NBTStat


We’ve just reviewed some tools that let you connect to Windows computers and SMB file shares. But from a hacker’s standpoint, he still needs to gather information to locate target systems and guess login credentials. Nbtstat can help.

Nbtstat is a Windows command-line tool that can be used to display information about a computer’s NetBIOS connections and name tables. The nbtstat command can gather information such as a system MAC address, NetBIOS name, domain name, and any active users. It was designed as a tool for system administrators; however, like many network tools, it can be used for a darker purpose as well, as we shall soon see.

Implementation

Typing nbtstat at a Windows command prompt will tell us all about its usage:

C:\>nbtstat

Displays protocol statistics and current TCP/IP connections using NBT
(NetBIOS over TCP/IP).

NBTSTAT [ [-a RemoteName] [-A IP address] [-c] [-n]
          [-r] [-R] [-s] [S] [interval] ]

The following table gives you details about the options available.

Nbtstat Option      Description
------------------  ----------------------------------------------------------
-a <NetBIOS name>   Lists the remote machine’s name table given its name. This
                    is repeated for each network interface.

-A <IP Address>     Lists the remote machine’s name table given its IP address.
                    This is repeated for each network interface.

-c                  Lists the remote name cache including the IP addresses.
                    For example:

                        NetBIOS Remote Cache Name Table

                    Name              Type       Host Address    Life [sec]
                    ---------------------------------------------------------
                    KAITAIN      <20>  UNIQUE    10.0.1.7         585
                    KAITAIN      <00>  UNIQUE    10.0.1.7         585

-n                  Lists local NetBIOS names. For example:

                    Name                  Type         Status
                    ---------------------------------------------
                    ATREIDES        <00>  UNIQUE      Registered
                    ATREIDES        <20>  UNIQUE      Registered
                    IMPERIAL HOUSES <00>  GROUP       Registered
                    IMPERIAL HOUSES <1E>  GROUP       Registered
                    IMPERIAL HOUSES <1D>  UNIQUE      Registered
                    ..__MSBROWSE__. <01>  GROUP       Registered

-r                  Lists names resolved by broadcast and via WINS.

-R                  Purges and reloads the remote cache name table.

-RR                 Sends Name Release packets to WINS and then starts Refresh.

-s                  Lists the sessions table, converting destination IP
                    addresses to host names via the hosts file
                    (%SYSTEMROOT%\SYSTEM32\DRIVERS\etc\hosts). This is repeated
                    for each network interface.

-S                  Lists the sessions table with the destination IP addresses.
                    This is repeated for each network interface.

[interval]          Redisplays selected statistics, pausing interval seconds
                    between each display. Press CTRL+C to stop redisplaying
                    statistics.

If we’re local to the system, we can use nbtstat to monitor information about our local sessions, check on and purge the WINS name cache, and do it all in real time by specifying an interval (in seconds) at the end of the command. For example, the command nbtstat -S 2 will monitor the current open NetBIOS sessions between the local system and others on the network, and it will update that listing every two seconds.

C:\>nbtstat -S 2

                  NetBIOS Connection Table

Local Name             State    In/Out  Remote Host           Input   Output
----------------------------------------------------------------------------
WINBOX         <03>  Listening
WINBOX               Connected  In   192.168.1.102          10KB    208KB
WINBOX               Listening
JDOE           <03>  Listening

This shows us that someone has connected to one of our shares from 192.168.1.102. We can now monitor its activity.

The more powerful side of nbtstat, however, is apparent when we use it with the -a and -A flags against particular hosts. Let’s see what kind of information we can get from our friend 192.168.1.102:

C:\>nbtstat -A 192.168.1.102

       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
MYCOMPUTER     <00>  UNIQUE      Registered
MYDOMAIN       <00>  GROUP       Registered
MYCOMPUTER     <03>  UNIQUE      Registered
MYCOMPUTER     <20>  UNIQUE      Registered
MYDOMAIN       <1E>  GROUP       Registered
MYUSER         <03>  UNIQUE      Registered
MYDOMAIN       <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered

MAC Address = 00-50-DA-E9-87-5F

C:\>

Nbtstat returns a name table containing NetBIOS services active on the host. But before we can get anything useful out of this table, we need to know a bit about NetBIOS to interpret it.

We can make sense of the names that are listed by focusing on the combination of the <##> NetBIOS code and the type. First we see a <00> UNIQUE. This NetBIOS code indicates that the workstation service is running and lists the system’s NetBIOS name. So we can determine that the system is named MYCOMPUTER.

The next line reads <00> GROUP. This indicates the workgroup or domain name to which the system belongs. In this case, the system belongs to MYDOMAIN.

Table 6-2: Common NetBIOS Codes

Name                  Code  Usage
--------------------  ----  ----------------------------
<computer_name>       00    Workstation service
<computer_name>       01    Messenger service
<\\--__MSBROWSE__>    01    Master browser
<computer_name>       03    Messenger service
<computer_name>       06    RAS server service
<computer_name>       20    File server service
<computer_name>       21    RAS client service
<computer_name>       BE    Network monitor agent
<computer_name>       BF    Network monitor application
<username>            03    Messenger service
<domain>              00    Domain name
<domain>              1B    Domain master browser
<domain>              1C    Domain controllers
<domain>              1D    Master browser
<domain>              1E    Browser service elections
<INet~Services>       1C    IIS
<IS~computer_name>    00    IIS

The third line contains a <03> code, which is used by the messenger service. Once again, it appears to be listing the computer name. But if we see a <03> entry with the computer name, we should also see another <03> entry further down in the table with a different listed name. Lo and behold, in the sixth line, we see a line that lists MYUSER as the name. Since <03> NetBIOS codes always come in pairs, listing both the system’s NetBIOS name and currently logged-in user, you can use a process of elimination to determine which one is which.

Although details on the NetBIOS codes are beyond the scope of this book, Table 6-2 shows some of the more common codes. For more on NetBIOS hex codes, go to http://jcifs.samba.org/src/docs/nbtcodes.html.

We’ve used nbtstat to determine some extremely useful information. We know the domain name to which this system belongs as well as a valid username on the system. All we need now is the password.
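As an added example (not code from the book), the following Python script automates the walk-through above: it parses the nbtstat -A output quoted earlier, re-typed here as a constructed sample, applies the Table 6-2 rules, and performs the <03> elimination to recover the logged-in user. The parser, the SERVICE_CODES dictionary and the field names are assumptions of this example, not part of nbtstat; the code also covers the IIS markers (INet~Services, IS~) and the case where only one <03> entry exists because nobody is logged in.

```python
import re

# Constructed sample: the nbtstat -A output quoted in the text, re-typed here
# as test input (not captured live).
SAMPLE_NBTSTAT_A = """\
C:\\>nbtstat -A 192.168.1.102

       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
MYCOMPUTER     <00>  UNIQUE      Registered
MYDOMAIN       <00>  GROUP       Registered
MYCOMPUTER     <03>  UNIQUE      Registered
MYCOMPUTER     <20>  UNIQUE      Registered
MYDOMAIN       <1E>  GROUP       Registered
MYUSER         <03>  UNIQUE      Registered
MYDOMAIN       <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered

MAC Address = 00-50-DA-E9-87-5F
"""

# One name-table row: NAME <HH> UNIQUE|GROUP STATUS. The name may contain
# spaces ("IMPERIAL HOUSES") or run straight into the <HH> suffix.
ROW_RE = re.compile(r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")

# Service suffixes from Table 6-2 that a UNIQUE <computer_name> entry can carry.
SERVICE_CODES = {
    0x06: "RAS server",
    0x20: "file server",
    0x21: "RAS client",
    0xBE: "network monitor agent",
    0xBF: "network monitor application",
}


def parse_name_table(text):
    """Return (entries, mac); each entry is a dict with name/code/type/status."""
    entries, mac = [], None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            name, code, ntype, status = m.groups()
            # nbtstat shows the unprintable bytes around __MSBROWSE__ and the
            # padding after IS~<name> as dots; strip them from the name.
            entries.append({"name": name.strip("."), "code": int(code, 16),
                            "type": ntype, "status": status})
            continue
        m = MAC_RE.search(line)
        if m:
            mac = m.group(1).upper()
    return entries, mac


def interpret(entries):
    """Apply the Table 6-2 rules the text walks through to a parsed name table."""
    info = {"computer": None, "domain": None, "user": None, "services": set(),
            "master_browser": False, "domain_controller": False, "iis": False}
    for e in entries:
        name, code, ntype = e["name"], e["code"], e["type"]
        if code == 0x00 and ntype == "UNIQUE":
            if name.startswith("IS~"):            # <IS~computer_name> 00: IIS
                info["iis"] = True
            else:                                 # workstation service: computer name
                info["computer"] = name
        elif code == 0x00 and ntype == "GROUP":   # <domain> 00: domain/workgroup
            info["domain"] = name
        elif code == 0x1C and ntype == "GROUP":
            if name == "INet~Services":           # <INet~Services> 1C: IIS
                info["iis"] = True
            else:                                 # <domain> 1C: domain controllers
                info["domain_controller"] = True
        elif code == 0x1D and ntype == "UNIQUE":  # <domain> 1D: master browser
            info["master_browser"] = True
        elif code in SERVICE_CODES and ntype == "UNIQUE":
            info["services"].add(SERVICE_CODES[code])
    # <03> (messenger) entries come in pairs: the computer name and the
    # logged-in user. Eliminate the computer name; whatever remains is the user.
    # With nobody logged in there is only one <03> entry and user stays None.
    messenger = [e["name"] for e in entries if e["code"] == 0x03 and e["type"] == "UNIQUE"]
    others = [n for n in messenger if n != info["computer"]]
    info["user"] = others[0] if others else None
    return info


if __name__ == "__main__":
    entries, mac = parse_name_table(SAMPLE_NBTSTAT_A)
    for key, value in interpret(entries).items():
        print(f"{key:>18}: {value}")
    print(f"{'MAC address':>18}: {mac}")
```

Feed it the saved output of nbtstat -A (or -n) and it prints the computer name, domain, logged-in user, and services; the cache listing from -c uses different columns and is deliberately not matched.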

Even though NetBIOS itself is nonroutable, NBT (NetBIOS over TCP/IP) is routable. By using the -A flag, we can run nbtstat against any system that is connected to the Internet and allows NBT traffic on ports 137, 138, and 139.

Retrieving a MAC Address

Another piece of information that is provided by nbtstat is the system’s hardware Ethernet address (or MAC address). In this case, the MAC address for 192.168.1.102 was 00-50-DA-E9-87-5F. The MAC hardware address is 48 bits and expressed as 12 hexadecimal digits, or six octets. The first (left) 6 digits (three octets) represent the vendor of the network interface, and the last (right) 6 digits (three octets) represent the interface serial number for that particular vendor. The first six digits are referred to as the Organizationally Unique Identifier (OUI).

Here are a few examples of common OUIs:

  • SUN MICROSYSTEMS INC.   (08-00-20)

  • The Linksys Group, Inc.   (00-06-25)

  • 3COM CORPORATION   (00-50-DA)

  • VMWARE, Inc.   (00-50-56)

In our example, the system had a MAC address of 00-50-DA-E9-87-5F, so the manufacturer of the network interface on this system was 3COM (00-50-DA). A MAC address of 08-00-20-00-07-E1 represents an interface manufactured by Sun Microsystems (08-00-20), and a MAC address of 00-06-25-51-CC-77 has an interface manufactured by Linksys.

An nbtstat command on the system reveals the following:

C:\>nbtstat -A 192.168.1.47

       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
NT4SERVER      <00>  UNIQUE      Registered
INet~Services  <1C>  GROUP       Registered
IS~NT4SERVER...<00>  UNIQUE      Registered
NT4SERVER      <20>  UNIQUE      Registered
WORKGROUP      <00>  GROUP       Registered
NT4SERVER      <03>  UNIQUE      Registered
WORKGROUP      <1E>  GROUP       Registered
WORKGROUP      <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered
ADMINISTRATOR  <03>  UNIQUE      Registered

MAC Address = 00-50-56-40-4C-23

This system is named NT4SERVER and has a MAC address of 00-50-56-40-4C-23. This OUI (00-50-56) identifies the vendor as VMware, Inc. VMware manufactures virtual machine software for servers and desktops (see Chapter 3), which indicates that this system is possibly a virtual NT Server running under a separate host’s operating system.
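An added example, not from the book, showing the MAC decoding described above in Python: it normalizes the address forms you will meet (dashes, colons, or bare hex), splits off the OUI and the vendor serial, and looks the OUI up. The OUI_VENDORS table is constructed from the four OUIs listed in the text and stands in for the full IEEE listing; the check of the locally-administered and multicast bits in the first octet is an added fact the text does not cover, included because a locally administered address carries no registered vendor prefix and would otherwise be misread.

```python
import re

# Constructed OUI table holding only the four vendors named in the text.
# A real lookup would load the public IEEE OUI listing instead (assumption).
OUI_VENDORS = {
    "08-00-20": "SUN MICROSYSTEMS INC.",
    "00-06-25": "The Linksys Group, Inc.",
    "00-50-DA": "3COM CORPORATION",
    "00-50-56": "VMWARE, Inc.",
}


def normalize_mac(mac):
    """Accept 00-50-DA-E9-87-5F, 00:50:da:e9:87:5f or 0050DAE9875F and return
    the dash-separated upper-case form nbtstat prints. Raises ValueError for
    anything that is not 48 bits (12 hex digits)."""
    s = mac.strip().upper()
    for sep in ("-", ":"):
        if s.count(sep) == 5:
            s = s.replace(sep, "")
    if not re.fullmatch(r"[0-9A-F]{12}", s):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return "-".join(s[i:i + 2] for i in range(0, 12, 2))


def decode_mac(mac):
    """Split a MAC into its OUI (first three octets) and vendor serial
    (last three octets) and look the OUI up in the vendor table."""
    canonical = normalize_mac(mac)
    octets = canonical.split("-")
    oui = "-".join(octets[:3])
    first = int(octets[0], 16)
    return {
        "mac": canonical,
        "oui": oui,
        "serial": "-".join(octets[3:]),
        "vendor": OUI_VENDORS.get(oui),
        # Added facts, not from the text: in the first octet, bit 0 is the
        # I/G bit (1 = group/multicast address) and bit 1 is the U/L bit
        # (1 = locally administered, so the OUI is not a registered prefix).
        "multicast": bool(first & 0x01),
        "locally_administered": bool(first & 0x02),
    }


def describe(mac):
    """One-line human-readable summary of a MAC address."""
    d = decode_mac(mac)
    if d["locally_administered"]:
        return f"{d['mac']}: locally administered, OUI {d['oui']} is not a vendor prefix"
    vendor = d["vendor"] or "unknown vendor (not in the loaded OUI table)"
    return f"{d['mac']}: OUI {d['oui']} = {vendor}, serial {d['serial']}"


if __name__ == "__main__":
    # Constructed inputs: the three addresses from the text plus a locally
    # administered one to show the caveat.
    for sample in ("00-50-DA-E9-87-5F", "08:00:20:00:07:e1", "00062551CC77",
                   "00-50-56-40-4C-23", "02-00-4C-4F-4F-50"):
        print(describe(sample))
```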

Note 

The complete public OUI listing is available for download at http://standards.ieee.org/regauth/oui/index.shtml. Some vendors have opted not to make their OUI information public.

Because all Windows boxes share this information freely by default in order to function on a network, they do not log attempts to retrieve it in the event log. Firewalls and intrusion-detection systems are the most common way to block and detect this kind of traffic from the outside.
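As an added, defender-side example that is not from the book: a short Python audit of firewall log lines for traffic to the NBT ports (137, 138, 139) from outside the local address space, separating what the firewall dropped from what it let through. The key=value log format, the sample lines (using RFC 5737 documentation addresses) and the function names are constructed for this example; adapt parse_line to your firewall's real format.

```python
import ipaddress
import re
from collections import defaultdict

# NBT ports named in the text.
NBT_PORTS = {137, 138, 139}

# Address space treated as "inside" (RFC 1918 plus loopback and link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed firewall log excerpt in a made-up key=value format (assumption).
SAMPLE_LOG = """\
2004-05-10T14:02:11 DROP  src=203.0.113.45 dst=192.168.1.102 proto=UDP dport=137
2004-05-10T14:02:11 ALLOW src=192.168.1.50 dst=192.168.1.102 proto=TCP dport=139
2004-05-10T14:02:13 ALLOW src=198.51.100.7 dst=192.168.1.102 proto=UDP dport=137
2004-05-10T14:02:20 ALLOW src=198.51.100.7 dst=192.168.1.102 proto=TCP dport=139
2004-05-10T14:02:25 ALLOW src=198.51.100.7 dst=192.168.1.102 proto=TCP dport=80
2004-05-10T14:03:05 DROP  src=203.0.113.45 dst=192.168.1.103 proto=UDP dport=137
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DROP)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)\s*$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev


def is_external(ip):
    """True when the address is outside the INTERNAL_NETS ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def audit_nbt(log_text):
    """Summarize NBT-port traffic from external sources: probes the firewall
    dropped (counted per source) and connections it allowed (gaps to close)."""
    report = {"dropped": defaultdict(int), "allowed": []}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["dport"] not in NBT_PORTS or not is_external(ev["src"]):
            continue
        if ev["action"] == "DROP":
            report["dropped"][ev["src"]] += 1
        else:
            report["allowed"].append(
                (ev["ts"], ev["src"], ev["dst"], ev["proto"], ev["dport"]))
    report["dropped"] = dict(report["dropped"])
    return report


if __name__ == "__main__":
    r = audit_nbt(SAMPLE_LOG)
    for src, n in r["dropped"].items():
        print(f"blocked {n} NBT probe(s) from {src}")
    for ts, src, dst, proto, dport in r["allowed"]:
        print(f"ALERT {ts}: external {src} reached {dst} on {proto}/{dport} (NBT port allowed through)")
```

The internal 192.168.1.50 session and the external web request on port 80 are ignored; the two allowed NBT connections from 198.51.100.7 are the ones that should not have passed a perimeter firewall.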



Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2004