GulfTech Computers - Professional Computer Services  

NetBIOS Vulnerabilities

The Basics


NetBIOS (Network Basic Input/Output System) was originally conceived by IBM and Sytek as an Application Programming Interface (API) that lets client software access LAN resources. It has since been adopted as an industry standard, and network applications now use it for inter-application communication and data transfer. In a basic sense, NetBIOS allows applications to talk to the network.

A computer is open to NetBIOS if that computer has port 139 open. All "File and Printer Sharing" on a Windows machine runs over this port. Quite a few users on the Internet leave their hard disks exposed on this port. This is one of the first ports hackers want to connect to, and the port that many firewalls and some ISPs block. Port 139 is primarily used by the SMB browser service that fills in the information behind the "Network Neighborhood" icon on your Windows desktop.

Now that you know a little bit about NetBIOS, we can start checking whether or not your network(s) are vulnerable. To do this, scan the network or a range of IPs to see which hosts have port 139 open. I recommend LAN Scan, NetCat, or Nmap. Of course there is a wealth of programs out there, so find the one that best suits your needs. Once you have finished scanning the network and have found vulnerable IPs and PCs on the LAN, you can start trying to gain access to these machines. First, open your Start menu and click "Run". Inside the "Run" prompt type:

\\xxx.xxx.xxx.xxx

Obviously you have to replace xxx.xxx.xxx.xxx with the IP or name of the targeted machine. If successful, this will open a window showing the contents of the target's NetBIOS shares. You may now view, download, and in most cases upload and delete files and other documents on the targeted computer. If this does not happen and a password box pops up, then you are relatively safe. However, it is possible for an intruder to brute force the login information using a number of programs such as SMBgrind and PQwak. Most programs of this nature will ask for the IP address and share name. The share name is the name of the password-protected folder, for example C$.

Now I will give a brief explanation of null sessions (no password or username) and how attackers use them to gain unauthorized access. Inter-Process Communication is used for data sharing between applications and computers. We will be looking at the Windows NT default IPC$ share, which is used for communication between computers. This share is what we use to start to gain access to the target. Before we start, we need to look at the NET commands for the console in NT. The net commands that we will be using are "net use" and "net view". Now open the console and pick out your target. Make sure that it is an NT system with port 139 open, or you will be wasting your time. Then type one of the following. TARGET is the name or IP of the computer, for example \\192.168.0.1\IPC$ or \\JAYSCOMPUTER\IPC$. By the way, you can test the connection by entering "NET USE \\TARGET\IPC$".

Example 1>     NET USE \\TARGET\IPC$ * /USER:
Example 2>     NET USE \\TARGET\IPC$ * /USER:""
Example 3>     NET USE \\TARGET\IPC$ "" /USER:""
Example 4>     NET USE \\TARGET\IPC$ * /U:
Example 5>     NET USE \\TARGET\IPC$ * /U:""
Example 6>     NET USE \\TARGET\IPC$ "" /U:""

The command varies a little bit on different versions of NT, so you may want to try all of the examples if one doesn't work for you. If entered correctly, you will be prompted with something similar to the following:

Type the password for \\TARGET\IPC$:

All you do here is hit the "Enter" key. If done correctly, and you are able to connect to the IPC$ share via a null session, you will see something similar to the following:

The command completed successfully.

Now open up Windows Explorer or the Run prompt and type \\TARGET\IPC$, and you will be connected to the IPC$ share. A surprisingly large number of Windows machines also have Administrator accounts with null passwords. If you find a machine on your network with a null admin account, you are in trouble. I will go into more detail about that, and about how to prevent null sessions and more, at a later date. Thanks for reading.

JeiAr
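
A defender's view of the null session shown above, as an added example that is not part of the original article: the Python code below reads a constructed CSV export of Windows Security events and groups anonymous network logons (event 4624, logon type 3) and anonymous IPC$ access (event 5140) by source address. The flat CSV layout, the column names and the sample rows are assumptions made for this example.

```python
import csv
import io
from collections import defaultdict

ANONYMOUS_SID = "S-1-5-7"  # well-known SID of the ANONYMOUS LOGON account

# Constructed sample data, not real logs. The flat CSV layout and column
# names are assumptions for this example; adapt them to your own export.
SAMPLE_EVENTS = r"""TimeCreated,EventID,UserSid,UserName,LogonType,IpAddress,ShareName
2024-05-01T10:00:01,4624,S-1-5-7,ANONYMOUS LOGON,3,192.0.2.15,
2024-05-01T10:00:02,5140,S-1-5-7,ANONYMOUS LOGON,,192.0.2.15,\\*\IPC$
2024-05-01T10:03:40,4624,S-1-5-21-1111-2222-3333-1104,jsmith,3,192.0.2.20,
2024-05-01T10:03:41,5140,S-1-5-21-1111-2222-3333-1104,jsmith,,192.0.2.20,\\*\IPC$
2024-05-01T10:07:12,4624,S-1-5-21-1111-2222-3333-1104,jsmith,2,,
2024-05-01T10:09:55,5140,S-1-5-7,ANONYMOUS LOGON,,198.51.100.7,\\*\IPC$
"""


def is_null_session(ev):
    """Return True for an anonymous network logon or anonymous IPC$ access."""
    anonymous = (ev["UserSid"] == ANONYMOUS_SID
                 or ev["UserName"].upper() == "ANONYMOUS LOGON")
    if not anonymous:
        return False
    if ev["EventID"] == "4624":          # successful logon
        return ev["LogonType"] == "3"    # 3 = network logon (SMB, net use)
    if ev["EventID"] == "5140":          # network share object accessed
        return ev["ShareName"].upper().endswith("IPC$")
    return False


def null_sessions_by_source(csv_text):
    """Group null-session events by source IP as (time, event id) tuples."""
    hits = defaultdict(list)
    for ev in csv.DictReader(io.StringIO(csv_text)):
        if is_null_session(ev):
            source = ev["IpAddress"] or "unknown"
            hits[source].append((ev["TimeCreated"], ev["EventID"]))
    return dict(hits)


if __name__ == "__main__":
    for source, events in sorted(null_sessions_by_source(SAMPLE_EVENTS).items()):
        print(f"{source}: {len(events)} null-session event(s)")
        for when, event_id in events:
            print(f"  {when}  event {event_id}")
```

Anonymous logons also occur in normal Windows networking, so the output is a list of sources to review against what is expected on your LAN.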




© Copyright 2002 - GulfTech Computers, All Rights Reserved