
HackNotes Windows Security Portable Reference, part 4 pps

HACKNOTES begins to take on some meaning. With a simple UDP probe from the nbtstat application, we’ve learned that

■ The NetBIOS name of 192.168.100.105 is PHALANX.
■ PHALANX is running the Workstation service.
■ PHALANX is running the File Server service.
■ PHALANX is a member of the HACKNOTES domain.
■ PHALANX is a Domain Master Browser for the HACKNOTES domain.
■ PHALANX is a Domain Controller for the HACKNOTES domain.

Voilà! Using only a Microsoft-provided network diagnostic tool (which is installed by default on all Windows operating systems), we’ve found an active domain and its domain controller. When Windows 2000 was just starting to appear in most corporate environments, most NetBIOS name tables would include the logged-in username as a <03> UNIQUE tag for the Windows Messenger service. While that’s not usually the case today, always keep your eyes peeled for multiple <03> UNIQUE entries—any of those that don’t match the NetBIOS hostname are legitimate usernames on the system.

The nbtstat utility provides a wealth of information that can be used to map a Windows network’s layout. By enumerating the name table of each NetBT-enabled server, we can see all the domains and workgroups that we’ll have available for our more invasive hacking activity later. But running nbtstat -A against all the IPs that we have hits for is a chore. Wouldn’t it be great if someone had come up with a tool to do multiple NetBIOS name table queries?

Chapter 3: Enumeration: Social Engineering, Network Style 39

HackNote / HackNotes Windows Security Portable Reference / O’Dea / 222785-0 / Chapter 3 Enumeration Overview

NetBIOS Name      Type      Description
[nbname] <00>     UNIQUE    Workstation Service on host [nbname]
[nbname] <01>     UNIQUE    Messenger Service on host [nbname]
[nbname] <03>     UNIQUE    Messenger Service on host [nbname]
[nbname] <20>     UNIQUE    File Server Service on host [nbname]
[nbname] <22>     UNIQUE    Microsoft Exchange Interchange on [nbname]
[nbname] <23>     UNIQUE    Microsoft Exchange Store on [nbname]
[nbname] <24>     UNIQUE    Microsoft Exchange Directory on [nbname]
[username] <03>   UNIQUE    Messenger Service for user [username]
[domain] <00>     GROUP     System is member of [domain]
[domain] <1B>     UNIQUE    Domain Master Browser
[domain] <1C>     GROUP     Domain Controller

Table 3-2. NetBIOS Name Type Definitions

P:\010Comp\HackNote\785-0\ch03.vp

Friday, June 13, 2003 8:09:03 AM


The utility nbtscan by Steve Friedl of Unixwiz.Net (http://www.unixwiz.net/tools/nbtscan.html) does a fine job of conducting name table queries across a range of addresses. This tool also simplifies the output of the name table and does the name type parsing for us. So instead of indicating a file server as <20> UNIQUE, nbtscan lists the IP address as SHARING. The documentation on the nbtscan homepage is excellent; if you’d like to try running large scale NetBIOS name table queries, a tool like nbtscan will be a great help.
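The name type parsing from Table 3-2 can be automated when auditing what one of your own hosts discloses through its name table. This is an added example, not code from the book or from nbtscan; the sample nbtstat output, the AUDITUSER account and the function name are constructed for illustration.

```python
import re

# Suffix/type meanings taken from Table 3-2.
HOST_ROLES = {
    ("00", "UNIQUE"): "Workstation Service",
    ("01", "UNIQUE"): "Messenger Service",
    ("03", "UNIQUE"): "Messenger Service",
    ("20", "UNIQUE"): "File Server Service",
    ("22", "UNIQUE"): "Microsoft Exchange Interchange",
    ("23", "UNIQUE"): "Microsoft Exchange Store",
    ("24", "UNIQUE"): "Microsoft Exchange Directory",
}
DOMAIN_ROLES = {
    ("00", "GROUP"): "Member",
    ("1B", "UNIQUE"): "Domain Master Browser",
    ("1C", "GROUP"): "Domain Controller",
}
# One name-table row: name, <suffix>, UNIQUE|GROUP (status column ignored).
ROW = re.compile(r"^[ \t]*(\S[^<\n]*?)[ \t]*<([0-9A-Fa-f]{2})>[ \t]+(UNIQUE|GROUP)\b", re.M)

# Constructed sample of `nbtstat -A` output; AUDITUSER is a made-up account.
SAMPLE = """\
       Name               Type         Status
    ---------------------------------------------
    PHALANX        <00>  UNIQUE      Registered
    HACKNOTES      <00>  GROUP       Registered
    PHALANX        <20>  UNIQUE      Registered
    PHALANX        <03>  UNIQUE      Registered
    AUDITUSER      <03>  UNIQUE      Registered
    HACKNOTES      <1B>  UNIQUE      Registered
    HACKNOTES      <1C>  GROUP       Registered
"""

def summarize(text):
    """Classify what a name table discloses; exposed=False means no table came back."""
    rows = [(n.strip(), s.upper(), t) for n, s, t in ROW.findall(text)]
    # The host's own name is the one registered as <00> UNIQUE.
    host = next((n for n, s, t in rows if (s, t) == ("00", "UNIQUE")), None)
    report = {"exposed": bool(rows), "host": host,
              "services": [], "domains": {}, "usernames": []}
    for name, suffix, kind in rows:
        key = (suffix, kind)
        if key == ("03", "UNIQUE") and name != host:
            report["usernames"].append(name)  # <03> name that is not the hostname
        elif name == host and key in HOST_ROLES:
            report["services"].append(HOST_ROLES[key])
        elif key in DOMAIN_ROLES:
            report["domains"].setdefault(name, []).append(DOMAIN_ROLES[key])
    return report
```

An `exposed` value of False, for instance when nbtstat prints "Host not found.", is the result to expect from a host on which NetBIOS over TCP/IP has been disabled.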

Hide NetBIOS Name Service

Other than blocking NetBIOS Name service traffic (UDP/137) at every access control device possible, Name Table enumeration can be prevented by disabling the NetBIOS over TCP/IP helpers. These services support SMB communication with systems prior to Windows 2000, so proceed with caution—do not just flip this switch on your PDC and go home for the weekend.

To disable NetBIOS over TCP/IP on Windows 2000, XP, and 2003:

1. From the Network Connections control panel applet, right-click your network interface and select Properties.
2. Select Internet Protocol (TCP/IP) and click Properties.
3. Click Advanced.
4. Select the WINS tab.
5. In the NetBIOS setting frame, select Disable NetBIOS over TCP/IP (see Figure 3-2).
6. Click OK to close the Advanced Settings and TCP/IP Properties dialog boxes.
7. Click Close to exit the Interface Properties dialog box.
8. Confirm fix by attempting an nbtstat -A against your own IP address.

SMB Session Service Probing

The NetBIOS session service manages the connections of SMB-enabled applications such as Windows file sharing. When not properly configured, this service can also expose heaps of useful information to non-authenticated users including available file shares, valid user and group names, and user account policies such as account lockout thresholds. But before we can get any of this information, we will need to authenticate to the remote host. How can we do that? Read on . . . .

It’s frustrating to begin a discussion of anonymous authentication without prefacing it with “in the old days.” While conscientious Internet

40 Part I: Hacking Fundamentals
