CRAWLCLiCK Forums : Powered by vBulletin version 2.2.9 CRAWLCLiCK Forums > Software & Multimedia > Security and Encryption > Hacking > Hacking Windows Using NetBIOS
  Last Thread   Next Thread
Thread Post New Thread    Post A Reply

Hacking Windows Using NetBIOS

Old Post posted October-27th-2003 at 03:22 AM

Report this post to a moderator | IP: Logged


Registered: Nov 2002
Location: USA
Posts: 293

In depth Guide Too Hacking Windows Using NetBIOS

By: C0ldPhaTe

It has been brought to my attention that many people don・t understand the way NetBIOS works. Many don・t even know where to begin when it comes to hacking NetBIOS. So in this tutorial I・m going to cover the basics of hacking NetBIOS, I will also remind you hacking with NetBIOS is almost the easiest way to hack remotely. Although it might be one of the most easiest way to hack remotely you will find that hacking with NetBIOS has a lot of powerful uses also.

The Network Basic Input Output System (NetBIOS):
The Network Basic Input Output System is also known as NetBIOS. NetBIOS was originally developed by IBM, which used Sytek as an Application Programming Interface (API) for the client software operation systems. These systems included Windows98, Windows Me, Windows NT.

The Network Neighborhood:
Many of you have seen the icon labeled :Network Neighborhood; but a lot of upcoming hackers also known as newbies might not know exactly how to use the Network Neighborhood or understand how it works. The Network Neighborhood is used to access the computers attached to your network. After you have click on the icon to the Network Neighborhood your computer then tries to get all the names of the computers attached to your network. Issuing a command known as NetBIOS does this. The NetBIOS command is used to g-e various information on computers connected to a network. But before you can move onto any of this you will first have to start from the basics, which I have included below. From there you can the attack your target.

Information Gathering And Server Penetration:
The first step you would do while looking for a target victim is to portscan the target machines or network. One thing to keep in mind is when you・re hacking a Windows NT system or network. NetBIOS tends to be the target of the bruteforce attack. The reason for this is because Information gathering with NetBIOS is fairly easy to do. The thing to keep in mind is if the Port Scanner returns that your target machine or network has port 139 open you can simple query that system with using simple commands which I will go into a little later with this tutorial.

What Is the NBTSTAT Command:
The NBTSTAT command is a very powerful command, which allows you to manually interact with NetBIOS. To use this command you will first have to launch the MS-DOS Command Prompt, for those of you who don・t know how to launch this you can do so by going to your Start Button and clicking on it then slide your mouse over the run button and type in Command in the run prompt and it will automatically launch the MS-DOS Prompt.

The NBTSTAT Command Options:
The Below display is the display that you would get if you went into the MS DOS Prompt and typed c:\windows\nbtstat/? You would then get the below reading which g-es you a basic breakdown of what you will be able to do or what you could do with the NBTSTAT command. I know it・s a little hard to read the table below with any real knowledge of what that table means so I・m actually going to walk you through a real hack so you can get a little understanding on how you would go about actually go about using the information your gather. Ok now onto the more fun and useful information .

Displays protocol statistics and current TCP/IP connections using NBT (NetBIOS over TCP/IP).
NBTSTAT [-a RemoteName] [-A IP address] [-c] [-n][-r] [-R] [-s] [S] [interval] ]

NBTSTAT -a (adapter status) Lists the remote machine's name table g-en its name
NBTSTAT -A (Adapter status) Lists the remote machine's name table g-en its IP address.
NBTSTAT -c (cache) Lists the remote name cache including the IP addresses
NBTSTAT -n (names) Lists local NetBIOS names.
NBTSTAT -r (resolved) Lists names resolved by broadcast and via WINS
NBTSTAT -R (Reload) Purges and reloads the remote cache name table
NBTSTAT -S (Sessions) Lists sessions table with the destination IP addresses
NBTSTAT -s (sessions) Lists sessions table converting destination IP addresses to host names.

RemoteName - Remote host machine name. IP address Dotted decimal representation of the IP address.
Interval - Redisplays selected statistics, pausing interval seconds between each display.

