AGAIN QUR3SHI HERE

Disable the default shares

Windows NT and Windows 2000 open hidden administrative shares on each PC for use by the system account. You can go to a command prompt and see them by typing NET SHARE.

You can disable the default shares two ways. 

One is to stop or disable the Server service, which totally removes the ability to share folders on your computer. This does not stop you from accessing shared folders on other computers if you keep the Microsoft Client option.

You can disable the Server service (via Control Panel > Administrative Tools > Services) by setting its startup type to Manual or Disabled; otherwise the service will start again the next time the computer is restarted. You could also disable File and Print Sharing as described in the closing unnecessary ports section.

The other way is via the Registry by editing HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters.

For Servers edit (or add) AutoShareServer with a REG_DWORD Value of 0. 

For Workstations, edit (or add) AutoShareWks with a REG_DWORD Value of 0.

Keep in mind that disabling these shares provides an extra measure of security, but may cause you problems in a local Windows-networked environment.

The default hidden shares are:

C$, D$, E$ (root of each partition): For a Windows NT Workstation/Windows 2000 Professional computer, only members of the Administrators or Backup Operators group can connect to these shared folders. For a Windows NT Server/Windows 2000 Server computer, members of the Server Operators group can also connect to them.

ADMIN$ (%SYSTEMROOT%): Used by the system during any remote administration of a computer. The path of this resource is always the Windows 2000/NT system root (the directory in which Windows 2000/NT is installed, usually C:\Winnt).

FAX$: On Windows 2000 Server, used by fax clients in the process of sending a fax. The shared folder temporarily caches files and accesses cover pages stored on the server.

IPC$: Temporary connections between servers using named pipes, essential for communication between programs. It is used during remote administration of a computer and when viewing a computer's shared resources. This share can be very dangerous and can be used to extract large amounts of information about your network, even by an anonymous account.

NetLogon: Used by the Net Logon service of a Windows 2000 and NT Server computer while processing domain logon requests.

PRINT$ (%SYSTEMROOT%\SYSTEM32\SPOOL\DRIVERS): Used during remote administration of printers.

Unfortunately this registry hack does NOT stop the IPC$ share, and this is a share that is often used by hackers to enumerate systems before an attack, since it can yield a wealth of information about your system names, your user names, and more. If your ACL permissions are not correct, or you haven't disabled anonymous user access, or you haven't disabled the guest account, then this share can lead to total system compromise within minutes!

Try the following command for yourself from a command line:

net use \\yourcomputername\IPC$ "" /user:""

If this command succeeds then you are at very serious risk of being hacked. From here a hacker may run any number of utilities (such as NetBIOS Auditing Tool) to access all your user names, including administrator, and then run a password cracking program to gain entry with higher level access rights. It is no good having disabled the administrative shares if this one is still open since a hacker can do everything from here.

Typically, having cracked a user password (ANY USER!) he will then proceed to open Control Panel/Administrative Tools/Computer Management and then select "Connect to remote computer". At this point he can see everything that you see in Computer Management, including your devices, services, etc. Typically he can then start the Telnet service and stop your firewall or other protection services such as anti-virus.

Before he does that he will use regedit.exe and enable a remote connection to your registry and disable the password requirements. He can then telnet straight to the command line on your PC and it's game over!

So what can you do to tie down your IPC$ share?

Well, you can go to Control Panel | Administrative Tools | Computer Management | Shares each time you boot and manually delete this share but that can get laborious and you will forget.

You can create a batch file containing a single line that you run every time you boot and log on:

net share IPC$ /delete

You could even set this so it runs automatically every time you log on by putting it in your Startup group. The problem comes if you need to leave your PC unattended. A DoS attack could cause a reboot of your PC, and with you not around the logon wouldn't happen, the batch file would not execute, and a hacker could have all the time in the world to play.

If you have a copy of the Windows 2000 or NT Resource Kit then you can install the AUTOEXNT.EXE file onto your PC. You will also need to copy the INSTEXNT.EXE file. Just copy these files to the winnt\system32 directory and create a batch file called autoexnt.bat and place this in the same directory. This should contain the single line:

net share IPC$ /delete

To install Autoexnt as a service type at the command line:

instexnt install

A registry key for the "AutoExNT" service will need to be added or modified in order to ensure that the "AutoExNT" service does not start before the LAN Redirector components of NT are completely up and running. To check and/or install this registry key follow these steps:

Start the Registry Editor by clicking Start | Run and typing regedt32.

Navigate to the HKEY_LOCAL_MACHINE hive.

Open the System | CurrentControlSet | Services | AutoExNT key.

Check for the existence of a "DependOnService" value on the right-hand side of the screen.

If the "DependOnService" value exists, add the following two entries to the bottom of the list:

LanManServer
LanManWorkstation

If the "DependOnService" value does not exist, highlight the "AutoExNT" service key on the left-hand side of the screen. Then choose Edit | Add Value from the menu. Type in "DependOnService" as the value name (without quotes) and choose REG_MULTI_SZ as the data type. Then click OK.

Now that the value exists, add the following two entries to the bottom of the list of the "DependOnService" value:

LanManServer
LanManWorkstation

Test your installation by rebooting your PC. Go to the Control Panel | Administrative Tools | Services program and make sure the Autoexnt service has started.

Then go to Control Panel | Administrative Tools | Computer Management | Shares and make sure the IPC$ share is gone.

You are now much safer from NetBIOS enumeration attacks. You can also use the autoexnt.bat file to run other programs automatically at startup, however you should carefully monitor that there are no unauthorised changes to this file since anyone else who gains access to your PC could add entries to the batch file!
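An audit script for the steps above, added here as an example (it is not Qur3shi's code): it reads the AutoShareServer and AutoShareWks values, lists which of the default hidden shares currently exist, and runs the same null-session test against the local computer. It assumes Windows PowerShell (3 to 5.1) run as a local administrator; the function and variable names are my own.

```powershell
# Added example, not the post's own code. Assumes Windows PowerShell 3 to 5.1, run as a local administrator.
$LanManParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

# AutoShareServer / AutoShareWks: 0 stops the C$, D$, ADMIN$ ... shares being created at boot; absent means the default, 1.
function Get-AutoShareSetting {
    param([Parameter(Mandatory)][string]$Name)
    $item = Get-ItemProperty -Path $LanManParams -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 1 }
    return [int]$item.$Name
}

# Sets both values to 0 as described above; takes effect at the next boot.
function Disable-AutoShares {
    foreach ($name in 'AutoShareServer', 'AutoShareWks') {
        Set-ItemProperty -Path $LanManParams -Name $name -Value 0 -Type DWord
    }
}

# Which of the default hidden shares from the list above exist right now; parses "net share" so it also works on older hosts.
function Get-DefaultHiddenShares {
    $known = 'ADMIN$', 'IPC$', 'FAX$', 'NETLOGON', 'PRINT$'
    $present = @()
    foreach ($line in (net share 2>$null)) {
        $name = ($line -split '\s{2,}')[0].Trim()
        if ($name -match '^[A-Z]\$$' -or $known -contains $name.ToUpper()) { $present += $name }
    }
    return $present
}

# The null-session self-test from the post (empty user name and password). Exit code 0 means anonymous
# connections to IPC$ are still accepted; the session is deleted again so the audit leaves nothing behind.
function Test-NullSession {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $share = '\\' + $ComputerName + '\IPC$'
    $null = net use $share '""' /user:'""' 2>&1
    $accepted = ($LASTEXITCODE -eq 0)
    if ($accepted) { $null = net use $share /delete 2>&1 }
    return $accepted
}

function Get-ShareHardeningReport {
    [pscustomobject]@{
        AutoShareServer      = Get-AutoShareSetting -Name 'AutoShareServer'
        AutoShareWks         = Get-AutoShareSetting -Name 'AutoShareWks'
        DefaultSharesPresent = (Get-DefaultHiddenShares) -join ', '
        NullSessionAccepted  = Test-NullSession
    }
}

Get-ShareHardeningReport | Format-List
```

A report showing IPC$ present and NullSessionAccepted set to True is exactly the condition the post warns about; Disable-AutoShares covers only the AutoShare values, so IPC$ still needs the autoexnt.bat approach above.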

If you don't have the Autoexnt file and need to leave your PC unattended then you should DISABLE all file sharing by following our instructions.

Regards.
Qur3shi.

SHARING THE KNOWLEDGE BECAUSE KNOWLEDGE IS A POWER.
contact me at 03009246212 after 5:00 PM.
