From: Marc Maiffret (marcEEYE.COM)
Date: Fri Mar 23 2001 - 13:07:32 CST


    I could be wrong about the following so let me know if you know for a _fact_
    that I am.

    |-----Original Message-----
    |From: Bugtraq List [mailto:BUGTRAQSECURITYFOCUS.COM]On Behalf Of
    |Preston W Chang
    |Sent: Wednesday, March 21, 2001 3:13 PM
    |To: BUGTRAQSECURITYFOCUS.COM
    |Subject: Windows Sharing Allows Internet Tracking
    <snip>
    |Usually, many intruders will go in with
    |obreption and probably without anyone ever knowing without
    |some sort of IDS suite or logging system besides that of
    |NT's.
    <snip>
    |When logging into a share via NetBIOS, on a NT-to-NT
    |connection, the user connecting will have his/her Temporary
    |Internet Files transferred onto the server which they have
    |connected to.

    That is incorrect. When you connect to a netbios share, i.e. net use x:
    \\ip\terd$ bob /user:bob your temporary internet files are _not_
    transferred.

    |You would find it in this type of path:
    |c:\winnt\profiles\Administrator\Temporary Internet Files.

    No. The only reason you came to this conclusion is because it "looks" like
    this is what is happening.

    C:\>net use q: \\ip\c$ bob /user:bob

    Then if you go and connect to q:\winnt\profiles\administrator\temporary
    internet files then yes you will get a listing of your local machine's temp
    files and not the remote machine's BUT those files are not stored on the
    remote machine, in fact Windows NT is actually redirecting your temp
    internet files request back to your local machine. So while it might look
    like the files have been transferred to the remote machine, they have not
    been. Load up filemon (sysinternals.com).

    |If
    |you believe that you are a victim to an intruder, definitely
    |check this folder. I have examined many of the NT "rootkit"
    |techniques and suites, with none that include
    |cleaning out the transferred cache.

    That's because the cache doesn't get transferred. Well at least from what I
    have seen, I could be completely wrong.

    | Cheers,
    | Charles Chear [prestoregiononline.com]
    | http://presto.tpgn.net

    Marc Maiffret
    Chief Hacking Officer
    eEye Digital Security
    T.949.349.9062
    F.949.349.9538
    http://eEye.com/Retina - Network Security Scanner
    http://eEye.com/Iris/ - Network Traffic Analyzer