The column headings which are generated by using the NBTSTAT command have the following meanings:

Input - Number of bytes rece-ed
Output - Number of bytes sent
In/Out - Whether the connection is from your target computer is outbound or from another system to your local network, which is known as, inbound.
Life - The remaining time that a name table caches will so called l-e.
Local Name - This is what is known as your local NetBIOS name g-en to your connection.
Remote Host - The name or the Internet Protocol (IP) g-en to the address of the remote host.

Actually Using The NBTSTAT Command:
Ok Now I will begin to show you how to use the NBTSTAT command this is an example later on in the tutorial I will g-e you a step by step break down on everything from gaining the target information to actually hacking into using The NBSTAT Command. Now remember this is an actual machine of which has port 139 open and allows File Sharing the domain is known as Http:// now I will begin the process of making my way into the system.

Example On How To Use the NBTSTAT Command:


NetBIOS Remote Machine Name Table

Name Type Status
SETI2 <00> UNIQUE Registered
WORKGROUP <00> GROUP Registered
SETI2 <20> UNIQUE Registered
INet~Services <1C> GROUP Registered
SETI2 <03> UNIQUE Registered
IS~SETI2....... <00> UNIQUE Registered

MAC Address = 00-10-DC-5F-F2-E6

Important Note: If you don・t get a read out with the number <20> showing. This means that the target victum has enabled the File Sharing and Print Sharing. Also another thing you might get is the :Host Not Found; This shows that either port 139 is a closed connection or that the Internet Protocol (IP) doesn・t exist.

Now from the information we have gathered from the NBTSTAT command you can proceed to either continue on hacking or you could use the other information for such as connection hijacking, MAC spoofing etc. This information is rather important while continuing on in your hack but before you can do anything else you going to need to know a little about what you just read, so below I have broke down the NetBIOS Remote Machine Name Table.

Breakdown Of The NetBIOS Remote Machine Name Table:
Before you can go any further you will need to know a little information about how to read the NetBIOS Remote Machine Name Table. Understanding the list below is key to gaining access to a target machine running

Name Number Type Usage
00 Unique Workstation Service
01 Unique Messanger Service
<\\_MSBROWSE_> 01 Group Master Browser
03 Unique Messenger Service
06 Unique RAS Server Service
1F Unique NetDDE Service
20 Unique File Server Service
21 Unique RAS Client Service
22 Unique Exchange Interchange
23 Unique Exchange Store
24 Unique Exchange Directory
30 Unique Modem Sharing Server Service
31 Unique Modem Sharing Client Service
43 Unique SMS Client Remote Control
44 Unique SMS Admin Remote Control
45 Unique SMS Client Remote Chat
46 Unique SMS Client Remote Transfer
4C Unique DES Pathworks TCPIP Service
52 Unique DES Pathworks TCPIP Service
87 Unique Exchange MTA
6A Unique Exchange IMC
BE Unique Network Monitor Agent
BF Unique Network Monitor Applications
03 Unique Messenger Service
00 Group Domain Name
1B Unique Domain Master Browser
1C Group Domain Controllers
1D Unique Master Browser
1E Group Browser Service Elections
1C Group Internet Information Server
00 Unique Internet Information Server
2B Unique Lotus Notes Server

Now that you have seen the complete NetBIOS Remote Machine Table in full I will now tell you how to actually go about reading the table and understanding exactly what the table says. Below you going to find a complete listing and definitions to each listing so please keep this table and listing handy because it will play a big part in your hacker journeys.
NetBIOS Remote Machine Name Table Definitions:

Unique - Anything with the name unique may only have one Internet Protocol (IP) address assigned to it.
Group - A normal group, this allows a single name to exist with many Internet Protocols.
Domain Name - New in Microsoft Windows NT 4.0
Internet Group - A special configuration of the group names.

Now what you do from the rece-ed output is up to you, but most hackers would glean possible usernames from the remote machine or remote machines. Which this will now lead me on to another think known as NET command.

Using NetBIOS Shares:
After you have found a NetBIOS share you will then proceed to add it to your LMHOSTS file. After you add this to your LMHOSTS file you will be able to view the remote computer within your Network Neighborhood. If you don・t add it to your LMHOSTS file you will not be able to view the computer remotely. After adding it to your LMHOSTS file you can simply use the find computer options within Windows NT and Windows 95,98 to browse the shares. You could also use the alternation option to use the very powerful NET.exe

C:\>net view
C:\>net view \\SETI2

Shared Resources At

Share Name Type Used As Comment
NETLOGON DISK Logon Server Share

Note: You will often find shares like the C$, ADMIN$ and IPC$ share hidden and will most of the time not be shown. Below is a listing of shares you might come across and should be familiar with. A lot of times you will find that these shares are indeed password protected so you might have to try and Brute Force attack the password or your might get lucky and find that the password is a default password which was sent with the machine. If your asking yourself how do I know the default passwords search the web for :Default NetBIOS passwords; and you should be rather pleased with your outcome.

