The Magic of
NetBIOS
In
this guide you will learn how to explore the Internet using Windows XP and
NetBIOS:
·
How to Install NetBIOS
<beginnine2a.shtml>
·
How to Use Nbtstat
<beginnine2b.shtml>
·
The Net View Command
<beginnine2c.shtml>
·
What to Do Once You Are Connected
<beginnine2c.shtml>
·
How to Break in Using the XP GUI
<beginnine2d.shtml>
·
More on the Net Commands
<beginnine2e.shtml>
·
How Crackers Break in as Administrator
<beginnine2f.shtml>
·
How to Scan for Computers that Use
NetBIOS <beginnine2g.shtml>
·
How to Play NetBIOS Wargames
<beginnine2h.shtml>
·
An Evil Genius Tip for Win NT Server
Users <beginnine2h.shtml>
·
Help for Windows 95, 98, SE and ME Users
<beginnine2h.shtml>
Not
many computers are reachable over the Internet using NetBIOS commands - maybe
only a few million. But what the heck, a few million is enough to keep a hacker
from getting bored. And if you know what to look for, you will discover that
there are a lot of very busy hackers and Internet worms searching for computers
they can break into by using NetBIOS commands. By learning the dangers of
NetBIOS, you can get an appreciation for why it is a really, truly BAD!!! idea
to use it.
*****************
Newbie note: a worm is a program that reproduces itself. For example, Code Red
automatically searched over the Internet for vulnerable Windows computers and
broke into them. So if you see an attempt to break into your computer, it may
be either a human or a worm.
*****************
If
you run an intrusion detection system (IDS) on your computer, you are certain
to get a lot of alerts of NetBIOS attacks. Here's an example:
The
firewall has blocked Internet access to your computer (NetBIOS Session) from
10.0.0.2 (TCP Port 1032) [TCP Flags: S].
Occurred:
2 times between 10/29/2002 7:38:20 AM and 10/29/2002 7:46:18 AM
A
Windows NT server on my home network, which has addresses that all start with
10.0.0, caused these alerts. In this case the server was just doing its
innocent thing, looking for other Windows computers on my LAN (local area
network) that might need to network with it. Every now and then, however, an
attacker might pretend to have an address from your internal network even
though it is attacking from outside.
If
a computer from out on the Internet tries to open a NetBIOS session with one of
mine, I'll be mighty suspicious. Here's one example of what an outside attack
may look like:
The
firewall has blocked Internet access to your computer (NetBIOS Name) from
999.209.116.123 (UDP Port 1028).
Time:
10/30/2002 11:10:02 AM
(The attacker's IP address has been altered to protect the innocent or the
guilty, as the case may be.)
Want
to see how intensely crackers and worms are scanning the Internet for potential
NetBIOS targets? A really great and free IDS for Windows that is also a
firewall is Zone Alarm. You can download it for free from
http://www.zonelabs.com . You can set it to pop up a warning on your screen
whenever someone or some worm attacks your computer. You will almost certainly get
a NetBIOS attack the first day you use your IDS.
Do
you need to worry when a NetBIOS attack hits? Only if you have enabled NetBIOS
and Shares on your computer. Unfortunately, in order to explore other computers
using NetBIOS, you increase the danger to your own computer from attack by
NetBIOS. But, hey, to paraphrase a famous carpenter from Galilee, he who lives
by the NetBIOS gets hacked by the NetBIOS.
********************
Newbie note: NetBEUI (NetBIOS Extended User Interface) is an out-of-date,
crummy, not terribly secure way for Windows computers to communicate with each
other in a peer-to-peer mode. NetBIOS stands for network basic input/output
system.
Newbie
note: Shares are when you make it so other computers can access files and
directories on your computer. If you set up your computer to use NetBIOS, in
Win XP using the NTFS (new technology file system) you can share files and
directories by bringing up My Computer. Click on a directory - which in XP is
called a "folder". In the left-hand column a task will appear called
"Share this folder". By clicking this you can set who can access this
folder, how many people at a time can access it, and what they can do with the
folder.
********************
There
are a number of network exploration commands that only NetBIOS uses. We will
show how to use nbtstat and several versions of the net command.
How to Install NetBIOS
You
might have to make changes on your system in order to use these commands.
Here's how to enable NetBIOS for Windows XP. (If you are stuck with Windows 95,
98, SE or ME, see the end of this Guide for how to enable NetBIOS.) Click:
Control
Panel -> Network Connections
There
are two types of network connections that may appear here: "Dial-up"
and "LAN or High-Speed Internet".
