Get Netbiosname & Netdde Service Stat With Ip

Full Version: Get Netbiosname & Netdde Service Stat With Ip

GovernmentSecurity.org > System Security > Windows Systems

FakoLy

Jan 4 2005, 09:59 AM

CODE

/*
===========================================================
== Netdde service checker ===
== Coded by tony, based on the houseofdabus exploit ===
===========================================================
Usage : netdde.exe <host>
please juste use this prog to check if netDDE is enabled on your computer

greetz to #coromputer idlers ^^

mailto : tonycorp at gmail . com

SAMPLE :

C:\dub\Debug>netdde 192.168.0.2
[*] Connecting to 192.168.0.2:139 ... OK
[+] Remote netbios name: OBELIX
[*] Connecting to 192.168.0.2:139 ... OK
[-] NetDDE enabled

C:\dub\Debug>net stop netdde
Le service DDE réseau s'arrête.
Le service DDE réseau a été arrêté.

C:\dub\Debug>netdde 192.168.0.2
[*] Connecting to 192.168.0.2:139 ... OK
[+] Remote netbios name: OBELIX
[*] Connecting to 192.168.0.2:139 ... OK
[-] NetDDE disabled

C:\dub\Debug>netdde 192.168.0.3 (My offline computer)
[*] Connecting to 192.168.0.3:139 ... failed
[-] Can't connect to 192.168.0.3:139

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
#else
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#endif

/* targets table */
struct targets {
int num;
char name[50];
long jmpaddr;
}
target[]= {
{ 0, "WinXP [universal] ", 0x00abfb1c - 0x20 },
{ 1, "Win2K [universal] ", 0x009efb60 - 0x20 }
};

char jmpcode[] =
"\x90\x90\x90\x90\x66\x81\xC7\x20\x03\xFF\xE7\x90\x90\x90\x90\x90"
"\x50\x6f\x43\x20\x66\x6f\x72\x20\x4e\x65\x74\x44\x44\x45\x20\x28"
"\x4d\x53\x30\x34\x2d\x30\x33\x31\x29\x2e\x20\x43\x6f\x70\x79\x72"
"\x69\x67\x68\x74\x20\x28\x63\x29\x20\x32\x30\x30\x34\x2d\x32\x30"
"\x30\x35\x20\x68\x6f\x75\x73\x65\x6f\x66\x64\x61\x62\x75\x73\x2e"
"\xBB\xBB\xBB\xBB" /* => eax */
"PADPAD";

char smb_sesreq[] =
"\x81\x00\x00\x44\x20\x43\x4b\x46\x44\x45\x4e\x45\x43\x46\x44\x45"
"\x46\x46\x43\x46\x47\x45\x46\x46\x43\x43\x41\x43\x41\x43\x41\x43"
"\x41\x43\x41\x43\x41\x00\x20\x45\x4b\x45\x44\x46\x45\x45\x49\x45"
"\x44\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43"
"\x41\x43\x41\x43\x41\x41\x41\x00";

char smb_negotiate[] =
"\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5c\x02"
"\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54\x20\x4c\x4d\x20\x30\x2e"
"\x31\x32\x00";

char req1[] =
"\x81\x00\x00\x44";

char req2[] =
"CACACACACACACACACACACACACACACABP";

unsigned long ndlen = 0;
unsigned long ntarget = 0;
unsigned long backip = 0;
unsigned short bindport = 0;

unsigned char *find_smbname(unsigned char *data, unsigned long len)
{
unsigned char *ptr;
unsigned long i = 0;

ptr = data;
ptr += 91;

while (i <= len - 3) {
if (ptr[i] == '\x00')
if (ptr[i+1] == '\x00')
if (ptr[i+2] == '\x00')
return ptr+i+3;
i++;
}

return NULL;
}

/* fingerprinting */
unsigned char *smb_get_name(char *ip)
{
int sock, r;
unsigned long smbname_len;
unsigned char *name = NULL, *smbname;
struct sockaddr_in s;
struct hostent *he;
unsigned char buf[256];

if ((he = gethostbyname(ip)) == NULL) {
printf("[-] Unable to resolve %s\n", ip);
return NULL;
}

sock = socket(AF_INET, SOCK_STREAM,IPPROTO_TCP);
if (sock < 0) return NULL;

s.sin_family = AF_INET;
s.sin_addr = *((struct in_addr *)he->h_addr);
s.sin_port = htons(139);
memset(&(s.sin_zero), '\0', 8);

