NetBIOS is a service that enables communication over a network and is often used for joining a domain and by legacy applications. It's an older technology, but it's still found in some environments today. Because it has no authentication and answers queries from anyone on the segment, it is often a good place to start when attacking a network, and enumerating NetBIOS names and services with NBTScan and the Nmap Scripting Engine is a good way to begin.
To work through this technique, we use Metasploitable 2, a deliberately vulnerable virtual machine, as the target. We attack it from Kali Linux, the standard toolkit of hackers and pentesters alike.
NetBIOS, short for Network Basic Input/Output System, is a service that allows computers on a network to communicate with one another. Strictly speaking, NetBIOS is not a network protocol but an API. Today it runs over TCP/IP via NBT (NetBIOS over TCP/IP), which is why it still works on modern networks.
NetBIOS offers two main communication methods. The datagram service (UDP port 138) provides connectionless communication, suited to cases where speed matters more than guaranteed delivery, such as broadcast announcements. The session service (TCP port 139), on the other hand, lets two computers establish a connection for reliable communication. NetBIOS also provides a name service (UDP port 137) for registering names and resolving them over the network; it is this name service that the scans below talk to.
Related Literature: 'Network Protocols Handbook' by Javvin Press
The main way attackers abuse NetBIOS is through name poisoning. An attacker on the local network answers NetBIOS name queries for another machine (or for a name that does not exist at all), so that victims send their traffic to the attacker instead of the real host. When a victim then tries to authenticate to the impostor, the attacker can also capture the user's hashed credentials to crack offline later.
Scanning with NBTScan
First, print the help text, which lists every option and gives examples of network scans. Just type nbtscan with no arguments at the command prompt.
NBTscan version 1.5.1. Copyright (C) 1999-2003 Alla Bezroutchko.
This is free software and it comes with absolutely no warranty.
You can use, distribute and modify it under the terms of the GNU GPL.

Usage:
nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename)|(<scan_range>)
    -v              verbose output. Print all names received from each host
    -d              dump packets. Print whole packet contents.
    -e              Format output in /etc/hosts format.
    -l              Format output in lmhosts format.
                    Cannot be used with -v, -s or -h options.
    -t timeout      wait timeout milliseconds for response. Default 1000.
    -b bandwidth    Output throttling. Slow down output so that it uses no
                    more than bandwidth bps. Useful on slow links, so that
                    outgoing queries don't get dropped.
    -r              use local port 137 for scans. Win95 boxes respond to
                    this only. You need to be root to use this option on Unix.
    -q              Suppress banners and error messages.
    -s separator    Script-friendly output. Don't print column and record
                    headers, separate fields with separator.
    -h              Print human-readable names for services.
                    Can only be used with -v option.
    -m retransmits  number of retransmits. Default 0.
    -f filename     Take IP addresses to scan from file filename.
                    -f - makes nbtscan take IP addresses from stdin.
    <scan_range>    what to scan. Can either be a single IP like 192.168.1.1
                    or a range of addresses in one of two forms:
                    xxx.xxx.xxx.xxx/xx or xxx.xxx.xxx.xxx-xxx.
Examples:
    nbtscan -r 192.168.1.0/24
        Scans the whole C-class network.
    nbtscan 192.168.1.25-137
        Scans a range from 192.168.1.25 to 192.168.1.137
    nbtscan -v -s : 192.168.1.0/24
        Scans C-class network. Prints results in script-friendly format
        using colon as field separator. Produces output like this:
        192.168.0.1:NT_SERVER:00U
        192.168.0.1:MY_DOMAIN:00G
        192.168.0.1:ADMINISTRATOR:03U
        192.168.0.2:OTHER_BOX:00U
        ...
    nbtscan -f iplist
        Scans IP addresses specified in file iplist.
The simplest way to run the tool is to hand it an IP address or range. In this case there is only one other machine on the network, so I give its IP address as the only argument (nbtscan 172.16.1.102).
Doing NBT name scan for addresses from 172.16.1.102

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
172.16.1.102     METASPLOITABLE   <server>  METASPLOITABLE   00:00:00:00:00:00
Here we can see the IP address, the NetBIOS name, whether the host registered itself as a server, the logged-on user if one was reported, and the target's MAC address. Note that machines running Samba often return all zeros as the MAC address in response to this query, so a zero MAC is itself a hint that the target is not a Windows box.
For more detail, use the -v flag for verbose output.
nbtscan 172.16.1.102 -v
Doing NBT name scan for addresses from 172.16.1.102

NetBIOS Name Table for Host 172.16.1.102:

Incomplete packet, 335 bytes long.
Name             Service          Type
----------------------------------------
METASPLOITABLE   <00>             UNIQUE
METASPLOITABLE   <03>             UNIQUE
METASPLOITABLE   <20>             UNIQUE
METASPLOITABLE   <00>             UNIQUE
METASPLOITABLE   <03>             UNIQUE
METASPLOITABLE   <20>             UNIQUE
__MSBROWSE__     <01>             GROUP
WORKGROUP        <00>             GROUP
WORKGROUP        <1d>             UNIQUE
WORKGROUP        <1e>             GROUP
WORKGROUP        <00>             GROUP
WORKGROUP        <1d>             UNIQUE
WORKGROUP        <1e>             GROUP

Adapter address: 00:00:00:00:00:00
----------------------------------------
We can now see the registered names and their types, but the services are only identified by hex suffixes, which is a bit cryptic. That brings us to the next option, which prints the services in human-readable form: use the -h flag together with -v.
nbtscan 172.16.1.102 -vh
Doing NBT name scan for addresses from 172.16.1.102

NetBIOS Name Table for Host 172.16.1.102:

Incomplete packet, 335 bytes long.
Name             Service          Type
----------------------------------------
METASPLOITABLE   Workstation Service
METASPLOITABLE   Messenger Service
METASPLOITABLE   File Server Service
METASPLOITABLE   Workstation Service
METASPLOITABLE   Messenger Service
METASPLOITABLE   File Server Service
__MSBROWSE__     Master Browser
WORKGROUP        Domain Name
WORKGROUP        Master Browser
WORKGROUP        Browser Service Elections
WORKGROUP        Domain Name
WORKGROUP        Master Browser
WORKGROUP        Browser Service Elections

Adapter address: 00:00:00:00:00:00
----------------------------------------
Now the useful information stands out much more clearly: the host offers file sharing (File Server Service) and belongs to the WORKGROUP workgroup. We can also use the -d flag to dump the contents of the entire response packet.
nbtscan 172.16.1.102 -d
Doing NBT name scan for addresses from 172.16.1.102

Packet dump for Host 172.16.1.102:

Incomplete packet, 335 bytes long.
Transaction ID: 0x00a0 (160)
Flags: 0x8400 (33792)
Question count: 0x0000 (0)
Answer count: 0x0001 (1)
Name service count: 0x0000 (0)
Additional record count: 0x0000 (0)
Question name: CKAAAAAAAAAAAAAAAAAAAAAA
Question type: 0x0021 (33)
Question class: 0x0001 (1)
Time to live: 0x00000000 (0)
Rdata length: 0x0119 (281)
Number of names: 0x0d (13)
Names received:
METASPLOITABLE   Service: 0x00  Flags: 0x0004
METASPLOITABLE   Service: 0x03  Flags: 0x0004
METASPLOITABLE   Service: 0x20  Flags: 0x0004
METASPLOITABLE   Service: 0x00  Flags: 0x0004
METASPLOITABLE   Service: 0x03  Flags: 0x0004
METASPLOITABLE   Service: 0x20  Flags: 0x0004
__MSBROWSE__     Service: 0x01  Flags: 0x0084
WORKGROUP        Service: 0x00  Flags: 0x0084
WORKGROUP        Service: 0x1d  Flags: 0x0004
WORKGROUP        Service: 0x1e  Flags: 0x0084
WORKGROUP        Service: 0x00  Flags: 0x0084
WORKGROUP        Service: 0x1d  Flags: 0x0004
WORKGROUP        Service: 0x1e  Flags: 0x0084
...
This shows the raw fields of the node status response: the transaction ID, the header flags, the encoded wildcard question name, the NBSTAT question type (0x0021) and the list of registered names with their flags. Note that -d cannot be combined with -v or -h.
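To make the packet dump above concrete, and to turn the name-poisoning attack described earlier into something you can test for, here is an added example in Python. It is not code from this tutorial, from nbtscan or from Nmap; all function names are mine, the sample packets are constructed inline to match the dump above, and the 10.0.0.66 "attacker" address is made up. It builds the same NBSTAT request nbtscan sends, parses the response fields the dump shows, and broadcasts a query for a name that cannot exist so that any host answering it reveals itself as a poisoner.

```python
"""Added example (not code from the tutorial, nbtscan or Nmap): a small NetBIOS
Name Service (NBNS, UDP/137) client. Sample packets below are constructed here."""
import os
import socket
import struct

SUFFIX = {0x00: "Workstation Service", 0x03: "Messenger Service",  # as printed by nbtscan -vh
          0x20: "File Server Service", 0x1b: "Domain Master Browser",
          0x1d: "Master Browser", 0x1e: "Browser Service Elections"}

def encode_name(name, suffix=0x00):
    """RFC 1001 first-level encoding: 15-byte name + suffix byte, each byte split into
    two nibbles offset by 'A'. The NBSTAT wildcard '*' (NUL padded) becomes CKAAAA..."""
    if name == "*":
        raw = b"*" + b"\x00" * 15
    else:
        raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    label = "".join(chr(65 + (b >> 4)) + chr(65 + (b & 0xF)) for b in raw)
    return b"\x20" + label.encode("ascii") + b"\x00"   # length byte, 32-char label, terminator

def build_nbstat_request(txid=0x00A0):
    """12-byte header + one question for '*' of type NBSTAT (0x0021), class IN."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name("*") + struct.pack("!HH", 0x0021, 1)

def parse_node_status(data):
    """Parse a NODE STATUS RESPONSE (RFC 1002 4.2.18): header fields, names, adapter MAC."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    pos = data.index(b"\x00", 13) + 1                   # skip the encoded RR_NAME
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
    pos += 10
    if rtype != 0x0021 or an != 1:
        raise ValueError("not a node status response")
    num, pos, names = data[pos], pos + 1, []
    for _ in range(num):
        raw, sfx = data[pos:pos + 15], data[pos + 15]
        nflags = struct.unpack("!H", data[pos + 16:pos + 18])[0]
        pos += 18
        # NAME_FLAGS on the wire: 0x8000 = group, 0x0400 = active; nbtscan -d prints
        # them byte-swapped (0x0084 / 0x0004), Nmap's nbstat as <group><active>.
        names.append({
            "name": "".join(c for c in raw.decode("latin-1") if c.isprintable()).strip(),
            "suffix": sfx,
            "service": "Master Browser" if raw.startswith(b"\x01\x02__MSBROWSE__")
                       else SUFFIX.get(sfx, "unknown"),
            "group": bool(nflags & 0x8000), "active": bool(nflags & 0x0400)})
    mac = data[pos:pos + 6]                            # STATISTICS starts with UNIT_ID; Samba sends zeros
    return {"txid": txid, "flags": flags, "answers": an, "rdlength": rdlen, "num_names": num,
            "names": names, "mac": ":".join(f"{b:02x}" for b in mac) if len(mac) == 6 else None}

def build_name_query(name, txid):
    """NB name query (type 0x0020) with the broadcast and recursion-desired flags (0x0110)."""
    return struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 0x0020, 1)

def parse_name_response(data):
    """IPs claimed by a POSITIVE NAME QUERY RESPONSE (RDATA = NB_FLAGS(2)+NB_ADDRESS(4), repeated)."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000 or flags & 0x000F or an < 1:  # not a response, or RCODE != 0
        return []
    pos = data.index(b"\x00", 13) + 1
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
    if rtype != 0x0020:
        return []
    rdata = data[pos + 10:pos + 10 + rdlen]
    return [socket.inet_ntoa(rdata[i + 2:i + 6]) for i in range(0, len(rdata) - 5, 6)]

def nbstat(host, timeout=2.0):
    """Live node-status query, i.e. what 'nbtscan <host>' does (needs UDP/137 reachable)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbstat_request(), (host, 137))
        return parse_node_status(s.recv(4096))

def poison_canary(broadcast="255.255.255.255", timeout=3.0):
    """Broadcast a query for a name that cannot exist. Nobody should answer it, so any
    host that does is poisoning NBT-NS. Returns [(responder_ip, [claimed_ips]), ...]."""
    bogus = "CANARY" + os.urandom(4).hex().upper()     # 14 chars, fresh each run
    txid, hits = int.from_bytes(os.urandom(2), "big"), []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.settimeout(timeout)
        s.sendto(build_name_query(bogus, txid), (broadcast, 137))
        try:
            while True:
                data, (src, _) = s.recvfrom(4096)
                claimed = parse_name_response(data) if data[:2] == txid.to_bytes(2, "big") else []
                if claimed:
                    hits.append((src, claimed))
        except socket.timeout:
            pass
    return hits

def sample_node_status_response():
    """Constructed sample mirroring the 'nbtscan -d' dump above: txid 0x00a0, flags
    0x8400, one answer, 13 names, RDLENGTH 281 (0x119), all-zero MAC."""
    m = [(b"METASPLOITABLE", 0x00, 0x0400), (b"METASPLOITABLE", 0x03, 0x0400), (b"METASPLOITABLE", 0x20, 0x0400)]
    w = [(b"WORKGROUP", 0x00, 0x8400), (b"WORKGROUP", 0x1d, 0x0400), (b"WORKGROUP", 0x1e, 0x8400)]
    entries = m * 2 + [(b"\x01\x02__MSBROWSE__\x02", 0x01, 0x8400)] + w * 2
    body = bytes([len(entries)]) + b"".join(n.ljust(15) + bytes([s]) + struct.pack("!H", f) for n, s, f in entries)
    body += b"\x00" * 46                               # STATISTICS: UNIT_ID (MAC) + counters
    return (struct.pack("!HHHHHH", 0x00A0, 0x8400, 0, 1, 0, 0) + encode_name("*")
            + struct.pack("!HHIH", 0x0021, 1, 0, len(body)) + body)

def sample_poisoned_response(txid=0x1234, attacker_ip="10.0.0.66"):
    """Constructed: the positive answer a poisoner returns for any name (attacker IP is made up)."""
    rdata = struct.pack("!H", 0) + socket.inet_aton(attacker_ip)   # NB_FLAGS + NB_ADDRESS
    return (struct.pack("!HHHHHH", txid, 0x8500, 0, 1, 0, 0) + encode_name("CANARY")
            + struct.pack("!HHIH", 0x0020, 1, 300000, len(rdata)) + rdata)
```

Calling nbstat("172.16.1.102") from the attacking machine returns the same 13 names, suffixes and zero MAC that the dump shows; parse_node_status(sample_node_status_response()) gives the same result offline. poison_canary() is the defensive counterpart to the poisoning attack described above: on a clean segment it returns an empty list, because no legitimate host registers a random CANARY name, so any responder it lists is answering for names it does not own and should be investigated.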
If the IP addresses you want to scan are stored in a file, the -f flag specifies the input file to read them from. Again there is only one machine on the network, so only one host shows up in the scan, under the same column headers as before:

IP address       NetBIOS Name     Server    User             MAC address
If you want to save the output of a scan, simply redirect it to the file you want to write to.

nbtscan 172.16.1.102 > scan.txt
Scanning with the Nmap Scripting Engine
Nmap includes a handy little script in the Nmap Scripting Engine that lets us enumerate NetBIOS names as well. The advantage is that it can run alongside other NSE scripts, which saves time when enumerating many different things on a network.
We run Nmap in the usual way and append the nbstat script. Here I use the -sV option to probe open ports for running services and their versions, along with the -v flag for verbose output. Name the script with --script and we're ready to go.
nmap -sV 172.16.1.102 --script nbstat.nse -v
Starting Nmap 7.70 ( https://nmap.org ) at 02.09.02-14 14:12 CST
NSE: Loaded 44 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:12
Completed NSE at 14:12, 0.00s elapsed
Initiating NSE at 14:12
Completed NSE at 14:12, 0.00s elapsed
Initiating ARP Ping Scan at 14:12
Scanning 172.16.1.102 [1 port]
Completed ARP Ping Scan at 14:12, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:12
Completed Parallel DNS resolution of 1 host. at 14:12, 13.00s elapsed
Initiating SYN Stealth Scan at 14:12
Scanning 172.16.1.102 [1000 ports]

...

Host script results:
| nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   METASPLOITABLE<00>           Flags: <unique><active>
|   METASPLOITABLE<03>           Flags: <unique><active>
|   METASPLOITABLE<20>           Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>                Flags: <group><active>
|   WORKGROUP<1d>                Flags: <unique><active>
|_  WORKGROUP<1e>                Flags: <group><active>
Nmap starts and performs its usual scan, and at the end the host script results are displayed. This looks much like one of our earlier nbtscan results, only with the name flags spelled out, but it never hurts to know different ways of accomplishing the same task.
How to Prevent NetBIOS Enumeration
Fortunately, there is a fairly simple measure administrators can take against unauthorized NetBIOS enumeration: disable NetBIOS over TCP/IP (on Windows, under the WINS tab of the adapter's advanced TCP/IP settings). There are scenarios where disabling it causes problems, for instance when certain legacy applications depend on it entirely, but in most cases there are better alternatives and it is safe to turn off. Where it must stay enabled, at least filter UDP 137/138 and TCP 139 at the network boundary so that nobody outside the segment can run these scans.
If NetBIOS has to stay enabled, don't make your shares easy to guess by following the usual naming conventions. On Windows, the default administrative shares such as C$ and ADMIN$ are well known and are the first thing an attacker will try, so disable or restrict them where possible. The good news is that, precisely because attackers look for them, connection attempts to those names are worth monitoring.
In this tutorial we learned how the NetBIOS service works and how it can be used in an attack. We enumerated NetBIOS names and services with NBTScan, a simple command-line tool, and then learned how to do the same with an Nmap script. NetBIOS may be older technology, but it is still used in enterprise environments today. It is often a good starting point after recon, so it's worth knowing how to identify it.
Learn more about NetBIOS: 'Inside NetBIOS' by J. Scott Haugdahl