**************
Newbie note: A dial-up connection uses a modem to reach the Internet. LAN
stands for local area network. It's what you have if two or more computers are
linked to each other with a cable instead of modems. Most schools and
businesses have LANs, as well as homes with Internet connection sharing. A DSL
or cable modem connection will also typically show up as a LAN connection.
**************
To
configure your connections for hacking, double click on the connection you plan
to use. That brings up a box that has a button labeled "Properties".
Clicking it brings up a box that says "This connection uses the following
items:"
You
need to have both TCP/IP and NWLink NetBIOS showing. If NWLink NetBIOS is
missing, here's how to add it. Click Install -> Protocol -> Add
NWlink/IPX/SPX/NetBIOS Compatible Transport Protocol.
**************
Newbie note: NWLink refers to Novell's Netware protocol for running a LAN.
**************
How to Use Nbtstat
To
get started, bring up the cmd.exe command. Click Start -> Run and type cmd.exe
in the command line box. This brings up a black screen with white letters. Once
it is up, we will play with the nbtstat command. To get help for this command,
just type:
C:\>nbtstat
help
One
way to use the nbtstat command is to try to get information from another
computer using either its domain name (for example test.target.com), its
numerical Internet address (for example, happyhacker.org's numerical address is
206.61.52.30), or its NetBIOS name (if you are on the same LAN).
C:\>nbtstat
-a 10.0.0.2
Local
Area Connection:
Node IpAddress: [10.0.0.1] Scope Id: []
NetBIOS
Remote Machine Name Table
Name
Type Status
---------------------------------------------
OLDGUY <00> UNIQUE Registered
OLDGUY <20> UNIQUE Registered
WARGAME <00> GROUP Registered
INet~Services <1C> GROUP Registered
IS~OLDGUY......<00> UNIQUE Registered
OLDGUY <03> UNIQUE Registered
WARGAME <1E> GROUP Registered
ADMINISTRATOR <03> UNIQUE Registered
MAC
Address = 52-54-00-E4-6F-40
What
do these things tell us about this computer? Following is a table explaining
the codes you may see with an nbtstat command (taken from the MH Desk
Reference, written by the Rhino9 team).
Name
Number Type Usage =========================================================
<computername> 00 U Workstation Service
<computername> 01 U Messenger Service
<\\_MSBROWSE_> 01 G Master Browser
<compname> 03 U Messenger Service
<computername> 06 U RAS Server Service
<computername> 1F U NetDDE Service
<computername> 20 U File Server Service
<computername> 21 U RAS Client Service
<computername> 22 U Exchange Interchange
<computername> 23 U Exchange Store
<computername> 24 U Exchange Directory
<computername> 30 U Modem Sharing Server Service
<computername> 31 U Modem Sharing Client Service
<computername> 43 U SMS Client Remote Control
<computername> 44 U SMS Admin Remote Control Tool
<computername> 45 U SMS Client Remote Chat
<computername> 46 U SMS Client Remote Transfer
<computername> 4C U DEC Pathworks TCPIP Service
<computername> 52 U DEC Pathworks TCPIP Service
<computername> 87 U Exchange MTA
<computername> 6A U Exchange IMC
<computername> BE U Network Monitor Agent
<computername> BF U Network Monitor Apps
<username> 03 U Messenger Service
<domain> 00 G Domain Name
<domain> 1B U Domain Master Browser
<domain> 1C G Domain Controllers
<domain> 1D U Master Browser
<domain> 1E G Browser Service Elections
<INet~Services>1C G Internet Information Server
<IS~Computer_name>00 U Internet Information Server
To
keep this Guide from being ridiculously long, we'll just explain a few of the
things what we learned when we ran nbtstat -a against 10.0.0.2:
*
it uses NetBIOS
* its NetBIOS name is Oldguy
* one of the users is named Administrator
* it runs a web site with Internet Information Server, and maybe an ftp - file
transfer protocol -- server
* it is a member of the domain Wargame
* it is connected on a local area network and we accessed it through an
Ethernet network interface card (NIC) with a MAC Address of 52-54-00-E4-6F-40.
When
using nbtstat over the Internet, in most cases it will not find the correct MAC
address. However, sometimes you get lucky. That is part of the thrill of legal
hacker exploration. OK, OK, maybe getting a thrill out of a MAC address means
I'm some kind of a freak. But if you are reading this, you probably are freaky
enough to be a hacker, too.