memset(buf, 0, 256);

printf("[*] Connecting to %s:139 ... ", ip);
r = connect(sock, (struct sockaddr *) &s, sizeof(struct sockaddr_in));
if (r == 0) {
/* sending session request */
send(sock, smb_sesreq, sizeof(smb_sesreq)-1, 0);
Sleep(1000);
r = recv(sock, (char *)buf, 256, 0);
if (r < 0) goto err;

memset(buf, 0, 256);
/* sending negotiation request */
send(sock, smb_negotiate,
sizeof(smb_negotiate)-1, 0);
Sleep(1000);
r = recv(sock, (char *)buf, 256, 0);
if (r < 0) goto err;

printf("OK\n");
smbname = find_smbname(buf, r);
if (smbname == NULL) goto err;
smbname_len = smbname - buf;

name = (unsigned char *)calloc(smbname_len, 1);

/* decoding */
r = 0;
while (smbname_len) {
if (*smbname != '\x00') {
name[r] = *smbname;
r++;
}
smbname++;
smbname_len--;
}
} else {
printf("failed\n[-] Can't connect to %s:139\n", ip);
}

err:
shutdown(sock, 1);
closesocket(sock);

return name;
}

char *netbios_encode(char *ndata, char service)
{
char *tmpdata, *data, *nret;
unsigned long dlen;
char odiv, omod, o;
int i;

data = (char *)calloc(17, 1);
memcpy(data, ndata, strlen(ndata));

dlen = strlen(data);
while (dlen < 15) {
strcat(data, "\x20");
dlen++;
}

memcpy(data+strlen(data), &service, 1);

nret = (char *)calloc(strlen(data)*2+1, 1);
tmpdata = nret;

for (i=0; i<16; i++) {
o = (char)data[i];
odiv = o / 16;
odiv = odiv + 0x41;
omod = o % 16;
omod = omod + 0x41;
*tmpdata++ = odiv;
*tmpdata++ = omod;
}

free(data);

return nret;
}

void usage(char *prog)
{

printf("===========================================================\n");
printf("== Netdde enabled checker ===\n");
printf("== Coded by tony, based on the houseofdabus exploit ===\n");
printf("===========================================================\n");
printf("Usage : %s <host>\n", prog);
printf("please juste use this prog to check if netDDE is enabled on your computer\n");

exit(0);
}

int main (int argc, char **argv)
{

int len, sockfd;
char *host;
char *req;
struct hostent *he;
struct sockaddr_in their_addr;
char rbuf[4096];

#ifdef _WIN32
WSADATA wsa;
#endif

char *ses_req;
char *hname;
char *hn;
unsigned long req_sz, hname_len;
char *nname = NULL;

#ifdef _WIN32
WSAStartup(MAKEWORD(2,0), &wsa);
#endif

if (argc < 2) usage(argv[0]);
host = argv[1];
if (strlen(host) > 1024) return 0;
host = argv[1];
nname = smb_get_name(argv[1]);
if (nname)
{
printf("[+] Remote netbios name: %s\n", nname);

hn = nname;
host = argv[1]; /* target host name */

/* target jmpaddr */
memcpy(jmpcode+80, &target[ntarget].jmpaddr, 4);

ses_req = (char *)calloc(sizeof(req1)-1 + sizeof(req2)-1 + 114, 1);
memcpy(ses_req, req1, sizeof(req1)-1);
memcpy(ses_req+sizeof(req1)-1, "\x20", 1);
hname = netbios_encode(hn, 0x1F);
hname_len = strlen(hname);

memcpy(ses_req+sizeof(req1)-1+1, hname, hname_len);
memcpy(ses_req+sizeof(req1)-1+1+hname_len,"\x00\x20", 2);
memcpy(ses_req+sizeof(req1)-1+1+hname_len+2, req2, sizeof(req2)-1);
memcpy(ses_req+sizeof(req1)-1+1+hname_len+2+sizeof(req2)-1, "\x00", 1);

req_sz = sizeof(req1)-1+sizeof(req2)-1+hname_len+4;

if ((he = gethostbyname(host)) == NULL) {
printf("[-] Unable to resolve %s\n", host);
return 0;
}

if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
printf("[-] Error: socket failed\n");
return 0;
}

req = req1;

their_addr.sin_family = AF_INET;
their_addr.sin_port = htons(139);
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(&(their_addr.sin_zero), '\0', 8);

