NetBios

Intended use: LAN comms - sharing printers, files, RPC calls, messaging, etc.

Hacking: Info collecting - users, computers, shares, docs, printers, domains

Ports: 137, 138, 139

Netbios naming scheme to tag what type of resource the computer is:

#nbtstat -n //the service this calls in WINS. -n name flag

List the remote computer's name table from its IP (can also do reversed -A)

(windows)#nbtstat -a <target ip> //look for interesting codes like 20 or others above ^.

(linux)#nbtscan -v <target ip or CIDR>
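
Added example (not part of the original notes): a small Python parser that decodes the suffix codes in a saved name table, useful for inventorying which hosts still advertise the File Server service (<20>). It goes beyond the single code mentioned above by mapping the other well-known suffixes, and accepts both nbtstat and nmblookup -A layouts; the sample tables and host names are constructed.

```python
import re

# Well-known NetBIOS suffix codes (16th byte of the name), keyed by (code, type).
SUFFIXES = {
    ("00", "UNIQUE"): "Workstation service (computer name)",
    ("00", "GROUP"): "Domain/workgroup name",
    ("03", "UNIQUE"): "Messenger service",
    ("20", "UNIQUE"): "File Server service (sharing enabled)",
    ("1B", "UNIQUE"): "Domain master browser",
    ("1C", "GROUP"): "Domain controllers",
    ("1D", "UNIQUE"): "Master browser",
    ("1E", "GROUP"): "Browser service elections",
}

# Matches "NAME <20> UNIQUE Registered" (nbtstat) and
# "NAME <20> - <GROUP> B <ACTIVE>" (nmblookup -A).
ROW = re.compile(r"^\s*(\S+)\s*<([0-9A-Fa-f]{2})>\s+(?:-\s+)?(UNIQUE|GROUP|<GROUP>)?")

# Constructed sample tables (host and domain names are made up).
SAMPLE_NBTSTAT = """\
       Name               Type         Status
    FILESRV01      <00>  UNIQUE      Registered
    CORP           <00>  GROUP       Registered
    FILESRV01      <20>  UNIQUE      Registered
    CORP           <1E>  GROUP       Registered
"""
SAMPLE_NMBLOOKUP = """\
Looking up status of 10.130.40.70
    WKSTN07         <00> -         B <ACTIVE>
    CORP            <00> - <GROUP> B <ACTIVE>
"""

def parse_name_table(text):
    """Return one dict per name-table row; header and status lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        name, code = m.group(1), m.group(2).upper()
        kind = "GROUP" if m.group(3) in ("GROUP", "<GROUP>") else "UNIQUE"
        rows.append({"name": name, "code": code, "type": kind,
                     "meaning": SUFFIXES.get((code, kind), "unknown")})
    return rows

def exposes_file_sharing(rows):
    """True when the host registers the <20> File Server service name."""
    return any(r["code"] == "20" and r["type"] == "UNIQUE" for r in rows)
```
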

List Domains, shares, computers, resources in a network:

(win)#net view <ip>

(lin)#smbclient -L <target ip>

//We can then browse the output of net view (connects to C and mounts it at K:)

(win)#net use K: \\192.168.99.162\C

(lin)#sudo mount.cifs //192.168.99.162/C /media/k_share/ -o user=,pass=

Nbtscan

NetBIOS scan

# nbtscan -r 10.11.1.0/24 //gives ip list, netbios name, mac, and users present on the machine

Get Table

From Windows Attacker, display NetBIOS table:

C>nbtstat -a 10.130.40.70

Linux, Lookup table names:

# nmblookup -A 10.130.40.70

Null sessions

Windows:

C:\>net use \\10.130.40.70\IPC$ "" /u:""

or

#net use \\192.168.99.162\IPC$ "" /user:""

//if this works we can try a windows auto null session dump tool

#winfo <target ip> -n

Linux:

# smbclient -L 10.130.40.70

//lin auto dumper

#enum4linux <target ip> //a wrapper around rpcclient, net, nmblookup, smbclient
