# netdiscover -i eth0 -r 10.0.0.2/24 //Discover live clients that respond to our ARP requests
I personally would use nmap for this, as it has many other scan techniques than just the ARP method. After we identify our potential target (we are gonna use 10.0.0.2), let's use it in smbclient and nmblookup.
# nmblookup -A 10.0.0.2 //resolve 10.0.0.2 netbios name
The hex code in the second column means something to us. If you get <03>, the corresponding text to the left of '<03>' would be the currently logged in user. Below is a list, taken from http://www.windowsnetworking.com/kbase/WindowsTips/WindowsNT/AdminTips/Utilities/Nbtstatrevealswhoisloggedon.html, that lists some of the meanings behind the hex codes.
Name                Number(h)  Type  Usage
--------------------------------------------------------------------------
                    00         U     Workstation Service
                    01         U     Messenger Service
<\\--__MSBROWSE__>  01         G     Master Browser
                    03         U     Messenger Service
                    06         U     RAS Server Service
                    1F         U     NetDDE Service
                    20         U     File Server Service
                    21         U     RAS Client Service
                    22         U     Microsoft Exchange Interchange (MSMail Connector)
                    23         U     Microsoft Exchange Store
                    24         U     Microsoft Exchange Directory
                    30         U     Modem Sharing Server Service
                    31         U     Modem Sharing Client Service
                    43         U     SMS Clients Remote Control
                    44         U     SMS Administrators Remote Control Tool
                    45         U     SMS Clients Remote Chat
                    46         U     SMS Clients Remote Transfer
                    4C         U     DEC Pathworks TCPIP service on Windows NT
                    42         U     McAfee anti-virus
                    52         U     DEC Pathworks TCPIP service on Windows NT
                    87         U     Microsoft Exchange MTA
                    6A         U     Microsoft Exchange IMC
                    BE         U     Network Monitor Agent
                    BF         U     Network Monitor Application
                    03         U     Messenger Service
                    00         G     Domain Name
                    1B         U     Domain Master Browser
                    1C         G     Domain Controllers
                    1D         U     Master Browser
                    1E         G     Browser Service Elections
                    1C         G     IIS
                    00         U     IIS
                    2B         U     Lotus Notes Server Service
IRISMULTICAST       2F         G     Lotus Notes
IRISNAMESERVER      33         G     Lotus Notes
Forte_$ND800ZA      20         U     DCA IrmaLan Gateway Server Service

Next we can use smbclient to reveal the shares on a particular system.
# smbclient -N -L 10.0.0.2 //List share names and OS type
-N: Suppresses the password prompt, assuming we don't know of any passwords.
-L: Lists shares and any other available services it can see.
We can attempt to connect/login to a system share.
# smbclient //10.0.0.2/share -N // try and connect to 'share' on 10.0.0.2
If you are lucky and manage to get into the share, it's a result of poorly implemented shares. You can browse the directory, upload/download files and some other goodness. Type help for a list of commands at your disposal.
smb: \> help
It's more difficult to set up a proper share on XP with the appropriate permissions than to set up a share that's open to everyone. Sounds like the mindset of the typical Windows user, ain't it? I'll admit, I was one of 'em.
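To see what one of your own hosts gives away to the nmblookup -A query above, the following added example (not part of the original post) parses that output, decodes the suffix codes with a subset of the list in this post, and reports the host name, logged-in user and file-server registration. The sample output and the names XPBOX, WORKGROUP and ALICE are constructed, and the function names are illustrative.

```python
import re

# (suffix, type) -> usage, a subset of the list in this post. U = unique, G = group.
SUFFIXES = {
    ("00", "U"): "Workstation Service",
    ("00", "G"): "Domain Name",
    ("03", "U"): "Messenger Service",
    ("1E", "G"): "Browser Service Elections",
    ("20", "U"): "File Server Service",
}

# One name-table row: NAME <hex> - [<GROUP>] <node type letter> <flags>
ROW = re.compile(r"^\s*(\S.*?)\s+<([0-9A-Fa-f]{2})>\s+-\s+(<GROUP>)?\s*[BPMH]\s+<")

# Constructed sample of `nmblookup -A` output; the names are made up.
SAMPLE = """\
Looking up status of 10.0.0.2
\tXPBOX           <00> -         B <ACTIVE>
\tWORKGROUP       <00> - <GROUP> B <ACTIVE>
\tXPBOX           <03> -         B <ACTIVE>
\tXPBOX           <20> -         B <ACTIVE>
\tALICE           <03> -         B <ACTIVE>
\tWORKGROUP       <1e> - <GROUP> B <ACTIVE>
"""

def parse_status(text):
    """Return (name, suffix, type, usage) for every name-table row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            suffix, kind = m.group(2).upper(), "G" if m.group(3) else "U"
            usage = SUFFIXES.get((suffix, kind), "not in table")
            rows.append((m.group(1), suffix, kind, usage))
    return rows

def disclosed(rows):
    """Summarise what the host tells anyone who sends the query."""
    host = next((n for n, s, k, _ in rows if (s, k) == ("00", "U")), None)
    # The computer name registers <03> too, so only other <03> names are users.
    users = [n for n, s, k, _ in rows if (s, k) == ("03", "U") and n != host]
    file_server = any((s, k) == ("20", "U") for _, s, k, _ in rows)
    return {"host": host, "users": users, "file_server": file_server}

if __name__ == "__main__":
    for row in parse_status(SAMPLE):
        print("%-16s <%s> %s  %s" % row)
    print(disclosed(parse_status(SAMPLE)))
```

A host that reports a user name and a <20> registration here is answering unauthenticated queries with both, which is the exposure the open shares described above build on.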
Resources/Good reading:
http://pur3h4t3.blogspot.com/2008/12/scripts.html
http://www.windowsnetworking.com/kbase/WindowsTips/WindowsNT/AdminTips/Utilities/Nbtstatrevealswhoisloggedon.html