Wednesday, November 02, 2005

Invading Print Servers
It's been a while since I did some real network invasion. And today, my homesick depression was reaching an all time high ... so I felt making an few stops might be in order.

On my way back to the hotel, I caught a glimpse of what looked like the edge of a strip mall which I thought might be interesting. I had to make a few turns to get into the parking lot, and it almost seemed like they were hiding it from the main highway. The mall was buried behind towering townhouse condos. As I made my way down a small winding road, I came upon this strange ... village. It was quite an impressive real estate project. The condos were narrow, but stood about four stories high. Some of the condos were actually businesses on the bottom. The problem was ... no parking. So as I spun around in my Bug, all I could wonder was "where the fuck do people park around here?". Hell, I might have even stopped into Quizno's for a sub. But after passing the place three times looking for a place to park my car, I gave up and waved goodbye. None of these little businesses looked all that busy, and I could now see why.

As I drove around in circles, Audrey (the laptop) was going nuts. I had KisMac running, and I was picking up an access point at a rate of about every two seconds. By the time I found a spot and parked in it ... I was down to a single access point. But that's okay. I can only rape one at a time, right? Looking ahead of me, I determined that this access point must belong to one of the following businesses: a hair and nail shop, a mailbox shop, an eyeglasses shop, or a small grocery store. The access point, "linksys", happily accepted me as a visitor and set me up with an address to use. I opened a terminal and went right to work.

My first goal, was to get an idea of what was on this network (other than me). So I did a simple nmap scan, and dumped that into a file like this ...

audrey-ii:~ rayhaque$ nmap 192.168.2.1-254 > nmap.log

While that was running (and it was taking it's sweet time), I hopped to a second terminal and ran "findsmb". This is an old samba utility which does an MS Windows style "network browse". The idea being that any Windows-like file server in the immediate network will 'hollar back'.

audrey-ii:~ rayhaque$ findsmb

IP ADDR NETBIOS NAME WORKGROUP/OS/VERSION
---------------------------------------------------------------------
192.168.2.100 E-710-109987 +[WORKGROUP] [Windows NT 4.0] [NT LAN Manager 4.0]
audrey-ii:~ rayhaque$ smbclient //192.168.2.100


Hooray, I am not alone. But wait just a damned minute. When was the last time you came across a server running Windows NT. I had my doubts. Usually when nmap tells you that it found an NT server, it's actually found some sort of network appliance.

Next I ran "smbclient" and used it to get a dump of file shares from my new friend. Notice it prompted me for a password, and I declined to offer one up. This indicated that it was okay listing it's shares to an anonymous guy like me.

audrey-ii:~ rayhaque$ smbclient -L //E-710-109987
Password:
Domain=[WORKGROUP] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]

Sharename Type Comment
--------- ---- -------
direct Printer direct
ADMIN$ Disk Remote Admin
IPC$ IPC Remote IPC
print Printer print
C$ Disk Default share
D$ Disk Default share
E$ Disk Default share
print$ Disk Printer Drivers
hold Printer hold
Domain=[WORKGROUP] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]

Server Comment
--------- -------
E-710-109987

Workgroup Master
--------- -------
MSOFFICE MASTER
WORKGROUP E-710-109987


What the hell is this thing? Is it a print server? Is it just one of those glorified network printers, with PC-like functionality? I decided to try and connect to one of these shared drives and check it out. And while the C$ share most certainly contains the OS, I am wanting to poke through someones personal data or financial information. That's what really makes these sick little excursions worthwhile.

audrey-ii:~ rayhaque$ smbclient //E-710-109987/e$
Password:
Domain=[WORKGROUP] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
tree connect failed: NT_STATUS_ACCESS_DENIED


Oh ... so you aren't happy with allowing guests access to your hidden shares? Aren't we picky. How about ... administrators? Any love for an Administrator, with a blank password?

audrey-ii:~ rayhaque$ smbclient //E-710-109987/e$ -U Administrator
Password:
Domain=[WORKGROUP] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
smb: \>


That's what I'm talking about. What we have here is an SMB browsing session in progress. It's awaiting my command. Likely, I can now begin searching through files, and if I find something I like, I can "get" it.

smb: \> ls
efi D 0 Wed Oct 30 16:16:53 2002
spool D 0 Mon Apr 26 15:10:28 2004

50516 blocks of size 131072. 48395 blocks available
smb: \>


What on earth? After some poking around in and out of the shares I came to the conclusion that ... this was nothing but a print server. An utterly boring print server. By this time my nmap scan had finished, and I looked through it for my next victim. This was a strange network, in that it had several clients attached to it, but had no Internet gateway, or DNS resolution. It was truely a "workgroup". These networks give me a 'big rubbery one', because most companies don't bother any level of security. Why? Because they aren't connected to anything. Never mind the wireless signal that I used to waltz in from the parking lot.

