Windows Edition, Jan 3., 2000
_______________________________________________________________________
See the Happy Hacker web site at http://www.happyhacker.org
Your local firewall blocks you? Try http://happyhacker.org
_______________________________________________________________________
Opening Comments
URL's
How to locate hidden shares in NT
Quick Tips
Anonymous connections to IPC$
IE4 EasterEgg
Editor's Comments
******************************************************************
Opening Comments
Perhaps long overdue but certainly welcome, Happy Hacker (HH)
brings you a long-awaited Windows Digest (WD). As you might imagine,
much has transpired over the last 8 months, both in the hacker as
well as the cracker community. My original thought was to try and
put together an end-of-the-year review for this edition; after some
thought, however, I didn't see the point in duplicating efforts. I've
included a hyperlink to HackerNews.Com and their end-of-the-year
review. I will try to start including an interesting Easter Egg or
two that can be used to impress your friends and co-workers from
time to time. I'm also strongly considering carrying over something
similar to the "quick tips" from Anti-Online, and I'd like to begin
actively soliciting the opinions of our readers on certain issues as
well. I'll be speaking with Carolyn in more detail in the weeks to
come regarding making an online voting and poll booth available to
you, the reader. If you have any comments, questions, and/or
suggestions, please feel free to e-mail me at
wineditor@happyhacker.org.
URL's
Gov't afraid of Y2K Crackers? You decide.
http://news.excite.com/news/r/991228/14/net-yk-hackers
Are you an IT Manager who has hired a Hacker and are having
difficulties communicating or are unsure how to deal with this
person? This URL might be for you.
http://www.plethora.net/%7Eseebs/faqs/hacker.html
New to the hacking community? Really want to know how to become
a wizard hacker? Then this is a must-read, from the author who
brought you "Hacker Jargon".
http://www.tuxedo.org/~esr/faqs/hacker-howto.html
Short Overview of 1999's hacker news.
http://www.hackernews.com/special/1999/99topstories.html
How to locate Hidden Shares in NT
Some time ago Carolyn posed the question "What are some different
ways to locate hidden shares on NT networks?" Reader response
has been great, and I've included some of the different responses,
edited for technical correctness and grammar where applicable.
Carolyn,
To see hidden shares on an NT box you would/could use the
NT Resource Kit. The tool is called NETWATCH.
Scenario 1: I am an Admin and I want to check my boxes...I simply
execute the program from the command line giving it the IP of
the server that I want to check and type "Ctrl+H" to
reveal hidden shares.
OR
Scenario 2: When used with LMHosts/IPC Mapping, this tool can
be used to bypass "Trust" relationships between NT
servers. Example: Server A does not trust Server B and vice versa.
Well, I am an "admin" on A and I want to know all the
hidden shares on B. By invoking this program while connecting
to the IPC$ share....
:) You get ALL the shares.
Respectfully,
-Michael Vaughan
MCSE, A++
Web Site: http://www.nku.edu/~vaughan
Mail: vaughan@nku.edu
ICQ: 20031116
[Editors Note: It is also possible to shut down and/or monitor
IPC$ using NETWATCH. I strongly recommend either disabling
IPC$ (provided your computing environment allows for it) or
monitoring it with NETWATCH, for reasons I will list later in
the digest. I have confirmed both scenarios, and they both work
splendidly.]
First of all allow me to thank you for taking your time to
address and compile questions/answers to challenge and enlighten
the eager amateur and novice hackers on the Net. I've been on
the net since early 1996, when the ISP where I worked had a 19kbps
data channel (yiques!), and I thank you guys for making this
digest to the best of your abilities.
Well. The last digest asks for help in NT security (NT security
is my middle name!) regarding hidden shares. The simplest way
to locate hidden shares is to perform the following and requires
administrative rights:
A) From Administrative Tools, go into the Server Manager.
Select the computer you wish to view. Go to Computer -> Shared
Directories. This will show you the shared directories, even
the ones w/ $ on the end. If you do this on a server, you'll
even see the admin$, the printer$ (which are NT defaults).
There is another way to do this, through the NET command line.
It will take me some time to get the full text about that because
I have to work in a little bit, but I will send it up ASAP.
Thank you for the opportunity
----------------------------------------------------------------------------
"Sic pas pacem, para bellum" (if u wanna peace, get
ready for war)
----------------------------------------------------------------------------
Anderson L. Ravanello
[Editors Note: The command for viewing hidden shares locally
from the command prompt is simply "NET SHARE".]
Sorry about this... I bet you know this already... You can
install server tools for Windows 95 by making disks in NT with
Client Manager. You can use Server Manager from a Windows 95/98
box to view hidden shares as well.
Hope this helps
Benjamin Cook
[Editors Note: I placed Benjamin's comments here because he brought
up a good point. Most of the tools found in Administrative Tools
on your WinNT Server can be loaded onto WinNT Workstation or
Windows 95/98 client machines for management. Network administrators
typically have these tools loaded on the workstation at their desk
to avoid having to run to the server every time they need to make
a change.]
Hi Carolyn. It's been a while since I've written.
To answer your request in the last email you sent, here is
a script that will find hidden shares on the network.
One of the common tools that NT administrators use is Kixtart.
It is usually used for login scripts, but it can also be used
as a powerful scripting language for many other purposes. Here
is a Kixtart script that will determine if a user has any hidden
shares on their Windows NT computer. You may need Administrator
rights on the local machine to run this script... but you may
not... I didn't test it without local admin rights.
You are welcome to publish this script as you see fit, provided
you keep my comments in it. Please instruct others not to use
it for malicious purposes... I am sure that you will provide
the appropriate warning.
Thanks.
Dale
[=`)
=====
Dale Holmes
CCNA, MCSE, CNE, UNIX/C
passed CCIE written... [=`)
**********Begin Copy************
; FINDSHARES.KIX
; Version 1.0
; Written by Dale Holmes
; 12/13/99
;
; You may need Administrator access to the NT computer for this
; script to run successfully.
; This script will search the Registry for shares, and loop through
; all values found there.
; It will look for the string "$" in the name to determine if the
; share is hidden.
; If so, then the user name, user id, and machine name will be
; displayed along with the name of the hidden share.
;
; You can redirect the output of this script to a file in order to
; compile a list of hidden shares on your network.
;
; You can also parse through the value of the $readv variable to
; determine the path that the hidden share points to...
;
; Last Modified 12/13/99

; EXISTKEY returns 0 when the key exists; anything else means no share list
$returnv = EXISTKEY( "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares" )
IF $returnv <> 0
  goto "End"
ENDIF

; Walk every value (one per share) under the Shares key
$Index = 0
:Loop
$ValueName = ENUMVALUE( "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares" , $Index )
If @ERROR = 0
  ; Uncomment to read the share's settings (Path=, Remark=, ...) as well
  ; $readv = READVALUE( "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares" , $ValueName )
  ; "$$" is KiXtart's escape for a literal "$"
  $srv = INSTR( $ValueName , "$$" )
  If $srv <> 0
    ? "@FULLNAME (@USERID on @WKSTA) has a hidden share called $ValueName"
  Endif
  $Index = $Index + 1
  goto "Loop"
Endif
:End
***********Stop Copy/Paste***********
[Editors Note: I am not a resident expert on KiX scripts and,
at the time of this writing, do not have KiX installed. However,
I've used KiX scripts for logon scripts, and without actually
testing this script it would appear that the author's script will
work. This script is intended to be used as a Systems Administration
tool, and as such, by publishing it Happy Hacker, the author, and
I would expect it to be used in a responsible manner.]
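The following is an added example for this digest, written in Python rather than KiXtart; it is not Dale's script and not a Resource Kit tool. It parses the same LanmanServer\Shares registry key the script walks, picks out the shares whose names end in "$", and also reads the Path= entry that the script's commented-out $readv line would have needed. The registry layout (a REG_MULTI_SZ of Name=Value strings per share) is how NT 4 and 2000 store persistent shares; the share names and paths in the sample are constructed.

```python
"""Audit hidden shares from the LanmanServer\\Shares registry key.

Added example for this digest; it is not Dale Holmes's KiXtart script.
NT stores each persistent share under
HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Shares as a
REG_MULTI_SZ of "Name=Value" strings (CSCFlags, MaxUses, Path, Permissions,
Remark, Type). This parses those strings and reports every share whose name
ends in "$", together with its path.
"""
import sys

SHARES_KEY = r"SYSTEM\CurrentControlSet\Services\LanmanServer\Shares"


def parse_share_value(lines):
    """Turn one share's REG_MULTI_SZ strings into a dict.

    Each string is "Key=Value"; strings without "=" are ignored.
    """
    settings = {}
    for line in lines:
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def is_hidden(share_name):
    """NT hides a share from browse lists when its name ends in "$".

    The KiX script tests for "$" anywhere in the name; the trailing "$"
    is the rule the server service actually applies.
    """
    return share_name.endswith("$")


def find_hidden_shares(shares):
    """shares: {share_name: [multi_sz strings]}.

    Returns a sorted list of (name, path, remark) for every hidden share.
    """
    found = []
    for name, lines in shares.items():
        if is_hidden(name):
            settings = parse_share_value(lines)
            found.append((name, settings.get("Path", ""), settings.get("Remark", "")))
    return sorted(found)


def read_shares_from_registry():
    """Read the live key on Windows (reading HKLM needs appropriate rights).

    Returns {} on other platforms. The automatic ADMIN$, IPC$ and C$ shares
    are created by the server service at start-up and are not stored here,
    so NET SHARE is still needed to see those.
    """
    if sys.platform != "win32":
        return {}
    import winreg
    shares = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SHARES_KEY) as key:
        index = 0
        while True:
            try:
                name, data, kind = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            if kind == winreg.REG_MULTI_SZ:
                shares[name] = data
            index += 1
    return shares


# Constructed sample data mirroring the key's layout; not captured from a host.
SAMPLE_SHARES = {
    "Public": ["CSCFlags=0", "MaxUses=4294967295", "Path=C:\\Public",
               "Permissions=0", "Remark=Team files", "Type=0"],
    "Payroll$": ["CSCFlags=0", "MaxUses=4294967295", "Path=D:\\HR\\Payroll",
                 "Permissions=0", "Remark=", "Type=0"],
    "Backup$": ["CSCFlags=0", "MaxUses=10", "Path=E:\\Backups",
                "Permissions=0", "Remark=Nightly dumps", "Type=0"],
}

if __name__ == "__main__":
    shares = read_shares_from_registry() or SAMPLE_SHARES
    for name, path, remark in find_hidden_shares(shares):
        print(f"hidden share {name:<12} -> {path}  {remark}")
```

Run it on a Windows host to audit the live key, or anywhere else to see the logic applied to the constructed sample. Because the automatic administrative shares are not in this key, pair it with NET SHARE for a complete list.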
In order to detect hidden NT shares, do the following under
Linux/Un*x:
1. Make sure you have Samba client installed
2. Run the command from a machine on the network to which the
NT box is local.
3. The command is: smbclient -L <machine_name_here> | more
4. Every share ending in $ displayed by the client is a hidden
share on the machine, which you can later peruse on that NT box.
Happy Hacking!
MagusCor
Randy Bosetti
[Editors Note: Thank You Randy for not letting us forget about
all the *nix users out there.]
Hiya!
This is in response to the latest Happy Hacker newsletter.
Finding hidden shares is REAL easy if you are an
administrator. Use server manager :-). This tool lets you
view ALL shares (and sessions) on any PC in the Domain.
This includes hidden shares. You can actually use it to
CREATE shares (some NT administrators don't know this as
NT 3.5 did not allow you to create shares with this tool)
With Windows 2000 you would use the Microsoft Management
Console and view the computer's properties, moving to shares etc...
This actually allows you to view which FILES a remotely logged in
user has access to.
One other kind of neat thing that you may or may not know of
is the use of "alternate data streams" to hide files.
It's really neat. If you have an NT box available to you,
drop to a command prompt and create a file using (for
example) notepad, ie: "notepad secret.txt"
Edit this file, add some stuff in, save it and take note of
the size of the file, also note the amount of space left on
your drive. Now the fun stuff comes in, in the command
prompt type in "notepad secret.txt:hidden.txt", this will
open up notepad with a new file, type some more stuff in and
save it. Do a "dir", you will not see this file! Nor will
you see it thru explorer or any other conventional file
browsing methods. What has happened is the file was created
in an "alternate data stream", it is part of the original
(secret.txt) file, but not shown normally in that file. Also
note that secret.txt does not increase in size, nor does the
amount of drive space used get changed!!! Above I had
mentioned that no CONVENTIONAL tools could see these files,
there are programs specifically designed to hunt these down
however I can't remember the name of any of them :-P
One potential use of this would be creating extra webpages
without hitting any kind of quota on an NT Webserver ;-)
NOTE: I'm not currently using NT, but it's a few days till I
get back to work, so if some of the above is wrong, I won't
correct it for a few days. Nor do I take credit for either
of the discoveries above. I know Server Manager pretty good
from use of it, and the "alternate data streams" came from
NTBUGTRAQ.
./sigless
Sheldon Fuc
[Editors Note: I was successful in making the hidden.txt file
disappear, but I did notice a reduced amount of total bytes available
after the creation of the file. Nonetheless, Sheldon's exercise
in "alternate data streams" is exciting. If anyone
else confirms everything in its entirety, let me know. Thanks
for a great article, Sheldon.]
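An added example (not from Sheldon's letter or from NTBUGTRAQ) of the kind of scanner Sheldon says exists: a Python script that lists a file's alternate data streams through the Win32 FindFirstStreamW/FindNextStreamW API, which walks the streams DIR and Explorer leave out. It also reports each stream's size, which is where the missing bytes the editor noticed went: DIR reports only the unnamed stream. The sample stream list is constructed to match the secret.txt exercise; the ctypes call only runs on Windows.

```python
"""List the alternate data streams (ADS) attached to an NTFS file.

Added example for this digest; it is not from the letter or from NTBUGTRAQ.
On Windows it enumerates streams with the kernel32 FindFirstStreamW /
FindNextStreamW API through ctypes. The name classification is plain Python
so it can be exercised on any platform.
"""
import ctypes
import sys


# Mirrors WIN32_FIND_STREAM_DATA from the Windows SDK.
class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    _fields_ = [
        ("StreamSize", ctypes.c_int64),
        ("cStreamName", ctypes.c_wchar * (260 + 36)),  # MAX_PATH + 36
    ]


INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
FIND_STREAM_INFO_STANDARD = 0


def stream_label(raw_name):
    """Windows reports streams as ":<name>:<type>".

    "::$DATA" is the unnamed stream holding the normal file contents and
    maps to ""; ":hidden.txt:$DATA" maps to "hidden.txt".
    """
    parts = raw_name.split(":")
    if len(parts) >= 3 and parts[0] == "":
        return parts[1]
    return raw_name


def alternate_streams(streams):
    """streams: iterable of (raw_name, size_in_bytes).

    Keeps only the named $DATA streams, the ones DIR does not show, as
    (label, size) pairs.
    """
    return [(stream_label(name), size) for name, size in streams
            if name.endswith(":$DATA") and stream_label(name)]


def enumerate_streams(path):
    """Return (raw_name, size) for every stream of `path`.

    Windows only; returns [] elsewhere, and for a missing file, a non-NTFS
    volume or access denied.
    """
    if sys.platform != "win32":
        return []
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint,
                                     ctypes.c_void_p, ctypes.c_uint]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]

    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, FIND_STREAM_INFO_STANDARD,
                                  ctypes.byref(data), 0)
    if handle is None or handle == INVALID_HANDLE_VALUE:
        return []
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break  # ERROR_HANDLE_EOF: no more streams
    finally:
        k32.FindClose(handle)
    return streams


def scan(path):
    """Named streams on `path`, as a defender would check files on a share."""
    return alternate_streams(enumerate_streams(path))


# Constructed sample: what enumerate_streams would return for the letter's
# secret.txt after "notepad secret.txt:hidden.txt" has been saved.
SAMPLE_STREAMS = [("::$DATA", 1417), (":hidden.txt:$DATA", 88)]

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    streams = enumerate_streams(target) if target else SAMPLE_STREAMS
    for name, size in alternate_streams(streams):
        print(f"alternate data stream: {name} ({size} bytes)")
```

Point the script at a file on an NTFS volume to list its hidden streams; without an argument it runs over the constructed sample. A scan over a whole share is a loop of scan() across the files found there.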
Quick Tips
This edition's quick tip is from our very own beloved Carolyn
Meinel, as posted at http://www.antionline.com
Cure that Christmas Card Hangover
If your desktop computer runs Windows 95/98/NT, you probably
viewed some animated emailed Christmas cards. I'm finally warning
you about them because if I had told you in advance how dangerous
those cards could be, you'd just ignore me. Oh, oh, my nose is
growing. I told you a fib. Actually I didn't warn you about animated
Christmas cards last week because I forgot, OK? So sue me.
The trouble with animated greeting cards is that they are
programs. And any computer program has the potential to hide
viruses and Trojans (malicious features hiding in innocuous-looking
software).
You've probably seen news stories predicting that Y2K may
unleash a witches' brew of nasty viruses and Trojans. If you
take those stories seriously,* here's how to save your computer
from the consequences of your promiscuous Christmas Card viewing.
First, the bad news. Fred B. Cohen has mathematically proved,
in his 1986 doctoral dissertation, that it is impossible to create
software that can detect any conceivable virus or Trojan. However,
we can improve our chances by running several different programs
to catch those nasty surprises. I use both Norton Antivirus and
WebTrends Security Analyzer. Actually, WebTrends is downright
fascist, sometimes trying to persuade me to delete a program
that I put there on purpose, saying (I'm sure with good reason)
that it is a security hazard.
How do you know whether your computer security and antivirus
software is any good? Most important, you should look to see
whether it has a way for you to update it. That's because the
cyberbaddies are always finding ways to evade or disable your
protective software. WebTrends automatically updates itself whenever
it runs, while I have to remember to manually update Norton Antivirus.
It's also important to get "under the hood" of your
security software. I discovered, for example, that the default
configuration of Norton Antivirus exempted all my Microsoft Office
programs from being scanned for virus-like activity.
Also, it helps to double check that your software is working
properly. I habitually torture my computer while testing cool
hacker tricks. So it's not surprising that from time to time
something fails in a way that isn't obvious. Every few months
I uninstall and reinstall key software just to be safe. If you
try to run an update on your security software and it fails to
run, that's a pretty sure sign that it's time to reinstall.
Also, if your computer runs several different operating
systems, watch out. All the security software I've seen only
looks for things that hurt the operating system on which it is
running. Whoever bothers to run an antivirus scanner on Linux
or other Unix type operating systems? Yet boot sector viruses
will infect your computer regardless of whether you run some
kind of Windows or some sort of Unix. I've never found a boot
sector virus that bothered a Unix computer. But when you reboot
to Windows, ouch, what a hangover.
So, with these depressing thoughts in mind, have a happy New
Year. I'm spending next weekend on a Y2K-compliant sailboat on
a lake in sunny southern New Mexico. What about you? ;^)
* When it comes to Y2K, I'm a follower of the Alfred E. Neuman
philosophy: "What, me worry?"
To Download Sample Trojans & Trojan Removal Tools, Visit
The AntiCode Archives.
*************************************************************************************
Anonymous connections to IPC$
By default, when you install Windows NT Server or Workstation,
a hidden share called IPC$ is created. IPC is short for
"Inter Process Connector"; IPC$ is used by certain processes
to communicate over the network between machines. For
instance, during a Windows NT logon the client computer sends
its NetBIOS name to the IPC$ share of a PDC or BDC so that the
Domain Controller can confirm the workstation's membership in
its domain. It is possible to make an anonymous connection to
IPC$ on NT Workstations and Servers over both private and public
networks. Why would someone want to make an anonymous connection
to the IPC$ share? With the NT Option Pack and Resource Kit
installed, try the following command:

Net Use \\<target>\ipc$ "" /USER:""
The command completed successfully

Once that has succeeded, issue the following commands from your
workstation:

Local administrators
<Displays a list of all user accounts with administrator
rights on the target machine>

Global administrators
<Displays a list of all user accounts with domain administrative
rights in the domain>

I need not go into detail about what other useful information
can be gleaned by making anonymous connections to a machine's
IPC$ share. Most security analysts worth their salt monitor a
great deal of activity across IPC$, and many Intrusion Detection
Systems also make extensive use of IPC$. For this reason, as
well as for ethical reasons, I only recommend experimenting
with IPC$ on your hacker laboratory LAN. For information on how
to set up a hacker laboratory LAN, visit http://happyhacker.org/winlan.html.
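As an added example (not a Resource Kit command and not part of the original digest), here is the monitoring side of the section above in Python: a scan over a simplified Security log export that flags anonymous network logons, which is what a null session to IPC$ leaves behind when logon auditing is switched on. The export format (one event per line, fields separated by "|") and every sample line are constructed; event IDs 528 and 540, the NT AUTHORITY\ANONYMOUS LOGON account and logon type 3 are the real values NT 4 and Windows 2000 record. On NT 4 SP3 and later, the RestrictAnonymous value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa is the setting that keeps anonymous connections from listing accounts and shares.

```python
"""Flag null-session (anonymous IPC$) logons in an NT Security log export.

Added example for this digest; it is not a Resource Kit tool. The input is a
constructed, simplified export with one event per line and "|"-separated
fields: date|time|event_id|user|domain|logon_type|workstation. A real Event
Viewer export has a different layout, but the matching rule is the same: a
successful logon event (528 on NT4, 540 for network logons on Windows 2000)
for NT AUTHORITY\\ANONYMOUS LOGON with logon type 3 (network) is what an
anonymous NET USE to a host's ipc$ share produces. Logon auditing has to be
enabled in User Manager for these events to exist at all.
"""
from collections import Counter

SUCCESSFUL_LOGON_EVENTS = {"528", "540"}
NETWORK_LOGON_TYPE = "3"
FIELDS = ("date", "time", "event_id", "user", "domain", "logon_type", "workstation")


def parse_line(line):
    """Split one export line into a dict, or return None if it is malformed."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != len(FIELDS):
        return None
    return dict(zip(FIELDS, fields))


def is_null_session(event):
    """True for an anonymous network logon, the footprint of a null session."""
    return (event["event_id"] in SUCCESSFUL_LOGON_EVENTS
            and event["logon_type"] == NETWORK_LOGON_TYPE
            and event["user"].upper() == "ANONYMOUS LOGON"
            and event["domain"].upper() == "NT AUTHORITY")


def null_sessions_by_source(lines):
    """Count anonymous logons per originating workstation."""
    counts = Counter()
    for line in lines:
        event = parse_line(line)
        if event is not None and is_null_session(event):
            counts[event["workstation"]] += 1
    return counts


def noisy_sources(lines, threshold=3):
    """Workstations with at least `threshold` anonymous logons.

    A domain controller sees a trickle of anonymous logons in normal
    operation; a burst from a single host looks like share or account
    enumeration and is worth a look.
    """
    counts = null_sessions_by_source(lines)
    return sorted(ws for ws, n in counts.items() if n >= threshold)


# Constructed sample lines (not from a real log).
SAMPLE_LOG = [
    "01/03/2000|09:12:01|528|jsmith|CORP|2|WS01",
    "01/03/2000|09:12:44|528|ANONYMOUS LOGON|NT AUTHORITY|3|WS17",
    "01/03/2000|09:12:45|528|ANONYMOUS LOGON|NT AUTHORITY|3|WS17",
    "01/03/2000|09:12:46|528|ANONYMOUS LOGON|NT AUTHORITY|3|WS17",
    "01/03/2000|09:12:47|528|ANONYMOUS LOGON|NT AUTHORITY|3|WS17",
    "01/03/2000|09:15:10|540|ANONYMOUS LOGON|NT AUTHORITY|3|WS02",
    "01/03/2000|09:16:02|528|backup|CORP|4|SRV01",
    "01/03/2000|09:17:30|529|ANONYMOUS LOGON|NT AUTHORITY|3|WS17",  # 529 = failed logon, not counted
    "this line is garbage",
]

if __name__ == "__main__":
    for ws, n in sorted(null_sessions_by_source(SAMPLE_LOG).items()):
        print(f"{ws}: {n} anonymous logon(s)")
    print("investigate:", ", ".join(noisy_sources(SAMPLE_LOG)) or "nothing")
```

The threshold is deliberately a parameter: what counts as a burst depends on how many hosts legitimately touch the machine's IPC$ share, so baseline it on a quiet day before alerting on it.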
*************************************************************************************
IE4 Easter Egg
Now who doesn't like showing off their mad computer skills
to their friends and/or colleagues? Here is a nice little Easter
Egg to impress your "less technically adept" friends
or co-workers.
1. Open Internet Explorer Version 4.0 (it must be IE4; Service
Packs are OK, but IE5 does not work).
2. Click on Help -> About Internet Explorer.
3. At this point you have a little "About Internet Explorer"
window open.
4. In the upper right-hand corner of this window is a little
miniature IE4 logo. Move your mouse pointer over the logo,
and with the CTRL key pressed and held, left-click and hold
onto the logo.
5. Now, with the logo on your cursor and still holding down the
CTRL key, drag the logo to the left side of the window, right below
the graphic of the globe.
6. Still with CTRL held down and the icon attached to your cursor,
quickly move your cursor from left to right across the "INTERNET
EXPLORER" bold text.
7. You will notice that the text slides off the screen toward
the right and a little box labeled "Unlock" is now
available.
8. With the CTRL key still held down, move the IE4 logo onto the
little bitmap of the globe located on the left side of the window.
9. Release the CTRL key and drop the logo onto the bitmap of the
globe by releasing the left mouse button.
10. Move your mouse over the "Unlock" box and left-click once.
11. ENJOY THE SHOW!
-Greggory Peck aka Tonehrz
Editors Notes
I am the new editor for the Happy Hacker Windows Digest. With
me comes a long career in the security field that has taken me
through the Department of the Navy, the hotel casino industry,
tradeshow industry and now into a side adventure of editing.
As my professional career has moved along through the years I
recognized that change only comes through suggestions. I encourage
everyone to submit their suggestions regarding topics they might
like to see in the future or what additions they might like to
have. If you have ideas for future topics please e-mail me and
let me know. I will be working towards making the HHWD a bit
more exciting to read and will speak with Carolyn about putting
up an area at http://www.happyhacker.org where we can do some
online polls, votes, and perhaps moderated message groups. Until
next time Happy Hacking!
_______________________________________________________________________
Unsubscribe with message
unsubscribe hh.
This is a list devoted to *legal* hacking! If anyone plans
to use any information in this Digest or at our Web site to commit
crime, go away! We like to put computer criminals behind bars
where they belong!
Unix editor Mike Miller unixeditor@techbroker.com;
Hacker Wargame Directors, Vincent Larsen vincent@sage-inc.com
and John Vranesevich <jp@antionline.com>;
Clown Princess: Carolyn Meinel <>
Happy Hacker is part of a 501 (c) (3) tax deductible
organization