port 139

Started by Neodk, October 05, 2004, 04:25:17 PM

Hey...

Port 139 on Windows computers is mostly open, and there is some kind of worm (Sasser, I think) that uses that port. What is it this Sasser worm does, and how? Does anyone know?

Hi,

More than Sasser uses that port. It's quite a well-known port and there are many exploits for it (read: programs that abuse it, not necessarily 'exploit' it).

For info on Sasser, you can check most antivirus companies. For example, Symantec has the following info on it:
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html

Hope that helps.

Met

"My Terminal is my Soul"

K, thx. But I was more interested in what and how, e.g., a virus makes a buffer overflow...

Hi,

I thought the page I gave did explain that. Or maybe you mean as far as code ?

Only thing I can suggest is exploit the vuln it uses and then learn more about the code it uses. I mean, I don't know if I'm even answering your question.

Are you after the code itself or ?

I think that you have some options.. one is to try to get the source (very good way to learn is by reading code) or find an article on the hole itself. Even better is doing both.. code and the vuln.

Does that help you get a start or am I way off ?

Met
"My Terminal is my Soul"

Okay, thx for that... Now I'm actually getting further. I have now established a null session using IPC$, but how do I then get further? If I, e.g., want an admin account or write access to a drive, I can't seem to get the commands I know to work :(

Well this isn't something I'm very familiar with, but, I would have to know what commands you're referring to.

I would also suggest just looking up info on it. Often a web search will yield what you need.

Don't know without more info of what you're trying to do though.

Let me know and I'll try to help more.

Met
"My Terminal is my Soul"

I have searched but didn't really find anything useful... I tried the net use command but I can't get it to work...

http://www.brown.edu/Facilities/CIS/CIRT/help/netbiosnull.html

^^^ I have looked at that...

Hey,

Well, I don't know how I can really help. I don't know much about NetBIOS (I actually stay away from it and do not have it enabled on my win box). Windows isn't my place of expertise either, I'm afraid.

I don't know though.. what have you tried doing exactly? I don't know if I can help, but if I had what you tried and the setup, so to speak, I might be able to figure it out.

That or someone else on the board here. That is, if someone else checks it soon.

Let me know either way ...

Btw, maybe this is of some help or do you know this bit already ?

http://www.digitaltrust.it/arachnids/IDS204/event.html

Also, that script on the link you mentioned.. have you looked at that ?

Just some thoughts.

Take care,
Met
"My Terminal is my Soul"

I wanna learn something about security and how to gain admin control, so to start off I have set up an old machine in my room with Windows XP only, and now I wanna try to see if I can hack it... It probably sounds easy for you... But I wanna try to hack it to understand how it works... I have used Google and from there learned some NetBIOS cmds and how to make a null session... but when I have made a null session I can't get it to mount any shares on the target PC and I don't know what the next thing is I should go for to get admin rights...

I hope there is someone that can help me...

Quick idea..

I assume you got an error message or some sort of message anyway, when trying to do the mounting...

What does the error say ? And have you tried looking it up in google ? I know I've had some whacky errors before when doing some things and it has helped. Granted it might not. I did look at google on netbios null sessions, but didn't find much, but it might be worth a try.

If not, I'll see if I can get some more info or get someone who might know this to respond.


Met

"My Terminal is my Soul"

Yeah, can't remember it... but it is when I try to use the "net use" cmd... =(

Windows is really difficult to hack from another Windows box and even Linux, not in the sense that it's secure, but because it lacks a good remote shell, so sending it commands is difficult w/o a hole. Thankfully (if you are hacking into a Windows box, that is), it's got lots of holes. haha

TCP/139 = NetBIOS Session (TCP), Windows File and Printer Sharing

139 is also a port RPC listens on, though only 1 of many. It's basically the way Windows boxen talk to one another and issue commands over a network. It's a scaled-down remote shell which only accepts commands remotely and is what in an NT/Active Directory environment allows admins to view Event Logs, change passwords, see print jobs, etc. on remote network machines. Damn near every Windows internal client/server function relies on RPC. All the ports it listens on are dynamically assigned from 1024 to 65,535, though some specific services are restricted to specific ports. Some versions of Windows allow you to change the ports for some RPC functions via the registry.

Just a little info for you.
"A well known hacker is a good hacker, an unknown hacker is a great hacker..."

I don't care what your parents told you, you aren't special.
  • https://github.com/tazinator

Tazinator, thx for the info... but what do I do when I have established a null session and the sharing is running? I can't get the "net use" cmd to work....! So annoying

What ver of Windows and SP level?
"A well known hacker is a good hacker, an unknown hacker is a great hacker..."

I don't care what your parents told you, you aren't special.
  • https://github.com/tazinator
