"The command completed successfully" indicates that the command completed successfully ;-) i.e. you established a null connection to the IPC$ share. Apparently, the machine doesn't have any declared shares...that's a good thing. The remote registry is locked...that's also a good thing. Bottom line, you *were* able to log in using NULL credentials...otherwise, you wouldn't have been able to query the machine for shares, registry, etc.

Think of it as finger++ (for windows)...

John Lampe
https://f00dikator.hn.org/

"Knowledge will forever govern ignorance, and a people who mean to be their own governors, must arm themselves with the power knowledge gives. A popular government without popular information or the means of acquiring it, is but a prologue to a farce or a tragedy or perhaps both."
--James Madison

----- Original Message -----
From: "Jared Breland" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 25, 2002 5:11 PM
Subject: Re: netbios question

hmm...

    C:\> net use \\<ip>\ipc$ /user:"" ""
    The command completed successfully.

    C:\> net view \\<ip>
    There are no entries in the list.

I also tried doing a remote registry connect, but basically got a permission denied.

I tried net use on a couple other computers that turned up in the results, but they gave me "System error 1219 has occurred. The credentials supplied conflict with an existing set of credentials."

Am I doing something wrong, or is this just a false positive?

--
Jared Breland
Information Security Intern
[EMAIL PROTECTED]
901-748-5632

"John Lampe" <j_lampe@bellsouth.net>
07/25/2002 05:31 AM
To: <[EMAIL PROTECTED]>, "Jared Breland" <[EMAIL PROTECTED]>
cc:
Subject: Re: netbios question

really only of interest if ipc$ is shared (default share). If so, then:

    net use \\ip\ipc$ /user:"" ""

from a dos prompt... if that works then you can try

    net view \\ip
    regedt32 (and connect to remote IP)
    dom2sid
    sid2dom
    etc.

John Lampe
https://f00dikator.hn.org/

----- Original Message -----
From: "Jared Breland" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 25, 2002 4:30 PM
Subject: netbios question

I get at least one of the following for just about any Windows host I scan, but what exactly does it mean? Does it mean I can actually log in to the box and view its contents? How? I've tried every way I can think of, but I haven't been able to figure it out.

Oh, and no, I'm not trying to view other people's data, just trying to understand the process of how it works so I'll know how to protect against it. I'm sure that's assumed for the people on this list, but just so there's no confusion... :-).

----------------------------------------------------------------------------
. It was possible to log into the remote host using the following
  login/password combinations :
  'guest'/''

. It was possible to log into the remote host using a NULL session.
  The concept of a NULL session is to provide a null username and
  a null password, which grants the user the 'guest' access

  To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
  Q246261 (Windows 2000).
  Note that this won't completely disable null sessions, but will
  prevent them from connecting to IPC$

. All the smb tests will be done as 'guest'/'' in domain
----------------------------------------------------------------------------
. It was possible to log into the remote host using a NULL session.
  The concept of a NULL session is to provide a null username and
  a null password, which grants the user the 'guest' access

  To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
  Q246261 (Windows 2000).
  Note that this won't completely disable null sessions, but will
  prevent them from connecting to IPC$

. All the smb tests will be done as ''/'' in domain

--
Jared

- [EMAIL PROTECTED]: general discussions about Nessus.
* To unsubscribe, send a mail to [EMAIL PROTECTED] with "unsubscribe nessus" in the body.
* To subscribe again, send a mail to [EMAIL PROTECTED] with "subscribe nessus" in the body
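
The scanner output quoted in the thread points to KB Q143474 and Q246261 for restricting NULL sessions. The following is an added example, not part of the original messages, that reports the related registry settings on the local Windows host. The registry value names are not given in the thread; they are assumed here to be the standard Windows values associated with anonymous access.

```powershell
# Added example (not from the thread): report the registry values that control
# anonymous (NULL session) access on the local Windows host.
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return the value data, or $null when the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# DWORD settings: Min is the lowest value that restricts anonymous access.
$dwords = @(
    @{ Path = $lsa;    Name = 'RestrictAnonymous';      Min = 1 },  # value the cited KB articles cover (assumption)
    @{ Path = $lsa;    Name = 'RestrictAnonymousSAM';   Min = 1 },  # present on later Windows versions
    @{ Path = $server; Name = 'RestrictNullSessAccess'; Min = 1 }   # limits null sessions to the lists below
)

$report = foreach ($d in $dwords) {
    $v = Get-RegValue -Path $d.Path -Name $d.Name
    if ($null -eq $v)           { $status = 'not set (OS default applies)' }
    elseif ([int]$v -ge $d.Min) { $status = 'restricted' }
    else                        { $status = 'WEAK' }
    [pscustomobject]@{ Setting = $d.Name; Value = $v; Status = $status }
}

# Multi-string lists: every entry is a pipe or share reachable over a NULL session.
foreach ($name in 'NullSessionPipes', 'NullSessionShares') {
    $entries = @(Get-RegValue -Path $server -Name $name | Where-Object { $_ })
    if ($entries.Count -eq 0) { $status = 'empty' } else { $status = 'review entries' }
    $report += [pscustomobject]@{
        Setting = $name
        Value   = $entries -join ', '
        Status  = $status
    }
}

$report | Format-Table -AutoSize
```

A value reported as "not set" falls back to the operating system default, which differs between Windows versions, so compare it against the baseline for that version.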
