NetBIOS explained


Badassatchu
November 23rd, 2001, 08:18 PM
A VERY SIMPLE TUT ON BIOS HACKING

Bios hacking is one of the simplest methods of hacking. It allows you to connect to a remote computer which has 'file and print sharing' on.

1. To check if a certain computer has file and print sharing on, go to DOS and type in "nbtstat -a ipaddress" (without the "). If you get something like Host Not found then the IP does not have file and print sharing on, but if you get something like:

NetBIOS Remote Machine Name Table

Name Type Status
-------------------------------------------------------------
host <20> UNIQUE Registered
WORKGROUP <00> GROUP Registered
sys <03> UNIQUE Registered

Then this IP has file and print sharing on. MUHAHA. Now all you do is find the name of a host which has a code of 20 (you know, the <20> in the second column); the name in this case is 'host'.
Now you go and open any text editor, e.g. Notepad, and then click on File>Open and open a file called Lmhosts which is located in C:\Windows. Remember Lmhosts does not have an extension, so make sure you have Files of Type set to All Files (*.*). Once you have opened the document go to the end of it and type in the name of the host (in this case it's host) and then press tab and type in the IP address of the host. So Lmhosts (no extension) should look something like this:

----------------------------------------------------

host 210.231.01.23

----------------------------------------------------
Now save the file and exit. Click on Start and then Find, then click on Computer. Type in the IP address in the search field and hit enter. You should get a result with the host as the name. Double-click on it and you are now moving around the victim's directory as if it was your own.

dfgt5
November 23rd, 2001, 09:14 PM
koo. This I did not know.

UberC0der
November 24th, 2001, 03:26 AM
At last, something useful. Thanks for that terrific netbios post.

A great reminder to check and see if you have any shares on your drives. IPC$, C$, and Admin$ are often enabled by default, which would be more than enough security stupidness to allow someone to do this to the machine.

Those running Windows 2000, consider filtering/blocking traffic inbound and outbound on ports 139 and 445.

Negative
November 24th, 2001, 04:07 AM
Why did you name your post Netbios Explained? You didn't explain it...

Maybe you're the one that should take a closer look at www.hackers.com (http://www.hackers.com)'s Neophyte section, especially that txt-file by The Mentor (entitled 'Mentor's Last Words' (hence the mistake that many people make)). (http://www.antionline.com/showthread.php?threadid=130947)

Remote_Access_
November 26th, 2001, 06:59 PM
That didn't really explain netBIOS hacking. I've got an IP with open shares... drive C:\ and printer is open. But I've found that "netBIOS explained" tutorial damn near useless... Anywho, I was wondering what netSTAT is used for. I know all the commands -a -e -n -r bla bla bla, but what are they used for? I know what they do but I get confused easily. :P
latr,
Remote_Access_

petemcevoy
November 26th, 2001, 08:18 PM
A simple tut on bios hacking? When abbreviating words you should be careful that the abbreviation doesn't mean something else - the acronym "bios" actually stands for basic input/output system.
Another thing - this is *not* any form of hacking; mapping windows shares is about the lamest thing you can do, you're simply taking advantage of people's naivety and Microsoft's bad programming. Certainly people should be made aware of this glaring hole in their system, but explaining to people how to take advantage of this is ridiculous. A more apt title for this post would be "how to be a loser script kiddie".
One final thing - your explanation of this is diabolical, there's no need to mess about with lmhosts to map shares - you obviously don't know what you're talking about.

psi0nic
November 26th, 2001, 09:31 PM
I am not sure if UberC0der was being serious or sarcastic, but I agree that something like this is a good reminder to check and re-check that netbios is not leaking stuff out to the network/internet that you don't want people to know.

As for the tut, a better title may have been `NetBIOS exploit for the lazy and hopeless'.

Irish
November 28th, 2001, 12:58 AM
Well, this being my first post on your forum, I found this topic of interest because on this subject I can at least provide some accurate info. Be forewarned, I am prone to long explanations at times, this could be one :)

I agree that this thread is somewhat misleading. Badassatchu, I'm sure, is referring to the transport protocol 'NetBIOS' used by Windows for LAN-type functionality (networking) between a small number of computers where some amount of inner-system trust could be assumed. What needs to be understood is that this protocol was not intended for global networking (internet) where inner-system trust shouldn't be assumed, unless you like being a victim. :)

This transport protocol (NetBIOS) that Windows put into their OSes was designed by IBM (sorry Petemcevoy... you can't blame MS for everything) many, many years before the internet was even around as we know it today, and its inherent security weakness became very exploitable on the global web to those savvy people with too much curiosity or bad intentions. This weakness lies in the Microsoft network services, i.e. 'client for Microsoft networks, file and printer sharing for Microsoft networks, and Microsoft family logon', and of these, the file and print sharing service is the most exploitable and most dangerous security risk to your personal computer. Why, you ask? Simply put, this particular service makes your computer exposed to the global web and not limited to just a LAN (local area network) environment, which means your LAN just got a whole lot bigger. This is a bad thing because that 'file and print sharing' service likes to do just that, share... sharing your files and info to the whole web world just as it was intended to do, but in a LAN setting. This weakness allows others, with the know-how, to access your computer and in a sense, take it over if they choose to. If you're not sure, that's a bad thing, very bad. :) Sidenote, these services have nothing to do with the internet and your web browsing, email, newsgroups will all work just fine, isn't that nice of them to tell you that... :D

What can you do, you might ask as the unknowing, naive person, to protect yourself from bad people on the web? Well, let me first make this disclaimer: the info that follows is for those who are not on or have no need for a LAN connection; for the rest of you, chat with your IT guru, who has nothing to do anyways. :) Understand that this is not a complete security remedy, but only a small slice that will close one of the biggest damn hack exploits in your Windows-running computer. It deals with network bindings and how you can configure your PC to close that dreaded port 139 that likes to share so much with the web.

To the deed, and I will assume somewhat that you can get around in your computer ok:

For Win 95/98

Step 1, go to start/setting/control panel/network(open it).
Step 2, delete all network services except 'microsoft family logon'. Don't touch 'tcp/ip, dial-up adapter, or netBEUI' in the main window of the network panel. If you don't have 'netBEUI' then you need to add it.
Step 3, click dial up adapter/properties/bindings tab and make sure that both 'tcp/ip and netBEUI' are checked.
Step 4, click tcp/ip/properties, click ok on the warning and select the bindings tab, uncheck all windows network services.
Step 5, click netBEUI/properties and check the microsoft family logon network service.
Step 6, hit ok at the bottom of the network panel and restart your computer.

You have now closed that nasty port 139 and made the sharing aspect of your computer's personality a thing of the past. Hope that helps some of you out there in web world; if you're still confused, you can email me, but be nice.

In closing, I have no objections to someone sharing a 'tut' as you guys put it, but I also feel that a counter is needed to help those, not in the know, to combat your 'tut'. After all, this is the 'Anti Online' website, isn't it. :D

petemcevoy
November 28th, 2001, 01:59 AM
sorry Petemcevoy...you can't blame MS for everything.

Looking back at my post, I don't see where I "blame MS for everything" - could you show me?
****ing mick.

Irish
November 28th, 2001, 02:32 AM
Hey, I just read up on the antipoint system for these forums, be careful.

As to your witty response, if you look carefully at your post, in the sentence that contains the comment about Microsoft's 'bad programming' it could be viewed that you think they created that transfer protocol (NetBIOS). As to the word 'everything' bad choice on my part, sub the word 'this' for it and that will narrow it for you.

As to your profanity, well...that just goes to character, and yours at that moment was lacking. Maybe you need a few Guinness's in you to loosen you up and put a smile on your face...huh! :D

petemcevoy
November 28th, 2001, 02:48 AM
Fyi, I don't give a **** about antipoints - do your worst.
I don't see how my comment about Microsoft's bad programming is open to any interpretation; the fact of the matter is they integrated this pile of shit networking feature into their OS and unleashed it on the unsuspecting public without any regard to the security of their customers. Who invented it is irrelevant and I certainly don't need you to give me a networking history lesson.

After all, this is the 'Anti Online' website, isn't it
It certainly is not, cretin.

ammo
November 28th, 2001, 03:08 AM
Just a little precision on Irish's explanations:
You only need to add NetBEUI (which means NetBIOS Extended User Interface) if you want to enable sharing on your LAN:

NetBEUI is a simple network level protocol which can carry NetBIOS transport only, and automatically (NetBIOS is automatically bound to NetBEUI). The reason that NetBEUI is safer for sharing on your LAN is that it is NOT routable; in other words, it cannot travel over the internet*.

Another way to protect yourself from sharing hacks from the internet would be to unbind NetBIOS over TCP. This is more practical in case you have a multi-homed host (i.e. 2 NICs, one exposed (internet), one local (LAN)): you can unbind only the exposed NIC from NetBIOS over TCP...

Also, if running Win2000 (I guess XP too but I can't confirm), only unbinding NetBIOS over TCP won't cut it. The explanation is as follows: Win2k now supports SMB over TCP (directly). SMB (Server Message Block) is the actual data exchange "application layer" (maybe not exactly but close enough for this) protocol. This means that Win2000 doesn't need NetBIOS anymore to share... You can, however, also disable SMB over TCP by going into
network and dial-up connections -> advanced (menu) -> advanced settings and deselecting the bindings (file and print sharing for MS..) from tcp/ip...
Edit: forgot to mention that SMB over TCP is on TCP port 445

Hope this helps some...

Ammo

*It might be possible that your LAN (i.e. NetBEUI) is accessible from your ISP's local cable modem segment, for example...

Craisins
November 28th, 2001, 04:21 AM
There's a program in the forum downloads called Legion that you can use to scan your network computers to see if any of them are openly sharing drives.
It's a bit easier than netstat. So easy, you might say, that even a "script-kiddie" could use it.
But it is a very useful tool if you are managing a large group of computers with not too wise users at the controls.

Irish
November 28th, 2001, 04:24 AM
Well, Petemcevoy, I'm not interested in bantering back and forth so you can display that winning persona of yours, so let's just pretend that the other doesn't exist and we'll be ok... ciao. Oh, I do want to thank you for pointing out my spelling error though, Petemcevoy, that was nice of you. :D

Thanks for the bit of clean up to my post, Ammo, I forgot about the 'unbind netbios over tcp/ip' but I think after making the changes, it auto unchecks, but ppl, do check it just in case in the tcp/ip properties under the netbios tab. In the end I was only trying to alert those unaware of the security breach and to offer a solution to the original post in this thread.

Best, to all.

petemcevoy
November 28th, 2001, 05:31 AM
If you're not interested in bantering back and forth tommy o'toole, may i suggest a network security discussion forum is not the best place for you. I merely responded to an erroneous comment by yourself, the linear dimensions of my exteriority are not a factor in this instance.

oyao
December 14th, 2003, 02:08 PM
Where can I find the "Lmhost" file if I am using Windows 2000???

ammo
December 18th, 2003, 12:51 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=130968#post699636) by oyao
Where can I find the "Lmhost" file if I am using Windows 2000???

C:\WINNT\system32\drivers\etc

copy the lmhosts.sam (sample file) to lmhosts and modify it as you need.

Ammo

gimmey990
December 18th, 2003, 10:56 AM
I am very impressed by the findings; at least all this knowledge coming from a newbie is something worth congratulating.

phratkie
December 23rd, 2003, 04:45 AM
Please tell me if I'm doing this right. I use a ping sweeper to find IPs that have port 139 open and then I type c:\nbtstat -A ipaddress.
Is this right?

Thanks.

gore
December 23rd, 2003, 05:48 AM
Maybe this will help?

Understanding NetBIOS
By NeonSurge
Released through the rhino9 Team

Preface

Before you begin reading this paper, understand that this paper was written for the novice to the concept of NetBIOS, but it also contains information the veteran might find educational. I am prefacing this so that I do not get e-mail like "Why did you start your paper off so basic?" - Simple, it's written for people that may be coming from an environment that does not use NetBIOS, so they would need me to start with basics, thanks. -NeonSurge, rhino9 team.

What is NetBIOS?

NetBIOS (Network Basic Input/Output System) was originally developed by IBM and Sytek as an Application Programming Interface (API) for client software to access LAN resources. Since its creation, NetBIOS has become the basis for many other networking applications. In its strictest sense, NetBIOS is an interface specification for accessing networking services.

NetBIOS, a layer of software developed to link a network operating system with specific hardware, was originally designed as THE network controller for IBM's Network LAN. NetBIOS has now been extended to allow programs written using the NetBIOS interface to operate on the IBM token ring architecture. NetBIOS has since been adopted as an industry standard and now, it is common to refer to NetBIOS-compatible LANs.

It offers network applications a set of "hooks" to carry out inter-application communication and data transfer. In a basic sense, NetBIOS allows applications to talk to the network. Its intention is to isolate application programs from any type of hardware dependencies. It also spares software developers the task of developing network error recovery and low level message addressing or routing. The use of the NetBIOS interface does a lot of this work for them.

NetBIOS standardizes the interface between applications and a LAN's operating capabilities. With this, it can be specified to which levels of the OSI model the application can write to, making the application transportable to other networks. In a NetBIOS LAN environment, computers are known on the system by a name. Each computer on the network has a permanent name that is programmed in various different ways. These names will be discussed in more detail below.

PCs on a NetBIOS LAN communicate either by establishing a session or by using NetBIOS datagram or broadcast methods. Sessions allow for a larger message to be sent and handle error detection and correction. The communication is on a one-to-one basis. Datagram and broadcast methods allow one computer to communicate with several other computers at the same time, but are limited in message size. There is no error detection or correction using these datagram or broadcast methods. However, datagram communication allows for communication without having to establish a session.

All communication in these environments is presented to NetBIOS in a format called Network Control Blocks (NCB). The allocation of these blocks in memory is dependent on the user program. These NCBs are divided into fields; these are reserved for input and output respectively.

NetBIOS is a very common protocol used in today's environments. NetBIOS is supported on Ethernet, Token Ring, and IBM PC Networks. In its original induction, it was defined as only an interface between the application and the network adapter. Since then, transport-like functions have been added to NetBIOS, making it more functional over time.

In NetBIOS, connection (TCP) oriented and connectionless (UDP) communication are both supported. It supports both broadcasts and multicasting and supports three distinct services: Naming, Session, and Datagram.

NetBIOS Names

NetBIOS names are used to identify resources on a network. Applications use these names to start and end sessions. You can configure a single machine with multiple applications, each of which has a unique NetBIOS name. Each PC that supports an application also has a NetBIOS station name that is user defined or that NetBIOS derives by internal means.

NetBIOS names can consist of up to 16 alphanumeric characters. The combination of characters must be unique within the entire source routing network. Before a PC that uses NetBIOS can fully function on a network, that PC must register its NetBIOS name.

When a client becomes active, the client advertises its name. A client is considered to be registered when it can successfully advertise itself without any other client claiming it has the same name. The steps of the registration process are as follows:

1. Upon boot up, the client broadcasts itself and its NetBIOS information anywhere from 6 to 10 times to ensure every other client on the network receives the information.

2. If another client on the network already has the name, that NetBIOS client issues its own broadcast to indicate that the name is in use. The client who is trying to register the already-in-use name stops all attempts to register that name.

3. If no other client on the network objects to the name registration, the client will finish the registration process.

There are two types of names in a NetBIOS enviroment: Unique and Group. A unique name must be unique across the network. A group name does not have to be unique and all processes that have a given group name belong to the group. Each NetBIOS node maintains a table of all names currently owned by that node.

The NetBIOS naming convention allows for 16 characters in a NetBIOS name. Microsoft, however, limits these names to 15 characters and uses the 16th character as a NetBIOS suffix. A NetBIOS suffix is used by Microsoft Networking software to identify the functionality installed or the registered device or service.

[QuickNote: SMB and NBT (NetBIOS over TCP/IP) work very closely together and both use ports 137, 138, 139. Port 137 is NetBIOS name UDP. Port 138 is NetBIOS datagram UDP. Port 139 is NetBIOS session TCP. For further information on NetBIOS, read the paper at the rhino9 website listed above]

The following is a table of NetBIOS suffixes currently used by Microsoft Windows NT. These suffixes are displayed in hexadecimal format.

Name                 Number  Type  Usage
==========================================================================
<computername>       00      U     Workstation Service
<computername>       01      U     Messenger Service
<\\_MSBROWSE_>       01      G     Master Browser
<computername>       03      U     Messenger Service
<computername>       06      U     RAS Server Service
<computername>       1F      U     NetDDE Service
<computername>       20      U     File Server Service
<computername>       21      U     RAS Client Service
<computername>       22      U     Exchange Interchange
<computername>       23      U     Exchange Store
<computername>       24      U     Exchange Directory
<computername>       30      U     Modem Sharing Server Service
<computername>       31      U     Modem Sharing Client Service
<computername>       43      U     SMS Client Remote Control
<computername>       44      U     SMS Admin Remote Control Tool
<computername>       45      U     SMS Client Remote Chat
<computername>       46      U     SMS Client Remote Transfer
<computername>       4C      U     DEC Pathworks TCPIP Service
<computername>       52      U     DEC Pathworks TCPIP Service
<computername>       87      U     Exchange MTA
<computername>       6A      U     Exchange IMC
<computername>       BE      U     Network Monitor Agent
<computername>       BF      U     Network Monitor Apps
<username>           03      U     Messenger Service
<domain>             00      G     Domain Name
<domain>             1B      U     Domain Master Browser
<domain>             1C      G     Domain Controllers
<domain>             1D      U     Master Browser
<domain>             1E      G     Browser Service Elections
<INet~Services>      1C      G     Internet Information Server
<IS~Computer_name>   00      U     Internet Information Server
<computername>       [2B]    U     Lotus Notes Server
IRISMULTICAST        [2F]    G     Lotus Notes
IRISNAMESERVER       [33]    G     Lotus Notes
Forte_$ND800ZA       [20]    U     DCA Irmalan Gateway Service

Unique (U): The name may have only one IP address assigned to it. On a network device, multiple occurrences of a single name may appear to be registered, but the suffix will be unique, making the entire name unique.

Group (G): A normal group; the single name may exist with many IP addresses.

Multihomed (M): The name is unique, but due to multiple network interfaces on the same computer, this configuration is necessary to permit the registration. Maximum number of addresses is 25.

Internet Group (I): This is a special configuration of the group name used to manage WinNT domain names.

Domain Name (D): New in NT 4.0

For a quick and dirty look at a server's registered NetBIOS names and services, issue the following NBTSTAT command:

nbtstat -A [ipaddress]

NetBIOS Sessions

The NetBIOS session service provides a connection-oriented, reliable, full-duplex message service to a user process. NetBIOS requires one process to be the client and the other to be the server. NetBIOS session establishment requires a preordained cooperation between the two stations. One application must have issued a Listen command when another application issues a Call command. The Listen command references a name in its NetBIOS name table (or WINS server), and also the remote name an application must use to qualify as a session partner. If the receiver (listener) is not already listening, the Call will be unsuccessful. If the call is successful, each application receives notification of session establishment with the session-id. The Send and Receive commands transfer the data. At the end of a session, either application can issue a Hang-Up command. There is no real flow control for the session service because it is assumed a LAN is fast enough to carry the required traffic.

NetBIOS Datagrams

Datagrams can be sent to a specific name, sent to all members of a group, or broadcast to the entire LAN. As with other datagram services, the NetBIOS datagrams are connectionless and unreliable. The Send_Datagram command requires the caller to specify the name of the destination. If the destination is a group name, then every member of the group receives the datagram. The caller of the Receive_Datagram command must specify the local name for which it wants to receive datagrams. The Receive_Datagram command also returns the name of the sender, in addition to the actual datagram data. If NetBIOS receives a datagram, but there are no Receive_Datagram commands pending, then the datagram is discarded.

The Send_Broadcast_Datagram command sends the message to every NetBIOS system on the local network. When a broadcast datagram is received by a NetBIOS node, every process that has issued a Receive_Broadcast_Datagram command receives the datagram. If none of these commands are outstanding when the broadcast datagram is received, the datagram is discarded.

NetBIOS enables an application to establish a session with another device and lets the network redirector and transaction protocols pass a request to and from another machine. NetBIOS does not actually manipulate the data. The NetBIOS specification defines an interface to the network protocol used to reach those services, not the protocol itself. Historically, NetBIOS has been paired with a network protocol called NetBEUI (NetBIOS Extended User Interface). The association of the interface and the protocol has sometimes caused confusion, but the two are different.

Network protocols always provide at least one method for locating and connecting to a particular service on a network. This is usually accomplished by converting a node or service name to a network address (name resolution). NetBIOS service names must be resolved to an IP address before connections can be established with TCP/IP. Most NetBIOS implementations for TCP/IP accomplish name-address resolution by using either broadcast or LMHOSTS files. In a Microsoft environment, you would probably also use a NetBIOS Name Server known as WINS.

NetBEUI Explained

NetBEUI is an enhanced version of the NetBIOS protocol used by network operating systems. It formalizes the transport frame that was never standardized in NetBIOS and adds additional functions. It is the transport layer driver frequently used by Microsoft's LAN Manager. NetBEUI implements the OSI LLC2 protocol. NetBEUI is the original PC networking protocol and interface designed by IBM for the LAN Manager Server. This protocol was later adopted by Microsoft for their networking products. It specifies the way that higher level software sends and receives messages over the NetBIOS frame protocol. This protocol runs over the standard 802.2 data-link protocol layer.

NetBIOS Scopes

A NetBIOS Scope ID provides an extended naming service for the NetBIOS over TCP/IP (known as NBT) module. The primary purpose of a NetBIOS scope ID is to isolate NetBIOS traffic on a single network to only those nodes with the same NetBIOS scope ID. The NetBIOS scope ID is a character string that is appended to the NetBIOS name. The NetBIOS scope ID on two hosts must match, or the two hosts will not be able to communicate. The NetBIOS Scope ID also allows computers to use the same computer name as long as they have different scope IDs. The Scope ID becomes a part of the NetBIOS name, making the name unique.

==========================================================================
That's it for NetBIOS. If you have any comments or questions... direct them to NeonSurge@abyss.com.

Rhino9: The WindowsNT Security Research Team:
www.x-treme.abyss.com/techvoodoo/rhino9

Peace.
NeonSurge
NeonSurge@abyss.com
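As an added example (not from the thread or the rhino9 paper), here is a small Python parser for the `nbtstat -A` name table that both the original post and the paper rely on. It decodes each registered name's suffix with a subset of the paper's suffix table, keeping UNIQUE and GROUP meanings apart (00 U is the Workstation Service, 00 G is the domain/workgroup name), and reports which of your own hosts still register the <20> File Server Service that the thread is warning about. The sample output and the choice of "noteworthy" suffixes are my own assumptions.

```python
"""Decode nbtstat -A name tables and flag NetBIOS services worth auditing.

Added example for checking YOUR OWN hosts; suffix meanings are taken from
the rhino9 suffix table quoted above, the sample output is constructed.
"""
import re

# Same hex suffix means different things for UNIQUE and GROUP names,
# so keep two lookup tables (subset of the paper's table).
UNIQUE_SUFFIXES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x06: "RAS Server Service",
    0x1B: "Domain Master Browser",
    0x1D: "Master Browser",
    0x1F: "NetDDE Service",
    0x20: "File Server Service",
    0x21: "RAS Client Service",
    0xBE: "Network Monitor Agent",
    0xBF: "Network Monitor Apps",
}
GROUP_SUFFIXES = {
    0x00: "Domain Name",
    0x01: "Master Browser",
    0x1C: "Domain Controllers",
    0x1E: "Browser Service Elections",
}

# Registrations a defender auditing a host should notice (my selection):
# <20> UNIQUE means file and print sharing is reachable over NBT (port 139).
NOTEWORTHY = {
    ("UNIQUE", 0x20): "file and print sharing (File Server Service) is registered",
    ("UNIQUE", 0x1B): "host is the domain master browser",
    ("GROUP", 0x1C): "host registers as a domain controller",
}

# One row of the table, e.g. "    HOST           <20>  UNIQUE      Registered"
ROW_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")


def parse_name_table(text):
    """Parse the rows of `nbtstat -A <ip>` output into a list of dicts."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator, blank and MAC address lines
        name, suffix_hex, ntype, status = m.groups()
        suffix = int(suffix_hex, 16)
        table = UNIQUE_SUFFIXES if ntype == "UNIQUE" else GROUP_SUFFIXES
        entries.append({
            "name": name,
            "suffix": suffix,
            "type": ntype,
            "status": status,
            "service": table.get(suffix, "unknown suffix"),
        })
    return entries


def audit(text):
    """Return one finding string per noteworthy registration in `text`."""
    findings = []
    for e in parse_name_table(text):
        reason = NOTEWORTHY.get((e["type"], e["suffix"]))
        if reason:
            findings.append("%s <%02X>: %s" % (e["name"], e["suffix"], reason))
    return findings


# Constructed sample shaped like the nbtstat output quoted in the thread.
SAMPLE = """\
       NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    HOST           <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    HOST           <20>  UNIQUE      Registered
    HOST           <03>  UNIQUE      Registered

    MAC Address = 00-00-00-00-00-00
"""

if __name__ == "__main__":
    for e in parse_name_table(SAMPLE):
        print("%-16s <%02X> %-6s %s" % (e["name"], e["suffix"], e["type"], e["service"]))
    for f in audit(SAMPLE):
        print("FINDING:", f)
```

Run it against saved `nbtstat -A` output from your own machines after applying the binding changes discussed above; a host that still shows a finding for <20> is still offering shares over NBT.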