**************
Newbie note: MAC stands for media access control. In theory every NIC ever made
has a unique MAC address, one that no other NIC has. In practice, however, some
manufacturers make NICs that allow you to change the MAC address.
**************
**************
Evil Genius tip: sneak your computer onto a LAN and use it to find the MAC
address of a very interesting computer. Crash it, then give yours the same MAC,
NetBIOS name and Internet address as the very interesting computer. Then see
what you can do while faking being that computer. That's why I get a charge out
of discovering a MAC address, so stop laughing at me already.
**************
**************
You can get fired, expelled, busted and catch cooties warning: Faking all that
stuff is something you would be better off doing only on your own test network,
or with written permission from the owner of the very interesting computer.
**************
Now
that we know some basic things about computer 10.0.0.2, also known as Oldguy,
we can do some simple things to learn more. We can connect to it with a web
browser to see what's on the web site, and with ftp to see if it allows
anonymous users to download or upload files. In the case of Oldguy, anyone can
browse the web site. However, when we try to connect to its ftp server with
Netscape by giving the location ftp://10.0.0.2, it returns the message
"User Mozilla@ cannot log in.
**************
Newbie note: The people who programmed Netscape have always called it Mozilla,
after a famous old movie monster. As a joke they have stuck obscure mentions of
Mozilla into the operations of Netscape. Mozilla lovers recently spun off a
pure Mozilla browser project that has the web site http://www.mozilla.org.
**************
The Net View Command
Now
let's have some serious fun. Netscape (or any browser or ftp program) uses
TCP/IP to connect. What happens if we use NetBIOS instead to try to download
files from Oldguy's ftp server?
Let's
try some more NetBIOS commands:
C:\>net
view \\10.0.0.2
System error 53 has occurred.
The
network path was not found.
I
got this message because my firewall blocked access to Oldguy, giving the
message:
The
firewall has blocked Internet access to 10.0.0.2 (TCP Port 445) from your
computer [TCP Flags: S].
There's
a good reason for this. My firewall/IDS is trying to keep me from carelessly
making my computer a part of some stranger's LAN. Keep in mind that NetBIOS is
a two-way street. However, I want to run this command, so I shut down Zone
Alarm and give the command again:
C:\>net
view \\10.0.0.2
Shared resources at \\10.0.0.2
Share
name Type Used as Comment
--------------------------------------------------------
ftproot Disk
InetPub Disk
wwwroot Disk
The command completed successfully.
This
is a list of shared directories. Oooh, look at that, the ftp server is shared.
Does this mean I can get in? When setting shares on a Windows NT server, the
default choice is to allow access to read, write and delete files to everyone.
So sometimes a sysadmin carelessly fails to restrict access to a share.
What
is really important is that we didn't need a user name or password to get this
potentially compromising information.
Let's
establish an anonymous connection to Oldguy, meaning we connect without giving
it a user name or password:
C:\>net
use \\10.0.0.2\ipc$
Local name
Remote name \\10.0.0.2\IPC$
Resource type IPC
Status OK
# Opens 0
# Connections 1
The command completed successfully.
We
are connected!
**********************
Newbie note: IPC (ipc$) stands for "Inter Process Connector", used to
set up connections across a network between Windows computers using NetBIOS.
**********************
What to Do Once you Are Connected
So
far we haven't quite been breaking the law, although we have been getting
pretty rude if the owner of that target computer hasn't given us permission to
explore. What if we want to stop pushing our luck and decide to disconnect?
Just give the message:
C:\>net
session \\10.0.0.2 /delete
Of
course you would substitute the name or number of the computer to which you are
connected for 10.0.0.2.
What
if you want to stay connected? Oldguy will let you stay connected even if you
do nothing more. By contrast, a login to a Unix/Linux type computer will
normally time out and disconnect you if you go too long without doing anything.
How to Break in Using the XP GUI
You
could try out the other net commands on Oldguy. Or you can go to the graphical
user interface (GUI) of XP. After running the above commands I click My
Computer, then My Network Places and there you'll find the victim, er, I mean,
target computer. By clicking on it, I discover that ftproot has been shared to
- everyone!
Let's
say you were to get this far investigating some random computer you found on
the Internet. Let's say you had already determined that the ftp server isn't
open to the public. At this moment you would have a little angel sitting one
shoulder whispering "You can be a hero. Email the owner of that computer
to tell him or her about that misconfigured ftproot."
