QUICK AND SIMPLE NETBIOS EXPLOITATION WITH WINDOWS XP CONT...


Let me briefly explain the following command first, though.

"Net use" means we are going to use a network resource.
The "*" means use the next available drive letter. We normally have C for the hard drive, D for the next logical partition or next hard drive, E for a CD-ROM and maybe even F for another CD-ROM/DVD-ROM, etc. Using the * just tells Windows to use the next available letter, starting from Z and working backwards. We can specify our own letter if we want to, but the outcome is the same.

Code:
H:\>net use * \\86.132.223.178\johns
Drive Z: is now connected to \\86.132.223.178\johns.

The command completed successfully.


Ok, so John has a share on this computer that is open to the whole world and is not password protected.

How do we see what information is available to us?

Simply go to 'My Computer' and you will have a Z drive there, already connected and mapped for you! Click on it and you get to see what is in John's share.

Let's try another share:

Code:
H:\>net use * \\86.132.223.178\SharedDocs
Drive Y: is now connected to \\86.132.223.178\SharedDocs.

The command completed successfully.


So go back to My Computer and you will now see the Y: drive connected and mapped out for you.

The other, easier way to do this is to go to Start > Search > Computers and enter the IP address. You will now get a nice graphical view of all the shares.


So we can view all the shares here... but that soon gets boring. What else can we do?

Well, go to My Computer, right click on the share, then go to Properties.
What we are interested in here are the users and groups that appear in the share's security settings, which also tell us whether the machine is on an AD domain.
So go to Security and take a look at the users/groups. It should become apparent now whether it is on an AD domain or not.
Would it be worth seeing what rights/privileges John has, since we are on his share? It would probably be a good idea!

So we go to Security > Advanced. Here we can see a detailed list of all the groups and permissions, but we want more than that, so we go to the 'Effective Permissions' tab and click on Select.

We now get a box allowing us to select a user name. We already know his first name is John. What are the odds that, if we go trawling through all the letters and other documents available to us in his share, we could find his surname pretty quickly?
Then we enter his first name, a '.' and then his surname. Usernames on an AD are usually a first name and a surname separated by a dot. If it doesn't work, experiment with different user name formats!
If you manage to find his logon name, you will be able to view all his current permissions.
But don't forget the winfo output, which listed the users who are currently logged on.

So, we have seen how it is done the manual way, which for me is the more enjoyable and skilful way.

Now let's do it the skiddie way.

Go and download Essential NetTools from http://www.tamos.com/; you should be able to get a free 30 day trial of it.

Install it and crank it up.

Now go to NBScan, enter our IP address into it, and it will display pretty much the same information that the command prompt did, but in a more graphical manner. Right click on the computer at the top of the window and select Open Computer.

This just opens the same window we got when we went to Search > Computers. Right clicking it also gives us a few more options, such as Add to LMHOSTS.
If we add this, we can connect to it in the same manner we would any other box on the LAN. I'm not going to explain what the LMHOSTS file is, as most people will know, but if you don't you can read about it here should you wish:
http://support.microsoft.com/?kbid=150800
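As an added, defender-side example (not part of the original tutorial, and not code from Essential NetTools), here is a small Python parser for the LMHOSTS format the KB article above describes: one `IP name [#PRE] [#DOM:domain]` entry per line, with everything after any other `#` treated as a comment. The audit function flags any NetBIOS name that has been mapped to an address outside the private, loopback and link-local ranges, which is exactly the kind of entry "Add to LMHOSTS" creates for a host on the internet. The sample file contents are constructed.

```python
import ipaddress
import re

# Address blocks a workstation's LMHOSTS would normally point at:
# RFC 1918 private ranges plus loopback and link-local.
_LAN_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# The two per-entry keywords LMHOSTS allows after the name. Any other token
# starting with '#' begins a comment (see lmhosts.sam shipped with Windows).
_KEYWORD_RE = re.compile(r"^#(PRE|DOM:\S+)$", re.IGNORECASE)

# Constructed sample, not a real LMHOSTS file.
SAMPLE_LMHOSTS = """\
# departmental servers
192.168.1.10    FILESRV01    #PRE #DOM:CORP   # file server, preloaded
192.168.1.11    PRINTSRV     # print server
203.0.113.55    JOHNSPC      #PRE             # added via 'Add to LMHOSTS'
"""


def is_lan_address(ip_text):
    """True if the address falls inside a private/loopback/link-local block."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in _LAN_NETWORKS)


def parse_lmhosts(text):
    """Return one dict {'ip', 'name', 'preload', 'domain'} per mapping line.

    Lines that are blank, comments, or '#INCLUDE'/'#BEGIN_ALTERNATE'-style
    directives (which carry no address) are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an address, so not a mapping
        entry = {"ip": parts[0], "name": parts[1].upper(),
                 "preload": False, "domain": None}
        for token in parts[2:]:
            m = _KEYWORD_RE.match(token)
            if not m:
                break  # a plain '#' starts the trailing comment
            keyword = m.group(1)
            if keyword.upper() == "PRE":
                entry["preload"] = True  # loaded into the name cache at boot
            else:
                entry["domain"] = keyword[4:]  # text after 'DOM:'
        entries.append(entry)
    return entries


def audit_lmhosts(text):
    """Entries whose name resolves to an address outside the LAN blocks."""
    return [e for e in parse_lmhosts(text) if not is_lan_address(e["ip"])]


if __name__ == "__main__":
    for e in audit_lmhosts(SAMPLE_LMHOSTS):
        flag = " (preloaded)" if e["preload"] else ""
        print(f"non-LAN mapping: {e['name']} -> {e['ip']}{flag}")
```

A preloaded (`#PRE`) entry pointing at a public address deserves a second look, because the name resolves from the cache without any broadcast or WINS lookup, so the mapping keeps working silently until someone edits the file.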

Play around with the Essential NetTools application, as it is a hell of a lot more than it may first appear to be. You can use it to sniff data similar to the way Ethereal does... hmmm, could we use that by making it connect to something that needs a share password?

If we so wanted to, we could connect to the printer shares in the same way we connect to a networked printer on our own LAN and print things out. However, we are all a touch more mature than this here, aren't we, so we won't entertain that idea.

Is there anything else we can do with these shares? Of course there is.
If you think about it, you have a full and unrestricted TCP connection to another computer, which just happens to trust you from a shared-resource point of view.

If we have write privileges we can drop any file we choose on the shared drive. Some of the more astute of you may think about dropping a command prompt or making a quick .bat file to spawn a command prompt and start issuing some

Code:
net user TAZ /ADD


commands followed by some

Code:
net localgroup "Administrators" TAZ /ADD


However, this will not work if you run the command prompt yourself: you will end up adding an administrative user account called TAZ to your own computer.

What if we make a cleverly named batch file for the unsuspecting user to run, though?

If the user has admin rights on the box it is run on, he will add an admin account called TAZ, with no password, to his PC. Given that all his shares are available to the internet, chances are that when he has run the batch file he won't have a clue what he has just done anyway!
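Seen from the other side, the batch file above leaves a very recognisable trail in the Security log: an account-created event followed within seconds by a member-added-to-Administrators event for the same account, both with the same interactive user as the subject. The following Python is an added example, not from the original tutorial, that correlates those two events. It runs over a constructed, simplified export (`time,event_id,subject,target,group`; the real export format carries many more fields); the event IDs are the documented ones, 624/636 on Windows XP/2003 and 4720/4732 on Vista and later.

```python
from datetime import datetime, timedelta

# "User account created" and "member added to a security-enabled local group":
# the pre-Vista IDs (XP/2003) and their Vista-and-later equivalents.
ACCOUNT_CREATED = {624, 4720}
LOCAL_GROUP_MEMBER_ADDED = {636, 4732}
PRIVILEGED_GROUPS = {"ADMINISTRATORS"}

# Constructed, simplified export: time,event_id,subject,target,group.
# The subject is who performed the action; the target is the account acted on.
# The first pair is what the TAZ batch file would produce; the second pair is
# a routine helpdesk action that must not be flagged.
SAMPLE_EVENTS = """\
2006-09-20 21:14:01,624,JOHNSPC\\john.smith,TAZ,
2006-09-20 21:14:02,636,JOHNSPC\\john.smith,TAZ,Administrators
2006-09-20 09:30:15,624,JOHNSPC\\helpdesk,printsvc,
2006-09-20 09:45:40,636,JOHNSPC\\helpdesk,printsvc,Print Operators
"""


def parse_events(text):
    """Turn the simplified export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, subject, target, group = line.split(",", 4)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "id": int(eid),
            "subject": subject,
            "target": target,
            "group": group,
        })
    return events


def find_admin_creations(events, window=timedelta(minutes=5)):
    """Return (target, subject, seconds_between) for every account that was
    created and then added to a privileged local group within `window`.

    Matching on the target name alone is enough here because the two events
    are generated on the same host; a cross-host correlation would also need
    the computer name.
    """
    created = [e for e in events if e["id"] in ACCOUNT_CREATED]
    added = [e for e in events
             if e["id"] in LOCAL_GROUP_MEMBER_ADDED
             and e["group"].upper() in PRIVILEGED_GROUPS]
    hits = []
    for c in created:
        for a in added:
            delta = a["time"] - c["time"]
            if a["target"] == c["target"] and timedelta(0) <= delta <= window:
                hits.append((c["target"], a["subject"],
                             int(delta.total_seconds())))
    return hits


if __name__ == "__main__":
    for target, subject, secs in find_admin_creations(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT: {subject} created {target} and made it an "
              f"administrator {secs}s later")
```

The helpdesk pair is not reported because Print Operators is not in `PRIVILEGED_GROUPS`; widen that set (Backup Operators, Remote Desktop Users) to taste. On XP the relevant events are only written if "Audit account management" is enabled in the Local Security Policy, which it is not by default.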

Well, this "small" paper has run on much longer than I had planned, so I will end it here. There is an Advanced NetBIOS paper in the pipeline where we will look at defeating password protected shares, elevating our privileges, enumerating AD users and cracking their passwords.

In summary, I hope I have demonstrated exactly how easy it is to exploit an unprotected NetBIOS share over the internet.
Remember, if you don't want this to happen to you, make sure that if your PC does meet all of the following requirements, you change at least one of them:

1. File and Printer Sharing for Microsoft Networks is installed as a network component (Network in Control Panel).
2. File and Printer Sharing for Microsoft Networks is bound to TCP/IP on an adapter used for the Internet.
3. Options for files and printers are checked (enabled) under File and Print Sharing.
4. "Share(s)" have actually been configured for file(s) and printer(s).
5. Strong passwords have not been used on file and printer "share(s)."
6. Scope ID has not been set like a strong password.
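Conditions 1 to 4 of that list boil down to one question a defender can answer directly from the box: is the NetBIOS/SMB service listening on an adapter that faces the internet, and which non-administrative shares are offered on it? The following Python is an added example, not from the original tutorial, that answers it from two command outputs the reader already knows, `netstat -an` and `net share`. Both outputs embedded here are constructed, the adapter list passed to the checker is a hypothetical parameter (on a real host it would come from `ipconfig`), and the address 203.0.113.55 is a documentation address standing in for a public one.

```python
import ipaddress
import re

# NetBIOS name/datagram/session services and direct-hosted SMB.
NETBIOS_SMB_PORTS = {137, 138, 139, 445}

_LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed 'netstat -an' output in the Windows column layout.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    203.0.113.55:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  UDP    203.0.113.55:137       *:*
  UDP    192.168.1.20:137       *:*
"""

# Constructed 'net share' output.
SAMPLE_NET_SHARE = """\
Share name   Resource                        Remark

-------------------------------------------------------------------------------
IPC$                                         Remote IPC
C$           C:\\                             Default share
SharedDocs   C:\\Documents and Settings\\All Users\\Documents
johns        C:\\Documents and Settings\\John\\My Documents
The command completed successfully.
"""

# proto, local ip, local port, foreign address, optional state (UDP has none)
_SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def is_lan_address(ip_text):
    """True for RFC 1918, loopback and link-local addresses."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in _LAN_NETWORKS)


def listening_smb_sockets(netstat_text):
    """Yield (proto, local_ip, port) for NetBIOS/SMB sockets accepting input."""
    for line in netstat_text.splitlines():
        m = _SOCKET_RE.match(line)
        if not m:
            continue
        proto, ip, port, state = m.groups()
        port = int(port)
        if port not in NETBIOS_SMB_PORTS:
            continue
        if proto == "TCP" and state != "LISTENING":
            continue  # established/closing TCP sockets are not services
        yield proto, ip, port


def exposed_sockets(netstat_text, adapter_ips):
    """Sockets reachable from the internet: bound to a public address, or
    bound to 0.0.0.0 (all adapters) while some adapter has a public address."""
    public_adapters = [ip for ip in adapter_ips if not is_lan_address(ip)]
    found = []
    for proto, ip, port in listening_smb_sockets(netstat_text):
        if ip == "0.0.0.0":
            if public_adapters:
                found.append((proto, ip, port))
        elif not is_lan_address(ip):
            found.append((proto, ip, port))
    return found


def user_shares(net_share_text):
    """Share names from 'net share', without the hidden $ administrative shares."""
    names = []
    in_table = False
    for line in net_share_text.splitlines():
        if line.startswith("----"):
            in_table = True  # the dashed rule separates header from rows
            continue
        if not in_table or not line.strip() or line.startswith("The command"):
            continue
        name = line.split()[0]
        if not name.endswith("$"):
            names.append(name)
    return names


def audit(netstat_text, net_share_text, adapter_ips):
    """Internet-facing NetBIOS/SMB sockets plus the shares a remote client could try."""
    return {"exposed": exposed_sockets(netstat_text, adapter_ips),
            "shares": user_shares(net_share_text)}


if __name__ == "__main__":
    report = audit(SAMPLE_NETSTAT, SAMPLE_NET_SHARE, ["203.0.113.55", "192.168.1.20"])
    for proto, ip, port in report["exposed"]:
        print(f"internet-facing {proto} {ip}:{port}")
    print("non-administrative shares:", ", ".join(report["shares"]))
```

An empty `exposed` list means condition 2 of the checklist is not met (File and Printer Sharing is not bound to the internet adapter) and the rest of the list is moot; a non-empty list with any name in `shares` is the situation this whole tutorial relied on, and conditions 5 and 6 (share passwords, Scope ID) are then the only things left standing between the share and the internet.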


Original Tutorial by nokia for TheTAZZone-TAZForum

Originally posted on September 20th, 2006 here

Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post...we do not sell, publish, transmit, or have the right to give permission for such...TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network.