From: Marc Maiffret (marcEEYE.COM)
Date: Fri Mar 23 2001 - 13:07:32 CST
I could be wrong about the following so let me know if you know for a _fact_
that I am.
|From: Bugtraq List [mailto:BUGTRAQSECURITYFOCUS.COM]On Behalf Of
|Preston W Chang
|Sent: Wednesday, March 21, 2001 3:13 PM
|Subject: Windows Sharing Allows Internet Tracking
|Usually, many intruders will go in with
|obreption and probably without anyone ever knowing without
|some sort of IDS suite or logging system besides that of
|When logging into a share via NetBIOS, on a NT-to-NT
|connection, the user connecting will have his/her Temporary
|Internet Files transferred onto the server which they have
That is incorrect. When you connect to a netbios share, i.e. net use x:
\\ip\terd$ bob /user:bob your temporary internet files are _not_
|You would find it in this type of path:
|c:\winnt\profiles\Administrator\Temporary Internet Files.
No. The only reason you came to this conclusion is because it "looks" like
this is what is happening.
C:\>net use q: \\ip\c$ bob /user:bob
Then if you go and connect to q:\winnt\profiles\administrator\temporary
internet files then yes you will get a listing of your local machine's temp
files and not the remote machine's BUT those files are not stored on the
remote machine, in fact Windows NT is actually redirecting your temp
internet files request back to your local machine. So while it might look
like the files have been transferred to the remote machine, they have not
been. Load up filemon (sysinternals.com).
|you believe that you are victim to an intruder, definitely
|check this folder. I have examined many of the NT "rootkit"
|techniques and suites, with none that include
|cleaning out the transferred cache.
That's because the cache doesn't get transferred. Well at least from what I
have seen, I could be completely wrong.
|Signed,
| Charles Chear [prestoregiononline.com]