The Basics
NetBIOS (Network Basic Input/Output System) was originally conceived by IBM and Sytek as an
Application Programming Interface (API) that lets client software access LAN resources.
It has since been adopted as an industry standard, and it gives network applications a way to
communicate with each other and transfer data over the network. In a basic sense, NetBIOS
allows applications to talk to the network.
A computer is open to NetBIOS if it has port 139 open. All "File and Printer Sharing" on a
Windows machine runs over this port. Quite a few users on the Internet leave their hard disks
exposed on this port. It is one of the first ports hackers want to connect to, and one that
many firewalls and some ISPs block. Port 139 is primarily used by the SMB browser service that
fills in the information behind the "Network Neighborhood" icon on your Windows desktop.
Now that you know a little about NetBIOS, we can start checking whether or not your network(s)
are vulnerable. For this you need to scan the network, or a range of IPs, to see who has port 139
open. I recommend LAN Scan, NetCat, or Nmap; of course there is a wealth of programs out there,
so find one that best suits your needs. Once you have finished scanning the network and have
found vulnerable IPs and PCs on the LAN, you can start trying to gain access to these machines.
First open your Start menu and click "Run". Inside the "Run" prompt type:
\\xxx.xxx.xxx.xxx
Obviously you have to replace xxx.xxx.xxx.xxx with the IP address or name of the targeted machine.
If successful, this will open a window showing the contents of the target's NetBIOS shares.
You may now view, download, and in most cases upload and delete files and other documents on the
targeted computer. If this does not happen and a password box pops up, then you are relatively safe.
However, it is possible for an intruder to brute force the login information using a number of programs
such as SMBgrind and PQwak. Most programs of this nature will ask for the IP address and share name.
The share name is the name of the password-protected folder, for example C$.
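The scanning step above is also how you audit your own LAN for machines that answer on the NetBIOS port before anyone else finds them. The following is an added example, not code from the original text: it parses Nmap's "grepable" (-oG) output format into an inventory and lists the hosts with port 139 (or 445, used by later Windows versions for SMB) open. The scan output embedded in it is constructed for illustration and the addresses and host names are placeholders.

```python
"""Turn Nmap 'grepable' (-oG) output into an inventory of hosts exposing
NetBIOS/SMB ports, so an administrator can see which machines on the LAN
answer on 139 (and 445) before anyone else does.

Added example; not part of the original text. The scan output below is
constructed for illustration and the addresses are placeholders.
"""
import re

# Ports the article is concerned with: 139 (NetBIOS session service) and
# 445 (direct-hosted SMB on later Windows versions).
SMB_PORTS = {139, 445}

# Constructed sample of `nmap -p139,445 -oG -` output (not a real scan).
SAMPLE_NMAP_GREPABLE = """\
# Nmap scan initiated (constructed sample)
Host: 192.168.0.1 (fileserver.local)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (0)
Host: 192.168.0.2 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///
Host: 192.168.0.3 (laptop)\tPorts: 139/open/tcp//netbios-ssn///, 445/closed/tcp//microsoft-ds///
Host: 192.168.0.4 ()\tStatus: Down
# Nmap done (constructed sample)
"""

# One -oG port entry: port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")


def parse_grepable(text):
    """Return {host_ip: {port: state}} for every host line that lists ports."""
    inventory = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")          # -oG separates sections with tabs
        host = fields[0].split()[1]         # "Host: <ip> (<name>)" -> <ip>
        ports = {}
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for port, state, proto, _service in PORT_RE.findall(field):
                    if proto == "tcp":
                        ports[int(port)] = state
        if ports:                           # hosts reported Down have no ports
            inventory[host] = ports
    return inventory


def exposed_smb_hosts(inventory):
    """Hosts with at least one NetBIOS/SMB port in the 'open' state, sorted."""
    return sorted(host for host, ports in inventory.items()
                  if any(ports.get(p) == "open" for p in SMB_PORTS))


if __name__ == "__main__":
    inv = parse_grepable(SAMPLE_NMAP_GREPABLE)
    for host in exposed_smb_hosts(inv):
        open_ports = [p for p in sorted(inv[host]) if inv[host][p] == "open"]
        print(f"{host}: open {open_ports}")
```

Feed it the output of a real scan of your own address range (`nmap -p139,445 -oG - <range>`) and every host it lists is one whose shares are reachable from wherever the scan ran; those are the machines to put behind a filter or to check for null-password shares first.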
Now I will give a brief explanation of null sessions (no password or username) and how attackers use them to gain unauthorized access.
Inter-Process Communication (IPC) is used for data sharing between applications and computers. We will be looking
at the default IPC$ share in Windows NT, which is used for communication between computers. This share is what we use to
start gaining access to the target. Before we start, we will look at the NET commands for the console in NT; the ones
we will be using are "net use" and "net view". Now open the console and pick out your target. Make sure that it is an
NT system with port 139 open or you will be wasting your time. Then type one of the following, where TARGET is the name
or IP of the computer, for example \\192.168.0.1\IPC$ or \\JAYSCOMPUTER\IPC$. By the way, you can test the connection
by entering "NET USE \\TARGET\IPC$".
Example 1> NET USE \\TARGET\IPC$ * /USER:
Example 2> NET USE \\TARGET\IPC$ * /USER:""
Example 3> NET USE \\TARGET\IPC$ "" /USER:""
Example 4> NET USE \\TARGET\IPC$ * /U:
Example 5> NET USE \\TARGET\IPC$ * /U:""
Example 6> NET USE \\TARGET\IPC$ "" /U:""
The command varies a little between versions of NT, so you may want to try all of the examples if one doesn't work
for you. If done correctly, you will be prompted with something similar to the following:
Type the password for \\TARGET\IPC$:
All you do here is hit the "Enter" key. If you are able to connect to IPC$ via a null session, you will then see
something similar to the following:
The command completed successfully.
Now open up Windows Explorer or the Run prompt and type \\TARGET\IPC$, and you will be connected to the IPC$
share. A surprisingly large number of Windows machines also have Administrator accounts with null passwords.
If you find a machine on your network with a null admin account, you are in trouble. I will go into more
detail about that, and about how to prevent null sessions and more, at a later date. Thanks for reading.
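Seen from the server being connected to, the null session above leaves a recognisable trace: a network logon (Logon Type 3) by the built-in ANONYMOUS LOGON account and, where share auditing is on, an access to the IPC$ share by that account. The following is an added example, not part of the original text, that scans Security log records for that trace and also for the pattern the closing paragraph warns about, a source that opens a null session and then logs on over the network with a real account such as Administrator. It assumes the event IDs and field names of current Windows versions (4624 for a logon, 5140 for a share access), not the NT-era numbers; the records it contains are constructed and the addresses and names are placeholders.

```python
"""Flag null-session activity in Windows Security log records.

Added example, not part of the original text. Assumes current Windows
event IDs/field names (4624 logon, 5140 share access). The records below
are constructed; hosts, accounts and addresses are placeholders.
"""

ANONYMOUS = "ANONYMOUS LOGON"

# Constructed records in the field layout the Security log uses (not real).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON",
     "TargetDomainName": "NT AUTHORITY", "IpAddress": "192.168.0.77"},
    {"EventID": 5140, "SubjectUserName": "ANONYMOUS LOGON",
     "ShareName": "\\\\*\\IPC$", "IpAddress": "192.168.0.77"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "alice",
     "TargetDomainName": "CORP", "IpAddress": "192.168.0.10"},
    {"EventID": 5140, "SubjectUserName": "alice",
     "ShareName": "\\\\*\\Public", "IpAddress": "192.168.0.10"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "Administrator",
     "TargetDomainName": "FILESERVER", "IpAddress": "127.0.0.1"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "Administrator",
     "TargetDomainName": "FILESERVER", "IpAddress": "192.168.0.77"},
]


def is_null_session_logon(ev):
    """4624 network logon (type 3) by ANONYMOUS LOGON: the null session itself."""
    return (ev.get("EventID") == 4624 and ev.get("LogonType") == 3
            and ev.get("TargetUserName", "").upper() == ANONYMOUS)


def is_anonymous_ipc_access(ev):
    """5140 access to the IPC$ share by ANONYMOUS LOGON."""
    return (ev.get("EventID") == 5140
            and ev.get("SubjectUserName", "").upper() == ANONYMOUS
            and ev.get("ShareName", "").upper().endswith("\\IPC$"))


def find_null_sessions(events):
    """Return (source_ip, reason) findings, one per source and reason."""
    findings, seen = [], set()
    for ev in events:
        reason = None
        if is_null_session_logon(ev):
            reason = "anonymous network logon (4624)"
        elif is_anonymous_ipc_access(ev):
            reason = "anonymous IPC$ access (5140)"
        if reason:
            key = (ev.get("IpAddress"), reason)
            if key not in seen:
                seen.add(key)
                findings.append(key)
    return findings


def null_session_then_named_logon(events):
    """Sources that opened a null session and later logged on over the
    network as a named account: (source_ip, account) pairs, in log order."""
    null_sources, hits = set(), []
    for ev in events:
        ip = ev.get("IpAddress")
        if is_null_session_logon(ev) or is_anonymous_ipc_access(ev):
            null_sources.add(ip)
        elif (ev.get("EventID") == 4624 and ev.get("LogonType") == 3
              and ip in null_sources):
            hits.append((ip, ev.get("TargetUserName")))
    return hits


if __name__ == "__main__":
    for ip, reason in find_null_sessions(SAMPLE_EVENTS):
        print(f"null session from {ip}: {reason}")
    for ip, account in null_session_then_named_logon(SAMPLE_EVENTS):
        print(f"{ip} followed a null session with a network logon as {account}")
```

Type 3 logons by ANONYMOUS LOGON are not all hostile (some legacy browsing traffic produces them), so the second function is the more useful alert: a source that enumerates over a null session and then authenticates as a real account is exactly the sequence the text describes, and the account name it reports tells you which password to look at first.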
JeiAr