IPC$ Share Exploit

Noctambulaar

(L3) cache
User
Joined: 06.06.2008
Messages: 257
Reactions: 5
Vulnerability description.
What is the IPC$ share exploit and how to exploit it...

What is the IPC$ Share?

IPC stands for Inter-Process Communication. This share is used for data sharing between applications and computers. With this share a hacker can take total control of a PC. It has been said that one group of individuals on the net managed to dominate an entire company's network through a single person's PC. This exploit can be discovered easily with many NSS; the one I prefer using is GFI.

How a hacker abused the exploit…

So firstly we have established using our NSS that the IPC$ share is available, and we also have the admin password (while writing this article I discovered that the target machine had no admin password; however, using a program like the Big Red Button or the NetBIOS Auditing Tool you can obtain this).
Using the NET commands within DOS we can find and map to shares on remote computers.
Now when going for an NT machine, make sure port 139 is open; this can be found out using a normal port scanner. Open up DOS and type in the following:

C:\>NET USE \\TARGET\IPC$ "" /USER:""

This is basically saying you want to use the IPC share on the specified target with the password "" and the user name "". We have just asked to make a null session on the target share. Chances are slim that you will obtain it like this, so it's always handy when the admin password has not been set. When you want to log in as an administrator to the share you would type in the following:

C:\>NET USE \\123.213.123.123\IPC$ "" /USER:Administrator

This is stating that you want to connect under the local account "Administrator" with no password.

After starting a null connection you could try to access the hidden shares. The default hidden shares are: C$, PRINT$, ADMIN$, IPC$. These folders will be invisible to the average user due to the $ sign being placed at the end. Sometimes shares don't have passwords, so you can use them without the admin's password. Null sessions rarely get you onto shared folders, as it's not all that dissimilar from a homeless man asking for the keys to the Playboy mansion. Null sessions have very little rights on the system. Next you could try using net view. To do this, open the DOS window and type:

C:\>net view \\123.123.123.123 <--- This will display all shares on this machine (WILL NOT DISPLAY THE IPC$ OR ANY OTHER SILENT SHARES)

C:\>net view /workgroup:MSHome <--- Same as above but for workgroups. Replace "MSHome" with the name of the workgroup.

C:\>net view /domain:Domain <--- Same as above but with domains. Replace "Domain" with the domain name.
Credit DSH
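Added example (not from the post above or from DSH): the defender's view of the null-session connection described there. The `net use \\TARGET\IPC$ "" /USER:""` step shows up on the target as an anonymous network logon (Security event 4624, logon type 3, account ANONYMOUS LOGON) and, with share auditing enabled, as event 5140 against \\*\IPC$; the Python below runs that detection over constructed sample records, whose field names follow the Security log but whose values are made up.

```python
from collections import Counter

# Constructed sample Security-log records (not real telemetry), reduced to the
# fields that matter: 4624 = logon, 5140 = network share object accessed.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON", "IpAddress": "10.0.0.7"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "alice", "IpAddress": "10.0.0.9"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "bob", "IpAddress": "127.0.0.1"},
    {"EventID": 5140, "SubjectUserName": "ANONYMOUS LOGON", "ShareName": "\\\\*\\IPC$", "IpAddress": "10.0.0.7"},
    {"EventID": 5140, "SubjectUserName": "alice", "ShareName": "\\\\*\\Finance", "IpAddress": "10.0.0.9"},
    {"EventID": 5140, "SubjectUserName": "ANONYMOUS LOGON", "ShareName": "\\\\*\\C$", "IpAddress": "10.0.0.7"},
]


def is_anonymous(user):
    """Null sessions authenticate as the built-in ANONYMOUS LOGON account."""
    return (user or "").strip().upper() == "ANONYMOUS LOGON"


def detect_null_sessions(events):
    """Flag anonymous network logons (4624, type 3) and anonymous share access (5140)."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 4624 and ev.get("LogonType") == 3 and is_anonymous(ev.get("TargetUserName")):
            alerts.append({"kind": "null_session_logon", "src": ev["IpAddress"],
                           "share": None, "severity": "medium"})
        elif ev.get("EventID") == 5140 and is_anonymous(ev.get("SubjectUserName")):
            # ShareName is logged as \\*\NAME; keep only the share's own name.
            name = ev.get("ShareName", "").rsplit("\\", 1)[-1].upper()
            # IPC$ is the enumeration channel; an anonymous hit on C$/ADMIN$ means
            # the host exposes far more than it should, so rank that higher.
            severity = "high" if name.endswith("$") and name != "IPC$" else "medium"
            alerts.append({"kind": "anonymous_share_access", "src": ev["IpAddress"],
                           "share": name, "severity": severity})
    return alerts


def sources_by_alert_count(alerts):
    """Source addresses ranked by how many null-session alerts they produced."""
    return Counter(a["src"] for a in alerts).most_common()


if __name__ == "__main__":
    found = detect_null_sessions(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print(sources_by_alert_count(found))
```

Hosts where this fires are the ones to check for RestrictAnonymous / RestrictNullSessAccess settings and unnecessary exposure of port 139/445.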