In-depth Guide to Hacking Windows Using NetBIOS
By: C0ldPhaTe
Introduction:
It has been brought to my attention that many people don't understand the way NetBIOS works. Many don't even know where to begin when it comes to hacking NetBIOS. So in this tutorial I'm going to cover the basics of hacking NetBIOS. I will also remind you that hacking with NetBIOS is almost the easiest way to hack remotely. Although it might be one of the easiest ways to hack remotely, you will find that hacking with NetBIOS has a lot of powerful uses as well.
The Network Basic Input Output System (NetBIOS):
The Network Basic Input Output System is also known as NetBIOS. NetBIOS was originally developed by IBM, which used Sytek as an Application Programming Interface (API) for the client software operating systems. These systems included Windows 98, Windows Me and Windows NT.
The Network Neighborhood:
Many of you have seen the icon labeled "Network Neighborhood", but a lot of upcoming hackers, also known as newbies, might not know exactly how to use the Network Neighborhood or understand how it works. The Network Neighborhood is used to access the computers attached to your network. After you have clicked on the Network Neighborhood icon, your computer tries to get the names of all the computers attached to your network. It does this by issuing a NetBIOS command. The NetBIOS command is used to give various information on computers connected to a network. But before you can move on to any of this you will first have to start from the basics, which I have included below. From there you can then attack your target.
Information Gathering And Server Penetration:
The first step you would take while looking for a target is to port scan the target machine or network. One thing to keep in mind when you're hacking a Windows NT system or network is that NetBIOS tends to be the target of the brute-force attack. The reason for this is that information gathering with NetBIOS is fairly easy to do. If the port scanner reports that your target machine or network has port 139 open, you can simply query that system using simple commands, which I will go into a little later in this tutorial.
What Is the NBTSTAT Command:
The NBTSTAT command is a very powerful command which allows you to manually interact with NetBIOS. To use this command you will first have to launch the MS-DOS Command Prompt. For those of you who don't know how to launch it: click your Start button, slide your mouse over the Run option, type Command in the Run prompt and it will automatically launch the MS-DOS Prompt.
The NBTSTAT Command Options:
The display below is what you would get if you went into the MS-DOS Prompt and typed c:\windows\nbtstat /?. It gives you a basic breakdown of what you will be able to do with the NBTSTAT command. I know it's a little hard to read the table below without any real knowledge of what it means, so I'm actually going to walk you through a real hack so you can get a little understanding of how you would go about using the information you gather. Ok, now on to the more fun and useful information.
Displays protocol statistics and current TCP/IP connections using NBT (NetBIOS over TCP/IP).
NBTSTAT [-a RemoteName] [-A IP address] [-c] [-n] [-r] [-R] [-s] [-S] [interval]
NBTSTAT -a (adapter status) Lists the remote machine's name table given its name
NBTSTAT -A (Adapter status) Lists the remote machine's name table given its IP address.
NBTSTAT -c (cache) Lists the remote name cache including the IP addresses
NBTSTAT -n (names) Lists local NetBIOS names.
NBTSTAT -r (resolved) Lists names resolved by broadcast and via WINS
NBTSTAT -R (Reload) Purges and reloads the remote cache name table
NBTSTAT -S (Sessions) Lists sessions table with the destination IP addresses
NBTSTAT -s (sessions) Lists sessions table converting destination IP addresses to host names.
RemoteName - Remote host machine name.
IP address - Dotted decimal representation of the IP address.
Interval - Redisplays selected statistics, pausing interval seconds between each display.
The column headings which are generated by using the NBTSTAT command have the following meanings:
Input – Number of bytes received
Output – Number of bytes sent
In/Out – Whether the connection from your target computer is outbound, or from another system to your local network, which is known as inbound.
Life – The remaining time that a name table cache entry will live.
Local Name – This is what is known as your local NetBIOS name given to your connection.
Remote Host – The name or the Internet Protocol (IP) given to the address of the remote host.
Actually Using The NBTSTAT Command:
Ok, now I will begin to show you how to use the NBTSTAT command. This is an example; later on in the tutorial I will give you a step-by-step breakdown of everything from gathering the target information to actually hacking in using the NBTSTAT command. Now remember, this is an actual machine which has port 139 open and allows File Sharing; the domain is known as Http://www.intrixsoftware.com. Now I will begin the process of making my way into the system.
Example On How To Use the NBTSTAT Command:
C:\WINDOWS>NBTSTAT -A 66.94.35.10
NetBIOS Remote Machine Name Table
Name Type Status
------
SETI2 <00> UNIQUE Registered
WORKGROUP <00> GROUP Registered
SETI2 <20> UNIQUE Registered
INet~Services <1C> GROUP Registered
SETI2 <03> UNIQUE Registered
WORKGROUP <1E> GROUP Registered
IS~SETI2...... <00> UNIQUE Registered
WORKGROUP <1D> UNIQUE Registered
MAC Address = 00-10-DC-5F-F2-E6
Important Note: If you get a readout with the number <20> showing, this means that the target victim has enabled File and Print Sharing (see the <20> File Server Service entry in the table below). Another thing you might get is "Host Not Found". This shows that either port 139 is closed or that the Internet Protocol (IP) address doesn't exist.
Now from the information we have gathered with the NBTSTAT command you can proceed to continue hacking, or you could use the other information for things such as connection hijacking, MAC spoofing etc. This information is rather important as you continue your hack, but before you can do anything else you're going to need to know a little about what you just read, so below I have broken down the NetBIOS Remote Machine Name Table.
Breakdown Of The NetBIOS Remote Machine Name Table:
Before you can go any further you will need to know a little information about how to read the NetBIOS Remote Machine Name Table. Understanding the list below is key to gaining access to a target machine running
Name Number Type Usage
------
<computername> 00 Unique Workstation Service
<computername> 01 Unique Messenger Service
\\_MSBROWSE_ 01 Group Master Browser
<computername> 03 Unique Messenger Service
<computername> 06 Unique RAS Server Service
<computername> 1F Unique NetDDE Service
<computername> 20 Unique File Server Service
<computername> 21 Unique RAS Client Service
<computername> 22 Unique Exchange Interchange
<computername> 23 Unique Exchange Store
<computername> 24 Unique Exchange Directory
<computername> 30 Unique Modem Sharing Server Service
<computername> 31 Unique Modem Sharing Client Service
<computername> 43 Unique SMS Client Remote Control
<computername> 44 Unique SMS Admin Remote Control
<computername> 45 Unique SMS Client Remote Chat
<computername> 46 Unique SMS Client Remote Transfer
<computername> 4C Unique DEC Pathworks TCPIP Service
<computername> 52 Unique DEC Pathworks TCPIP Service
<computername> 87 Unique Exchange MTA
<computername> 6A Unique Exchange IMC
<computername> BE Unique Network Monitor Agent
<computername> BF Unique Network Monitor Applications
<username> 03 Unique Messenger Service
<domain> 00 Group Domain Name
<domain> 1B Unique Domain Master Browser
<domain> 1C Group Domain Controllers
<domain> 1D Unique Master Browser
<domain> 1E Group Browser Service Elections
<Inet~Services> 1C Group Internet Information Server
<IS~Computer_name> 00 Unique Internet Information Server
<computername> 2B Unique Lotus Notes Server
------
Now that you have seen the complete NetBIOS Remote Machine Name Table in full, I will tell you how to actually go about reading the table and understanding exactly what it says. Below you're going to find a complete listing and definitions for each entry, so please keep this table and listing handy because it will play a big part in your hacker journeys.
NetBIOS Remote Machine Name Table Definitions:
Unique - Anything with the type Unique may only have one Internet Protocol (IP) address assigned to it.
Group - A normal group; this allows a single name to exist with many Internet Protocol (IP) addresses.
Domain Name – New in Microsoft Windows NT 4.0
Internet Group – A special configuration of the group names.
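As an added example (my own script, not part of the original tutorial or any tool it names), here is a small Python parser that reads the rows of an nbtstat -A listing, labels each entry using the suffix table above, and reports which services the host is announcing to anyone who can query it; the sample input is the SETI2 listing shown earlier in this text, and the service names are the ones this tutorial's table gives.

```python
import re
# Suffix meanings copied from the NetBIOS name table in this tutorial.
UNIQUE_SUFFIX = {0x00: "Workstation Service", 0x03: "Messenger Service",
                 0x06: "RAS Server Service", 0x1B: "Domain Master Browser",
                 0x1D: "Master Browser", 0x1F: "NetDDE Service",
                 0x20: "File Server Service", 0x21: "RAS Client Service"}
GROUP_SUFFIX = {0x00: "Domain Name", 0x01: "Master Browser",
                0x1C: "Domain Controllers", 0x1E: "Browser Service Elections"}
# One row of 'nbtstat -A' output: name, <hex suffix>, UNIQUE|GROUP, status.
ROW = re.compile(r"^\s*(\S.*?)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)")

def parse_name_table(text):
    """Parse an 'nbtstat -A' listing into (name, suffix, type, status) tuples."""
    rows = []
    for m in filter(None, map(ROW.match, text.splitlines())):
        name, suffix, ntype, status = m.groups()
        rows.append((name.rstrip("."), int(suffix, 16), ntype, status))
    return rows

def describe(name, suffix, ntype):
    """Name one registered entry's service, following the tutorial's table."""
    if (ntype, suffix) == ("GROUP", 0x1C) and name.upper() == "INET~SERVICES":
        return "Internet Information Server"
    if (ntype, suffix) == ("UNIQUE", 0x00) and name.upper().startswith("IS~"):
        return "Internet Information Server"
    table = UNIQUE_SUFFIX if ntype == "UNIQUE" else GROUP_SUFFIX
    return table.get(suffix, "unknown suffix <%02X>" % suffix)

def audit_exposure(rows):
    """List what an unauthenticated UDP/137 query reveals about the host."""
    findings = []
    for name, suffix, ntype, _status in rows:
        service = describe(name, suffix, ntype)
        if (ntype, suffix) == ("UNIQUE", 0x20):
            findings.append("%s: %s registered, shares answer on TCP/139" % (name, service))
        elif service == "Internet Information Server":
            findings.append("%s: %s registered" % (name, service))
        elif (ntype, suffix) == ("UNIQUE", 0x1D):
            findings.append("%s: host is the %s for this workgroup" % (name, service))
    return findings

# The SETI2 listing shown earlier in this tutorial, pasted in as sample input.
SAMPLE = """\
SETI2          <00>  UNIQUE  Registered
WORKGROUP      <00>  GROUP   Registered
SETI2          <20>  UNIQUE  Registered
INet~Services  <1C>  GROUP   Registered
SETI2          <03>  UNIQUE  Registered
WORKGROUP      <1E>  GROUP   Registered
IS~SETI2...... <00>  UNIQUE  Registered
WORKGROUP      <1D>  UNIQUE  Registered
"""
```

Run audit_exposure(parse_name_table(SAMPLE)) against your own hosts' listings to see which of these names you are advertising; an unexpected <20> on a workstation is the usual sign that file sharing was left on.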
Now what you do with the received output is up to you, but most hackers would glean possible usernames from the remote machine or machines. This now leads me on to another thing, known as the NET command.
Using NetBIOS Shares:
After you have found a NetBIOS share you will then proceed to add it to your LMHOSTS file. After you add it to your LMHOSTS file you will be able to view the remote computer within your Network Neighborhood. If you don't add it to your LMHOSTS file you will not be able to view the computer remotely. After adding it to your LMHOSTS file you can simply use the Find Computer option within Windows NT and Windows 95/98 to browse the shares. You could also use the alternative option of the very powerful NET.exe:
C:\>net view 66.94.35.10
C:\>net view \\SETI2
Shared Resources At 66.94.35.10
Share Name Type Used As Comment
------
NETLOGON DISK Logon Server Share
SETI2 DISK
TEST DISK
Note: You will often find shares like C$, ADMIN$ and IPC$ hidden, and most of the time they will not be shown. Below is a listing of shares you might come across and should be familiar with. A lot of times you will find that these shares are indeed password protected, so you might have to try a brute-force attack on the password, or you might get lucky and find that the password is a default password which was shipped with the machine. If you're asking yourself "how do I know the default passwords?", search the web for "Default NetBIOS passwords" and you should be rather pleased with your outcome.
Below is a listing of shares and their uses:
Share Name Type Comment
------
ADMIN$ DISK Remote Admin
C$ DISK Default Share
IPC$ IPC: Remote IPC
NETLOGON DISK Logon Server Share
Test DISK
I will now connect to the IPC$ share on 66.94.35.10 using a Null Session.
C:\>net use \\66.94.35.10\ipc$ "" /user:""
The command completed successfully
I will now connect to a normal share using the net use command, which can then be used to have remote access to the share through the drive letter I specify in the command.
C:\>net use x: \\66.94.35.10\test
The command completed successfully.
C:\>net use
New connections will be remembered.
Status Local Remote Network
------
OK X: \\ 66.94.35.10 Microsoft Windows Network
OK B: \\ a 66.94.35.10 Microsoft Windows Network
The command completed successfully.
I mentioned above that NET.exe is very powerful. I will now tell you some interesting and very useful things to know while you're hacking into a machine. Understanding these commands and how they work will make the process of gaining administrative rights a whole lot easier.
What NET.exe Is Good For:
Below you will find out just what NET.exe can be used for. I have included a listing of things it's capable of and a definition of what each command does.
NET name - This will show the current name of the computer and who is currently logged in.
NET accounts – Will show the password restricted users.
NET share – Displays all shares on the local machine.
NET user – Will show accounts created on the local machine.
NET group – Can be used to add people to the Administrative group.
How To Crack Share Passwords:
You might remember me saying above about finding shares that are password protected on your target machine. For cracking share passwords on Windows 95, 98, Me and XP you can use a password cracker known as "PQWAK"; this can be found on any web page that deals with password crackers. PQWAK usually decrypts a share password within a minute or so. The only bad thing is that PQWAK can only crack the remote passwords of the operating system it's running on.
Conclusion:
Well, I hope you have learned a little bit about hacking with NetBIOS. Although hacking NetBIOS is one of the easiest ways to hack into a system, it is also a very powerful way to take over a system. I would also recommend downloading some text files or buying some books on Windows NT, Windows 2000 or hacking web servers. Remember, it's always smarter to read information before acting. The more knowledgeable you are about your target operating system, the less likely you are to make a false move, which will get your ass caught. I'm not claiming to be "l33t", as most people would consider themselves. You will see a lot of people say they are, but you will find very few who really are. Also, don't be ashamed if you go into a channel and someone makes fun of you for asking a question. We have all gone through it; just don't get discouraged, just blow them off and continue to read up on anything you can get your hands on. If you have any questions you can find me on mIRC, or you can contact me through the information provided below. Also be sure to download my other tutorials.