On
the other shoulder a little devil is sneering, "Show the luser no mercy.
Information should be free. Because I said so, that's why. Hot darn, are those
spreadsheets from the accounting department? You could make a lot of bucks
selling those files to a competitor, muhahaha! Besides, you're so ugly that
future cellmate Spike won't make you be his girlfriend."
Some
hackers might think that because ftproot is shared to the world that it is OK
to download stuff from it. However, if someone were to log in properly to that
ftp server, he or she would get the message "Welcome to Oldguy on Carolyn
Meinel's LAN. Use is restricted to only those for whom Meinel has assigned a
user name and password." This warning logon banner is all a computer owner
needs to legally establish that no one is allowed to just break in. It won't
impress a judge if a cracker says "The owner was so lame that her computer
deserved to get broken into" or "I'm so lame that I forgot to try to
use the ftp server the normal way."
More on the Net Commands
Let's
get back to the net commands. There are many forms of this command. In XP you
can learn about them with the command:
C:\>net
help
The syntax of this command is:
NET
HELP
command
-or-
NET command /HELP
Commands
available are:
·
NET
ACCOUNTS
·
NET
HELP
·
NET
SHARE
NET COMPUTER
·
NET
HELPMSG
·
NET
START
·
NET
CONFIG
·
NET
LOCALGROUP
·
NET
STATISTICS
·
NET
CONFIG SERVER
·
NET
NAME
·
NET
STOP
·
NET
CONFIG WORKSTATION
·
NET
PAUSE
·
NET
TIME
·
NET
CONTINUE
·
NET
PRINT
·
NET
USE
·
NET
FILE
·
NET
SEND
·
NET
USER
·
NET
GROUP
·
NET
SESSION
·
NET
VIEW
·
NET
HELP SERVICES lists some of the services you can start.
·
NET
HELP SYNTAX explains how to read NET HELP syntax lines.
·
NET
HELP command | MORE displays Help one screen at a time.
How Crackers Break in as Administrator
As
we look around Oldguy further, we see that there's not much else an anonymous
user can do to it. We know that there is a user named Administrator. What can
we do if we can convince Oldguy that we are Administrator?
******************
Newbie note: in Windows NT, 2000 and XP, the Administrator user has total power
over its computer, just as root has total power over a Unix/Linux type
computer. However, it is possible to change the name of Administrator so an
attacker has to guess which user has all the power.
******************
Let's
try to log in as Administrator by guessing the password. Give the command:
C:\>net
use \\10.0.0.2\ipc$ * /user:Administrator
Type the password for \\10.0.0.2\ipc$:
System error 1219 has occurred.
Multiple
connections to a server or shared resource by the same user, using more than
one user name, are not allowed. Disconnect all previous connections to the
server or shared resource and try again.
This
means that someone else is currently logged onto this server who has
Administrator rights. Furthermore, this person is probably watching me on an
IDS and thinking up terrible things to do to me. Eeep! Actually this is all
going on inside my hacker lab - but you get the idea of what it could be like
when trying to invade a computer without permission.
I
discover that whether I guess the password correctly or not, I always get the
same error message. This is a good safety feature. On the other hand, one of
the users is named Administrator. This is a bad thing for the defender. When
you first set up a Windows NT or 2000 server, there is always a user called
Administrator, and he or she has total power over that computer. If you know
the all-powerful user is named Administrator, you can try guessing the password
whenever no one is logged on with Administrator powers.
Computer
criminals don't waste time guessing by hand. They use a program such as NAT or
Legion to get passwords. These programs are why smart NT administrators rename
their Administrator accounts and choose hard passwords. Also, this kind of
persistent attack will be detected by an intrusion detection system, making it
easy to catch criminals at work.
********************
You can get expelled warning: What if you are a student and you want to save
your school from malicious code kiddies who steal tests and change grades? It
is important to get permission *in writing* before you test the school's
network. Even then, you still must be careful to be a model student. If you act
up, cut classes - you know what I mean - the first time a cracker messes up the
network, who do you think they will suspect? Yes, it's unfair, and yes, that is
the way the world works.
********************
How to Scan for Computers that Use
NetBIOS
Your
tool of choice is a port scanner. Any computer that is running something on
port 139 is likely (but not certain) to be using NetBIOS. Most crackers use
nmap to port scan. This tool runs on Unix/Linux type computers. You can get it
at <http://www.insecurity.org/>.
