We’ve just reviewed some tools that let you connect to Windows computers and SMB file shares. But from a hacker’s standpoint, he still needs to gather information to locate target systems and guess login credentials. Nbtstat can help.
Nbtstat is a Windows command-line tool that can be used to display information about a computer’s NetBIOS connections and name tables. The nbtstat command can gather information such as a system MAC address, NetBIOS name, domain name, and any active users. It was designed as a tool for system administrators; however, like many network tools, it can be used for a darker purpose as well, as we shall soon see.
Typing nbtstat at a Windows command prompt will tell us all about its usage:
```
C:\>nbtstat

Displays protocol statistics and current TCP/IP connections using NBT
(NetBIOS over TCP/IP).

NBTSTAT [ [-a RemoteName] [-A IP address] [-c] [-n]
        [-r] [-R] [-s] [-S] [interval] ]
```
The following table gives you details about the options available.
Nbtstat Option | Description |
---|---|
-a <NetBIOS name> | Lists the remote machine’s name table given its name. This is repeated for each network interface. |
-A <IP Address> | Lists the remote machine’s name table given its IP address. This is repeated for each network interface. |
-c | Lists the remote name cache including the IP addresses. For example:<br>`Name            Type       Host Address   Life [sec]`<br>`------------------------------------------`<br>`KAITAIN   <20>  UNIQUE     10.0.1.7       585`<br>`KAITAIN   <00>  UNIQUE     10.0.1.7       585` |
-n | Lists local NetBIOS names. For example:<br>`---------------------------------------`<br>`ATREIDES        <00>  UNIQUE  Registered`<br>`ATREIDES        <20>  UNIQUE  Registered`<br>`IMPERIAL HOUSES <00>  GROUP   Registered`<br>`IMPERIAL HOUSES <1E>  GROUP   Registered`<br>`IMPERIAL HOUSES <1D>  UNIQUE  Registered`<br>`..__MSBROWSE__. <01>  GROUP   Registered` |
-r | Lists names resolved by broadcast and via WINS. |
-R | Purges and reloads the remote cache name table. |
-RR | Sends Name Release packets to WINS and then starts Refresh. |
-s | Lists the sessions table, converting destination IP addresses to host names via the hosts file. This is repeated for each network interface. |
-S | Lists the sessions table with the destination IP addresses. This is repeated for each network interface. |
[interval] | Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics. |
If we’re local to the system, we can use nbtstat to monitor information about our local sessions, check on and purge the WINS name cache, and do it all in real time by specifying an interval (in seconds) at the end of the command. For example, the command nbtstat -S 2 will monitor the current open NetBIOS sessions between the local system and others on the network, and it will update that listing every two seconds.
```
C:\>nbtstat -S 2

               NetBIOS Connection Table

Local Name           State      In/Out  Remote Host        Input   Output
----------------------------------------------------------------------------
WINBOX         <03>  Listening
WINBOX               Connected  In      192.168.1.102      10KB    208KB
WINBOX               Listening
JDOE           <03>  Listening
```
This shows us that someone has connected to one of our shares from 192.168.1.102. We can now monitor its activity.
The more powerful side of nbtstat, however, is apparent when we use it with the -a and -A flags against particular hosts. Let’s see what kind of information we can get from our friend 192.168.1.102:
```
C:\>nbtstat -A 192.168.1.102

       NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    MYCOMPUTER     <00>  UNIQUE      Registered
    MYDOMAIN       <00>  GROUP       Registered
    MYCOMPUTER     <03>  UNIQUE      Registered
    MYCOMPUTER     <20>  UNIQUE      Registered
    MYDOMAIN       <1E>  GROUP       Registered
    MYUSER         <03>  UNIQUE      Registered
    MYDOMAIN       <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered

    MAC Address = 00-50-DA-E9-87-5F

C:\>
```
Nbtstat returns a name table containing NetBIOS services active on the host. But before we can get anything useful out of this table, we need to know a bit about NetBIOS to interpret it.
We can make sense of the names that are listed by focusing on the combination of the <##> NetBIOS code and the type. First we see a <00> UNIQUE. This NetBIOS code indicates that the workstation service is running and lists the system’s NetBIOS name. So we can determine that the system is named MYCOMPUTER.
The next line reads <00> GROUP. This indicates the workgroup or domain name to which the system belongs. In this case, the system belongs to MYDOMAIN.
Name | Code | Usage |
---|---|---|
<computer_name> | 00 | Workstation service |
<computer_name> | 01 | Messenger service |
<\\--__MSBROWSE__> | 01 | Master browser |
<computer_name> | 03 | Messenger service |
<computer_name> | 06 | RAS server service |
<computer_name> | 20 | File server service |
<computer_name> | 21 | RAS client service |
<computer_name> | BE | Network monitor agent |
<computer_name> | BF | Network monitor application |
<username> | 03 | Messenger service |
<domain> | 00 | Domain name |
<domain> | 1B | Domain master browser |
<domain> | 1C | Domain controllers |
<domain> | 1D | Master browser |
<domain> | 1E | Browser service elections |
<INet~Services> | 1C | IIS |
<IS~computer_name> | 00 | IIS |
The third line contains a <03> code, which is used by the messenger service. Once again, it appears to be listing the computer name. But if we see a <03> entry with the computer name, we should also see another <03> entry further down in the table with a different listed name. Lo and behold, in the sixth line, we see a line that lists MYUSER as the name. Since <03> NetBIOS codes always come in pairs, listing both the system’s NetBIOS name and currently logged-in user, you can use a process of elimination to determine which one is which.
Although details on the NetBIOS codes are beyond the scope of this book, Table 6-2 shows some of the more common codes. For more on NetBIOS hex codes, go to http://jcifs.samba.org/src/docs/nbtcodes.html.
We’ve used nbtstat to determine some extremely useful information. We know the domain name to which this system belongs as well as a valid username on the system. All we need now is the password.
Even though NetBIOS is nonroutable, NBT is routable. By using the –A flag, we can run nbtstat against any system that is connected to the Internet and is allowing NBT traffic that passes over ports 137, 138, and 139.
Another piece of information that is provided by nbtstat is the system’s hardware Ethernet address (or MAC address). In this case, the MAC address for 192.168.1.102 was 00-50-DA-E9-87-5F. The MAC hardware address is 48 bits and expressed as 12 hexadecimal digits, or six octets. The first (left) 6 digits (three octets) represent the vendor of the network interface, and the last (right) 6 digits (three octets) represent the interface serial number for that particular vendor. The first six digits are referred to as the Organizationally Unique Identifier (OUI).
Here are a few examples of common OUIs:
SUN MICROSYSTEMS INC. (08-00-20)
The Linksys Group, Inc. (00-06-25)
3COM CORPORATION (00-50-DA)
VMWARE, Inc. (00-50-56)
In our example, the system had a MAC address of 00-50-DA-E9-87-5F, so the manufacturer of the network interface on this system was 3COM (00-50-DA). A MAC address of 08-00-20-00-07-E1 represents an interface manufactured by Sun Microsystems (08-00-20), and a MAC address of 00-06-25-51-CC-77 has an interface manufactured by Linksys.
Running nbtstat against another system reveals the following:
```
C:\>nbtstat -A 192.168.1.47

       NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    NT4SERVER      <00>  UNIQUE      Registered
    INet~Services  <1C>  GROUP       Registered
    IS~NT4SERVER...<00>  UNIQUE      Registered
    NT4SERVER      <20>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    NT4SERVER      <03>  UNIQUE      Registered
    WORKGROUP      <1E>  GROUP       Registered
    WORKGROUP      <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    ADMINISTRATOR  <03>  UNIQUE      Registered

    MAC Address = 00-50-56-40-4C-23
```
This system is named NT4SERVER and has a MAC address of 00-50-56-40-4C-23. This OUI (00-50-56) identifies the vendor as VMware, Inc. VMware manufactures virtual machine software for servers and desktops (see Chapter 3), which indicates that this system is possibly a virtual NT Server running under a separate host’s operating system.
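As an added example (not code from the book), here is a small Python parser that applies the interpretation walked through above to saved nbtstat -A output: it recovers the host from the <00> UNIQUE row, the domain from the <00> GROUP row, the logged-in user by eliminating the host from the <03> pair, and looks up the MAC’s OUI against the four vendors listed earlier. The regular expressions, function names and the embedded copy of the 192.168.1.102 table are my own constructions.

```python
import re
from collections import defaultdict

# The four OUIs listed on this page (prefix -> vendor); extend from the IEEE list.
OUI_VENDORS = {"08-00-20": "SUN MICROSYSTEMS INC.", "00-06-25": "The Linksys Group, Inc.",
               "00-50-DA": "3COM CORPORATION", "00-50-56": "VMWARE, Inc."}

# A name-table row: NAME <XX> UNIQUE|GROUP Registered (the name may abut the <XX>).
ENTRY_RE = re.compile(r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+Registered")
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")

# Constructed copy of the 192.168.1.102 name table shown above.
SAMPLE = """\
       Name               Type         Status
    ---------------------------------------------
    MYCOMPUTER     <00>  UNIQUE      Registered
    MYDOMAIN       <00>  GROUP       Registered
    MYCOMPUTER     <03>  UNIQUE      Registered
    MYCOMPUTER     <20>  UNIQUE      Registered
    MYDOMAIN       <1E>  GROUP       Registered
    MYUSER         <03>  UNIQUE      Registered
    MYDOMAIN       <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    MAC Address = 00-50-DA-E9-87-5F
"""

def parse_name_table(text):
    """Map each NetBIOS name to its set of (code, type) rows; also return the MAC."""
    entries, mac = defaultdict(set), None
    for line in text.splitlines():
        row = ENTRY_RE.match(line)
        if row:  # strip the trailing dots nbtstat pads 15-byte names with
            entries[row.group(1).rstrip(".")].add((row.group(2).upper(), row.group(3)))
        elif (m := MAC_RE.search(line)):
            mac = m.group(1).upper()
    return dict(entries), mac

def interpret(text):
    """Apply the code table: <00> UNIQUE = host, <00> GROUP = domain, <03> pair = user."""
    entries, mac = parse_name_table(text)
    host = next((n for n, s in entries.items()
                 if ("00", "UNIQUE") in s and not n.startswith("IS~")), None)
    domain = next((n for n, s in entries.items() if ("00", "GROUP") in s), None)
    # <03> rows come in pairs (computer name + logged-in user): eliminate the host.
    users = sorted(n for n, s in entries.items() if ("03", "UNIQUE") in s and n != host)
    return {"host": host, "domain": domain, "users": users,
            "file_server": ("20", "UNIQUE") in entries.get(host, set()),
            "iis": any(n.upper() == "INET~SERVICES" for n in entries),
            "mac": mac, "vendor": OUI_VENDORS.get(mac[:8]) if mac else None}
```

Feeding it the NT4SERVER table from the second example yields ADMINISTRATOR as the user, IIS present, and the VMware OUI, matching the manual reading above.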
Note: The complete public OUI listing is available for download at http://standards.ieee.org/regauth/oui/index.shtml. Some vendors have opted not to make their OUI information public.
Because all Windows boxes by default share this information freely in order to function on a network, they don’t log attempts to retrieve it in the event log. Firewalls and intrusion-detection systems are the most common way to block and detect this kind of traffic from the outside.