Windows Edition, Jan 3., 2000
_______________________________________________________________________
See the Happy Hacker web site at http://www.happyhacker.org
Your local firewall blocks you? Try http://happyhacker.org
_______________________________________________________________________
Opening Comments
URL's
How to locate hidden shares in NT
Quick Tips
Anonymous connections to IPC$
IE4 EasterEgg
Editor's Comments
******************************************************************
Opening Comments
Perhaps long overdue but certainly welcome, Happy Hacker (HH) brings you a long-awaited Windows Digest (WD). As you might imagine, much has transpired over the last 8 months, both in the hacker and in the cracker community. My original thought was to try to put together an end-of-the-year review for this edition; after some thought, however, I didn't see the point in duplicating efforts. I've included a hyperlink to HackerNews.Com and their end-of-the-year review. I will try to start including an interesting Easter Egg or two that can be used to impress your friends and co-workers from time to time. I'm also strongly considering carrying over something similar to the "quick tips" from Anti-Online, and I'd like to begin actively soliciting the opinions of our readers as well on certain issues. I'll be speaking with Carolyn in more detail in the weeks to come regarding making available to you, the reader, an online voting and poll booth. If you have any comments, questions and/or suggestions, please feel free to e-mail me at wineditor@happyhacker.org.
URL's

Gov't afraid of Y2K Crackers? You decide.
http://news.excite.com/news/r/991228/14/net-yk-hackers

Are you an IT Manager who has hired a Hacker and are having difficulties communicating or are unsure how to deal with this person? This URL might be for you.
http://www.plethora.net/%7Eseebs/faqs/hacker.html

New to the hacking community? Really want to know how to become a wizard hacker? This is a must-read, then, from the author who brought you "Hacker Jargon".
http://www.tuxedo.org/~esr/faqs/hacker-howto.html

Short Overview of 1999's hacker news.
http://www.hackernews.com/special/1999/99topstories.html

How to locate Hidden Shares in NT
Some time ago Carolyn posed the question "What are some different ways to locate hidden shares on NT Networks?" Reader response has been great, and I've included some of the different responses, edited for technical correctness and grammar where applicable.

Carolyn,

To see hidden shares on an NT box you would/could use the NT Resource Kit. The tool is called NETWATCH.
Scenario 1: I am an Admin and I want to check my boxes...I simply execute the program from the command line giving it the IP of the server that I want to check and type "Ctrl+H" to reveal hidden shares.
OR
Scenario 2: When used with LMHosts/IPC Mapping, this tool can be used to bypass "Trust" relationships between NT servers. Example: Server A does not trust Server B and vice versa. Well, I am an "admin" on A and I want to know all the hidden shares on B. By invoking this program while connecting to the IPC$ share....
:) You get ALL the shares.

Respectfully,
-Michael Vaughan
MCSE, A++
Web Site: http://www.nku.edu/~vaughan
Mail: vaughan@nku.edu
ICQ: 20031116

[Editors Note: It is also possible to shut down and/or monitor the IPC$ using NETWATCH. I strongly recommend either disabling IPC$ (providing your computing environment allows for such) or monitoring it with NETWATCH for reasons I will list later in the digest. I have confirmed both scenarios and they both work splendidly.]

First of all allow me to thank you for taking your time to address and compile questions/answers to challenge and enlighten the eager amateur and novice hackers on the Net. I've been on the net since early 1996, when the ISP where I worked had a 19kbps data channel (yiques!), and I thank you guys for making this digest to the best of your abilities.

Well. The last digest asks for help in NT security (NT security is my middle name!) regarding hidden shares. The simplest way to locate hidden shares is to perform the following, which requires administrative rights:
A) From Administrative Tools, go into the Server Manager.
Select the computer you wish to view. Go to Computer → Shared Directories. This will show you the shared directories, even the ones w/ $ on the end. If you do this on a server, you'll even see the admin$, the printer$ (which are NT defaults).

There is another way to do this, through the NET command line. It will take me some time to get the full text about that because I have to work in a little bit, but I will send it up ASAP.

Thank you for the opportunity

----------------------------------------------------------------------------
"Sic pas pacem, para bellum" (if u wanna peace, get ready for war)
----------------------------------------------------------------------------
Anderson L. Ravanello
[Editors Note: The command for viewing hidden shares locally from the command prompt is simply "NET SHARE".]

Sorry about this... I bet you know this already... You can install server tools for Windows 95 by making disks in NT with Client Manager. You can use Server Manager from a Windows 95/98 box to view hidden shares as well.
Hope this helps

Benjamin Cook
[Editors Note: I placed Benjamin's comments here because he brought up a good point. Most of the tools found in administrative tools on your WinNT server can be loaded onto WinNT Workstation or Windows 95/98 client machines for management. Administrators of networks typically have these tools loaded on their workstation machine at their desk to prevent having to run to the server every time they need to make a change.]

Hi Carolyn. It's been a while since I've written.

To answer your request in the last email you sent, here is a script that will find hidden shares on the network.

One of the common tools that NT administrators use is Kixtart. It is usually used for login scripts, but it can also be used as a powerful scripting language for many other purposes. Here is a Kixtart script that will determine if a user has any hidden shares on their Windows NT computer. You may need Administrator rights on the local machine to run this script... but you may not... I didn't test it without local admin rights.

You are welcome to publish this script as you see fit, provided you keep my comments in it. Please instruct others not to use it for malicious purposes... I am sure that you will provide the appropriate warning.

Thanks.
Dale
[=`)

=====
Dale Holmes
CCNA, MCSE, CNE, UNIX/C
passed CCIE written... [=`)
**********Begin Copy************
; FINDSHARES.KIX
; Version 1.0
; Written by Dale Holmes
; 12/13/99
;
; You may need Administrator access to the NT computer for this script
; to run successfully.
; This script will search the Registry for shares, and loop through all
; values found there.
; It will look for the string "$" in the name to determine if the share
; is hidden.
; If so, then the user name, user id, and machine name will be displayed
; along with the name of the hidden share.
;
; You can redirect the output of this script to a file in order to
; compile a list of hidden shares on your network.
;
; You can also parse through the value of the $readv variable to
; determine the path that the hidden share points to...
;
; Last Modified 12/13/99

; EXISTKEY returns 0 when the key exists; skip to the end if it does not.
$returnv = EXISTKEY( "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares" )

IF $returnv <> 0
    goto "End"
ENDIF

$Index = 0

:Loop

; ENUMVALUE sets @ERROR to a non-zero code once $Index runs past the last value.
$ValueName = ENUMVALUE( "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares" , $Index )

If @ERROR = 0
    ; Optional: uncomment the next line to read the share definition into $readv.
    ; $readv = READVALUE( "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares" , $ValueName )
    ; "$$" is the escape for a literal "$" inside a KiXtart string.
    $srv = INSTR( $ValueName , "$$" )
    If $srv <> 0
        ? "@FULLNAME (@USERID on @WKSTA) has a hidden share called $ValueName"
    Endif
    $Index = $Index + 1
    goto "Loop"
Endif

:End
***********Stop Copy/Paste***********
[Editors Note: I am not a resident expert on Kix scripts and at the time of this writing do not have KIX installed; however, I've used Kix scripts for logon scripts, and without actually testing this script it would appear that the author's script will work. This script is intended to be used as a systems administration tool, and as such, by publishing it, Happy Hacker, the author, and myself would expect it to be used in a responsible manner.]

In order to detect hidden NT shares, do the following under Linux/Un*x:

1. Make sure you have Samba client installed
2. Run the command from a machine on the network to which the NT box is local.
3. The command is: smbclient -L <machine_name_here> | more
4. Every share ending in $ displayed by the client is a hidden share on the machine, which you can later peruse on that NT box.

Happy Hacking!

MagusCor
Randy Bosetti

[Editors Note: Thank You Randy for not letting us forget about all the *nix users out there.]
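
An added example (not part of any reader's letter) that turns the `smbclient -L` step above into an audit: it parses the share table and separates the shares NT creates by default from other `$` shares that an administrator should be able to account for. The sample listing, share names and the `DEFAULT_HIDDEN` allow-list are constructed assumptions.

```python
import re

# Constructed sample of `smbclient -L <machine_name_here>` output.
SAMPLE_LISTING = """\
\tSharename       Type      Comment
\t---------       ----      -------
\tADMIN$          Disk      Remote Admin
\tC$              Disk      Default share
\tIPC$            IPC       Remote IPC
\tprint$          Disk      Printer Drivers
\tpayroll$        Disk
\tOld Backups$    Disk      tape staging
\tpublic          Disk      Public files

\tServer               Comment
\t---------            -------
\tNTBOX                lab server
"""

# Assumption: shares the system creates on its own. Anything else ending
# in "$" was hidden by a person and should have a known owner and purpose.
DEFAULT_HIDDEN = {"ADMIN$", "IPC$", "PRINT$"}
DRIVE_SHARE = re.compile(r"^[A-Z]\$$")
# Share name (may contain spaces), the type column, then an optional comment.
ROW = re.compile(r"^\s+(?P<name>\S.*?)\s+(?P<type>Disk|IPC|Printer)\b\s*(?P<comment>.*)$")


def parse_shares(listing):
    """Return (name, type, comment) rows from the Sharename table only."""
    rows, in_table = [], False
    for line in listing.splitlines():
        if line.split()[:2] == ["Sharename", "Type"]:
            in_table = True
        elif in_table and not line.strip():
            break                      # a blank line ends the share table
        elif in_table and (match := ROW.match(line)):
            # the dashed ruler line never matches ROW, so it is skipped
            rows.append((match["name"], match["type"], match["comment"].strip()))
    return rows


def audit_hidden(listing):
    """Split hidden shares into system defaults and ones needing review."""
    defaults, review = [], []
    for name, _type, _comment in parse_shares(listing):
        if not name.endswith("$"):
            continue
        upper = name.upper()
        if upper in DEFAULT_HIDDEN or DRIVE_SHARE.match(upper):
            defaults.append(name)
        else:
            review.append(name)
    return defaults, review


if __name__ == "__main__":
    print(audit_hidden(SAMPLE_LISTING))
```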

Hiya!

This is in response to the latest Happy Hacker newsletter.
Finding hidden shares is REAL easy if you are an
administrator. Use server manager :-). This tool lets you
view ALL shares (and sessions) on any PC in the Domain.
This includes hidden shares. You can actually use it to
CREATE shares (some NT administrators don't know this as
NT 3.5 did not allow you to create shares with this tool)
With Windows 2000 you would use the Microsoft Management
Console and view the computer's properties, moving to shares etc... This
actually allows you to view which FILES a remotely logged in user has
access to.

One other kind of neat thing that you may or may not know of
is the use of "alternate data streams" to hide files.
It's really neat. If you have an NT box available to you,
drop to a command prompt and create a file using (for
example) notepad, ie: "notepad secret.txt"

Edit this file, add some stuff in, save it and take note of
the size of the file, also note the amount of space left on
your drive. Now the fun stuff comes in, in the command
prompt type in "notepad secret.txt:hidden.txt", this will
open up notepad with a new file, type some more stuff in and
save it. Do a "dir", you will not see this file! Nor will
you see it thru explorer or any other conventional file
browsing methods. What has happened is the file was created
in an "alternate data stream", it is part of the original
(secret.txt) file, but not shown normally in that file. Also
note that secret.txt does not increase in size, nor does the
amount of drive space used get changed!!! Above I had
mentioned that no CONVENTIONAL tools could see these files,
there are programs specifically designed to hunt these down
however I can't remember the name of any of them :-P
One potential use of this would be creating extra webpages
without hitting any kind of quota on an NT Webserver ;-)

NOTE: I'm not currently using NT, but it's a few days till I
get back to work, so if some of the above is wrong, I won't
correct it for a few days. Nor do I take credit for either
of the discoveries above. I know Server Manager pretty good
from use of it, and the "alternate data streams" came from
NTBUGTRAQ.

./sigless

Sheldon Fuc
[Editors Note: I was successful in making the hidden.txt file disappear, but I did notice a reduced amount of total bytes available after the creation of the file. Nonetheless, Sheldon's exercise in "alternative data streams" is exciting. If anyone else confirms everything in its entirety let me know. Thanks for a great article Sheldon.]
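
An added example, not from the letter above or from NTBUGTRAQ: current Windows versions list alternate data streams with `dir /R`, and this parser reads a constructed sample of that output to report every named stream with its size. The sample listing, file names and the choice to treat `Zone.Identifier` as expected are assumptions.

```python
import re

# Constructed sample of `dir /R` output from an NTFS volume. The
# "File(s)" total counts only the main streams, not the rows beneath them.
SAMPLE_DIR_R = """\
 Directory of C:\\lab

01/03/2024  10:02 AM    <DIR>          .
01/03/2024  10:02 AM    <DIR>          ..
01/03/2024  10:01 AM                11 secret.txt
                                 2,048 secret.txt:hidden.txt:$DATA
01/03/2024  10:02 AM            73,802 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
01/03/2024  10:02 AM               512 notes.txt
               3 File(s)         74,325 bytes
"""

DIRECTORY = re.compile(r"^\s*Directory of (?P<path>.+)$")
# Stream rows carry no date: only a size and "file:stream:$DATA".
STREAM = re.compile(
    r"^\s+(?P<size>[\d,.]+)\s+(?P<file>[^:]+):(?P<stream>[^:]+):\$DATA\s*$"
)
# Assumption: the download marker written by browsers is expected.
EXPECTED_STREAMS = {"Zone.Identifier"}


def find_streams(dir_output):
    """Return one dict per named stream: directory, file, stream, bytes."""
    found, directory = [], ""
    for line in dir_output.splitlines():
        header = DIRECTORY.match(line)
        if header:
            directory = header["path"].strip()
            continue
        row = STREAM.match(line)
        if row:
            found.append({
                "directory": directory,
                "file": row["file"],
                "stream": row["stream"],
                # strip thousands separators before converting
                "bytes": int(re.sub(r"[,.]", "", row["size"])),
            })
    return found


def unexpected_streams(dir_output):
    """Named streams that are not on the expected list, largest first."""
    hits = [s for s in find_streams(dir_output)
            if s["stream"] not in EXPECTED_STREAMS]
    return sorted(hits, key=lambda s: s["bytes"], reverse=True)


if __name__ == "__main__":
    for hit in unexpected_streams(SAMPLE_DIR_R):
        print(hit)
```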
Quick Tips

This edition's quick tip is from our very own beloved Carolyn Meinel, as posted at http://www.antionline.com

Cure that Christmas Card Hangover

If your desktop computer runs Windows 95/98/NT, you probably viewed some animated emailed Christmas cards. I'm finally warning you about them because if I had told you in advance how dangerous those cards could be, you'd just ignore me. Oh, oh, my nose is growing. I told you a fib. Actually I didn't warn you about animated Christmas cards last week because I forgot, OK? So sue me.

The trouble with animated greeting cards is that they are programs. And any computer program has the potential to hide viruses and Trojans (malicious features hiding in innocuous-looking software).

You've probably seen news stories predicting that Y2K may unleash a witches' brew of nasty viruses and Trojans. If you take those stories seriously,* here's how to save your computer from the consequences of your promiscuous Christmas Card viewing.

First, the bad news. Fred B. Cohen has mathematically proved, in his 1986 doctoral dissertation, that it is impossible to create software that can detect any conceivable virus or Trojan. However, we can improve our chances by running several different programs to catch those nasty surprises. I use both Norton Antivirus and WebTrends Security Analyzer. Actually, WebTrends is downright fascist, sometimes trying to persuade me to delete a program that I put there on purpose, saying (I'm sure with good reason) that it is a security hazard.

How do you know whether your computer security and antivirus software is any good? Most important, you should look to see whether it has a way for you to update it. That's because the cyberbaddies are always finding ways to evade or disable your protective software. WebTrends automatically updates itself whenever it runs, while I have to remember to manually update Norton Antivirus. It's also important to get "under the hood" of your security software. I discovered, for example, that the default configuration of Norton Antivirus exempted all my Microsoft Office programs from being scanned for virus-like activity.

Also, it helps to double check that your software is working properly. I habitually torture my computer while testing cool hacker tricks. So it's not surprising that from time to time something fails in a way that isn't obvious. Every few months I uninstall and reinstall key software just to be safe. If you try to run an update on your security software and it fails to run, that's a pretty sure sign that it's time to reinstall.

Also, if your computer runs several different operating systems, watch out. All the security software I've seen only looks for things that hurt the operating system on which it is running. Whoever bothers to run an antivirus scanner on Linux or other Unix type operating systems? Yet boot sector viruses will infect your computer regardless of whether you run some kind of Windows or some sort of Unix. I've never found a boot sector virus that bothered a Unix computer. But when you reboot to Windows, ouch, what a hangover.

So, with these depressing thoughts in mind, have a happy New Year. I'm spending next weekend on a Y2K-compliant sailboat on a lake in sunny southern New Mexico. What about you? ;^)

* When it comes to Y2K, I'm a follower of the Alfred E. Neuman philosophy: "What, me worry?"

*************************************************************************************
Anonymous connections to IPC$

By default, when you install Windows NT Server or Workstation, a hidden share called IPC$ is put in place. IPC is short for "Inter Process Connector"; the IPC is used for certain processes to communicate over a network between machines. For instance, during a Windows NT login the client computer sends its NetBIOS name to the BDC or PDC's IPC$ to be validated by a Domain Controller, confirming the membership of that workstation in the DC's domain. It is possible to make an anonymous connection to IPC$ both over private and public networks to NT Workstations and Servers. Why would someone want to make an anonymous connection to the IPC$ share? Well, with the NT Options pack and Resource Kit installed, try the following command.

 

Net Use \\<target>\ipc$ "" /USER:""
The command completed successfully

This being accomplished, issue the following command from your workstation.

Local administrators
<Will display a list of all user accounts with administrator rights on target machine>

Global administrators
<Will display a list of all user accounts with DOMAIN administrative rights in domain>

I need not go into detail regarding what other types of useful information can be gleaned by making anonymous connections to a machine's IPC$ share. Most security analysts that are worth their salt monitor a great deal of activity across IPC$; many Intrusion Detection Systems also utilize IPC$ extensively. For this as well as reasons of ethics, I only recommend experimenting with IPC$ on your hacker laboratory LAN. For information on how to set up a hacker laboratory LAN, visit http://happyhacker.org/winlan.html .
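
An added example, not the digest's own tooling: one way to do the IPC$ monitoring recommended above on current Windows versions, where share access is recorded as Security event 5140 once file-share auditing is enabled. It counts IPC$ connections made as ANONYMOUS LOGON per source address; the events, the field subset shown, the addresses and the threshold are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed events, one JSON object per line, using field names from
# Windows Security event 5140 ("A network share object was accessed").
SAMPLE_EVENTS = r"""
{"EventID": 5140, "TimeCreated": "2024-01-03T09:00:01", "SubjectUserName": "ANONYMOUS LOGON", "IpAddress": "192.0.2.10", "ShareName": "\\\\*\\IPC$"}
{"EventID": 5140, "TimeCreated": "2024-01-03T09:00:02", "SubjectUserName": "ANONYMOUS LOGON", "IpAddress": "192.0.2.10", "ShareName": "\\\\*\\IPC$"}
{"EventID": 5140, "TimeCreated": "2024-01-03T09:00:03", "SubjectUserName": "alice", "IpAddress": "192.0.2.20", "ShareName": "\\\\*\\IPC$"}
{"EventID": 5140, "TimeCreated": "2024-01-03T09:00:04", "SubjectUserName": "ANONYMOUS LOGON", "IpAddress": "192.0.2.10", "ShareName": "\\\\*\\IPC$"}
{"EventID": 5140, "TimeCreated": "2024-01-03T09:05:00", "SubjectUserName": "ANONYMOUS LOGON", "IpAddress": "192.0.2.30", "ShareName": "\\\\*\\IPC$"}
{"EventID": 5140, "TimeCreated": "2024-01-03T09:06:00", "SubjectUserName": "ANONYMOUS LOGON", "IpAddress": "192.0.2.10", "ShareName": "\\\\*\\public"}
{"EventID": 4624, "TimeCreated": "2024-01-03T09:07:00", "TargetUserName": "ANONYMOUS LOGON", "IpAddress": "192.0.2.10", "LogonType": 3}
"""


def is_null_session(event):
    """True for a share-access event on IPC$ with no credentials supplied."""
    return (
        event.get("EventID") == 5140
        and event.get("ShareName", "").upper().endswith("\\IPC$")
        and event.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
    )


def null_sessions_by_source(log_text, threshold=2):
    """Group anonymous IPC$ connections by source address.

    Some system processes connect to IPC$ anonymously on their own, so
    sources below `threshold` are left out; pass threshold=1 to see all.
    """
    seen = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if is_null_session(event):
            seen[event["IpAddress"]].append(event["TimeCreated"])
    return {
        ip: {"count": len(times), "first": min(times), "last": max(times)}
        for ip, times in seen.items()
        if len(times) >= threshold
    }


if __name__ == "__main__":
    for ip, summary in null_sessions_by_source(SAMPLE_EVENTS).items():
        print(ip, summary)
```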

*************************************************************************************

IE4 Easter Egg

Now who doesn't like showing off their mad computer skills to their friends and or colleagues? Here is a nice little Easter Egg to impress your "less technically adept" friends or co-workers.

1. Open Internet Explorer Version 4.0 (Must be IE4, Service Packs are ok… IE5 does not work)
2. Click on Help → About Internet Explorer
3. At this point you have a little "About Internet Explorer" window open.
4. In the upper right hand corner of this window is a little miniature IE4 logo. Move your mouse pointer over to the logo and with the CTRL key depressed and held left click and hold onto the logo.
5. Now with the logo on your cursor and still holding down the CTRL key drag the logo to the left side of the window right below the graphic of the globe.
6. Still with CTRL held down and the icon attached to your cursor quickly move your cursor from left to right across the "INTERNET EXPLORER" Bold text.
7. You will notice that the text slides off the screen toward the right and a little box labeled "Unlock" is now available.
8. With the CTRL key still depressed move the IE4 logo onto the little bmp of the globe located on the left side of the window.
9. Release the CTRL key and drop the logo onto the BMP of the globe by releasing the left mouse button
10. Move your mouse over the "Unlock" box and left click once.
11. ENJOY THE SHOW!

-Greggory Peck aka Tonehrz

Editors Notes
I am the new editor for the Happy Hacker Windows Digest. With me comes a long career in the security field that has taken me through the Department of the Navy, the hotel casino industry, tradeshow industry and now into a side adventure of editing. As my professional career has moved along through the years I recognized that change only comes through suggestions. I encourage everyone to submit their suggestions regarding topics they might like to see in the future or what additions they might like to have. If you have ideas for future topics please e-mail me and let me know. I will be working towards making the HHWD a bit more exciting to read and will speak with Carolyn about putting up an area at http://www.happyhacker.org where we can do some online polls, votes, and perhaps moderated message groups. Until next time Happy Hacking!
_______________________________________________________________________


This is a list devoted to *legal* hacking! If anyone plans to use any information in this Digest or at our Web site to commit crime, go away! We like to put computer criminals behind bars where they belong!

Unix editor Mike Miller unixeditor@cmeinel.com;
Hacker Wargame Directors, Vincent Larsen vincent@sage-inc.com and John Vranesevich <jp@antionline.com>;
Clown Princess: Carolyn Meinel
