PQwak v1.00				October 22, 2000
(C) Shane Hird 2000

DISCLAIMER: By using this program, you agree that you are completely
responsible for your own actions, and I, Shane, am in no way
liable, unless it's something good.

->What is PQwak?

This program exploits a flaw in the share-level password authentication
of MS Windows 95/98/ME in its CIFS protocol to find the password of a
given share on one of these machines.


->How does it work?

The program exploits a flaw found by nsfocus (www.nsfocus.com) in which
Windows verifies passwords based on the client-supplied password length
rather than the server's. The program is essentially a stripped-down
NetBIOS client, which communicates at the TCP/IP level, using CIFS through
SMB over NetBIOS over TCP/IP :P. It first starts with a size 1 password,
iterating through a set of characters; when it finds a match, it goes up
to a size 2 password and so on. Not all characters are tested, because I
wasn't sure which were valid, but this can be changed on request.
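The length-dependent comparison described above, as an added example that is not PQwak's code: a toy server-side check in its flawed form beside the hardened form, plus a small harness (prefix_search_calls, an assumed name) that measures how many guesses a prefix-by-prefix search needs against each, so a defender can see that the fixed check gives no byte-at-a-time leak. The password "Cat5!" and the printable-ASCII alphabet are constructed for the demo.

```python
# Added example (not part of PQwak): toy model of the share-level password
# check described above. The flawed server compares only as many bytes as
# the client sent, so a one-byte guess matches whenever it equals the first
# byte of the real password. The hardened check requires equal length and
# compares every byte in constant time.
import hmac
from typing import Callable, Optional

ALPHABET = bytes(range(0x20, 0x7F))  # printable ASCII; constructed, 95 bytes


def flawed_check(stored: bytes, supplied: bytes) -> bool:
    """Vulnerable: length taken from the client; only that prefix is compared."""
    return stored[:len(supplied)] == supplied


def hardened_check(stored: bytes, supplied: bytes) -> bool:
    """Fixed: lengths must match, then a constant-time full comparison."""
    if len(stored) != len(supplied):
        return False
    return hmac.compare_digest(stored, supplied)


def prefix_search_calls(check: Callable[[bytes, bytes], bool],
                        stored: bytes, max_len: int = 8) -> Optional[int]:
    """Count oracle calls a prefix-by-prefix search needs against `check`.

    Against the flawed check the cost is at most len(ALPHABET) * len(stored)
    calls (linear). Returns None when no single byte ever extends the prefix,
    which is what the hardened check yields: its cost stays exponential,
    len(ALPHABET) ** len(stored), because nothing leaks per byte.
    """
    found = b""
    calls = 0
    for _ in range(max_len):
        for ch in ALPHABET:
            calls += 1
            if check(stored, found + bytes([ch])):
                found += bytes([ch])
                break
        else:
            return None  # no byte extends the prefix: no per-byte leak
        if found == stored:
            return calls
    return None
```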


->What are all the fields?

NBNAME is the calling name of the host. Usually this is the same as the
NetBIOS name (computer name) itself.
SHARE is the name of the password protected share (folder).
IP is the IP address of the host.
DELAY is the time between password attempts. You should leave enough time
to receive a reply from the host. 50-100 is good for the local net, >200 is
better for outside sub-nets, and >800 is probably ok for inter-nets.


->How do I get the IP of a host?

At a command prompt, type
"nbtstat -a hostname"
Then type
"nbtstat -c"
and you should see the host in the list with its IP. If not, type
"arp -a"
and match the MAC address with the physical address retrieved from
"nbtstat -a hostname". As a last resort, connect to the host, then type
"netstat -an"
and find the IP in this list.


->How do I get the NBNAME of a host?

If you know the IP of a host, you can use 'nbtstat -A 123.123.123.123' and
the name will be returned (the <20> service). Or you can use one of the
many tools which map names to IPs. I have written a couple myself, and
these are available freely.


->How can I protect myself?

MS has made a patch available here:
http://www.microsoft.com/technet/security/bulletin/fq00-072.asp
though I think Win 95 is unsupported as yet.


->Is this legal?

Probably not. But then, you're the one using it, not me, and MS is the one
who is responsible for the hole. There is at least one other known client
which exploits this hole, the choice to use mine does not make me any more
responsible.


->It doesn't work.

This program will not work on some hosts, nor will it work on any NT host.
This is due to the fact that NT uses user-level sharing, rather than share
level. Also, there may be some characters I have missed out in the set,
and also, there is very minimal error checking. Try increasing the delay
if you don't have a quick link between you and the host. There is also an
inbuilt delay of 500ms to set up the connection, which may not be long enough
for slow connections. There is nothing that can be done about it other than
changing the program itself.


->Known bugs?

A few. The most important is that because it is multi-threaded, and there
isn't great cleanup, you should only use it once, then close it and re-open
it before using it again. This also seems to help a problem where it doesn't
successfully find more than one password in a session. Also, it will only
find passwords for 'disk' shares; this could be changed to any type, but
this was just left in from testing and never changed, and it won't be in the
near future.


->Is there support for password lists?

If a host is patched, it is still obviously vulnerable to a dictionary
attack. This isn't supported as yet, but may be in the future, as it would
be very simple to include. Time, however, is of the essence.


->It crashes all the time.

This program was written in about a day, live with it, or go write your own.


->This program sucks.

So do you.


->Does using this make me an elite hacker?

No.


->Questions/comments?

Ask Shane (me).