QUICK AND SIMPLE NETBIOS EXPLOITATION WITH WINDOWS XP
Quick and Simple - NetBIOS hacking with Windows XP... by Nokia
Before you read any of this paper, please let me point out the
following (other than the fact I originally wrote it in 1999):
When I performed the following exploit, I used someone else's wireless
connection, with a spoofed MAC address, using a Live CD. I did this so
any logs on the target machine would lead back to the owner of the
wireless AP I used, and from there nothing would lead back to me. If
it did somehow lead back to me, as I had used a Live CD there would not
be a trace of it on my computer.
I have explained how I did this for a reason: if you cannot meet all of
the above as a minimum personal protective measure but still carry out
the routines mentioned in this paper, you could very well be leaving
yourself wide open to any official action that may be taken against
you, as you WILL leave log entries on the target host if you connect to
it in the described manner.
I will warn all readers now that this paper uses real, live IP addresses
on the internet. If you do not agree with this, please stop reading
now. If you do not agree with it but still read and therefore learn the
methods used in the paper, do not post complaining about the fact that
real IPs have been used. Thank you.
However, just because real IPs have been used does not mean that by the
time you come to read this the same people will have the same IP
addresses, so please don't post saying "I have followed all the steps
and still can't connect to the host", as the IP may have changed.
NetBIOS is probably the biggest hole in any Windows computer when it
is not secured properly. You would be very surprised how easy it is for
anyone to connect to a PC that is on the internet via its NetBIOS
shares.
A definition of NetBIOS is:
“Short for Network Basic Input Output System, an API that augments the
DOS BIOS by adding special functions for local-area networks (LANs).
Almost all Windows-based LANs for PCs are based on the NetBIOS. Some
LAN manufacturers have even extended it, adding additional network
capabilities.”
How does NetBIOS work?
NetBIOS can be broken down in to three separate uses:
1) Name service for name registration and resolution
2) Session service for connection-oriented communication
3) Datagram distribution service for connectionless communication
For NetBIOS applications to work properly, every host that uses
NetBIOS must have a unique NetBIOS name.
What most people and tutorials on NetBIOS fail to understand and
mention is that when accessing NetBIOS in the manner we will use in this
paper we are using NBT (NetBT). This is defined as NetBIOS over TCP/IP
and is different from the original NetBIOS specification. The original
NetBIOS specification was designed for a very small group of computers
to communicate with each other, and certainly for no more than 12 in a
group. NBT allows computers to use the NetBIOS API on a far bigger
scale and to communicate with each other from far away and over the
internet. Another common mistake people make is saying that NetBIOS
uses port 139; it is in fact NBT that uses port 139, and NBT is what
we shall be exploiting later on in this paper.
Enter NetBEUI. NetBEUI is the protocol that NetBIOS services
use and is quite commonly confused as being a different type of
NetBIOS. Think of NetBIOS as the actual program/service and NetBEUI as
the protocol the program uses to work. With the introduction of NBT,
however, NetBEUI is being seen less and less on today's LANs because it
is not routable.
Due to all the different protocols and services that use NetBIOS, it has
become the general consensus to group them all together and just call it
NetBIOS. For most people this is good enough, but if you are reading
this you want to exploit it, and to do that you need to know that
little bit more than the normal user!
Most people (usually Linux lovers) are very quick to jump on the
NetBIOS bandwagon by saying it is insecure, should not be used, is a
bad design, a major weakness, etc.
If it is incorrectly configured then yes, all of the above are
probably true, but certain conditions have to be met to make it as bad
as that. NetBIOS has to meet the following conditions to be exploited
easily:
1. File and Printer Sharing for Microsoft Networks is installed as a
network component (Network in Control Panel).
2. File and Printer Sharing for Microsoft Networks is bound to TCP/IP
on an adapter used for the Internet.
3. Options for files and printers are checked (enabled) under File and
Print Sharing.
4. "Share(s)" have actually been configured for file(s) and printer(s).
5. Strong passwords have not been used on file and printer "share(s)."
6. Scope ID has not been set like a strong password.
Windows PCs ship with default shares such as SharedDocs. Some of these
shares have a $ after them, such as C$, PRINT$, ADMIN$ and IPC$. The $
tells us they are hidden shares; NT and XP have these by default.
There are a lot of hosts out there that make life easy for us by not
password protecting their shares. For those that are password protected
we can sometimes create a "null" session by using the "" /U:"" switch at
the end of our command. A null session gives us the lowest possible
functionality, but it does give us a place to start.
You should now have a very basic and broad understanding of what
NetBIOS is – there is a lot more to it than this and I have simplified
certain parts of it, as this paper is about exploiting NetBIOS not
detailing how it works.
It would be beneficial to you to learn the ins and outs of NetBIOS,
and this web site is the best one I have found for NetBIOS information:
http://www.signaltonoise.net/library/netbios.htm
Or if you want to get really technical, the RFC 1001 for NetBIOS is
here:
http://www.networksorcery.com/enp/rfc/rfc1001.txt
Exploiting it:
Windows uses ports 139 and 445 when sharing files between hosts and
servers with the NBT service. Usually some form of authentication is
required for external hosts to access the shares available on it.
However, more often than not PCs are configured to allow unrestricted
access to all of their shares, and even if we can't get access to the
shares there is still a whole host of other valuable information we can
collect from these open ports.
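As an added illustration of two points the paper makes (that a host is exposed when NBT ports 139/445 are reachable from the internet, and that a connection to them leaves log entries on the target), here is a Python script that is not part of the original paper: it reads Windows XP firewall log lines in the pfirewall.log W3C layout and reports inbound 139/445 connections from addresses outside RFC 1918 space. The log lines are constructed samples, and the field layout assumed is the XP SP2 "#Fields:" header.

```python
import ipaddress

# Constructed sample of an XP SP2 pfirewall.log; the #Fields line drives parsing.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2006-09-20 21:03:11 OPEN-INBOUND TCP 203.0.113.45 192.168.1.20 3211 139 - - - - - - - - RECEIVE
2006-09-20 21:03:12 OPEN-INBOUND TCP 203.0.113.45 192.168.1.20 3212 445 - - - - - - - - RECEIVE
2006-09-20 21:03:40 OPEN-INBOUND TCP 192.168.1.5 192.168.1.20 1045 445 - - - - - - - - RECEIVE
2006-09-20 21:04:02 DROP TCP 198.51.100.9 192.168.1.20 4420 139 48 S 123456 0 65535 - - - RECEIVE
2006-09-20 21:05:15 OPEN TCP 192.168.1.20 198.51.100.20 1046 80 - - - - - - - - SEND
"""

NBT_PORTS = {139, 445}

# RFC 1918 ranges plus loopback and link-local; anything else is treated as
# internet-facing. Python's ip_address.is_private is deliberately not used,
# because it also classifies documentation ranges (203.0.113.0/24) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip):
    """True when the address is outside the private/loopback/link-local ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def parse_firewall_log(text):
    """Yield one dict per data row, named by the columns in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) < len(fields):
            continue  # malformed or truncated row; skip rather than guess
        yield dict(zip(fields, parts))


def find_nbt_exposure(text):
    """Return (accepted, dropped): inbound TCP 139/445 hits from external IPs."""
    accepted, dropped = [], []
    for row in parse_firewall_log(text):
        if row["protocol"] != "TCP" or row.get("path", "RECEIVE") != "RECEIVE":
            continue
        if int(row["dst-port"]) not in NBT_PORTS or not is_external(row["src-ip"]):
            continue
        entry = (row["date"] + " " + row["time"], row["src-ip"], int(row["dst-port"]))
        (accepted if row["action"].startswith("OPEN") else dropped).append(entry)
    return accepted, dropped
```

Any entry in the accepted list means an internet host actually reached a share port, which is exactly the trail the paper says an attacker leaves and the exposure that the firewall or unbinding File and Printer Sharing from the internet adapter should prevent.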
Original Tutorial by
nokia for TheTAZZone-TAZForum
Originally posted on September 20th, 2006 here
Do not use or republish, in whole or in part, without the consent of
the Author. TheTAZZone policy is that Authors retain the rights to the
work they submit and/or post... we do not sell, publish, transmit, or
have the right to give permission for such... TheTAZZone merely retains
the right to use, retain, and publish submitted work within its
Network.