You can write an app to use net send and cover its tracks...
Plus, isn't it the messenger service that writes the entries to event
viewer. I think saying "using net send" is a general term for sending
messages using the messenger service.
Either way, using that service , you can exploit it easily.
- N
-----Original Message-----
From: Kurt Buff [mailto:kurt.buff@gmail.com]
Sent: Friday, June 24, 2005 1:48 PM
To: focus-ms@securityfocus.com
Subject: Re: Using Messenger Service for 'Net Send' Functionality ---
Dangerous?Why?
Nick Duda wrote:
| -----Original Message-----
| From: Kurt Buff [mailto:kurt.buff@gmail.com]
| Sent: Thursday, June 23, 2005 12:58 PM
| To: michael.mailinglist@securityfocus.com; at
| Cc: focus-ms@securityfocus.com
| Subject: Re: Using Messenger Service for 'Net Send' Functionality ---
| Dangerous?Why?
|
| michael.mailinglist@securityfocus.com wrote:
|
|>At a previous company I worked for we had issues with employees using
|>it to taunt each other. Since the only audit trail is in the local
|>machine's event logs, it is very difficult to keep track of who is
|>abusing the service. We ended up disabling the service company wide.
|>
|
|
| However, the local machine event log entry *does* the NetBIOS name of
| the sending machine, making it easy to track that, at least. Given
only
| minor sleuthing (and a lack of poorly configured multi-user machines),
| tracking who did what when, in this case, is pretty simple.
|
| Kurt
|
| FYI, It's very easy to write a short VB app that:
|
| A. doesn't record net sends to event viewer
| B. can spoof the sending name of the computer (NetBIOS)
|
| - Nick
True, but then you're no longer using the Net Send command.
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
---------------------------------------------------------------------------
---------------------------------------------------------------------------
