Bugtraq mailing list archives
Windows Sharing Allows Internet Tracking
From: Preston W Chang <presto () REGIONONLINE COM>
Date: Wed, 21 Mar 2001 18:12:30 -0500
Summary

Many of you are probably very familiar with the constant sharing problem that we have on the Internet today. The default settings, logging in particular, on NT don't help the problem either. Usually, many intruders will go in with obreption and probably without anyone ever knowing without some sort of IDS suite or logging system besides that of NT's. This "problem" may help somewhat. I will discuss later why this is also a "problem" as well as an advantage.

The Advantage

When logging into a share via NetBIOS, on a NT-to-NT connection, the user connecting will have his/her Temporary Internet Files transferred onto the server which they have connected to. You would find it in this type of path: c:\winnt\profiles\Administrator\Temporary Internet Files. If you believe that you are victim to an intruder, definitely check this folder. I have examined many of the NT "rootkit" techniques and suites, with none that include cleaning out the transferred cache. You may or may not find a definitive profile right away of your intruder, but by common investigation, it should lead you to something. You will find most recently visited sites, as well as cookies from the intruding computer (turn the tables on them =) ).

The Problem

As long as you can monitor others, there are others that will be able to monitor you. Here's a possible scenario: You were given access to an NT Server via shares just to do some tweaks or whatever. You leave in peace and go back to the rest of your work. What you just did was leave traces of online receipts, cookies, etc., without even knowing it. Part of the problem is that, to my knowledge, there is no option for stopping this from happening, so the cleansing of the transferred cache must be done manually. One minor setting that can contribute to defending from this problem is to enable the "Temporary Internet Files clean on closing" option in Internet Explorer 5x.

Conclusion

Every time you connect, clean that cache!
Every time a stranger connects, find that rat! Hehe. Cheesy, but a true statement that should be followed.

*ALSO: This cannot be stressed enough, but... don't leave shares open to the rest of the internet!@!# Either filter or disable NetBIOS completely if it isn't needed!*

Cheers,
Charles Chear [presto () regiononline com]
http://presto.tpgn.net

- This message was sent from: http://www.regiononline.com ! Stop by and see what's going on in YOUR region NOW!
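The folder check described in the post can be scripted for triage. The following is an added example, not part of the original message: it walks a profiles root (for instance a mounted copy of c:\winnt\profiles) and lists cache files modified inside a suspected logon window. The function names, the sample tree and the time window are constructed for illustration.

```python
import os
import tempfile
from datetime import datetime, timezone

CACHE_DIR = "Temporary Internet Files"  # folder name as given in the post

def cache_entries(profiles_root, start, end):
    """Map profile name -> [(relative path, mtime)] for cache files whose
    modification time falls inside the window [start, end] (UTC)."""
    findings = {}
    for profile in sorted(os.listdir(profiles_root)):
        cache = os.path.join(profiles_root, profile, CACHE_DIR)
        if not os.path.isdir(cache):
            continue  # profile without a cache folder
        hits = []
        for dirpath, _dirs, files in os.walk(cache):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    ts = os.path.getmtime(path)
                except OSError:
                    continue  # unreadable entry: skip rather than abort the sweep
                mtime = datetime.fromtimestamp(ts, timezone.utc)
                if start <= mtime <= end:
                    hits.append((os.path.relpath(path, cache), mtime))
        if hits:
            findings[profile] = sorted(hits, key=lambda h: h[1])
    return findings

def build_sample(root):
    """Constructed sample tree (not real evidence): two profiles, three files."""
    utc = timezone.utc
    files = {
        ("Administrator", "index.dat"): datetime(2001, 3, 1, 9, 0, tzinfo=utc),
        ("Administrator", os.path.join("ABCD1234", "page[1].htm")):
            datetime(2001, 3, 21, 22, 5, tzinfo=utc),
        ("Guest", "banner[1].gif"): datetime(2001, 3, 21, 22, 7, tzinfo=utc),
    }
    for (profile, rel), when in files.items():
        path = os.path.join(root, profile, CACHE_DIR, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.utime(path, (when.timestamp(), when.timestamp()))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        start = datetime(2001, 3, 21, 21, 0, tzinfo=timezone.utc)
        end = datetime(2001, 3, 21, 23, 0, tzinfo=timezone.utc)
        for profile, hits in cache_entries(root, start, end).items():
            for rel, mtime in hits:
                print(f"{mtime:%Y-%m-%d %H:%M}Z  {profile}  {rel}")
```

Run it against a read-only copy of the profiles directory so the sweep does not alter timestamps on the original files.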
Current thread:
- Windows Sharing Allows Internet Tracking Preston W Chang (Mar 22)
- Re: Windows Sharing Allows Internet Tracking 3APA3A (Mar 23)
- Re: Windows Sharing Allows Internet Tracking Marc Maiffret (Mar 25)
- <Possible follow-ups>
- Windows Sharing Allows Internet Tracking Bill Sobel (Mar 26)
- Re: Windows Sharing Allows Internet Tracking Adam Carter (Mar 26)