Thursday, November 26, 2009

Playing with netbios shares (smbclient and nmblookup)

So you are on a network and want to learn some info about your neighbours: what their computer names are, who is logged on, share names, etc. Windows makes most of this information easy for us to obtain. Enter smbclient, an ftp-like client for accessing SMB/CIFS resources, and nmblookup, a utility used to look up NetBIOS names. Before we begin our enumeration of the network we need to determine the IPs of the live Windows clients.

# netdiscover -i eth0 -r 10.0.0.2/24 //Discover live clients that respond to our arp requests

I personally would use nmap for this as it has many more scan techniques than just the ARP method. After we identify our potential target (we are going to use 10.0.0.2), let's use it with smbclient and nmblookup.

# nmblookup -A 10.0.0.2 //resolve the NetBIOS names registered by 10.0.0.2

The hex code in the second column means something to us. If you get <03>, the name to the left of '<03>' is the currently logged-in user (the computer name also registers a <03> entry, so the user is the <03> name that differs from the <00> workstation name). In the Type column of the list below, U is a unique name and G a group name. The list, which gives some of the meanings behind the hex codes, is taken from http://www.windowsnetworking.com/kbase/WindowsTips/WindowsNT/AdminTips/Utilities/Nbtstatrevealswhoisloggedon.html.

Name                  Number(h)  Type  Usage
--------------------------------------------------------------------------
<computername>        00         U     Workstation Service
<computername>        01         U     Messenger Service
<\\--__MSBROWSE__>    01         G     Master Browser
<computername>        03         U     Messenger Service
<computername>        06         U     RAS Server Service
<computername>        1F         U     NetDDE Service
<computername>        20         U     File Server Service
<computername>        21         U     RAS Client Service
<computername>        22         U     Microsoft Exchange Interchange (MSMail Connector)
<computername>        23         U     Microsoft Exchange Store
<computername>        24         U     Microsoft Exchange Directory
<computername>        30         U     Modem Sharing Server Service
<computername>        31         U     Modem Sharing Client Service
<computername>        43         U     SMS Clients Remote Control
<computername>        44         U     SMS Administrators Remote Control Tool
<computername>        45         U     SMS Clients Remote Chat
<computername>        46         U     SMS Clients Remote Transfer
<computername>        4C         U     DEC Pathworks TCPIP service on Windows NT
<computername>        42         U     McAfee anti-virus
<computername>        52         U     DEC Pathworks TCPIP service on Windows NT
<computername>        87         U     Microsoft Exchange MTA
<computername>        6A         U     Microsoft Exchange IMC
<computername>        BE         U     Network Monitor Agent
<computername>        BF         U     Network Monitor Application
<username>            03         U     Messenger Service
<domain>              00         G     Domain Name
<domain>              1B         U     Domain Master Browser
<domain>              1C         G     Domain Controllers
<domain>              1D         U     Master Browser
<domain>              1E         G     Browser Service Elections
<INet~Services>       1C         G     IIS
<IS~computer name>    00         U     IIS
<computername>        2B         U     Lotus Notes Server Service
IRISMULTICAST         2F         G     Lotus Notes
IRISNAMESERVER        33         G     Lotus Notes
Forte_$ND800ZA        20         U     DCA IrmaLan Gateway Server Service

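
To make the suffix table usable on real output, here is an added example (my own code, not from this post or from the Samba project) that parses an nmblookup -A node-status reply into the workstation name, workgroup/domain, logged-on users and server roles using the meanings above. The sample reply, its names and its MAC address are constructed; the entry regex assumes Samba's node-status layout (name, <hh> suffix in lowercase hex, a dash, optional <GROUP>, node type letter, state).

```python
"""Decode the name table returned by `nmblookup -A <ip>` (NetBIOS node status).

Added example, not part of the original post. SAMPLE_REPLY is constructed;
SUFFIX_MEANING is a subset of the suffix table in the post.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# (suffix, is_group) -> meaning, from the suffix table in the post.
SUFFIX_MEANING = {
    (0x00, False): "Workstation Service",
    (0x00, True): "Domain Name",
    (0x01, True): "Master Browser (__MSBROWSE__)",
    (0x03, False): "Messenger Service",
    (0x06, False): "RAS Server Service",
    (0x1B, False): "Domain Master Browser",
    (0x1C, True): "Domain Controllers",
    (0x1D, False): "Master Browser",
    (0x1E, True): "Browser Service Elections",
    (0x1F, False): "NetDDE Service",
    (0x20, False): "File Server Service",
    (0x21, False): "RAS Client Service",
    (0xBE, False): "Network Monitor Agent",
    (0xBF, False): "Network Monitor Application",
}
# Suffixes that tell us what the host is doing, not just what it is called.
ROLE_KEYS = {(0x20, False), (0x1B, False), (0x1C, True), (0x1D, False)}

# One name-table line, e.g. "\tJSMITH   <03> -   B <ACTIVE>"; group names carry "<GROUP>".
ENTRY_RE = re.compile(
    r"^\s*(\S.*?)\s+<([0-9a-fA-F]{2})>\s+-\s+(<GROUP>)?\s*[BPMH]\s+<([A-Z]+)>"
)
MAC_RE = re.compile(r"MAC Address = ([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


@dataclass
class NodeStatus:
    computer_name: Optional[str] = None
    domain: Optional[str] = None
    logged_on_users: List[str] = field(default_factory=list)
    roles: List[str] = field(default_factory=list)
    mac: Optional[str] = None
    # (name, suffix, is_group, meaning) for every entry in the reply
    entries: List[Tuple[str, int, bool, str]] = field(default_factory=list)


def parse_node_status(text: str) -> NodeStatus:
    """Parse raw `nmblookup -A` output into a NodeStatus."""
    status = NodeStatus()
    messenger_names: List[str] = []
    for line in text.splitlines():
        mac = MAC_RE.search(line)
        if mac:
            status.mac = mac.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # "Looking up status of ..." banner, blank lines, etc.
        name = m.group(1).strip()
        suffix = int(m.group(2), 16)
        is_group = m.group(3) is not None
        meaning = SUFFIX_MEANING.get((suffix, is_group), "unknown")
        status.entries.append((name, suffix, is_group, meaning))
        if suffix == 0x00 and not is_group and status.computer_name is None:
            status.computer_name = name  # workstation name
        elif suffix == 0x00 and is_group and status.domain is None:
            status.domain = name  # domain or workgroup
        elif suffix == 0x03 and not is_group:
            messenger_names.append(name)
        elif (suffix, is_group) in ROLE_KEYS:
            status.roles.append(meaning)
    # Both the computer name and each logged-on user register a unique <03>
    # name; the user is the <03> entry that is not the workstation name.
    status.logged_on_users = [n for n in messenger_names if n != status.computer_name]
    return status


def summarize(status: NodeStatus) -> str:
    """One-line, human-readable summary of what the reply reveals."""
    return " ".join([
        f"computer={status.computer_name}",
        f"domain={status.domain}",
        "users=" + (",".join(status.logged_on_users) or "-"),
        "roles=" + (";".join(status.roles) or "-"),
        f"mac={status.mac}",
    ])


# Constructed sample in nmblookup's layout; the __MSBROWSE__ name shows up with
# its two unprintable bytes rendered as dots, as nmblookup prints it.
SAMPLE_REPLY = """Looking up status of 10.0.0.2
\tWORKSTATION1    <00> -         B <ACTIVE>
\tWORKGROUP       <00> - <GROUP> B <ACTIVE>
\tWORKSTATION1    <20> -         B <ACTIVE>
\tWORKGROUP       <1e> - <GROUP> B <ACTIVE>
\tWORKSTATION1    <03> -         B <ACTIVE>
\tJSMITH          <03> -         B <ACTIVE>
\tWORKGROUP       <1d> -         B <ACTIVE>
\t..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>

\tMAC Address = 00-11-22-33-44-55
"""

if __name__ == "__main__":
    print(summarize(parse_node_status(SAMPLE_REPLY)))
```

Feed it the real reply with `parse_node_status(subprocess.check_output(["nmblookup", "-A", ip]).decode())`; an empty `logged_on_users` list with a present `<00>` name usually just means nobody is logged on interactively, since the Messenger service only registers a user's <03> name while that user has a session.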
Next, we can use smbclient to reveal the shares on a particular system.

# smbclient -N -L 10.0.0.2 //List share names and OS type

-N: Suppresses the password prompt (we are assuming we don't have any passwords, so this attempts a null session).
-L: Lists the shares and any other services it can see on the host.

We can then attempt to connect to a share on the system.

# smbclient //10.0.0.2/share -N // try and connect to 'share' on 10.0.0.2

If you are lucky and manage to get into the share, it is the result of a poorly configured share. You can browse the directory, upload/download files and some other goodness. Type help for a list of commands at your disposal.

smb: \> help
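
To turn the share listing into something you can report, here is an added example (my own code, not from this post or from the Samba project) that parses smbclient -N -L output and states what an unauthenticated neighbour learned: whether the null session was accepted, what OS banner was disclosed, and which non-hidden disk shares were listed. The sample listing is constructed to look like smbclient's output for an XP-era host; the share regex assumes smbclient's type words Disk, Printer, IPC and Device.

```python
"""Parse `smbclient -N -L <host>` output and flag what a null session reveals.

Added example, not part of the original post. SAMPLE_LISTING is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# "Domain=[WORKGROUP] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]"
BANNER_RE = re.compile(r"Domain=\[([^\]]*)\] OS=\[([^\]]*)\] Server=\[([^\]]*)\]")
# "\tSharedDocs      Disk      <comment>" -> name, type, optional comment.
# The name is matched lazily so share names containing spaces still parse.
SHARE_RE = re.compile(r"^\s*(.+?)\s+(Disk|Printer|IPC|Device)\s*(.*?)\s*$")


@dataclass
class ShareListing:
    anonymous: bool = False  # "Anonymous login successful" seen
    domain: Optional[str] = None
    os: Optional[str] = None
    server: Optional[str] = None
    shares: List[Tuple[str, str, str]] = field(default_factory=list)  # (name, type, comment)


def parse_share_listing(text: str) -> ShareListing:
    """Parse raw `smbclient -L` output into a ShareListing."""
    listing = ShareListing()
    in_shares = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Anonymous login successful":
            listing.anonymous = True
            continue
        banner = BANNER_RE.search(line)
        if banner:
            listing.domain, listing.os, listing.server = banner.groups()
            continue
        if stripped.startswith("Sharename"):
            in_shares = True  # header of the share table
            continue
        if in_shares:
            if not stripped:
                in_shares = False  # blank line ends the share table
                continue
            if stripped.startswith("---"):
                continue
            m = SHARE_RE.match(line)
            if m:
                listing.shares.append((m.group(1), m.group(2), m.group(3)))
    return listing


def null_session_findings(listing: ShareListing) -> List[str]:
    """Audit-style findings: what a client with no credentials could learn."""
    findings: List[str] = []
    if listing.anonymous:
        findings.append("null session (anonymous login) accepted")
    if listing.os:
        findings.append(f"OS banner disclosed: {listing.os} ({listing.server})")
    # Shares ending in '$' are hidden administrative shares; the rest are what
    # anyone browsing the network sees.
    visible = [n for n, t, _ in listing.shares if t == "Disk" and not n.endswith("$")]
    if visible:
        findings.append("non-hidden disk shares enumerable anonymously: " + ", ".join(visible))
    return findings


# Constructed sample in smbclient's layout (Samba 3.x era).
SAMPLE_LISTING = """Anonymous login successful
Domain=[WORKGROUP] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

\tSharename       Type      Comment
\t---------       ----      -------
\tIPC$            IPC       Remote IPC
\tprint$          Disk      Printer Drivers
\tSharedDocs      Disk
\tADMIN$          Disk      Remote Admin
\tC$              Disk      Default share
Anonymous login successful
Domain=[WORKGROUP] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

\tServer               Comment
\t---------            -------
\tWORKSTATION1

\tWorkgroup            Master
\t---------            -------
\tWORKGROUP            WORKSTATION1
"""

if __name__ == "__main__":
    for finding in null_session_findings(parse_share_listing(SAMPLE_LISTING)):
        print("-", finding)
```

On a host that rejects null sessions the listing carries no "Anonymous login successful" line and no share table, so `null_session_findings` returns an empty list; that is the state you want every workstation on the segment to be in.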

It's more difficult to set up a proper share on XP with the appropriate permissions than to set up a share that's open to everyone. Sounds like the mindset of the typical Windows user, ain't it. I'll admit, I was one of 'em.

Resources/Good reading:
http://pur3h4t3.blogspot.com/2008/12/scripts.html
http://www.windowsnetworking.com/kbase/WindowsTips/WindowsNT/AdminTips/Utilities/Nbtstatrevealswhoisloggedon.html