There is also a Windows version of nmap, but it isn't very good. A better
choice for Windows is Whats Up from <http://www.ipswitch.com/>.
You can get a one month free trial of it.
Here's
an example of an nmap scan of Oldguy:
test-box:/home/cmeinel
# nmap -sTU 10.0.0.2
Starting
nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (10.0.0.2):
(The 3060 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
70/tcp open gopher
80/tcp open http
135/tcp open loc-srv
135/udp open loc-srv
137/udp open netbios-ns
138/udp open netbios-dgm
139/tcp open netbios-ssn
500/udp open isakmp
Nmap
run completed -- 1 IP address (1 host up) scanned in 8 seconds
As
you can see from this scan, three ports are identified with NetBIOS. This tells
us that we could set nmap to scan a large number of Internet addresses, only
looking for port 139 on each. To learn how to set up nmap to run this way, in
your Unix or Linux shell give the command "man nmap".
For
more on what crackers do once they break into a computer using NetBIOS (like
installing back doors), see http://happyhacker.org/gtmhh/vol3no10.shtml
<vol3no10.shtml>.
********************
You can get punched in the nose warning: if you use a port scanner against
networks that haven't given you permission to scan, you will be waving a red
flag that says "Whaddaya wanna bet I'm a computer criminal?" You
can't get arrested for merely port scanning, but people who don't like being
scanned might get you kicked off your Internet service provider.
You
can get really, big time, punched in the nose warning: If you visit the same
computer or LAN really often to see what's new and to try different things,
even if you don't break the law you'd better be doing it with the permission of
the owner. Otherwise you may make enemies who might crash or destroy your
operating system. And that is only what they may do when feeling mellow. After
a night of hard drinking - well, you don't want to find out.
********************
How to Play NetBIOS Wargames
What
if you want to challenge your friends to a hacker wargame using NetBIOS? The
first thing to do is *don't* email me asking me to break in for you. Sheesh.
Seriously, almost every day I get emails from people claiming to have
permission from their girlfriend/boyfriend and begging me to help them break
in. You can read their hilarious pleas for help at http://happyhacker.org/sucks/
<../sucks/index.shtml> .
The
way to run a hacker wargame over the Internet is first, get permission from
your Internet provider so they don't kick you off for hacking. They probably
run an IDS that scans users for suspicious activity. They probably hate
malicious hackers. Enough said.
Second,
you and your friends are likely to be at a different Internet address every
time you log on. Your safest way to play over the Internet is for each player
to get an Internet address that is the same every time he or she logs on: a
"static" address. This way you won't accidentally break into someone
else's computer.
You
have to arrange with your Internet provider to get a static address. Normally
only a local provider can do this for you. A big advantage of using a local
provider is you can make friends with the people who work there - and they are
probably hackers.
If
you live in an apartment building or dormitory with other hackers, you can play
break-in games without using the Internet. Set up a LAN where you can play
together. For example, you can string Ethernet cable from window to window. To
learn how to set up a Windows Ethernet LAN, see
http://happyhacker.org/gtmhh/winlan.shtml .
Or
you could set up a wireless LAN. With wireless you never know who might come
cruising with a laptop down the street by your home or business and break in.
That can make a wargame lots more fun. For help on how to break into wireless
LANs (it's pathetically easy), see <http://www.wardriving.com/>.
**************
Evil genius tip: Attack using a Win NT
server with the Microsoft Resource Kit installed. Heh, heh. With
it you can give the command:
C:\>Local
Administrators \\<targetbox.com>
This
should show all user accounts with administrator rights on targetbox.com.
C:\>Global
Administrators \\<targetbox.com >
This
should show all user accounts with Domain administrative rights. These are
exceptionally worth compromising, because with one Domain administrative
password you will be able to control many resources among NT servers,
workstations, and Win 95/98 computers.
I've
tried to install the Resource Kit on XP Professional, but it wasn't compatible.
Another
option is to install hacker tools such as Red Button and DumpACL, which extract
information on user names, hashes, and which services are running on a given
machine.
**************
Help for users of Windows 95, 98, SE or
ME
To
enable NetBIOS, click
Control
Panel -> Network -> Protocols
If
you see both NetBEUI and TCP/IP, you are already using NetBIOS. If not, add
NetBEUI.
To
bring up the command screen, click Start -> Run and type in command.com.