Enumeration

NetBIOS (137-139)

UDP 137 = Name Services

UDP 138 = Datagram Services

TCP 139 = Session Services

SMB (445)

Allows sharing of files, disks, directories, printers and sometimes COM ports across a network.


nbtstat

On Windows

Enumerating NetBIOS/SMB
<20> suffix = identifies a server service
$ suffix = identifies a hidden share

nbtstat -A <TargetIP> = List target name table

List domains, computers, and resources:
net view <TargetIP>

Connect to remote resource:
net use K: \\<TargetIP>\<Drive>

On Linux
nbtscan -v <TargetIP/Range>

List target shared resources:
smbclient -L <TargetIP>

Mount a remote share:
mount.cifs //<TargetIP>/<Drive> /mount/point/ -o user=,pass=


Null Sessions

Must establish an anonymous connection to the IPC$ share

On Windows
net use \\<TargetIP>\IPC$ "" /u:""

On Linux
enum4linux <TargetIP>

rpcclient = Executes Microsoft RPC functions

Establish a connection with rpcclient:
rpcclient -N -U "" <TargetIP>


SNMP (UDP 161/162)

Used for exchanging management information between network devices

161 = General messages
162 = Trap messages

Four types of commands: Get, GetNext, Set, and Trap (see How it Works)

Versions:

SNMPv1 = Most vulnerable/clear text
SNMPv2 = Still weak/clear text
SNMPv3 = More secure but susceptible to brute forcing

How it Works
The management system sends out a request and the agents (network devices) return a response utilizing the Get, GetNext, Set, and Trap messages.

SNMP messages consist of a header and PDU. The header contains the community string that acts as a "secure" password.

Private community strings = write access

Public community strings = read access
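Added example, not part of these notes: a minimal BER decoder that pulls the version, the clear-text community string and the PDU type (Get/GetNext/Set/Trap) out of an SNMPv1/v2c header and flags the default "public"/"private" strings, the check a monitor on UDP 161/162 traffic would run. The packets it parses are constructed inline; OID and PDU tag values are from the SNMP specs.

```python
# Added example, not from the original notes. Parses SNMPv1/v2c headers
# and flags default community strings; sample packets are constructed here.
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap-v1", 0xA5: "GetBulkRequest",
             0xA7: "Trap-v2"}
DEFAULT_COMMUNITIES = {"public", "private"}
SYSDESCR_0 = b"\x2b\x06\x01\x02\x01\x01\x01\x00"   # OID 1.3.6.1.2.1.1.1.0

def tlv(tag: int, body: bytes) -> bytes:
    """BER-encode one element (short- or long-form length)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def read_tlv(buf: bytes, off: int):
    """Decode the element at buf[off]; return (tag, body, offset after it)."""
    tag, ln = buf[off], buf[off + 1]
    off += 2
    if ln & 0x80:                      # long form: low bits = length octets
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + ln], off + ln

def parse_snmp(pkt: bytes) -> dict:
    """Return version, community and PDU type of an SNMPv1/v2c message."""
    tag, msg, _ = read_tlv(pkt, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing; not SNMP")
    tag, ver, off = read_tlv(msg, 0)            # INTEGER: 0 = v1, 1 = v2c
    tag2, comm, off = read_tlv(msg, off)        # OCTET STRING, sent in clear
    if (tag, tag2) != (0x02, 0x04):
        raise ValueError("header is not <version, community>")
    pdu_tag = read_tlv(msg, off)[0]
    community = comm.decode("latin-1")
    return {"version": {0: "v1", 1: "v2c"}.get(int.from_bytes(ver, "big"), "v?"),
            "community": community,
            "pdu": PDU_TYPES.get(pdu_tag, "unknown"),
            "default_community": community in DEFAULT_COMMUNITIES}

def sample_request(pdu_tag: int, community: str, version: int = 1) -> bytes:
    """Constructed test packet: one varbind for sysDescr.0 with a NULL value."""
    varbind = tlv(0x30, tlv(0x06, SYSDESCR_0) + tlv(0x05, b""))
    pdu = tlv(pdu_tag, tlv(0x02, b"\x01") + tlv(0x02, b"\x00")
              + tlv(0x02, b"\x00") + tlv(0x30, varbind))
    return tlv(0x30, tlv(0x02, bytes([version]))
               + tlv(0x04, community.encode()) + pdu)

if __name__ == "__main__":
    for pkt in (sample_request(0xA1, "public"), sample_request(0xA3, "private")):
        print(parse_snmp(pkt))   # default_community is True for both
```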

MIBs (Management Information Base)
A database of information relevant to the network manager.

Organized in a tree structure; each object has a number and name associated.


Attacks against SNMP

Flooding
Floods the SNMP management station with thousands of trap messages until it is unable to function properly.

Community
Using default community strings to gain privileged access.

Brute Force
Guessing the community strings utilized to gain privileged access.

Obtaining a Community String

Utilize a dictionary attack; this will certainly set off the IDS.

snmpwalk
Uses SNMP GetNext requests to retrieve information from the database.

Knowing an OID is very useful; it can be passed to snmpwalk as the starting point of the walk.
snmpwalk -v 2c -c <community string> <TargetIP> [<OID>]

Snmpwalk can be passed an MIB object.
snmpwalk -c public -v1 <TargetIP> <MIB>

snmpset
Uses SNMP Set requests to change or set information on a network device.

Checking a value with snmpwalk:
snmpwalk -v 2c -c public <TargetIP> <OID>

Changing a value with snmpset:
snmpset -v 2c -c public <TargetIP> <OID> s <NewValue>

nmap for snmp
nmap -sU -p 161 --script=<scriptname> <TargetIP>

Scripts:
snmp-brute.nse
snmp-hh3c-logins.nse
snmp-info.nse
snmp-interfaces.nse
snmp-ios-config.nse
snmp-netstat.nse
snmp-processes.nse
snmp-sysdescr.nse
snmp-win32-services.nse
snmp-win32-shares.nse
snmp-win32-software.nse
snmp-win32-users.nse