net use

Thread: net use

  1. #1
    Senior Member
    Join Date
    Jan 2004
    Posts
    199

    net use

    Does anyone know if the 'net use' command in Windows (DOS) leaves a trace behind after a drive has been mapped and then disconnected? ... and does the machine that has a drive mapped report this in any way?

    Thanks.
    -

  2. #2
    net use does not leave a trace behind, except that it does leave a trace on the remote system: that the user who mapped the drive has been logged in to that computer...

    also, when you keep a drive mapped and the remote computer is turned off and powered on again, they will be asked if they want to keep the connection with your computer.

    (All this is what I have seen from the systems in our domain; perhaps some things are different if both systems aren't in the same domain, but I'm not sure.)

    hope this helps you

  3. #3
    Senior Member
    Join Date
    Jan 2004
    Posts
    199
    Thanks for the advice dude.

    Do you happen to know where this log is kept? What logs that a connection has been made in the past?
    -

  4. #4
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    The answer is it depends on the OS and how the system was setup.

    Win95/98 you wouldn't notice unless you rebooted and then it would prompt you.

    WinNT/2K/XP, if you have auditing enabled, will create an entry viewable in the event viewer.

    You could also catch traces of the connection using the other net commands as well as netstat -an.
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  5. #5
    Senior Member
    Join Date
    Jul 2003
    Posts
    813
    Also I suppose Snort would log things of this nature since you do have to make TCP connections. So it depends also on what IDS the other computer has set [or the network].
    /\\

  6. #6
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by hypronix
    Also I suppose Snort would log things of this nature since you do have to make TCP connections. So it depends also on what IDS the other computer has set [or the network].
    Unless I have my snort configured wrong, the standard set of rules will not report on this. You may be able to write your own local rule, but I haven't looked into it.

    (Tiger ----- do you do anything like this?)

    Cheers:
    DjM

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    DjM:

    Nope.... Too much work....

    No, seriously, it would take a lot of messing and setting up of valid server variables etc. to be able to avoid all the normal share traffic to the servers. It might be viable on a home network where this kind of activity isn't happening every 3 seconds of the day, but on a decent sized network this stuff goes on all the time.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  8. #8
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Originally posted here by DjM
    Unless I have my snort configured wrong, the standard set of rules will not report on this. You may be able to write your own local rule, but I haven't looked into it.

    (Tiger ----- do you do anything like this?)

    Cheers:
    Wouldn't something like:

    alert tcp any any <> $HOME_NET 139 (msg:"Netbios SSN")
    alert tcp any any <> $HOME_NET 445 (msg:"Netbios SSN Win2k")

    Of course that would log EVERYTHING...

  9. #9
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by nebulus200
    Wouldn't something like:

    alert tcp any any <> $HOME_NET 139 (msg:"Netbios SSN")
    alert tcp any any <> $HOME_NET 445 (msg:"Netbios SSN Win2k")

    Of course that would log EVERYTHING...
    The traffic that these rules would generate on an internal IDS/Snort would be HUGE

    DjM

  10. #10
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Originally posted here by DjM
    The traffic that these rules would generate on an internal IDS/Snort would be HUGE

    :o
    Yeah, it depends on what I would be trying to do. At home, I would definitely use $EXTERNAL_NET instead of any. Of course, I don't allow netbios through my router so that would be moot, which I guess is why I left it at any anyway :) I haven't played around with snort in so long I am sure there are some specific things content wise you could look for...

    I don't know if these are in the usual snort since we run an appliance type deal, but here are a few that look for specifics:

    Code:
    Enable 1293 	#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .eml"; content:"|00|.|00|E|00|M|00|L"; flow:to_server,established; classtype:bad-unknown; reference:url,www.f-secure.com/v-descs/nimda.shtml; sid:1293; rev:8;)
    Enable 1294 	#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .nws"; content:"|00|.|00|N|00|W|00|S"; flow:to_server,established; classtype:bad-unknown; reference:url,www.f-secure.com/v-descs/nimda.shtml; sid:1294; rev:8;)
    Enable 1295 	#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda RICHED20.DLL"; content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0"; flow:to_server,established; classtype:bad-unknown; reference:url,www.f-secure.com/v-descs/nimda.shtml; sid:1295; rev:7;)
    Enable 529 	#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS DOS RFPoison"; flow:to_server,established; content: "|5C 00 5C 00 2A 00 53 00 4D 00 42 00 53 00 45 00 52 00 56 00 45 00 52 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00|";reference:arachnids,454; classtype:attempted-dos; sid:529; rev:5;)
    Enable 530 	#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS NT NULL session"; flow:to_server,established; content: "|00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 4E 00 54 00 20 00 31 00 33 00 38 00 31|"; reference:bugtraq,1163; reference:cve,CVE-2000-0347; reference:arachnids,204; classtype:attempted-recon; sid:530; rev:7;)
    Enable 1239 	#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS RFParalyze Attempt"; flow:to_server,established; content:"BEAVIS"; content:"yep yep"; classtype:attempted-recon; sid:1239; rev:5;)
    Enable 532 	#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$access"; flow:to_server,established; content:"\\ADMIN$|00 41 3a 00|"; reference:arachnids,340; classtype:attempted-admin; sid:532; rev:4;)
    Enable 533 	#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ access"; flow:to_server,established; content: "|5c|C$|00 41 3a 00|";reference:arachnids,339; classtype:attempted-recon; sid:533; rev:5;)
    Enable 534 	#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD.."; flow:to_server,established; content:"\\..|2f 00 00 00|"; reference:arachnids,338; classtype:attempted-recon; sid:534; rev:4;)
    Enable 535 	#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD..."; flow:to_server,established; content:"\\...|00 00 00|"; reference:arachnids,337; classtype:attempted-recon; sid:535; rev:4;)
    Enable 536 	#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB D$access"; flow:to_server,established; content:"\\D$|00 41 3a 00|"; reference:arachnids,336; classtype:attempted-recon; sid:536; rev:4;)
    Enable 537 	#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share access"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|75|"; offset:4; depth:5; content:"\\IPC$|00|"; nocase; classtype:attempted-recon; sid:537; rev:8;)
    Enable 538 	#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share access (unicode)"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|75|"; offset:4; depth:5; content:"|5c00|I|00|P|00|C|00|$|00|"; nocase; reference:arachnids,334; classtype:attempted-recon; sid:538; rev:7;)
    Enable 539 	# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS Samba clientaccess"; flow:to_server,established; content:"|00|Unix|00|Samba"; reference:arachnids,341; classtype:not-suspicious; sid:539; rev:4;)
    Enable 2101 	#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|25|"; offset:4; depth:5; content:"|00 00 00 00|"; offset:43; depth:4; reference:cve,CAN-2002-0724; reference:url,http://www.microsoft.com/technet/sec.../MS02-045.asp; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:denial-of-service; sid:2101; rev:4;)
    Enable 2103 	#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB trans2open buffer overflow attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|ff|SMB|32|"; offset:4; depth:5; content:"|00 14|"; offset:60; depth:2; byte_test:2,>,1024,0,relative,little; reference:cve,CAN-2003-0201; reference:url,http://www.digitaldefense.net/labs/a.../DDI-1013.txt; classtype:attempted-admin; sid:2103; rev:4;)
    Enable 2174 	#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg access"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|a2|"; offset:4; depth:5; content:"\\winreg|00|"; offset:85; nocase; classtype:attempted-recon; sid:2174; rev:1;)
    Enable 2175 	#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg access (unicode)"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|a2|"; offset:4; depth:5; content:"\\|00|w|00|i|00|n|00|r|00|e|00|g|00|"; nocase; offset:85; classtype:attempted-recon; sid:2175; rev:1;)
    Enable 2176 	#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Startup Folder access attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|32|"; offset:4; depth:5; content:"Documents and Settings\\All Users\\Start Menu\\Programs\\Startup|00|"; classtype:attempted-recon; sid:2176; rev:1;)
    Enable 2177 	#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Startup Folder access attempt (unicode)"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|32|"; offset:4; depth:5; content:"\\|00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00|\\|00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00|\\|00|S|00|t|00|a|00|r|00|t|00|u|00|p"; classtype:attempted-recon; sid:2177; rev:1;)
    Enable 2190 	#alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC invalid bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|00|"; distance:21; within:1; classtype:attempted-dos; sid:2190; rev:1;)
    Enable 2191 	#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:2; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|00|"; distance:21; within:1; classtype:attempted-dos; sid:2191; rev:1;)
    Enable 2192 	#alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192; rev:1;)
    Enable 2193 	#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2193; rev:1;)
    Enable 2251 	#alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Remote Activation bind attempt"; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|B8 4A 9F 4D 1C 7D CF 11 86 1E 00 20 AF 6E 7C 57|"; distance:29; within:16; tag:session,5,packets; reference:cve,CAN-2003-0715; reference:cve,CAN-2003-0528; reference:cve,CAN-2003-0605; classtype:attempted-admin; reference:url,http://www.microsoft.com/technet/sec.../MS03-039.asp; sid:2251; rev:3;)
    Enable 2252 	#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|B8 4A 9F 4D 1C 7D CF 11 86 1E 00 20 AF 6E 7C 57|"; distance:29; within:16; tag:session,5,packets; classtype:attempted-admin; reference:cve,CAN-2003-0715; reference:cve,CAN-2003-0528; reference:cve,CAN-2003-0605; reference:url,http://www.microsoft.com/technet/sec.../MS03-039.asp; sid:2252; rev:3;)
    Enable 2257 	#alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; offset:0; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:url,http://www.microsoft.com/technet/sec.../MS03-043.asp; reference:bugtraq,8826; reference:cve,CAN-2003-0717; classtype:attempted-admin; sid:2257; rev:1;)
    Enable 2258 	#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC Messenger Service buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|04 00|"; distance:0; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:url,http://www.microsoft.com/technet/sec.../MS03-043.asp; reference:bugtraq,8826; reference:cve,CAN-2003-0717; classtype:attempted-admin; sid:2258; rev:1;)

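To make concrete why the bare `any any <> $HOME_NET 139` rule above fires on every NetBIOS session packet while sid 537/538 fire only on IPC$ tree connects, here is an added example (not from the thread and not Snort's own code): a minimal Python matcher for the content/offset/depth/nocase subset of rule syntax used in the quoted rules, run over constructed SMB payloads. The packet layout in nbss_smb is a simplified stand-in built for the demo, not a real capture.

```python
import re
RULE_RE = re.compile(r'^alert\s+(\w+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+(\S+)\s+\((.*)\)$')  # action proto src sport dir dst dport (opts)

def decode_content(spec):
    # Snort content syntax -> bytes: literal text with |hex| sections; a doubled backslash is one literal backslash
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.replace("\\\\", "\\").encode("latin-1")
    return bytes(out)

def parse_rule(text):
    # keep only what this matcher uses: dest port, msg, and each content with its offset/depth/nocase modifiers
    _proto, dport, body = RULE_RE.match(text.strip()).groups()
    rule = {"dport": dport, "msg": "", "contents": []}
    for opt in filter(None, (o.strip() for o in body.split(";"))):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "msg":
            rule["msg"] = val
        elif key == "content":
            rule["contents"].append({"bytes": decode_content(val), "offset": 0, "depth": None, "nocase": False})
        elif key in ("offset", "depth", "nocase") and rule["contents"]:
            rule["contents"][-1][key] = True if key == "nocase" else int(val)
    return rule

def rule_matches(rule, dport, payload):
    # port must agree and every content must occur in its window (depth counts from offset, as in Snort)
    if rule["dport"] not in ("any", str(dport)):
        return False
    for c in rule["contents"]:
        window, needle = payload[c["offset"]:][:c["depth"]], c["bytes"]
        if c["nocase"]:
            window, needle = window.lower(), needle.lower()
        if needle not in window:
            return False
    return True

def nbss_smb(command, path):
    # constructed test packet: NetBIOS session message header around a bare 32-byte SMB header plus a share path
    smb = b"\xffSMB" + bytes([command]) + b"\x00" * 27 + path
    return b"\x00" + len(smb).to_bytes(3, "big") + smb
BROAD = 'alert tcp any any <> $HOME_NET 139 (msg:"Netbios SSN")'  # the catch-all rule from the thread
SID537 = r'alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share access"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|75|"; offset:4; depth:5; content:"\\IPC$|00|"; nocase; classtype:attempted-recon; sid:537; rev:8;)'
SID538 = r'alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share access (unicode)"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|75|"; offset:4; depth:5; content:"|5c00|I|00|P|00|C|00|$|00|"; nocase; reference:arachnids,334; classtype:attempted-recon; sid:538; rev:7;)'

def run_demo():
    # which rules fire for ASCII and Unicode IPC$ tree connects, and for an unrelated port-139 packet
    rules = [parse_rule(r) for r in (BROAD, SID537, SID538)]
    packets = {"ascii": nbss_smb(0x75, b"\\\\SERVER\\IPC$\x00"),
               "unicode": nbss_smb(0x75, "\\\\SERVER\\IPC$\x00".encode("utf-16-le")),
               "negotiate": nbss_smb(0x72, b"")}  # Negotiate Protocol request: carries no share path at all
    return {name: [r["msg"] for r in rules if rule_matches(r, 139, p)] for name, p in packets.items()}
```

The catch-all rule shows up for all three packets, which is the "logs EVERYTHING" problem DjM raises; the content-bearing rules separate the Unicode and ASCII forms of the same tree connect, which is why the ruleset carries both sid 537 and 538.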