Steel-ing Documents
This week I travelled to Pittsburgh to teach a three day course in a downtown office building. When I passed through PA last week, I was blown away by just how many Steeler fans there are (long outside of Pittsburgh). After winning the SuperBowl, the fans of course went nuts. I was unaware of the celebration that was going to take place so I was a little surprised when I went to get a room at my usual hotel and they were booked. Woops! I was able to find a slightly cheaper hotel not too far away, that also provided free Internet access and a shuttle downtown.
By the way, I have had a good couple of weeks. Last week I took the family to New York. It was a vacation. That is, I was not teaching there. We just went for fun. We saw the Statue of Liberty, Ellis Island, and Niagara Falls. And now I was in my favorite city, Pittsburgh. So you won't hear any bitching and whining from me in this posting (awww shucks!).
It seems that the Steelers were having one hell of a homecoming on Tuesday afternoon. There was going to be a parade and everything. So at lunchtime, I let everyone break for an hour and a half to go watch it. I myself also went down to the streets. It was simply amazing. There were 250,000 people in the streets. All of downtown, and every other Steelers fan that had rolled into town, lined the streets. The players came through, cheering, waving to the fans, signing autographs, and even doing some stage diving. Yes, stage diving. It was one hell of a homecoming party, and I was lucky enough to be around at the time.
The following day I found myself in this 30 story office building, about 15 floors up. It was lunchtime and I had decided not to go out. I could hold off until dinner, and I had spent way too much of my travel money on t-shirts to take home to my wife (Steeler Superbowl champ shirts). While I was waiting for my students to pop back, I dropped Audrey onto the window sill and went shopping for access points. And wow ... I found a lot of them. Here is what KisMac detected in "passive mode".
I hopped onto the first one that I found without WEP enabled. It was a "linksys" access point. The signal was strong, and I had an internet connection with it. But ... that just didn't satisfy my urge to explore. I looked around the network for hosts, and found none. I was likely stuck in a private network, that was in turn plugged into a separate private network. Notice that there are actually two networks named "linksys"? I did. And I wanted to connect to the 'other one'. Like Windows, a Mac will only display the network name, not the actual access points. And when you have two named the same thing, you never know which one you are physically connected to. Luckily, later versions of KisMac like the one I am using allow you to right click on an access point and join it. And so I did!
Once connected I ran "findsmb" in a terminal and it came up with nothing. I was sure there were windows hosts ... or something on this network. I pinged around and got some semi-conclusive results. Right about now, nmap would be a useful tool but I just reloaded the OS on this laptop a week ago and I was without all my old tools. Where else could I get a map of this network? Of course! I need to see the DHCP lease table. I'll bet that I can connect to the access point and provide the default admin username and password to get it. So I brought up 192.168.1.1 in my browser. I used the username and password of "admin" and I was in.
Next stop was to find the dhcp clients list on this thing. These menus were awful. I much prefer D-Link for navigation. But after much digging, I found a button for the client list. This is what I got.
I know, I know. I hate to blur things out. But what I had stumbled into was obviously a law firm. And I don't want to go to prison. So excuse the "mosaic blurs". As you can see, there were plenty of hosts on this network (or there had been lately). A lot of these looked to be laptops. Finding them would be a matter of trial and error. Again, nmap would be helpful. I REALLY need to put some developer tools on this laptop so I can compile my goodies. In the mean time, a simple file browse request will do the trick.
OS X ships with the smbclient utility. I will use it against this list of IP addresses. The usage is pretty simple, smbclient -L //ipaddress, where the "L" says to "show me a list of your shares". When it hung, I did a CTRL+C to cancel, and then moved to the next one. Here is my terminal dialogue ...
Last login: Wed Feb 8 11:57:59 on ttyp1
Welcome to Darwin!
Ray-Dios-Haques-Computer:~ rayhaque$ smbclient -L //192.168.1.101
session request to 192.168.1.101 failed (Called name not present)
^C
Ray-Dios-Haques-Computer:~ rayhaque$ smbclient -L //192.168.1.102
timeout connecting to 192.168.1.102:445
Error connecting to 192.168.1.102 (Host is down)
Connection to 192.168.1.102 failed
Ray-Dios-Haques-Computer:~ rayhaque$ smbclient -L //192.168.1.105
Password:
Domain=[PARALEGAL] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
Sharename       Type      Comment
---------       ----      -------
My Documents    Disk
IPC$            IPC       Remote IPC
print$          Disk      Printer Drivers
SharedDocs      Disk
Printer7        Printer   SHARP AL-1641CS (Copy 1)
Printer4        Printer   Sharpdesk Composer
Printer5        Printer   SHARP AL-1641CS (Copy 3)
Printer3        Printer   SHARP AL-1641CS
sharp           Printer   SHARP AL-1641CS (Copy 2)
Printer9        Printer   PrimoPDF
Printer2        Printer   HP Deskjet 3840 Series
MARCIAL         Disk
Printer         Printer   HP Image Writer
session request to 192.168.1.105 failed (Called name not present)
session request to 192 failed (Called name not present)
Domain=[PARALEGAL] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
Server          Comment
---------       -------
Workgroup       Master
---------       -------
Ray-Dios-Haques-Computer:~ rayhaque$ smbclient
Usage: [-?EgVNkP] [--usage] [-R NAME-RESOLVE-ORDER] [-M HOST] [-I IP] [-L HOST]
[-t CODE] [-m LEVEL] [-T IXFqgbNan] [-D DIR] [-c ARG] [-b BYTES]
[-p PORT] [-d DEBUGLEVEL] [-s CONFIGFILE] [-l LOGFILEBASE]
[-O SOCKETOPTIONS] [-n NETBIOSNAME] [-W WORKGROUP] [-i SCOPE]
[-U USERNAME] [-A FILE] [-S on|off|required] service
Ray-Dios-Haques-Computer:~ rayhaque$ smbmount
-bash: smbmount: command not found
Ray-Dios-Haques-Computer:~ rayhaque$ mountsmb
-bash: mountsmb: command not found
Ray-Dios-Haques-Computer:~ rayhaque$ mount -t smb
Ray-Dios-Haques-Computer:~ rayhaque$ mount -t smb //192.168.1.105/MARCIAL
usage: mount [-dfruvw] [-o options] [-t ufs | external_type] special node
mount [-adfruvw] [-t ufs | external_type]
mount [-dfruvw] special | node
Ray-Dios-Haques-Computer:~ rayhaque$ mount -t smbfs //192.168.1.105/MARCIAL
usage: mount [-dfruvw] [-o options] [-t ufs | external_type] special node
mount [-adfruvw] [-t ufs | external_type]
mount [-dfruvw] special | node
Ray-Dios-Haques-Computer:~ rayhaque$
It looks like I found a winner. He has a couple of interesting looking shares. It's too bad I can't remember how to mount a share from terminal. Instead, I end up using "Finder" to "Connect to server ...". Here is that box.
There is a delay, and I am now asked to authenticate. This could be a problem, as I am not a user on their domain/directory ... if they have one. I will try "guest" with no password. This probably won't work.
Oh, and it does work. How sad! I wonder what we will find here. Let's have a look at this share, shall we?
These look like ... "lawyer stuff" ... or something. Let's have a closer look.
Looks like an interesting story. Some woman's husband is getting deported, and she is asking that they please not take him away. How is it this guy rakes in $94k a year raising horses? I'm in the wrong fucking business. Either I need to start raising horses, or become an immigrant and hook up with one.
I don't know what this fingerprint business is about. But I thought it looked amusing.
There were no doubt other goodies on this workstation, but I had a whole network to explore, and lunchtime was going by fast. I went ahead and moved onto my next target. Here is that terminal dialogue ...
Last login: Wed Feb 8 12:09:52 on ttyp2
Welcome to Darwin!
Ray-Dios-Haques-Computer:~ rayhaque$ smbclient -L //192.168.1.106
session request to 192.168.1.106 failed (Called name not present)
session request to 192 failed (Called name not present)
Password:
Domain=[ATTORNEY] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
Sharename       Type      Comment
---------       ----      -------
Clients         Disk
My Documents    Disk
IPC$            IPC       Remote IPC
print$          Disk      Printer Drivers
SharedDocs      Disk
C               Disk
Impro56         Disk
Printer3        Printer   PrimoPDF
Printer5        Printer   KONICA MINOLTA PagePro 1350W (Copy 1)
Case Lists      Disk
Printer2        Printer   KONICA MINOLTA PagePro 1350W
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
Printer         Printer   Microsoft Office Document Image Writer
session request to 192.168.1.106 failed (Called name not present)
session request to 192 failed (Called name not present)
Domain=[ATTORNEY] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
Server          Comment
---------       -------
Workgroup       Master
---------       -------
Ray-Dios-Haques-Computer:~ rayhaque$
You'll notice that it asks me for a password at some point, and I just sort of struck the enter key as if to say "I don't need no steenkin' password". That seemed to do the trick, and I got a list of shared stuff. Would you LOOK at these?
Note to prospective network users/attorneys/fucktards: Do not share your entire client list, without security, calling it Clients, and leave it laying on a non-secured access point. Do not share "My Documents". They are YOUR fucking documents. Not mine. Keep them to yourself. Do not share your entire C drive. In fact, having shared your entire C drive in such a manner, you can disregard all of these other rules - because you are an idiot, and you blew it.
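The share tables in the terminal dialogue above are exactly what an internal review of a small office network should be catching before a stranger on the lobby Wi-Fi does. As an added example (not code from the original post), here is a small Python audit script that parses the table layout that smbclient -L prints and flags the kinds of shares the note above warns about: a whole drive shared by letter, a user's profile folder, a business-data share such as "Clients" or "Case Lists", and any non-default share in a listing that was obtained without credentials. The sample listing is constructed for the example, the domain and share names in it are made up, and the flagging rules are my own assumptions rather than any standard.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the layout smbclient -L prints (names are made up,
# not taken from any real host).
SAMPLE_LISTING = """\
Domain=[EXAMPLEFIRM] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

        Sharename       Type      Comment
        ---------       ----      -------
        Clients         Disk
        My Documents    Disk
        IPC$            IPC       Remote IPC
        print$          Disk      Printer Drivers
        C               Disk
        Printer2        Printer   Example LaserJet
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
"""


@dataclass(frozen=True)
class Share:
    name: str
    kind: str      # Disk, IPC or Printer
    comment: str


@dataclass(frozen=True)
class Finding:
    share: str
    severity: str  # "high" or "medium"
    reason: str


# A share row: name (may contain single spaces, e.g. "My Documents"),
# at least two spaces, the type column, then an optional comment.
_ROW = re.compile(
    r"^\s*(?P<name>\S.*?)\s{2,}(?P<kind>Disk|IPC|Printer)(?:\s+(?P<comment>.*?))?\s*$"
)

# Administrative shares Windows creates by default; they require admin
# credentials and are not the subject of the audit.
ADMIN_DEFAULTS = {"ADMIN$", "IPC$", "print$"}


def parse_shares(listing: str) -> list[Share]:
    """Turn the text of an smbclient -L share table into Share records."""
    shares = []
    for line in listing.splitlines():
        m = _ROW.match(line)
        if m:
            shares.append(Share(m.group("name"), m.group("kind"), m.group("comment") or ""))
    return shares


def audit_shares(shares: list[Share], anonymous_listing: bool) -> list[Finding]:
    """Flag disk shares a defender would want removed or locked down.

    anonymous_listing: True when the table was returned with no credentials
    (an empty password), which is itself worth recording on every finding.
    """
    findings = []
    for s in shares:
        if s.kind != "Disk":
            continue
        if s.name in ADMIN_DEFAULTS or re.fullmatch(r"[A-Za-z]\$", s.name):
            continue  # default administrative share (C$, ADMIN$, ...)
        if re.fullmatch(r"[A-Za-z]", s.name):
            reason, severity = "entire drive shared by name", "high"
        elif s.name in ("My Documents", "SharedDocs"):
            reason, severity = "user profile folder shared", "high"
        elif any(w in s.name.lower() for w in ("client", "case")):
            reason, severity = "business data share", "high"
        else:
            reason, severity = "non-default disk share", "medium"
        if anonymous_listing:
            reason += " (share list readable without credentials)"
        findings.append(Finding(s.name, severity, reason))
    return findings


def audit_listing(listing: str, anonymous_listing: bool = True) -> list[Finding]:
    """Convenience wrapper: parse a listing and audit it in one call."""
    return audit_shares(parse_shares(listing), anonymous_listing)


if __name__ == "__main__":
    for f in audit_listing(SAMPLE_LISTING):
        print(f"[{f.severity:6}] {f.share!r}: {f.reason}")
```

Run on the constructed listing it reports "Clients", "My Documents" and "C" as high severity and stays quiet about IPC$, print$, ADMIN$, C$ and the printers; feed it the saved output of a share enumeration run by your own administrator and the same three categories are the ones to fix first, starting with the drive-letter share.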
I attached to the "C" share just to see if the user was indeed that stupid. They were. I hit the "Clients" folder to see if it does indeed have a list of clients, or documents pertaining to their client base. It does.
This is the point at which I make an ethical decision. Should I delve into the lives of others and begin reading their personal files? Do I really want to explore the legal matters of strangers, and further incriminate myself?
...Of course I fucking do it! Here are some samples of the better tidbits I found.
Just when I was getting to the really good stuff my students started returning from lunch. My laptop is a real eyesore, and Audrey just loves the attention she gets for her "Franken-stein-ish" appearance. After having a couple of awkward moments with students hovering over my shoulder asking "whatcha' doing?" I decided to end this adventure and get back to work.
Next time I am out in Pittsburgh I really need to go wardriving, or better yet war-walking.
Historic Comments
Christ Ray, see what happens when you try to do a bigboy job with a "mac"?
"Where else could I get a map of this network? Of course! I need to see the DHCP lease table"
Fuck "findsmb" dude. Hitting the lease table is first on my list. No waiting, no guessing, and if someone is dumb enough to name their router "Linksys" then there is a 92.3% chance the default password is the same.
On a side note, I would have to say as of late that I really like the Auditor (or BackTrack) live CD from remote-exploit.org. It just has all the tools/drivers in one package.
Now, add that with a network card that supports packet injection and you've got wep cracking in less than a couple minutes. Longer for 3 types of wpa.
anyways....i digress....i need ben and jerry's.
Phrightener | 02.10.06 - 11:17 pm | #
you law breaker you
LiteHedded | Homepage | 02.14.06 - 10:33 am | #
Should have renamed their documents: Dear John Letter, People I'm Firing, People I'm Sleeping With, Embezzlement Funds, Potato Bar, etc...
Keep them guessing when they need that document next.
Poe | 02.16.06 - 7:35 pm | #
Phrighty: I love you. When are we going to finally get together and have gay sex? I'm going to have to check out that Auditor distro. I was just telling someone the other day about how cool Knoppix-STD was before it got so old and useless.
Poe: Hah! They would probably learn to live with the annoyance instead of figuring out how to fix it. "Where is the Smith case?" - "Oh, check the 'Go Fuck Yourself' folder, and open up 'i shit myself lol.doc'."
-Ray
Ray Dios Haque | 02.21.06 - 8:19 pm | #