October 21, 2008 / technocrawl

Removing Hidden Shares from Win32 Boxes

NetBIOS opens a way in for intruders on a LAN when its port is reachable. The default NetBIOS port is 139, and if it is open, attackers can take advantage of the default hidden shares present on a Windows box, specifically the IPC$ share (IPC – Inter Process Connect). The attacker can exploit this using nothing more than the ‘net use’ command that ships with Windows itself: they establish a remote connection via IPC$ and, once connected, can remotely create a user account on the compromised box, establish a telnet connection and easily root the box.

Here is a countermeasure that can be taken to avoid this sort of attack.

By default, Windows 2000, Windows XP and WinNT automatically enable the hidden shares (admin$, c$, d$ and IPC$ – Inter Process Connect).

The following registry key will help you disable the hidden shares.

System Key: [HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > LanmanServer > Parameters]
Value Name: AutoShareWks
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disable shares, 1 = enable)

Alternatively, go to Run and type compmgmt.msc; this opens Computer Management. There, click ‘Shared Folders’, then ‘Shares’, and delete the shares that you want to remove.

Note: To remove the admin share for only the current session, use the second method (Computer Management console); if you want a permanent removal, add the AutoShareWks value in the registry.
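The registry change above can be audited and applied from a script. This is an added example, not part of the original post; it assumes an elevated Windows PowerShell session, and the function names are hypothetical.

```powershell
# Added example: audit and apply the AutoShareWks setting described above.
# Assumption: run from an elevated Windows PowerShell prompt.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$name = 'AutoShareWks'

function Get-AutoShareState {
    # Report how the value is currently configured.
    $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $prop)    { return 'not set (hidden shares are created by default)' }
    if ($prop.$name -eq 0)  { return 'disabled (0)' }
    return "enabled ($($prop.$name))"
}

function Get-AdminShare {
    # Win32_Share.Type values of 2147483648 and above mark administrative
    # shares (for example C$, ADMIN$ and IPC$).
    Get-WmiObject -Class Win32_Share |
        Where-Object { $_.Type -ge 2147483648 } |
        Select-Object Name, Path, Type
}

function Disable-AutoShare {
    # Create the REG_DWORD value, or overwrite it if it already exists.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force |
        Out-Null
}

Write-Output "AutoShareWks before: $(Get-AutoShareState)"
Write-Output 'Administrative shares currently published:'
Get-AdminShare | Format-Table -AutoSize

Disable-AutoShare
Write-Output "AutoShareWks after:  $(Get-AutoShareState)"

# The Server service reads this value when it starts, so shares that are
# already published stay until the service is restarted or the box is rebooted.
# Run Get-AdminShare again afterwards to confirm what is still exposed.
```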
