Monday, June 4, 2007

Netbios hacking, art/crime of

NetBIOS hacking is the art (or crime) of attacking a Windows machine using the underlying file-sharing protocol that Microsoft set up for sharing files. Almost every Microsoft Windows computer connected to a network, whether over fiber optics, cable, DSL, a home or business network, or even dialup, can be reached by a NetBIOS attack. Many newer PCs have this feature turned off, but people often share certain folders/files with others on the network without using secure passwords or being careful about what they share.


Scroll to the bottom to get the simple quick attack.

Basics:
IP addresses defined:

First, to understand how a NetBIOS attack is done you must understand how a network works. Every network that has a computer or device (e.g. a Palm Pad) on it gives each device an individual number called an Internet Protocol (IP) address, in the form X.X.X.X (e.g. 192.168.1.1). This can be compared to a house address in the real world. The first 2 numbers are the "street address" and are specific to the network/ISP that the device uses (e.g. 192.168.X.X is a local address, and 64.12.X.X would be an AOL network), and the last 2 numbers are for the individual computer or "house".

Ports defined:
For each IP address, there are ports that open so that applications can talk to the various other parts of the web: port 80 is for web browsing, port 21 is for File Transfer Protocol. You can think of each port as the "name" of a person at a particular house.

THE HOW TO:

  1. For a NetBIOS attack to work all you need is the IP address of your target. You can find your own by going to the command prompt (Start --> Run, type CMD). Then at the black screen type "ipconfig" and look for some numbers in the form "IP address . . . . . . :X.X.X.X". That is your IP address.
  2. The computer can either be on a WAN (Wide Area Network) or a LAN (Local Area Network). A WAN IP address is the IP that shows up on the Internet and allows computers from around the world to contact your PC. Note: a router on a LAN will have its own WAN IP address that it shares with the other PCs. A LAN is a home or business network that only computers at the same location (hence the name Local) can access. Normally if you are on a LAN you connect to the internet through a router, and all requests to talk to your PC go through that.

  3. The way to tell which you have is to look at the first numbers of your IP address from "ipconfig". If the first 2 numbers are "192.168.X.X", "10.10.X.X", or "172.16.X.X" then you are on a LAN. Any other first 2 numbers mean you are directly connected to the WAN without any router protection.

  4. On a LAN, if you want to get into your PC from the internet you have to go through a router. You have to know the router's WAN IP address and set the router up correctly. To find the WAN IP address, go to http://www.nwtools.com from any PC connected to the router with internet access and copy the numbers in the box in the middle of the screen; that is the IP address. Your router also has to be set up to allow your PC to connect directly to the Net, via port forwarding or DMZ pass-through. Check your router's manual for more information.

  5. For a WAN without a Router, simply use ipconfig and copy the IP address you see.

  6. Intruders can get your IP address just by sending you to their site, having you look at or send them an Email, installing software on your PC, by a network-wide port scan (more on this later), or by various other means. If they only get your router's address you are fairly safe, but if they catch you without a router (e.g. a hotel, hotspot or other LAN) they can get inside more easily.
  7. For testing purposes I recommend setting up a network with at least 2 computers on it. (You could also use a virtual machine on a single PC; you will need a Windows setup disk handy.)
  8. Once you have the IP address, it is time to do something called a port scan. This will tell you what programs are running and communicating with the outside world using that IP address. NetBIOS uses ports 135, 137-139, and 445. (Full list of ports: here) There are many port scanners that can be used:

    Angry IP Scanner: http://www.snapfiles.com/get/angryip.html (easiest and fastest, though not always the most anonymous)

    Nmap: http://download.insecure.org/nmap/dist/nmap-4.20-setup.exe (requires WinPcap and isn't as easy to install, but has a whole score of options)

  9. I will show how to do this with Angry IP Scanner since that is the easiest. Try Nmap if you want more options and are comfortable with the command prompt:
    a. Open Angry IP Scanner (the file called "ipscan.exe")
    b. Put the IP range as X.X.X.X to X.X.X.X (e.g. 192.168.1.1 to 192.168.1.1)
    c. You could have more than 1 IP address: X.X.X.X to X.X.X.Z (e.g. 192.168.1.1 to 192.168.1.3). This would be if you were hacking more than 1 PC.
    d. Click Options --> Select Ports…
    e. Fill in the port field with “135, 137-139, 445”, all the ports used by NetBIOS
    f. Click “OK”, and then “Start”
    g. It will then pop up with a window showing alive hosts; note the number. Click OK and scroll through the list till you see the host with ping column = X ms

  10. Now if you see alive hosts = 1 in the end message it means you can go further, but if it says 1 dead host then it most likely has a firewall and can't be NetBIOS hacked.
  11. The next thing to do is find out what is open via those ports... so open a command prompt (Start --> Run, type "Cmd") and type nbtstat -a X.X.X.X. This will give a list of what is open via NetBIOS.
  12. Now look for a <20> next to the computer's name in the nbtstat output. <20> is the NetBIOS code for the File Server service.
  13. Now we need to use winfingerprint (www.winfingerprint.com) so that we can get a little more info about what NetBIOS shares are open. A "share" is a folder or drive (hard drive, CD-ROM drive, etc.) that is open to other computers on the network. If this share has a weak password or no password then anybody can easily get in and access whatever is in that folder or drive.
  14. Once winfingerprint is installed select the check boxes "Single Host", "Win32 OS Version", "Null IPC$ Sessions", "NetBIOS Shares", "Users", "Disks", "Groups", "RPC Bindings", "Patch Level", "MAC Address", "Sessions" and "Event Log". This will give you a huge array of information to work with. (Don't worry, I will tell you what to do with your little "gold mine" lol.)
  15. Type the IP address of the victim PC in the box below "Single Host" and click Scan.
  16. When it finishes (it could take a min or 2) scroll down the list till you see "NetBIOS Shares". Copy these down or leave the window open; you will need them later. Also copy the names of the users under "Users:", provided there are any.

  17. Open a command prompt again and type net use {insert share name here} "" /u:"" — for the share name you may want to try \\X.X.X.X\IPC$ first. This is a default share that exists on most machines, though it may not be on the target you are testing.
  18. Next type: net use * "\\X.X.X.X\C$" * /u:administrator
    If "administrator" doesn't work try some of the other usernames that you got from winfingerprint. You will need to guess the password; good ones to try are:
    (blank), password, password1, pass, admin, administrator, whatever you can think of.
    Repeat for each share that showed up in winfingerprint.

  19. If you get "Error 5 access ... access is denied." or other errors, see http://www.chicagotech.net/systemerrors.htm
    You can hunt for more shares by typing "net view X.X.X.X". For the shares you see, substitute the share name for "C$" (e.g. if the share was "Drive 2" you would type net use "\\X.X.X.X\Drive 2"; note: put quotes around the IP and share).
    (If you can guess the password skip to #17, otherwise continue with #16.)

    NOTE: I will talk more about password cracking in a future post.

  20. Download NAT (http://www.cotse.com/tools/sw/nat10bin.zip) to begin trying multiple password combinations. Extract all the files into 1 folder. Then go into the command prompt and type " C:\Foldername\nat.exe -u userlist.txt -p password.txt X.X.X.X "

  21. If you still have no cookie, try downloading another list of passwords off of Google by searching "filetype:txt passlist.txt". Download the file and put it in the folder with NAT, overwriting the file "passlist.txt". Type " C:\Foldername\nat.exe -u userlist.txt -p password.txt X.X.X.X " in the command prompt again.

  22. You have now done everything you can do to get NetBIOS access. If you can't get in now, then most likely the computer is secure from a NetBIOS hack.

  23. If you get the password and have seen "command completed successfully" (after doing net use * "\\X.X.X.X\C$" * /u:USER), open Windows Explorer. You will see a new drive (it may have a different icon too). This drive is the drive of the other PC.

  24. You have hacked in. With this power you can put in backdoors, programs that allow you to get in even if the computer's NetBIOS is turned off and passwords are changed. This is why it is not a good idea to go online with a brand new PC and no protection.


Quick check:

You can test simply whether there are any open shared folders/drives on your network by running Angry IP Scanner and putting in the IP addresses for all PCs on the network (e.g. if 192.168 is the first 2 numbers: 192.168.1.1 to 192.168.1.255). This will test all PCs on your network and let you know which ones have open shares; you can then right-click on the computer and select Explore to see what is open for viewing. THIS IS FAST, BUT DOESN'T TEST EVERY ACCESS OPTION... fyi
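A related check you can script on your own network, added here as an example and not code from the original post: the function below parses the name table that nbtstat -a prints for one host and reports whether that host advertises the <20> File Server service (the entry step 12 tells you to look for), so an admin can inventory which machines are offering shares at all before looking at the shares themselves. The nbtstat output is a constructed sample.

```python
import re
from typing import NamedTuple

# Constructed sample of "nbtstat -a 192.168.1.5" output (not from the original post).
SAMPLE_NBTSTAT = """\
           NetBIOS Remote Machine Name Table
       Name               Type         Status
    ---------------------------------------------
    WORKSTATION-1  <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    WORKSTATION-1  <20>  UNIQUE      Registered
    WORKGROUP      <1E>  GROUP       Registered

    MAC Address = 00-11-22-33-44-55
"""

# NetBIOS name suffixes that matter when auditing a host for exposed file sharing.
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "Workstation service",
    ("00", "GROUP"): "Workgroup/domain name",
    ("20", "UNIQUE"): "File Server service (host is offering shares)",
    ("1E", "GROUP"): "Browser service elections",
}

class NameEntry(NamedTuple):
    name: str
    suffix: str   # the two hex digits shown inside <..>
    kind: str     # UNIQUE or GROUP
    status: str

ENTRY_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)", re.M)
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")

def parse_nbtstat(text):
    """Return (entries, mac) for one nbtstat -a run; mac is None if the host did not answer."""
    entries = [NameEntry(n, s.upper(), k, st) for n, s, k, st in ENTRY_RE.findall(text)]
    mac = MAC_RE.search(text)
    return entries, (mac.group(1).upper() if mac else None)

def audit_host(text):
    """Summarise what the name table says about a host's file-sharing exposure."""
    entries, mac = parse_nbtstat(text)
    return {
        "mac": mac,
        "host_names": sorted({e.name for e in entries if e.kind == "UNIQUE"}),
        # <20> UNIQUE is the File Server service, the entry step 12 tells you to look for.
        "file_server_service": any(e.suffix == "20" and e.kind == "UNIQUE" for e in entries),
        "services": [SUFFIX_MEANING.get((e.suffix, e.kind), "other") for e in entries],
    }
```

Feed audit_host the text of a real nbtstat -a run for each host on your LAN; a host with file_server_service False has nothing to share, while one with True is worth checking for weak or blank share passwords.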



END NOTES:
You now have the basic idea of how someone could/will enter your system. Even if you weren't able to get access you have a better understanding of the importance of having a firewall. The firewalls I recommend are:

Free ZoneAlarm (works well with all Windows systems, and is more protective/customizable).
Windows Firewall (only good in Vista and XP)


They seem to do the best job with the least hassle (pick only 1 though, or you might have problems). McAfee and Norton Internet Security 2007 are good and will protect you well; I just feel that over the years these programs have been bloated and take up too many system resources, slowing the computer down.

Another thing that you can do to protect yourself is to turn off file sharing. For Win2000, XP:

  1. Start --> control panel --> network connections.
  2. Look for the connection(s) you use to connect to the internet.
  3. Right click and select Properties.
  4. Uncheck “File and printer sharing for Microsoft windows”

(to my knowledge Vista doesn’t allow file sharing by default)

WARNING: Don’t do these steps if you are using a school, work, or other pc that you don’t have permission to change settings on, or if you do printing/file sharing over your network.

Finally, it is a good idea to have a router to route your internet through; it provides what is called a hardware firewall.

Hopefully with what you now know, you will be able to avoid becoming a victim of NetBios hacking. :-)

DOWNLOADS & Sites:

Angry IP Scanner: http://www.snapfiles.com/get/angryip.html

Nmap: http://download.insecure.org/nmap/dist/nmap-4.20-setup.exe

WinPcap: http://www.winpcap.org/install/bin/WinPcap_4_0.exe

Winfingerprint: http://sourceforge.net/project/showfiles.php?group_id=15870&package_id=15574&release_id=328573

Net Command Error List: http://www.chicagotech.net/systemerrors.htm

NAT: http://www.cotse.com/tools/sw/nat10bin.zip

Password list: http://amsterdam1.plunder.com/2798/passlist.txt

Free ZoneAlarm 7.0: http://www.download.com/ZoneAlarm/3000-10435_4-10653297.html?tag=lst-0-1

Windows firewall instructions: http://support.microsoft.com/kb/283673