COMMAND
nbtstat
SYSTEMS AFFECTED
WinNT 3.5, 3.51, 4.0 (default configuration)
PROBLEM
Use
NBTSTAT -A 123.123.123.123 (use the ip of a known nt box)
This will return the machine name. Then put the Machine name and
IP address in your lmhosts file.
Type
NBTSTAT -R
This will refresh the netbios names. Under NT 4.0, this is
completely unneeded.
Next you can type commands like
NET VIEW \\machine (lists the shares offered)
dir \\machine\share (lists the contents of a share if it is open)
and you can even use User Manager for Domains: choose Select
Domain and enter \\machine. This will give you a listing of
their users. Under NT 4.0 both of these also work directly against
the IP address, e.g. NET VIEW \\123.123.123.123, so the NetBIOS
name is not needed. You may also do:
NET VIEW \\ftp.foo.com
After poking around a little you will find out how insecure NT is
in its default configuration.
'Nbtstat -a nodename' or 'Nbtstat -A ipaddress' will display much
information about a remote node. This command will display:
Active User
Services running
NT Domain name
Nodename
Ethernet Hardware address
This gives an attacker doing password guessing two of the three
pieces of information required to mount shares on a remote system:
the domain name and a username.
The local and remote systems must be able to communicate via
ports 137, 138, 139.
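To make the disclosure concrete from the defender's side, here is an added audit script (not part of the original advisory) that parses the name table an NT host returns to nbtstat -A and sorts it into the five items listed above. The sample output is constructed, the suffix meanings are the standard NetBIOS name-type codes, and the point is to show exactly which entries hand over the domain name and a username:

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Meaning of the NetBIOS name suffixes that appear in "nbtstat -A" output.
# Standard NetBIOS name-type codes; not values taken from the advisory.
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "workstation service (machine name)",
    ("00", "GROUP"): "domain or workgroup name",
    ("03", "UNIQUE"): "messenger service (machine name or logged-on user)",
    ("20", "UNIQUE"): "file server service (shares are offered)",
    ("1B", "UNIQUE"): "domain master browser (primary domain controller)",
    ("1C", "GROUP"): "domain controllers group",
    ("1D", "UNIQUE"): "master browser for this subnet",
    ("1E", "GROUP"): "browser service elections",
}

# One line of the remote name table:  NAME  <xx>  UNIQUE|GROUP  Registered
ENTRY_RE = re.compile(
    r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)", re.MULTILINE)
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


@dataclass
class Disclosure:
    """What a remote party learns from a single nbtstat -A query."""
    machine: Optional[str] = None
    domain: Optional[str] = None
    users: List[str] = field(default_factory=list)
    services: List[str] = field(default_factory=list)
    mac: Optional[str] = None


def parse_nbtstat(text: str) -> Disclosure:
    entries = [(name, suffix.upper(), kind, status)
               for name, suffix, kind, status in ENTRY_RE.findall(text)]
    d = Disclosure()
    # First pass: machine and domain names; needed to tell users from machine entries.
    for name, suffix, kind, _ in entries:
        if (suffix, kind) == ("00", "UNIQUE"):
            d.machine = name
        elif (suffix, kind) == ("00", "GROUP"):
            d.domain = name
    # Second pass: a <03> unique name that is not the machine name is a logged-on user;
    # the remaining known suffixes describe running services.
    for name, suffix, kind, _ in entries:
        if (suffix, kind) == ("03", "UNIQUE"):
            if name != d.machine and name not in d.users:
                d.users.append(name)
        elif suffix != "00" and (suffix, kind) in SUFFIX_MEANING:
            d.services.append(SUFFIX_MEANING[(suffix, kind)])
    m = MAC_RE.search(text)
    if m:
        d.mac = m.group(1).upper()
    return d


def disclosed_accounts(d: Disclosure) -> List[str]:
    """DOMAIN\\user pairs handed out: two of the three inputs needed to mount a share."""
    return [f"{d.domain}\\{u}" for u in d.users if d.domain]


# Constructed sample in the layout nbtstat -A prints; not output from a real host.
SAMPLE = """
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
NTSERVER       <00>  UNIQUE      Registered
NTDOMAIN       <00>  GROUP       Registered
NTSERVER       <20>  UNIQUE      Registered
NTSERVER       <03>  UNIQUE      Registered
JSMITH         <03>  UNIQUE      Registered
NTDOMAIN       <1E>  GROUP       Registered
NTDOMAIN       <1B>  UNIQUE      Registered

MAC Address = 00-A0-C9-12-34-56
"""

if __name__ == "__main__":
    d = parse_nbtstat(SAMPLE)
    print(d)
    print("domain\\user pairs disclosed to anyone who can reach UDP 137:",
          disclosed_accounts(d))
```

Run against the name tables of your own hosts, the output is a quick inventory of what an Internet-facing NT box is volunteering; the <03> entry that is not the machine name is the one that should worry an administrator, since it names a currently logged-on account.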
SOLUTION
You will only be allowed to do all of this if you have administrator
access to the machine in the first place. Further, you will need
some level of access even to list the shares: if the guest account
is disabled (the default under NT 4.0), you cannot list shares
without at least a user-level account.
The best way to defend against this type of discovery is to block
UDP ports 137 and 138, as well as TCP port 139, at the routers
that serve your Internet connections. The ports this command
depends on are then closed to external traffic, while NetBIOS
still functions inside your network.
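The usual way this mitigation fails is an incomplete or misordered filter: TCP 139 gets blocked and the two UDP ports are forgotten, or a broad permit sits above the denies. The following added check (not from the advisory; it uses a simplified first-match rule model rather than any vendor's ACL syntax, with constructed rulesets) evaluates an inbound ruleset against exactly the three ports named above and reports which are still reachable from outside:

```python
from typing import List, Optional, Tuple

# The three NetBIOS-over-TCP/IP ports the advisory says must be reachable
# for nbtstat / NET VIEW to work against a host.
NETBIOS_PORTS = [
    ("udp", 137, "NetBIOS name service (nbtstat -A queries)"),
    ("udp", 138, "NetBIOS datagram service"),
    ("tcp", 139, "NetBIOS session service (NET VIEW, share access)"),
]

# A rule is (action, protocol, destination port).  Protocol "any" or port None
# match everything.  First matching rule wins, as on a router ACL.
Rule = Tuple[str, str, Optional[int]]


def first_match(rules: List[Rule], proto: str, port: int, default: str = "deny") -> str:
    """Return the action of the first rule matching proto/port, or the default."""
    for action, r_proto, r_port in rules:
        if r_proto != "any" and r_proto != proto:
            continue
        if r_port is not None and r_port != port:
            continue
        return action
    return default


def exposed_netbios(rules: List[Rule], default: str = "deny") -> List[Tuple[str, int, str]]:
    """NetBIOS ports an inbound ruleset still permits from the Internet side."""
    return [(proto, port, desc) for proto, port, desc in NETBIOS_PORTS
            if first_match(rules, proto, port, default) == "permit"]


# Constructed rulesets for the Internet-facing interface, inbound direction.
# Weak: only the session port was remembered; name-service queries still get in.
WEAK_INBOUND: List[Rule] = [
    ("deny", "tcp", 139),
    ("permit", "any", None),
]

# Hardened: all three ports the advisory names are denied before the general permit.
HARDENED_INBOUND: List[Rule] = [
    ("deny", "udp", 137),
    ("deny", "udp", 138),
    ("deny", "tcp", 139),
    ("permit", "any", None),
]

# Misordered: the same denies, but the general permit comes first, so none apply.
MISORDERED_INBOUND: List[Rule] = [("permit", "any", None)] + HARDENED_INBOUND[:3]

if __name__ == "__main__":
    for label, rules in [("weak", WEAK_INBOUND), ("hardened", HARDENED_INBOUND),
                         ("misordered", MISORDERED_INBOUND)]:
        leaks = exposed_netbios(rules)
        print(f"{label:10s}: " + ("OK" if not leaks else f"still exposed: {leaks}"))
```

Because the filter is applied only to the external interface, hosts inside the network keep full NetBIOS service; a useful follow-up is to confirm the result from an outside vantage point, since a filter that looks right on paper can still be bypassed by a second uplink it was never applied to.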