/* connecting */
printf("[*] Connecting to %s:139 ... ", host);
if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) < 0) {
printf("[-] Error: connect failed\n");
return 0;
}
printf("OK\n");

if (send(sockfd, ses_req, req_sz, 0) < 0) {
printf("[-] Error: send failed\n");
return 0;
}

len = recv(sockfd, rbuf, 4096, 0);
if (len < 0) return 0;

/* check NetDDE */
if ((unsigned char)rbuf[0] != 0x82)
{
printf("[-] NetDDE disabled\n");
return 0;
}
printf("[-] NetDDE enabled\n");

shutdown(sockfd, 1);
closesocket(sockfd);
free(ses_req);
free(hname);

return 0;

}

return 0;
}

This new version doesn't require netbios name, but I'm working to do it proper :
With this one, it connects two timers to remote host : firest to check netbios name, then to check netdde. I'm trying to do just one connection to test this.

Then I'll add a function to know the OS of the remote host.

MessyR

Jan 4 2005, 11:17 AM

Anyone compiled it? I tried but got errors (n00b compiler).

DerangeD

Jan 5 2005, 03:26 AM

QUOTE(MessyR @ Jan 4 2005, 11:17 AM)

Anyone compiled it? I tried but got errors (n00b compiler).

compiled without a error with Ms visual 6.0

dunnow with what you tried to compile it .

OleaSTeR

Jan 5 2005, 07:09 PM

your scanner find "enable" unix machine with samba server !!!!

[*] Connecting Port 139....
[*] Sending session request....
[*] Sending negotiation request....
[*] Sending setup account request....
[*] Successful....

Remote OS:
----------

Samba 2.0.7
Unix

[*] Connecting Port 139....
[*] Sending session request....
[*] Sending negotiation request....
[*] Sending setup account request....
[*] Successful....

Remote OS:
----------

Samba 2.2.2
Unix

[*] Connecting Port 139....
[*] Sending session request....
[*] Sending negotiation request....
[*] Sending setup account request....
[*] Successful....

Remote OS:
----------
Samba 2.2.8a-SuSE
Unix

FakoLy

Jan 5 2005, 09:10 PM

thanks for sawing this OleaSTeR, I'll try to correct this

jos40

Jan 5 2005, 10:42 PM

compiled just fine in Microsoft Visual C++ 6

gonna check and thnx a lot for the code

gijukud6

Jan 6 2005, 01:53 AM

Hi,

tryed to compile that also with visual studio 6.
But I got an error

C:\scanner.cpp(238) : error C2440: '=' : 'unsigned char *' could not be converted to 'char *'

(i translated the message into english)

Does any1 know?

greets

THeGooDMaN

Jan 6 2005, 06:49 AM

I compiled it with lcc and it ent very smooth

FakoLy

Jan 6 2005, 07:32 AM

QUOTE(gijukud6 @ Jan 6 2005, 01:53 AM)

Hi,

tryed to compile that also with visual studio 6.
But I got an error

C:\scanner.cpp(238) : error C2440: '=' : 'unsigned char *' could not be converted to 'char *'

(i translated the message into english)

Does any1 know?

greets

name your file as scanner.c, and should work

Booster2ooo

Jan 6 2005, 08:45 AM

I've somme error when i try to compile it ...

With Broland:

CODE

Borland C++ 5.5.1 for Win32 Copyright (c) 1993, 2000 Borland
NetDDEChecker.c:
Warning W8004 NetDDEChecker.c 358: 'req' is assigned a value that is never used
in function main
Warning W8004 NetDDEChecker.c 280: 'host' is assigned a value that is never used
in function main
Warning W8004 NetDDEChecker.c 268: 'nname' is assigned a value that is never use
d in function main
Turbo Incremental Link 5.00 Copyright (c) 1997, 2000 Borland
Fatal: Unable to open file 'WS2_32.OBJ'

With Dev-C++:

CODE

C:/Documents and Settings/Booster/Mes documents/NetDDE Checker.c:358:2: warning: no newline at end of file

