By Solantis
How access is gained to a system running the NetBIOS
server service, and how to prevent it.
This guide was written so that everyone can understand why
they should not enable file/printer sharing, what these
services are vulnerable to, how they are attacked and how to
prevent it. **File/Printer sharing are services which run on
port 139 and are known as the NetBIOS session service. They
are used to allow access to local printers/files either in a
Local Area Network (LAN), a Wide Area Network (WAN) or even
over the Internet (WWW), i.e. to everyone.**
(NetBIOS is not a protocol – it is a programming standard,
with a 15-character naming convention.) Please correct me if
I am wrong. Firstly, I would like to explain to you the two
main vulnerabilities of file/printer sharing. They are:
- root access to a system
- DoS attack
--------------------------------------------------------------------------------
Note: "root access" means having superuser access to a
system. (If you have ever used a Linux system, you will know
what this means.) A superuser can control the system as
he/she likes. He/she has rights to all files/folders and
can delete, copy, move, upload and download files. He/she can
even change the permissions of files.
--------------------------------------------------------------------------------
Now moving on to how the system is accessed. It is very easy
to do this provided you have the means to do so. You will
need to do the following:
- Confirm that net.exe is installed on your system
- Make sure you logged onto the network
Now the application (net.exe) is a Windows application. To
find out if you've got it, type net at the MS-DOS prompt; if
the reply is "Bad command or file name" then it's not on your
system. If you get a list of options then you've got it. To
install it you'll have to go to your Network options in
Control Panel and click Add. Now click Service, and then
select File and printer sharing for Microsoft Networks.
Insert your Windows CD as prompted and then complete the
installation. Reboot and you've got it. Now when I say make
sure you are logged onto the network, I don't mean a local
network (like at home/office); I mean that when you use
Dial-Up Networking you should select the option "Log on to
network". To do this go to Dial-Up Networking and right-click
on your connection. Click on Server Types and check the box
which reads "Log on to network". Then connect. Now you're
ready to connect to any remote host that has sharing enabled.
Now you ask yourself, but how do you know if a system has
sharing enabled? Well, there are numerous ways to find out.
I'll give you two examples below:
- Port Scanning
- nbtstat (manually scan)
Port scanning is fairly simple. Download a port scanner and
start scanning. The sharing service by default runs on port
139. So if the scan reports 139 open then that means the
system has sharing enabled. Manual scanning can be done by
again using a Microsoft tool called "nbtstat.exe".
nbtstat.exe checks if the sharing service is enabled on a
system. At your MS-DOS prompt type nbtstat -a ip-address,
where ip-address is the remote system's IP address.
E.g. if you want to connect to 213.155.33.205, then you'll
type "nbtstat -a 213.155.33.205" (without the quotes). Now
if the system has sharing enabled then you'll get a table
which looks something like the one below:

Name                     Type        Status
-----------------------------------------------------------------------------
Host           <20>      UNIQUE      Registered
Hostbug        <00>      GROUP       Registered
Host machine   <03>      UNIQUE      Registered
-----------------------------------------------------------------------------
If you want to see your own name table just type nbtstat -n.
As we see in the table, the first column is the host name,
i.e. the share's name, and next to that is a figure. The
figures are listed below with their details:
00 Base computer name and Workgroups
01 Master Browser
03 Message Alert service (name of logged-in user)
20 Resource Sharing `server service` name
1B Domain master-browser name
1C Domain controller name
1E Domain/workgroup master browser election announcement
Value 20 is the one we are looking for. I won't get into the
other values (maybe some other time). If the system has
value 20 in its table then that means the system has sharing
enabled and is accessible. If the table only shows value 03
then you might as well forget it. And obviously, if you get
a reply from the host when typing "nbtstat -a ip-address"
saying that the host cannot be found, this also means that
the host hasn't got sharing enabled.
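Reading the name table by eye works for one host, but when you are checking your own machines for an exposed server service a small script is more reliable. The following is an added example, not part of the original guide: a Python parser for the text that nbtstat -a prints, which classifies each name by the suffix values listed above, reports whether the <20> (server service) name is registered, and notes which <03> name gives away a logged-in user. The two nbtstat outputs embedded in it are constructed samples, not captures from a real host, the column layout assumed is the standard Windows nbtstat layout, and the function and variable names are mine.

```python
import re

# Meaning of the NetBIOS name suffix (16th byte), as listed in the guide.
SUFFIX_MEANING = {
    "00": "Base computer name / workgroup",
    "01": "Master browser",
    "03": "Messenger service (logged-in user or computer name)",
    "20": "Resource sharing (server service)",
    "1B": "Domain master browser",
    "1C": "Domain controller",
    "1E": "Domain/workgroup browser election announcement",
}

# Constructed sample of `nbtstat -a` output for a host with sharing on.
# Made-up text for this example, not a capture from a real host.
SAMPLE_SHARING_ON = """\
Local Area Connection:
Node IpAddress: [192.0.2.10] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    HOST           <00>  UNIQUE      Registered
    HOST           <20>  UNIQUE      Registered
    HOSTBUG        <00>  GROUP       Registered
    HOST           <03>  UNIQUE      Registered
    ADMIN          <03>  UNIQUE      Registered

    MAC Address = 00-00-00-00-00-00
"""

# Constructed sample for a host that does not answer on the NetBIOS ports.
SAMPLE_NOT_FOUND = """\
Local Area Connection:
Node IpAddress: [192.0.2.10] Scope Id: []

    Host not found.
"""

# One table row: name, <suffix>, UNIQUE|GROUP, status.
ENTRY_RE = re.compile(
    r"^\s*(\S.*?)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$"
)


def parse_name_table(text):
    """Return (name, suffix, type, status) tuples from nbtstat output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            name, suffix, ntype, status = m.groups()
            entries.append((name.strip(), suffix.upper(), ntype, status))
    return entries


def audit(text):
    """Summarise what a remote nbtstat -a query reveals about a host."""
    entries = parse_name_table(text)
    report = {
        "entries": entries,
        "host_found": "Host not found" not in text and bool(entries),
        "sharing_exposed": False,
        "computer_name": None,
        "logged_in_users": [],
        "findings": [],
    }
    # The <00> UNIQUE name is the computer name; <00> GROUP is the workgroup.
    for name, suffix, ntype, _status in entries:
        if suffix == "00" and ntype == "UNIQUE":
            report["computer_name"] = name
    for name, suffix, ntype, status in entries:
        meaning = SUFFIX_MEANING.get(suffix, "unknown suffix")
        report["findings"].append(f"{name} <{suffix}> {ntype}: {meaning}")
        # A registered <20> name means the server service (file/printer
        # sharing) is reachable, the condition the guide warns about.
        if suffix == "20" and status == "Registered":
            report["sharing_exposed"] = True
        # A <03> UNIQUE name other than the computer name is a logged-in
        # user name, visible to anyone who can query the host.
        if suffix == "03" and ntype == "UNIQUE" and name != report["computer_name"]:
            report["logged_in_users"].append(name)
    return report


if __name__ == "__main__":
    for label, sample in (("sharing on", SAMPLE_SHARING_ON),
                          ("not found", SAMPLE_NOT_FOUND)):
        r = audit(sample)
        print(f"[{label}] host_found={r['host_found']} "
              f"sharing_exposed={r['sharing_exposed']} "
              f"users={r['logged_in_users']}")
        for finding in r["findings"]:
            print("   ", finding)
```

Feed it the saved output of nbtstat -a run against your own machines: after you remove the sharing service or put a firewall in front of port 139 (as described at the end of this guide), the <20> name should no longer appear and sharing_exposed should come back False.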
Now to get into the system. I'll explain the easy way first,
using a Graphical User Interface (GUI). All you have to do is
go to Start >> Run >> and type \\ip-address, e.g.
\\213.155.33.205. Once the system is connected it will open
up a window in front of you, on your desktop. This window
will display all the shares on the system and you can access
these shares as if you were browsing your own PC.
Note: Don't use too many of your host's resources or you're
going to drop his connection if he's on a 56k or slower line.
Now I will explain to you how to access the system through
DOS, using the net.exe application. You are going to create
a virtual drive so that the share you're accessing can be
mounted on it (temporarily). In MS-DOS type: net use
drive \\ip-address\sharename. Where drive is, type in the
drive letter you want the share mounted on; where ip-address
is, type in your host's IP; and where sharename is, type in
the share name which you got from the "nbtstat table". Once
you're done, all you have to do is make your virtual drive
your current drive. For example: you mounted your host's
shares on e:, so at the MS-DOS prompt just type e: to make
it your current working directory (cwd). Then you can
explore this drive as you like.
Note: Instead of a drive letter you can use * for the next
free drive. SYNTAX: < net use * \\ip-address\sharename >
One more note is that password protecting your shares won't
really help because there are various techniques to crack
these passwords.
I am not going to get into Denial of Service (DoS) in this
guide but it will be up shortly on the site. Just keep in
mind that port 139 is a target for DoS.
One way to protect yourself against this is to disable
sharing on your system. DUH! Delete File and printer
sharing for Microsoft Networks, and then reboot.
Another way is to use a firewall. I suggest you use the
firewall option rather than deleting the Microsoft service.
That's all for this guide. More on the way.
Credits
Error reporting should be directed to
solantis@darkside.za.net and please tell if I should add or
delete anything or if anything is missing.
solantis®2001 WHY ME ??