[19831] in bugtraq
Re: Windows Sharing Allows Internet Tracking
daemon@ATHENA.MIT.EDU (Marc Maiffret)
Mon Mar 26 01:01:29 2001
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-ID: <EIEOJCKGEPCLJHGCNNOPCEFOCFAA.marc@eeye.com>
Date: Fri, 23 Mar 2001 11:07:32 -0800
Reply-To: Marc Maiffret <marc@EEYE.COM>
From: Marc Maiffret <marc@EEYE.COM>
X-To: Preston W Chang <presto@REGIONONLINE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <web-8203873@post2.rnci.com>
I could be wrong about the following so let me know if you know for a _fact_
that I am.
|-----Original Message-----
|From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM]On Behalf Of
|Preston W Chang
|Sent: Wednesday, March 21, 2001 3:13 PM
|To: BUGTRAQ@SECURITYFOCUS.COM
|Subject: Windows Sharing Allows Internet Tracking
<snip>
|Usually, many intruders will go in with
|obreption and probably without anyone ever knowing without
|some sort of IDS suite or logging system besides that of
|NT's.
<snip>
|When logging into a share via NetBIOS, on a NT-to-NT
|connection, the user connecting will have his/her Temporary
|Internet Files transferred onto the server which they have
|connected to.
That is incorrect. When you connect to a NetBIOS share, i.e. net use x:
\\ip\terd$ bob /user:bob, your temporary internet files are _not_
transferred.
|You would find it in this type of path:
|c:\winnt\profiles\Administrator\Temporary Internet Files.
No. The only reason you came to this conclusion is because it "looks" like
this is what is happening.
C:\>net use q: \\ip\c$ bob /user:bob
Then if you go and connect to q:\winnt\profiles\administrator\temporary
internet files then yes, you will get a listing of your local machine's temp
files and not the remote machine's, BUT those files are not stored on the
remote machine; in fact Windows NT is actually redirecting your temp
internet files request back to your local machine. So while it might look
like the files have been transferred to the remote machine, they have not
been. Load up filemon (sysinternals.com).
|If
|you believe that you are victim to an intruder, definitely
|check this folder. I have examined many of the NT "rootkit"
|techniques and suites, with none that include
|cleaning out the transferred cache.
That's because the cache doesn't get transferred. Well at least from what I
have seen, I could be completely wrong.
| Cheers,
| Charles Chear [presto@regiononline.com]
| http://presto.tpgn.net
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris/ - Network Traffic Analyzer
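The check below is an added example and is not part of the thread or eEye's tooling. It puts Marc's point to the test on a remote profile reached over an administrative share: it lists the "Temporary Internet Files" folder once through the raw file system (what is on the remote disk) and once through the Explorer shell (which honours the desktop.ini redirect), then counts how many names in each view also exist in the local cache. The share path, the NT profile layout and the use of Shell.Application to reproduce the Explorer view are assumptions.

```powershell
# Added example, not from the original thread. Compares three views of a
# "Temporary Internet Files" folder reached over an administrative share:
# the raw SMB directory listing, the Explorer shell view, and the local cache.
# Share path and profile layout are placeholders/assumptions.
$RemoteProfile = '\\SERVER\c$\winnt\profiles\Administrator'   # placeholder
$LocalCache    = Join-Path $env:USERPROFILE 'Local Settings\Temporary Internet Files'  # assumed layout
$RemoteCache   = Join-Path $RemoteProfile 'Temporary Internet Files'

function Get-RawNames([string]$Path) {
    # Get-ChildItem talks to the file system (here, the SMB share) directly and
    # never consults the shell namespace extension, so this is what is on disk.
    @(Get-ChildItem -LiteralPath $Path -Force -Recurse -File -ErrorAction SilentlyContinue |
      ForEach-Object { $_.Name.ToLowerInvariant() })
}

function Get-ShellNames([string]$Path) {
    # Shell.Application resolves the folder the way Explorer does, so a desktop.ini
    # CLSID redirect (the view the original poster was looking at) takes effect here.
    $folder = (New-Object -ComObject Shell.Application).NameSpace($Path)
    if (-not $folder) { return @() }
    @($folder.Items() | ForEach-Object { $_.Name.ToLowerInvariant() })
}

function Get-Overlap([string[]]$A, [string[]]$B) {
    # Number of names in $A that also appear in $B (0 when either list is empty).
    if (-not $A -or -not $B) { return 0 }
    $set = [System.Collections.Generic.HashSet[string]]::new([string[]]$B)
    @($A | Where-Object { $set.Contains($_) }).Count
}

$raw   = Get-RawNames   $RemoteCache
$shell = Get-ShellNames $RemoteCache
$local = Get-RawNames   $LocalCache

# A desktop.ini carrying a CLSID is what makes Explorer treat the folder specially.
$ini = Join-Path $RemoteCache 'desktop.ini'
$redirected = (Test-Path -LiteralPath $ini) -and
              (Select-String -LiteralPath $ini -Pattern 'CLSID' -Quiet)

# A large ShellNamesAlsoLocal next to a small OnDiskNamesAlsoLocal means the shell
# view is showing your own cache, not files copied to the remote host.
[pscustomobject]@{
    RemoteFilesOnDisk      = $raw.Count
    RemoteFilesViaShell    = $shell.Count
    ShellNamesAlsoLocal    = Get-Overlap $shell $local
    OnDiskNamesAlsoLocal   = Get-Overlap $raw   $local
    RemoteHasShellRedirect = $redirected
}
```

Run it from the machine that mapped the share; a Filemon/Process Monitor trace taken at the same time shows the shell-view reads landing on the local disk rather than on the SMB connection.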