PQwak v2.00a October 27, 2000 (C) Shane Hird 2000

DISCLAIMER: By using this program, you agree that you are completely responsible for your own actions, and I, Shane, am in no way liable, unless it's something good.

->What is PQwak?

This program exploits a flaw in the share level password authentication of MS Windows 95/98/ME in its CIFS protocol to find the password of a given share on one of these machines.

->How does it work?

The program exploits a flaw found by nsfocus (www.nsfocus.com) in which Windows verifies passwords based on the client supplied password length rather than the server's. The program is essentially a stripped down NetBIOS client, which communicates at the TCP/IP level, using CIFS through SMB over NetBIOS over TCP/IP :P. It first starts with a size 1 password, iterating through a set of characters; when it finds a match, it goes up to a size 2 password and so on.

->What are all the fields?

IP: The IP address of the host.
Share: The passworded plain share name (no '\\' characters)
Name: The NetBIOS name of the host

->How do I get the IP of a host?

At a command prompt, type "nbtstat -a hostname"
Then type "nbtstat -c"
And you should see the host in the list with its IP.
If not, type 'arp -a' and match the MAC address with the physical address retrieved from 'nbtstat -a hostname'.
As a last resort, connect to the host, then type "netstat -an" and find the IP in this list.

->How do I get the NetBIOS name of a host?

If you know the IP of a host, you can use 'nbtstat -A 123.123.123.123' and the name will be returned (the <20> service). Or you can use one of the many tools which map names to IPs. The program should be able to resolve the name OK, but in some cases you may need to specify this yourself (see bugs).

->How can I protect myself?
MS has made a patch available here: http://www.microsoft.com/technet/security/bulletin/ms00-072.asp
with a FAQ about the problem here: http://www.microsoft.com/technet/security/bulletin/fq00-072.asp
though the patch for Windows 95 is still to come.

->Is this legal?

Probably not. But then, you're the one using it, not me, and MS is the one who is responsible for the hole. There is at least one other known client which exploits this hole; the choice to use mine does not make me any more responsible.

->It doesn't work.

This program will not work on patched hosts, nor will it work on any NT host. This is because NT uses user level sharing, rather than share level. It will only work on unpatched Win95/98/ME hosts. There are also some known bugs which may be causing the problem.

->Known bugs/problems?

Most bugs have been fixed since v1.00. It now uses synchronous sockets, so there is no need for a delay; this can however cause a problem when resolving the name if the reply is lost, never returned, or only returned on UDP port 137 (Samba). In this case, it will hang forever waiting for a reply: hit "Stop" and specify the name manually by using 'nbtstat -A ip'.

For some reason, some (I'm not sure what version) hosts will return success on a size 1, NULL byte password even when there is a password. This isn't the case with most hosts, but for those where it does, it causes a big problem. For this reason, the first character starts by trying with a space rather than NULL; this makes for some very ugly code, and blank passwords will actually be reported as a space rather than NULL.

Memory leaks and thread cleanup should be OK, but you probably shouldn't close the app while it is running; hit Stop or wait till it finishes to be safe. The OS should clean it up OK anyway.

->Where can I get the source code?

There are no current plans to release the source; it is very ugly at the moment.
If you really want to write your own client, I suggest packet sniffing this program with a good sniffer like 'analyser', and reading up on CIFS in the MSDN documentation. Also, you will need to code at the TCP/IP level, not using any high level APIs for share connection etc., as they don't allow you to specify the password length. You will also need to read up on NetBIOS, although packet sniffing could probably get you enough info.

->Questions/comments?

Ask Shane (shanehird@yahoo.com)

Version History:

v1.00
+ First version.
+ Asynchronous communication, so must specify a delay for reply.
+ Only checked chars from 0x20 to 0x96.

v2.00a
+ Synchronous sockets, no need for delay
+ Much better error reporting
+ Can resolve names from IP if specified
+ Supports a 'Stop' button to interrupt cracking/connecting
+ Heaps better memory/thread/socket management
+ Checks all characters, in the order NULL, 0x20-0xFF, 0x01-0x1A
+ Progress bar for progress through character set
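As an added illustration (not PQwak's own code, which was never released), the following Python model of the check described under "How does it work?" puts the unpatched, length-dependent comparison beside the patched one and counts how many authentication attempts the one-byte-at-a-time strategy needs against each. The stored password, the 255-byte alphabet and the simulated host are constructed assumptions; the point is that the unpatched check turns an exponential search into a linear one, and the patched check gives a partial guess nothing to confirm.

```python
"""Model of the MS00-072 share-level password check (constructed example)."""
from typing import Callable, Iterable, Optional, Tuple

# Constructed sample share password on a simulated Win9x host.
STORED_PASSWORD = b"secret"


def vulnerable_check(client_pw: bytes, stored: bytes = STORED_PASSWORD) -> bool:
    """Unpatched behaviour: only len(client_pw) bytes are compared, so any
    non-empty prefix of the stored password is accepted."""
    n = len(client_pw)
    return n > 0 and client_pw == stored[:n]


def patched_check(client_pw: bytes, stored: bytes = STORED_PASSWORD) -> bool:
    """Patched behaviour: lengths must agree and every byte must match, so a
    partial guess reveals nothing about the stored password."""
    return len(client_pw) == len(stored) and client_pw == stored


def incremental_attempts(check: Callable[[bytes], bool],
                         max_len: int = 8,
                         alphabet: Iterable[int] = range(1, 256)
                         ) -> Tuple[Optional[bytes], int]:
    """Count the attempts the one-byte-at-a-time strategy makes before `check`
    stops accepting longer prefixes. Returns (recovered_or_None, attempts).
    Against patched_check no single byte is ever accepted, so it gives up
    after one pass over the alphabet."""
    alphabet = list(alphabet)
    guess = b""
    attempts = 0
    while len(guess) < max_len:
        for c in alphabet:
            attempts += 1
            if check(guess + bytes([c])):
                guess += bytes([c])
                break
        else:  # no extension accepted: either complete, or no per-byte leak
            break
    return (guess or None), attempts


def exhaustive_attempts(length: int, alphabet_size: int = 255) -> int:
    """Worst-case attempts when the check leaks nothing per byte."""
    return alphabet_size ** length


if __name__ == "__main__":
    print("unpatched:", incremental_attempts(vulnerable_check))  # (b'secret', 901)
    print("patched:", incremental_attempts(patched_check))       # (None, 255)
    print("exhaustive, 6 bytes:", exhaustive_attempts(6))       # 255 ** 6
```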