Remote System Hack Using NetBios On A Windows PC

    NetBIOS hacking is the art of getting into someone else's computer from your own computer over the network. NetBIOS stands for "Network Basic Input Output System." It is a way for computers on a LAN or WAN to share folders, files, drives, and printers.
    So first off we need to find a computer (or the specific computer) to hack into. If you're plugged in to the LAN, or connected to the WAN, you can begin.
    Introduction to NetBIOS :
    NetBIOS stands for “Network Basic Input Output System”. 
    It was originally developed by IBM and Sytek as an Application Programming Interface (API) for client software to access LAN resources. By default it runs on port 139.
    NetBIOS gives out various information about the computers on a network, including the computer name, username, domain, group, and many others.
    Scan Your Network
    Angry IP Scanner is an open-source and cross-platform network scanner designed to be fast and simple to use. It scans IP addresses and ports in the Network.

    Download the scanner here: Angry IP Scanner
    Ping Command :
    It is used to test whether a remote system is up and reachable on the network.
    Example :
     C:\>ping 192.168.1.11
     Pinging 192.168.1.11 with 32 bytes of data:
     Reply from 192.168.1.11: bytes=32 time=4ms TTL=64
     Reply from 192.168.1.11: bytes=32 time=1ms TTL=64
     Reply from 192.168.1.11: bytes=32 time=1ms TTL=64
     Reply from 192.168.1.11: bytes=32 time=1ms TTL=64
     Ping statistics for 192.168.1.11:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
     Approximate round trip times in milli-seconds:
        Minimum = 1ms, Maximum = 4ms, Average = 1ms

    The NBTSTAT Command :
    NBTSTAT is the command used to interact manually with NetBIOS over TCP/IP.
    All the switches available for the nbtstat command, and their usage, can be listed by running nbtstat without arguments.
    Example NBTSTAT Response :
     C:\>nbtstat -A 192.168.1.11
    
            NetBIOS Remote Machine Name Table
    
        Name               Type         Status
     ---------------------------------------------
     TECHTRIGGER      <00>  UNIQUE      Registered
     TT LABS          <00>  GROUP       Registered
     TECHTRIGGER      <03>  UNIQUE      Registered
     TECHTRIGGER      <20>  UNIQUE      Registered
     TT LABS          <1E>  GROUP       Registered
    
     MAC Address = 44-45-53-54-00-00
    An intruder could use the output from an nbtstat against your machines to begin gathering information about them.
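To audit what your own hosts give away through this name table, here is an added example (not code from the original post) that parses nbtstat -A output and summarises the exposure: the computer name (<00> UNIQUE), whether the file server service is registered (<20> UNIQUE, meaning shares are reachable), and any <03> names that differ from the computer name, which are logged-on usernames. The sample table is the post's output plus a constructed JSMITH row.

```python
import re
from typing import Dict, List

# Well-known NetBIOS name suffixes and the service each one advertises.
# The post singles out <03>: those rows carry the computer name and,
# for anyone logged on, their username.
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "workstation service (computer name)",
    ("00", "GROUP"): "domain or workgroup name",
    ("03", "UNIQUE"): "messenger service (computer name or logged-on user)",
    ("20", "UNIQUE"): "file server service (shares are reachable)",
    ("1E", "GROUP"): "browser service elections",
}

NAME_ROW = re.compile(
    r"^\s*(?P<name>.+?)\s+<(?P<suffix>[0-9A-Fa-f]{2})>\s+(?P<type>UNIQUE|GROUP)\s+(?P<status>\w+)"
)

# Constructed sample: the table from the post plus one logged-on user row (JSMITH).
SAMPLE = """
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
TECHTRIGGER      <00>  UNIQUE      Registered
TT LABS          <00>  GROUP       Registered
TECHTRIGGER      <03>  UNIQUE      Registered
JSMITH           <03>  UNIQUE      Registered
TECHTRIGGER      <20>  UNIQUE      Registered
TT LABS          <1E>  GROUP       Registered

MAC Address = 44-45-53-54-00-00
"""

def parse_name_table(text: str) -> List[Dict[str, str]]:
    """Extract the name rows of 'nbtstat -A' output as dicts (name, suffix, type, status)."""
    return [m.groupdict() for m in map(NAME_ROW.match, text.splitlines()) if m]

def exposure_report(text: str) -> Dict[str, object]:
    """Summarise what a host advertises over NetBIOS: its name, whether the
    file server service is registered, and any <03> names that are not the host."""
    rows = parse_name_table(text)
    computer = next((r["name"] for r in rows if (r["suffix"], r["type"]) == ("00", "UNIQUE")), None)
    users = sorted({r["name"] for r in rows if r["suffix"] == "03" and r["name"] != computer})
    mac = re.search(r"MAC Address\s*=\s*([0-9A-Fa-f-]{17})", text)
    return {
        "computer": computer,
        "file_sharing": any((r["suffix"], r["type"]) == ("20", "UNIQUE") for r in rows),
        "logged_on_users": users,
        "mac": mac.group(1) if mac else None,
        "services": sorted({SUFFIX_MEANING.get((r["suffix"].upper(), r["type"]), "unknown suffix <" + r["suffix"] + ">") for r in rows}),
    }
```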
    The next step for an intruder would be to try and list the open shares on the given computer, using the net view command.
    Here is an example of the Net View command-
     C:\>net view \\192.168.1.11
     Shared resources at \\192.168.1.11
    
     Sharename    Type         Comment
     -----------------------------------------------------------------
     C             Disk         Drive C:\
     Videos        Disk         My collection of Hacking videos
     The command was completed successfully.
    This information gives the intruder a list of shares, which he would then use together with the Net Use command, a command that maps a remote share to a local drive letter. Below is an example of how an intruder would map the C share to a local G: drive, which he could then browse.
     C:\>net use G: \\192.168.1.11\C
     The command was completed successfully.
    
     C:\>G:
    
     G:\>
    However, if the intruder was targeting a large network rather than a single remote computer, the next logical step would be to glean possible usernames from the remote machine.
    A network login consists of two parts, a username and a password. Once an intruder has what he knows to be a valid list of usernames, he has half of several valid logins.
    Now, using the nbtstat command, the intruder can get the login name of anyone logged on locally at that machine. In the results from the nbtstat command, entries with the <03> identifier are usernames or computer names. Gleaning usernames can also be accomplished through a null IPC session and the SID tools.
    The IPC$ (Inter-Process Communication) share is a standard hidden share on an NT machine which is mainly used for server to server communication. NT machines were designed to connect to each other and obtain different types of necessary information through this share. As with many design features in any operating system, intruders have learned to use this feature for their own purposes. By connecting to this share an intruder has, for all technical purposes, a valid connection to your server. By connecting to this share as null, the intruder has been able to establish this connection without providing it with credentials.
    To connect to the IPC$ share as null, an intruder would issue the following command from a command prompt:
     c:\>net use \\[ip address of target machine]\ipc$ "" /user:""
    If the connection is successful, the intruder could do a number of things other than gleaning a user list, but let's start with that first. As mentioned earlier, this technique requires a null IPC session and the SID tools. Written by Evgenii Rudnyi, the SID tools come in two parts, User2sid and Sid2user. User2sid takes an account or group name and returns the corresponding SID. Sid2user takes a SID and returns the name of the corresponding user or group. As a stand-alone tool, this process is manual and very time consuming. Userlist.pl is a Perl script written by Mnemonix that automates this process of SID grinding, which drastically cuts down on the time it would take an intruder to glean this information.
    At this point, the intruder knows what services are running on the remote machine, which major software packages have been installed (within limits), and has a list of valid usernames and groups for that machine. Although this may seem like a ton of information for an outsider to have about your network, the null IPC session has opened other venues for information gathering. The Rhino9 team has been able to retrieve the entire native security policy for the remote machine.
    Such things as account lockout, minimum password length, password age cycling, password uniqueness settings, as well as every user, the groups they belong to and the individual domain restrictions for that user – all through a null IPC session. This information gathering ability will appear in Rhino9's soon to be released Leviathan tool. Some of the tools available now that can be used to gather more information via the IPC null session will be discussed below.
    With the null IPC session, an intruder could also obtain a list of network shares that may not otherwise be obtainable. For obvious reasons, an intruder would like to know what network shares you have available on your machines. For this information gathering, the standard net view command is used, as follows:
     c:\>net view \\[ip address of remote machine]
    Depending on the security policy of the target machine, this list may or may not be denied. Take the example below (ip address has been left out for obvious reasons):
     C:\>net view \\0.0.0.0
     System error 5 has occurred.
    
     Access is denied.
    
     C:\>net use \\0.0.0.0\ipc$ "" /user:""
     The command completed successfully.
    
     C:\>net view \\0.0.0.0
     Shared resources at \\0.0.0.0
    
     Share name   Type         Used as  Comment
    
     ---------------------------------------------------------------------
     Accelerator  Disk                  Agent Accelerator share for Seagate backup
     Inetpub      Disk
     mirc         Disk
     NETLOGON     Disk                  Logon server share
     www_pages    Disk
     The command completed successfully.
    As you can see, the list of shares on that server was not available until after the IPC null session had been established. At this point you may begin to realize just how dangerous this IPC connection can be, but the IPC techniques that are known to us now are actually very basic. The possibilities that are presented with the IPC share are just beginning to be explored.
    Once this list of shares had been given, the intruder could then proceed to issue the net use commands as described above.
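As an added defender-side example (not code from the original post), here is a small detector for the footprint that the null-session net use command above leaves in the Windows Security log: a 4624 network logon (logon type 3) by ANONYMOUS LOGON (well-known SID S-1-5-7), followed by a 5140 share-access event on IPC$ by the same anonymous subject. The events are constructed JSON-lines exports with field names from the 4624/5140 schemas, and the IP addresses are made up.

```python
import json
from collections import defaultdict
from typing import Dict, List

ANONYMOUS_SID = "S-1-5-7"  # well-known SID behind "ANONYMOUS LOGON"

# Constructed sample: Windows Security events exported as JSON lines. Field
# names follow the 4624 (logon) and 5140 (share access) event schemas;
# 192.168.1.50 is a made-up null-session source, 192.168.1.20 a normal user.
SAMPLE_EVENTS = r"""
{"EventID": 4624, "LogonType": 3, "TargetUserName": "jsmith", "TargetUserSid": "S-1-5-21-1-2-3-1001", "IpAddress": "192.168.1.20"}
{"EventID": 4624, "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON", "TargetUserSid": "S-1-5-7", "IpAddress": "192.168.1.50"}
{"EventID": 5140, "SubjectUserName": "ANONYMOUS LOGON", "SubjectUserSid": "S-1-5-7", "ShareName": "\\\\*\\IPC$", "IpAddress": "192.168.1.50"}
{"EventID": 5140, "SubjectUserName": "jsmith", "SubjectUserSid": "S-1-5-21-1-2-3-1001", "ShareName": "\\\\*\\Videos", "IpAddress": "192.168.1.20"}
{"EventID": 4624, "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON", "TargetUserSid": "S-1-5-7", "IpAddress": "192.168.1.50"}
"""

def is_anonymous(ev: dict) -> bool:
    """True when the logon target or share-access subject is ANONYMOUS LOGON."""
    return ANONYMOUS_SID in (ev.get("TargetUserSid"), ev.get("SubjectUserSid"))

def detect_null_sessions(lines: str) -> Dict[str, Dict[str, int]]:
    """Count, per source IP, anonymous network logons (4624, logon type 3)
    and anonymous accesses to the IPC$ share (5140)."""
    findings: Dict[str, Dict[str, int]] = defaultdict(lambda: {"anon_logons": 0, "ipc_access": 0})
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if not is_anonymous(ev):
            continue  # authenticated users are not a null session
        src = ev.get("IpAddress", "?")
        if ev["EventID"] == 4624 and ev.get("LogonType") == 3:
            findings[src]["anon_logons"] += 1
        elif ev["EventID"] == 5140 and ev.get("ShareName", "").upper().endswith("IPC$"):
            findings[src]["ipc_access"] += 1
    return dict(findings)

def alerts(lines: str) -> List[str]:
    """One alert line per source; anonymous IPC$ access is the stronger signal."""
    out = []
    for src, c in sorted(detect_null_sessions(lines).items()):
        if c["ipc_access"]:
            out.append(f"{src}: null IPC$ session ({c['anon_logons']} anonymous logons, {c['ipc_access']} IPC$ accesses)")
        elif c["anon_logons"]:
            out.append(f"{src}: anonymous network logon, no IPC$ access seen ({c['anon_logons']})")
    return out
```

Event 5140 is only written when the "Audit File Share" subcategory is enabled, and anonymous 4624 events do occur legitimately on some hosts, so the IPC$ access is the condition worth alerting on.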
    Disadvantages :
    NetBIOS hacking fails when:
    1) the remote system is fully patched;
    2) the target runs Vista / Windows 7 (not applicable there);
    3) the remote system has an Admin password set;
    4) a firewall is enabled.
    Copyright @ 2013 Tech Trigger.