How access is gained over a system running the netBIOS server service
and how to prevent it.
This guide was written so that everyone can understand why they should
not enable file/printer sharing, what these services are vulnerable
to, how they are attacked and how to prevent it. **File/printer sharing
are services which run on port 139 and are known as the NetBIOS session
service. They are used to allow access to local printers/files either
in a Local Area Network (LAN), a Wide Area Network (WAN) or even the
Internet (WWW, world wide network), i.e. everyone.** (NetBIOS is not a
protocol; it is a standard for programming, with a 15-character naming
convention.) Please correct me if I am wrong. Firstly, I would like
to explain to you the two main vulnerabilities of file/printer sharing.
They are:
- root access to a system
- DoS attack
Note: "root access" means having superuser access to a system. (If you
have ever used a Linux system, you will know what this means.) A superuser
can control the system as he/she likes. He/she has rights to all the
files/folders and can delete, copy, move, upload and download files. He/she
can even change the permissions of files.
Now moving on to how the system is accessed. It is very easy to do
this provided you have the means to do so. You will need to do the following:
- Confirm that net.exe is installed on your system
- Make sure you are logged onto the network
Now the application (net.exe) is a Windows application. To find out
if you've got it, type net in MS-DOS; if the echo is "Bad command
or file name" then it's not on your system. If you get a list of options
then you've got it. To install it you'll have to go to your network
options in Control Panel and then click Add. Now click Services, and
then select File and printer sharing for Microsoft Networks. Insert
your Windows CD as prompted and then complete the installation. Reboot
and you've got it. Now when I say make sure you are logged onto the network,
I don't mean a local network (like at home/office); I mean that
when you use Dial-up Networking you should select the option "Log
on to network". To do this go to Dial-up Networking and right-click on
your connection. Click on Server Types and check the box which reads
"Log on to network". Then connect. Now you're ready to connect to any
remote host that has sharing enabled. Now you ask yourself, but how
do you know if a system has sharing enabled? Well, there are numerous
ways to find out. I'll give you two examples below:
- Port scanning
- nbtstat (manual scan)
Port scanning is fairly simple. Download a port scanner and start
scanning. The sharing service by default runs on port 139. So if the
scan echoes 139 open then that means the system has sharing enabled.
Manual scanning can be done by again using a Microsoft tool called
"nbtstat.exe". nbtstat.exe checks if the sharing service is enabled
on a system. At your MS-DOS prompt type nbtstat -a `ip-address`, where
`ip-address` is the remote system's IP address. E.g. if you
want to connect to 213.155.33.205, then you'll type "nbtstat -a 213.155.33.205"
(without the quotes). Now if the system has sharing enabled then you'll
get a table which looks something like the one below:

| Name              | Type   | Status     |
|-------------------|--------|------------|
| Host <20>         | UNIQUE | Registered |
| Hostbug <00>      | GROUP  | Registered |
| Host machine <03> | UNIQUE | Registered |
If you want to see your own sharing table, just type nbtstat -n.
As we see in the table, there is the host name, i.e. the share's name, and
next to that is a figure. The following figures are given below with
their details:
- 00: Base computer name and workgroups
- 01: Master browser
- 03: Message alert service (name of logged-in user)
- 20: Resource sharing (server service) name
- 1B: Domain master browser name
- 1C: Domain controller name
- 1E: Domain/workgroup master browser election announcement
Value 20 is the one we are looking for. I won't get into the other values
(maybe some other time). If the system has value 20 in its table then
that means the system has sharing enabled and is accessible. If
the table only shows value 03 then you might as well forget it. And
obviously, if you get a reply from the host when typing "nbtstat
-a ip-address" that the host cannot be found, that also means
the host hasn't got sharing enabled.
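To audit your own machine, the following added Python script (not from the original guide) parses the name table that `nbtstat -n` prints and reports whether the `<20>` server-service name is registered, which is the sign of exposed file/printer sharing described above. The nbtstat output it parses is constructed sample text, and the suffix descriptions are the ones listed in this guide.

```python
import re

# Constructed sample of "nbtstat -n" output, modelled on the table shown in this guide.
SAMPLE_SHARING = """\
       NetBIOS Local Name Table
   Name               Type         Status
---------------------------------------------
   HOST           <00>  UNIQUE      Registered
   WORKGROUP      <00>  GROUP       Registered
   HOST           <20>  UNIQUE      Registered
   HOST           <03>  UNIQUE      Registered
"""
# Constructed sample where only the base name and messenger name are registered.
SAMPLE_NO_SHARING = """\
   Name               Type         Status
---------------------------------------------
   HOST           <00>  UNIQUE      Registered
   HOST           <03>  UNIQUE      Registered
"""
# Suffix meanings as listed in the guide (hex suffix -> description).
SUFFIX_MEANINGS = {
    "00": "base computer name / workgroup", "01": "master browser",
    "03": "messenger service (logged-in user)", "20": "server service (file/printer sharing)",
    "1B": "domain master browser", "1C": "domain controller",
    "1E": "master browser election announcement",
}
# One table row: name, <hex suffix>, UNIQUE|GROUP, status.
ROW_RE = re.compile(r"^\s*(\S.*?)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$", re.M)

def parse_name_table(text):
    """Return (name, suffix, type, status) tuples for each row of nbtstat output."""
    return [(n, s.upper(), t, st) for n, s, t, st in ROW_RE.findall(text)]

def sharing_exposed(entries):
    """True when the <20> server-service name is registered, i.e. the host
    offers shares over the NetBIOS session service on port 139."""
    return any(s == "20" and st.lower() == "registered" for _, s, _, st in entries)

def describe(entries):
    """One human-readable line per row, using the guide's suffix table."""
    return [f"{n}<{s}> {t}: {SUFFIX_MEANINGS.get(s, 'unknown suffix')}"
            for n, s, t, _ in entries]

if __name__ == "__main__":
    rows = parse_name_table(SAMPLE_SHARING)
    print("\n".join(describe(rows)))
    print("file/printer sharing exposed:", sharing_exposed(rows))
```

On a real machine, pipe the output of `nbtstat -n` into `parse_name_table` instead of the constructed sample; a registered `<20>` entry means the host is offering shares and should be firewalled or have the service removed.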
Now to get into the system. I'll explain the easy way first, using
a Graphical User Interface (GUI). All you have to do is go to Start
>> Run >> and type \\ip-address, e.g. \\213.155.33.205. Once
the system is connected it will open up a window in front of you, on
your desktop. This window will display all the shares on the system
and you can access these shares as if you're browsing on your own PC.
Note: Don't use too many resources of your host, else you're going to
drop his connection if he's on a 56k or slower line.
Now I will explain to you how to access the system through
DOS, using the net.exe application. Now you are going to create a
virtual drive so that the share you're accessing can be mounted on it
(temporarily). Now in MS-DOS type: net use drive \\ip-address\sharename.
Where it says drive, type in the drive you want the share to be mounted
on; where it says ip-address, type in your host's IP; and where it says sharename,
type in the share name which you got from the "nbtstat table". Once
you're done, all you have to do is make your virtual drive your current
drive. For example: you mounted your host's shares on e:, then at the
MS-DOS prompt just type e: and make it your current working directory (cwd). Then
you can explore this drive as you like.
Note: Instead of drive you can use * for the next free drive. Syntax:
net use * \\ip-address\sharename
One more note is that password protecting your shares won't really
help because there are various techniques to crack these passwords.
I am not going to get into the Denial of Service (DoS) attack in this guide
but it will be up shortly on the site. Just keep in mind that port
139 is a victim of DoS.
To protect yourself against this, either disable sharing on
your system (DUH!) by deleting File and printer sharing for Microsoft
Networks and then rebooting, or use a firewall. I
suggest you use the firewall option rather than deleting the Microsoft
service. That's all for this guide. More on the way.