-----[ www.TheCyberUnderground.com

Null IPC connection vulnerability

All NT Servers have a hidden ipc$ share that cannot be turned off by default. This "share" is actually a channel that domain controllers and members use to transfer information such as replication and directory service updates. The problem is that a hacker (with an NT Workstation or Server) can, with only one command, masquerade as an NT Server and glean information from the server.

From an NT command line, issue the following command, where 0.0.0.0 is your target NT box:

    c:\> net use \\0.0.0.0\ipc$ "" /user:""

Now you can do a variety of things; I'll cover two.

One, you can now view all non-hidden shares on that box. Do a Find Computer for 0.0.0.0 (your target) and double-click that computer. You'll get a list of all the shares.

Also, you can get every username on that b0x. For this you'll need two tools: sid2user.exe and user2sid.exe. These tools (and how to use them) are available at www.hackingexposed.com, as well as many other archives. Once you have a null ipc connection (with the above command line), these tools will work on that box.

Happy Hax0ring.
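From the defender's side, the null session described above shows up on the server as a successful network logon by the ANONYMOUS LOGON account. The following added example (not part of the original text) scans constructed security-log lines for exactly that pattern and groups the hits by source host; the field layout, event numbers and hosts in SAMPLE_LOG are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample of security-log lines (not real captured data). The
# key=value layout and the event numbers are an assumption for this example.
SAMPLE_LOG = """\
2001-03-04 10:01:12 EventID=540 Type=Success User="ANONYMOUS LOGON" Domain="NT AUTHORITY" LogonType=3 Workstation=WKS-17 Source=10.0.0.23
2001-03-04 10:01:13 EventID=540 Type=Success User="jdoe" Domain="CORP" LogonType=3 Workstation=JDOE-PC Source=10.0.0.41
2001-03-04 10:01:15 EventID=540 Type=Success User="ANONYMOUS LOGON" Domain="NT AUTHORITY" LogonType=3 Workstation=WKS-17 Source=10.0.0.23
2001-03-04 10:02:40 EventID=528 Type=Success User="asmith" Domain="CORP" LogonType=2 Workstation=ASMITH-PC Source=127.0.0.1
2001-03-04 10:05:02 EventID=540 Type=Success User="ANONYMOUS LOGON" Domain="NT AUTHORITY" LogonType=3 Workstation=UNKNOWN Source=192.168.5.9
"""

# key=value pairs; quoted values may contain spaces ("ANONYMOUS LOGON").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one log line into a dict of fields (surrounding quotes stripped)."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line[20:])}
    fields["Timestamp"] = line[:19]
    return fields


def find_null_sessions(log_text, threshold=1):
    """Return {source_host: count} of successful network logons (LogonType 3)
    by ANONYMOUS LOGON seen at least `threshold` times. Each hit is a host that
    connected to IPC$ with empty credentials, i.e. a null session."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if (ev.get("User") == "ANONYMOUS LOGON"
                and ev.get("LogonType") == "3"
                and ev.get("Type") == "Success"):
            counts[ev.get("Source", "?")] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in sorted(find_null_sessions(SAMPLE_LOG).items()):
        print(f"null session(s) from {src}: {n}")
```

Interactive logons (LogonType 2) and named accounts are ignored, so only the anonymous IPC$ binds are reported. On NT 4.0 SP3 and later the RestrictAnonymous value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa limits what such a session can enumerate, which is the usual mitigation for the share and username listing described above.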