NetBIOS enumeration reveals a lot of sensitive information about the target network,
including user accounts and network shares, which is why it is regarded as the first
option for enumeration. Windows uses NetBIOS for file and printer
sharing.
To identify devices over TCP/IP, each Windows system is assigned a
unique 16-character ASCII string called the NetBIOS name. The first 15 characters
carry the device name and the 16th character is reserved for the service
or record type (the NetBIOS code shown in the table below).
Attackers use NetBIOS enumeration to obtain the following:
- The list of computers that belong to a domain
- The list of shares on the individual hosts in a network
- Policies and passwords
NetBIOS Name List
| Name | NetBIOS Code | Type | Information Obtained |
|---|---|---|---|
| <host name> | <00> | UNIQUE | Hostname |
| <domain> | <00> | GROUP | Domain Name |
| <host name> | <03> | UNIQUE | Messenger service running for the computer |
| <username> | <03> | UNIQUE | Messenger service running for the logged-in user |
| <host name> | <20> | UNIQUE | Server service running |
| <domain> | <1D> | GROUP | Master browser name for the subnet |
| <domain> | <1B> | UNIQUE | Domain master browser name, which identifies the primary domain controller (PDC) for the domain |
| <domain> | <1E> | GROUP | Browser service elections |
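The name format and the table above can be exercised in code. The following Python is an added example, not code from the original page: it builds the 16-byte NetBIOS name (15 name bytes plus the code byte), applies the RFC 1001 first-level encoding that NetBIOS Name Service packets carry on the wire, and parses the name array of a node-status response (the data nbtstat -a receives) back into the rows of the table. The lookup table is taken from the page; the sample response for a host WS01 in a domain CORP is constructed for the example, and the two <03> rows are merged into one entry because the code alone does not distinguish them.

```python
"""NetBIOS name handling: added illustration of the name format and the
name-table entries described above (not code from the original page)."""
import struct

# Meaning of (code, type) pairs, taken from the NetBIOS Name List table above.
SUFFIXES = {
    (0x00, "UNIQUE"): "Hostname",
    (0x00, "GROUP"): "Domain Name",
    (0x03, "UNIQUE"): "Messenger service (computer or logged-in user)",
    (0x20, "UNIQUE"): "Server service running",
    (0x1D, "GROUP"): "Master browser name for the subnet",
    (0x1B, "UNIQUE"): "Domain master browser name (PDC)",
    (0x1E, "GROUP"): "Browser service elections",
}


def netbios_name(name: str, suffix: int) -> bytes:
    """Build the 16-byte name: 15 bytes of upper-case name, space padded, then the code byte."""
    raw = name.upper().encode("ascii")
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    return raw.ljust(15, b" ") + bytes([suffix])


def first_level_encode(name16: bytes) -> str:
    """RFC 1001 first-level encoding: every nibble becomes one letter in A..P."""
    out = []
    for b in name16:
        out.append(chr(0x41 + (b >> 4)))
        out.append(chr(0x41 + (b & 0x0F)))
    return "".join(out)


def first_level_decode(encoded: str) -> bytes:
    """Inverse of first_level_encode: 32 letters back into the 16 raw bytes."""
    if len(encoded) != 32:
        raise ValueError("first-level encoded names are 32 characters")
    return bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                 for i in range(0, 32, 2))


def parse_node_status_names(payload: bytes) -> list:
    """Parse the NODE_NAME array of a node-status (NBSTAT) response.

    Layout per RFC 1002: a 1-byte count, then 18-byte entries made of the
    15-byte name, the 1-byte code and 2-byte NAME_FLAGS (bit 15 set = GROUP).
    """
    count = payload[0]
    entries = []
    for i in range(count):
        off = 1 + 18 * i
        entry = payload[off:off + 18]
        name = entry[:15].rstrip(b" ").decode("ascii", "replace")
        suffix = entry[15]
        flags = struct.unpack(">H", entry[16:18])[0]
        kind = "GROUP" if flags & 0x8000 else "UNIQUE"
        meaning = SUFFIXES.get((suffix, kind), "unknown code")
        entries.append({"name": name, "suffix": suffix, "type": kind, "meaning": meaning})
    return entries


def _entry(name: str, suffix: int, group: bool) -> bytes:
    """One constructed 18-byte NODE_NAME entry with the ACT (active) flag set."""
    flags = (0x8000 if group else 0x0000) | 0x0400
    return netbios_name(name, suffix) + struct.pack(">H", flags)


# Constructed sample: what a workstation WS01 in domain CORP might answer.
SAMPLE_NODE_STATUS = (bytes([4]) + _entry("WS01", 0x00, False) + _entry("CORP", 0x00, True)
                      + _entry("WS01", 0x20, False) + _entry("CORP", 0x1E, True))

if __name__ == "__main__":
    print(first_level_encode(netbios_name("WS01", 0x20)))
    for e in parse_node_status_names(SAMPLE_NODE_STATUS):
        print(f"{e['name']:<15} <{e['suffix']:02X}> {e['type']:<6} {e['meaning']}")
```

The UNIQUE/GROUP column comes from bit 15 of NAME_FLAGS, not from the name itself, which is why the same <00> code means the hostname on one row and the domain name on another; any parser of nbtstat-style output has to keep both values together.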
TOOLS
- NBTSTAT is a Windows utility that helps troubleshoot NetBIOS name resolution problems. nbtstat -a <IP_ADDRESS> obtains the NetBIOS name table of a remote computer, and nbtstat -c displays the contents of the local NetBIOS name cache.
- NetBIOS Enumerator is an enumeration tool that uses remote network support to query NetBIOS and related protocols such as SMB.
- Nmap: the nbstat NSE script retrieves the target's NetBIOS names and MAC address. By default the script displays the computer name and the logged-in user; with the verbosity turned up it displays all names associated with that system: nmap -sV -v --script nbstat.nse <target_ip_address>.
- Net View is used to obtain a list of all the shared resources of a remote host or workgroup. net view \\<IP> displays the resources of a specific computer, and adding /ALL shows hidden shares as well. net view /domain:<domain name> displays all the shares in the domain.
- Global Network Inventory
- Advanced IP Scanner
- Hyena
- Nsauditor Network Security Auditor
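nbtstat -a and the Nmap nbstat script query each target's name table over UDP port 137, so on the defensive side a single source fanning out to many hosts on that port in a short window is a practical signal of NetBIOS enumeration. The following Python is an added example (not code from the page or from any of the tools listed): it reads constructed flow records of the form "timestamp src dst dport proto" and reports sources that reached at least a threshold of distinct hosts on UDP/137 inside a sliding time window. The log format, the addresses, the 60-second window and the threshold of 5 are assumptions chosen for the example.

```python
"""Detect NetBIOS name-table sweeps in flow records (added example, not from the page)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed flow log, one record per line: "<ISO timestamp> <src> <dst> <dport> <proto>".
# 10.0.0.5 sweeps six hosts in a few seconds; 10.0.0.20 and 10.0.0.21 look like
# ordinary name resolution; the TCP/445 record is not a name-service query.
FLOW_LOG = "\n".join([
    "2024-05-01T10:00:00 10.0.0.20 10.0.0.1 137 udp",
    "2024-05-01T10:00:02 10.0.0.5 10.0.0.10 137 udp",
    "2024-05-01T10:00:02 10.0.0.5 10.0.0.11 137 udp",
    "2024-05-01T10:00:03 10.0.0.5 10.0.0.12 137 udp",
    "2024-05-01T10:00:03 10.0.0.5 10.0.0.13 137 udp",
    "2024-05-01T10:00:04 10.0.0.5 10.0.0.14 137 udp",
    "2024-05-01T10:00:04 10.0.0.5 10.0.0.15 137 udp",
    "2024-05-01T10:00:05 10.0.0.5 10.0.0.16 445 tcp",
    "2024-05-01T10:00:30 10.0.0.20 10.0.0.1 137 udp",
    "2024-05-01T10:05:00 10.0.0.21 10.0.0.2 137 udp",
    "2024-05-01T10:09:00 10.0.0.21 10.0.0.3 137 udp",
])


def parse_flows(text: str) -> list:
    """Turn the flow lines into (timestamp, src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), proto.lower()))
    return flows


def _max_distinct_in_window(events: list, window: timedelta) -> int:
    """events: list of (timestamp, dst). Largest number of distinct destinations
    seen inside any span of length `window` (two-pointer sliding scan)."""
    events.sort()
    live = Counter()          # destinations currently inside the window
    left = best = 0
    for ts, dst in events:
        live[dst] += 1
        while ts - events[left][0] > window:   # drop events that fell out of the window
            old = events[left][1]
            live[old] -= 1
            if live[old] == 0:
                del live[old]
            left += 1
        best = max(best, len(live))
    return best


def find_nbns_sweeps(flows: list, window_seconds: int = 60, threshold: int = 5) -> dict:
    """Return {src: distinct_targets} for sources that sent UDP/137 traffic to
    at least `threshold` distinct hosts within `window_seconds`."""
    per_src = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if dport == 137 and proto == "udp":
            per_src[src].append((ts, dst))
    window = timedelta(seconds=window_seconds)
    hits = {}
    for src, events in per_src.items():
        n = _max_distinct_in_window(events, window)
        if n >= threshold:
            hits[src] = n
    return hits


if __name__ == "__main__":
    for src, n in find_nbns_sweeps(parse_flows(FLOW_LOG)).items():
        print(f"{src} queried {n} distinct hosts on UDP/137 within 60s")
```

Counting distinct destinations rather than raw packets keeps a host that repeatedly resolves one name (10.0.0.20 above) below the threshold, while the sliding window keeps slow, spread-out queries (10.0.0.21) from accumulating into a false alert.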
Enumerating User Accounts
The PsTools suite can be used to enumerate user accounts and to control and manage remote systems from the command line. The following tools in the suite are useful for
enumerating user accounts:
- PsExec launches interactive command prompts on remote systems and runs console tools such as ipconfig remotely.
- PsFile lists the files on the local system that have been opened by remote systems.
- PsGetSid translates SIDs to their display names and vice versa.
- PsKill kills processes by name or process ID.
- PsInfo lists information about a system.
- PsList lists detailed information about processes.
- PsLoggedOn shows who is logged on locally and via resource sharing.
- PsLogList dumps event log records.
- PsPasswd changes an account password on local or remote systems.
- PsShutdown shuts down and optionally reboots a local or remote computer.
You might also be interested in:
- Phases of Hacking
- Introduction to Enumeration
- SNMP Enumeration
- LDAP Enumeration
- NTP, NFS and SMTP Enumeration
- DNS Enumeration
- Telnet, SMB, FTP and TFTP Enumeration
- Other Enumeration Techniques (IPSec, VoIP, RPC, Unix/Linux, IPv6, and BGP)
We hope this helps. If you have any suggestions or doubts you can add a
comment and we will reply as soon as possible.