Below a listing of Shares and there uses:

Share Name Type Comment
ADMIN$ DISK Remote Admin
C$ DISK Default Share
IPC$ IPC: Remote IPC
NETLOGON DISK Logon Server Share

I will now connect to the IPC$ share on using a Null Session.

C:\net use \\\ipc$ :; /user:;;
The command completed successfully

I will now connect to a normal share using the Net use command. Which can then be used to have remote access to dr-e in which I place in the command.

C:\net use x: \\\test
The command completed successfully.

C:\net use
New connections will be remembered.

Status Local Remote Network
OK X: \\ Microsoft Windows Network
OK B: \\ a Microsoft Windows Network
The command completed successfully.

I mentioned above about the NET.exe and how powerful it actually was well I will now tell you some interesting but yet very useful while your hacking into a machine to know. With the understanding of these commands and how they work will make the process of gaining administrat-e writes a whole lot easier.

What NET.exe Is Good For:
Below you will find out just what NET.exe can be used for I have included a listing of things its capable of and a definition of what each command does.

NET name - This will show the current name of the computer and who is currently logged in.
NET accounts - Will show the password restricted users.
NET share - Displays all shares on the local machine.
NET user - Will show accounts created on the local machine.
NET group - Can be used to add people to the Administrat-e group.

How To Crack Share Passwords:
You might remember me saying above about finding shares that are password protected on your target machine. For cracking passwords on Windows 95,98,Me, XP you can use a password cracker known as :PQWAK; this can be found on any web page that deals with password crackers. PQWAK is decrypting a share password within usually a minuet or so. The only bad thing is that PQWAK can only crack the remote passwords of the remote operating system its running on.

Well I hope you have learned a little bit about hacking with NetBIOS. Although hacking NetBIOS is one of the most easiest ways to hack into a system it is also a very powerful way to take over a system. I would also recommend downloading some text files or buying some books on Windows NT, Windows 2000 or hacking web servers. Remember it・s always smarter to read information before acting. The more knowledgeable you are about your target operating system the less likely you are to make a false move, which will get your ass caught. I・m not claming to be :l33t;, as most people would consider themselves. You will see a lot of people say the are but you will find very few who really are. Also don・t be ashamed if you go into a channel and someone makes fun of you for asking a question. We all have gone through it just don・t get discouraged, just blow them off and continue to read up on anything you can get your hands on. If you have any questions you can find me within Mirc or you can contact me through the information provided below. Also be sure to download my other tutorials.

MIRC: #h4ckerz, #crystalz, #hackalot, #Hackfest, #Hack-i, #Hacku, #minangcrew, #Hack0r,#hack.exe,#localhost
AOL IM: Myst1kal One

Other Documents I Have Written:
In depth Guide Too Hacking Windows Using NetBIOS - February 7, 2003
A complete users guide to port scanning - February 06, 2003
A Quick Unix Command Guide - January 30, 2003
A Definit-e Trojan Port Listing - January 30, 2003
Basics On How To Identify A Firewall - January 23, 2003
The Common Gateway Interface (CGI) - November 28, 2002
Microsoft IIS Unicode Exploit Explained - November 13, 2002



Click Here to See the Profile for Franklin Click here to Send Franklin a Private Message Find more posts by Franklin Add Franklin to your buddy list

All times are GMT. The time now is 02:05 PM. Post New Thread    Post A Reply
  Last Thread   Next Thread
Show Printable Version | Email this Page | Subscribe to this Thread

Forum Jump:
Rate This Thread:

Forum Rules:
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
HTML code is ON
vB code is ON
Smilies are ON
[IMG] code is OFF

Powered by: vBulletin Version 2.2.9
Copyright 2000 - 2002, Jelsoft Enterprises Limited.
Style by: Tech-Forums

archive 0.17500198 seconds (60.26% PHP - 39.74% MySQL) with 28 queries.