:: N(etbios)E(numerated)S(ecurity)S(sweep)
:: Written by: GABRIEL
:: Purpose: Automated NetBIOS security sweep.
:: Details: Attempts to log on to the ipc$ share with a null password, and to the c$ share
::          as administrator with a null password.
:: Usage: This script takes only 2 parameters: the subnet address (first three octets) and
::        the ping timeout in milliseconds. Both are required for this script to function.
::        The timeout depends on the network connection available and should be adjusted
::        accordingly. I have found a timeout of 1 is very effective on a 100 Mbps LAN and,
::        conversely, a timeout of 5 or more for a broadband WAN connection.
::        i.e. ness 192.168.0 5
:: This script is for security auditing ONLY! I am not responsible for your actions.
:: You have been warned!

@Echo Off
Set /a counter=0
Set subnet=%1
Set timeout=%2
Set saveDir=c:\NESS
Set aliveFile=%saveDir%\alive.txt
Set ipcFile=%saveDir%\ipc.txt
Set adminFile=%saveDir%\admin.txt
Set auditedFile=%saveDir%\audited.txt

:: Both parameters are required; print the usage line and stop if either is missing.
If "%subnet%"=="" Goto :Usage
If "%timeout%"=="" Goto :Usage
:: The results directory must exist before the first redirect into it.
If Not Exist %saveDir% Md %saveDir%

Echo.
Echo *****************NESS******************
Echo N(etbios)E(numerating)S(ecurity)S(weep)
Echo Written by: GABRIEL 09/01/02
Echo ***************************************
Echo.
Echo Starting sweep of %subnet%.*
Echo %subnet%.* >> %auditedFile%

:Loop
Set /a counter=%counter%+1
If %counter% GEQ 255 Goto :Exit
:: A real reply line contains "TTL="; "Request timed out." and
:: "Destination host unreachable." do not, so only replies count as up.
ping -n 1 -w %timeout% %subnet%.%counter% | find "TTL=" > nul
If errorlevel 1 Goto :HostDown
Goto :HostUp
::Loop end

:HostUp
Echo %subnet%.%counter% appears to be up. Attempting to access ipc$.
Echo %subnet%.%counter% >> %aliveFile%
Goto :Ipc
::HostUp end

:HostDown
Goto :Loop
::HostDown end

:Ipc
:: Null session: empty password and empty user name.
:: find's exit code is what errorlevel reflects here, not net use's.
net use \\%subnet%.%counter%\ipc$ "" /user:"" | find "completed" > nul
If errorlevel 1 Goto :Secure
Echo IPC$ CONNECTED! Attempting to log in as administrator.
Echo %subnet%.%counter% >> %ipcFile%
nbtstat -A %subnet%.%counter% >> %ipcFile%
Echo ********************************************************************* >> %ipcFile%
net use \\%subnet%.%counter%\ipc$ /delete > nul
Goto :Admin
::Ipc end

:Admin
:: Administrative share with a blank administrator password.
net use \\%subnet%.%counter%\c$ "" /user:administrator | find "completed" > nul
If errorlevel 1 Goto :Secure
Echo C$ CONNECTED! THERE IS NO ADMIN PASSWORD!
Echo.
Echo %subnet%.%counter% >> %adminFile%
net use \\%subnet%.%counter%\c$ /delete > nul
Goto :Loop
::Admin end

:Secure
Goto :Loop
::Secure end

:Exit
Echo Sweep of %subnet%.* completed. Results have been saved to the %saveDir% directory.
Goto :EOF
::Exit end

:Usage
Echo Usage: ness subnet timeout_ms   (i.e. ness 192.168.0 5)
::Usage end