--------------------------------
Title: |||| Using NetBIOS ||||
Date: June 25, 1998
Author: rootwurm
--------------------------------

the other day i was talking to a friend and i said something like "yeah, i got in through netbios". he just looked at me like i was retarded. the fact is, most people either don't care, or don't know about the fun you can have with netbios. another fact is that netbios runs on port 139, and if you know ANYTHING about computers, you know that that is definitely the OOB exploit port. micro$oft did an awesome OOB patch that simply CLOSED THE DAMN NETBIOS PORT! well, actually, i think that was the first patch...newer versions actually fixed the shit and left 139 open.

ok, here's a quick rundown on what netbios is.. (note: i'm just telling you this from memory, some facts are probably a little off....look elsewhere for an in-depth, technical explanation.)

netbios lets windoze 95 (l)users share files over an internal network. the reason i say an internal network is because netbios is non-routable, meaning it can't "find its way" around the internet. it's extremely fast because it doesn't carry as much overhead (unlike tcp/ip, which has more overhead so it can be routed). netbios uses port 113 to get the hostname information and the dir information, and port 139 is used for the actual connection.

most computers ARE running netbios, and a quick way to find out is to do a 'netbios status' on them. to do that, simply take their hostname (we'll use pah-pm2-1-60.vci.net (my current ip address) for example).

before you can use nbtstat, you have to make sure your computer is set up for netbios. don't worry, when we set up your computer to use netbios, you won't be vulnerable to this 'attack'. the only time you become vulnerable is when you're sharing files. i'll talk more about this later on.

to verify that you are set up to use netbios, click on Start > Settings > Control Panel and double-click the 'network' icon.
you should see a list of installed adapters and a few clients you are running. TCP/IP will be one of them (you couldn't be on the internet without it) and most likely Client For Microsoft Networks is another. check to make sure NetBEUI is installed, and if it isn't, click on Add and go to Microsoft, then NetBEUI. good old WindowsRestart(tm) will ask you for the 95 disk and then say "you changed something! oh my god! i'm going to have to completely reset all my settings!! reboot me! reboot me!" (or something similar to that :-)

after you've rebooted, double-click My Computer and then double-click Dial-Up Networking. click once on your dial-up networking connection, and then click on File and Properties. click on the Server Types tab and make sure "logon to network" is checked. once you've made sure all that's right, connect to the net.

now, in the Run box (on the start menu in win95) type:

    nbtstat -A 205.241.254.60            (if you have the numerical ip)
or
    nbtstat -a pah-pm2-1-60.vci.net      (if you don't feel like resolving it)

that should come back with a bunch of names in a 'dos' box. if it says "host not found." then that person is either not sharing files, or they don't have win95. otherwise, it should come back with some names and shit. the names change from computer to computer because everyone names their computer something different. mine's named JENNY (jenny is this chick that lives right down the street and she is GOD!) so we'll use mine for an example. if you want to find out what your computer is named, or change it, go to the control panel, then Network, then Identification.

now, in the run box, type:

    notepad c:\windows\lmhosts.

lmhosts DOES NOT HAVE AN EXTENSION BUT IT HAS A PERIOD! it will ask you to create the file the first time, just click YEP. now, in lmhosts, type

    205.241.254.60 JENNY

all on one line, with nothing else on that line. now save it and in the run box type

    \\JENNY

be sure you get the right slashes, it makes ALL the difference.
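the "bunch of names" nbtstat prints in the dos box can be read by a script to answer the one question that matters for the note at the end of this article (is this box actually sharing files?), which is handy for auditing your own machines before they go online. this is an added example, not rootwurm's code; it assumes the name-table layout that Windows 9x/NT nbtstat prints, uses a constructed sample of that output, and relies on the NetBIOS name suffix <20> (File Server Service) being the registration that marks a host as offering shares.

```python
import re
from typing import List, NamedTuple, Optional

# A Windows 9x/NT host registers several NetBIOS names that differ only in the
# 16th byte (the <xx> suffix). <00> is the Workstation Service, <03> the
# Messenger Service and <20> the File Server Service; shares are only reachable
# over port 139 when <20> is registered, so that is the entry an audit looks for.

class NbtEntry(NamedTuple):
    name: str
    suffix: int
    kind: str    # UNIQUE or GROUP
    status: str  # e.g. Registered

# One table row looks like:  JENNY          <20>  UNIQUE      Registered
_ROW = re.compile(r"^\s*(\S.*?)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")

def parse_nbtstat(output: str) -> List[NbtEntry]:
    """Parse the name table printed by 'nbtstat -A <ip>' / 'nbtstat -a <host>'.
    Header, separator and MAC lines never match the row pattern, so they are
    skipped, and a 'Host not found.' reply simply yields an empty list."""
    rows = []
    for line in output.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append(NbtEntry(m.group(1).strip(), int(m.group(2), 16),
                                 m.group(3), m.group(4)))
    return rows

def computer_name(entries: List[NbtEntry]) -> Optional[str]:
    """The machine's own name is its UNIQUE <00> registration."""
    return next((e.name for e in entries if e.suffix == 0x00 and e.kind == "UNIQUE"), None)

def shares_files(entries: List[NbtEntry]) -> bool:
    """True only when the File Server Service is registered, i.e. shares are exposed."""
    return any(e.suffix == 0x20 and e.kind == "UNIQUE" and e.status == "Registered"
               for e in entries)

# Constructed sample of the dos-box output for a machine named JENNY that is sharing.
SAMPLE = """\
   Name               Type         Status
---------------------------------------------
JENNY          <00>  UNIQUE      Registered
WORKGROUP      <00>  GROUP       Registered
JENNY          <20>  UNIQUE      Registered
WORKGROUP      <1E>  GROUP       Registered
MAC Address = 00-00-00-00-00-00
"""
```

run shares_files(parse_nbtstat(...)) over the output for your own dial-up address: if it comes back True while you never meant to share anything, the 'sharing' setting in the network control panel is the thing to fix.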
\\ means "it's on the network", where // means "it's on the local drive". now, if they are offering stuff, it should give you a box much like when you double-click on your hard drive. browse at will. if you get "Please enter a password to make connection \\JENNY\IPC$" then the computer isn't sharing files. sorry, but you're s.o.l., move on to your next victim.

if you don't get a box or anything, you can also try typing this in the run box:

    net view \\jenny

it will either show you some stuff that is offered, or tell you that that computer is not taking requests. if it gives you some 'shared' resources, try typing

    \\jenny\resource

in the run box (where 'resource' is whatever is being shared). sometimes it will ask you for a password, and most of the time just hitting enter will work.

some other things you can try are just 'ping jenny' to ping 205.241.254.60, as well as 'telnet jenny' etc....the network will look for 'jenny' on your dns server, and if it doesn't resolve there, it will check lmhosts.

blah, that was confusing, i know, but if i didn't make sense on something, then EMAIL ME! goddamn it! you'll never learn if you don't ask! i won't bite you....well, at least i promise not to draw blood :-)

NOTE: messing with netbios isn't as fun as it used to be because microsoft disables it by default now. in win95A it was enabled by default, sharing all drives with no password (if netbeui is installed on the remote machine, which most isps' 'install' disks will put netbeui on). usually you have to target large corporate networks that aren't technically literate (schools are a great place to start).

i'm currently looking into writing a 'backdoor' proggie that will share a user's drive but not change the icon. i've already found the registry entry, i just need to work out a few more kinks. it'll probably be a while before i get around to making it.

rootwurm (rootwurm@pheces.org)
LONG LIVE THE FLAMING TURD!!! BOOYAH!
http://www.pheces.org ((((((((((((((((((((((((((((((((((((((#yep))))))))))))))))))))))))))))))))))))))