NetBIOS in the hands of a hacker

This article gives a brief account of what such a seemingly familiar thing as NetBIOS really is, and what information it can provide to a potential attacker or pentester.

The reconnaissance techniques demonstrated here relate to internal networks, that is, isolated networks that are not reachable from outside. As a rule, even the smallest company has such networks.

In itself, NetBIOS is normally used to obtain a network name. That alone is enough to do at least four things.

Host Discovery
Because NetBIOS can use UDP as a transport, its speed allows it to discover hosts on very large networks. For example, the nbtscan tool, which is included in the package of the same name, can resolve the addresses of a network like 192.168.0.0/16 in just 16 seconds (it can bring the network down in the process), while traditional TCP scanning would take tens of minutes. This feature can be used as a host sweep technique on very large networks about which nothing is known before running nmap. Although the result does not guarantee 100% detection, since mainly Windows hosts will respond, and not all of them, it will still let you determine which ranges contain live hosts.

Host Identification
Looking at the results of resolving names from IP addresses:

[screenshot]

you can see that, besides the name revealing the workstation's owner (though this is by no means always the case), one of the addresses clearly stands out from the others: the name KALI was received. This behaviour is typical of Unix implementations of SMB/NetBIOS, i.e. the Samba package, or of very old Windows 2000 hosts.
Getting the name KALI, while the other hosts return <unknown>, indicates the presence of a so-called null session. SMB servers on Linux are inclined towards it with default settings. A null session merely allows you, completely anonymously (we did not enter any passwords, as you can see in the screenshot), to obtain a lot of additional information, such as the local password policy, the list of local users and groups, and the list of shared resources (shares):

[screenshot]
Often on Linux SMB servers there are publicly accessible shares not only for reading but even for writing. Both carry various threats, the use of which is beyond the scope of this article.

NetBIOS also allows you to get the names of all types that the workstation stores:

[screenshot]

in this case this allows you to find out that the host is also a domain controller of the ARRIVA domain.

It is also worth noting that NetBIOS allows you to get the MAC address. Moreover, unlike ARP requests, NetBIOS requests can go beyond the subnet. This can be useful if, for example, you need to find a laptop or a specific piece of hardware on the network knowing its manufacturer: since the first three octets of a MAC address identify the manufacturer, you can send such NetBIOS queries to all known subnets to try to find the right device (http://standards-oui.ieee.org/oui.txt).
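The "names of all types" query above is a NetBIOS node status request on 137/udp, and the reply carries the name table and the adapter's MAC. As an added example (not code from the original article), the following Python builds a constructed reply for a hypothetical host DC01 in the ARRIVA domain and then decodes it the way a defender auditing what their own hosts disclose would: name, suffix type, group flag, domain, domain controller status and the MAC's OUI prefix. The host name DC01 and the MAC are made up.

```python
import struct

# Common NetBIOS name suffixes (16th byte of the name) and what they mean.
SUFFIX = {0x00: "workstation / domain", 0x03: "messenger", 0x1B: "domain master browser",
          0x1C: "domain controller", 0x1D: "master browser", 0x1E: "browser elections", 0x20: "file server"}

def build_node_status_reply(entries, mac, txid=0x1234):
    """Constructed NBSTAT reply (RFC 1002 4.2.18) for (name, suffix, is_group) entries;
    only used here to fabricate sample input that a real sweep would receive on 137/udp."""
    rr_name = b"\x20" + b"CK" + b"A" * 30 + b"\x00"          # '*' wildcard, first-level encoded
    body = bytes([len(entries)])
    for name, suffix, is_group in entries:
        flags = (0x8000 if is_group else 0) | 0x0400           # group bit + ACTIVE
        body += name.upper().ljust(15)[:15].encode() + bytes([suffix]) + struct.pack(">H", flags)
    body += mac + bytes(40)                                    # unit ID (MAC) + rest of statistics
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)  # response, authoritative, 1 answer
    return header + rr_name + struct.pack(">HHIH", 0x21, 0x01, 0, len(body)) + body

def parse_node_status(packet):
    """Decode the name table and MAC from an NBSTAT reply."""
    flags, _qd, an = struct.unpack(">HHH", packet[2:8])
    if not flags & 0x8000 or an != 1:
        raise ValueError("not a node status response")
    pos = 13 + packet[12] + 1                                  # skip length-prefixed RR name + 0x00
    rtype, _rclass, _ttl, _rdlen = struct.unpack(">HHIH", packet[pos:pos + 10])
    if rtype != 0x21:
        raise ValueError("answer is not NBSTAT")
    pos += 10
    count, pos = packet[pos], pos + 1
    names = []
    for _ in range(count):
        raw, nflags = packet[pos:pos + 16], struct.unpack(">H", packet[pos + 16:pos + 18])[0]
        names.append({"name": raw[:15].decode("ascii", "replace").rstrip(), "suffix": raw[15],
                      "group": bool(nflags & 0x8000), "role": SUFFIX.get(raw[15], "other")})
        pos += 18
    return {"names": names, "mac": ":".join(f"{b:02x}" for b in packet[pos:pos + 6])}

def summarize(info):
    """What the article reads off the table: host name, domain/workgroup, DC status, OUI."""
    host = next((n["name"] for n in info["names"] if n["suffix"] == 0 and not n["group"]), None)
    domain = next((n["name"] for n in info["names"] if n["suffix"] == 0 and n["group"]), None)
    is_dc = any(n["suffix"] == 0x1C and n["group"] for n in info["names"])
    return {"host": host, "domain": domain, "domain_controller": is_dc,
            "mac": info["mac"], "oui": info["mac"][:8]}

# Constructed sample: hypothetical host DC01 in the ARRIVA domain, also registered as a DC.
SAMPLE = build_node_status_reply([("DC01", 0x00, False), ("ARRIVA", 0x00, True),
                                  ("DC01", 0x20, False), ("ARRIVA", 0x1C, True)],
                                 bytes.fromhex("005056aabbcc"))
```

`summarize(parse_node_status(SAMPLE))` yields host DC01, domain ARRIVA, domain_controller True and MAC 00:50:56:aa:bb:cc.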

Determining domain membership
Often, when moving through internal corporate networks, it is necessary to attack a workstation that is a member of a domain (for example, to raise privileges to domain administrator), or vice versa. Here NetBIOS can help again:

[screenshot]

In this case, NetBIOS was used to retrieve all names of all types. Among them, in addition to the PC name (which was already obtained earlier), you can see the workgroup name. By default on Windows it is usually something like WORKGROUP or IVAN-PC, but if the workstation is in a domain, its workgroup is the domain name.
Thus, with the help of NetBIOS you can find out whether a workstation is in a domain and, if so, which one.
If you need a list of the domain's hosts within a subnet, one broadcast request with the name of the desired domain is enough:

[screenshot]

as a result, all hosts in this domain will respond.

Multihomed host discovery
And finally, one more, probably very little-known technique, which is simply indispensable for finding ways into secure, perhaps even physically isolated, networks. These can be the workshop networks of enterprises, stuffed with controllers. For an attacker, access to such a network means the ability to influence the technological process; for the enterprise it means the risk of huge losses.
So, the point is that even if a network is isolated from the corporate network, some administrators, out of laziness or for some other reason, like to bring up another network card on their PCs to reach that very network. All this, of course, happens bypassing all the rules of the corporate firewalls. Convenient, yes, but not very secure: if you are hacked, you become a bridge into this network and will be held responsible.
However, there is one problem for the attacker: finding the very administrator who joined the secure network in such an illegitimate way. This is not an easy problem for the network security people themselves either. In large enterprises it is a truly difficult task, like finding a needle in a haystack.
In this situation an attacker would have two obvious options:
1. Try to use each PC in the corporate subnet as a gateway to the desired network. This would be very convenient, but it rarely works, because IP forwarding is almost always disabled on Windows hosts. Moreover, such a check is only possible within one's own subnet, and it also requires the attacker to know the exact target address in the isolated network.
2. Try to log in to each host remotely and run the banal ipconfig/ifconfig command. This is not all smooth sailing either. Even if the attacker has obtained domain administrator rights, nobody has cancelled network and host firewalls. So this task cannot be 100% automated. As a result, it remains a painful process of going to each host, overcoming firewalls (which often block exactly port 445/tcp), in the hope of finally seeing the desired network interface.

However, everything is much simpler. There is one extremely simple trick that gives you the list of network interfaces of a given host. Let's say we have a host:

[screenshot]

This is a reverse resolution, IP address → network name. If we now do a forward resolution, network name → IP address:

[screenshot]

then we learn that this host is (apparently) also a gateway into some other network. It is worth noting that in this case the request was a broadcast; in other words, only hosts on the attacker's subnet will hear it.
If the target host is outside the subnet, you can send a unicast request:

[screenshot]

In this case you can see that the target is outside the attacker's subnet. The -B switch specifies that the request should be sent to a specific address rather than to the broadcast address.
Now it only remains to quickly collect this information from the whole subnet of interest rather than from a single address. For this, a small Python script can be used:

[screenshot]

And after a few seconds:

[screenshot]

In this improvised case, the highlighted host is the one that would become the attacker's first target if they were after the 172.16.1/24 network.

[screenshot]

Duplicate names on different IPs indicate that the host also has two network cards, but on the same subnet. It is worth noting here that NetBIOS does not disclose aliases (which can easily be identified via ARP requests as IPs with the same MAC). In this case the IP addresses have different MACs.
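The sweep output above lends itself to an audit that a network team can run over its own segments to find the unauthorized bridges the article warns about. The following Python is an added example, not the article's script: it takes (name, IP, MAC) rows as a sweep would collect them (constructed here; all names, addresses and MACs are made up) and classifies every name seen on several IPs, separating a second card into another segment from a second card on the same subnet and, should ARP data be merged in, an alias sharing one MAC.

```python
import ipaddress
from collections import defaultdict

# Constructed sample, not data from the article: (name, ip, mac) rows as a sweep of
# 192.168.0.0/24 would collect them (forward name query per discovered name, MAC from
# the node status reply). All names, addresses and MACs here are made up.
SWEEP_NET = ipaddress.ip_network("192.168.0.0/24")
RESULTS = [
    ("WS-ADMIN01", "192.168.0.15", "00:11:22:33:44:55"),
    ("WS-ADMIN01", "172.16.1.7",   "00:11:22:33:44:56"),  # second NIC into another segment
    ("WS-DEV07",   "192.168.0.80", "00:aa:bb:cc:dd:77"),
    ("WS-DEV07",   "192.168.0.81", "00:aa:bb:cc:dd:78"),  # two NICs, same subnet
    ("WS-HR03",    "192.168.0.40", "00:aa:bb:cc:dd:01"),
    ("WS-HR03",    "192.168.0.41", "00:aa:bb:cc:dd:01"),  # same MAC: alias (only seen if ARP data is merged)
    ("WS-SALES02", "192.168.0.90", "00:aa:bb:cc:dd:90"),
]

def find_multihomed(results, sweep_net):
    """Group interfaces by NetBIOS name and classify every name seen with more than one IP."""
    by_name = defaultdict(list)
    for name, ip, mac in results:
        by_name[name].append((ipaddress.ip_address(ip), mac.lower()))
    findings = []
    for name, ifaces in sorted(by_name.items()):
        if len(ifaces) < 2:
            continue
        ips = sorted(str(ip) for ip, _ in ifaces)
        foreign = sorted(str(ip) for ip, _ in ifaces if ip not in sweep_net)
        if len({mac for _, mac in ifaces}) == 1:
            kind = "ip alias"                 # one card, several addresses
        elif foreign:
            kind = "bridge to other segment"  # the case the article hunts for
        else:
            kind = "second nic, same subnet"
        findings.append({"name": name, "kind": kind, "ips": ips, "foreign": foreign})
    return findings

def bridges(results, sweep_net):
    """Names that expose an interface outside the swept network, with those addresses."""
    return {f["name"]: f["foreign"] for f in find_multihomed(results, sweep_net)
            if f["kind"] == "bridge to other segment"}
```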

Another example of using this technique is public Wi-Fi. Sometimes you encounter a situation where, among the guest devices, staff who work in a closed corporate segment are connected to the public network. Then, with the help of this reconnaissance technique, an attacker will very quickly be able to chart a path into the closed network:

[screenshot]

In this case, among the 65 public Wi-Fi clients there were two workstations with an additional interface, probably belonging to the corporate network.

Even where traffic on port 445/tcp is filtered between network segments or directly at workstations, which prevents remote login to the system (remote code execution), NetBIOS name resolution uses port 137/udp, whose deliberate blocking is almost never encountered, since it would greatly affect the convenience of working on the network (for example, the network neighbourhood may disappear, etc.).

As the saying goes, enumeration is the key
Is there any protection against this? There is none, because this is not a vulnerability at all. It is just regular functionality that Windows has enabled by default (on Linux the behaviour is slightly different). And if you, on your own initiative and bypassing the network routing rules, have joined a closed segment, an attacker will definitely find you, and will do it very quickly.

Source: habr.com
