Thursday, November 26, 2009

Net Bios

NetBIOS
Definition: NetBIOS is a software protocol for providing computer communication services on local networks. Microsoft Windows uses NetBIOS on Ethernet or Token Ring networks.
Software applications on a NetBIOS network locate each other via their NetBIOS names. A NetBIOS name is up to 16 characters long and in Windows, separate from the computer name. Applications on other computers access NetBIOS names over UDP port 137. The Windows Internet Naming Service (WINS) provides name resolution services for NetBIOS.
Two applications start a NetBIOS session when one (the client) sends a command to "Call" another (the server) over TCP port 139 on a remote computer. Both sides issue "Send" and "Receive" commands to deliver messages in both directions. The "Hang-Up" command terminates a NetBIOS session.
NetBIOS also supports connectionless communications via UDP datagrams. Applications listen on UDP port 138 to receive NetBIOS datagrams.
NetBIOS and NetBEUI are separate but related technologies. NetBEUI extends NetBIOS with additional networking capabilities.
Also Known As: Network Basic Input/Output System

Host name
A Windows machine's NetBIOS name is not to be confused with the computer's host name. Generally a computer running TCP/IP (whether it's a Windows machine or not) has a host name (also sometimes called a machine name or a DNS name). Generally the host name of a Windows computer is based on the NetBIOS name plus the Primary DNS Suffix, which are both set in the System Control Panel.
There may also be "connection specific suffixes" which can be viewed or changed on the DNS tab in Control Panel → Network → TCP/IP → Advanced Properties. Host names are used by applications such as telnet, ftp, web browsers, etc. In order to connect to a computer running the TCP/IP protocol using its HOST name, the host name must be resolved into an IP Address. Host name- or Fully Qualified Domain Name (FQDN)-IP address resolution is typically done by a Domain Name System (DNS) server.
Node types
The node type of a networked computer relates to the way it resolves NetBIOS names to IP addresses. There are four node types.
• B-node: 0x01 Broadcast
• P-node: 0x02 Peer (WINS only)
• M-node: 0x04 Mixed (broadcast, then WINS)
• H-node: 0x08 Hybrid (WINS, then broadcast)
The node type in use is displayed by opening a command line and typing ipconfig /all. A Windows computer registry may also be configured in such a way as to display "unknown" for the node type.
NetBIOS Suffixes
The NetBIOS suffix, alternately called the NetBIOS End Character (endchar) is the 16th character of a NetBIOS name. This character specifies the record or service type for the registered name record. The number of record types is limited to 255, the number that will fit into a single character. However in actual use the number of commonly used NetBIOS Suffixes is substantially smaller. The most common NetBIOS Suffixes:
ASCII Values of 16th characters of NetBIOS "names"
• 00: Workstation Service
• 03: Messenger Service
• 20: File Service (also called Host Record)
• 1B: Domain Master Browser - Primary Domain Controller for a domain
• 1C: Domain Controllers for a domain (group record with up to 25 IP addresses)
• 01: Master Browser
• 1E: Browser Service Elections

Remote Network Penetration via NetBios Hack/Hacking

These are basic techniques but very useful when penetration testing any Windows based network, the techniques were discovered on WinNT but are still very valid on Windows2000 and in some cases Windows2003 due to backwards compatibility.

This article is being written in a procedural manner. I have approached it much like an intruder would actually approach a network penetration. Most of the techniques discussed in this text are rather easy to accomplish once one understands how and why something is being done.

When targetting a given network, the first thing an intruder would do, would be to portscan the remote machine or network. A lot of information can be gathered by a simple port scan but what the intruder is looking for is an open port 139 – the Default NetBios port. It’s surprising how methodical an attack can become based on the open ports of a target machine. You should understand that it is the norm for an NT machine to display different open ports than a Unix machine.

Intruders learn to view a portscan and tell wether it is an NT or Unix machine with fairly accurate results. Obviously there are some exceptions to this, but generally it can be done.

Recently, several tools have been released to fingerprint a machine remotely, but this functionality has not been made available for NT.

Information gathering with NetBIOS can be a fairly easy thing to accomplish, albeit a bit time consuming. NetBIOS is generally considered a bulky protocol with high overhead and tends to be slow, which is where the consumption of time comes in.

If the portscan reports that port 139 is open on the target machine, a natural process follows. The first step is to issue an NBTSTAT command.

The NBTSTAT command can be used to query network machines concerning NetBIOS information. It can also be useful for purging the NetBIOS cache and preloading the LMHOSTS file. This one command can be extremely useful when performing security audits.

Interpretation the information can reveal more than one might think.

