Security Incidents mailing list archives

Re: Strange Folder

From: Midkaemia <midkaemia () midkaemia fsnet co uk>
Date: Sun, 6 Oct 2002 22:45:58 +0100


Another possibility is that they have exploited the default "null sessions" 
vulnerability of a netbios enabled windows machine. They don't have to be a 
domain user, they just connect as follows..

net use * \\<target>\<any admin share> /user:"" ""

admin shares can be...
ipc$
c$
<any other drive>$
admin$

They can also connect to any public share with no security set.

This way they connect with a blank username and a blank password. A single 
registry key fixes some of the associated problems. See the following link 
for a discussion of some of the nitty gritty.

http://cert.uni-stuttgart.de/archive/focus-ms/2002/03/msg00088.html

Cheers

Mike

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Strange Folder discipulus (Oct 05)
- Re: Strange Folder Nick Jacobsen (Oct 06)
  - Message not available
    - Re: Strange Folder discipulus (Oct 06)
    - Re: Strange Folder Midkaemia (Oct 06)
    - Re: Strange Folder discipulus (Oct 07)
- Re: Strange Folder P.P. Lodder (Oct 06)
- Re: Strange Folder Hiroaki Kondo (Oct 07)
- <Possible follow-ups>
- Re: Strange Folder discipulus (Oct 06)
- Re: Strange Folder Neil Dickey (Oct 06)
  - Re: Strange Folder discipulus (Oct 06)
  - Forensics CD (was: Re: Strange Folder Meritt James (Oct 07)
    - Re: Forensics CD (was: Re: Strange Folder Chet Uber (Oct 08)
    - Re: Forensics CD (was: Re: Strange Folder Ryan McBride (Oct 08)