I poked through my nmap file again and targeted my next victim. This server (?) had the address typically reserved for a gateway/router. Yet, it was a dead end for packets. So I made an attempt to talk to it as a Windows file server. I did a simple anonymous style "share list" against it. It obliged.

audrey-ii:~ rayhaque$ smbclient -L //192.168.2.1
Password:
Anonymous login successful
Domain=[MSOFFICE] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

Sharename Type Comment
--------- ---- -------
Error returning browse list: NT_STATUS_ACCESS_DENIED
session request to 192.168.2.1 failed (Called name not present)
session request to 192 failed (Called name not present)
Anonymous login successful
Domain=[MSOFFICE] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

Server Comment
--------- -------
AUX1
AUX2
MASTER

Workgroup Master
--------- -------
MSOFFICE MASTER
WORKGROUP E-710-109987


This could be interesting, although it may just be another network appliance screwing with me. I think I will check out a different host. Maybe this 192.168.2.4 character. Perhaps it's an actual running PC of some kind.

audrey-ii:~ rayhaque$ smbclient -L //192.168.2.4
Password:
Domain=[MASTER] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

Sharename Type Comment
--------- ---- -------
PC Synergy Disk
IPC$ IPC Remote IPC
C Disk
ADMIN$ Disk Remote Admin
C$ Disk Default share
session request to 192.168.2.4 failed (Called name not present)
session request to 192 failed (Called name not present)
Domain=[MASTER] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

Server Comment
--------- -------

Workgroup Master
--------- -------


Uh yeah ... this looks like another print server thing. God, I have found the most uninteresting network imaginable to inhabit. But I will look around anyway. This "PC Synergy" thing could possibly be something interesting.

audrey-ii:~ rayhaque$ smbclient "//192.168.2.4/PC Synergy" -U guest
Password:
Domain=[MASTER] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
smb: \> ls
. D 0 Wed Oct 19 07:07:55 2005
.. D 0 Wed Oct 19 07:07:55 2005
PostalMate D 0 Wed Nov 2 16:43:11 2005
POSTALMATEActGrp.xml A 0 Wed Oct 19 07:07:55 2005

38170 blocks of size 524288. 31427 blocks available
smb: \> cd PostalMate
smb: \PostalMate\> ls
. D 0 Wed Nov 2 16:43:11 2005
.. D 0 Wed Nov 2 16:43:11 2005
32767.bmp A 12598 Thu Jun 22 09:51:44 2000
32768.bmp A 49256 Mon Aug 16 08:23:56 2004
32769.bmp A 14470 Mon Dec 4 14:02:26 2000
32770.bmp A 58266 Tue Feb 11 12:10:44 2003
32771.bmp A 15406 Tue Nov 25 07:49:24 2003
32772.bmp A 26100 Thu Sep 23 08:34:46 2004
borlndmm.dll A 25600 Mon Jan 24 06:01:00 2000
CashMate.chm A 228029 Mon Jun 20 13:58:10 2005
Cashmate.exe A 5968384 Thu Sep 22 08:01:00 2005
CashMate.GID AH 41663 Tue Sep 20 13:09:30 2005
Close.exe A 403456 Wed Jul 13 11:26:04 2005
complog.err A 0 Fri Dec 31 16:50:32 2004
DataPurge.dll A 775168 Wed Oct 5 15:25:24 2005
DropOff.dll A 1475072 Wed Oct 5 15:25:24 2005
ElabelSample.txt A 10811 Wed Jan 31 15:02:52 2001
ENHTRKLog.txt A 981 Thu Sep 19 15:04:44 2002
EnhTrkuRsp.txt A 5002 Sun Dec 23 12:08:08 2001
Events.dll A 681984 Wed Oct 5 14:36:35 2005
Events.log A 18221 Wed Oct 5 15:24:59 2005
FedExExpress_QuickRateSettingLog.txt A 408 Thu Jan 6 08:12:24 2005
Global Express Mail.lyt A 2436 Sun Feb 15 21:04:10 2004
Import A 561152 Fri Jan 23 07:45:44 2004
INSTALL.LOG A 7708 Wed Oct 5 15:25:04 2005
libeay32.dll A 651264 Sun Apr 18 16:43:44 2004
License.txt A 18316 Mon Aug 2 09:18:46 2004
Log D 0 Wed Nov 2 08:09:52 2005
MCStrings.txt A 381 Mon Jul 1 13:58:34 2002
midas.dll A 297984 Fri Mar 4 09:02:00 2005
MsgAction1.dll A 695296 Wed Oct 5 15:25:25 2005
MsgDownload.dll A 1114112 Wed Oct 5 15:25:23 2005
MsgRun.dll A 2130432 Wed Oct 5 15:25:23 2005
PDOXUSRS.LCK A 6752256 Wed Nov 2 08:07:29 2005
PDXRBLD.exe A 899072 Wed Jun 22 07:41:00 2005
Pdxrbld.INI A 81 Thu Oct 6 14:28:43 2005
Pdxrbld.LOG A 236 Thu Oct 6 14:27:25 2005
Pdxrbld2.exe A 603648 Fri Aug 3 13:21:00 2001
PMExceptions.txt A 164 Tue Sep 27 10:30:09 2005
PMShipment A 7512 Wed Jan 14 17:09:44 2004
PM_ImportFile.txt A 5359 Mon Oct 23 18:23:16 2000
PM_Win.exe A 15211520 Thu Sep 22 08:00:24 2005
PostalMate.chm A 504423 Tue Sep 6 10:23:56 2005
PostalMate.GID AH 71480 Sat Sep 24 12:44:18 2005
Pre_5_5_5.zip A 481140 Wed Oct 5 15:25:22 2005
Readme.txt A 156358 Wed Sep 21 14:15:22 2005
Setbrows.exe A 4528 Fri Oct 13 15:28:28 1995
ssleay32.dll A 147456 Sun Apr 18 16:43:46 2004
SystemCheck.exe A 941056 Wed Aug 3 10:40:14 2005
SystemUtilities.exe A 2625536 Thu Sep 22 08:01:26 2005
SysUtil.chm A 90859 Wed Aug 31 12:36:02 2005
Tables D 0 Wed Nov 2 17:10:36 2005
UNWISE.EXE A 153088 Fri Jul 26 15:02:06 2002
WSExport.dll A 693760 Thu Aug 11 12:46:18 2005
XMLTransform.dll A 434688 Wed Oct 5 14:36:34 2005
Zebra Dom 1.lyt A 2629 Thu Feb 17 13:45:02 2005
Zebra Dom 2.lyt A 2671 Tue Jun 7 13:53:30 2005
Zebra Dom Express.lyt A 2571 Thu Feb 17 13:45:02 2005
Zebra Dom Postcard.lyt A 2605 Thu Nov 4 09:23:24 2004
Zebra Intl 1.lyt A 3208 Wed Dec 15 07:38:52 2004
Zebra Intl 2.lyt A 2628 Thu Nov 4 09:23:24 2004
_QSQ6.DB A 3008512 Wed Nov 2 08:55:20 2005

