Hacking netbios
    -------------------------------------------------------------------------------------------------------
    What is NetBIOS? Some say it is the fancy name for "file and print sharing", which is true, but that
    can be misunderstood, because NetBIOS is so much more than sharing files with each other. It's more like
    taking control over each other. In this text I will demonstrate how NetBIOS works, how NetBIOS can be
    exploited, and how to protect yourself against these attacks. This text is based on the Microsoft NT
    network because that has far more possibilities than the Windows 95/98 platform.
    NOTE: This text is meant for educational purposes only. The author or the host of this file takes no
    responsibility whatsoever for what you do after reading this document. You can blame no one but
    yourself for your own actions. So be careful.
    -------------------------------------------------------------------------------------------------------

    The NetBIOS session service runs on TCP port 139. So if you run a portscan and don't find port 139
    open, there is no possible way you can exploit the host's NetBIOS. DOH! But NetBIOS is now a very big
    part of Microsoft networks, and therefore many computers have the port open.

    1st task: Do a portscan or whatever, and find a host with port 139 open.

    If a host has the information you want shared, there is no need to work more on hacking the host to get
    deeper into the computer. Therefore, we want to see what resources the computer has shared and, if
    necessary, download the wanted information.
    We will use the command prompt very much because that's the fastest one, and the one I prefer ;).

    2nd task: Open a DOS prompt. Start > Run, type "command" (without the quotes) and hit enter.

    NetBIOS is actually pretty funny because it is so strange. There are so many funny things you will
    discover and wonder what the creators were thinking of. But some things that are even funnier are the
    default NetBIOS settings of a Windows 2000/NT/XP computer. Let's take a look at it.

    I did a scan, found a couple of computers that were Windows 2000, with NetBIOS open, and
    with default configuration.
    The first thing I did was try to view the computer's shares. Here is the result:

    D:\>net view \\213.145.182.43
    System error 5 has occurred.

    Access is denied.

    -----------------Explanation-------------------------------------------------------------
    net view = view a computer's shares.
    \\ = indicates that the next characters/numbers are a computer host name/IP address.
    213.145.182.43 = the IP address.
    -----------------------------------------------------------------------------------------

    This means that the computer won't let me view the shares without being logged on.
    So, we have to log on to the computer.
    "Oh, that's a pity, because I don't have a username and password," you think.
    But guess what, here is the funny part: you don't need a username and password!
    This is how I solved the problem:

    D:\>net use \\213.145.182.43\ipc$ /u:"" ""
    The command completed successfully.


    D:\>net view \\213.145.182.43
    There are no entries in the list.

    -----------------Explanation-------------------------------------------------------------
    net use = connect to a computer / share.
    ipc$ = the inter-process communication protocol. A bit hard to explain, but think of
    it as the thing that deals with the remote logons for now.
    /u:"" "" = the username and password. If we were going to log on with the username
    "windows" and the password "sucks" we would have done this: /u:"windows" "sucks"
    -----------------------------------------------------------------------------------------
    As you can see, I successfully logged on to the remote computer with the username and
    password blank. The connection we established is called a NULL session, and is very
    restricted, but at least it let me view the share list.

    The share list was empty. Or was it? Another funny (or scary) thing about Windows
    NT/2k/XP is that on startup it shares all your drives without you knowing. The shares
    are hidden, so that the remote user (you) cannot see them, but the administrator can.
    The shares can be accessed, but not via a NULL session. You have to get higher
    privileges to access these shares. This is not a tutorial on password cracking,
    so I'm going to jump directly to the fun part. You have to get a username and
    password yourself. (Maybe I'll write a tutorial on password cracking once, but as a note:
    there are tons of tools and tutorials on this already out on the net, so just
    do some research.)

    3rd task: Get a username and password with more privileges than a NULL session
    on a remote computer. This account should be a superuser (administrator).

    We have already logged on to a computer before, so before you try to access the
    same computer again with a different username and password you have to terminate
    the other connection. This is done by typing "net use \\[IP address]\ipc$ /delete",
    for example "net use \\213.145.182.43\ipc$ /delete".
    You know how to do the rest now, just change the username and password. If
    the username is "Administrator", the password is "hacker"
    and the IP address is "213.145.182.43" you would do this:
    net use \\213.145.182.43\ipc$ /u:"Administrator" "hacker"

    NOTE: IPC is not a directory, though it is hidden ($). Hard to explain, but
    think of it as the protocol that makes remote access/administration through
    NetBIOS possible.

    4th task: Have fun!

    Now, with a more powerful connection to the computer you can start having
    fun. Now you can access the hidden shares of the remote computer, because
    they are meant for administrative purposes, and now you are an administrator ;).
    So to access, for example, the hidden c: share (named c$) we do this:
    "net use x: \\213.145.182.43\c$"

    -----------------Explanation-------------------------------------------------------------
    x: = assigns a drive called x: to the remote share. This means that you
    can access the remote computer's c: by going to My Computer and double
    clicking x:, or you could browse it in DOS: type "x:" and then "dir", for example.
    -----------------------------------------------------------------------------------------

    But what if the administrator is so "smart" as to delete these shares? No problem!
    You are a superuser, and therefore you simply create your own share!
    Go to Start > Settings > Control Panel > Administrative Tools > Computer Management.
    From this box you will be able to view and administrate cool things
    on your computer, but if you go to Action > Connect to another computer and
    type in the IP address of the computer you've got a superuser connection to,
    you will be able to view and administrate cool things on the other
    computer! Create and delete shares, create new usernames, administrate
    the running processes and much more without any trojan installed! Also, you can access
    the remote computer's registry editor. Go to Start > Run and type "regedit".
    This will open the registry editor. In this box, go to Registry > Connect
    Network Registry. Type in the IP address. Now you can do what you want to
    the remote computer's registry.
    All you need is this superuser connection. (Which can be hard to get, sorry.)
    So take a look and I'll let you experience the rest of NetBIOS yourself.

    IMPORTANT: When you are done hacking a computer, or whatever, it is important
    that you delete the connection so that you don't get traced.
    Type "net use \\[IP address] /delete", for example "net use \\213.145.182.43 /delete".

    TIP: Don't just read tutorials, understand tutorials; this way you will get
    better by yourself in time. Also, take a look at all the other net commands:
    type "net /?" in the command prompt.

    How to protect yourself against these kinds of attacks:
    -------------------------------------------------------

    1. Disable NetBIOS on your network connections. Go to Start > Settings > Network
    and Dial-up Connections, access the properties of your internet or LAN
    connection and go to the Networking tab. Uncheck "File and Printer Sharing for
    Microsoft Networks". That will close port 139.
    If you are happy with that, don't continue; if you don't want to disable
    the whole thing, read on.

    2. Delete all the unnecessary shares. Maybe annoying, but you have to do
    this every time the computer starts. I have a .bat file that does this
    for me in my startup directory. How to create a bat file? Open Notepad,
    type in DOS commands, save it as something.bat in any directory. Putting
    it in the startup directory will run it when the computer starts. The command
    you need to delete shares is the net share command. Type "net share [share name]
    /delete", for example "net share c$ /delete", to delete the share.

    3. Delete the IPC$ share each time the computer starts. Type "net share ipc$
    /delete".
    If you don't want to delete the entire IPC, read on.

    4. Disable null sessions to the IPC. Open regedit. Go to
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
    Find the DWORD value called "restrictanonymous". Right click it and
    select "Modify". Change the Value Data to 1.

    5. Always have long passwords. Do NOT use words as passwords, as
    these are easy to guess. Use long combinations of characters (lower and upper case),
    numbers and special characters ($¤#£/())!"=? and so on).
    This will take an eventual cracker an enormously long time to crack your password.

    6. Delete unused user accounts. Many companies have incredibly many user
    accounts that never get used. These accounts are nothing but help for the
    hacker.
    If a computer has 60-80 (which actually is not unusual) unused accounts,
    some of them surely have a short password, which is a big help for the hacker.
    Delete them.
    Go to Start > Settings > Control Panel > Administrative Tools > Computer Management >
    Local Users and Groups. I'll let you handle the rest.
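    The startup .bat described in the protection steps, written out as an added example (this is not the original post's file). It assumes cmd.exe on Windows 2000/XP with net.exe and reg.exe available, and that C$, D$ and ADMIN$ are the hidden shares on the machine; it removes those shares and sets RestrictAnonymous to 1 from the command line instead of regedit.

```batch
@echo off
REM Added example, not the original post's .bat file. Assumes cmd.exe on
REM Windows 2000/XP with net.exe and reg.exe available, and that C$, D$ and
REM ADMIN$ are the hidden shares on this machine (edit the list to match).
REM Windows recreates the administrative shares at every boot, so put this in
REM the Startup folder so it runs each time.

REM Remove the hidden administrative drive shares. Errors (e.g. a share that is
REM already gone) are hidden with >nul 2>&1 so the script keeps going.
for %%S in (C$ D$ ADMIN$) do (
    net share %%S /delete >nul 2>&1
)

REM Uncomment to remove IPC$ as well. Only do this if you need no remote
REM administration at all; otherwise keep IPC$ and rely on RestrictAnonymous.
REM net share IPC$ /delete >nul 2>&1

REM Refuse NULL sessions: the same change as setting RestrictAnonymous to 1
REM in regedit, done from the command line so it is repeatable at each boot.
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RestrictAnonymous /t REG_DWORD /d 1 /f >nul

REM Print what is still shared so the result can be checked.
net share
```

    Run "net share" by hand afterwards (or read the script's last output) to confirm the drive shares are gone; if a share reappears, the script is not running early enough at startup.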

    That's basically it. I hope you gained a lot of knowledge from this tutorial
    so that my work was useful ;)
    Please do not change the text of this file if you host it on your site. Thanks.
    Peace out. :| :|