
Listing NetBIOS Shares with NBTScan & Nmap Scripting Engine «Null Byte :: WonderHowTo



NetBIOS is a service that enables communication over a network and is often used to join a domain and by legacy applications. It's an older technology, but it's still used in some environments today. Because it provides no authentication or encryption of its own, it is often a good place to start when attacking a network, and enumerating NetBIOS names and shares with NBTScan and the Nmap Scripting Engine is a good first step.

To work through this technique, we use Metasploitable 2, a deliberately vulnerable virtual machine, as the target. We attack it from Kali Linux, the go-to distribution for hackers and pentesters alike.

NetBIOS Overview

NetBIOS, short for Network Basic Input/Output System, is a service that allows computers on a network to communicate with one another. Strictly speaking, NetBIOS is not a network protocol but an API. It runs over TCP/IP by way of NBT (NetBIOS over TCP/IP, RFC 1001/1002) and can therefore still be used on modern networks.

NetBIOS offers two main communication methods. The datagram service provides connectionless communication, suited to situations where speed matters more than guaranteed delivery, such as broadcasts and error notifications. The session service, on the other hand, lets two computers establish a connection for reliable communication. NetBIOS also provides a name service for registering and resolving names on the network. Over TCP/IP these map to UDP port 137 (name service), UDP port 138 (datagram service) and TCP port 139 (session service).

Related Reading: 'Network Protocols Handbook' by Javvin Press

The main way attackers abuse NetBIOS is through name-resolution poisoning (NBT-NS poisoning). An attacker on the local network answers name queries while impersonating another machine, so the victim's traffic is misdirected to the attacker. At that point the attacker can also capture the user's hashed credentials from the resulting authentication attempt and crack them offline later.

Scanning with NBTScan

NBTScan is a command-line tool used to scan networks for NetBIOS name and workgroup information (it queries the name service, so it lists registered names rather than the shares themselves). It runs on both Unix and Windows, and ships with Kali Linux by default.

First, print the help text, which lists all the options and some example scans. Just type nbtscan at the command prompt with no arguments.

  nbtscan
  NBTscan version 1.5.1. Copyright (C) 1999-2003 Alla Bezroutchko.
This is a free software and it comes with absolutely no warranty.
You can use, distribute and modify it under terms of GNU GPL.

Usage:
nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename)|(<scan_range>)
	-v		verbose output. Print all names received
			from each host
	-d		dump packets. Print whole packet contents.
	-e		Format output in /etc/hosts format.
	-l		Format output in lmhosts format.
			Cannot be used with -v, -s or -h options.
	-t timeout	wait timeout milliseconds for response.
			Default 1000.
	-b bandwidth	Output throttling. Slow down output
			so that it uses no more than bandwidth bps.
			Useful on slow links, so that outgoing queries
			don't get dropped.
	-r		use local port 137 for scans. Win95 boxes
			respond to this only.
			You need to be root to use this option on Unix.
	-q		Suppress banners and error messages.
	-s separator	Script-friendly output. Don't print
			column and record headers, separate fields with separator.
	-h		Print human-readable names for services.
			Can only be used with -v option.
	-m retransmits	Number of retransmits. Default 0.
	-f filename	Take IP addresses to scan from file filename.
			-f - makes nbtscan take IP addresses from stdin.
	<scan_range>	what to scan. Can either be single IP
			like 192.168.1.1 or
			range of addresses in one of two forms:
			xxx.xxx.xxx.xxx/xx or xxx.xxx.xxx.xxx-xxx.
Examples:
	nbtscan -r 192.168.1.0/24
		Scans the whole C-class network.
	nbtscan 192.168.1.25-137
		Scans a range from 192.168.1.25 to 192.168.1.137
	nbtscan -v -s : 192.168.1.0/24
		Scans C-class network. Prints results in script-friendly
		format using colon as field separator.
		Produces output like this:
		192.168.0.1:NT_SERVER:00U
		192.168.0.1:MY_DOMAIN:00G
		192.168.0.1:ADMINISTRATOR:03U
		192.168.0.2:OTHER_BOX:00U
		...
	nbtscan -f iplist
		Scans IP addresses specified in file iplist.

The easiest way to run the tool is to give it a set of IP addresses. In this case there is only one other computer on the network, so I pass its IP address as the target.

  nbtscan 172.16.1.102
  Doing NBT name scan for addresses from 172.16.1.102

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
172.16.1.102     METASPLOITABLE   <server>  METASPLOITABLE   00:00:00:00:00:00

Here we can see the IP address, the NetBIOS name, a <server> marker (present when the host registers the file-server <20> name), the logged-on user if one is registered, and the MAC address of the target. Note that hosts running Samba often return all zeroes as the MAC address in response to this query.

For more detail, use the -v flag for verbose output.

  nbtscan 172.16.1.102 -v
  Doing NBT name scan for addresses from 172.16.1.102

NetBIOS Name Table for Host 172.16.1.102:

Incomplete packet, 335 bytes long.
Name             Service          Type
----------------------------------------
METASPLOITABLE   <00>             UNIQUE
METASPLOITABLE   <03>             UNIQUE
METASPLOITABLE   <20>             UNIQUE
METASPLOITABLE   <00>             UNIQUE
METASPLOITABLE   <03>             UNIQUE
METASPLOITABLE   <20>             UNIQUE
__MSBROWSE__     <01>             GROUP
WORKGROUP        <00>             GROUP
WORKGROUP        <1d>             UNIQUE
WORKGROUP        <1e>             GROUP
WORKGROUP        <00>             GROUP
WORKGROUP        <1d>             UNIQUE
WORKGROUP        <1e>             GROUP

Adapter address: 00:00:00:00:00:00
----------------------------------------

We can now see every registered name with its service suffix (the hex value in angle brackets) and whether it is a UNIQUE or GROUP name. The raw suffixes are not very readable, which brings us to the next option: -h prints the service each suffix stands for in human-readable form. It only works together with -v.

  nbtscan 172.16.1.102 -vh
  Doing NBT name scan for addresses from 172.16.1.102

NetBIOS Name Table for Host 172.16.1.102:

Incomplete packet, 335 bytes long.
Name             Service          Type
----------------------------------------
METASPLOITABLE   Workstation Service
METASPLOITABLE   Messenger Service
METASPLOITABLE   File Server Service
METASPLOITABLE   Workstation Service
METASPLOITABLE   Messenger Service
METASPLOITABLE   File Server Service
__MSBROWSE__     Master Browser
WORKGROUP        Domain Name
WORKGROUP        Master Browser
WORKGROUP        Browser Service Elections
WORKGROUP        Domain Name
WORKGROUP        Master Browser
WORKGROUP        Browser Service Elections

Adapter address: 00:00:00:00:00:00
----------------------------------------

Now the output is much easier to interpret: the <20> name tells us the host offers file sharing, and the <1d> name that it is the master browser for the WORKGROUP workgroup. We can also use the -d flag to dump the contents of the entire packet.

  nbtscan 172.16.1.102 -d
  Doing NBT name scan for addresses from 172.16.1.102

Packet dump for Host 172.16.1.102:

Incomplete packet, 335 bytes long.
Transaction ID: 0x00a0 (160)
Flags: 0x8400 (33792)
Question count: 0x0000 (0)
Answer count: 0x0001 (1)
Name service count: 0x0000 (0)
Additional record count: 0x0000 (0)
Question name: CKAAAAAAAAAAAAAAAAAAAAAA
Question type: 0x0021 (33)
Question class: 0x0001 (1)
Time to live: 0x00000000 (0)
Rdata length: 0x0119 (281)
Number of names: 0x0d (13)
Names received:
METASPLOITABLE   service: 0x00 flags: 0x0004
METASPLOITABLE   service: 0x03 flags: 0x0004
METASPLOITABLE   service: 0x20 flags: 0x0004
METASPLOITABLE   service: 0x00 flags: 0x0004
METASPLOITABLE   service: 0x03 flags: 0x0004
METASPLOITABLE   service: 0x20 flags: 0x0004
__MSBROWSE__     service: 0x01 flags: 0x0084
WORKGROUP        service: 0x00 flags: 0x0084
WORKGROUP        service: 0x1d flags: 0x0004
WORKGROUP        service: 0x1e flags: 0x0084
WORKGROUP        service: 0x00 flags: 0x0084
WORKGROUP        service: 0x1d flags: 0x0004
WORKGROUP        service: 0x1e flags: 0x0084

...

This prints the raw fields of the name-service response: the transaction ID, the flags word (0x8400 marks a response), the resource record with question type 0x0021 (NBSTAT, the node-status query), and the 13 name entries with their per-name flags. It is handy when a reply looks odd; here, for instance, the "Incomplete packet" note appears because the advertised Rdata length (281 bytes) is larger than what the 335-byte datagram actually carries after the headers, which is common with Samba targets, although the names and MAC address still parse. Note that -d cannot be combined with the -v or -h options.
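To make the fields in that dump concrete, here is an added example (not code from the article, nbtscan or Nmap) that builds the same NBSTAT wildcard query nbtscan sends to UDP port 137 and parses the reply into names, service types and MAC address. The sample response it decodes is constructed by hand to mirror the dump above (transaction ID 0x00a0, flags 0x8400, 13 names, advertised Rdata length 0x0119, all-zero MAC); it is not captured traffic. The nbstat() helper is the only part that touches the network, and it is only used when you pass it a host yourself.

```python
"""NBSTAT (NetBIOS node-status) query builder and response parser.
Added example, not code from the original article, nbtscan or Nmap.
Layout follows RFC 1001/1002. sample_response() is constructed by hand to
mirror the nbtscan -d dump above; it is not captured traffic."""
import socket
import struct

NBNS_PORT = 137
NBSTAT_TYPE = 0x0021        # question type 33 in the dump
IN_CLASS = 0x0001

# Suffix -> service name, the mapping nbtscan -h prints (group bit matters).
SERVICE_NAMES = {
    (0x00, False): "Workstation Service",
    (0x03, False): "Messenger Service",
    (0x20, False): "File Server Service",
    (0x1D, False): "Master Browser",
    (0x00, True): "Domain Name",
    (0x01, True): "Master Browser",          # \x01\x02__MSBROWSE__\x02
    (0x1E, True): "Browser Service Elections",
}

def encode_netbios_name(name: str, suffix: int = 0x00) -> str:
    """RFC 1001 first-level encoding: 16 raw bytes (15-char name + suffix), each
    nibble + 0x41. The wildcard '*' is NUL-padded, hence the dump's CKAAAA...AAA."""
    if name == "*":
        raw = b"*" + b"\x00" * 15
    else:
        raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)

def build_nbstat_query(tid: int = 0x00A0) -> bytes:
    """12-byte header (flags 0 = query), one NBSTAT question for '*'."""
    header = struct.pack(">HHHHHH", tid, 0x0000, 1, 0, 0, 0)
    qname = b"\x20" + encode_netbios_name("*").encode("ascii") + b"\x00"
    return header + qname + struct.pack(">HH", NBSTAT_TYPE, IN_CLASS)

def parse_nbstat_response(data: bytes) -> dict:
    """Parse a node-status reply into names, service types and MAC."""
    tid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000 or an != 1:
        raise ValueError("not a single-answer NBNS response")
    pos = 12
    while data[pos]:                    # skip the encoded RR name labels
        pos += 1 + data[pos]
    pos += 1
    rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
    pos += 10
    if rtype != NBSTAT_TYPE:
        raise ValueError(f"unexpected RR type 0x{rtype:04x}")
    # nbtscan's "Incomplete packet": advertised RDATA longer than what arrived.
    incomplete = len(data) - pos < rdlen
    num_names, pos = data[pos], pos + 1
    names = []
    for _ in range(num_names):
        raw, suffix = data[pos:pos + 15], data[pos + 15]
        (nflags,) = struct.unpack(">H", data[pos + 16:pos + 18])
        pos += 18
        # NAME_FLAGS: G bit 0x8000 = group, ACT bit 0x0400 = active. nbtscan -d
        # prints the field byte-swapped, so its 0x0004 is 0x0400 on the wire.
        group = bool(nflags & 0x8000)
        text = raw.rstrip(b" ").decode("ascii", "replace")
        names.append({
            "name": "".join(c for c in text if c.isprintable()),
            "suffix": suffix,
            "group": group,
            "active": bool(nflags & 0x0400),
            "service": SERVICE_NAMES.get((suffix, group), "Unknown"),
        })
    mac = data[pos:pos + 6]             # UNIT_ID field; Samba sends zeros
    return {"tid": tid, "names": names, "incomplete": incomplete,
            "mac": ":".join(f"{b:02x}" for b in mac) if len(mac) == 6 else None}

def nbstat(host: str, timeout: float = 1.0, tid: int = 0x00A0) -> dict:
    """Send the query to UDP/137 and parse the reply (what nbtscan does)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbstat_query(tid), (host, NBNS_PORT))
        data, _ = s.recvfrom(4096)
    info = parse_nbstat_response(data)
    if info["tid"] != tid:
        raise ValueError("transaction ID mismatch")
    return info

def sample_response() -> bytes:
    """Constructed reply: the dump's 13 names, zero MAC, RDATA length 0x0119
    advertised although only the names and the MAC are actually present."""
    host = [("METASPLOITABLE", s, 0x0400) for s in (0x00, 0x03, 0x20)]
    wg = [("WORKGROUP", 0x00, 0x8400), ("WORKGROUP", 0x1D, 0x0400),
          ("WORKGROUP", 0x1E, 0x8400)]
    entries = host * 2 + [("\x01\x02__MSBROWSE__\x02", 0x01, 0x8400)] + wg * 2
    rdata = bytes([len(entries)]) + b"".join(
        n.encode("ascii").ljust(15, b" ") + bytes([s]) + struct.pack(">H", f)
        for n, s, f in entries) + b"\x00" * 6
    header = struct.pack(">HHHHHH", 0x00A0, 0x8400, 0, 1, 0, 0)
    rr = (b"\x20" + encode_netbios_name("*").encode("ascii") + b"\x00"
          + struct.pack(">HHIH", NBSTAT_TYPE, IN_CLASS, 0, 0x0119))
    return header + rr + rdata
```

parse_nbstat_response(sample_response()) yields the same 13 entries as the -vh listing above, with incomplete set because the constructed reply, like the real one, promises 281 bytes of Rdata but carries only the names and the 6-byte MAC. Against a live host, nbstat("172.16.1.102") returns the same structure; the transaction-ID check matters there because anyone on the segment can send an unsolicited reply to your port.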

If the IP addresses you want to scan are stored in a file, the -f flag can be used to name the input file to read from (-f - reads the addresses from stdin). Again, there is only one other machine on the network, so only one appears in our scan.

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
172.16.1.102     METASPLOITABLE   <server>  METASPLOITABLE   00:00:00:00:00:00

If you want to save the output of a scan, just redirect it to a file.

  nbtscan 172.16.1.102 > scan.txt

Scanning with the Nmap Scripting Engine

Nmap includes a handy little script in the Nmap Scripting Engine, nbstat, which retrieves the same NetBIOS name table. This has the advantage that it can run alongside other NSE scripts (for example smb-enum-shares, which lists the actual SMB shares), which saves time when enumerating many different things on a network at once.

We run Nmap the usual way, with the nbstat script specified at the end. Here I use the -sV option to probe open ports for the running services and their versions, along with the -v flag for verbose output. Pass the script name with --script and we're ready to go.

  nmap -sV 172.16.1.102 --script nbstat.nse -v
  Starting Nmap 7.70 ( https://nmap.org ) at 02.09.02-14 14:12 CST
NSE: Loaded 44 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:12
Completed NSE at 14:12, 0.00s elapsed
Initiating NSE at 14:12
Completed NSE at 14:12, 0.00s elapsed
Initiating ARP Ping Scan at 14:12
Scanning 172.16.1.102 [1 port]
Completed ARP Ping Scan at 14:12, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:12
Completed Parallel DNS resolution of 1 host. at 14:12, 13.00s elapsed
Initiating SYN Stealth Scan at 14:12
Scanning 172.16.1.102 [1000 ports]

...

Host script results:
| nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   METASPLOITABLE<00>           Flags: <unique><active>
|   METASPLOITABLE<03>           Flags: <unique><active>
|   METASPLOITABLE<20>           Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>                Flags: <group><active>
|   WORKGROUP<1d>                Flags: <unique><active>
|_  WORKGROUP<1e>                Flags: <group><active>

Nmap starts and performs its usual scan. At the end, the host script results are displayed. This looks much like our earlier nbtscan -v output (the <unique>/<group> and <active> flags are the same name flags nbtscan showed as 0x0004 and 0x0084), but it never hurts to know more than one way of accomplishing the same task.

How to Prevent NetBIOS Enumeration

Fortunately, there is a fairly simple fix available to any administrator who wants to protect against unauthorized enumeration of NetBIOS names and shares: disable NetBIOS over TCP/IP on hosts that do not need it, and block UDP 137/138 and TCP 139 at network boundaries so the name, datagram and session services cannot be reached from untrusted segments. There are scenarios where disabling it causes problems, for example when an older application depends entirely on it, but in most cases there are better alternatives (DNS for name resolution, SMB directly over TCP 445), and it is fine to turn it off.

If you do need to keep NetBIOS enabled, be aware of the default names. On Windows, C$ and ADMIN$ are the built-in administrative shares and are the first thing an attacker looks for; they cannot simply be renamed, but where nothing relies on them they can be turned off through the AutoShareServer and AutoShareWks registry values. Either way, the same tools shown here let you watch your own network: run the scan yourself and see which hosts still answer.
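As a way to verify that control after rollout, here is an added example in Python (not from the article or from nbtscan). It parses the script-friendly output of nbtscan -v -s : on a range (the one-name-per-line IP:NAME:suffixU/G format shown in the help text earlier) and reports, per responding host, which NetBIOS names are still registered and whether any are the file-server, browser or messenger names an attacker goes for; still_enabled() then lists the hosts that were supposed to have NetBIOS turned off but still answered. The sample scan lines and the 10.0.0.x addresses are constructed, not real results.

```python
"""Audit NetBIOS exposure from nbtscan's script-friendly output.
Added example, not code from the original article or from nbtscan.
Input is the format the help text documents for `nbtscan -v -s :`,
one line per registered name: IP:NAME:<suffix><U|G>.
SAMPLE_SCAN is constructed by hand, not a real scan."""
from collections import defaultdict

# Name types worth flagging on a host where NetBIOS is supposed to be off.
FLAGGED = {
    (0x20, "U"): "file server (SMB reachable over NetBIOS)",
    (0x1D, "U"): "master browser",
    (0x03, "U"): "messenger service",
}

SAMPLE_SCAN = """\
10.0.0.5:METASPLOITABLE:00U
10.0.0.5:METASPLOITABLE:03U
10.0.0.5:METASPLOITABLE:20U
10.0.0.5:WORKGROUP:00G
10.0.0.5:WORKGROUP:1dU
10.0.0.5:WORKGROUP:1eG
10.0.0.9:PRINTSRV:00U
10.0.0.9:WORKGROUP:00G
"""

def parse_script_output(text: str, sep: str = ":"):
    """Yield (ip, name, suffix, kind); kind is 'U' (unique) or 'G' (group)."""
    for line in text.splitlines():
        line = line.strip()
        if line.count(sep) < 2:
            continue                            # banner or blank line
        ip, rest = line.split(sep, 1)
        name, svc = rest.rsplit(sep, 1)         # a name may contain sep itself
        if len(svc) != 3 or svc[2] not in "UG":
            continue
        try:
            yield ip, name, int(svc[:2], 16), svc[2]
        except ValueError:                      # suffix was not hex
            continue

def audit(text: str, sep: str = ":") -> dict:
    """Group names per responding host and list the flagged services."""
    hosts = defaultdict(list)
    for ip, name, suffix, kind in parse_script_output(text, sep):
        hosts[ip].append((name, suffix, kind))
    return {
        ip: {
            "names": entries,
            "findings": sorted({FLAGGED[(s, k)] for _, s, k in entries
                                if (s, k) in FLAGGED}),
        }
        for ip, entries in hosts.items()
    }

def still_enabled(report: dict, should_be_disabled) -> list:
    """Hosts where NetBIOS over TCP/IP was supposedly turned off but which
    still answer a node-status query (any registered name counts)."""
    return sorted(ip for ip in should_be_disabled if ip in report)

if __name__ == "__main__":
    import sys
    text = SAMPLE_SCAN if sys.stdin.isatty() else sys.stdin.read()
    for ip, data in sorted(audit(text).items()):
        print(f"{ip}: {len(data['names'])} names; "
              + (", ".join(data["findings"]) or "no flagged services"))
```

Feed it a real sweep with nbtscan -q -v -s : 10.0.0.0/24 | python3 nb_audit.py (-q drops the banner so only name lines reach the parser). Any host that appears in the report at all still has NetBIOS over TCP/IP enabled; the ones with a file-server finding are where an attacker would go next.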

Summary

In this tutorial we learned how the NetBIOS service works and how it can be abused during an attack. We enumerated NetBIOS names with NBTScan, a simple command-line tool, and then learned how to use an Nmap script to do the same. NetBIOS may be an older technology, but it is still used in enterprise environments today. It is often a good starting point after recon, so it's good to know how to identify it.

Learn more about NetBIOS: 'Inside NetBIOS' by J. Scott Haugdahl

Cover photo by Brett Sayles / Pexels
