Thursday, November 26, 2009

Playing with netbios shares (smbclient and nmblookup)

So you are on a network and wanna learn info about your neighbours, whats their computer name is, who is logged on share names etc. Windows make most of this information easy for us to obtain. Enter the smbclient, an ftp-like client to access smb/cifs resources and nmblookup is a utilty that is used to lookup Netbios names. Before we begin our enumeration of the network we need to determine the IP's of the live windows clients.

# netdiscover -i eth0 -r //Discover live clients that respond to our arp requests

I personally would use nmap for this as it has many other scan techniques than just the arp method. After we identify oue potential target (we are gonna use lets use them in smbclient and nmblookup.

#nmblookup -A //resolve netbios name. The hex code in the second column means something to us. If you get <03> the corresponding text to the left of '<03>' would be the currently logged in user. Below is a list taken from ,, that list some of the meanings behind the hex code.

Name                Number(h)  Type  Usage
00 U Workstation Service
01 U Messenger Service
01 G Master Browser
03 U Messenger Service
06 U RAS Server Service
1F U NetDDE Service
20 U File Server Service
21 U RAS Client Service
22 U Microsoft Exchange Interchange(MSMail

23 U Microsoft Exchange Store
24 U Microsoft Exchange Directory
30 U Modem Sharing Server Service
31 U Modem Sharing Client Service
43 U SMS Clients Remote Control
44 U SMS Administrators Remote Control

45 U SMS Clients Remote Chat
46 U SMS Clients Remote Transfer
4C U DEC Pathworks TCPIP service on
Windows NT

42 U mccaffee anti-virus
52 U DEC Pathworks TCPIP service on
Windows NT

87 U Microsoft Exchange MTA
6A U Microsoft Exchange IMC
BE U Network Monitor Agent
BF U Network Monitor Application
03 U Messenger Service
00 G Domain Name
1B U Domain Master Browser
1C G Domain Controllers
1D U Master Browser
1E G Browser Service Elections
00 U IIS
2B U Lotus Notes Server Service
2F G Lotus Notes
33 G Lotus Notes
20 U DCA IrmaLan Gateway Server Service
Next we can use smbclient to reveal the shares on a particular system.

# smbclient -N -L //List share names and OS type

-N: Surpases the password prompt, assuming we dont of any passwords
-L: list shares and any other available service it can see.

We can attempt to connect/login to a system share.

# smbclient // -N // try and connect to 'share' on

If you are lucky and manage to get into the share, its as of a result of poorly implemented shares. Yon can browse the directory, upload/download files and some other goodness. Type help for a list of commands at your disposal.

# smb> help

Its more difficult to set up a proper share on XP with the appropriate permissions than to set up
a share thats open to everyone. Sounds like the mindset of the typical windows user aint it. I'll admit, i was one of em.

Resources/Good reading:

No comments:

Post a Comment