Usage: nbtstat [-a RemoteName] [-A IP_address] [-c] [-n] [-R] [-r] [-S] [-s] [interval]

Switches
   -a    Lists the remote computer's name table given its host name.
   -A    Lists the remote computer's name table given its IP address.
   -c    Lists the remote name cache including the IP addresses.
   -n    Lists local NetBIOS names.
   -r    Lists names resolved by broadcast and via WINS.
   -R    Purges and reloads the remote cache name table.
   -S    Lists sessions table with the destination IP addresses.
   -s    Lists sessions table conversions.

The column headings generated by NBTSTAT have the following meanings:

Input
     Number of bytes received.
Output
     Number of bytes sent.
In/Out
     Whether the connection is from the computer (outbound)
     or from another system to the local computer (inbound).
Life
     The remaining time that a name table cache entry will "live"
     before your computer purges it.
Local Name
     The local NetBIOS name given to the connection.
Remote Host
     The name or IP address of the remote host.
Type
     A name can have one of two types: unique or group.
     The last byte of the 16 character NetBIOS name often
     means something because the same name can be present
     multiple times on the same computer. This shows the last
     byte of the name converted into hex.
State
     Your NetBIOS connections will be shown in one of the
     following "states": 
 
State                   Meaning
 
Accepting         An incoming connection is in process.
 
Associated        The endpoint for a connection has been created
                      and your computer has associated it with an IP
                      address.
 
Connected         This is a good state! It means you're connected
                       to the remote resource.
 
Connecting        Your session is trying to resolve the name-to-IP
                       address mapping of the destination resource.
 
Disconnected      Your computer requested a disconnect, and it is
                        waiting for the remote computer to do so.
 
Disconnecting     Your connection is ending.
 
Idle              The remote computer has been opened in the current
                   session, but is currently not accepting connections.
 
Inbound           An inbound session is trying to connect.
 
Listening         The remote computer is available.
 
Outbound          Your session is creating the TCP connection.
 
Reconnecting      If your connection failed on the first attempt,
                        it will display this state as it tries to reconnect.

Here is a sample NBTSTAT response of my NT Box:

C:\>nbtstat -A 195.171.236.139
 
       NetBIOS Remote Machine Name Table
 
   Name               Type         Status
---------------------------------------------
MR_B10NDE      <00>  UNIQUE      Registered
WINSEKURE LABS <00>  GROUP       Registered
MR_B10NDE      <03>  UNIQUE      Registered
MR_B10NDE      <20>  UNIQUE      Registered
WINSEKURE LABS <1e>  GROUP       Registered
 
MAC Address = 44-45-53-54-00-00
 
Using the table below, what can you learn about the machine?
 
Name                   Number         Type           Usage
=========================================================================
        00             U              Workstation Service
        01             U              Messenger Service
<\\_MSBROWSE_> 01             G              Master Browser
        03             U              Messenger Service
        06             U              RAS Server Service
        1F             U              NetDDE Service
        20             U              File Server Service
        21             U              RAS Client Service
        22             U              Exchange Interchange
        23             U              Exchange Store
        24             U              Exchange Directory
        30             U              Modem Sharing Server Service
        31             U              Modem Sharing Client Service
        43             U              SMS Client Remote Control
        44             U              SMS Admin Remote Control Tool
        45             U              SMS Client Remote Chat
        46             U              SMS Client Remote Transfer
        4C             U              DEC Pathworks TCPIP Service
        52             U              DEC Pathworks TCPIP Service
        87             U              Exchange MTA
        6A             U              Exchange IMC
        BE             U              Network Monitor Agent
        BF             U              Network Monitor Apps
        03             U              Messenger Service
        00             G              Domain Name
        1B             U              Domain Master Browser
        1C             G              Domain Controllers
        1D             U              Master Browser
        1E             G              Browser Service Elections
        1C             G              Internet Information Server
 00            U              Internet Information Server
        [2B]           U              Lotus Notes Server
IRISMULTICAST  [2F]           G              Lotus Notes
IRISNAMESERVER [33]           G              Lotus Notes
Forte_$ND800ZA [20]           U              DCA Irmalan Gateway Service

Unique (U): The name may have only one IP address assigned to it. On a network device, multiple occurences of a single name may appear to be registered, but the suffix will be unique, making the entire name unique.

Group (G): A normal group; the single name may exist with many IP addresses.

Multihomed (M): The name is unique, but due to multiple network interfaces on the same computer, this configuration is necessary to permit the registration. Maximum number of addresses is 25.

Internet Group (I): This is a special configuration of the group name used to manage WinNT domain names.

