry). Merely add in the path to your own evil file. That way once the user profile is loaded on startup, your evil executable is loaded with it!
Then it’s pretty simple to just override the NTUSER.DAT of your target with your own malicious NTUSER.DAT, then it’s a matter of waiting till that user logs on. Hook line and sinker!
Assuming the previous method doesn’t work for you, then you can try messing with their desktop. If you have access to the desktop, than you have access to shortcuts on the desktop(for the ones I looked at though, only a fraction of the shortcuts showed up, beats me why). Find one that sounds like is used regularly, a web browser or a game probably works best.
Pull down the .lnk file and for the next part it’s easiest if you are on a windows system youreself. Open up the properties and change the target to wherever your evil file is. The catch is you wanna make sure your evil file will in turn call whatever the shortcut claimed to call, otherwise itll be obvious something is amiss. An easy way to do this is instead make the target a batch script that acts as a wrapper for your evil file and the original shortcut target. Upload and replace needed files and wait till the user falls into your trap.
Well thats all I really got for ya, hope I wasnt TOO wordy for ya. Hopefully now you know of a few ways to take advantage of windows shares, even if the recent windows versions don’t play nice with you. And even if this doesn’t work directly for you, then maybe you can figure out other ways to reap what mis-configuration has sown.
Note: I should probably mention for the curious the reason why I didnt mention editing the global registry via shares is that so far the newer systems are far less friendly with the $ shares (C$, ipc$, ect), it seems like they’ve been locked down by default as I wasn’t able to access such shares when using admin credentials, since most of my knowledge of windows comes from breaking them I can’t be quite so sure.