38170 blocks of size 524288. 31427 blocks available
smb: \PostalMate\>


Oh - MY - GOD. I am talking to a postage machine. Well, now I know what shop I had targeted. It was the mailbox shop. This had to be the most uneventful adventure EVER. So why did I ever record it for you to read? Why did you even read through all this?

Go away. You bother me.

Historic Comments
Get a Google Map of the place with no parking lots. Perhaps there's parking that you couldn't find. If there truly is no parking there, please post a google maps picture of one of the strangest streets I've ever heard of.

And you should have tried to print some crap out of one of those printers. Something like "I quit" or "The rebellion begins NOW!"
Poe | 11.03.05 - 10:05 pm | #

Hey, Google Maps! Here is a satelite photo of the area. The spot I was in is north of "Beacon Square". It doesn't look like much from this altitude though. You can't make out the intricate little weavings of roads between the big buildings. Like a small german town. From this map, it doesn't even look like the same place. Or maybe it isn't the same place. Perhaps Im lost. You can see by the picture that there are parking lots above, beside, and below the 'campus'/ But these were marked "permit only", and filled up by the condo dwellers.

I was trying to find the Marathon gas station which would have been a good land mark, but it doesn't seem to exist.

Its a government conspiracy.
Ray Dios Haque | 11.04.05 - 3:03 pm | #

Woops ... forgot the map link. Here that is ...

http://maps.google.com/maps?q=qu...06829&t=h& hl=en
Ray Dios Haque | 11.04.05 - 3:04 pm | #

Jesus, those streets are a nightmare. You couldn't find the Quizno's on the map? I tried Google for that, but they all seem to have parking lots. Could be that most of their customers live in nearby apartments, condos, etc. Or those buildings could just be covers for machinery supporting a huge underground government facility. Raccoon City anyone?
Poe | 11.05.05 - 1:51 am | #

Whee, wardriving stories. I need to get me a damn laptop.
SiliconSnake | Homepage | 11.07.05 - 5:09 pm | #

Raaaaaaay. What IRC channel are you haunting now? I miss the milkshake contests. :P
conundrum | 12.07.05 - 11:44 pm | #

The machine you connected to was a windows workstation running a shipping system called "Postalmate 2000" authored by a company called "pcsynergy".
anon | 12.29.06 - 11:57 am | #

You can use nbtenum to enum smb accounts/shares.
jc | 06.06.07 - 10:51 am | #

Tuesday, November 01, 2005

Maryland Trains
I'm getting used to the trains that run through this hotel every twenty minutes. I can almost sleep through the night here. But I will never get used to the loneliness. It's pretty depressing to end a day of training, because after I leave the training center I have nowhere to go. So typically I hang around the training center until five or so when they give me dirty looks and I have to leave.

