Bugtraq mailing list archives
Re: Windows Sharing Allows Internet Tracking
From: Marc Maiffret <marc () EEYE COM>
Date: Fri, 23 Mar 2001 11:07:32 -0800
I could be wrong about the following so let me know if you know for a _fact_ that I am.

|-----Original Message-----
|From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of
|Preston W Chang
|Sent: Wednesday, March 21, 2001 3:13 PM
|To: BUGTRAQ () SECURITYFOCUS COM
|Subject: Windows Sharing Allows Internet Tracking

<snip>

|Usually, many intruders will go in with
|obreption and probably without anyone ever knowing without
|some sort of IDS suite or logging system besides that of
|NT's.

<snip>

|When logging into a share via NetBIOS, on a NT-to-NT
|connection, the user connecting will have his/her Temporary
|Internet Files transferred onto the server which they have
|connected to.

That is incorrect. When you connect to a netbios share, i.e.

    net use x: \\ip\terd$ bob /user:bob

your temporary internet files are _not_ transferred.

|You would find it in this type of path:
|c:\winnt\profiles\Administrator\Temporary Internet Files.

No. The only reason you came to this conclusion is because it "looks" like this is what is happening.

    C:\>net use q: \\ip\c$ bob /user:bob

Then if you go and connect to q:\winnt\profiles\administrator\temporary internet files then yes you will get a listing of your local machine's temp files and not the remote machine's BUT those files are not stored on the remote machine, in fact Windows NT is actually redirecting your temp internet files request back to your local machine. So while it might look like the files have been transferred to the remote machine, they have not been. Load up filemon (sysinternals.com).

|If
|you believe that you are victim to an intruder, definitelySigned,
|check this folder. I have examined many of the NT "rootkit"
|techniques and suites, with none that include
|cleaning out the transferred cache.

That's because the cache doesn't get transferred. Well at least from what I have seen, I could be completely wrong.

| Cheers,
| Charles Chear [presto () regiononline com]
| http://presto.tpgn.net

Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris/ - Network Traffic Analyzer
Current thread:
- Windows Sharing Allows Internet Tracking Preston W Chang (Mar 22)
- Re: Windows Sharing Allows Internet Tracking 3APA3A (Mar 23)
- Re: Windows Sharing Allows Internet Tracking Marc Maiffret (Mar 25)
- <Possible follow-ups>
- Windows Sharing Allows Internet Tracking Bill Sobel (Mar 26)
- Re: Windows Sharing Allows Internet Tracking Adam Carter (Mar 26)