Bugtraq mailing list archives

Re: Windows Sharing Allows Internet Tracking


From: Marc Maiffret <marc () EEYE COM>
Date: Fri, 23 Mar 2001 11:07:32 -0800

I could be wrong about the following so let me know if you know for a _fact_
that I am.

|-----Original Message-----
|From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of
|Preston W Chang
|Sent: Wednesday, March 21, 2001 3:13 PM
|To: BUGTRAQ () SECURITYFOCUS COM
|Subject: Windows Sharing Allows Internet Tracking
<snip>
|Usually, many intruders will go in with
|obreption and probably without anyone ever knowing without
|some sort of IDS suite or logging system besides that of
|NT's.
<snip>
|When logging into a share via NetBIOS, on a NT-to-NT
|connection, the user connecting will have his/her Temporary
|Internet Files transferred onto the server which they have
|connected to.

That is incorrect. When you connect to a netbios share, i.e. net use x:
\\ip\terd$ bob /user:bob your temporary internet files are _not_
transferred.

|You would find it in this type of path:
|c:\winnt\profiles\Administrator\Temporary Internet Files.

No. The only reason you came to this conclusion is because it "looks" like
this is what is happening.

C:\>net use q: \\ip\c$ bob /user:bob

Then if you go and connect to q:\winnt\profiles\administrator\temporary
internet files then yes, you will get a listing of your local machine's temp
files and not the remote machine's, BUT those files are not stored on the
remote machine; in fact Windows NT is actually redirecting your temp
internet files request back to your local machine. So while it might look
like the files have been transferred to the remote machine, they have not
been. Load up filemon (sysinternals.com).

|If
|you believe that you are victim to an intruder, definitely
|check this folder. I have examined many of the NT "rootkit"
|techniques and suites, with none that include
|cleaning out the transferred cache.

That's because the cache doesn't get transferred. Well at least from what I
have seen, I could be completely wrong.

|       Cheers,
|          Charles Chear [presto () regiononline com]
|          http://presto.tpgn.net


Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris/ - Network Traffic Analyzer