Today I decided to go from the training center to McDonalds (because they have WiFi). I ordered up a chicken sandwich which I have never had from there, and will probably never order again. It was as if they took a single "chicken finger", slapped a cold piece of swiss cheese over it, and tossed it (upside down) into an elongated hamburger bun. There was also a piece of browned lettuce, and a green tomato slice glued in with excessive mayonnaise. Yummy! As I stuffed it down with my fries I made a mental note that this will be mentioned at the pearly gates when I arrive in "fat hell". As I was eating, I looked down into the cardboard box and saw a note that said "enjoy your chicken sandwich". Underneath was a clever little picture of a long haired hippie playing a guitar. What the hell kind of marketing is that?

About five minutes after I paid $2.95 for WiFi access at McDonalds ... it occurred to me that I had wasted my money. I couldn't think of what to do with this wonderful two hours of access I had just purchased. So I checked my email. Didn't have any. I started up my chat client, and updated it. I went to a couple of my favorite websites. That wasted 40 seconds. I ran system updates! I had access to all the worlds wealth of information and couldn't think of what to use it for. Pathetic. Then my phone rang. It was my wife!

She was mad at me. No doubt about that. She wondered (out loud) why I hadn't called her. Was I supposed to call her about something? She was concerned that I always call her at the end of my day and today I "hadn't bothered". I'm sure I had hurt her feelings, because I couldn't take the time to make a call and say hello. Why hadn't I called? It's not because I was too busy. Quite the contrary. Not because I didn't want to talk to her. I miss her dearly, and I am pretty lonely here. I have avoided calling her when I am away because I don't want to bother her. I assume she is busy doing stuff. She usually is. And I feel pretty pathetic calling her because I am desperate for her attention. I need a safer way to contact her. A method that allows me to say hello more often, without bugging her. I used to instant message her a lot but she dumped the IM software because people wouldn't leave her alone. Perhaps I could buy her a phone that IM's, and then I can harass her all the time!

As I left the McDonalds and headed to my car, I passed a Maryland police office who was on his way in. I couldn't help but notice his flak jacket which may just be standard uniform in these parts. I nodded, smiled, and said hello to him. When he got to the door of the restaurant he stopped, and called "excuse me" across the parking lot to me. I stopped, turned around, and said "yes?". Then he turned around, waving me off, and headed inside. That was strange. Was he looking for dinner, or was he there for me? I know my laptop probably looks like an explosive device due to my 'enhancements'. And sometimes when I pull it out in public places people give me strange looks. But I hadn't attracted any unwanted attention that I could think of. I had chosen a spot in the rear of the establishment that was even colder than the rest of the place (which was pretty damned cold). And I faced a wall, so nobody would nice my lid attachments. Maybe I should think twice about eating there again. The whole thing left a bad taste in my mouth. Of course, that was probably from the chicken I ate. I drove away (quickly) and went straight to the hotel.

As I stumbled up the steps to the third floor of my hotel, one of my shoes slipped off and got stuck between the steps. Thinking I might lose it down a couple flights of stairs, I jumped to my knees to grab it. As I did, my eyeglasses came flying off. In a quick swoop to keep those from getting away I lost control of my book bag which spun off my arm and crashed into the steps. Luckily, my course materials took the blunt of the blow, and my laptop seems to be unaffected. I put my glasses back on. I took my other shoe off. I slung my bag back over my shoulder. I collected my pride. I slid into my room.

I pulled back the covers. Took off my dress shirt. Plopped myself down. Checked the time. 7:15PM. What the hell am I going to do until I fall asleep? I guess it's another night of whatever's on HBO. Last night it was "Catwoman", which I am guessing will go down in history as the absolute worst comic book movie ever made.

Historic Comments
Sorry to hear about the lonliness, but as far as your marriage goes, not being happy about being seperated from your wife is a good thing. If you were happy being away from home that would be a bad sign.

You and your wife should use the new yahoo meesenger, it has new 'stealth settings' that allow you to set who can see you online. This is directly from the yahoo help.

"If you are IMing with a few people and don't want to be interrupted, you can use Stealth Settings to appear invisible to everyone except the people you want to talk to."
Dennis | 11.02.05 - 11:25 am | #

You know, I should try that. It's been a long time since I tried to bring her back to IM'ing. Part of the problem is me though. I can't IM when I am teaching, because my PC screen is projected into the wall.

I really want a mobile phone that does it. That would be all too convenient. Expensive as hell too.
Ray Dios Haque | 11.04.05 - 3:06 pm | #