Thursday, November 13, 2003

Laws Of Wardriving

So last week I am stumbling around a server room, knee deep in cables, dead PCs and general techno-trash. I am waiting for the MAIL server to make its next move. To entertain myself I pop open my iBook and see a few new updates. So I attempt to install them and find that my access is SHOT. It's sooooo slow. Eventually I figure out, I am not connected to my access point at the office, I was on someone else's.

Today I finally made the decision to step onto the access point and check out the network. I have a feeling that this access point is one I found a week or two earlier named 'linksys'. The name had now been changed to reflect the name of the firm. Yes, a law firm on an unprotected wireless network. Interesting.

The approach: I took my usual first approach with the network. I checked out my IP, and then started working my way backward, pinging for hosts. My IP ended in 8, so I tried 7, 6, 5, 4, 3, and 2. Most answered, and I didn't check out the IP ending in 1, because that was the access point.

Next I ran a nice util called "smbutil" to check out the first target. Here is what it returned.

Ray-Haques-Computer:~ rayhaque$ smbutil view //(removed).4
kextload: extension /System/Library/Extensions/smbfs.kext is already loaded
Password:
Share Type Comment
-------------------------------
IPC$ pipe Remote IPC
print$ disk Printer Drivers
SharedDocs disk
awest printer HP LaserJet 1200 Series PCL
Printer2 printer Canon Bubble-Jet BJC-85
ADMIN$ disk Remote Admin
C$ disk Default share

7 shares listed from 7 available
Ray-Haques-Computer:~ rayhaque$


This was interesting. A SharedDocs folder, indicating that it was probably Windows XP. And a couple of printers. Perhaps a Windows 2000 box serving as a print server? I make a couple of bad attempts to connect to the admin share. No dice. Oh well. NEXT!

Ray-Haques-Computer:~ rayhaque$ smbutil view //(removed).2
kextload: extension /System/Library/Extensions/smbfs.kext is already loaded
Password:
Share Type Comment
-------------------------------
E disk
PRIVATE$ disk
SHARED_DRIVE disk
IPC$ pipe Remote Inter Process Communication

4 shares listed from 4 available
Ray-Haques-Computer:~ rayhaque$


I wonder what's on E? It says 'disk', but more likely it's a CD-ROM shared out. Regardless, I couldn't guess the admin password so we won't know. But did you notice the private share? It's funny how Microsoft hides shares ending with a dollar sign ... but a *nix SMB client obviously ignores the 'hide me' aspect of it. Neat! - NEXT!

Ray-Haques-Computer:~ rayhaque$ smbutil view //(removed).3
kextload: extension /System/Library/Extensions/smbfs.kext is already loaded
Password:
Share Type Comment
-------------------------------
D disk
HP_DISK disk
IPC$ pipe Remote Inter Process Communication

3 shares listed from 3 available
Ray-Haques-Computer:~ rayhaque$


By now I am getting discouraged ... but I hit the goldmine. This "D" share turns out to be a very open share that is used to dump backups to. Funny how the whole network is nailed down pretty tight. Yet, a shared folder with guest access has everything important put into one place. My initial view is below.



I wonder what's in that backup folder? Click-click!



Two backups to choose from. Neither one is really current. I'll check out the newest one though and see what I can dig up.



Was this really important Tammy? What the hell? Does your employer know you are wasting his drive space for this trash? Let's see what else you are holding onto.



I am wasting my lunch hour on this. I could be out in my car, surfing a real network, in search of interesting tidbits. Still, Ricky made me do a double take. Sad thing is, this is only one of about 20 different stuffed-animal-with-penis photos. Finally, I stumble onto something worthwhile.



A law firm's complete client database, organized by name. Inside each directory are a couple of MS Word documents. They detail each client's history with the firm, the status of their case, etc. It's a pretty large database. I poke in and out of a few records, and continue onward. This would prove to be the highlight of my search.

Ray-Haques-Computer:~ rayhaque$ smbutil view //(removed).6
kextload: extension /System/Library/Extensions/smbfs.kext is already loaded
Password:
Share Type Comment
-------------------------------
IPC$ pipe Remote IPC
print$ disk Printer Drivers
hpdeskje printer hp deskjet 940c series

3 shares listed from 3 available
Ray-Haques-Computer:~ rayhaque$


What the hell is this, a print server? Everybody in this joint has a printer it seems. The admin shares aren't showing, but I try and access them anyway. My attempts are fruitless, and I am unable to uncover their administrative password.

Running out of lunch hour, I decide to check out one more thing. The access point. Surely whoever set it up must have changed the password.



Nope! I walk right in. Maybe I should have started here? It occurs to me that I could have gotten some hints for those administrative passwords by seeing the registered PC name in the DHCP client table. I bring it up and see some hostnames. I blurred them for 'privacy' if there is such a thing.




I also poke around the other areas of the WAP's settings, and take interest in the WAN connection, which is using PPPoE. That's Point-to-Point-Protocol Over Ethernet. This is more or less what I consider the poor man's VPN connection. Interesting way of keeping connected to what looks like the ISP.



All in all, not a bad day's wardriving adventure. And I never even left my desk. I am pleased not only that my new Cantenna rig on my lappy pulls in some serious WiFi signals, it still works just fine without any external attachment. That was a concern I had doing that little operation.

And now if you excuse me, I need to help my son and daughter pass the next level of Odd World (the best Playstation game ever). And in a short while, I will be laying the pipe to my wife. So please, do not message me. KTHX!
