Re: nc help needed.

From: Vijay Kumar (vijay_at_calsoftinc.com)
Date: 09/24/04

  • Next message: Jonathan Loh: "Re: Laptop Encryption & Hibernation"
    To: scream@cogeco.ca, Security Basics <security-basics@securityfocus.com>
    Date: Fri, 24 Sep 2004 18:56:59 +0530
    
    

    Hi,

    Thanks a ton for all the replies. I know that Netbios is using port 139.
    Since the Windows computer is currently accepting null sessions, we
    should be able to connect to this port via netcat. ( am i right ? )
    Have been reading these lines from the documentation, which talks about
    assigning proirity to the netcat session we are trying to establish.
    Hence I am sure this should work, we are mising on something.
    Does anyone has anything to add ?
    Also I am not understanding whether the -s <ip address> should be the
    computer running netcat or the detination (target) machine ?

    "" You will need to bind "in front of" some services that may already be
    listening on those ports. An example is the NETBIOS Session Service
    that is running on port 139 of NT machines that are sharing files. You
    need to bind to a specific source address (one of the IP addresses of
    the machine) to accomplish this. This gives Netcat priority over the
    NETBIOS service which is at a lower priority because it is bound to ANY
    IP address. This is done with the Netcat -s option:

    nc -v -L -e cmd.exe -p 139 -s xxx.xxx.xxx.xxx

    Now you can connect to the machine on port 139 and Netcat will field
    the connection before NETBIOS does. You have effectively shut off
    file sharing on this machine by the way. You have done this with just
    user privileges to boot. ""

    Have not used psexec -> will try it.

    Regards
    Vijay.

    On Fri, 2004-09-24 at 17:55, Scream wrote:
    > using the -p 139 command line switch would attempt to bind to port 139 on
    > the machine you are running it on which being a windows machine is already
    > in use..
    >
    >
    > If you are trying to connect to the remote then it would be , this however
    > will not spawn a cmd session.
    >
    > nc -v ip addr 139
    >
    >
    > ----- Original Message -----
    > From: "Vijay Kumar" <vijay@calsoftinc.com>
    > To: <security-basics@securityfocus.com>
    > Sent: Thursday, September 23, 2004 11:21 AM
    > Subject: nc help needed.
    >
    >
    > > Hi,
    > >
    > > Trying to use the nc command from a windows 2k box :
    > >
    > > nc -v -L -e cmd.exe -p 139 -s xxx.xxx.xxx.xxx
    > >
    > > The error given is : Can't grab xxx.xxx.xxx.xxx:139 with bind.
    > >
    > > s -> destination host where the null sessions on 139 are accepted.
    > >
    > > Any clue, how to to get the cmd working on the remote host ?
    > >
    > > Regards,
    > > Vijay.
    > >
    > >
    > >
    > >
    > >
    > >
    > >
    > > --------------------------------------------------------------------------
    > -
    > > Computer Forensics Training at the InfoSec Institute. All of our class
    > sizes
    > > are guaranteed to be 12 students or less to facilitate one-on-one
    > > interaction with one of our expert instructors. Gain the in-demand skills
    > of
    > > a certified computer examiner, learn to recover trace data left behind by
    > > fraud, theft, and cybercrime perpetrators. Discover the source of computer
    > > crime and abuse so that it never happens again.
    > >
    > > http://www.infosecinstitute.com/courses/computer_forensics_training.html
    > > --------------------------------------------------------------------------
    > --
    > >

    ---------------------------------------------------------------------------
    Computer Forensics Training at the InfoSec Institute. All of our class sizes
    are guaranteed to be 12 students or less to facilitate one-on-one
    interaction with one of our expert instructors. Gain the in-demand skills of
    a certified computer examiner, learn to recover trace data left behind by
    fraud, theft, and cybercrime perpetrators. Discover the source of computer
    crime and abuse so that it never happens again.

    http://www.infosecinstitute.com/courses/computer_forensics_training.html
    ----------------------------------------------------------------------------


  • Next message: Jonathan Loh: "Re: Laptop Encryption & Hibernation"

    Relevant Pages

    • Re: nc help needed.
      ... Try to use a different port and see if it is working. ... An example is the NETBIOS Session Service ... the reader of this message is not the intended recipient, ...
      (Security-Basics)
    • Fwd: nc help needed.
      ... I know that Netbios is using port 139. ... assigning proirity to the netcat session we are trying to establish. ... An example is the NETBIOS Session Service ...
      (Security-Basics)
    • RE: SUMMARY: SMB overflow attacks
      ... Your port 1025 may be identifiable using either of these tools, ... SMB still is encapsulated in netbios ... Setup that precludes SMB negotiation and session setup on port 139. ...
      (Vuln-Dev)
    • RE: SUMMARY: SMB overflow attacks
      ... Basically you just point it at a tcp port and see what it says. ... > Based on my own tests, SMB still is encapsulated in netbios ... What they appear to have gotten rid of was the NB Session ...
      (Vuln-Dev)
    • RE: Internal Machine making many attempts to connect to Internet on 1 37
      ... The connections to port 137 seem to be ... it does a NetBios lookup. ... conduit permit icmp host server.ip.address.here any information-reply ... Monitor logging: ...
      (Incidents)