Tuesday, June 17, 2008

Guide to DOS

************
INTRODUCTION
************

Well, whilst browsing the net looking to expand my knowledge on what other
people thought about the steps of hacking, I discovered that there was very
little information for the newbie hacker about the steps of a common hack. So
here I am, sharing my knowledge. We will presume in this guide that the term
"hack" is an attempt to gain access to a resource. We will also presume that
your aim is to gain access to the computer; what you do after that is out of our
hands, please try and be mature though. This guide will also help you learn many
other terms and theories but will not cover them fully, because the guide's main
purpose is putting hacking into steps to help people understand the
logic/mindset of a hack. It would also be worth emphasizing again that _this
guide is for n00bs_.

Those of you that have read Hacking Exposed Third Edition will notice that I
have based some ideas on its All Angles of Attack section. I have not in any way
copied it though; this is what I learnt a lot from and I am just passing my
knowledge on to others. Any ideas taken from the book are written in my words
and in some cases in better wording. Thanks George, Joel and Stuart, you guys
0wn.



**********
DISCLAIMER
**********

By reading this you agree that any harm or damage that you inflict on yourself
or others' computers is your fault and not, in any way, ours. We do not
encourage breaking into other people's computers, but the restrictions sometimes
leave us no choice. However we in no way promote malicious or non-productive
attacks on others' computers. This file may be used for personal study only, NOT
for resale or on your own site.


*****************
STEP 1: TARGETING
*****************

-----------------
1.1 IP Addresses
-----------------

To gain access to a computer, you need the number that distinguishes the
computer from every other computer on the net: its IP address. IP stands for
Internet Protocol and address is self-explanatory. An IP address comes in this
format:

192.98.45.93

Four values, each up to three digits long, separated by dots. No value can be
higher than 255.


-------------------------
1.2 Getting an IP address
-------------------------

If you do not already have an IP address to "work on" then here are a few easy
ways to get one. Remember that these are the basic techniques; there are
others.


----------------------------------------------
1.2.1 Getting an IP address from MSN Messenger
----------------------------------------------

If you have MSN Messenger you can get the IP of the person you are talking to
by sending them a file. When you are normally chatting with someone you don't
have what's known as a direct connection to their computer. It works like this:


Your PC -----> MSN Server ----> Recipient's PC
143.35.78.89   24.67.89.1      67.127.35.9

So if you just tried getting the IP address of your victim while just talking,
you would get the IP of the MSN server. I advise against trying to hack that
(but if you think you can then do us all a favour). When you send them a file,
you establish a direct connection to their computer and not through the MSN
server. While the file is being sent, open your command prompt and type
'netstat' without the quotes. This very useful command will give you a list of
connections your PC has established and is trying to establish/maintain:

C:\> netstat

Active Connections

  Proto  Local Address   Foreign Address                         State
  TCP    jester:1047     205.188.7.163:5190                      ESTABLISHED
  TCP    jester:1053     64.12.26.0:5190                         ESTABLISHED
  TCP    jester:1054     64.12.27.67:5190                        ESTABLISHED
  TCP    jester:1056     websys.aol.com:http                     TIME_WAIT
  TCP    jester:1089     joeblow@pscd.uk.567356.blueyonder.net   ESTABLISHED


You will see one long one that won't be in the form of an IP address; this is a
host address. It will look something like: joeblow@pscd.uk.567356.blueyonder.net
From here you have to do an NS (Name Server) lookup. This will translate the
host address into an IP address and then you have what you want. Some sites have
an online NS lookup but there are also many programs that do it as well. One
program that I recommend you download is Cyberkit. This app contains many useful
tools that will help you out greatly, one of those being NS Lookup. You can get
Cyberkit from www.cyberkit.net.


------------------------------------
1.2.2 Getting an IP address from IRC
------------------------------------

Another way of getting an IP address is from IRC (Internet Relay Chat). I won't
go into what IRC is exactly and how to enter IRC. All you have to do when you
are on the IRC channel is give the command: /whois username, where username is
their username. This will give you lots of details about the user and hopefully
the IP address, although it may be in host address format. Some IRC networks
hide your IP address though, so this won't always work. Here is an example of
the type of output you will get after the whois command:

/whois JoeBlow

JoeBlow is jonboy@ts1-88.f1232.quebectel.com
JoeBlow on #wazzap
JoeBlow using Buffalo.NY.US.XWorld.org BikerBabe's Haven
JoeBlow End of /WHOIS list.

From here you would just do an NS lookup on that host address and you'd get the
IP address you need. Be careful not to get the IRC server's IP/host address
though.


----------------------------------------------
1.2.3 Getting an IP address from email headers
----------------------------------------------

The third simple way of getting an IP address is looking at the headers of an
email. Here is an example of an email header:

Received: from 194.117.133.196 by pv1fd.pav1.hotmail.msn.com with HTTP;
Sat, 04 May 2002 09:44:00 GMT
X-Originating-IP: [194.117.133.196]
From: "Joe Blow"
To: bobtheman@hotmail.com
Subject: What are the steps of a common hack?
Date: Sat, 04 May 2002 09:44:00 +0000
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_5cc6_4c43_171f"

On the third line down you have the IP address, simple.
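As an added example (not part of the original guide), here is a small Python parser that pulls the X-Originating-IP out of a header block and walks the Received: chain. The sample header is constructed, modelled on the one above with one extra hop added on top to stand for your own mail server; the only Received line you can vouch for is the one your own server wrote, everything underneath it was supplied by the sender's side, so the cross-check between the two fields is what tells you whether the headers have been tampered with.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample modelled on the header shown above; the top Received line
# (the one added by "your" mail server) and the example.org addresses are made up.
SAMPLE_HEADERS = """\
Received: from mx2.example.net ([203.0.113.7]) by mail.example.org with ESMTP;
 Sat, 04 May 2002 09:45:10 +0000
Received: from 194.117.133.196 by pv1fd.pav1.hotmail.msn.com with HTTP;
 Sat, 04 May 2002 09:44:00 GMT
X-Originating-IP: [194.117.133.196]
From: "Joe Blow" <joeblow@example.com>
To: bobtheman@hotmail.com
Subject: What are the steps of a common hack?
Date: Sat, 04 May 2002 09:44:00 +0000

(body)
"""

# Same message, but the sender rewrote X-Originating-IP to point somewhere else.
FORGED_HEADERS = SAMPLE_HEADERS.replace(
    "X-Originating-IP: [194.117.133.196]", "X-Originating-IP: [192.0.2.99]")

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def _valid_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def originating_ip(raw):
    """Value of X-Originating-IP with the brackets stripped, or None."""
    value = message_from_string(raw).get("X-Originating-IP")
    if value is None:
        return None
    value = value.strip().strip("[]")
    return value if _valid_ipv4(value) else None


def received_hops(raw):
    """Received: headers top-down. Index 0 was written by the server nearest
    you (the only one you can vouch for); the last one is closest to the sender."""
    hops = []
    for header in message_from_string(raw).get_all("Received", []):
        flat = " ".join(header.split())            # unfold continuation lines
        match = re.match(r"from\s+(\S+)", flat)
        ips = [ip for ip in IPV4_RE.findall(flat) if _valid_ipv4(ip)]
        hops.append({"from": match.group(1) if match else None, "ips": ips})
    return hops


def sender_ip(raw):
    """The address in the oldest hop: the best guess at where the message
    entered the mail system."""
    hops = received_hops(raw)
    if not hops or not hops[-1]["ips"]:
        return None
    return hops[-1]["ips"][0]


def headers_consistent(raw):
    """False when X-Originating-IP disagrees with the oldest Received hop.
    Both were supplied by the sender's side, so a mismatch means at least one
    of them was altered and neither should be trusted on its own."""
    xo, hop_ip = originating_ip(raw), sender_ip(raw)
    if xo is None or hop_ip is None:
        return True
    return xo == hop_ip
```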


-------------------------------------
1.2.4 Static and Dynamic IP addresses
-------------------------------------

Now, just because you got your IP, you're not done yet. Here is an important
thing that you must learn about IP addresses. IP addresses come in two forms:
static and dynamic. You would ideally like a static IP. Why? Because static IP
addresses always stay the same. People with broadband/cable or any other
service that leaves you permanently connected will usually have a static IP
address. This is good for you because your target will always be there so you
can take your time. Dynamic IP addresses belong to anyone who has a dialup
connection (probably you) and this means that every time you connect to the
internet, you get a different IP address. This can be an annoying problem
because if you get someone's IP and they are on dialup, chances are that it has
already changed. However if you get the IP from MSN or IRC, you know they are
online so start now! This is why email headers are sometimes misleading. This is
also why people usually prefer to hack servers; they have static IP addresses.

Those are the basic ways of getting IP addresses but there are many other
automated ways. You can get programs that will scan a range of IPs, e.g.
213.78.16.0 to 213.78.16.255, and ping them to see if they are active. You can
also use ping yourself to see if a host is alive.


--------
1.3 Ping
--------

That is what ping does: it sends a packet to the chosen computer asking it to
respond. The ping will then usually give you a list of times, or a host-not-found
or timeout message, which means this IP address is offline/not being used/useless.
To ping a host/IP address, open your command prompt and type

ping hostname

The hostname can be either an IP address or a host address. After you enter that
command you will get one of two responses. The first is a good response:

C:\> ping 65.214.39.8

Pinging [65.214.39.8] with 32 bytes of data:

Reply from 65.214.39.8: bytes=32 time=390ms TTL=237
Reply from 65.214.39.8: bytes=32 time=451ms TTL=237
Reply from 65.214.39.8: bytes=32 time=340ms TTL=237
Reply from 65.214.39.8: bytes=32 time=401ms TTL=237

Ping statistics for 65.214.39.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 340ms, Maximum = 451ms, Average = 395ms

We won't go into detail as to what all of this means but as you can see, we got
some response, so that means our target is alive/online. Then the other response:

Pinging 12.12.12.12 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 12.12.12.12:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

As you can see, none of our packets reached the host; this means that the IP
address is not being used so no-one is on the other end of it. This is how some
of those automated IP scanners work; they send pings to a range of hosts and see
which respond. One of the best ping scanners is Pinger by Rhino9. It's free and
available from www.nmrc.org/files/snt/


****************
STEP 2: SCANNING
****************

----------------------
2.1 How Portscans Work
----------------------

Port scanning is the process of sending various different packets to the
victim's ports to determine which ports are LISTENING. That may sound a little
complex but when you use a portscanner you won't really need to know that.

Here is an example of a portscan. You open your favourite portscanner, enter
your target IP address, hit enter and you're done (some portscanners have more
options). The portscanner will first send a packet to port 1 on the victim's
PC. The response (or lack of one) is analysed and then you are told whether the
port is open or not. This is where many portscanners vary: in the type of
packets they send. Here is a basic TCP connect scan (three-way handshake); this
is what most portscanners do by default:


|--------|   1) SYN sent from client           |--------|
| Client | ----------------------------------> | Target |
|        |   2) SYN/ACK sent from server       |        |
|        | <---------------------------------- |        |
|        |   3) ACK sent from client           |        |
|--------| ----------------------------------> |--------|

That is basically how your computer connects to another computer's ports and
that is also how a portscan determines whether or not a port is open.


---------------------
2.2 Types of Portscan
---------------------

We know that portscanning works by sending packets to certain ports. In each of
these packet headers there are what are known as flags:

URG   The Urgent flag indicates that urgent data has been placed in the packet.
ACK   The Acknowledgement Number is valid.
PSH   The data should be passed to the application as soon as possible.
RST   Resets the connection.
SYN   Synchronizes sequence numbers to initiate a connection.
FIN   The sender of the flag has finished sending data.


The disadvantage of the full TCP connect technique above is that it is quite
"loud", meaning not very stealthy, so a firewall would definitely pick it up and
if the user was clever enough, he could notice it as well. Here are some other
packet techniques that can be used. You won't find many of these open for you
to choose in most portscanners, apart from nmap, which is the best portscanner
around but is only for Linux/Unix. If you are running Linux then you can
download nmap from www.insecure.org/nmap. Techniques:


- TCP SYN scan

This technique is called half-open scanning because a full handshake/connection
is not made to the port. A SYN packet is sent to the target. The target will
either respond with a SYN/ACK, from which we can deduce that the port is
LISTENING, or an RST/ACK, which usually means the port is not listening. This
technique is stealthier than the full TCP three-way handshake and therefore may
not be logged/discovered by the target.


- TCP FIN scan

This scan takes advantage of FIN and RST packets but will usually only work on
Unix systems, for reasons we won't go into. The client sends a FIN packet to
the port and the target should send back an RST for all closed ports.


- TCP "Xmas Tree" scan

This scan is similar to the TCP FIN scan but sets the URG and PSH flags along
with FIN in the same packet. As above, the target should send back an RST for
all closed ports.


- TCP Null scan

This scan sends a packet with no flags set, hence the NULL name. The system
doesn't really know how to respond to this so it will, as with the other
techniques, usually send back an RST for all closed ports.

- TCP ACK scan

This scan is another feature of some portscanners. It is used to map out
firewall rulesets. This means that it tries to determine the target's firewall
configuration: whether the firewall is a simple packet filter that only lets
through established connections (packets with the ACK bit set), or a more
advanced firewall implementing more advanced packet filtering.
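Seen from the other side of the wire, the flag combinations listed above are exactly what an intrusion detection rule keys on. The following is an added example, not code from the original guide: it decodes the TCP flags byte into the names from the table, classifies an unsolicited packet as a SYN, FIN, Xmas, Null or ACK probe, and then runs over a constructed stream of (source, port, flags) records to separate a half-open SYN scan and a full connect scan from an ordinary client that just completes one handshake. The packet records and the five-port threshold are assumptions of the example.

```python
from collections import defaultdict

# TCP flag bits as they sit in the header's flags byte (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = ((URG, "URG"), (ACK, "ACK"), (PSH, "PSH"),
              (RST, "RST"), (SYN, "SYN"), (FIN, "FIN"))


def flag_names(flags):
    """Decode a flags byte into the names used in the table above."""
    return [name for bit, name in FLAG_NAMES if flags & bit]


def classify_probe(flags):
    """Which of the scan techniques above an unsolicited packet with these
    flags looks like. A lone SYN may also be a perfectly normal connect(),
    which is why detect_scans() waits to see whether the handshake completes."""
    if flags == 0:
        return "null"
    if flags == SYN:
        return "syn"
    if flags == FIN:
        return "fin"
    if flags == FIN | PSH | URG:
        return "xmas"
    if flags == ACK:
        return "ack"
    return "other"


def detect_scans(packets, min_ports=5):
    """packets: iterable of (src_ip, dst_port, flags) for inbound segments.
    Returns {src_ip: {technique: number_of_distinct_ports}} for sources that
    touched at least min_ports distinct ports with one technique."""
    probes = defaultdict(lambda: defaultdict(set))   # src -> technique -> ports
    completed = defaultdict(set)                     # src -> ports the client ACKed
    for src, port, flags in packets:
        kind = classify_probe(flags)
        if kind == "ack" and port in probes[src]["syn"]:
            completed[src].add(port)     # third step of the handshake: full connect
            continue
        if kind != "other":
            probes[src][kind].add(port)
    report = {}
    for src, by_kind in probes.items():
        found = {}
        for kind, ports in by_kind.items():
            if kind == "syn":
                half_open = ports - completed[src]   # SYN sent, never completed
                if len(half_open) >= min_ports:
                    found["syn"] = len(half_open)
                if len(completed[src]) >= min_ports:
                    found["connect"] = len(completed[src])
            elif len(ports) >= min_ports:
                found[kind] = len(ports)
        if found:
            report[src] = found
    return report


# Constructed traffic (RFC 5737 documentation addresses), not a real capture.
SAMPLE_PACKETS = (
    # half-open SYN scan: SYNs to seven ports, handshake never completed
    [("198.51.100.9", p, SYN) for p in (21, 22, 23, 25, 80, 110, 139)]
    # Xmas tree scan: FIN+PSH+URG to six ports
    + [("192.0.2.44", p, FIN | PSH | URG) for p in (7, 17, 19, 21, 22, 23)]
    # full TCP connect scan: SYN then ACK on each of five ports
    + [pkt for p in (21, 22, 23, 25, 80)
       for pkt in (("203.0.113.77", p, SYN), ("203.0.113.77", p, ACK))]
    # an ordinary web visitor: one handshake on port 80
    + [("203.0.113.5", 80, SYN), ("203.0.113.5", 80, ACK)]
)
```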


Well, now you have learnt a bit more about TCP/IP, packets and flags. Now you
know what your portscanner does, let's go get you a portscanner!


----------------
2.3 Portscanners
----------------

There are many portscanners around to choose from but I will recommend a few and
give you some download links.


>> 7th Sphere Portscanner

This is a simple and popular portscanner that has a simple GUI (graphical user
interface). You can choose your host and then enter the range of ports you want
scanned, e.g. 1 to 65536. 7th Sphere will then scan for you and give you the
output in simple text format which you can write to a .txt file for further
reference. It also has a few other useful options for you to explore.

Download: http://www.7thsphere.com/7thsphere.html

>> SuperScan

This is my personal favourite w1nd0ws portscanner (not a touch on nmap though).
It has many options such as ping before scan, choose a port list to scan, scan a
range of hosts etc. This last option is very useful. It lets you enter a range
of IPs to scan and then it will go through each IP and portscan it. This allows
you to scan large networks. If you've got w1nd0ws then this is the only
portscanner you really need.

Download: http://www.foundstone.com/knowledge/scanning.html

>> LANguard Network Scanner

This is more than a portscanner. It is a fully featured network scanner that
will not only scan the ports of a range of IPs but also scan for
vulnerabilities. It's one of the best hacking tools out there and will tell you
a lot about the computers you are scanning.

Download: http://www.webattack.com/get/languardscan.shtml



Well, I've only covered three portscanners but you won't need any more; you
should only need one, and if you do choose one then I would recommend LANguard
Network Scanner due to its amount of options and great scanning abilities.


-------------------
2.4 Basic Port List
-------------------

There are many other comprehensive port lists out there but here is a very basic
one:

------------------------------------------------------------
Port Number   Service
------------------------------------------------------------
7             echo
17            quote of the day
19            chargen
21            ftp (file transfer protocol)
22            ssh
23            telnet
25            smtp
79            finger
80            http/www
110           pop3
137           netbios name service
138           netbios datagram service
139           netbios session service


---------------------------------------------
2.5 Determining your victims Operating System
---------------------------------------------

Well, we nearly have all the information we need to get on with trying to gain
access to the victim's computer. The only thing left is to determine what OS
(Operating System) the victim/server/host is running. This is important as only
certain vulnerabilities apply to certain OSs, so it's vital to know what you are
working with.


---------------------
2.5.1 Banner Grabbing
---------------------

This is a good technique to learn and can also be used to perform a manual
portscan, e.g. telnetting to every port on a victim's computer and noting down
which ones you could connect to and what services are running. This is what
hackers had to resort to before automated portscanners were written.

Banner grabbing is the art of connecting to a certain port or service and noting
down what response you get from the port daemon (the little "prog" that listens
for connections and then sends out information according to what the user
types/does). Here is an example.

Our target's IP is 123.123.123.123. We need to find out what OS he is running.
Let's try some common ports that give us feedback. We'll try port 80, http. To
do this we telnet to...
*FadE realises he hasn't yet covered telnet*


--------------------
**Sub telnet Guide**
--------------------

Here is a basic guide to telnet to get you acquainted.

Telnet is a protocol that lets you remotely log in to another computer. It lets
you emulate actually being sat at the PC because you can delete, edit and create
new files just as if you WERE sat at it. As you can see, this is a hacker's best
friend.

How do I use Telnet?

If you are running w1nd0ws then you already have the default w1nd0ws telnet
client ready to use. Just open your command prompt and enter telnet. Then,
depending on whether you have w1nd0ws 95/98 or 2000/NT (I think), you will
either get a telnet popup or a telnet prompt.
If you get the telnet popup then click Connect and then Remote System. You will
then get a little popup menu with three options: Host, Port and Term Type. Enter
your hostname and port and leave the term type as it is. Connect and you will
then be greeted with a login prompt or some form of prompt depending on what
port you connected to.

If you type telnet and you just get the Micr050ft Telnet> prompt then you are
lucky, because this is better. From here you can type: open 123.123.123.123
This will try to connect to port 23 (telnet) on the other computer. You can
change which port you connect to though by adding a port number after the
command: open 123.123.123.123 80
This will try to connect to port 80 (http) of the host.

Once you are connected to a computer, depending on what OS it is, you will have
a variety of telnet commands to use. Here are some w1nd0ws telnet commands that
can be used BEFORE you are connected to a remote computer:

close     close current connection
display   display operating parameters
open      connect to a site
quit      exit telnet
set       set options (type 'set ?' for a list)
status    print status information
unset     unset options (type 'unset ?' for a list)
?/help    print help information

When you are connected to a computer, as I said, the commands will vary so just
type help or ? to get a list of commands supported by that OS.

One other thing: there are many better telnet clients around than the w1nd0ws
default one. I recommend downloading PuTTY. This is much better than the default
w1nd0ws telnet, has many more options and is much more stable.

Download: http://www.chiark.greenend.org.uk/~sgta ... nload.html


Well, that's all you need to know about telnet to banner grab and connect to
another computer.

--------------------
**End telnet Guide**
--------------------

Okay, back to banner grabbing. We try to connect to port 80 on 123.123.123.123
to see if this gives away any clues as to what OS this host is running.

C:\> telnet

Micr050ft Telnet> open 123.123.123.123 80

HTTP/1.1 200 OK
Server: Micr050ft IIS/4.0
Date: 09/03/09
Content Type: text/html
Content-Length: 87

This daemon practically hands us all the info we need about this OS or, in this
case, server: Micr050ft IIS. You will only get something like that when you
connect to a server, because servers have port 80 open so people can view the
web page the server is storing. To prove this, open up an Internet browser and
type in the address of a site followed by :80. This will connect to port 80 of
that server, which is the http port, which serves the web page.

That's all banner grabbing is. You can do it on any port that is open and ready
for connection. Try it out yourself and see what you get.
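The banner above is also what an administrator should be checking on their own servers. As an added example, not code from the original guide: a parser for a raw HTTP response like the one shown, a check that reports which headers give away a product version, and a helper that does what the telnet session does but sends a proper HEAD request first, since a real web server only answers once it has received one. The sample response is constructed (the Server value uses the real "Microsoft-IIS/4.0" format and a valid HTTP date); the grab_http_banner helper and the list of disclosing headers are assumptions of the example.

```python
import re
import socket

# Constructed response modelled on the one shown above; not captured from any host.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/4.0\r\n"
    "Date: Sat, 09 Mar 2002 10:00:00 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 87\r\n"
    "\r\n"
)

VERSION_RE = re.compile(r"\d+\.\d+")
# response headers that commonly carry product/version strings (assumed list)
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def parse_response_head(raw):
    """Split a raw HTTP response into its status line and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"version": parts[0], "status": int(parts[1]), "headers": headers}


def banner_disclosure(parsed):
    """Headers that give away software name and version, i.e. exactly what a
    banner grab reveals. An empty dict means the server keeps quiet."""
    found = {}
    for name in DISCLOSING_HEADERS:
        value = parsed["headers"].get(name)
        if value and VERSION_RE.search(value):
            found[name] = value
    return found


def grab_http_banner(host, port=80, timeout=5.0):
    """Fetch and parse the response head from a web server you administer.
    Hypothetical helper for the example; it needs a live host and is not run
    by the test."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
            if b"\r\n\r\n" in b"".join(chunks):
                break
    return parse_response_head(b"".join(chunks).decode("latin-1"))
```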


----------------------------------
2.5.2 Automated OS detection Tools
----------------------------------

Instead of spending hours banner grabbing (I tell a lie, it usually takes about
5 minutes) you can also get programs that will try a range of techniques to find
out what OS the target is running. This includes banner grabbing and sending
various packets and analysing the output.

The only OS detection app I've ever used is called RemOS but I fail to remember
where I got that from. Use your search skills.


****************************
STEP 3: ALL ANGLES OF ATTACK
****************************

After you have identified your target and hopefully gathered a sufficient amount
of information about it (open ports, OS etc.) then you are ready for the next
step. Most guides will have a step called enumeration (gathering info on shares,
users etc. of a system) and then Gaining Access (getting superuser/root
privileges), but I decided, due to the amount of techniques there are, that I
would merge these into the last big main section.

Therefore, this step is merely a list of common and some uncommon techniques to
help you get access to a system. It will be in no order apart from the OS
sub-sections. It will also include some mini sections explaining some other
jargon that you may not understand. The OS sub-sections are as follows: w1nd0ws
95/98, w1nd0ws 2000, w1nd0ws NT, the new w1nd0ws XP and Unix. For the w1nd0ws
sections, I recommend you try out some of the techniques listed as they may
work on other w1nd0ws versions apart from the OS section I've listed them in.



-----------------
3.1 w1nd0ws 95/98
-----------------

w1nd0ws 95/98 has four main ways of remotely exploiting it:

- Hacking Shared Resources
- Trojans
- DoS (Denial of Service)


------------------------------
3.1.1 HACKING SHARED RESOURCES
------------------------------

----------------------------
3.1.1.1 Hacking File Sharing
----------------------------

This is probably the most well known method of entering any w1nd0ws system.
File/Print Sharing is a real smart idea from M$ to allow people to share files
and printers. You can already see chaos on the horizon: blank passwords, easily
guessed passwords, file/print sharing enabled on home users' systems who don't
need it etc. etc. These are just a few of the problems it causes. Why M$ put it
on home edition software is beyond me; I'd say, truthfully, that it is more
hacked than used productively.

There is not much you can do by hacking and getting access to a w1nd0ws shared
printer (apart from the obvious mayhem of printing whatever you want, however
many times you want, on the poor victim's computer) so I think it would be fair
to concentrate on the file sharing *feature* that runs under M$ w1nd0ws 95/98.

The way to find out whether or not your victim has file sharing enabled is to
use LANguard Network Scanner (discussed earlier on) or Legion by Rhino9.
LANguard scans a range of IPs as discussed earlier and will also display the
shared resources under the IP address. It will give you lots of information but
if you see a branch under the IP address saying IPC$ or something like that with
a $ on the end, then that is a share. If you right click on the share you can
have LANguard try and crack the password or use a dictionary. The cracking
option is a logical password guesser and the dictionary attack is where you give
LANguard a .txt file full of words, one on each line, and it tries every word in
the file as a password. If the share is badly secured (blank or bad password for
example) then you've hit the jackpot and you've got access to the share. If you
get access to a C$ share, you get access to the whole of their C: drive!

Legion by Rhino9 doesn't have a specific download site so just search for it and
download the small free file. It works similarly to LANguard apart from it only
scans for shares whereas LANguard scans for pretty much everything. This has its
advantages if you're just looking for shares. When it finds shares you'll get
many options, including the option to crack the password and use a dictionary
file. If you crack the password then you've struck gold again; go explore but
don't do anything destructive. If you can, leave a message telling them about
the problem and how they can solve it.


----------------------------
3.1.1.2 Obtaining the hashes
----------------------------

This vulnerability was discovered by L0pht security group.

If the target has file sharing enabled then this may also work but is hard to
pull off. This exploit is based around the Win9x hashes. To store the username
and password on a Win9x system, they are merged together and cryptographically
scrambled; the result is called a hash. The hash is in some form sent around the
system every 15 minutes. If, though, you can somehow send the identical hashed
authentication, you will automatically mount the Win9x share. This is very hard
to pull off and requires good programming skills. This technique is known as
replaying the Win9x authentication hash. For more info on this vulnerability,
read the security advisory that L0pht released on this topic:

http://www.atstake.com/research/advisor ... replay.txt



-------------------------------
3.1.1.3 Remote Registry Hacking
-------------------------------

Another stupid M$ tool that 1 in 1000 people use is the Remote Registry Service.
For this to work though, a number of conditions must be present and tasks
completed:

- Remote Registry Service must be installed (it's not installed by default so
the user would have to do it)
- You will at minimum need to enter some form of password.

It is rare though to find this installed on a system so chances are you will
never have to use this exploit, or will never get the chance to. If you do
happen to get access though, you will be able to edit the target's registry
freely to your liking. If you know a lot about the registry then you can get
full access to the target by changing some keys.


-------------
3.1.2 TROJANS
-------------

This section will be a very small one as there is little to say about trojans
apart from that they are considered very lame by many hackers, including
myself. Mainly script kiddies use these kinds of tools as they involve no
intelligence and "hack" someone by clicking a button. Nevertheless, I feel it's
important that you should know something about them so I will explain what
trojans are and discuss some well known trojans.

A trojan is a destructive program that masquerades as a benign application.
Unlike viruses, trojan horses do not replicate themselves, but they can be just
as, if not much more, destructive than a virus depending on how and what the
user commands the trojan to do.

Trojans usually have two parts to them: a client and a server. You have the
client on your system and your task is to get the server onto the victim's
computer and executed. When executed, the trojan server will open a specific
port and listen for a connection. The connection will be coming from your
client; you simply open the client, enter the IP and port and it should connect
to the port that the server is listening on. It will connect to the server and
you will have pretty much total control over the victim's computer. After the
server has been executed on the victim's computer, it installs various entries
in the registry and .ini files so that the trojan starts up whenever the
computer starts up. Common places to add a startup value:

Registry: [HKLM\Software\Micr050ft\w1nd0ws\CurrentVersion\Run]
Startup Files: win.ini, autoexec.bat etc.

It would be good practice to check these locations every once in a while and
look for anything suspicious, e.g. "Server"="C:\\w1nd0ws\\server.exe" in Run.

After the server has done its dirty work, it will either melt or go into hiding
(usually in a w1nd0ws system folder). That's pretty much all you need to know
about trojans. If you want to enter the ways of the script kiddie/common
asshole wannabe hacker then here are some common trojans that are quite widely
used:

- Sub7
- Back Orifice
- Netbus


-----------------------
3.1.3 DENIAL OF SERVICE
-----------------------

Denial of Service attacks are attacks that will deny you access to certain
things. This is a bad definition in my opinion; my definition of DoS attacks is
attacks that overflow/crash or cause some form of brute damage to the target
system. An example of a DoS attack is a SYN flood attack. This is when the
attacker sends lots of SYN packets to the target. The target system then
reserves lots of memory for the replies and the further connections that should
follow. The SYN packets will not have a valid source IP to reply to though.
So the target is left with all this memory being used up and the system will
eventually crash, and if it's a server for a website, the website will be taken
offline. This is just one example of a DoS attack; there are many. It is now
though (unfortunately) done by programs, which gives it a certain lame rating.
Here are some DoS titles for you to explore:

Ping of Death
Teardrop
land
WinNuke (King of all lameness so DO NOT ask anyone how to use this or where to
get it from unless you want your ass flamed to a burden)

Okay, so there you have the common ways of entering a system running Win9x. Now
onto w1nd0ws 9x's older brother, w1nd0ws 2000.


----------------
3.2 w1nd0ws 2000
----------------

Again, this is a list of certain techniques to use on the system running this OS
(Win2k). Try them all and learn what you can from them.

-----------------------------------------------
3.2.1 Using net use to establish a null session
-----------------------------------------------

As in all w1nd0ws versions, there are countless problems with its default
configuration and NetBIOS exploits. NetBIOS exploits probably account for
around 75% of all attacks on w1nd0ws 2000/NT systems. For this technique to
work, the target must have port 139 open, the NetBIOS session port. We then
enter a command to establish a null session:

C:\> net use \\ip.add.goes.here\share$ "" /u:""

A common example would be:

C:\> net use \\123.123.123.123\IPC$ "" /u:""

Now, let's look at that command more carefully. net use is the basic command
that we use to connect to remote shares. \\123.123.123.123 is the IP address.
IPC$ is the share name. The end part of this command is important. The /u:""
means anonymous user.

/u = anonymous user
"" = null password

If this command is successful then you are connected to the target and you can
execute various commands to help you map out the system. If this doesn't work
then you are out of luck and you will get a message along the lines of "Access
is denied". This means your user is smarter than you think and has disabled
anonymous logins. A very good idea. To restrict anonymous logins, open Regedit
and find HKLM\SYSTEM\CurrentControlSet\Control\LSA. If the value
RestrictAnonymous is not already there then create it and set it to 2 to
restrict ALL anonymous logins. This will protect YOU from a large percentage of
hacking attacks.
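Both of the defensive checks this guide recommends, looking through the Run key for suspicious startup entries (section 3.1.2) and confirming RestrictAnonymous is set to 2 (this section), can be made against a registry export instead of by eye. The following is an added example, not code from the original guide: it parses a .reg file as written by Regedit's Export, compares the Run key against a saved clean baseline so that new or changed entries stand out, and reads the LSA value. The export, the baseline and the "Server" entry are constructed, mirroring the suspicious example from the trojan section; the key paths are the real Windows ones.

```python
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA"

# Constructed export (Regedit -> Export, .reg format); the entries are made up
# and "Server" mirrors the suspicious example from the trojan section.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Server"="C:\\WINDOWS\\server.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"RestrictAnonymous"=dword:00000000
"""

# What the Run key looked like when the machine was known to be clean (assumed).
BASELINE_RUN = {
    "SystemTray": "SysTray.Exe",
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
}


def parse_reg_export(text):
    """Parse a .reg export into {key_path_lowercased: {value_name: value}}.
    Strings are unescaped, dword values become ints, anything else stays raw."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()        # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if value.startswith("dword:"):
            keys[current][name] = int(value[len("dword:"):], 16)
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            keys[current][name] = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            keys[current][name] = value        # hex(...) blobs etc. kept verbatim
    return keys


def run_changes(keys, baseline):
    """Run-key entries that are new, or whose command line differs from the baseline."""
    current = keys.get(RUN_KEY.lower(), {})
    return {name: cmd for name, cmd in current.items() if baseline.get(name) != cmd}


def restrict_anonymous(keys):
    """Current RestrictAnonymous value, or None if the value is absent."""
    return keys.get(LSA_KEY.lower(), {}).get("RestrictAnonymous")


def anonymous_logins_restricted(keys):
    """True only when RestrictAnonymous is 2, the setting recommended above."""
    return restrict_anonymous(keys) == 2
```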


---------------------------------------------------
3.2.2 Using net view to view domains once connected
---------------------------------------------------

If your null session attempt was successful then one of the first things you
should do is execute the net view command. This command is very simple and will
show you all domains on the network (if it is a network). Here is the help for
net view:

The syntax of this command is:


NET VIEW [\\computername [/CACHE] | /DOMAIN[:domainname]]
NET VIEW /NETWORK:NW [\\computername]

As you can see, you can use net view by computer name or by domain. Up to you;
try out both and see which gets results. If you don't know what domains are
available then try entering the following command: net view /domain. This will
give you a list of domains on the network.

C:\> net view /domain
Domain
-----------------------------------------------------------
WORKGROUP
SMARTASS
JOHNNY5
SOMEONE

You can then use the net view command to list the computers on a domain:

C:\> net view /domain:smartass
Server Name            Remark
----------------------------------------------------------------
\\JOHNBOY              Lam0 kiddie
\\MENTOR               l3370 haX0r
\\Micr050ft            Built-in obsolescence...
\\FADE                 Lateral Thinker...


------------------------------------------
3.2.3 Using nbtstat to obtain NetBIOS info
------------------------------------------

nbtstat is a great built-in command that is used to get a remote system's
NetBIOS Name Table. This is very useful to your studies of the system. Let's say
that 123.123.123.123 has NetBIOS port 139 open and we want some more info on his
users/domain/network:

C:\> nbtstat -A 123.123.123.123
NetBIOS Remote Machine Name Table

Name             Type     Status
----------------------------------------------------------
DOM1      <00>   GROUP    Registered
DOM2      <20>   GROUP    Registered
SEV9      <1e>   UNIQUE   Registered
ANYNAME   <03>   UNIQUE   Registered
ADMIN     <00>   UNIQUE   Registered


This is where I used to get lost in guides: my table looks nothing like that!
Chances are it won't, as we aren't really focusing on hacking a network, but you
will see the advantages of that as you read on. If you are hacking a standard
internet user then chances are he doesn't even have File/Print Sharing/NetBIOS
enabled so your chances of pulling this off are slim.

The nbtstat command can also be used with a host address instead of an IP
address. This is done by replacing the uppercase A with a lowercase one:

C:\> nbtstat -a jowblow@tids.12-4434.ac.uk

This would get the same results, just using a host address to identify the
target instead.
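The table's <xx> suffixes are what give it meaning, and they are also what an administrator should read when checking what their own machine announces. As an added example, not code from the original guide: a parser for nbtstat -A output that annotates each row with the suffix meaning from Microsoft's NetBIOS suffix list and summarises what the table tells an outsider (computer name, domain/workgroup, whether shares are offered, and which logged-on user names leak through the <03> entries). The sample table is constructed, borrowing the names from the example above; the MAC address is from the IANA documentation range.

```python
import re

# NetBIOS suffix meanings, keyed by (suffix, type); only the common ones.
SUFFIXES = {
    ("00", "UNIQUE"): "Workstation Service (computer name)",
    ("00", "GROUP"):  "Domain/workgroup name",
    ("03", "UNIQUE"): "Messenger Service (computer or logged-on user name)",
    ("1B", "UNIQUE"): "Domain Master Browser",
    ("1C", "GROUP"):  "Domain Controllers",
    ("1D", "UNIQUE"): "Master Browser",
    ("1E", "GROUP"):  "Browser Service Elections",
    ("20", "UNIQUE"): "File Server Service (shares offered)",
}

ROW_RE = re.compile(r"^\s*(\S.*?)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)")
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f-]{17})")

# Constructed nbtstat -A output: names borrowed from the example above, the
# table itself is made up, MAC from the IANA documentation range.
SAMPLE_TABLE = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
SEV9           <00>  UNIQUE      Registered
DOM1           <00>  GROUP       Registered
SEV9           <20>  UNIQUE      Registered
SEV9           <03>  UNIQUE      Registered
ADMIN          <03>  UNIQUE      Registered
DOM1           <1E>  GROUP       Registered

MAC Address = 00-00-5E-00-53-01
"""


def parse_name_table(text):
    """Rows of the name table as dicts, each annotated with the suffix meaning."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        name, suffix, ntype, status = m.group(1), m.group(2).upper(), m.group(3), m.group(4)
        rows.append({"name": name, "suffix": suffix, "type": ntype, "status": status,
                     "meaning": SUFFIXES.get((suffix, ntype), "unknown")})
    return rows


def mac_address(text):
    """The MAC address line at the bottom of the output, if present."""
    m = MAC_RE.search(text)
    return m.group(1) if m else None


def summarize(rows):
    """What the table tells an outsider about the host: its name, its domain or
    workgroup, whether it offers shares, and which user names it leaks."""
    host = next((r["name"] for r in rows if (r["suffix"], r["type"]) == ("00", "UNIQUE")), None)
    domain = next((r["name"] for r in rows if (r["suffix"], r["type"]) == ("00", "GROUP")), None)
    return {
        "host": host,
        "domain": domain,
        "shares_exposed": any((r["suffix"], r["type"]) == ("20", "UNIQUE") for r in rows),
        # every logged-on user registers a <03> name besides the computer's own
        "users": sorted({r["name"] for r in rows
                         if (r["suffix"], r["type"]) == ("03", "UNIQUE") and r["name"] != host}),
    }
```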