More Netbios

weazy
Ex-Admin
Posts: 1688
Joined: Sun Jul 07, 2002 10:02 am
Location: any given


Post by weazy » Sat Jul 26, 2003 1:37 am

How not to be noisy!
by blackgold

Ok, this is a first of its kind on Hdc and maybe even the web.

Section 1 ..... Why you need to know!
Section 2 ..... What techniques
Section 3 ..... Common sense
Section 4 ..... Conclusion


Section 1

I'll start off by getting you to think of what gets you noticed, even before you attempt an actual hack.
There are many, many IDS (intrusion detection programs) out there and many firewalls protecting a vast amount of servers and personal computers.
Now most commonly you're used to starting up GFI LANguard Network Security Scanner or SuperScan or many other TCP-based scanners, which in a while I will tell you why they're a total waste of time in today's world.

A TCP scanner is basically this...

    attacker                target
       Syn -->
                  <-- Syn/Ack
       Syn -->

What you see here is called a 3-way handshake.
That is the way TCP works when establishing a connection, and in this case, your TCP port scanner.
You fire up your scanner and within a matter of split seconds you've been noticed by either a firewall or an IDS program just sitting there waiting.
Your whole hack now is useless.

But wait, there's still hope.



Section 2a

You have the IP (internet address).
Next you go to a site that offers various online utilities.
These being traceroute, ping, nslookup, whois, finger and in some cases online scanners.
You can use all these tools (I'll get to the scanners in a while) to dig up info without the need to be noticed.
Now after using these tools you have choices open up to you on where to proceed.
You may have found telephone numbers, contact names, addresses, and even got creative and used xferret to search many search engines for more goodies.
Also you may have noticed they run a DNS server on that particular server and you know that TCP port 53 is listening for connections.

Now so far you can try social engineering your way into the target or find valuable info such as open ports, services, accounts, passwords etc.
All while not being noticed.

Open ports, you say? Hmmm.

Example convo.

Them:
Hello, Microsoft, how may I help you?

You:
Hello, this is your ISP doing a random survey of customers that use our service.

Them:
Will this take long? I'm really busy.

You:
No girl, this will only take a minute of your time.

Them:
Ok, what do you need?

You:
Are you in front of a computer now, girl?

Them:
Yes.

You:
Ok, I need to know what services your company uses on our network.

Ok, you get the idea.
Info that you might have gathered from the unsuspecting person is:
open ports
operating systems
firewalls
how many employees use the computers (the more the better)
how competent they are
usernames
passwords
etc.

Now you didn't even have to fire up your scanner, now did you?
But on a side note, this can turn around and affect your hack also.
All people are not stupid, and in some cases you are stupid compared to them.

Section 2b

Scanning using an online scanner, as mentioned earlier.
Ok, if you know of any PHP-based webservers, you can get nmap made in PHP as a client/server script.
You upload the nmap PHP server on to your website and use the client from your computer while going through many proxies, thus making you hard to track down.
Caution:
Make sure this website has no information on you to trace back to you.

Other techniques are using Nmap (Linux) or NmapWin (Windows).
There's no point in discussing the Linux version as there are a lot of docs at the Nmap owner's site (Fyodor) on its use.
But I have come up with a way of using NmapWin the same as you use nmap for Linux.
You need to get a program that will capture packets on your system.
One of them being: http://www.networkactiv.com/
What you do is fire up that packet capturing program to capture SYN packets only and filter out all the rest of the noise.
Next you fire up NmapWin and set the following options:
For scanning type set it to SYN.
For discover set it to don't ping.
For options unselect OS Detection.
For timing set to Normal (depending on how careful you are).

Ok, when that's done just enter in the most common port numbers, e.g. 21,22,23,25,52,79,80,81,110,111,135,139,389,445,5000, etc.
Now say you want to try and see if port 21 is open: you put in port 21 and press scan, and if you see a response in your packet capturing proggy that looks like this it means it's listening (open):

    Type  Size  Source IP  Destination IP  sPort  dPort  Date/Time
    TCP         theirs     yours           21     4133   31:33:7

You will also see in the window info on either a RST (reset) packet or a SYN/ACK packet. If you get a SYN/ACK you know the port is listening (open).


This info is only for people that use Windows, to help you get the most out of a scanner.


Section 3
Common tips I've found out through learning.
If you send a single packet to port 135 and it's open, then in all probability it is a Windows box.
To make sure, and maybe get a version, send another single packet to port 139.
If both are open then it's more than likely a Windows 98 box or Windows ME box.
Or maybe, if you didn't find them open, try port 445 (SMB, used on Windows 2000 and upwards).
Also port 5000 (UPnP), mostly Windows 2000 and upwards.

So you can detect an operating system by sending 3 or 4 single SYN packets.
This is not perfectly accurate, but it is roughly 90% accurate if not more.

Section 4

So what I'm trying to point out to people, and hopefully help them, is:
Don't use those scanners because you're creating a lot of network noise and it will be noticed.
Take your time studying the target: days, weeks, whatever you need.
Try not to make any direct connection with them using your own computer. Internet cafes, mobile phone etc.
Be stealthy in your methods.
And use your head.


Here is a little text about TCP/IP flags to make some things clear for n00bs (written by someone else):

----------------------------------------------------
I wrote this small white paper to introduce you to the flags
in TCP headers. I hope you'll gain knowledge from this, and
if not.. bad luck ;-) So let's begin:

The TCP header contains about 6 fields with one bit for flags.
There are currently 6 flags in a TCP header and those are:

URG = This flag lets the receiving TCP-module know that the
field of the Urgent Pointer points to urgent data.
(The TCP-module needs to process urgent data earlier than any
other data.)

ACK = This flag notes that the field ACK-number has a valid
ACK-number. This helps TCP trust the DATA.

PSH = This flag calls a PUSH. If this flag is on, then the
TCP-module has to send the data from the segment directly
to the target application. Normally, the TCP-module would
keep the incoming data in a buffer and send them until
the target application's buffer is full. The PSH-flag lets
the TCP-module know that the data of this segment does not
have to arrive in the buffer. Telnet applications, for example,
use this flag. Because of that, TCP sends the inputted keys
of the user directly to the Telnet server. This lets the user
see the typed letters immediately, without lag.

RST = This flag asks the receiving TCP-module to let the connection
recover (reset). TCP sends a msg with this RST-flag if there
are any problems detected with the connection. Most of the
applications stop when they receive this flag, but it's
possible, with the help of the RST-flag, to write advanced
algorithms so that programs can recover from crashes in hardware
or software.

SYN = This flag instructs the receiving TCP-module to synchronize
sequence numbers. TCP uses this flag to let the receiving
TCP-module know that the sender wants to send new data.

FIN = This flag lets the receiving TCP-module know that the sender
is finished with sending data. This flag stops the data
stream in one direction. The receiving TCP-module has to send a
msg with the FIN-flag to close the whole connection.


Well, that's a short introduction to TCP flags. For more information
I would recommend you read RFCs and other TCP/IP related books,
text files and documents.
--The Devil is in the Details--
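The handshake and flag bits described in this thread, as an added example that is not part of the original post or the quoted white paper: it decodes the six flag bits out of a raw TCP header and then applies the kind of heuristic an IDS uses to notice a half-open scan, i.e. a source that sends bare SYNs to many ports and never sends the third segment of the handshake (a plain ACK). The packet bytes, addresses and the min_ports threshold are constructed assumptions, not a real capture.

```python
"""Decode TCP header flag bits and spot half-open (SYN) scans in a trace.

Added example for this thread, not code from the original post.  The packets,
addresses and threshold are constructed assumptions, not a real capture.
"""
import struct
from collections import defaultdict

# RFC 793 layout: the 6 flag bits are the low bits of the 16-bit word after the ack number.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def parse_tcp_header(raw):
    """Parse the fixed 20-byte TCP header (network byte order) into a dict."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": [name for name, bit in FLAG_BITS.items() if off_flags & bit]}

def make_tcp(sport, dport, flags, seq=0, ack=0):
    """Build a minimal 20-byte TCP header (data offset 5, window 8192) for test data."""
    bits = sum(FLAG_BITS[f] for f in flags)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | bits, 8192, 0, 0)

def find_syn_scanners(trace, min_ports=5):
    """IDS-style heuristic: a source that sends bare SYNs to many distinct
    ports but never sends a plain ACK (the handshake's third segment) is
    most likely running a half-open scan.  trace = [(src_ip, dst_ip, raw)]."""
    syn_ports = defaultdict(set)
    completed = set()
    for src, _dst, raw in trace:
        hdr = parse_tcp_header(raw)
        if hdr["flags"] == ["SYN"]:
            syn_ports[src].add(hdr["dport"])
        elif "ACK" in hdr["flags"] and "SYN" not in hdr["flags"]:
            completed.add(src)
    return sorted(src for src, ports in syn_ports.items()
                  if len(ports) >= min_ports and src not in completed)

# Constructed trace: 10.0.0.9 probes seven ports on 10.0.0.5 and only ever gets
# SYN/ACK or RST back; 10.0.0.7 completes a normal handshake to port 80.
SAMPLE_TRACE = (
    [("10.0.0.9", "10.0.0.5", make_tcp(4133 + i, p, ["SYN"], seq=1000 + i))
     for i, p in enumerate([21, 22, 23, 25, 80, 139, 445])]
    + [("10.0.0.5", "10.0.0.9", make_tcp(80, 4137, ["SYN", "ACK"], 7, 1005)),
       ("10.0.0.5", "10.0.0.9", make_tcp(21, 4133, ["RST", "ACK"], 0, 1001)),
       ("10.0.0.7", "10.0.0.5", make_tcp(50000, 80, ["SYN"], seq=500)),
       ("10.0.0.5", "10.0.0.7", make_tcp(80, 50000, ["SYN", "ACK"], 9, 501)),
       ("10.0.0.7", "10.0.0.5", make_tcp(50000, 80, ["ACK"], 501, 10))]
)
```

Running `find_syn_scanners(SAMPLE_TRACE)` flags only 10.0.0.9; the legitimate client 10.0.0.7 is cleared because its ACK completes the handshake, which is exactly the difference a firewall or IDS keys on.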
