remote file reading on windows

So remote file reading is a huge security risk and I was just pondering how easy it would be to gain remote access to the computer if you can do this. My guess is youd have to know certian things about the widows file hiearchy meaning that WINNT probably has certain files in c:\WINNT that could give information. What are the possible attacks that someone can use if they can read local files on a windows machine?

Does windows have a password/shadow file similar to *nix systems?
Is it possbile to open folders as files and see what contents are inside?

Also since an attacker would have to know the directory structure it would seem like a good ideas to have your drive start with another letter other than c and to store certain files in other locations other than the default. Obviously the best thing would be to eliminate any remote file reading but if a zero-day exploit popped up, being prepared is the next best thing.

Hey,

Interesting question..................there are people here who will "eat it for breakfast" so to speak, so I will not be boring with my ignorance.

But, what about hidden virtual drives?............I have one on this machine............it's my mirror backup..(and on a different physical drive!)...........I can get to it via a DOS boot disk. It is visible only as a very big file that is encrypted and compressed...............only one amongst 30,000 or more?

I have this to be able to do an almost "instant" restore...............paranoid...yes I learnt it from my cat :)

nice post

cheers,

johnno

Is this file visible when you do a normal start up or only when you use the dos boot disk. Since its on your own drive I guess you could tell windows to disable that piece of hardware but then how do you actually back things up?

Sorry, I did not explain myself too well there :(

The DOS disk is only to get me in if all else fails.

The actual software would usually run under Windows. You call the proggy on your disk, and tell it to run, it comes back and asks for the file location/id. You give it that and it "mounts" the file. You then give it up to 4 passwords (all have to be correct) and it creates the new drive.

In other words it loads the virtual drive as F or G or whatever.

You cannot see the virtual drive on normal startup, as it is just one of thousands of files. You will know it...but a virus will not :D

Just use any sort of backup software to create the contents of this virtual drive...........or just copy stuff there (then you do need a boot disk if anything goes wrong!)

Does this answer your questions?

cheers

Sounds like one of the PGP disk drives. They're quite handy those are, but I've never thought of using it for a secure backup. Cheers nihil!

Ok, yes that answers that question.
But my initial question is still open, and this backup will be good in restoring your system but it does nothing to help in the prevention of compromise initially.

Umm, yes, windows does have password files. In 9x they are located in c:\windows\USER NAME.pwl and no they aren't shadowed, just encrypted (at least in 9x and NT4, I'm not sure about the later versions).

If by remote file reading you mean file sharing (i.e. the ability for one networked computer to read files and download/upload (with the right permission) them), then a client can only see the directorys contained within the file that you have created as shared. i.e. if you share the root of c:\ then they can read everything, but if you shared for example c:\shares, then they could only read files within that directory. This would include the directory c:\shares\share1, but not c:\windows.

And lastly, yes it is a very good idea to install windows in a non standard directory (i.e. d:\my9xOS\), although you can only do this with OS's after 9x, as 9x has to be on the primary partition. So, if you're running NT4.0 or XP then do this!

There you go, hope I helped!!

No, I am not talking about sharing. Im talking about some vulnerablilities with php. For instance I can go to some sites with php not configured correctly and put in a specific url (example www.thisurl.com/php?c:\boot.ini) and read the boot.ini file or any other file on the drive as long as I know the path. So I wasnt sure about how windows stored password I looked where you said but I still cannot see a password file there. I do not hide any files is it possibly stored anywhere else?

i take it your running NT, if so then your log on passwords are kept in an encrypted file called sam. if i remember right its in your winnt\system32 folder. i know their is software out thier but genrally you should not be able to access it locally or remotely when windows is running. the way to access it locally would be to get hold of one of those boot disk that can read from NTFS disks. i know theirs one or two ways to access it remotely but i cant remember how and as far as i know its not an easy job. Lopht have made tools to unencrypt the sam file but its quite a time consuming process.
anyway hope that answers one of your questions.
mark

S3cur|ty4ng31

Sorry If I seemed a little dumb, but there are plenty of people more qualified than I to answer you question in detail.

I thought I would mention the virtual drive out of interest? As it is sort of related from a security viewpoint?

I also have a system restore feature that must store the passwords somwhere inside it.........haven't really tried to take a look as it uses its own weird compression utility.

Another thing is that the swap or page file is another place to look for passwords.....and they are unencrypted there! Not to easy to do remotely though IMHO? And, as they are so large, they would take a long time to extract remotely?



Which Windows OS are we talking about anyway? The password files are no great secret, and could probably be quite quickly downloaded via a trojan, physically, malformed website exploit or whatever.

OK so now we have this file.....what do we do with it?........use a password cracker?...there is no such animal in the average hacker's zoo............you need to have intelligence agency budgets for that kind of stuff (the real thing I mean) and the kit to run it!

The stuff you see uses a "dictionary" as in it looks for known words and phrases. Use English on a Spanish password file and you might as well save your electricity bill. ;)

If you use proper, secure passwords, there is little chance that the average cracking program can break it; so even if PHP is insecure and someone steals your password file, it should be no good to them? if it is...got to be your fault?

I hope this is a bit more help?

Cheers

BTW you need to enforce password changing on a regular basis, that way, even if the password is cracked....it will be no longer valid. :)