How to list NetBIOS shares using the NBTScan and Nmap Script Engine

NetBIOS is a service that provides network connectivity and is often used for joining a domain and by legacy applications. It is a rather old technology, but it is still used in some software environments. And since it is an unprotected protocol, it is quite often the starting point for an attack on a network. A good first step is to enumerate NetBIOS shares using NBTScan and the Nmap Scripting Engine.

To accomplish this task, our target machine will be Metasploitable 2, a virtual machine with intentionally created vulnerabilities. We will attack it from Kali Linux, a distribution for hackers and pentesters.


    NetBIOS Overview

    NetBIOS stands for "Network Basic Input/Output System". It is a service that allows computers to communicate with each other over a network. Strictly speaking, NetBIOS is not a network protocol but an API. It runs on top of TCP/IP using the NBT protocol (NetBIOS over TCP/IP), which is what allows it to work in modern networks.

    NetBIOS provides two basic methods of communication. The datagram service lets hosts exchange messages over the network without establishing a connection, which is ideal when fast delivery matters more than reliability, for example when reporting errors. The session service, on the other hand, lets two computers establish a connection for more reliable communication. NetBIOS also provides name services, which handle name resolution and name registration on the network.

    The main way hackers exploit NetBIOS is through poisoning attacks. Their essence is that an attacker who is already on the network impersonates another machine in order to intercept and redirect traffic. At that point the hacker can also capture hashed user credentials and later try to crack them.

    Scan using NBTScan

    NBTScan is a command-line tool for scanning networks for NetBIOS shared resources and name information. It runs on both Unix and Windows and is included in the standard Kali Linux distribution by default.

    The first thing we can do is print the help text, which gives an overview of all its options and a few examples of scanning networks. Just type nbtscan in the terminal.

    nbtscan
    NBTscan version 1.5.1. Copyright (C) 1999-2003 Alla Bezroutchko.
    This is a free software and it comes with absolutely no warranty.
    You can use, distribute and modify it under terms of GNU GPL.
    
    Usage:
    nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename)|()
     -v  verbose output. Print all names received
       from each host
     -d  dump packets. Print whole packet contents.
     -e  Format output in /etc/hosts format.
     -l  Format output in lmhosts format.
       Cannot be used with -v, -s or -h options.
     -t timeout wait timeout milliseconds for response.
       Default 1000.
     -b bandwidth Output throttling. Slow down output
       so that it uses no more that bandwidth bps.
       Useful on slow links, so that ougoing queries
       don't get dropped.
     -r  use local port 137 for scans. Win95 boxes
       respond to this only.
       You need to be root to use this option on Unix.
     -q  Suppress banners and error messages,
     -s separator Script-friendly output. Don't print
       column and record headers, separate fields with separator.
     -h  Print human-readable names for services.
       Can only be used with -v option.
     -m retransmits Number of retransmits. Default 0.
     -f filename Take IP addresses to scan from file filename.
       -f - makes nbtscan take IP addresses from stdin.
      what to scan. Can either be single IP
       like 192.168.1.1 or
       range of addresses in one of two forms:
       xxx.xxx.xxx.xxx/xx or xxx.xxx.xxx.xxx-xxx.
    Examples:
     nbtscan -r 192.168.1.0/24
      Scans the whole C-class network.
     nbtscan 192.168.1.25-137
      Scans a range from 192.168.1.25 to 192.168.1.137
     nbtscan -v -s : 192.168.1.0/24
      Scans C-class network. Prints results in script-friendly
      format using colon as field separator.
      Produces output like that:
      192.168.0.1:NT_SERVER:00U
      192.168.0.1:MY_DOMAIN:00G
      192.168.0.1:ADMINISTRATOR:03U
      192.168.0.2:OTHER_BOX:00U
      ...
     nbtscan -f iplist
      Scans IP addresses specified in file iplist.
    The simplest (and most basic) way to run this great tool is to give it a range of IP addresses. In our case there is only one computer on the network, so we will give its IP address as an example.
    nbtscan 172.16.1.102
    IP address       NetBIOS Name     Server    User             MAC address
    ------------------------------------------------------------------------------
    172.16.1.102     METASPLOITABLE     METASPLOITABLE   00:00:00:00:00:00
    Here we see the IP address, the NetBIOS name, the server name (if any), the logged-in user and the MAC address of the target. Note that machines running Samba sometimes return an all-zero MAC address in response to such a request.
    We can get a little more information if we set the verbose -v flag.
    nbtscan 172.16.1.102 -v
    Doing NBT name scan for addresses from 172.16.1.102
    
    NetBIOS Name Table for Host 172.16.1.102:
    
    Incomplete packet, 335 bytes long.
    Name             Service          Type
    ----------------------------------------
    METASPLOITABLE   <00>             UNIQUE
    METASPLOITABLE   <03>             UNIQUE
    METASPLOITABLE   <20>             UNIQUE
    METASPLOITABLE   <00>             UNIQUE
    METASPLOITABLE   <03>             UNIQUE
    METASPLOITABLE   <20>             UNIQUE
    __MSBROWSE__  <01>              GROUP
    WORKGROUP        <00>              GROUP
    WORKGROUP        <1d>             UNIQUE
    WORKGROUP        <1e>              GROUP
    WORKGROUP        <00>              GROUP
    WORKGROUP        <1d>             UNIQUE
    WORKGROUP        <1e>              GROUP
    
    Adapter address: 00:00:00:00:00:00
    ----------------------------------------
    In this case we see the registered names with their service suffixes and an indication of their type (UNIQUE or GROUP). This jumble brings us to the next use case, which prints the services in a readable form. To do this, use the -h flag together with the -v flag.
    nbtscan 172.16.1.102 -vh
    Doing NBT name scan for addresses from 172.16.1.102
    
    NetBIOS Name Table for Host 172.16.1.102:
    
    Incomplete packet, 335 bytes long.
    Name             Service          Type
    ----------------------------------------
    METASPLOITABLE   Workstation Service
    METASPLOITABLE   Messenger Service
    METASPLOITABLE   File Server Service
    METASPLOITABLE   Workstation Service
    METASPLOITABLE   Messenger Service
    METASPLOITABLE   File Server Service
    __MSBROWSE__  Master Browser
    WORKGROUP        Domain Name
    WORKGROUP        Master Browser
    WORKGROUP        Browser Service Elections
    WORKGROUP        Domain Name
    WORKGROUP        Master Browser
    WORKGROUP        Browser Service Elections
    
    Adapter address: 00:00:00:00:00:00
    ----------------------------------------
    Now we see a bit more information that may be useful to us. We can also set the -d flag to dump the contents of the entire packet.
    nbtscan 172.16.1.102 -d
    Doing NBT name scan for addresses from 172.16.1.102
    
    Packet dump for Host 172.16.1.102:
    
    Incomplete packet, 335 bytes long.
    Transaction ID: 0x00a0 (160)
    Flags: 0x8400 (33792)
    Question count: 0x0000 (0)
    Answer count: 0x0001 (1)
    Name service count: 0x0000 (0)
    Additional record count: 0x0000 (0)
    Question name:  CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    Question type: 0x0021 (33)
    Question class: 0x0001 (1)
    Time to live: 0x00000000 (0)
    Rdata length: 0x0119 (281)
    Number of names: 0x0d (13)
    Names received:
    METASPLOITABLE    Service: 0x00 Flags: 0x0004
    METASPLOITABLE    Service: 0x03 Flags: 0x0004
    METASPLOITABLE    Service: 0x20 Flags: 0x0004
    METASPLOITABLE    Service: 0x00 Flags: 0x0004
    METASPLOITABLE    Service: 0x03 Flags: 0x0004
    METASPLOITABLE    Service: 0x20 Flags: 0x0004
    __MSBROWSE__   Service: 0x01 Flags: 0x0084
    WORKGROUP         Service: 0x00 Flags: 0x0084
    WORKGROUP         Service: 0x1d Flags: 0x0004
    WORKGROUP         Service: 0x1e Flags: 0x0084
    WORKGROUP         Service: 0x00 Flags: 0x0084
    WORKGROUP         Service: 0x1d Flags: 0x0004
    WORKGROUP         Service: 0x1e Flags: 0x0084
    
    ...
    This command shows us the raw contents of the reply packet returned for this request: the header fields, the encoded wildcard question name, the answer record and the name table with each name's service suffix and flags. Note that this option cannot be combined with the -v or -h options.
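    As an added example that is not part of the original post and not nbtscan's own code, the Python below builds a constructed node status reply with the same layout as the -d dump above (transaction ID 0x00a0, flags 0x8400, one answer of type 0x0021, 13 names, rdata length 281) and decodes it back into the name table, applying the same suffix-to-service mapping that -h prints for the -v table. The packet bytes are constructed, not captured, and the name flags are assumed to be in RFC 1002 wire order (0x0400 active unique, 0x8400 active group), of which the dump's 0x0004 and 0x0084 are the byte-swapped display.

```python
import struct

# Suffix byte + UNIQUE/GROUP -> service name, the mapping nbtscan -h applies to the -v table above.
SERVICES = {
    (0x00, "UNIQUE"): "Workstation Service", (0x00, "GROUP"): "Domain Name",
    (0x01, "GROUP"): "Master Browser", (0x03, "UNIQUE"): "Messenger Service",
    (0x1D, "UNIQUE"): "Master Browser", (0x1E, "GROUP"): "Browser Service Elections",
    (0x20, "UNIQUE"): "File Server Service",
}
# CONSTRUCTED name table mirroring the nbtscan -d dump above, using wire-order NAME_FLAGS
# (0x0400 = active unique, 0x8400 = active group; the dump prints these byte-swapped).
DUMP_NAMES = [("METASPLOITABLE", 0x00, 0x0400), ("METASPLOITABLE", 0x03, 0x0400),
              ("METASPLOITABLE", 0x20, 0x0400)] * 2 + [("\x01\x02__MSBROWSE__\x02", 0x01, 0x8400)] + [
              ("WORKGROUP", 0x00, 0x8400), ("WORKGROUP", 0x1D, 0x0400), ("WORKGROUP", 0x1E, 0x8400)] * 2

def encode_wildcard_name() -> bytes:
    """First-level encode the '*' name: each nibble + 'A' gives the 'CKAAAA...A' label in the dump."""
    raw = b"*" + b"\x00" * 15
    label = b"".join(bytes([(b >> 4) + 0x41, (b & 0xF) + 0x41]) for b in raw)
    return bytes([len(label)]) + label + b"\x00"

def build_reply(names, txid=0x00A0) -> bytes:
    """Build a node status reply (RFC 1002 4.2.18): header, echoed question name, one answer RR."""
    rdata = bytes([len(names)])
    for name, suffix, flags in names:            # each entry: 15-byte name, suffix byte, 16-bit flags
        rdata += name.ljust(15).encode("latin-1") + bytes([suffix]) + struct.pack(">H", flags)
    rdata += b"\x00" * 46   # statistics block; its first 6 bytes are the unit ID (MAC), all zero here
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)      # response bit set, 1 answer
    answer = struct.pack(">HHIH", 0x0021, 0x0001, 0, len(rdata))   # type NBSTAT, class IN, TTL 0
    return header + encode_wildcard_name() + answer + rdata

def parse_reply(pkt: bytes) -> dict:
    """Decode a node status reply into the fields nbtscan -d prints."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or an != 1:
        raise ValueError("not a NetBIOS name service response with one answer")
    pos = 12 + 1 + pkt[12] + 1                   # skip the length byte, encoded name and terminator
    rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[pos:pos + 10])
    if rtype != 0x0021:
        raise ValueError(f"answer type {rtype:#06x} is not NBSTAT")
    count, pos = pkt[pos + 10], pos + 11
    table = []
    for _ in range(count):
        entry, pos = pkt[pos:pos + 18], pos + 18
        name = entry[:15].decode("latin-1").rstrip()
        suffix, nflags = entry[15], struct.unpack(">H", entry[16:18])[0]
        kind = "GROUP" if nflags & 0x8000 else "UNIQUE"   # G bit is the top bit of NAME_FLAGS
        table.append((name, suffix, kind, SERVICES.get((suffix, kind), "Unknown")))
    mac = ":".join(f"{b:02x}" for b in pkt[pos:pos + 6])
    return {"txid": txid, "rdlen": rdlen, "names": table, "mac": mac}
```

    Running parse_reply(build_reply(DUMP_NAMES)) reproduces the 13-entry table, the all-zero MAC and the rdata length of 281 seen in the dump; the same decoder can be pointed at UDP/137 traffic captured on a monitored segment to spot node status sweeps.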
    If you want to scan a list of IP addresses stored in a file, use the -f flag to pass that file as input; nbtscan reads the addresses from it. In our case there is only one computer on the network, so the scan shows only that one host.
    nbtscan -f addresses.txt
    Doing NBT name scan for addresses from addresses.txt
    
    IP address       NetBIOS Name     Server    User             MAC address
    ------------------------------------------------------------------------------
    172.16.1.102     METASPLOITABLE     METASPLOITABLE   00:00:00:00:00:00
    Conversely, if you want to save the results of any scan, just redirect the output to a file by appending > and the file name to the end of the command.
    nbtscan 172.16.1.102 > scan.txt

    Scan Using Nmap Scripting Engine


    Nmap, as part of the Nmap Scripting Engine (NSE), has one very handy little script that we can also use to enumerate NetBIOS shared resources. This method has a slight advantage over the previous one: it can be run alongside other NSE scripts, which ultimately saves time when you want to discover many different things on the network at once.
    We run Nmap in the usual way, and the nbstat script runs at the end, with its results shown in the Host script results section. Here we use the -sV option to probe ports, running services and their versions, as well as the -v flag for verbose output. Specify the script you want to use, and we are ready to go.
    nmap -sV 172.16.1.102 --script nbstat.nse -v
    Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-14 14:12 CST
    NSE: Loaded 44 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating NSE at 14:12
    Completed NSE at 14:12, 0.00s elapsed
    Initiating NSE at 14:12
    Completed NSE at 14:12, 0.00s elapsed
    Initiating ARP Ping Scan at 14:12
    Scanning 172.16.1.102 [1 port]
    Completed ARP Ping Scan at 14:12, 0.05s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 14:12
    Completed Parallel DNS resolution of 1 host. at 14:12, 13.00s elapsed
    Initiating SYN Stealth Scan at 14:12
    Scanning 172.16.1.102 [1000 ports]
    
    ...
    
    Host script results:
    | nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: , NetBIOS MAC:  (unknown)
    | Names:
    |   METASPLOITABLE<00>   Flags: 
    |   METASPLOITABLE<03>   Flags: 
    |   METASPLOITABLE<20>   Flags: 
    |   \x01\x02__MSBROWSE__\x02<01>  Flags: 
    |   WORKGROUP<00>        Flags: 
    |   WORKGROUP<1d>        Flags: 
    |_  WORKGROUP<1e>        Flags: 
    Nmap starts its usual scan, and towards the end we finally see the results of the script. These are similar to the scan results we obtained earlier, but it never hurts to know that there are different ways to perform the same task.

    How to prevent scanning of shared NetBIOS resources

    Fortunately for administrators, there is a fairly simple way to protect against unauthorized scanning of NetBIOS shared resources, namely disabling NetBIOS itself. There are situations where disabling it can cause malfunctions, for example when some obsolete application depends on it completely, but in most cases those obsolete applications already have more modern replacements and disabling NetBIOS will do no harm. If you absolutely need NetBIOS, then beware of using default names. In some versions of Windows, C$ and ADMIN$ are well-known names and should be avoided if possible.

    Conclusion

    In this lesson we learned about the NetBIOS service and how it can be used in an attack. Using NBTScan, a simple console tool, we scanned for and listed shared resources, and then saw how to use the Nmap nbstat script for the same purpose. NetBIOS may be an obsolete technology, but it is still found in corporate environments. And often, after reconnaissance, exploiting it can be a good starting point, so it is helpful to know how it can be identified.

