Walking through SMB Tracking

Feb 10, 2012 6:25 AM

When you connect your computer to a public network (a restaurant, cafe, airport, and so on), you have to be careful with your personal data. If you forgot to disable file sharing on your PC/notebook, your shared data is in danger!!! Why? Think of how your notebook lives in your office: when you power it on there, sharing data on a trusted network is not a problem. Then you go to a public area and connect your notebook to the public network around you. Don't forget to disable your file shares, unless you have protected them with a password. This is a common negligence all over the world.



OK, we'll sharpen the discussion about data tracking that results from the negligence described in the previous paragraph. It happens when you sit in a public area and connect your notebook to the public network, and, for example, you forgot to disable file sharing on your notebook. When you connect your notebook to the public network (public wifi), there are several men or women around you using the same public service. In this situation you are on the same network as the people around you.

While you are on the same network as other people, someone can access your computer and your shares. So, don't forget to disable all file shares while you are on a public (untrusted) network. With a few little Samba tricks we can see the data that is spread across the network through the SMB protocol. Those tricks are shown below.

0x01. First we answer the question: "who is online on the network?". nmap gives us the answer.

root@war49:/home/war49# nmap -n -sP 192.168.1.0/24
Starting Nmap 5.21 ( http://nmap.org ) at 2011-05-04 13:21 WIT
Nmap scan report for 192.168.10.1
Host is up (0.0040s latency).
MAC Address: 00:26:5A:BC:8E:21 (D-Link)
Nmap scan report for 192.168.10.3
Host is up (0.0039s latency).
MAC Address: 00:26:5A:BC:8E:21 (D-Link)
Nmap scan report for 192.168.10.5
Host is up (0.0055s latency).
MAC Address: 00:22:58:14:27:B3 (Taiyo Yuden Co.)
Nmap scan report for 192.168.10.16
Host is up (0.12s latency).
MAC Address: 1C:4B:D6:DF:34:F8 (AzureWave)
Nmap scan report for 192.168.10.19
Host is up (0.040s latency).
MAC Address: 00:0E:E8:D6:4C:E1 (zioncom)
Nmap scan report for 192.168.10.22
Host is up (0.10s latency).
MAC Address: D8:A2:5E:8C:E6:2C (Unknown)
Nmap scan report for 192.168.10.23
Host is up (0.0025s latency).
MAC Address: 00:23:69:6C:62:9F (Cisco-Linksys)
Nmap scan report for 192.168.10.26
Host is up.
Nmap scan report for 192.168.10.28
Host is up (0.030s latency).
MAC Address: 90:4C:E5:24:91:D6 (Hon Hai Precision Ind. Co.)
Nmap scan report for 192.168.10.30
Host is up (0.035s latency).
MAC Address: 1C:4B:D6:E0:58:29 (AzureWave)
Nmap scan report for 192.168.10.31
Host is up (0.065s latency).
MAC Address: 74:EA:3A:94:6D:75 (Unknown)
Nmap scan report for 192.168.10.38
Host is up (0.16s latency).
MAC Address: 00:16:44:74:06:6C (Lite-on Technology)
Nmap scan report for 192.168.10.40
Host is up (0.0014s latency).
MAC Address: 00:23:69:77:CE:3C (Cisco-Linksys)
Nmap scan report for 192.168.10.41
Host is up (0.018s latency).
MAC Address: 48:5D:60:9F:70:98 (Unknown)
Nmap scan report for 192.168.10.45
Host is up (0.024s latency).
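As an added example (not from the original post), here is a small POSIX shell/awk parser for the nmap -n -sP output above, written from the defender's side of the table: it turns the sweep into an IP / MAC / vendor inventory, marks the host that has no MAC line (nmap prints none for the machine it runs on, which is why 192.168.10.26 above has none), and flags any MAC address that shows up on more than one IP, as 00:26:5A:BC:8E:21 does on .1 and .3 above. The sample input is a constructed excerpt of the page's own scan; parse_nmap_sweep and shared_macs are names I chose.

```shell
#!/bin/sh
# Added example: turn an "nmap -n -sP" ping sweep into a host inventory.
# Not part of the original post; function names and the sample are mine.

# Constructed sample: an excerpt of the sweep shown in the post.
SWEEP='Starting Nmap 5.21 ( http://nmap.org ) at 2011-05-04 13:21 WIT
Nmap scan report for 192.168.10.1
Host is up (0.0040s latency).
MAC Address: 00:26:5A:BC:8E:21 (D-Link)
Nmap scan report for 192.168.10.3
Host is up (0.0039s latency).
MAC Address: 00:26:5A:BC:8E:21 (D-Link)
Nmap scan report for 192.168.10.26
Host is up.
Nmap scan report for 192.168.10.28
Host is up (0.030s latency).
MAC Address: 90:4C:E5:24:91:D6 (Hon Hai Precision Ind. Co.)'

# parse_nmap_sweep: stdin = nmap output, stdout = "ip<TAB>mac<TAB>vendor" per host.
# A host without a "MAC Address" line (the scanning machine itself) gets "-".
parse_nmap_sweep() {
    awk '
    /^Nmap scan report for / { ip = $5; order[++n] = ip; mac[ip] = "-"; vendor[ip] = "-"; next }
    /^MAC Address: / {
        mac[ip] = $3
        v = $0; sub(/^MAC Address: [^ ]+ /, "", v); gsub(/[()]/, "", v)   # keep vendor text only
        vendor[ip] = v; next
    }
    END { for (i = 1; i <= n; i++) printf "%s\t%s\t%s\n", order[i], mac[order[i]], vendor[order[i]] }'
}

# shared_macs: stdin = parse_nmap_sweep output; prints each MAC seen on more than one IP
# (one device with several addresses, or a host answering for addresses that are not its own).
shared_macs() {
    awk -F'\t' '$2 != "-" { seen[$2]++ } END { for (m in seen) if (seen[m] > 1) print m }'
}

# Stand-alone run: inventory, then the MACs that appear more than once.
printf '%s\n' "$SWEEP" | parse_nmap_sweep
printf '%s\n' "$SWEEP" | parse_nmap_sweep | shared_macs
```

The point for the notebook owner is that this inventory is exactly what every other client on the cafe wifi can build about you in a few seconds, vendor name included, before anyone has looked at a single share.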


0x02. While you sit there connected to the public network, you can be tracked easily. This part shows "what computer names and shares are on the network". But before you run this, you should disable your own shares. I just commented out the share in my smb.conf, like this:

#[war49 share]
# comment = my share
# path = /home/wardi
# valid users = wardi
# public = yes
# writable = yes
# printable = no
# security = share
# create mask = 0765
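Here is an added example, not from the original post, that does the same job as a check instead of by hand: a small POSIX shell/awk audit that reads an smb.conf and reports the settings that make a share reachable by strangers on a public network. It also serves the closing suggestion of this post, since it prints the weak config beside a hardened one. The two configs embedded in it are constructed samples: the first is the post's share as it was before it was commented out, with "security = share" moved to [global] where smbd actually reads it; the second is a hardened counterpart that requires user authentication, refuses guests, and lets smbd answer only the office subnet on the wired interface. The function name audit_smb_conf, the subnet 192.168.10.0/24 and the interface name eth0 are my own choices.

```shell
#!/bin/sh
# Added example: audit an smb.conf for shares that anyone on the network can reach.
# Not part of the original post. Function name and sample configs are my own.

# Constructed sample 1: the post's share before it was commented out, with
# share-level security in [global] (typical of old Samba 3 setups).
WEAK_CONF='[global]
   workgroup = WORKGROUP
   security = share

[war49 share]
   comment = my share
   path = /home/wardi
   valid users = wardi
   public = yes
   writable = yes
   printable = no
   create mask = 0765
'

# Constructed sample 2: hardened counterpart. User-level auth, no guest access,
# and smbd only answers the office subnet (assumed 192.168.10.0/24) on the wired interface.
SAFE_CONF='[global]
   workgroup = WORKGROUP
   security = user
   map to guest = Never
   hosts allow = 192.168.10.0/24 127.0.0.1
   hosts deny = ALL
   interfaces = lo eth0
   bind interfaces only = yes

[war49 share]
   comment = my share
   path = /home/wardi
   valid users = wardi
   guest ok = no
   writable = yes
   browseable = no
'

# audit_smb_conf: reads smb.conf text on stdin, prints one line per risky setting.
# Prints nothing when the config passes.
audit_smb_conf() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/ { next }                      # skip comments, as smbd does
    /^[ \t]*\[/ {                               # [section] header
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        sections[++n] = sec; next
    }
    /=/ {                                       # key = value, normalised to lower case
        eq = index($0, "=")
        key = tolower(trim(substr($0, 1, eq - 1)))
        val = tolower(trim(substr($0, eq + 1)))
        conf[sec, key] = val; next
    }
    END {
        if (conf["global", "security"] == "share")
            print "global: security = share (share-level auth; use security = user)"
        if (!(("global", "hosts allow") in conf))
            print "global: no hosts allow (every address that reaches port 445 may connect)"
        for (i = 1; i <= n; i++) {
            s = sections[i]
            if (s == "global") continue
            # "public" is a synonym of "guest ok" in smb.conf
            if (conf[s, "public"] == "yes" || conf[s, "guest ok"] == "yes")
                print s ": guest access enabled (public / guest ok = yes)"
        }
    }'
}

# Stand-alone run: the weak config yields three findings, the hardened one none.
printf '%s\n' "$WEAK_CONF" | audit_smb_conf
printf '%s\n' "$SAFE_CONF" | audit_smb_conf
```

Against the live file it is simply audit_smb_conf < /etc/samba/smb.conf. Note that "hosts allow" only helps while the notebook keeps the office address range; on a cafe wifi with a different subnet the hardened config answers nobody, which is the intended outcome, and stopping smbd altogether (what commenting the share out achieves) remains the simplest fix.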

If you have a browser that runs in text mode, like links, you can obtain the list of machine names running on the network. Of course, your browser has to support the smb protocol to track down the machine names. In this illustration my machine name is WAR49, and I can track my neighbours. These machines are not in the same workgroup or domain as mine; their workgroups/domains are different.

root@war49:/home/war49# links smb:\\WAR49
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.2.5]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server)
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.2.5]
Server Comment
--------- -------
GREAT_POWER <- (my neighbor)
LUKMANSIREGAR <- (my neighbor)
ACER-1DD0BBC6D0 <- (my neighbor)
CNUNG-PC <- (my neighbor)
WAR49 Samba Server
Workgroup Master
--------- -------
NONE BLACKXP <- (my neighbor)
MSHOME MIRANDA <- (my neighbor)
DIGITAL VIVIE <- (my neighbor)
INFINITY METANOL <- (my neighbor)
WORKGROUP WAR49 <- (my machine)
... (cut here).


0x03. Track... and... track!!! Our main target is not the computer name but the data. Through their negligence they share data that should not be known by others. You can track it with the SMB protocol as shown below. For example, I pick the machine named METANOL, which runs on a Windows system.

smb:\\METANOL\
Domain=[METANOL] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
Sharename Type Comment
--------- ---- -------
Documents and Settings Disk
E$ Disk Default share
IPC$ IPC Remote IPC
D$ Disk Default share
Alucard Disk
Longinus (H) Disk
Utopia (E) Disk
Explode (K) Disk
System(C) Disk
Harddisk Ibu Disk
Euphoria (D) Disk
LONGINUS (Q) Disk
New (F) Disk
ESP (Q) Disk
ADMIN$ Disk Remote Admin
C$ Disk Default share
I Disk
J Disk
H Disk
BAsafj (Q) Disk
Domain=[METATRON] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
Server Comment
--------- -------
Workgroup Master


Of course, with your links browser you can track the contents of the disks (C), (D), (E), (F), etc.

smb:\\METATRON\Utopia (E)
Domain=[METATRON] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
022a2ba03987ff44e362ad49fa2d1d3c.png A 496210 Sat Mar 28 18:29:40 2009
adadeh.torrent A 15073 Thu Feb 19 16:04:30 2009
agth D 0 Fri Mar 20 21:18:58 2009
as.txt A 1278 Fri Mar 13 16:26:59 2009
Assembly D 0 Sun Jul 27 19:05:19 2008
My Music + pictures D 0 Mon Dec 22 15:55:35 2008
... (cut here)


Finally, you can download all of the data to your computer easily.

0x04. Suggestion
Your data is yours; your data is your property. If it is private, only you, or a partner you trust, should have access to it, and you should not share it in a public area. The evils around you are hungry.. XD XD XD.
