| \
                                   |  \
                                   | | \
                            __     | |\ \             __
      _____________       _/_/     | | \ \          _/_/     _____________
     |  ___________     _/_/       | |  \ \       _/_/       ___________  |
     | |              _/_/_____    | |   > >    _/_/_____               | |
     | |             /________/    | |  / /    /________/               | |
     | |                           | | / /                              | |
     | |                           | |/ /                               | |
     | |                           | | /                                | |
     | |                           |  /                                 | |
     | |                           |_/                                  | |
     | |                                                                | |
     | |      c   o   m   m   u   n   i   c   a   t   i   o   n   s     | |
     | |________________________________________________________________| |

  ...presents...     Who's Gonna Get Screwed Today?
                        NetBIOS Attacks over TCP
                                                         by SirDystic

             __///////\ -cDc- CULT OF THE DEAD COW -cDc- /\\\\\\\__
               \\\\\\\/  Everything You Need Since 1986  \///////
  ___    _   _    ___     _   _    ___       _   _      ___    _   _      ___

Microsoft has never claimed that Windows95 (or any of its DOS
predecessors) is secure.  In fact, they offer an entirely different
product line for people concerned with security (their New Technology
line).  In our ever growing net, there must be more than 1000 new
users a day worldwide.  A fairly large portion of the Internet is not
servers and mainframes but personal computer users, most of whom use Win95
because it's cheap and well supported by games and Microsoft's suite
of barely adequate, yet all-encompassing applications.

What person on the Internet cannot afford to be concerned with

Few people seem to realize that all of the networking functionality
built into windows is available over _any_ TCP connection by default,
even a PPP or SLIP dial-up to Prodigy or most ISPs!  Nor do many
people filter the appropriate ports on their firewalls leaving most
machines with a permanent connection to the Internet fully accessible
via NetBIOS.  Perhaps the "Sharing..." selection available from any
drive or directory's menu is just too convenient and people don't
realize what they're opening themselves up to, but about 1 out of 3
Windows 95 users who have file sharing enabled have their whole file
system exported with no password.  For those users who actually do
bother using passwords, it's usually one of the most obvious, and with
no logging, delaying, or any deterrent for password hacking, 3 to 7
passwords per second can be tried across the Internet.

Recently a bug was discovered in almost every version of Windows which
caused the operating system to crash (hard) when out-of-bound data is
sent to a TCP port.  Since all Windows machines by default were
listening on port 139 for NBT connections, the standard exploit
connected to this port to send the OOB data.  Microsoft fairly quickly
release a patch for NT to fix this bug, but their response for 95 was
much slower.  Their initial 'fix' was to release a registry edit which
disabled NBT and recommended turning off any other listening ports
such as 113 (identd).  This caused a large number of people on the
Internet to become invulnerable to NBT attacks.  America Online also
began filtering this port, as well as UDP 137 (nbnames), causing
another large chunk of lamers to become protected.  Still plenty of
phish in the c.

All that is required to access a machine across NBT is the machine's
NetBIOS name and IP address.  User friendly Microsoft even included a
tool with Win95 and NT which will display a remote machine's NetBIOS
names, including the machine name, login name and domain name, one of
which is often a part of a share password.

To access a machine across NBT, retrieve the target IP's machine name
using nbtstat.exe (nbtstat -A ip, machine name is usually displayed
first).  Add the IP and machine name to a file "lmhosts" in your
windows directory on a line by themselves and *BLAM*, you can access
that machine by name through any network function.  You can net view
\\machine, net use \\machine\res, start \\machine, ping machine,
winnuke machine, etc...

Once access is gained to the windows directory (either through ADMIN$
or one of the user's exports) the pwl file can be decrypted (way to go
MS!) using a variation of the glide code, and voila:  all the user's
passwords including their dial-up account password, any web passwords,
and any passwords for network resources they've accessed.  A list of
the most recently accessed documents on the machine can be found in
the "recent" directory, the desktop can be directly manipulated by
altering the "Desktop" directory, the start menu can be directly
manipulated by altering the "Start Menu" directory, the Startup
directory is in "Start Menu\Programs", if you rename the Fonts
directory, uppon reboot Windows gives the message:  "Unable to load
gdi.exe. Please reinstall Windows."  Don't forget to delete
netstat.exe and netwatch.exe to stay a little more hidden.

What's more, MS documents that shares exported with a name ending in a
$ will not be listed on remote browse lists.  This is partially true. 
It turns out that the Samba client (the gnu UNIX implementation of
NetBIOS) has no problem listing shares ending in $, including ADMIN$
and ipc$.  I ported this functionality to Win32 with a few minutes

What can this be used for?

Get dial-up accounts on the ISP of your choice:
Scan through the dial-ups till you find a machine with their windows
directory exported and copy their .pwl file(s).  When it was shown
that Microsoft's 'encryption' of the .pwl files was a joke, Microsoft
did release a patch and on later versions of Win95, the files were
further obfuscated and to my knowledge no later versions have been
decrypted, but I'm not sure anyone's put any effort towards it.  In
any case, we're playing odds.  Most people are still running the
breakable version of Win95, so keep looking till you find one you can
read.  Passwords can also be found storred by popular ftp clients such
as WSFTP and CuteFTP, decoders are available for their data files. Get
any kind of file you like; Use IRC to locate people who are trading
the type of file you're interested in (warez, pix, mp3, etc.) by
listing the users in appropriate channels (#*warez*, #*pics*,
#*mp3*...) and scan through them till one with their file system
exported is found.  Use the "Recent" directory to quickly find the
interesting files on their machine, lnk files store the export name as
well as the rellative and absolute location of the file (just type
them, you'll see).  Also use ftp clients and servers' ini files to
locate download and zip directories.

Run programs on other people's machines:
Put links in people's "Startup" directory to run the program of your
choice. The filenames " .lnk" and " .exe" are particularly useful as
they show up blank in GUI listings and cannot be run from the DOS
prompt (as their 8.3 names become exe~1.)  Use this to create mass
parallel processing, or run a program with a message of your choice.

So in conclusion, since the only protection Win95 allows you in "Share
level" access mode is a case-insensitive max 8 character password,
pick a good one, and until people start getting a clue (fat chance)
you can entertain yourself by browsing through random (or not so
random) people's personal files.

    .-.                             _   _                             .-.
   /   \           .-.             ((___))             .-.           /   \
  /.ooM \         /   \       .-.  [ x x ]  .-.       /   \         /.ooM \
-/-------\-------/-----\-----/---\--\   /--/---\-----/-----\-------/-------\-
/lucky  13\     /       \   /     `-(' ')-'     \   /       \     /lucky  13\
           \   /         `-'         (U)         `-'         \   /
            `-'              the original e-zine              `-'    _
      Oooo                    eastside westside                     / )   __
 /)(\ (   \                       WORLDWIDE                        /  (  /  \
 \__/  )  /  Copyright (c) 1997 cDc communications and the author. \   ) \)(/
       (_/     CULT OF THE DEAD COW is a registered trademark of    oooO
          cDc communications, PO Box 53011, Lubbock, TX, 79453, USA.      _
  oooO        All rights reserved.  Edited by Grandmaster Ratte'.   __   ( \
 /   ) /)(\                                                        /  \  )  \
 \  (  \__/       Save yourself!  Go outside!  Do something!       \)(/ (   /
  \_)                     xXx   BOW to the COW   xXx                    Oooo