November 14th, 2001, 01:59 AM
NetBIOS IPC$ help
A hello to everyone at AntiOnline!
I am an experienced computer user, but a newbie when it comes to security issues. Ever since getting my cable connection, and suffering a couple of attacks, I feel it is time to further my knowledge of the subject.
I was recently attacked by someone connecting to my NetBIOS port. I now know lots about this subject, but there is just one thing I cannot find much information on. What is IPC$???
I know that it stands for "Interprocess Control" share, but what is it used for? What benefits does a hacker gain after obtaining access to this share?
My loose understanding of it is that it adds an external machine to my network, but what can be done once this machine is connected?
Any help, tips, or links would be greatly appreciated.
Thanks in advance...
November 14th, 2001, 03:05 AM
Don't know what to tell you about what can be done with access to this share, other than copying files to replace system files, which could execute a trojan next time you boot, etc.
There used to be some good info on netbios shares at
but I just went there now, and took a quick look, didn't find anything in a quick scan of the site. They used to have a set of programs there which would turn on and off access to your netbios shares, with having to reboot. But, I couldn't find those either.
Oh well, I didn't look very hard, maybe you can find what I missed.
November 14th, 2001, 04:04 PM
You can find the GRC-pages IchNiSan (1,2,3 in Japanese, no?) was referring to here.
This should answer your questions.
How IPC can be abused
IPC$ is a special, hidden systemwide share for InterProcess Communication, thus called IPC. Application communications fall into the area of IPC, and include Remote Procedure Calls made by NetBIOS, Named Pipes, Windows Sockets, and more. The dollar sign following the share name signifies a hidden share, which means that users will not be able to see those shares when they are browsing the network. Essentially, hidden shares ease administration and aid in system-service delivery.
Hidden system shares are created when NT starts, so even if you delete them, they will return when you restart the server. The share will also reappear when you stop and restart the server service. Only those with administrative rights can access hidden system shares. There is nothing to configuring the IPC$ share because it is part of the NT system and it needs to be left alone and running.
November 14th, 2001, 04:58 PM
very good Negative,
you are right about my name...
and thanks for finding a link to the grc pages...
November 14th, 2001, 10:21 PM
Thanks to you both, you've been a great help.
Also, thanks for not pulling me apart, like some others seem to do to us newbies.