Domain Name (D): New in NT 4.0.

An intruder could use the table above and the output from an nbtstat against your machines to begin gathering information about them. With this information an intruder can tell, to an extent, what services are running on the target machine and sometimes what software packages have been installed. Traditionally, every service or major software package comes with it’s share of vulnerabilities, so this type of information is certainly useful to an intruder.

The next step for an intruder would be to try and list the open shares on the given computer, using the net view command, Here is an example of the net view command used against my box with the open shares C:\ and C:\MP3S\

C:\>net view \\195.171.236.139
Shared resources at \\195.171.236.139
 
Sharename    Type         Comment
-----------------------------------------------------------------
C            Disk         Drive C:\
MP3S         Disk         My collection of MP3s
The command was completed successfully.

This information would give the intruder a list of shares which he would then use in conjunction with the net use command, a command used to enable a computer to map a share to it’s local drive, below is an example of how an intruder would map the C Share to a local G: drive which he could then browse:

C:\>net use G: \\195.171.236.139\C
The command was completed successfully.
 
C:\>G:
 
G:\>

However, If the intruder was targetting a large network rather than a single remote computer, the next logical step would be to glean possible usernames from the remote machine.

A network login consists of two parts, a username and a password. Once an intruder has what he knows to be a valid list of usernames, he has half of several valid logins.

Now, using the nbtstat command, the intruder can get the login name of anyone logged on locally at that machine. In the results from the nbtstat command, entries with the <03> identifier are usernames or computernames. Gleaning usernames can also be accomplished through a null IPC session and the SID tools

The IPC$ (Inter-Process Communication) share is a standard hidden share on an NT machine which is mainly used for server to server communication. NT machines were designed to connect to each other and obtain different types of necessary information through this share. As with many design features in any operating system, intruders have learned to use this feature for their own purposes. By connecting to this share an intruder has, for all technical purposes, a valid connection to your server. By connecting to this share as null, the intruder has been able to establish this connection without providing it with credentials.

To connect to the IPC$ share as null, an intruder would issue the following command from a command prompt:

c:\>net use \\[ip address of target machine]\ipc$ "" /user:""

If the connection is successful, the intruder could do a number of things other than gleaning a user list, but lets start with that first. As mentioned earlier, this technique requires a null IPC session and the SID tools. Written by Evgenii Rudnyi, the SID tools come in two different parts, User2sid and Sid2user. User2sid will take an account name or group and give you the corresponding SID. Sid2user will take a SID and give you the name of the corresponding user or group. As a stand alone tool, this process is manual and very time consuming. Userlist.pl is a perl script written by Mnemonix that will automate this process of SID grinding, which drastically cuts down on the time it would take an intruder to glean this information.

At this point, the intruder knows what services are running on the remote machine, which major software packages have been installed (within limits), and has a list of valid usernames and groups for that machine. Although this may seem like a ton of information for an outsider to have about your network, the null IPC session has opened other venues for information gathering. The Rhino9 team has been able to retrieve the entire native security policy for the remote machine.

Such things as account lockout, minimum password length, password age cycling, password uniqueness settings as well as every user, the groups they belong to and the individual domain restrictions for that user – all through a null IPC session. This information gathering ability will appear in Rhino9’s soon to be released Leviathan tool. Some of the tools available now that can be used to gather more information via the IPC null session will be discussed below.

With the null IPC session, an intruder could also obtain a list of network shares that may not otherwise be obtainable. For obvious reasons, an intruder would like to know what network shares you have available on your machines. For this information gathering, the standard net view command is used, as follows:

c:\>net view \\[ip address of remote machine]

Depending on the security policy of the target machine, this list may or may not be denied. Take the example below (ip address has been left out for obvious reasons):

C:\>net view \\0.0.0.0
System error 5 has occurred.
 
Access is denied.
 
C:\>net use \\0.0.0.0\ipc$ "" /user:""
The command completed successfully.
 
C:\>net view \\0.0.0.0
Shared resources at \\0.0.0.0
 
Share name   Type         Used as  Comment
 
---------------------------------------------------------------------
Accelerator  Disk                  Agent Accelerator share for Seagate backup
Inetpub      Disk
mirc         Disk
NETLOGON     Disk                  Logon server share
www_pages    Disk
The command completed successfully.

As you can see, the list of shares on that server was not available until after the IPC null session had been established. At this point you may begin to realize just how dangerous this IPC connection can be, but the IPC techniques that are known to us now are actually very basic. The possibilities that are presented with the IPC share are just beginning to be explored.


No comments:

Post a Comment

Search This Blog