{"id":329,"date":"2006-09-01T05:12:39","date_gmt":"2006-09-01T05:12:39","guid":{"rendered":"https:\/\/www.darknet.org.uk\/2006\/09\/remote-network-penetration-via-netbios-hackhacking\/"},"modified":"2015-09-09T19:40:37","modified_gmt":"2015-09-09T11:40:37","slug":"remote-network-penetration-via-netbios-hackhacking","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2006\/09\/remote-network-penetration-via-netbios-hackhacking\/","title":{"rendered":"Remote Network Penetration via NetBios Hack\/Hacking"},"content":{"rendered":"

These are basic techniques, but very useful when penetration testing any Windows-based network. The techniques were discovered on WinNT but are still very valid on Windows 2000 and, in some cases, Windows 2003 due to backwards compatibility.<\/p>\n

This article is being written in a procedural manner. I have approached it much like an intruder would actually approach a network penetration. Most of the techniques discussed in this text are rather easy to accomplish once one understands how and why something is being done.<\/p>\n

When targeting a given network, the first thing an intruder would do is portscan the remote machine or network. A lot of information can be gathered by a simple port scan, but what the intruder is looking for is an open port 139, the default NetBIOS port. It’s surprising how methodical an attack can become based on the open ports of a target machine. You should understand that it is the norm for an NT machine to display different open ports than a Unix machine.<\/p>\n

Intruders learn to view a portscan and tell whether it is an NT or Unix machine with fairly accurate results. Obviously there are some exceptions to this, but generally it can be done.<\/p>\n

Recently, several tools have been released to fingerprint a machine remotely, but this functionality has not been made available for NT.<\/p>\n

Information gathering with NetBIOS can be a fairly easy thing to accomplish, albeit a bit time consuming. NetBIOS is generally considered a bulky protocol with high overhead and tends to be slow, which is where the consumption of time comes in.<\/p>\n

If the portscan reports that port 139 is open on the target machine, a natural process follows. The first step is to issue an NBTSTAT command.<\/p>\n

The NBTSTAT command can be used to query network machines concerning NetBIOS information. It can also be useful for purging the NetBIOS cache and preloading the LMHOSTS file. This one command can be extremely useful when performing security audits. <\/p>\n

Interpreting the information can reveal more than one might think.<\/p>\n

Usage: nbtstat [-a RemoteName] [-A IP_address] [-c] [-n] [-R] [-r] [-S] [-s] [interval]<\/code><\/p>\n

\r\nSwitches\r\n   -a    Lists the remote computer's name table given its host name. \r\n   -A    Lists the remote computer's name table given its IP address. \r\n   -c    Lists the remote name cache including the IP addresses.\r\n   -n    Lists local NetBIOS names. \r\n   -r    Lists names resolved by broadcast and via WINS. \r\n   -R    Purges and reloads the remote cache name table. \r\n   -S    Lists sessions table with the destination IP addresses. \r\n   -s    Lists sessions table conversions.\r\n<\/pre>\n

The column headings generated by NBTSTAT have the following meanings:<\/p>\n

\r\nInput \r\n     Number of bytes received. \r\nOutput \r\n     Number of bytes sent. \r\nIn\/Out \r\n     Whether the connection is from the computer (outbound)\r\n     or from another system to the local computer (inbound). \r\nLife \r\n     The remaining time that a name table cache entry will \"live\"\r\n     before your computer purges it. \r\nLocal Name \r\n     The local NetBIOS name given to the connection. \r\nRemote Host \r\n     The name or IP address of the remote host. \r\nType \r\n     A name can have one of two types: unique or group. \r\n     The last byte of the 16 character NetBIOS name often\r\n     means something because the same name can be present\r\n     multiple times on the same computer. This shows the last\r\n     byte of the name converted into hex. \r\nState \r\n     Your NetBIOS connections will be shown in one of the \r\n     following \"states\": \r\n\r\nState                   Meaning<\/strong>\r\n     \r\nAccepting         An incoming connection is in process.\r\n\r\nAssociated        The endpoint for a connection has been created\r\n                      and your computer has associated it with an IP\r\n                      address.\r\n\r\nConnected         This is a good state! It means you're connected\r\n                       to the remote resource.\r\n\r\nConnecting        Your session is trying to resolve the name-to-IP\r\n                       address mapping of the destination resource.\r\n\r\nDisconnected      Your computer requested a disconnect, and it is\r\n                        waiting for the remote computer to do so.\r\n\r\nDisconnecting     Your connection is ending.\r\n\r\nIdle              The remote computer has been opened in the current\r\n                   session, but is currently not accepting connections.\r\n\r\nInbound        \t  An inbound session is trying to connect.\r\n\r\nListening      \t  The remote computer is available.\r\n\r\nOutbound       \t  Your session is creating the TCP connection.\r\n\r\nReconnecting      If your connection failed on the first attempt,\r\n                        it will display this state as it tries to reconnect.\r\n<\/pre>\n

Here is a sample NBTSTAT response from my NT box:<\/p>\n