Vulnerability Development mailing list archives
Re: File Share Vacuum
From: John_Simons () MCKINSEY COM (John Simons)
Date: Fri, 28 Jan 2000 12:33:08 -0500
Look for backups of the registry file. Files with the .reg extension that are larger than 100kb. How about offering this product as a commercial security tool to scan for workstation vulnerabilities? $$ Cha-Ching!
Jonas Denily wrote:
I recently decided to create a program for Windows users to scan their network for open file shares. When a share is detected, you can map a drive or you may brute force crack the share if protected. The vacuum part is the ability to scan the remote HD for files that may contain important information. I have set up a great many such as FTP sitelists, ICQ dat files, various ISP ins files, *.pwl, etc.
Also look for *.id files (Lotus Notes), and preferences.js and prefs.js. Bookmark.htm, and the history file, too.

I was wondering how I would go about searching the registry remotely or I would be greatly appreciative if someone could send me a list of file names, default directory, and program/version they belong to. I am currently compiling a large list of these and the user has the ability to choose which ones to vacuum and also add custom files. If you know of any of these such files, please email me.

Ideally, you'll need registry access. Citrix/MS Terminal Server clients store some passwords there, for example. By default, NT machines allow remote access to the registry if you connect as a user with sufficient privs (well, by default, everyone can read and write WAY too much of the registry.) For Win9x, it's not so automatic: http://msdn.microsoft.com/library/winresource/dnwin95/S647C.htm Basically, you'd be looking for the ADMIN$ share. If that's not there, you'll have to figure out a way to push code onto the box. Sounds like a fun project in general, though. I'd often thought that it would be worthwhile to have a good list of things that are interesting to steal off a Windows box.
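
The file names listed in this thread are the same ones an administrator would want to find and clean up on shares they are responsible for. The following is an added example, not code from the thread or from the tool it describes: a local audit that walks a directory tree you administer and flags those files. The function names are hypothetical, "100kb" is assumed to mean 100 * 1024 bytes, and the history file is left out because the thread gives no file name for it.

```python
import fnmatch
import os

# File name patterns named in the thread, with a short label for the report.
# Patterns are lower case; names are lower-cased before matching because
# Windows file names are case-insensitive.
PATTERNS = {
    "*.pwl": "Windows 9x password list",
    "*.id": "Lotus Notes ID file",
    "prefs.js": "browser preferences",
    "preferences.js": "browser preferences",
    "bookmark.htm": "browser bookmarks",
}
REG_MIN_BYTES = 100 * 1024  # assumption: the thread's "100kb" read as KiB


def classify(name, size):
    """Return a label if the file is one the thread calls out, else None."""
    lower = name.lower()
    for pattern, label in PATTERNS.items():
        if fnmatch.fnmatchcase(lower, pattern):
            return label
    # Only large .reg files are treated as likely registry backups.
    if lower.endswith(".reg") and size > REG_MIN_BYTES:
        return "possible registry backup"
    return None


def audit_tree(root):
    """Walk root and return sorted (relative path, label, size) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # unreadable or vanished file: skip, keep auditing
            label = classify(name, size)
            if label:
                findings.append((os.path.relpath(path, root), label, size))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for rel, label, size in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{size:>10}  {label:<26}  {rel}")
```

Run it against the local path that backs a share; anything it reports is a candidate for removal or tighter permissions.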