Discover Network Shares

From ArchWiki
Revision as of 19:12, 3 April 2008 by Ivh (talk | contribs)

This article or section is a candidate for merging with Access a windows share.


Discovering and accessing Windows shares on your home network

This is how I connected to my girlfriend's Win98 machine over a cross-cable connection - I had to disable her firewall first of course (and mine strangely) to keep it simple. We are currently without an internet connection so we are not at any risk.

This doc is based on Access windows share for a user.

It is worth pointing out that all the information gathered using the following tools is easily accessible by checking the settings of the machine you are connecting to. However, doing it this way makes it easier to avoid problems with the wrong case or path, and if the other machine is quite a distance away you don't want to have to keep going and checking, do you?

Of course you can also use this information to gain access to unprotected Windows shares anywhere - this is illegal in most, if not all, places, not to mention rude. We do not condone this type of activity.

To protect yourself, always use a firewall, and if you must share folders, password protect them, and don't put your credit card details in a file within a shared folder.

Here we go, run all this as root.

1) nmap lets us check which ports are open (I am using the 192.168.1.* IP address range as I know what the IPs are, you only need to know the IP to get started here)

nmap -sT 192.168.1.*

This gives the following results, the first result is her box, the second is mine.

Starting nmap 3.78 ( http://www.insecure.org/nmap/ ) at 2005-02-15 11:45 PHT
Interesting ports on 192.168.1.1:
(The 1661 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
139/tcp  open  netbios-ssn
5000/tcp open  UPnP

Interesting ports on 192.168.1.5:
(The 1662 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
6000/tcp open  X11

Nmap run completed -- 256 IP addresses (2 hosts up) scanned in 7.255 seconds

For connecting to Windows shares we only need port 139 though, so we do:

nmap -sT 192.168.1.* -p 139
Starting nmap 3.78 ( http://www.insecure.org/nmap/ ) at 2005-02-15 11:46 PHT
Interesting ports on 192.168.1.1:
PORT    STATE SERVICE
139/tcp open  netbios-ssn

Interesting ports on 192.168.1.5:
PORT    STATE  SERVICE
139/tcp closed netbios-ssn

Nmap run completed -- 256 IP addresses (2 hosts up) scanned in 5.696 seconds

2) Now that we know the port we need is open, we can use the nmblookup app to check which services are running - we know there are interesting ports on 192.168.1.1, so we just check those

nmblookup -A 192.168.1.1

Looking up status of 192.168.1.1
	PUTER           <00> -         B <ACTIVE>
	HOMENET          <00> - <GROUP> B <ACTIVE>
	PUTER           <03> -         B <ACTIVE>
	PUTER           <20> -         B <ACTIVE>
	HOMENET          <1e> - <GROUP> B <ACTIVE>
	USER NAME <03> -         B <ACTIVE>
	HOMENET          <1d> -         B <ACTIVE>
	..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>

So this tells us the status of the NetBIOS services - PUTER will be the computer name defined in Network Neighbourhood, HOMENET will be the workgroup name, USER NAME is just the name of the logged in user (I think)

Anyway, you need to look for the <20> which shows the name of the computer that has open services - in this case PUTER

3) Now we use smbclient to list which services are shared on PUTER. As you are all security conscious people you will have passworded your shared folders in MS as it is notoriously insecure - you may be asked for a password at this point but just press enter and you should still get the list.

smbclient -L \\PUTER

	Sharename       Type      Comment
	---------       ----      -------
	MY_MUSIC        Disk
	SHAREDDOCS      Disk
	PRINTER$        Disk
	PRINTER         Printer
	IPC$            IPC       Remote Inter Process Communication

	Server               Comment
	---------            -------
	PUTER

	Workgroup            Master
	---------            -------
	HOMENET               PUTER

4) Now we know which folders are shared we can mount them locally :) The best way to do this is to create a folder called shares in /mnt, then add a dir for the machine name you are connecting to and a dir for the folder you are mounting:

mkdir -p /mnt/shares
mkdir /mnt/shares/PUTER
mkdir /mnt/shares/PUTER/MY_MUSIC

Then we use samba mount to mount the share, you can do this two ways:

smbmount //PUTER/MY_MUSIC /mnt/shares/PUTER/MY_MUSIC
mount -t smbfs //PUTER/MY_MUSIC /mnt/shares/PUTER/MY_MUSIC

NOW it will ask you for the folder sharing password which you SHOULD set for all windows shares - enter the password and it should mount the folder on the specified point. If you don't want to have to give the password separately you can just use the option switch -o

smbmount //PUTER/MY_MUSIC /mnt/shares/PUTER/MY_MUSIC -o password=folder_password
mount -t smbfs -o password=folder_password //PUTER/MY_MUSIC /mnt/shares/PUTER/MY_MUSIC

If you don't use passwords for your shared folders, you are: a) exposing yourself to hackers, and you can see how easy it is for them b) able to use the guest option

smbmount //PUTER/MY_MUSIC /mnt/shares/PUTER/MY_MUSIC -o guest

This will fail if the folder IS passworded.

You can also add these commands to fstab to simplify the process and have shares mounted at startup, for example:

//PUTER/MY_MUSIC    /mnt/shares/PUTER/MY_MUSIC    smbfs user,noatime,username=username,password=folder_password 0 0
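
The fstab entry above keeps the share password in /etc/fstab, which is normally world-readable, and the -o password= form puts it on the command line. The script below is an added example, not part of the original article: it flags such entries and rewrites them to use the credentials= mount option with an owner-only file. The function names and the path /etc/samba/puter.cred are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes the smbfs/cifs
# "credentials=" mount option; /etc/samba/puter.cred is a hypothetical path.

# List smbfs/cifs fstab entries (stdin) that embed a password in their
# options. Prints "line: device -> mountpoint", never the password itself.
find_inline_passwords() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }
        $3 == "smbfs" || $3 == "cifs" {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] ~ /^pass(word)?=/) { print NR ": " $1 " -> " $2; break }
        }'
}

# Rewrite fstab text (stdin): drop username=/password= from smbfs/cifs
# entries and reference the credentials file $1 instead.
use_credentials_file() {
    awk -v cred="$1" '
        !/^[ \t]*#/ && NF >= 4 && ($3 == "smbfs" || $3 == "cifs") {
            n = split($4, opt, ","); out = ""
            for (i = 1; i <= n; i++)
                if (opt[i] !~ /^(user(name)?|pass(word)?)=/) out = out opt[i] ","
            $4 = out "credentials=" cred
        }
        { print }'
}

# Write the credentials file $1 for user $2, reading the password from
# stdin so it never appears in a process listing; owner-only permissions.
write_credentials() {
    IFS= read -r pw || [ -n "$pw" ] || return 1
    ( umask 077 && printf 'username=%s\npassword=%s\n' "$2" "$pw" > "$1" ) &&
        chmod 600 "$1"
}

# Constructed sample: the fstab entry from this article.
SAMPLE='//PUTER/MY_MUSIC /mnt/shares/PUTER/MY_MUSIC smbfs user,noatime,username=username,password=folder_password 0 0'

printf '%s\n' "$SAMPLE" | find_inline_passwords
printf '%s\n' "$SAMPLE" | use_credentials_file /etc/samba/puter.cred
```

Run the audit against the real file with find_inline_passwords < /etc/fstab; the rewritten entry still carries the user and noatime options unchanged.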