
NetBios - The Quickest Hack

(NetBIOS hacking can be compared to Maggi noodles, as both of them take just 2 minutes)


Disclaimer :- This text is provided just to share knowledge; I don't suggest you go and hack your university or school or anybody else's computer. It's not legal, and if you ever get screwed, I don't take any liability for your actions; you and only you are solely responsible for your actions. And you are free to copy and distribute it as long as credit is given to me. If you have any suggestions or questions regarding hacking or relating to this paper, you can always reach me at my mail address.


    Here I Start :- 

    NetBIOS stands for Network Basic Input Output System. It is used to share various resources of a network such as printers, scanners, files, etc. It communicates over port number 139. OK, so now just think of the computers at your school or college. They are on a LAN (Local Area Network), so they probably have NetBIOS enabled (NetBIOS is also called File and Printer Sharing), which means you can get files and store them there (if you have read/write permission). If you want a list of the nodes or computers attached to your LAN, you can get one by simply clicking the Network Neighbourhood icon on the desktop, and wow, you have a list of all the computers attached to your network, and you can probably read everything out of there, even copy the programs written by your teacher which she is going to ask you about in the exams :) And if you want to explore further, click the Entire Network icon and see the names of other networks.

    Entire Network comes in handy when you are using cable internet services and they provide your service through a WAN (Wide Area Network). You can see lots of small networks and end-user computers attached to it, like cyber cafes, personal connections and small software companies: all the people who use that ISP (Internet Service Provider) and are online will be listed there, as NetBIOS is enabled by default on all Windows computers, and you can see all their files and download them.

    I think that's enough fun with local systems, right? What do you do when you want to hack a computer that is on a different network, in fact on a different ISP, and really far away from you? Think of it, can you do it? Say yes!!! OK, now let's see how it can be done. Boot up Windows, then go to Start => Programs => MS-DOS Prompt. Ah, you get a command prompt. Now, for instance, take this IP address: 203.197.173.233 (I suggest you don't use this IP, as it belongs to the indiatimes.com domain and they have NetBIOS firewalled, so there is no use beating around the bush :P). OK, back to our hack. Microsoft has given us a wonderful utility called nbtstat, which helps us get a remote machine's name table. In fact, it helps us find out whether the remote machine has NetBIOS enabled or not. So now, at your MS-DOS command prompt, type: nbtstat -a 203.197.173.233 and just wait till it gives you a reply. It will say either of two things, like:
 

    1) Host not found.

    This means that the remote computer you are trying to hack probably does not have NetBIOS enabled, so you must now quit using this stupid thing and get to work on something real, or maybe leave this idiot and get a different target and try to hack it. If not, and you are lucky, then:

    2) If something like this appears, now jump and dance: you are halfway into that computer.

NetBIOS Remote Machine Name Table

    Name               Type         Status
    ---------------------------------------------
    HOST1          <00>  UNIQUE      REGISTERED
    SERVER         <00>  GROUP       REGISTERED
    DATABASE       <03>  UNIQUE      REGISTERED
    GARBAGE        <20>  UNIQUE      REGISTERED
    SERVER1        <1E>  UNIQUE      REGISTERED

    MAC Address = 44-B0-24-5D-8E-9C

    OK, now that's it.
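As an added example (not code from the original paper), here is a small Python parser for the nbtstat name table format shown above. It reads the table as text, decodes the common suffixes (the paper only calls out <20>; the other meanings are the standard Microsoft suffix assignments), and reports whether the host is advertising the File Server Service, which is the check an administrator auditing their own LAN would want to script. The sample output embedded in it is the table above re-typed as a constructed string, and a "Host not found." reply is handled as an empty table.

```python
import re
from dataclasses import dataclass

# Standard Microsoft NetBIOS suffix assignments, keyed by (suffix, type).
# The paper only calls out <20>; the rest are the usual meanings.
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "Workstation Service (machine name)",
    ("00", "GROUP"):  "Domain or workgroup name",
    ("01", "GROUP"):  "Master Browser (__MSBROWSE__)",
    ("03", "UNIQUE"): "Messenger Service",
    ("20", "UNIQUE"): "File Server Service (file and printer sharing enabled)",
    ("1B", "UNIQUE"): "Domain Master Browser",
    ("1C", "GROUP"):  "Domain Controllers",
    ("1D", "UNIQUE"): "Master Browser",
    ("1E", "GROUP"):  "Browser Service Elections",
}

# Constructed sample: the table shown earlier in the paper, re-typed.
SAMPLE_NBTSTAT_OUTPUT = """\
NetBIOS Remote Machine Name Table

    Name               Type         Status
    ---------------------------------------------
    HOST1          <00>  UNIQUE      REGISTERED
    SERVER         <00>  GROUP       REGISTERED
    DATABASE       <03>  UNIQUE      REGISTERED
    GARBAGE        <20>  UNIQUE      REGISTERED
    SERVER1        <1E>  UNIQUE      REGISTERED

    MAC Address = 44-B0-24-5D-8E-9C
"""

# One table row: name, <suffix>, UNIQUE|GROUP, status. The name is matched
# non-greedily so names containing spaces (nbtstat pads to 15 chars) survive.
ENTRY_RE = re.compile(
    r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)\s*$", re.IGNORECASE)
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


@dataclass
class NameEntry:
    name: str
    suffix: str   # two hex digits, e.g. "20"
    kind: str     # "UNIQUE" or "GROUP"
    status: str   # e.g. "REGISTERED"

    @property
    def meaning(self) -> str:
        return SUFFIX_MEANING.get((self.suffix, self.kind), "unknown suffix")


def parse_name_table(text):
    """Return (entries, mac) from nbtstat -a output; an unreachable host
    ('Host not found.') yields ([], None)."""
    entries, mac = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            name, suffix, kind, status = m.groups()
            entries.append(NameEntry(name.strip(), suffix.upper(), kind.upper(), status.upper()))
            continue
        m = MAC_RE.search(line)
        if m:
            mac = m.group(1).upper()
    return entries, mac


def file_sharing_exposed(entries):
    """The paper's rule of thumb: a registered <20> UNIQUE name means the
    File Server Service is up, i.e. the host is offering SMB shares."""
    return any(e.suffix == "20" and e.kind == "UNIQUE" and e.status == "REGISTERED"
               for e in entries)


def summarize(text):
    entries, mac = parse_name_table(text)
    return {
        "netbios_enabled": bool(entries),
        "file_sharing": file_sharing_exposed(entries),
        "mac": mac,
        "names": [(e.name, e.suffix, e.kind, e.meaning) for e in entries],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_NBTSTAT_OUTPUT)
    for name, suffix, kind, meaning in report["names"]:
        print(f"{name:<15} <{suffix}> {kind:<6} {meaning}")
    print("MAC address:", report["mac"])
    print("File sharing exposed:", report["file_sharing"])
```

Feed it the saved output of nbtstat -a run against your own machines and the "file_sharing" flag tells you at a glance which of them are still offering shares; the SERVER1 <1E> UNIQUE row from the paper's sample comes back as "unknown suffix" because <1E> is normally a GROUP name.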

    The data given above will be different for every computer; this was just for the sake of example. So now, when you get the machine's name table, you can say that it has NetBIOS enabled, and you even get the MAC address of the machine, which can be used to exploit trust relations, but that is above the scope of this paper, so I will end it there and continue. Let me give you a more specific hint: if the numbers in the '<>' contain 20, like this => <20>, this means that it has sharing enabled. Well, now let us proceed: fire up Notepad and open the file C:\windows\lmhosts.sam
 

    It will look like this :

# Copyright (c) 1998 Microsoft Corp.
#
# This is a sample LMHOSTS file used by the Microsoft Wins Client (NetBios
# over TCP/IP) stack for Windows98
#
# This file contains the mappings of IP addresses to NT computernames
# (NetBIOS) names. Each entry should be kept on an individual line.
# The IP address should be placed in the first column followed by the
# corresponding computername. The address and the comptername
# should be separated by at least one space or tab. The "#" character
# is generally used to denote the start of a comment (see the exceptions
# below).
#
# This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
# files and offers the following extensions:
#
# #PRE
# #DOM:<domain>
# #INCLUDE <filename>
# #BEGIN_ALTERNATE
# #END_ALTERNATE
#0xnn (non-printing character support)
#
# Following any entry in the file with the characters "#PRE" will cause
# the entry to be preloaded into the name cache. By default, entries are
# not preloaded, but are parsed only after dynamic name resolution fails.
#
# Following an entry with the "#DOM:<domain>" tag will associate the
# entry with the domain specified by <domain>. This affects how the
# browser and logon services behave in TCP/IP environments. To preload
# the host name associated with #DOM entry, it is necessary to also add a
# #PRE to the line. The <domain> is always preloaded although it will not
# be shown when the name cache is viewed.
#
# Specifying "#INCLUDE <filename>" will force the RFC NetBIOS (NBT)
# software to seek the specified <filename> and parse it as if it were
# local. <filename> is generally a UNC-based name, allowing a
# centralized lmhosts file to be maintained on a server.
# It is ALWAYS necessary to provide a mapping for the IP address of the
# server prior to the #INCLUDE. This mapping must use the #PRE directive.
# In addtion the share "public" in the example below must be in the
# LanManServer list of "NullSessionShares" in order for client machines to
# be able to read the lmhosts file successfully. This key is under
#\machine\system\currentcontrolset\services\lanmanserver\parameters\null sessionshares
# in the registry. Simply add "public" to the list found there.
#
# The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
# statements to be grouped together. Any single successful include
# will cause the group to succeed.
#
# Finally, non-printing characters can be embedded in mappings by
# first surrounding the NetBIOS name in quotations, then using the
# \0xnn notation to specify a hex value for a non-printing character.
#
# The following example illustrates all of these extensions:
#
# 102.54.94.97 rhino #PRE #DOM:networking #net group's DC
# 102.54.94.102 "appname \0x14" #special app server
# 102.54.94.123 popular #PRE #source server
# 102.54.94.117 localsrv #PRE #needed for the include
#
# #BEGIN_ALTERNATE
# #INCLUDE \\localsrv\public\lmhosts
# #INCLUDE \\rhino\public\lmhosts
# #END_ALTERNATE
#
# In the above example, the "appname" server contains a special
# character in its name, the "popular" and "localsrv" server names are
# preloaded, and the "rhino" server name is specified so it can be used
# to later #INCLUDE a centrally maintained lmhosts file if the "localsrv"
# system is unavailable.
#
# Note that the whole file is parsed including comments on each lookup,
# so keeping the number of comments to a minimum will improve performance.
# Therefore it is not advisable to simply add lmhosts file entries onto the
# end of this file.

    OK, now the only thing you have to do is add a simple entry, like this:

    #PRE #DOM:203.197.173.233 #INCLUDE <C:\>

    Let me tell you what it means. #PRE means load the connection as soon as you connect to the internet, and #DOM means the domain name; in fact we have to hack the PC and it has an IP, and just providing the IP information will suffice. 203.197.173.233 is the IP address of the computer, and #INCLUDE simply means that the C: drive will be mounted during the session.
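To make the lmhosts.sam grammar above concrete, here is an added Python parser (example code written for this page, not Microsoft's or the paper's own) that follows the rules the file's comments lay out: a mapping line starts with an IP address followed by a computer name, an entry may be tagged #PRE and #DOM:<domain>, a quoted name may carry \0xnn characters, and #INCLUDE / #BEGIN_ALTERNATE / #END_ALTERNATE stand alone at the start of a line. The sample input is the example block from the file's own comments, re-typed without the leading # as a constructed entry list. Fed the single line the paper adds, the parser records neither a mapping nor an include, because that line starts with #PRE rather than an IP address; that is what the documented grammar yields, and the parser makes no claim about how Windows 98 itself treats the line.

```python
import re

# Directives the lmhosts.sam comments describe as standing alone at the start
# of a line; any other line beginning with '#' is an ordinary comment.
LINE_DIRECTIVES = {"INCLUDE", "BEGIN_ALTERNATE", "END_ALTERNATE"}
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
NONPRINT_RE = re.compile(r"\\0x([0-9A-Fa-f]{2})")

# Constructed sample: the example block from the lmhosts.sam comments,
# uncommented so it is parsed as real entries. The quoted name is padded to
# 15 characters so that \0x14 lands in the 16th (suffix) position.
SAMPLE_LMHOSTS = r"""
102.54.94.97     rhino                  #PRE #DOM:networking  #net group's DC
102.54.94.102    "appname        \0x14"                       #special app server
102.54.94.123    popular                #PRE                  #source server
102.54.94.117    localsrv               #PRE                  #needed for the include

#BEGIN_ALTERNATE
#INCLUDE \\localsrv\public\lmhosts
#INCLUDE \\rhino\public\lmhosts
#END_ALTERNATE
"""

# The single line the paper adds to the file.
PAPER_ENTRY = r"#PRE #DOM:203.197.173.233 #INCLUDE <C:\>"


def _decode_name(token):
    r"""A quoted name may embed \0xnn for a non-printing character."""
    if len(token) >= 2 and token.startswith('"') and token.endswith('"'):
        return NONPRINT_RE.sub(lambda m: chr(int(m.group(1), 16)), token[1:-1])
    return token


def _tokens(line):
    # Split on whitespace but keep a quoted name (which may contain spaces) whole.
    return re.findall(r'"[^"]*"|\S+', line)


def parse_lmhosts(text):
    """Return (mappings, includes) following the grammar in the file's own
    comments: IP first, then the name, then optional #PRE / #DOM:<domain>."""
    mappings, includes = [], []
    alt_group, alt_count = None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            rest = line[1:].strip()
            word = rest.split(None, 1)[0].upper() if rest else ""
            if word == "BEGIN_ALTERNATE":
                alt_count += 1
                alt_group = alt_count
            elif word == "END_ALTERNATE":
                alt_group = None
            elif word == "INCLUDE":
                parts = rest.split(None, 1)
                if len(parts) == 2:
                    path = parts[1].split("#", 1)[0].strip()
                    includes.append({"path": path, "alternate_group": alt_group})
            # '#PRE ...' or '#DOM: ...' at line start has no IP in front of it,
            # so under the documented grammar it is just a comment.
            continue
        toks = _tokens(line)
        if len(toks) < 2 or not IP_RE.match(toks[0]):
            continue
        entry = {"ip": toks[0], "name": _decode_name(toks[1]).upper(),
                 "preload": False, "domain": None}
        for tok in toks[2:]:
            up = tok.upper()
            if up == "#PRE":
                entry["preload"] = True
            elif up.startswith("#DOM:"):
                entry["domain"] = tok[len("#DOM:"):]
            elif tok.startswith("#"):
                break  # an ordinary trailing comment ends the entry
        mappings.append(entry)
    return mappings, includes


def preloaded_names(mappings):
    """Names that #PRE puts into the name cache before any dynamic lookup."""
    return [m["name"] for m in mappings if m["preload"]]


if __name__ == "__main__":
    maps, incs = parse_lmhosts(SAMPLE_LMHOSTS)
    for m in maps:
        print(f'{m["ip"]:<15} {m["name"]!r:<22} preload={m["preload"]} domain={m["domain"]}')
    for i in incs:
        print("include", i["path"], "alternate group", i["alternate_group"])
    print("preloaded:", preloaded_names(maps))
    print("paper's entry parses to:", parse_lmhosts(PAPER_ENTRY))
```

The point of keeping the alternate-group number on each include is the rule from the file's comments that any single successful #INCLUDE inside a #BEGIN_ALTERNATE / #END_ALTERNATE block makes the whole group succeed; a tool that audits a fleet's lmhosts files can use it to see which server names are trusted as a source of name mappings.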

    OK, so now that we have added the entry, save the file, but make sure you don't save it as lmhosts.txt; it is lmhosts.sam, so be careful while saving this file. Now just close all the windows, exit the command prompt, and then click Start => Find => Computer, enter the IP address next to the Named field, like this -> 203.197.173.233, and press Find, and voilà, you broke into a computer. And it's not just that: you can browse through the directories and copy something like games or some MP3s, and what you can do is just upload a trojan and then do anything. Don't delete anything out of there; maybe it's somebody's hard work. OK, now just think that you clicked the computer you just got: what if it is password protected?? Did you waste your time?? Well, I can't say exactly, but if you get into such a situation there are some tools that come in handy here. They are called password bruteforcers :-

    1) NetBIOS bruteforce password tester :- http://www.rawlogic.com/netbrute/nbtest.zip

    2) SMBGrind :- http://www.nai.com/

    OK, now get a good password file, load it, and get going with it :) till you get the password :)

    Here are some tools which help you automate your tasks, from getting the name table to other stuff like fingerprinting the operating system; they also scan a large number of systems for SMB (Server Message Block) services. Here they are :-

    1) Winfingerprint collects information about the NetBIOS name table and fingerprints the operating system; it can be found here :- http://winfingerprint.sourceforge.net/

    2) Enum gets information about the NetBIOS name table and can be found here :- http://razor.bindview.com/tools/

    3) NetBrute :- scans hosts for SMB sharing and can be found here :- http://www.rawlogic.com/netbrute

    Preventing yourself from being hacked :
        The first and best thing that comes to my mind is DISABLE FILE AND PRINTER SHARING. But if you really need sharing, then password protect it, and don't use passwords like 'server', 'username', etc.; your passwords must be like this: 'mnia10st3t', and if possible add a "." in it. And when you don't need to share to the internet, download a good firewall: you can get Zone Alarm from www.zonelabs.com or get Tiny Personal Firewall from http://www.webmasterfree.com/tpfw.html. It is available for free for home use, and for ZoneLabs you can always get a demo. Use these firewalls to block the ports 137, 138 and 139.

    OK guys, HAPPY NetBIOS Hacking.
        Now enjoy what you just learned, browse their computers as if they were your own computer, and have phun ;)

Some Noob Questions :-

Q) Do I need the internet to hack a remote computer ?
A) Yes, you do need a net connection.

Q) What if all the computers I scan say Host Not Found ?
A) Probably they all have file sharing disabled, or you are scanning some other OS, like Linux or Unix.

Q) What do I do if I can't crack the password ?
A) Go to another computer, or wait till you get the password.

Q) Is NetBIOS hacking legal ?
A) Obviously it is not; it is hacking, you got into the computer without the permission of the owner. And if you delete the files or anything at your school or college you can be fired; make sure you don't get caught.

Q) Do I have to enable my file and print sharing ?
A) Yes, you have to; if you don't enable your file and print sharing you can't communicate with the computer you are trying to access.


- Anish Shaikh.