Friday, 29 April 2005

Micro$oft ph34r-dowz and it's hidden shares

Try this: open a folder on your desktop and in the address bar, type in the ip address of another machine you have, like so:


It will ask you for a username and password. Type in the username and password for that machine.

Bang! Instant access to that machines root directory. So, if you do a brute force attack you can probably get root on most PCs this way in a relatively short space of time for most machines. Or maybe you'll just lock up their account, preventing them from using it until the administrator unlocks it - either way,you don't want this to happen to your PC!

This 'handy' little feature is deliberately installed by M$ by default and on their wonderfully helpfull website they state:

"Hidden administrative shares that are created by the computer (such as ADMIN$ and C$) can be deleted, but the computer re-creates them after you stop and restart the Server"

So how do you get rid of these blatantly dangerous shares?

A regedit hack seems like the only option.[*1]

But that only gets rid of all but one of your standard shares. IPC$ stays. IPC$ is used for 'Interprocess Communication' (used for server to server comms). See here, here and here why this is bad - most of these article talk about NT, but 2000 and XP were built on top of that and when in doubt - assume the worst.

How do we get rid of this ****ing thing? Goto services and dissable the server service. Also, follow the hints and tips in this article [*2] to dissable netbios over ip (and various other good practices).

Well, hopefully that's made my PC a little more secure until next week when I find another gaping hole in window's so-called security.

You suck Bill.

[*1] There may be certain bits of software that rely on these shares, so it's possible you might one day need to re-insate them temporarily. My advice: if the software relys on that crap, ditch it and get some decent alternative!

[*] Many thanks to John Cesta of server automation tools for providing this list.