How does it work?
PCs on a NetBIOS LAN communicate through sessions or by using datagrams.
UDP 137 for name services
- Serves the same function as DNS records: it translates and maps a NetBIOS name to an IP address.
- A name is a unique 16-byte address that identifies a NetBIOS resource on the network; it is registered dynamically when a service or application starts. Names can be registered as unique names or as group names.
- The exact name used by the service is the 15-character computer name plus a 16th character of 0x20. If the computer name is shorter than 15 characters, it is padded with spaces to 15 characters. Ex.
  CORPSERVER [20]
  Reference: [MS-BRWS]: NetBIOS Suffix Definitions
NetBIOS name resolution: TCP/IP
- A NetBIOS Name Query is used to resolve the NetBIOS name to an IP address, by using Windows Internet Name Service (WINS).
- Although NetBIOS and NetBIOS names can be used with network protocols other than TCP/IP, WINS was designed specifically to support NetBIOS over TCP/IP (NetBT). WINS is required for any environment in which users access resources that have NetBIOS names. If you do not use WINS in such a network, you cannot connect to a remote network resource by using its NetBIOS name unless you use LMHOSTS files, and you might be unable to establish file and print sharing connections.
- To list the NetBIOS names registered on the local machine: nbtstat -n
UDP 138 for datagram services
- NetBIOS Datagram Service (NBDS) permits sending messages to a NetBIOS name. It runs on UDP port 138, so the communication is connectionless.
- Allows sending and receiving datagram messages to and from:
  - A specific NetBIOS name.
  - All NetBIOS names (broadcast datagram).
TCP 139 for session services
- NetBIOS Session Service (NBSS), the most commonly known NetBIOS service.
- Allows two names to establish a connection in order to exchange data, for example a file sharing connection.
- Steps:
  - The NetBIOS name is resolved to an IP address.
  - A TCP connection is established between the two devices on port 139.
  - The device starting the connection sends a NetBIOS Session Request over the TCP connection. This includes the NetBIOS name of the application that wants to establish the connection and the NetBIOS name to connect to.
  - If the remote device is listening on that name, it returns a positive response and the session is established.
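The name rule from the name-services section (15 characters padded with spaces, plus a one-byte suffix such as the 0x20 shown for CORPSERVER) and the Session Request from the steps above, worked through in code. This is an added example written for these notes, not code from the notes or from any NetBIOS implementation; the on-wire encoding and message types follow RFC 1001/1002, the names and packets are constructed here, and the optional request_session helper is the only part that touches the network.

```python
"""NetBIOS name encoding and session-service framing (TCP 139).

Added illustration for these notes (not code from the notes). Shows the
15-character-plus-suffix name, its RFC 1002 "first-level" encoding, the
Session Request sent after the TCP handshake, and how the positive or
negative response is read. All names and packets below are constructed.
"""
import struct

SESSION_REQUEST, POSITIVE_RESPONSE, NEGATIVE_RESPONSE = 0x81, 0x82, 0x83
FILE_SERVER_SUFFIX = 0x20   # the [20] suffix shown in the notes

# RFC 1002 negative-response error codes
NEGATIVE_REASONS = {
    0x80: "Not listening on called name",
    0x81: "Not listening for calling name",
    0x82: "Called name not present",
    0x83: "Called name present, but insufficient resources",
    0x8F: "Unspecified error",
}


def netbios_name(name, suffix=FILE_SERVER_SUFFIX):
    """Pad the computer name with spaces to 15 bytes and append the 1-byte suffix (16 bytes)."""
    raw = name.upper().encode("ascii")
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    return raw.ljust(15, b" ") + bytes([suffix])


def first_level_encode(name16):
    """Each byte becomes two letters: high nibble + 'A', low nibble + 'A' (32 chars total)."""
    return "".join(chr(ord("A") + (b >> 4)) + chr(ord("A") + (b & 0x0F)) for b in name16)


def first_level_decode(encoded):
    """Inverse of first_level_encode: returns (computer name, suffix byte)."""
    raw = bytes(((ord(encoded[i]) - 65) << 4) | (ord(encoded[i + 1]) - 65)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def encoded_name_field(name16):
    """Length byte 0x20, 32 encoded characters, then a 0x00 terminator: 34 bytes."""
    return b"\x20" + first_level_encode(name16).encode("ascii") + b"\x00"


def build_session_request(called, calling, called_suffix=FILE_SERVER_SUFFIX, calling_suffix=0x00):
    """Session header (type 0x81, flags, 2-byte length) followed by called and calling names."""
    body = (encoded_name_field(netbios_name(called, called_suffix))
            + encoded_name_field(netbios_name(calling, calling_suffix)))
    return struct.pack(">BBH", SESSION_REQUEST, 0, len(body)) + body


def parse_session_request(data):
    """Inverse of build_session_request: (called, called_suffix, calling, calling_suffix)."""
    msg_type, _, length = struct.unpack(">BBH", data[:4])
    if msg_type != SESSION_REQUEST or length != 68:
        raise ValueError("not a session request")
    called = first_level_decode(data[5:37].decode("ascii"))
    calling = first_level_decode(data[39:71].decode("ascii"))
    return called + calling


def parse_session_response(data):
    """Return ('positive', None) or ('negative', reason); anything else is an error."""
    if len(data) < 4:
        raise ValueError("short session header")
    msg_type, _, length = struct.unpack(">BBH", data[:4])
    if msg_type == POSITIVE_RESPONSE:
        return "positive", None
    if msg_type == NEGATIVE_RESPONSE and length == 1 and len(data) >= 5:
        return "negative", NEGATIVE_REASONS.get(data[4], "unknown code 0x%02x" % data[4])
    raise ValueError("unexpected session message type 0x%02x" % msg_type)


def request_session(host, called, calling="WORKSTATION", port=139, timeout=5):
    """Open TCP 139, send the Session Request and interpret the reply (hypothetical helper)."""
    import socket
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_session_request(called, calling))
        return parse_session_response(s.recv(1024))


if __name__ == "__main__":
    print(first_level_encode(netbios_name("CORPSERVER")))      # the [20] name from the notes
    print(parse_session_request(build_session_request("CORPSERVER", "WORKSTATION1")))
    print(parse_session_response(b"\x83\x00\x00\x01\x82"))    # constructed negative reply
```

The encoded form of "*SMBSERVER" with suffix 0x20 comes out as CKFDENECFDEFFCFGEFFCCACACACACACA, the generic called name clients send when they do not know the server's NetBIOS name; a negative response with code 0x82 is the "called name not present" case from the last step above.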
SMB Protocol
Server Message Block. SMB lets you share files, disks, directories, printers and COM ports across a network.
- Before Windows 2000, SMB ran only within NetBIOS over TCP/IP (port 139), so a NetBIOS session was required.
- Windows 2000 and later can run SMB directly over TCP/IP (direct hosting), using TCP port 445.
Since SMB provides features for manipulating files, sharing, messaging and Interprocess Communication (IPC), it is important to enumerate this service.
Using nbtstat to enumerate NetBIOS. Ex.
net view [IP]
  lists domains, computers, and resources shared by a computer in the network.
net use K: \\[IP]\files
  explores these shares: mounts \\[IP]\files as the K: drive.
On Linux
smbclient -L [IP]
  lists the shares, including hidden shares such as IPC$, C$ and ADMIN$. Those three are default administrative shares, each with its own purpose; IPC$ is used for inter-process communication and can be leveraged for null session attacks.
sudo mount.cifs //[IP]/C /media/K_share/ -o user=,pass=
  mounts the share locally (here with an empty username and password).
Null Session Attacks.
Rely on the Common Internet File System (CIFS) and Server Message Block (SMB) API, which returns information even to an unauthenticated user. For this to work, a connection must be established to the administrative share named IPC$.
How to see if a machine is vulnerable to a null session attack:
net use \\[IP]\IPC$ "" /u:""
which does the following:
- Establishes a connection to the hidden share IPC$: \\[IP]\IPC$
- Connects with a null password: ""
- and an empty username: /u:""
- Once we have a connection, we can use other tools to gather information from the remote machine.
Rpcclient
rpcclient -N -U "" [IP]
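The null session described above leaves a recognisable trace on the server: a network logon (Windows Security event 4624, Logon Type 3) by NT AUTHORITY\ANONYMOUS LOGON, followed by access to the IPC$ share (event 5140, "A network share object was accessed"). The following detection is an added example written for these notes, not code from the notes or from any product. The event ids, logon type, account and share names are the real ones; the one-line record format and the sample log are constructed here for the example, so the parser is an assumption and would need adapting to the real EVTX/XML export.

```python
"""Spotting null sessions in Windows Security log data.

Added illustration for these notes (not code from the notes). Correlates an
anonymous network logon (4624, Logon Type 3) with a later IPC$ share access
(5140) from the same source address. Records are in a constructed one-line
"timestamp id key=value; key=value" form, not the real EVTX layout.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log output)
SAMPLE_EVENTS = """\
2024-03-01T10:00:01 4624 LogonType=3; AccountName=ANONYMOUS LOGON; AccountDomain=NT AUTHORITY; SourceAddress=10.0.0.77
2024-03-01T10:00:02 5140 ShareName=\\\\*\\IPC$; AccountName=ANONYMOUS LOGON; SourceAddress=10.0.0.77
2024-03-01T10:00:03 5140 ShareName=\\\\*\\IPC$; AccountName=ANONYMOUS LOGON; SourceAddress=10.0.0.77
2024-03-01T10:05:00 4624 LogonType=3; AccountName=jdoe; AccountDomain=CORP; SourceAddress=10.0.0.12
2024-03-01T10:05:01 5140 ShareName=\\\\*\\files; AccountName=jdoe; SourceAddress=10.0.0.12
2024-03-01T11:30:00 4624 LogonType=3; AccountName=ANONYMOUS LOGON; AccountDomain=NT AUTHORITY; SourceAddress=10.0.0.12
"""

LINE = re.compile(r"^(\S+) (\d+) (.*)$")


def parse_event(line):
    """Turn one constructed record into a dict; returns None for lines that do not match."""
    m = LINE.match(line)
    if not m:
        return None
    ts, event_id, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split("; "))
    fields["time"] = datetime.fromisoformat(ts)
    fields["id"] = int(event_id)
    return fields


def find_null_sessions(log_text, window=timedelta(minutes=5)):
    """Return {source address: [times IPC$ was accessed]} for anonymous logons
    that were followed, within `window`, by an anonymous IPC$ share access."""
    events = [e for e in (parse_event(l) for l in log_text.splitlines()) if e]

    # Step 1: remember when each source performed an anonymous network logon
    anon_logons = defaultdict(list)
    for e in events:
        if (e["id"] == 4624 and e.get("LogonType") == "3"
                and e.get("AccountName") == "ANONYMOUS LOGON"):
            anon_logons[e.get("SourceAddress", "?")].append(e["time"])

    # Step 2: an anonymous IPC$ access shortly after such a logon is the null session
    hits = defaultdict(list)
    for e in events:
        if e["id"] != 5140 or not e.get("ShareName", "").upper().endswith("IPC$"):
            continue
        if e.get("AccountName") != "ANONYMOUS LOGON":
            continue
        src = e.get("SourceAddress", "?")
        if any(timedelta(0) <= (e["time"] - t) <= window for t in anon_logons.get(src, [])):
            hits[src].append(e["time"])
    return dict(hits)


if __name__ == "__main__":
    for src, times in find_null_sessions(SAMPLE_EVENTS).items():
        print("null session from %s: %d IPC$ access(es), first at %s" % (src, len(times), times[0]))
```

On the sample data only 10.0.0.77 is reported: the jdoe logon is an authenticated user reaching a normal share, and the 11:30 anonymous logon from 10.0.0.12 never touches IPC$ (still worth a look on its own, but it is not the pattern the net use command above produces).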
SNMP
Simple Network Management Protocol. It is used for exchanging management information between network devices; for example, it can be used to configure a router or simply check its status.
- In SNMP there is a manager and a number of agents. The agents either wait for commands from the manager or send critical messages (traps) to the manager, which is usually run by a system administrator.
Types of SNMP commands
- Read: used to monitor devices.
- Write: used to configure devices and change device settings.
- Trap: used to "trap" events from the device and report them back to the monitoring system.
- Traversal operations: used to determine which variables a certain device supports.
Security related to SNMP
- SNMPv1 is a clear-text protocol.
- SNMPv3 is the newest version; it is still subject to brute-force attacks.
How it works
- SNMP receives general messages on UDP port 161 and trap messages on UDP port 162. SNMP works on the basis that the network management system sends out a request and the managed devices (agents) return a response.
- Four operations: Get, GetNext, Set and Trap.
SNMP messages
- Consist of a header and a PDU (protocol data unit). The header consists of the SNMP version number and the community string, which is used as a form of "secure" password authentication in SNMP.
- Two types of community strings: private and public. Private allows write access, public allows read access.
MIBs (Management Information Base) are a collection of definitions that define the properties of the managed objects on a device (router, switch, etc.). A MIB is a database of information that is relevant to the network manager.
MIBs are also structured as a tree. The path from the top of the tree down to the point of interest forms the name of that point, called an OID (object identifier).
Note that all OIDs start with 1.3.6.1. Each leaf in the tree is a property of the device that can be read or written by the manager. A query has to specify the OID address, such as 1.3.6.1.4.1.140.305.
Attacks targeting SNMP
- Flooding DoS: spoofing an SNMP agent and flooding the SNMP trap management station with tens of thousands of SNMP traps, varying in size from 50 bytes to 32 KB, until the SNMP trap manager is unable to function.
- Community: using default community strings to gain privileged access to systems.
- Brute force: using a tool to guess the community strings used on a system to achieve elevated privileges.
SNMP enumeration
Obtain the community strings first, by sniffing the network traffic or by using a dictionary attack. Be aware that most current Network Intrusion Detection Systems will alert on this, as they see multiple logins with different strings.
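The message layout from the "SNMP messages" section (version, community string, PDU), the OID encoding from the MIB section (1.3.6.1.4.1.140.305 is used as the worked value) and the NIDS observation just above, combined in one added example written for these notes. It is not code from the notes or from Net-SNMP: it builds the same GetRequest that snmpwalk/snmpget put on the wire, parses version and community string back out of raw bytes (the fields a sniffer reads in clear text on UDP 161), and counts distinct community strings per source address, which is the signal a NIDS uses to flag a community-string dictionary attack. The sample traffic is constructed in the file and nothing is sent on the network.

```python
"""SNMPv1/v2c message layout, OID encoding and community-string detection.

Added illustration for these notes (not code from the notes or from
Net-SNMP). All packets below are constructed in this file.
"""
from collections import defaultdict

# ASN.1 BER tags used by SNMP
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GET_REQUEST, TAG_GET_NEXT_REQUEST, TAG_SET_REQUEST = 0xA0, 0xA1, 0xA3
SNMP_V1, SNMP_V2C = 0, 1


def ber_length(n):
    """BER length: one byte below 128, else 0x80|count followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + ber_length(len(value)) + value


def encode_integer(v):
    # shortest two's-complement form, at least one byte
    return tlv(TAG_INTEGER, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def encode_oid(dotted):
    """OID: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def decode_oid(value):
    """Inverse of encode_oid on the raw value bytes (without tag and length)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def build_request(community, oid, request_id=1, version=SNMP_V2C, pdu_tag=TAG_GET_REQUEST):
    """Message = SEQUENCE { version, community, PDU }; the PDU carries one varbind with a NULL value."""
    varbinds = tlv(TAG_SEQUENCE, tlv(TAG_SEQUENCE, encode_oid(oid) + tlv(TAG_NULL, b"")))
    pdu = tlv(pdu_tag, encode_integer(request_id) + encode_integer(0) + encode_integer(0) + varbinds)
    return tlv(TAG_SEQUENCE, encode_integer(version) + tlv(TAG_OCTET_STRING, community.encode()) + pdu)


def read_tlv(buf, pos=0):
    """Return (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_message(packet):
    """Header fields plus the OIDs in the varbind list; the community string is clear text."""
    tag, body, _ = read_tlv(packet)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMPv1/v2c message")
    _, version, pos = read_tlv(body)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    pos = 0
    for _ in range(3):                       # request-id, error-status, error-index
        _, _, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = read_tlv(varbinds, pos)
        oids.append(decode_oid(read_tlv(vb)[1]))
    return {"version": int.from_bytes(version, "big", signed=True),
            "community": community.decode("latin-1"), "pdu_type": pdu_tag, "oids": oids}


def communities_per_source(datagrams, threshold=3):
    """Flag sources that tried at least `threshold` distinct community strings (dictionary attack)."""
    seen = defaultdict(set)
    for src, payload in datagrams:
        try:
            seen[src].add(parse_message(payload)["community"])
        except (ValueError, IndexError):
            continue                          # not SNMP, or truncated
    return {src: sorted(c) for src, c in seen.items() if len(c) >= threshold}


# Constructed sample traffic: one monitoring host, one host cycling through a wordlist
SAMPLE = [("10.0.0.5", build_request("public", "1.3.6.1.2.1.1.1.0"))] + [
    ("10.0.0.77", build_request(c, "1.3.6.1.2.1.1.5.0", i))
    for i, c in enumerate(["public", "private", "admin", "cisco"])]

if __name__ == "__main__":
    pkt = build_request("public", "1.3.6.1.2.1.1.1.0", version=SNMP_V1)
    print(pkt.hex())                          # the classic 40-byte sysDescr GetRequest
    print(parse_message(pkt))
    print(communities_per_source(SAMPLE))
```

The GetNext and Set tags are the ones snmpwalk and snmpset use; a SET additionally carries a typed value in place of the NULL. The threshold in communities_per_source is the whole detection: a legitimate manager uses one community string per device, so several distinct strings from one source in a short span is the dictionary attack the paragraph above warns is easy to spot.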
Tools for SNMP Enum
snmpwalk (part of the Net-SNMP suite) uses SNMP GETNEXT requests to query a network entity for a tree of information.
NOTE: if the output shows the OIDs numerically, e.g. iso.3.6.1.2.1.1.1.1.0 = xxxxxxxx, install the snmp-mibs-downloader package and comment out the fourth line in the file /etc/snmp/snmp.conf.
snmpset uses SNMP SET requests to set or change information on a network entity, which allows the management application (the manager) to set the value of an attribute in the agent.
NOTE: one or more OIDs must be provided, and the type and value must also be provided.
Ex. snmpwalk -v 2c -c public IP system.sysContact.0
output: SNMPv2-MIB::sysContact.0 = STRING: [email protected]
snmpset -v 2c -c public IP system.sysContact.0 s [email protected]
- s here stands for String.
Nmap
sudo nmap -sU -p 161 IP --script snmp-brute
sudo nmap -sU -p 161 IP --script snmp-brute --script-args snmp-brute.communitiesdb=<wordlist>