Wang Products

FAQ Article: NetBIOS Hacking

Computers use things called protocols to communicate with each other. Typically, Windows has standard protocols available to be used (e.g. TCP/IP, NETBEUI, IPX, SNA, Appletalk). These can be used for communication with other computers over the Internet (Wide Area Network) or a standard network (Local Area Network) like you might find in offices, or even your own house :)

One of the most popular protocols lets you share files, disks, directories, printers etc. with other computers on the same network. This protocol is the SMB (Server Message Block) standard.

An SMB client or server can communicate with just about any other similar program that adheres to this SMB standard including Warp Connect, Warp 4, LAN Server, Lan Server/400, IBM PC Lan and Warp Server (from IBM), LANtastic in SMB mode (from Artisoft), MS-Client, Windows for Workgroups, Windows 95, LAN Manager and Windows NT Workstation & Server, DEC Pathworks, LM/UX, AS/UX, Syntax and Samba.

Now, you probably know the Windows SMB simply by the name "File and Print sharing" - lol, I bet you recognise it now :) Yes, if you have ever set up a little network, you will no doubt have switched on Windows file and print sharing.

Basically, it allows you to do just that: share files and printers with other computers connected to yours. So...what's the problem? Well, as usual - Windows 95, 98, and Millennium shares are insecure even if you have a password set up. What a surprise.

When you turn file and print sharing on in your Windows networking options, you open port 139 up on your computer. This port is then used to communicate using the NetBIOS protocol - and share files and printers with other computers. File and print sharing is dead handy...and mostly means that you can stop using floppy disks to transfer your files between your computers.

However, it is too easy to set up file and print sharing badly...and most people leave themselves insecure. What do I mean by insecure? Well, let's just say most people end up sharing their folders and printers with the world - rather than just their network!

Port 139 is notorious because it is usually associated with WinNuke and OOB nukes. Basically, people used to use WinNuke to send "out of band" packets to your port 139 - which caused your computer to crash. This was mainly used on Windows 95 computers, but scarily...unpatched computers are still all over the place.

So, let's begin by getting your computer ready. One of the programs you will need to use is "nbtstat" - you may have problems using this if you have NetBIOS over TCP/IP disabled (usually only applies to Win 95).

So, you will need to go into your Control Panel and select "Network". Then, select TCP/IP and choose "Properties". In there you should see a tab for "NetBIOS" - go into that and check the box that says "I want to enable NetBIOS over TCP/IP". After you have tried this tutorial, you can put your settings back to how they were if you wish.

Ok, so now we need to see if our target system actually has file and print sharing enabled. To do this, we use the program I just mentioned - "nbtstat". Now, let's say your target is "dialup232.bierded-admin.com", whose IP address resolves to "192.124.41.223". To check if the target has file and print sharing enabled, do:


  • Go to a dos prompt. You can do this by going to the Start Menu, choosing "Run", and typing in "Command".

  • Then type: "nbtstat -a dialup232.bierded-admin.com" (or "nbtstat -A 192.124.41.223" if you plan to use an IP...notice the capital A).

  • If you get the message "Host Not Found" - this means they haven't got NETBIOS installed...and therefore - try another hostname or IP!



Ok - so now you should be presented with a cryptic looking table :) - it might look something like this:


   Name               Type         Status
   MyPC        <00>   UNIQUE       Registered
   WORKGROUP   <00>   GROUP        Registered
   MyPC        <03>   UNIQUE       Registered
   MyPC        <20>   UNIQUE       Registered
   WORKGROUP   <1E>   GROUP        Registered


The values in the brackets can be:

* 00 base computer names and workgroups
* 01 master browser
* 03 messaging/alerter service
* 20 resource-sharing "server service" name
* 1B domain master-browser name
* 1C domain controller name
* 1E domain/workgroup master browser election announcement

Now, the important thing is - if the value in the brackets is 20, it means that the target has sharing enabled...and therefore, we can continue. Go to your Start Menu, choose "Run" and type in "\\IP ADDRESS" - where IP ADDRESS is the IP you have been checking with nbtstat (so, using my example I would type \\192.124.41.223).
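If you want to check your own machines the same way (rather than reading the table by eye), the snippet below parses the name table that nbtstat prints and reports whether a registered <20> server-service name is present. It is an added example for this FAQ, not a tool the article ships; the suffix meanings are the ones from the list above, and SAMPLE_OUTPUT is constructed to match the example table, not captured from a real host.

```python
"""Parse the name table that `nbtstat -a` / `nbtstat -A` prints and say
whether the host is advertising file and print sharing.

Added example for this FAQ, not a tool the article ships.  The suffix
meanings are the ones listed in the article; SAMPLE_OUTPUT is constructed
to match the article's example table, not captured from a real host.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Suffix (the <XX> value) meanings, as listed in the article.
SUFFIX_MEANING = {
    0x00: "base computer name / workgroup",
    0x01: "master browser",
    0x03: "messaging/alerter service",
    0x20: "resource-sharing server service",
    0x1B: "domain master browser",
    0x1C: "domain controller",
    0x1E: "domain/workgroup master browser election",
}

# Constructed sample in the layout nbtstat uses on Windows.
SAMPLE_OUTPUT = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
MyPC           <00>  UNIQUE      Registered
WORKGROUP      <00>  GROUP       Registered
MyPC           <03>  UNIQUE      Registered
MyPC           <20>  UNIQUE      Registered
WORKGROUP      <1E>  GROUP       Registered
"""


@dataclass(frozen=True)
class NbtName:
    name: str
    suffix: int
    kind: str    # "UNIQUE" or "GROUP"
    status: str  # e.g. "Registered"

    @property
    def meaning(self) -> str:
        return SUFFIX_MEANING.get(self.suffix, "unknown suffix")


# One table row: name, <XX> suffix, UNIQUE/GROUP, status.  Header and
# separator lines contain no <XX> field and therefore never match.
_ROW = re.compile(
    r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)", re.MULTILINE
)


def parse_nbtstat(text: str) -> list[NbtName]:
    """Return every name-table row found in the output, in order."""
    return [
        NbtName(m.group(1), int(m.group(2), 16), m.group(3), m.group(4))
        for m in _ROW.finditer(text)
    ]


def computer_name(names: list[NbtName]) -> str | None:
    """The machine's NetBIOS name: the first UNIQUE <00> entry."""
    for n in names:
        if n.suffix == 0x00 and n.kind == "UNIQUE":
            return n.name
    return None


def sharing_enabled(names: list[NbtName]) -> bool:
    """True when a registered UNIQUE <20> (server service) name is present,
    i.e. the host is offering SMB shares over NetBIOS."""
    return any(
        n.suffix == 0x20 and n.kind == "UNIQUE" and n.status == "Registered"
        for n in names
    )


def audit(text: str) -> dict:
    """Summary a defender can act on: which names are exposed and whether
    the server service is among them."""
    names = parse_nbtstat(text)
    return {
        "computer_name": computer_name(names),
        "sharing_enabled": sharing_enabled(names),
        "names": [f"{n.name}<{n.suffix:02X}> {n.kind}: {n.meaning}" for n in names],
    }


if __name__ == "__main__":
    for line in audit(SAMPLE_OUTPUT)["names"]:
        print(line)
    print("sharing enabled:", sharing_enabled(parse_nbtstat(SAMPLE_OUTPUT)))
```

Pipe real output in (for example by saving "nbtstat -A 127.0.0.1" to a file and passing its contents to audit) and the result tells you whether your own box is one of the machines advertising shares to whoever can reach port 139.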

Now, wait for about 10 seconds and you should find yourself connected to their IP - and you should be able to see their shares! (i.e. what folders they are sharing off their computer). At this stage you can start wondering whether or not the person knows they are actually sharing these files to the whole internet!

Now...for some of you, that might be it - mission successful. However, what happens if you try to access the share, and it asks you for a password? Well - a lot of people out there will tell you that brute forcing is the answer...wrong.

Brute forcing would only be required if the computer is running Windows NT. Windows 95, 98, 98SE, and even ME have a fatal flaw, which if unpatched (and 80% of them will be!) means we can get the password very quickly!

Here is a description of the flaw:

Share level password protection for the File and Print Sharing service in Windows 95/98/98SE/ME can be bypassed.

Share level access provides peer-to-peer networking capabilities in the Windows 9x/ME environment. It depends on password protection in order to grant or deny access to resources.

Due to a flaw in the implementation of File and Print Sharing security, a remote intruder could access share level protected resources without entering a complete password by programmatically modifying the data length of the password.

The flaw is due to the NetBIOS implementation in the password verification scheme share level access utilizes. The password length is compared to the length of data sent during the password verification process. If the password was programmatically set to be 1 byte, then only the first byte would be verified.

If a remote attacker was able to correctly guess the value of the first byte of the password on the target machine, access would be granted to the share level protected resource.

Windows 9x remote administration is also affected by this vulnerability because it uses the same authentication scheme. Successful exploitation of this vulnerability could lead to the retrieval, modification, addition, and deletion of files residing on a file or print share.
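To make that description concrete, here is a small model of the check, side by side with what the fix has to look like. This is an added illustration, not Microsoft's code and not the samba.txt exploit the article ships; STORED_PASSWORD is a constructed sample. The defender's takeaway is the second function: compare the whole password, length included, and do it in constant time.

```python
"""Model of the share-level password check described above, and its fix.

Added illustration for this FAQ: not Microsoft's code and not the
samba.txt exploit the article ships.  STORED_PASSWORD is a constructed
sample, not a real share password.
"""
import hmac

STORED_PASSWORD = b"secret42"  # constructed sample share password


def verify_truncated(stored: bytes, supplied: bytes) -> bool:
    """The flawed scheme as the advisory describes it: the number of bytes
    compared is taken from the length of the data the client sent, so
    one byte of input causes only the first byte of the stored password
    to be checked."""
    if not supplied:
        # Empty input is rejected here; the described flaw is about
        # truncated comparison, not about zero-length passwords.
        return False
    n = len(supplied)
    return stored[:n] == supplied


def verify_full(stored: bytes, supplied: bytes) -> bool:
    """The fix: the supplied data must equal the whole stored password,
    length included.  hmac.compare_digest runs in constant time, so the
    result does not reveal which prefix of the password matched."""
    return hmac.compare_digest(stored, supplied)


def guess_space(alphabet_size: int, length: int, truncated: bool) -> int:
    """Worst-case number of guesses needed to recover a password.

    With full-password checking every combination must be tried
    (alphabet_size ** length).  With the truncated check each byte can be
    confirmed on its own, so the work collapses to alphabet_size * length,
    which is why the article talks about seconds rather than hours."""
    if truncated:
        return alphabet_size * length
    return alphabet_size ** length


if __name__ == "__main__":
    print("truncated check accepts 1-byte prefix:",
          verify_truncated(STORED_PASSWORD, b"s"))
    print("full check accepts 1-byte prefix:",
          verify_full(STORED_PASSWORD, b"s"))
    # 95 printable ASCII characters, 8-character password.
    print("guesses, full check:     ", guess_space(95, 8, truncated=False))
    print("guesses, truncated check:", guess_space(95, 8, truncated=True))
```

The two guess_space numbers are the whole story of the flaw: a check that confirms one byte at a time turns an exponential search into a linear one.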

There you go - sounds good eh? lol...I bet it does :) - Now, I know most of you won't be interested in the real coding that makes this flaw possible - but unlike most, I still feel this is important. This is why I have included the proper description of the flaw above, and included the C source implementation of the exploit with this faq (samba.txt).

However, I know some of you just want to get on and exploit the bug - so I also included "PQWak.exe" which is a compiled program :) - so, choose your own path...are you a script-kiddie? lol

So - go back and look at the output you got from nbtstat - the first item in the first row under the "Name" field is the NETBIOS name - and you will now need that (for my example, the NETBIOS name would be "MyPC"). Open up PQWak.exe and feed in the information you should now have:


  • "NBNAME" is the NETBIOS name you just got

  • "Share" is the name of the folder that asked you for the password when you clicked it

  • "IP" is the person's IP...doh!

  • "Delay" should be set according to your connection speed. Probably best to use something like "700-1500". If PQWak gives you the wrong pass, or doesn't find the pass - try increasing the delay.



Now hit "ok" - and you should be given the password to the share with amazing speed :) - basically, it will try to guess the first letter of the password (and it knows when it gets it right) - then move on to the second letter etc.

So, I guess strictly you could describe it as a form of brute forcing - but, with this flaw you should get the pass in seconds rather than hours. Now go back and double click the share that asked you for a password. Fill in the password that PQWak gave you. Bang :)

As I mentioned, this trick isn't present on NT or 2000 - so they would require some form of brute forcing to get the password...there are loads of tools for that available on the net.