
How to Enumerate NetBIOS Shares with NBTScan & Nmap Scripting Engine « Null Byte :: WonderHowTo



NetBIOS is a service that enables communication over a network and is often used for joining domains and for connecting to legacy applications. It is an older technology, but it is still used in certain environments today. Because it is an insecure protocol, it can often be a good starting point when attacking a network. Scanning for NetBIOS shares with NBTScan and the Nmap Scripting Engine is a great way to start.

To demonstrate this technique, we use Metasploitable 2, a deliberately vulnerable virtual machine, as our target. We will attack it from Kali Linux, the go-to distro for hackers and pentesters.

Overview of NetBIOS

NetBIOS, which stands for Network Basic Input/Output System, is a service that allows computers to communicate over a network. Strictly speaking, NetBIOS is not a network protocol but an API. It runs over TCP/IP via NBT (NetBIOS over TCP/IP, defined in RFCs 1001 and 1002), which is what lets it work on modern networks.

NetBIOS provides two primary communication methods. The datagram service (UDP port 138) enables connectionless communication over a network, ideal for situations where fast delivery matters more than reliability, such as broadcasts and error notifications. The session service (TCP port 139), on the other hand, allows two computers to establish a connection for reliable communication. NetBIOS also provides a name service (UDP port 137) that handles name registration and resolution on the network; this is the service that NBTScan and Nmap's nbstat script query.

Related Reading: Network Protocols Handbook by Javvin Press

The primary way attackers abuse NetBIOS is through name-poisoning attacks, in which an attacker on the local network answers name queries on behalf of another machine in order to misdirect and intercept traffic. In the process, the attacker can also capture credential material from a user, such as NTLM challenge-response hashes, to crack later. The other use, and the subject of this guide, is enumeration: asking hosts for their NetBIOS name tables to learn host names, workgroups, and which machines offer file shares.

Scan with NBTScan

NBTScan is a command-line tool for scanning networks to obtain NetBIOS name and share information. It runs on both Unix and Windows and ships with Kali Linux by default.

The first thing we can do is print the help, which shows all the usage options and some example network scans. Just type nbtscan at the prompt with no arguments.

  nbtscan
  NBTscan version 1.5.1. Copyright (C) 1999-2003 Alla Bezroutchko.
This is a free software and it comes with absolutely no warranty.
You can use, distribute and modify it under terms of GNU GPL.

Usage:
nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename)|(<scan_range>)
    -v              verbose output. Print all names received
                    from each host
    -d              dump packets. Print whole packet contents.
    -e              Format output in /etc/hosts format.
    -l              Format output in lmhosts format.
                    Cannot be used with -v, -s or -h options.
    -t timeout      wait timeout milliseconds for response.
                    Default 1000.
    -b bandwidth    Output throttling. Slow down output
                    so that it uses no more than bandwidth bps.
                    Useful on slow links, so that outgoing queries
                    don't get dropped.
    -r              use local port 137 for scans. Win95 boxes
                    respond to this only.
                    You need to be root to use this option on Unix.
    -q              Suppress banners and error messages,
    -s separator    Script-friendly output. Don't print
                    column and record headers, separate fields with separator.
    -h              Print human-readable names for services.
                    Can only be used with -v option.
    -m retransmits  Number of retransmits. Default 0.
    -f filename     Take IP addresses to scan from file filename.
                    -f - makes nbtscan take IP addresses from stdin.
    <scan_range>    what to scan. Can either be single IP
                    like 192.168.1.1 or
                    range of addresses in one of two forms:
                    xxx.xxx.xxx.xxx/xx or xxx.xxx.xxx.xxx-xxx.
Examples:
    nbtscan -r 192.168.1.0/24
        Scans the whole C-class network.
    nbtscan 192.168.1.25-137
        Scans a range from 192.168.1.25 to 192.168.1.137
    nbtscan -v -s : 192.168.1.0/24
        Scans C-class network. Prints results in script-friendly
        format using colon as field separator.
        Produces output like this:
        192.168.0.1:NT_SERVER:00U
        192.168.0.1:MY_DOMAIN:00G
        192.168.0.1:ADMINISTRATOR:03U
        192.168.0.2:OTHER_BOX:00U
        ...
    nbtscan -f iplist
        Scans IP addresses specified in file iplist.

The most basic way to run the tool is to give it an IP address or a range of addresses. In this case, there is only one machine on the network, so I will give its IP address as an example.

  nbtscan 172.16.1.102
  Doing NBT name scan for addresses from 172.16.1.102

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
172.16.1.102     METASPLOITABLE   <server>  METASPLOITABLE   00:00:00:00:00:00

Here we can see the IP address, the NetBIOS name, the <server> marker (shown when the host registers the File Server Service name, i.e. it offers shares), the logged-on user, and the MAC address of the target. Note that machines running Samba will often return all zeros as the MAC address in response to the query.

We can get more information by enabling verbose output with the -v flag.

  nbtscan 172.16.1.102 -v
  Doing NBT name scan for addresses from 172.16.1.102

NetBIOS Name Table for Host 172.16.1.102:

Incomplete packet, 335 bytes long.
Name             Service          Type
----------------------------------------
METASPLOITABLE   <00>             UNIQUE
METASPLOITABLE   <03>             UNIQUE
METASPLOITABLE   <20>             UNIQUE
METASPLOITABLE   <00>             UNIQUE
METASPLOITABLE   <03>             UNIQUE
METASPLOITABLE   <20>             UNIQUE
__MSBROWSE__     <01>             GROUP
WORKGROUP        <00>             GROUP
WORKGROUP        <1d>             UNIQUE
WORKGROUP        <1e>             GROUP
WORKGROUP        <00>             GROUP
WORKGROUP        <1d>             UNIQUE
WORKGROUP        <1e>             GROUP

Adapter address: 00:00:00:00:00:00
----------------------------------------

We can see the registered names, their service suffixes, and whether each is a UNIQUE or GROUP name. The hex suffixes are a bit cryptic, which leads us to the next option: printing the services in human-readable form. Use the -h flag together with the -v option.

  nbtscan 172.16.1.102 -vh
  Doing NBT name scan for addresses from 172.16.1.102

NetBIOS Name Table for Host 172.16.1.102:

Incomplete packet, 335 bytes long.
Name             Service          Type
----------------------------------------
METASPLOITABLE   Workstation Service
METASPLOITABLE   Messenger Service
METASPLOITABLE   File Server Service
METASPLOITABLE   Workstation Service
METASPLOITABLE   Messenger Service
METASPLOITABLE   File Server Service
__MSBROWSE__     Master Browser
WORKGROUP        Domain Name
WORKGROUP        Master Browser
WORKGROUP        Browser Service Elections
WORKGROUP        Domain Name
WORKGROUP        Master Browser
WORKGROUP        Browser Service Elections

Adapter address: 00:00:00:00:00:00
----------------------------------------

Now we can see more useful information: the <20> File Server Service entry tells us the host is sharing files, and the <00> GROUP entry gives the workgroup name. We can also set the -d flag to dump the contents of the entire packet.

  nbtscan 172.16.1.102 -d
  Doing NBT name scan for addresses from 172.16.1.102

Packet dump for Host 172.16.1.102:

Incomplete packet, 335 bytes long.
Transaction ID: 0x00a0 (160)
Flags: 0x8400 (33792)
Question count: 0x0000 (0)
Answer count: 0x0001 (1)
Name service count: 0x0000 (0)
Additional record count: 0x0000 (0)
Question name: CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Question type: 0x0021 (33)
Question class: 0x0001 (1)
Time to live: 0x00000000 (0)
Rdata length: 0x0119 (281)
Number of names: 0x0d (13)
Names received:
METASPLOITABLE   Service: 0x00 Flags: 0x0004
METASPLOITABLE   Service: 0x03 Flags: 0x0004
METASPLOITABLE   Service: 0x20 Flags: 0x0004
METASPLOITABLE   Service: 0x00 Flags: 0x0004
METASPLOITABLE   Service: 0x03 Flags: 0x0004
METASPLOITABLE   Service: 0x20 Flags: 0x0004
__MSBROWSE__     Service: 0x01 Flags: 0x0084
WORKGROUP        Service: 0x00 Flags: 0x0084
WORKGROUP        Service: 0x1d Flags: 0x0004
WORKGROUP        Service: 0x1e Flags: 0x0084
WORKGROUP        Service: 0x00 Flags: 0x0084
WORKGROUP        Service: 0x1d Flags: 0x0004
WORKGROUP        Service: 0x1e Flags: 0x0084

...

This shows the raw fields of the reply to our query: the header (transaction ID, flags, record counts), the question name (the wildcard name * in NetBIOS first-level encoding, which is why it appears as CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA), the NBSTAT record type 0x21, and then each registered name with its service suffix and flags. Note that -d cannot be combined with the -v or -h options.
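The exchange that the -d dump is showing, re-implemented as an added example (this is not code from the original article or from NBTScan): it builds the RFC 1002 node status request that NBTScan sends to UDP/137, parses the reply into names, suffixes and flags, and maps suffixes to the same service descriptions that -h prints. The SUFFIX_NAMES table, the summarize() helper and the sample_response() reply are this example's own constructions, not a capture from the page's target; query_host() needs network access and is the only function not exercised by the sample.

```python
"""Minimal NetBIOS name-service (NBNS) node status client: what NBTScan does per host.

Added example, not part of NBTScan or the original article. Wire format per RFC 1002;
SUFFIX_NAMES and the sample reply below are this example's own constructions.
"""
import socket
import struct

NBNS_PORT = 137
NBSTAT = 0x21  # "node status" record type (Question type 0x0021 in the -d dump)

# (suffix, is_group) -> description, matching the names nbtscan -h prints
SUFFIX_NAMES = {
    (0x00, False): "Workstation Service",
    (0x00, True): "Domain Name",
    (0x01, True): "Master Browser",
    (0x03, False): "Messenger Service",
    (0x06, False): "RAS Server Service",
    (0x1B, False): "Domain Master Browser",
    (0x1C, True): "Domain Controllers",
    (0x1D, False): "Master Browser",
    (0x1E, True): "Browser Service Elections",
    (0x20, False): "File Server Service",
}


def encode_first_level(name: bytes, suffix: int = 0x00, pad: bytes = b" ") -> bytes:
    """RFC 1001 first-level encoding: 15-byte padded name + 1-byte suffix, each byte split
    into two nibbles written as 'A'..'P'. The wildcard '*' is NUL-padded, which is why the
    query name in the dump reads CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA."""
    raw = name.ljust(15, pad)[:15] + bytes([suffix])
    return bytes(b for byte in raw for b in (0x41 + (byte >> 4), 0x41 + (byte & 0x0F)))


def build_node_status_query(txid: int = 0x00A0) -> bytes:
    """NBSTAT query for the wildcard name '*': 12-byte header, one question, no answers."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = bytes([32]) + encode_first_level(b"*", pad=b"\x00") + b"\x00"
    return header + qname + struct.pack(">HH", NBSTAT, 0x0001)


def parse_node_status_response(pkt: bytes) -> dict:
    """Decode the reply: each entry is 15 bytes of name, 1 byte suffix, 2 bytes flags
    (bit 15 = group, bit 10 = active); the statistics block after them starts with the MAC."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a node status response")
    off = 12
    while pkt[off]:  # skip the encoded answer-name labels
        off += 1 + pkt[off]
    off += 1
    rtype, _rclass, _ttl, _rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
    off += 10
    if rtype != NBSTAT:
        raise ValueError(f"unexpected record type 0x{rtype:04x}")
    count, off = pkt[off], off + 1
    names = []
    for _ in range(count):
        raw, suffix = pkt[off:off + 15], pkt[off + 15]
        (nflags,) = struct.unpack(">H", pkt[off + 16:off + 18])
        off += 18
        is_group = bool(nflags & 0x8000)
        names.append({"name": raw.rstrip(b" \x00").decode("latin-1"), "suffix": suffix,
                      "group": is_group, "active": bool(nflags & 0x0400),
                      "service": SUFFIX_NAMES.get((suffix, is_group), "unknown")})
    mac = pkt[off:off + 6]  # Samba reports all zeros here
    return {"txid": txid, "names": names, "mac": ":".join(f"{b:02x}" for b in mac)}


def summarize(result: dict) -> dict:
    """Condense a reply into nbtscan's table columns: name, server, user, workgroup, MAC."""
    def names(suffix, group):
        return [n["name"] for n in result["names"] if n["suffix"] == suffix and n["group"] == group]
    host = next(iter(names(0x00, False)), None)
    users = [u for u in names(0x03, False) if u != host]
    return {"name": host, "workgroup": next(iter(names(0x00, True)), None),
            "server": bool(names(0x20, False)),  # <20> = File Server Service present
            "user": users[0] if users else None, "mac": result["mac"]}


def query_host(ip: str, timeout: float = 1.0) -> dict:
    """Send the query over UDP/137 and parse the reply (needs network access)."""
    query = build_node_status_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (ip, NBNS_PORT))
        data, _ = s.recvfrom(2048)
    result = parse_node_status_response(data)
    if result["txid"] != struct.unpack(">H", query[:2])[0]:
        raise ValueError("transaction id mismatch")
    return result


def sample_response(txid: int = 0x00A0) -> bytes:
    """Constructed Samba-style reply mirroring the article's output; not a real capture."""
    entries = [(b"METASPLOITABLE", 0x00, 0x0400), (b"METASPLOITABLE", 0x03, 0x0400),
               (b"METASPLOITABLE", 0x20, 0x0400), (b"\x01\x02__MSBROWSE__\x02", 0x01, 0x8400),
               (b"WORKGROUP", 0x00, 0x8400), (b"WORKGROUP", 0x1D, 0x0400), (b"WORKGROUP", 0x1E, 0x8400)]
    rdata = bytes([len(entries)])
    for name, suffix, nflags in entries:
        rdata += name.ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += bytes(46)  # all-zero MAC followed by a zeroed statistics block
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    rrname = bytes([32]) + encode_first_level(b"*", pad=b"\x00") + b"\x00"
    return header + rrname + struct.pack(">HHIH", NBSTAT, 1, 0, len(rdata)) + rdata


if __name__ == "__main__":
    for n in parse_node_status_response(sample_response())["names"]:
        print(f"{n['name']:<16} <{n['suffix']:02x}>  {'GROUP' if n['group'] else 'UNIQUE'}  {n['service']}")
```

The flags NBTScan prints (0x0004, 0x0084) are the high byte of the 16-bit NAME_FLAGS field, so 0x84 is group + active and 0x04 is a unique, active B-node name. The same query_host() probe doubles as a post-hardening check: once NetBIOS over TCP/IP is disabled on a host, it should time out rather than answer.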

If you have a list of IP addresses to scan stored in a file, the -f flag specifies the input file to read from. In this case, there is only one machine on the network, so that is all that shows up in our scan.

  nbtscan -f addresses.txt
  Doing NBT name scan for addresses from addresses.txt

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
172.16.1.102     METASPLOITABLE   <server>  METASPLOITABLE   00:00:00:00:00:00

Conversely, if we want to store the result of any scan, we simply redirect the output to the file we want to write to. For output that other tools will consume, the -s option from the help above prints one record per line with a separator of your choice instead of the human-readable table.

  nbtscan 172.16.1.102 > scan.txt

Scanning with Nmap Scripting Engine

Nmap includes a handy little script, nbstat, as part of the Nmap Scripting Engine that we can also use to enumerate NetBIOS names. This has the advantage that it can be chained with other NSE scripts (for example the smb-* scripts) in a single run, which saves time when enumerating many different things on a network.

We run Nmap in the usual way and add the nbstat script at the end. Here I use the -sV option to probe open ports for the running services and their versions, along with the -v flag for verbose output. Specify the script with --script and it's good to go.

  nmap -sV 172.16.1.102 --script nbstat.nse -v
  Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-14 14:12 CST
NSE: Loaded 44 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:12
Completed NSE at 14:12, 0.00s elapsed
Initiating NSE at 14:12
Completed NSE at 14:12, 0.00s elapsed
Initiating ARP Ping Scan at 14:12
Scanning 172.16.1.102 [1 port]
Completed ARP Ping Scan at 14:12, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:12
Completed Parallel DNS resolution of 1 host. at 14:12, 13.00s elapsed
Initiating SYN Stealth Scan at 14:12
Scanning 172.16.1.102 [1000 ports]

...

Host script results:
| nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   METASPLOITABLE<00>           Flags: <unique><active>
|   METASPLOITABLE<03>           Flags: <unique><active>
|   METASPLOITABLE<20>           Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>                Flags: <group><active>
|   WORKGROUP<1d>                Flags: <unique><active>
|_  WORKGROUP<1e>                Flags: <group><active>

Nmap starts and runs the usual scan, and near the end we see the host script results. This looks much like the scan we ran earlier with NBTScan, but it never hurts to know more than one way to perform the same task. Keep in mind that both tools return NetBIOS names, not the share list itself: the <20> File Server Service entry tells you the host is offering shares, which you can then list with Nmap's smb-enum-shares script or with smbclient -L.
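One way to make use of that chaining, as an added example that is not code from Nmap or the original article: run nbstat together with the smb-* scripts on a whole range with -oX - and parse the XML report, so that hosts advertising the File Server Service can be picked out for share enumeration. The XML layout is Nmap's standard -oX format and the nbstat text parsed here is the format shown above; SAMPLE_XML is a constructed document (not a real scan capture), and run_nmap() assumes nmap is installed and is not used by the sample.

```python
"""Chain nbstat with other NSE scripts and parse Nmap's XML report.

Added example, not part of Nmap or the original article. SAMPLE_XML is constructed
to mirror the article's target; it is not a real capture.
"""
import re
import subprocess
import xml.etree.ElementTree as ET

# nbstat's text output, as printed under "Host script results:"
NBSTAT_HEADER = re.compile(
    r"NetBIOS name: (?P<name>[^,]+), NetBIOS user: (?P<user>[^,]+), NetBIOS MAC: (?P<mac>\S+)")
NBSTAT_NAME = re.compile(
    r"^\s*(?P<name>\S+)<(?P<suffix>[0-9a-f]{2})>\s+Flags: (?P<flags>\S+)", re.M)


def parse_nbstat(output: str) -> dict:
    """Turn nbstat's text into host name, user, MAC and (name, suffix, flags) tuples."""
    head = NBSTAT_HEADER.search(output)
    if not head:
        raise ValueError("no nbstat header in script output")
    names = [(m["name"], int(m["suffix"], 16), m["flags"]) for m in NBSTAT_NAME.finditer(output)]
    return {"name": head["name"], "user": head["user"], "mac": head["mac"], "names": names}


def parse_nmap_xml(xml_text: str) -> list:
    """One record per host that is up: address, open TCP ports, host-script outputs, parsed nbstat."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        open_ports = sorted(int(p.get("portid")) for p in host.iter("port")
                            if p.find("state").get("state") == "open")
        scripts = {s.get("id"): s.get("output", "")
                   for hs in host.iter("hostscript") for s in hs.iter("script")}
        hosts.append({"addr": addr.get("addr") if addr is not None else None,
                      "open_ports": open_ports, "scripts": scripts,
                      "nbstat": parse_nbstat(scripts["nbstat"]) if "nbstat" in scripts else None})
    return hosts


def file_servers(hosts: list) -> list:
    """Addresses that registered a unique <20> name, i.e. candidates for smb-enum-shares."""
    return [h["addr"] for h in hosts if h["nbstat"] and any(
        sfx == 0x20 and "<unique>" in flags for _, sfx, flags in h["nbstat"]["names"])]


def run_nmap(targets, scripts=("nbstat", "smb-os-discovery", "smb-enum-shares")) -> list:
    """Assumes nmap is installed; -oX - writes the XML report to stdout."""
    cmd = ["nmap", "-sV", "--script", ",".join(scripts), "-oX", "-", *targets]
    proc = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return parse_nmap_xml(proc.stdout)


# Constructed sample report; &#xa; is how Nmap keeps newlines inside the output attribute.
SAMPLE_XML = r"""<nmaprun scanner="nmap" args="nmap -sV --script nbstat,smb-os-discovery -oX - 172.16.1.0/24" version="7.70">
<host><status state="up" reason="arp-response"/>
<address addr="172.16.1.102" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn" product="Samba smbd"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="netbios-ssn" product="Samba smbd"/></port>
<port protocol="tcp" portid="8080"><state state="closed"/></port>
</ports>
<hostscript>
<script id="nbstat" output="NetBIOS name: METASPLOITABLE, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: &lt;unknown&gt; (unknown)&#xa;Names:&#xa;  METASPLOITABLE&lt;00&gt;  Flags: &lt;unique&gt;&lt;active&gt;&#xa;  METASPLOITABLE&lt;03&gt;  Flags: &lt;unique&gt;&lt;active&gt;&#xa;  METASPLOITABLE&lt;20&gt;  Flags: &lt;unique&gt;&lt;active&gt;&#xa;  \x01\x02__MSBROWSE__\x02&lt;01&gt;  Flags: &lt;group&gt;&lt;active&gt;&#xa;  WORKGROUP&lt;00&gt;  Flags: &lt;group&gt;&lt;active&gt;&#xa;  WORKGROUP&lt;1d&gt;  Flags: &lt;unique&gt;&lt;active&gt;&#xa;  WORKGROUP&lt;1e&gt;  Flags: &lt;group&gt;&lt;active&gt;"/>
<script id="smb-os-discovery" output="&#xa;  OS: Unix (Samba 3.0.20-Debian)&#xa;  Computer name: metasploitable&#xa;  Domain name: localdomain"/>
</hostscript>
</host>
<host><status state="down" reason="no-response"/><address addr="172.16.1.103" addrtype="ipv4"/></host>
</nmaprun>
"""

if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_XML):
        print(h["addr"], h["open_ports"], h["nbstat"]["name"], h["nbstat"]["names"])
    print("file servers:", file_servers(parse_nmap_xml(SAMPLE_XML)))
```

The scripts dict keeps every host script's raw output, so the same pass can read smb-os-discovery or smb-enum-shares results without a second scan; run_nmap() is the only piece that touches the network.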

How to Prevent NetBIOS Enumeration

Fortunately for administrators, there is a fairly simple way to protect against unauthorized scanning of NetBIOS shares: disable NetBIOS over TCP/IP. There are scenarios where disabling it can break things, for example older programs that depend on it entirely, but more often there are better alternatives and it is possible to turn it off. Where it must stay on, block UDP ports 137 and 138 and TCP port 139 at network boundaries so that name queries and session traffic cannot reach it from untrusted networks, and verify the change by repeating the scans above from an untrusted segment.

If you absolutely need NetBIOS enabled, be aware of the default share names. On Windows, the administrative shares C$ and ADMIN$ exist by default and are well known to attackers, so they should be disabled where possible. The flip side for hackers is that you know exactly which names to look for.

Wrapping Up

In this guide, we learned about the NetBIOS service and how it can be abused in an attack. We scanned for open shares with NBTScan, a simple command-line tool, and then learned how to use an Nmap script to do the same. NetBIOS may be an older technology, but it still exists in enterprise environments today. It can often be a good jumping-off point after recon, so it's good to know how to identify it.

More information about NetBIOS: 'Inside NetBIOS' by J. Scott Haugdahl

Cover image by Brett Sayles / Pexels
