IPC$ question

KGhaleon · January 2007

Does it serve any other uses? I noted earlier today that it opened twice on my machine without me doing anything. I'm just wondering if that's normal. I closed it both times and checked to see if anyone was trying to access my machine, but with so many packets floating about this busy network it was hard to tell.

KG

seuss_ssues · January 2007

If your concerned here is an article discussing the removal of the IPC.

http://support.microsoft.com/?id=314984

JDMurray · January 2007

The IPC$ hidden share is used by the Windows named pipes interprocess communications mechanism. It is created and removed as needed.

KGhaleon · January 2007

Ok, I just figured it was abnormal. If it's a normal windows event, then I'll just leave it alone. If it comes to it, I'll just see if I can disable it. I didn't see anything in that link about disabling an existing share.

KG

sexion8 · January 2007

open a DoS prompt and type IPC$ /delete if you have a null session you want to remove. To stop WindozeXP from IPC sharing: Regedit: HKLM/System/CurrentControlSet/Control/LSA/RestrictAnonymous=2 then reboot. Block out ports 135, 137-139 (udp&&tcp), 445 (tcp). On reboot open a prompt and type: net view \\you.rip.add.res You should be fine. Before you even do this though, if this machine is behind a router or fw, you may want to try to remotely connect to your machine to see if you can find shares... Chances are you won't be able to... Xlation, you have little to worry about unless your internal network is a war zone

Philippatos · January 2007

Yeah that MS article is just plain wrong. In NT 4.0 you *COULD* delete IPC$ directly, but not in XP. I used to use that trick AFTER loging into the domain to prevent domain admins from being able to administer my workstation.

If they tried to connect they'd get an "access denied" message. I could still access all network resources though, so didn't hinder my work at all.

In the context of C|EH though IPC$ is for establishing null sessions used by hackers for enumeration.
http://www.windowsecurity.com/whitepaper/Windows-Enumeration-USER2SID-SID2USER.html

PS: It's also the reason why renaming the administrator account is a useless "best practice". Should just call it a "useless practice", but someone decided it's best, so must be.

keatron · January 2007

Philippatos wrote:

Yeah that MS article is just plain wrong. In NT 4.0 you *COULD* delete IPC$ directly, but not in XP. I used to use that trick AFTER loging into the domain to prevent domain admins from being able to administer my workstation. If they tried to connect they'd get an "access denied" message. I could still access all network resources though, so didn't hinder my work at all.

In the context of C|EH though IPC$ is for establishing null sessions used by hackers for enumeration.
http://www.windowsecurity.com/whitepaper/Windows-Enumeration-USER2SID-SID2USER.html

PS: It's also the reason why renaming the administrator account is a useless "best practice". Should just call it a "useless practice", but someone decided it's best, so must be.

I wouldn't call renaming the administrator account totally "useless". You should view it as one of the many practices that makes the "layers" of security that much "thicker". While it's a fact that the SID is going to give away an administrator account every time, you'd be surprised how many script kiddies there are who don't even know what a SID looks like or where to find it. Saying it's useless is just like saying "I won't lock my car doors because if a car jacker wants it, he will just break a window and steal my car".

Philippatos · January 2007

You're entitled to your opinion. Saying something is "best" doesn't make it so, however, regardless of whatever authority you think you carry on the topic.

The fact remains changing the administrator account name secures nothing, unlike a lock. You can also change the root account name in *NIX. Nobody does it for the same reason, root's ID would still be the same (in this case zero not 500).

Philippatos · January 2007

Just in case someone is thinking "well, then how do you secure the administrator account?" The answer is create a strong password. That's all there is to it.
http://en.wikipedia.org/wiki/Strong_password

And for maximum security use a random password generator, like:
http://www.liebsoft.com/index.cfm/products/rpmee

keatron · January 2007

Philippatos wrote:

You're entitled to your opinion. Saying something is "best" doesn't make it so,)

I don't think you'll see the word best anywhere in my post.

Philippatos wrote:

however, regardless of whatever authority you think you carry on the topic.

Authority has nothing to do with anything. I was simply giving my opinion (thank you for reminding me of the fact that I am entitled to one). I was simply pointing out the simple fact that just because a measure is not the end all to security concerns, doesn't mean it shouldn't be implemented. I teach (and show) people all the time how easily MAC address filters can be bypassed (wired and wireless implementations), but I certainly don't end the lesson by saying "so since mac filtering can be be bypassed by spoofing MAC addresses, don't do it". I typically say "do it, but here are some other things you need to do in addition to that".

My wife has done a good job of teaching me that I'm not an authority on anything nor do I have authority over anything. She knows everything, and has authority over everything I touch. So you'd better play nice before I sic her on you dude!!!!!

Philippatos wrote:

The fact remains changing the administrator account name secures nothing, unlike a lock. You can also change the root account name in *NIX. Nobody does it for the same reason, root's ID would still be the same (in this case zero not 500).

If you really think a lock secures something, I can take you to a couple of places on the south side of Chicago and show you differently.

Also, I'd be careful using words like "nobody".

keatron · January 2007

Philippatos wrote:

Just in case someone is thinking "well, then how do you secure the administrator account?" The answer is create a strong password. That's all there is to it.
http://en.wikipedia.org/wiki/Strong_password

And for maximum security use a random password generator, like:
http://www.liebsoft.com/index.cfm/products/rpmee

For maximum security you'd use three factor authentication, not single factor (password).

sprkymrk · January 2007

keatron wrote:

Philippatos wrote:

Just in case someone is thinking "well, then how do you secure the administrator account?" The answer is create a strong password. That's all there is to it.
http://en.wikipedia.org/wiki/Strong_password

And for maximum security use a random password generator, like:
http://www.liebsoft.com/index.cfm/products/rpmee

For maximum security you'd use three factor authentication, not single factor (password).

Agreed keatron. In addition, in many environments there is no "real" need for a local admin account anyway. Disable it. Set a strong, random password. Require a Smart Card to log into the workstation. Set the "deny log on locally" for the local admin account.

Phil - you, of all people should know, creating a strong password is NOT "all there is to it". I am sure your C|EH training taught about linux boot disks...

keatron · January 2007

sprkymrk wrote:

keatron wrote:

Philippatos wrote:

Just in case someone is thinking "well, then how do you secure the administrator account?" The answer is create a strong password. That's all there is to it.
http://en.wikipedia.org/wiki/Strong_password

And for maximum security use a random password generator, like:
http://www.liebsoft.com/index.cfm/products/rpmee

For maximum security you'd use three factor authentication, not single factor (password).

Agreed keatron. In addition, in many environments there is no "real" need for a local admin account anyway. Disable it. Set a strong, random password. Require a Smart Card to log into the workstation. Set the "deny log on locally" for the local admin account.

Phil - you, of all people should know, creating a strong password is NOT "all there is to it". I am sure your C|EH training taught about linux boot disks...

Yep, more specifically you should have learned about it in Module 5 when you took the course. As a matter of fact, you should have been instructed on how to use this exact tool. http://home.eunet.no/pnordahl/ntpasswd/

KGhaleon · January 2007

Good information to know. I was actually just using net use * /d /y to end the IPC$ connections, since I don't have shares on this particular laptop that I use.

KG

IPC$ question

Comments