Remote Network Penetration via NetBios Hack/Hacking

These are basic techniques but very useful when penetration testing any Windows based network, the techniques were discovered on WinNT but are still very valid on Windows2000 and in some cases Windows2003 due to backwards compatibility.

This article is being written in a procedural manner. I have approached it much like an intruder would actually approach a network penetration. Most of the techniques discussed in this text are rather easy to accomplish once one understands how and why something is being done.

When targetting a given network, the first thing an intruder would do, would be to portscan the remote machine or network. A lot of information can be gathered by a simple port scan but what the intruder is looking for is an open port 139 – the Default NetBios port. It’s surprising how methodical an attack can become based on the open ports of a target machine. You should understand that it is the norm for an NT machine to display different open ports than a Unix machine.

Intruders learn to view a portscan and tell wether it is an NT or Unix machine with fairly accurate results. Obviously there are some exceptions to this, but generally it can be done.

Recently, several tools have been released to fingerprint a machine remotely, but this functionality has not been made available for NT.

Information gathering with NetBIOS can be a fairly easy thing to accomplish, albeit a bit time consuming. NetBIOS is generally considered a bulky protocol with high overhead and tends to be slow, which is where the consumption of time comes in.

If the portscan reports that port 139 is open on the target machine, a natural process follows. The first step is to issue an NBTSTAT command.

The NBTSTAT command can be used to query network machines concerning NetBIOS information. It can also be useful for purging the NetBIOS cache and preloading the LMHOSTS file. This one command can be extremely useful when performing security audits.

Interpretation the information can reveal more than one might think.

Usage: nbtstat [-a RemoteName] [-A IP_address] [-c] [-n] [-R] [-r] [-S] [-s] [interval]

The column headings generated by NBTSTAT have the following meanings:

Here is a sample NBTSTAT response of my NT Box:

Unique (U): The name may have only one IP address assigned to it. On a network device, multiple occurences of a single name may appear to be registered, but the suffix will be unique, making the entire name unique.

Group (G): A normal group; the single name may exist with many IP addresses.

Multihomed (M): The name is unique, but due to multiple network interfaces on the same computer, this configuration is necessary to permit the registration. Maximum number of addresses is 25.

Internet Group (I): This is a special configuration of the group name used to manage WinNT domain names.

Domain Name (D): New in NT 4.0.

An intruder could use the table above and the output from an nbtstat against your machines to begin gathering information about them. With this information an intruder can tell, to an extent, what services are running on the target machine and sometimes what software packages have been installed. Traditionally, every service or major software package comes with it’s share of vulnerabilities, so this type of information is certainly useful to an intruder.

The next step for an intruder would be to try and list the open shares on the given computer, using the net view command, Here is an example of the net view command used against my box with the open shares C:\ and C:\MP3S\

This information would give the intruder a list of shares which he would then use in conjunction with the net use command, a command used to enable a computer to map a share to it’s local drive, below is an example of how an intruder would map the C Share to a local G: drive which he could then browse:

However, If the intruder was targetting a large network rather than a single remote computer, the next logical step would be to glean possible usernames from the remote machine.

A network login consists of two parts, a username and a password. Once an intruder has what he knows to be a valid list of usernames, he has half of several valid logins.

Now, using the nbtstat command, the intruder can get the login name of anyone logged on locally at that machine. In the results from the nbtstat command, entries with the <03> identifier are usernames or computernames. Gleaning usernames can also be accomplished through a null IPC session and the SID tools

The IPC$ (Inter-Process Communication) share is a standard hidden share on an NT machine which is mainly used for server to server communication. NT machines were designed to connect to each other and obtain different types of necessary information through this share. As with many design features in any operating system, intruders have learned to use this feature for their own purposes. By connecting to this share an intruder has, for all technical purposes, a valid connection to your server. By connecting to this share as null, the intruder has been able to establish this connection without providing it with credentials.

To connect to the IPC$ share as null, an intruder would issue the following command from a command prompt:

c:\>net use \\[ip address of target machine]\ipc$ "" /user:""

If the connection is successful, the intruder could do a number of things other than gleaning a user list, but lets start with that first. As mentioned earlier, this technique requires a null IPC session and the SID tools. Written by Evgenii Rudnyi, the SID tools come in two different parts, User2sid and Sid2user. User2sid will take an account name or group and give you the corresponding SID. Sid2user will take a SID and give you the name of the corresponding user or group. As a stand alone tool, this process is manual and very time consuming. is a perl script written by Mnemonix that will automate this process of SID grinding, which drastically cuts down on the time it would take an intruder to glean this information.

At this point, the intruder knows what services are running on the remote machine, which major software packages have been installed (within limits), and has a list of valid usernames and groups for that machine. Although this may seem like a ton of information for an outsider to have about your network, the null IPC session has opened other venues for information gathering. The Rhino9 team has been able to retrieve the entire native security policy for the remote machine.

Such things as account lockout, minimum password length, password age cycling, password uniqueness settings as well as every user, the groups they belong to and the individual domain restrictions for that user – all through a null IPC session. This information gathering ability will appear in Rhino9’s soon to be released Leviathan tool. Some of the tools available now that can be used to gather more information via the IPC null session will be discussed below.

With the null IPC session, an intruder could also obtain a list of network shares that may not otherwise be obtainable. For obvious reasons, an intruder would like to know what network shares you have available on your machines. For this information gathering, the standard net view command is used, as follows:

c:\>net view \\[ip address of remote machine]

Depending on the security policy of the target machine, this list may or may not be denied. Take the example below (ip address has been left out for obvious reasons):

As you can see, the list of shares on that server was not available until after the IPC null session had been established. At this point you may begin to realize just how dangerous this IPC connection can be, but the IPC techniques that are known to us now are actually very basic. The possibilities that are presented with the IPC share are just beginning to be explored.

