Tuesday, January 26, 2010

NetBIOS Enumeration

---NBTscan is a program for scanning IP networks for NetBIOS name information.

---For each responding host it lists the IP address, NetBIOS computer name, logged-in user name and MAC address.

---The first thing a remote attacker will try on a Windows 2000 network is to get a list of the hosts attached to the wire, for example with:

     net view /domain

     nbtstat -A <IP address>



If an attacker notes a Windows host with port 139 open, he will be interested in checking what resources he can access or view on the remote system. This is shown in the screenshot above. Note the difference between the two NetBIOS services involved: the name table is served by the NetBIOS name service on port 137/UDP whenever NetBIOS over TCP/IP is enabled, whereas port 139/TCP (the session service, and with it the listing of shares) only listens when File and Printer Sharing is enabled on the target.

Using these techniques the attacker can launch two types of attack on a remote computer running NetBIOS. He can read from or write to the remote system, depending on which shares are available and how they are permissioned. Alternatively, he can launch a denial of service.

A recent instance was reported in August 2002, when Microsoft issued an advisory (Security Bulletin MS02-045) stating that an attacker could exploit an unchecked buffer in the network share provider on machines that have anonymous access enabled by sending a malformed SMB request to the target computer and crashing it.

 Attack Methods-  Let us adopt an attacker's perspective on his port scan results.


On finding port 139 open, the attacker can first use the nbtstat command to dump the remote host's NetBIOS name table:

Usage: nbtstat [-a RemoteName] [-A IP_address] [-c] [-n] [-R] [-r] [-S] [-s] [interval]


Note that an attacker will take particular interest in the unique name with the suffix <03>. The Messenger service registers both the computer name and the logged-in user name with this suffix, so a <03> entry that differs from the computer name reveals who is currently logged on. Next we try to connect to the remote machine using a null session:

     net use \\IP\IPC$ "" /user:""

This command connects to the machine with a null user and a null password, as signified by the empty quotes. IPC$ is the hidden inter-process communication share on the target that we connect to in order to list any shared resources (for example with net view \\IP afterwards). On hosts where anonymous access has been restricted (the RestrictAnonymous setting), the null session is refused or returns nothing. Two main drawbacks of nbtstat are that it operates on a single host at a time and that its output is rather inscrutable. The tool NBTScan addresses both issues.

 Tools  A tool that can be used for this enumeration is NBTScan, written by Alla Bezroutchko and available at http://www.inetcat.org/software/nbtscan.html. NBTscan is a program for scanning IP networks for NetBIOS name information. It sends a NetBIOS status query to each address in the supplied range and lists the received information in human-readable form. For each responding host it lists the IP address, NetBIOS computer name, logged-in user name and MAC address. NBTscan sends its queries to UDP port 137. If that port is closed on the destination host, the destination replies with an ICMP "Port unreachable" message; if a host firewall silently drops the query instead, nothing comes back and the host simply times out. See screenshot below.
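What nbtscan and nbtstat -A actually do on the wire, as an added example that is not part of the original post and not nbtscan's own code: build the NetBIOS node status request sent to 137/UDP, parse the reply's name table and the UNIT_ID field that carries the MAC address, and pick out the unique <03> entry that reveals the logged-in user. The host name WKSTN01, workgroup CORP, user ALICE and the MAC address in build_sample_response are constructed so the parser runs offline; query_host is the live equivalent and is not exercised here.

```python
"""NetBIOS Node Status (NBSTAT) query over 137/UDP and a parser for the reply:
the exchange behind nbtstat -A and nbtscan. Added example, not nbtscan's code.
The host WKSTN01, workgroup CORP, user ALICE and the MAC are constructed."""
import socket
import struct

NBSTAT = 0x0021   # NBSTAT resource record type (RFC 1002)
NB_PORT = 137     # NetBIOS Name Service, UDP

# Name suffixes (16th byte) the page cares about; <03> is the Messenger service.
SUFFIX = {0x00: "Workstation / Domain", 0x03: "Messenger (machine or user)",
          0x20: "File Server", 0x1C: "Domain Controllers"}


def encode_name(raw16: bytes) -> bytes:
    """First-level encoding (RFC 1001 14.1): each byte of the 16-byte name
    becomes two letters A..P (one per nibble) inside a single 32-byte label."""
    assert len(raw16) == 16
    enc = bytes(0x41 + ((b >> s) & 0x0F) for b in raw16 for s in (4, 0))
    return b"\x20" + enc + b"\x00"


def build_status_query(txid: int = 0x1337) -> bytes:
    """Node status request for the wildcard name '*' padded with NULs."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(b"*" + b"\x00" * 15) + struct.pack(">HH", NBSTAT, 1)


def parse_status_response(pkt: bytes) -> dict:
    """Extract the name table and UNIT_ID (the MAC) from a node status reply."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if not (flags & 0x8000) or ancount < 1:
        raise ValueError("not a name service response carrying an answer")
    pos = 12
    while pkt[pos] != 0:          # skip the encoded name labels of the answer RR
        pos += pkt[pos] + 1
    pos += 1
    rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[pos:pos + 10])
    pos += 10
    if rtype != NBSTAT:
        raise ValueError("answer is not an NBSTAT record")
    rdata = pkt[pos:pos + rdlen]
    names, off = [], 1
    for _ in range(rdata[0]):     # NUM_NAMES entries of 18 bytes each
        entry = rdata[off:off + 18]
        nflags = struct.unpack(">H", entry[16:18])[0]
        names.append({"name": entry[:15].decode("latin-1").rstrip(" "),
                      "suffix": entry[15],
                      "group": bool(nflags & 0x8000),    # G bit: group name
                      "active": bool(nflags & 0x0400)})  # ACT bit
        off += 18
    mac = "-".join("%02x" % b for b in rdata[off:off + 6])  # STATISTICS.UNIT_ID
    return {"txid": txid, "names": names, "mac": mac}


def summarize(parsed: dict) -> dict:
    """Reduce the table to what nbtscan prints: host, workgroup, logged-in user
    (a unique <03> name other than the machine name) and a File Server flag."""
    names = parsed["names"]
    host = next((n["name"] for n in names if n["suffix"] == 0x00 and not n["group"]), None)
    group = next((n["name"] for n in names if n["suffix"] == 0x00 and n["group"]), None)
    user = next((n["name"] for n in names if n["suffix"] == 0x03
                 and not n["group"] and n["name"] != host), "<unknown>")
    server = any(n["suffix"] == 0x20 and not n["group"] for n in names)
    return {"host": host, "workgroup": group, "user": user,
            "file_server": server, "mac": parsed["mac"]}


def build_sample_response(txid: int = 0x1337) -> bytes:
    """Constructed reply from a hypothetical host so the parser runs offline."""
    table = [(b"WKSTN01", 0x00, 0x0400), (b"CORP", 0x00, 0x8400),
             (b"WKSTN01", 0x20, 0x0400), (b"WKSTN01", 0x03, 0x0400),
             (b"ALICE", 0x03, 0x0400), (b"CORP", 0x1E, 0x8400)]
    entries = b"".join(n.ljust(15, b" ") + bytes([s]) + struct.pack(">H", f)
                       for n, s, f in table)
    stats = bytes.fromhex("000c29a1b2c3") + b"\x00" * 40   # UNIT_ID then zeros
    rdata = bytes([len(table)]) + entries + stats
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)   # response, AA
    rr = encode_name(b"*" + b"\x00" * 15) + struct.pack(">HHIH", NBSTAT, 1, 0, len(rdata))
    return header + rr + rdata


def query_host(ip: str, timeout: float = 2.0) -> dict:
    """Live query against a real host (needs network access, not run here)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_status_query(), (ip, NB_PORT))
        data, _ = s.recvfrom(4096)    # closed/filtered 137 usually shows as a timeout
    return summarize(parse_status_response(data))


if __name__ == "__main__":
    print(summarize(parse_status_response(build_sample_response())))
```

Against a real target, query_host("192.0.2.10") returns the same dictionary shape as the offline sample. Depending on the operating system, a closed 137/UDP port surfaces as a socket timeout or as a ConnectionResetError rather than as a visible ICMP "Port unreachable", and a host that filters the port looks identical to one that is down; nbtscan's own output marks both the same way.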
