Welcome to my first article regarding hacking techniques. Before I begin, I'd like to explain a few of the generic terms I may use, and make a few points clear about my feelings surrounding hacking.
In any article written by me, I will use the same terms for the "attacker" and "victim" of any scenario:
Attacker: Machine A (Also called "Adam")
Router/Firewall: Machine S (Also called "Sid")
Victim: Machine Z (Also called "Zeus")
Other terms will be explained as I go along, but I will try to make everything as clear as possible. First, let me make it clear that hacking is not the pursuit of fame and fortune; it's the pursuit of knowledge; how things work; how to do this; how to do that. If you want to cause damage, go elsewhere - you're not hacking, you're destroying.
Right. First, some information about the topic: NetBios.
What is NetBios?
NetBios is the protocol by which networked machines share files, printers, etc. LANs rely on NetBios for file sharing, print sharing and the like. Samba, much akin to NetBios in many ways, is the 'Nix file-sharing counterpart. Both operate along "pretty much" the same lines.
Before you hack, always make sure you're secure. If you don't understand that, stop reading. What follows is a step-by-step account of how to "hack" NetBios and gain access to a victim's shared folders/printers/Specials. I assume you're already familiar with security, otherwise you wouldn't be interested in this.
Never hack from your own IP. Use a proxy, or a remote account on another machine. Buy a shell to run port scans from. Be clean!
Step 1) Find a Victim...
Obviously, you're going to need some form of scanning software, unless you have a pre-determined victim. In my opinion, the software package "Essential Net Tools" is, quite literally, essential. It has almost all of the gadgets you'll need to complete a successful NetBios hack. Once she's installed, open her up. You'll be presented with a series of tools down the left-hand side. For scanning, we'll use the NBTScanner. Obviously, input your IP range. If your "start" IP ends in a 1, it'll auto-fill the "End" IP with a 255. Yay for rapid scanning. So, let's say you're scanning 192.168.0.1 > 192.168.0.255. (Yes, that's an internal range. It's unlawful to scan externally for people... Do so at your own risk.)
Before long, you should (hopefully) see some results coming up in the window. You see the column called "RS"? If there's a "Yes" in there, that machine has Remote Sharing enabled. A victim. Let's say that the machine 192.168.0.100 came up with RS enabled. The owner of that machine is called Zeus. Oddly enough, his machine is called Zeus. On to step 2.
Step 2) Getting in...
Right, our victim is ripe for the picking. Right-click his entry and go for "Send to" > "Net Audit." This tool will "Audit" his NetBios. Basically, it'll try to get in. Hit Start, and you'll see it start guessing password/username combinations. With any luck, he'll have either not set one, or he'll be using an easy one.
Right, Zeus is an idiot, and he hasn't passworded his Administrator account. Yes, that really does happen... more than you'd think. You should see a list of his shares, and what access you have. If you're looking to leech porn from him, look for anything with "read" access. Maybe you're a little more sinister: look for Read/Write access. If you're *really* sinister, you're going to want read/write to an ADMIN$ share. This is a "Special" share, which will enable you to edit his registry, fiddle with his Device Manager, Services, Accounts and pretty much anything included in "Computer Management." It also gives you full read/write to his System directory (C:\Winnt\system32). So, pop open an Explorer window and key in \\192.168.0.100\ADMIN$. If you get in, you might as well be sitting at his desk.
Step 3) What to do...
As with any successful breach of security, there are likely to be logs. Check the obvious places: log folders and any firewall logs. Rumour has it that some AVs log NetBios activity, so check that, too. You can't be too careful. Also, try and give yourself another way in. Something only you'd know about. Secure your original way in so that another hacker couldn't get in and mess around.
Step 4) Secure and depart...
Once you've secured the box, removed any logs and confirmed that the original security flaw has been fixed, leave. Don't start messing with his files, and don't do anything that'll arouse suspicion. You've secured a remote box. Sure, it might only be a Windows box, but it's a remote machine. Spoofing, storing, tunneling or just voyeuristic kinks: it will be useful. If you've gone to the trouble of writing your own Win32 backdoor program, upload it and use a program called BeyondExec to run it remotely. Then you're even more sure of a return visit.
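From the other side of the wire, both Step 1 and Step 2 are noisy: one address touches every host in a subnet on the NetBios ports within seconds, and then hammers a single host with failed share logons. The following Python detector is an added example, not code from the original article or from any of the tools it names (ENT, NBTScan, BeyondExec). The log line format, the addresses, the timestamps and the alert thresholds are all constructed for illustration and do not correspond to any real product's log format.

```python
"""Detector for the two noisy phases of a NetBios share attack:
a subnet-wide sweep of the NetBios/SMB ports (Step 1) and repeated
failed logons against one host's shares (Step 2).

Added example with a constructed log format:
    <ISO timestamp> <src_ip> <dst_ip> <dst_port> <CONNECT|AUTH_FAIL>
CONNECT is a connection the firewall saw; AUTH_FAIL is a failed share
logon reported by the target host. All addresses are made up.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

NETBIOS_PORTS = {139, 445}  # NetBios session service and direct-hosted SMB


@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    port: int
    kind: str  # "CONNECT" or "AUTH_FAIL"


def parse_log(text):
    """Parse the constructed log format into time-ordered Events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, kind = line.split()
        events.append(Event(datetime.fromisoformat(ts), src, dst, int(port), kind))
    events.sort(key=lambda e: e.ts)
    return events


def sliding_window_peak(events, key, measure, window):
    """Group events by key(); for each group return the largest value of
    measure(deque_of_events) over any span no longer than `window`."""
    groups = defaultdict(list)
    for e in events:
        groups[key(e)].append(e)
    peaks = {}
    for k, evs in groups.items():
        recent, peak = deque(), 0
        for e in evs:
            recent.append(e)
            while e.ts - recent[0].ts > window:
                recent.popleft()  # drop events older than the window
            peak = max(peak, measure(recent))
        peaks[k] = peak
    return peaks


def detect_sweeps(events, window=timedelta(minutes=5), min_hosts=20):
    """Sources that hit >= min_hosts distinct hosts on NetBios/SMB ports
    inside `window`: the shape of an NBTScanner-style subnet sweep."""
    conns = [e for e in events if e.kind == "CONNECT" and e.port in NETBIOS_PORTS]
    peaks = sliding_window_peak(conns, key=lambda e: e.src,
                                measure=lambda d: len({x.dst for x in d}),
                                window=window)
    return {src: n for src, n in peaks.items() if n >= min_hosts}


def detect_guessing(events, window=timedelta(minutes=5), min_failures=10):
    """(src, dst) pairs with >= min_failures failed share logons inside
    `window`: the shape of a Net Audit-style password guess."""
    fails = [e for e in events if e.kind == "AUTH_FAIL"]
    peaks = sliding_window_peak(fails, key=lambda e: (e.src, e.dst),
                                measure=len, window=window)
    return {pair: n for pair, n in peaks.items() if n >= min_failures}


def _constructed_log():
    """Build a small constructed log: one sweep, one guessing burst, and
    a benign workstation that opens a share a few times and mistypes once."""
    lines = []
    t0 = datetime(2004, 12, 26, 10, 0, 0)
    for i in range(1, 41):  # sweep .1 - .40 on port 139, one host per second
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} "
                     f"192.168.0.7 192.168.0.{i} 139 CONNECT")
    for i in range(15):  # 15 failed logons against the host with sharing on
        lines.append(f"{(t0 + timedelta(minutes=1, seconds=2 * i)).isoformat()} "
                     f"192.168.0.7 192.168.0.100 139 AUTH_FAIL")
    for i in range(3):  # benign: a workstation talking to the file server
        lines.append(f"{(t0 + timedelta(minutes=i)).isoformat()} "
                     f"192.168.0.50 192.168.0.100 445 CONNECT")
    lines.append(f"{(t0 + timedelta(minutes=2)).isoformat()} "
                 f"192.168.0.50 192.168.0.100 445 AUTH_FAIL")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def alerts(text=SAMPLE_LOG):
    """Run both detectors over a log and return human-readable alerts."""
    events = parse_log(text)
    out = []
    for src, n in detect_sweeps(events).items():
        out.append(f"SWEEP {src} touched {n} hosts on NetBios/SMB ports")
    for (src, dst), n in detect_guessing(events).items():
        out.append(f"GUESSING {src} -> {dst}: {n} failed share logons")
    return out


if __name__ == "__main__":
    for a in alerts():
        print(a)
```

On the constructed sample the sweep alert fires for 192.168.0.7 (40 hosts in 40 seconds) and the guessing alert fires for 192.168.0.7 against 192.168.0.100 (15 failures), while the workstation at .50 stays below both thresholds. The detectors only work if the firewall and the target host write their logs somewhere the attacker cannot reach; the log removal in Step 3 is exactly why such events should be shipped to a separate collector, so that deletion on the box leaves a visible gap rather than silence.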
So there you have it: a complete autopsy of how to hack in to NetBios shares. What're you going to do with this information? I don't know, but it's here to educate - nothing more. I do not condone such actions. In fact, I think it's downright unfair to take advantage of someone else's stupidity and lack of security. Unfair! :)
Before I end, let me point out that ENT is not the only program available to do this with. It's what I recommend for 'Dozers, though. Other programs include NetScan Tools and NBTScan (Command-line).
In my next article, I hope to cover some techniques for bypassing Router security and how to generally exploit some of the more common situations for some of the more common routers (D-Link/3Com).
Written by Seijaku (26 December 2004)
This article was originally published by CyberArmy.net in the CyberArmy Library.