Once this list of shares had been given, the intruder could then proceed to issue the net use commands as described above.

By By Mr. B10nde – Updated by Darknet

Posted in: Hacker Culture, Networking Hacking Tools, Windows Hacking

, , ,

Latest Posts:

Socialscan - Command-Line Tool To Check For Email And Social Media Username Usage Socialscan – Command-Line Tool To Check For Email And Social Media Username Usage
socialscan is an accurate command-line tool to check For email and social media username usage on online platforms, given an email address or username,
CFRipper - CloudFormation Security Scanning & Audit Tool CFRipper – CloudFormation Security Scanning & Audit Tool
CFRipper is a Python-based Library and CLI security analyzer that functions as an AWS CloudFormation security scanning and audit tool
CredNinja - Test Credential Validity of Dumped Credentials or Hashes CredNinja – Test Credential Validity of Dumped Credentials or Hashes
CredNinja is a tool to quickly test credential validity of dumped credentials (or hashes) across an entire network or domain very efficiently.
assetfinder - Find Related Domains and Subdomains assetfinder – Find Related Domains and Subdomains
assetfinder is a Go-based tool to find related domains and subdomains that are related to a given domain from a variety of sources including Facebook and more.
Karkinos - Beginner Friendly Penetration Testing Tool Karkinos – Beginner Friendly Penetration Testing Tool
Karkinos is a light-weight Beginner Friendly Penetration Testing Tool, which is basically a 'Swiss Army Knife' for pen-testing and/or hacking CTF's.
Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.

18 Responses to Remote Network Penetration via NetBios Hack/Hacking

  1. Dade Murphy September 7, 2006 at 7:28 am #

    ok ive been goin crazy trying this method that ive read on so many websites. but none of them ever solve my problem. im at a college dorm network and i keep getting a system 67 error whenever i try to use the “net use” command. im typin everthing write, im pretty sure anyway. but yeah im stuck and its drivin me nuts. anyhelp?

  2. Darknet September 7, 2006 at 7:57 am #

    Hi Dade, you should check out this System Error 67. Also note this wont always work if you are trying to map IPC$, also try C$ and D$.

  3. Dade Murphy September 7, 2006 at 8:23 am #

    ive actually went to that link mabe an hour or two before i posted my msg. im lookin at all those suggestions and they dont seem like they would help.

  4. Dade Murphy September 7, 2006 at 5:08 pm #

    hye now im just getting a system 53 when i try:
    net use c: \\$

  5. sammy September 8, 2006 at 4:47 pm #

    i always get same error whatever i do
    System error 53 has accoured

    The network path was not found..!!

    wat is this
    i m tryin to hack the same network in which i m present.!!
    wat should i do..!!

  6. kazem September 12, 2006 at 1:19 pm #

    i want e-book for netbios

  7. darin September 18, 2006 at 8:38 pm #

    it sounds cool, i have tried it but not much sucess keep getting error 67. can you all send me some more cool commands, or an e-book.


  8. SchiznaK October 2, 2006 at 10:00 am #

    just a question, if im trying to net use someone else, can i only do it to actual folders theyve shared over toe netowrk, and also whats the syntax if theres a space in the folder name

    net use m: \\1234.5678.9.0\SharedDocs —-This would work fine


    net use m: \\1234.5678.9.0\My Documents —-This wouldnt work, it

    just tells me the proper syntax of the command

  9. SchiznaK October 2, 2006 at 10:16 am #

    I solved that problem, well, i woked around it. Now i got one more query it says access denied when i try to access program files, but is there a way to get around this?

  10. bunora October 2, 2006 at 10:34 am #

    im on a linux machine, any equivalent commands ??

  11. Darknet October 2, 2006 at 7:35 pm #

    bunora: Check out Samba, smbclient

    If there’s a space in the name I believe you need to put quotes around the strong.

  12. quads October 13, 2006 at 6:18 pm #

    I sneak into user spaces provided by admin but am only able to see them see file only (not even read only)
    i cant open them Access denied query
    and not able to paste them on local drive source file in use query

    How to overcome this tiny little problem

  13. sikander November 1, 2006 at 1:35 pm #

    i using LAN cable i got tons of coputer alongwith opening port 139 but almost at every pc when i use the command net view \IP its give me error 123 whts the hell it tht plz help me wht should i do. either its security problem or anything other. Opss might i wirtten bit long but plz answer me

  14. psiren January 19, 2007 at 4:15 am #

    can any one help me about the system error 123??
    when i use the ipc$ then and when i use the net view [IP address]
    “system error 123 has accourred”

    what does this mean?

  15. mathan February 9, 2007 at 6:42 am #

    In my lab i have the ip address and gateway of in AB domain

    but in the same server in CD domain and gateway of

    in CD domain it has internet connection but in AB not have the internet connection

    i know the local system administrator password…. for that purticular system now i how to change my domain and how to make the net connection to that computer……?

  16. shakil ahmad haqani October 21, 2008 at 7:54 pm #

    this is good article for beginners…

  17. Sifiso December 15, 2008 at 2:44 pm #

    Hi There,

    I have read your article on NetBios attacks and have
    made an attempt to do it.

    I have gone as far as creating a drive on my PC to view the
    remote PC’s documents but, when i open it, it says the drive is not accessible.

    Please help, your co=operation will be appreciated.
    looking forward to hearing from you.


  18. spitfire14 January 17, 2009 at 2:04 am #

    host not found