C:\DOCUME~1\Booster\LOCALS~1\Temp/cc29baaa.o(.text+0xfb):NetDDE Checker.c: undefined reference to `gethostbyname@4'
C:\DOCUME~1\Booster\LOCALS~1\Temp/cc29baaa.o(.text+0x145):NetDDE Checker.c: undefined reference to `socket@12'
C:\DOCUME~1\Booster\LOCALS~1\Temp/cc29baaa.o(.text+0x17f):NetDDE Checker.c: undefined reference to `htons@4'
C:\DOCUME~1\Booster\LOCALS~1\Temp/cc29baaa.o(.text+0x1ef):NetDDE Checker.c: undefined reference to `connect@12'
C:\DOCUME~1\Booster\LOCALS~1\Temp/cc29baaa.o(.text+0x222):NetDDE Checker.c: undefined reference to `send@16'
C:\DOCUME~1\Booster\LOCALS~1\Temp/cc29baaa.o(.text+0x25b):NetDDE Checker.c: undefined reference to `recv@16'

C:\DOCUME~1\Booster\LOCALS~1\Temp/cc29baaa.o(.text+0x2ad):NetDDE Checker.c: undefined reference to `send@16'
C:\DOCUME~1\Booster\LOCALS~1\Temp/cc29baaa.o(.text+0x2e6):NetDDE Checker.c: undefined reference to `recv@16'
C:\DOCUME~1\Booster\LOCALS~1\Temp/cc29baaa.o(.text+0x3a5):NetDDE Checker.c: undefined reference to `shutdown@8'
C:\DOCUME~1\Booster\LOCALS~1\Temp/cc29baaa.o(.text+0x3b3):NetDDE Checker.c: undefined reference to `closesocket@4'
C:\DOCUME~1\Booster\LOCALS~1\Temp/cc29baaa.o(.text+0x7ab):NetDDE Checker.c: undefined reference to `WSAStartup@8'
C:\DOCUME~1\Booster\LOCALS~1\Temp/cc29baaa.o(.text+0x9b2):NetDDE Checker.c: undefined reference to `gethostbyname@4'
C:\DOCUME~1\Booster\LOCALS~1\Temp/cc29baaa.o(.text+0x9fc):NetDDE Checker.c: undefined reference to `socket@12'
C:\DOCUME~1\Booster\LOCALS~1\Temp/cc29baaa.o(.text+0xa3d):NetDDE Checker.c: undefined reference to `htons@4'
C:\DOCUME~1\Booster\LOCALS~1\Temp/cc29baaa.o(.text+0xa9c):NetDDE Checker.c: undefined reference to `connect@12'
C:\DOCUME~1\Booster\LOCALS~1\Temp/cc29baaa.o(.text+0xaf1):NetDDE Checker.c: undefined reference to `send@16'
C:\DOCUME~1\Booster\LOCALS~1\Temp/cc29baaa.o(.text+0xb38):NetDDE Checker.c: undefined reference to `recv@16'
C:\DOCUME~1\Booster\LOCALS~1\Temp/cc29baaa.o(.text+0xb93):NetDDE Checker.c: undefined reference to `shutdown@8'
C:\DOCUME~1\Booster\LOCALS~1\Temp/cc29baaa.o(.text+0xba1):NetDDE Checker.c: undefined reference to `closesocket@4'

Smb can help me ?

parasita

Jan 6 2005, 09:46 AM

Compiled Fine whit VC++

here is the link:

Netdde-service-checker.rar

Booster2ooo

Jan 6 2005, 10:28 AM

Thx a lot

Enz0s

Jan 6 2005, 03:50 PM

Tnx a lot

THeGooDMaN

Jan 6 2005, 05:40 PM

Is there also a way to save the results in a text file?

parasita

Jan 6 2005, 05:53 PM

QUOTE(THeGooDMaN @ Jan 6 2005, 05:40 PM)

Is there also a way to save the results in a text file?

Yes type on your prompt

Netdde-service-checker.exe xxx.xxx.xxx.xxx>>netbios.txt

THeGooDMaN

Jan 6 2005, 06:01 PM

I made a bat:

FOR /F "tokens=1* delims=, " %%i in (dfind) do NetDDE-check %%i

do I know have to do FOR /F "tokens=1* delims=, " %%i in (dfind) do NetDDE-check %%i >> check.txt

??

because that doesn't work

o0oKARo0o

Jan 9 2005, 09:05 PM

Thats cool but can we scan a whole range aswell ?

droppunx

Jan 10 2005, 02:01 AM

QUOTE(THeGooDMaN @ Jan 6 2005, 06:01 PM)

I'll make a .bat and post it for ya

-droppunx

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.