How to Use Nbtstat
To get started, bring up the cmd.exe command. Click
Start -> Run and type cmd.exe in the command line box. This
brings up a black screen with white letters. Once it is up, we
will play with the nbtstat command. To get help for this
command, just type:
C:\>nbtstat help
One way to use the nbtstat command is to try to get
information from another computer using either its domain name
(for example test.target.com), its numerical Internet address
(for example, happyhacker.org's numerical address is
206.61.52.30), or its NetBIOS name (if you are on the same
LAN).
C:\>nbtstat -a 10.0.0.2

Local Area Connection:
Node IpAddress: [10.0.0.1] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    OLDGUY         <00>  UNIQUE      Registered
    OLDGUY         <20>  UNIQUE      Registered
    WARGAME        <00>  GROUP       Registered
    INet~Services  <1C>  GROUP       Registered
    IS~OLDGUY......<00>  UNIQUE      Registered
    OLDGUY         <03>  UNIQUE      Registered
    WARGAME        <1E>  GROUP       Registered
    ADMINISTRATOR  <03>  UNIQUE      Registered

    MAC Address = 52-54-00-E4-6F-40
What do these things tell us about this computer?
Following is a table explaining the codes you may see with an
nbtstat command (taken from the MH Desk Reference, written by
the Rhino9 team).
Name               Number  Type  Usage
                           (U = unique name, G = group name)
=========================================================
<computername>     00      U     Workstation Service
<computername>     01      U     Messenger Service
<\\_MSBROWSE_>     01      G     Master Browser
<computername>     03      U     Messenger Service
<computername>     06      U     RAS Server Service
<computername>     1F      U     NetDDE Service
<computername>     20      U     File Server Service
<computername>     21      U     RAS Client Service
<computername>     22      U     Exchange Interchange
<computername>     23      U     Exchange Store
<computername>     24      U     Exchange Directory
<computername>     30      U     Modem Sharing Server Service
<computername>     31      U     Modem Sharing Client Service
<computername>     43      U     SMS Client Remote Control
<computername>     44      U     SMS Admin Remote Control Tool
<computername>     45      U     SMS Client Remote Chat
<computername>     46      U     SMS Client Remote Transfer
<computername>     4C      U     DEC Pathworks TCPIP Service
<computername>     52      U     DEC Pathworks TCPIP Service
<computername>     87      U     Exchange MTA
<computername>     6A      U     Exchange IMC
<computername>     BE      U     Network Monitor Agent
<computername>     BF      U     Network Monitor Apps
<username>         03      U     Messenger Service
<domain>           00      G     Domain Name
<domain>           1B      U     Domain Master Browser
<domain>           1C      G     Domain Controllers
<domain>           1D      U     Master Browser
<domain>           1E      G     Browser Service Elections
<INet~Services>    1C      G     Internet Information Server
<IS~Computer_name> 00      U     Internet Information Server
To keep this Guide from being ridiculously long, we'll just
explain a few of the things we learned when we ran nbtstat -a
against 10.0.0.2:

* it uses NetBIOS
* its NetBIOS name is Oldguy
* one of the users is named Administrator
* it runs a web site with Internet Information Server, and
  maybe an ftp (file transfer protocol) server
* it is a member of the domain Wargame
* it is connected on a local area network and we accessed it
  through an Ethernet network interface card (NIC) with a MAC
  Address of 52-54-00-E4-6F-40.
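The reasoning in that list can be automated. The following script is an added example, not part of the original Guide: it parses the text that nbtstat -a prints, looks up each name's suffix in a small subset of the table above, and turns the rows into the same facts (host name, logged-on user, domain, services, MAC). The SAMPLE string is the Oldguy name table re-typed from above; the regular expressions and the SUFFIX_MEANING subset are this example's own assumptions about the output layout.

```python
import re
# Subset of the suffix table above (constructed for this example).
SUFFIX_MEANING = {("00", "UNIQUE"): "Workstation Service", ("03", "UNIQUE"): "Messenger Service",
                  ("20", "UNIQUE"): "File Server Service"}
# One name-table row: name, <suffix>, UNIQUE/GROUP, status. nbtstat shows padding bytes as dots.
ENTRY_RE = re.compile(r"^\s*(\S+?)\.*\s*<([0-9A-F]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-F]{2}(?:-[0-9A-F]{2}){5})")

def parse_nbtstat(text):
    rows, mac = [], None  # rows: one dict per registered name; mac: the last "MAC Address" line
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            name, suffix, typ, status = m.groups()
            rows.append({"name": name, "suffix": suffix, "type": typ, "status": status})
        elif (m := MAC_RE.search(line)):
            mac = m.group(1)
    return rows, mac

def summarize(rows, mac):
    facts = {"computer": set(), "users": set(), "domains": set(), "services": set(), "mac": mac}
    reg = [r for r in rows if r["status"] == "Registered"]
    for r in reg:  # pass 1: the host's own name, from its Workstation <00> / File Server <20> entries
        if r["type"] == "UNIQUE" and r["suffix"] in ("00", "20") and not r["name"].startswith("IS~"):
            facts["computer"].add(r["name"])
    for r in reg:  # pass 2: users, domains and services, now that the host name is known
        key = (r["suffix"], r["type"])
        if r["name"].startswith(("INet~", "IS~")):
            facts["services"].add("Internet Information Server")
        elif key == ("03", "UNIQUE") and r["name"] not in facts["computer"]:
            facts["users"].add(r["name"])  # a <03> name that is not the host is a logged-on user
        elif r["type"] == "GROUP":
            facts["domains"].add(r["name"])  # <00>/<1C>/<1E> group names carry the domain
        elif key in SUFFIX_MEANING:
            facts["services"].add(SUFFIX_MEANING[key])
    return facts

# Constructed sample: the 'nbtstat -a 10.0.0.2' name table shown above, re-typed.
SAMPLE = """\
    OLDGUY         <00>  UNIQUE      Registered
    OLDGUY         <20>  UNIQUE      Registered
    WARGAME        <00>  GROUP       Registered
    INet~Services  <1C>  GROUP       Registered
    IS~OLDGUY......<00>  UNIQUE      Registered
    OLDGUY         <03>  UNIQUE      Registered
    WARGAME        <1E>  GROUP       Registered
    ADMINISTRATOR  <03>  UNIQUE      Registered
    MAC Address = 52-54-00-E4-6F-40
"""
```

Running summarize(*parse_nbtstat(SAMPLE)) yields computer OLDGUY, user ADMINISTRATOR, domain WARGAME, the IIS and File Server services and the MAC, which is exactly the list above; on a real network the same code is a quick way to inventory which hosts still expose NetBIOS name tables.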
When using nbtstat over the Internet, in most cases
it will not find the correct MAC address. However, sometimes
you get lucky. That is part of the thrill of legal hacker
exploration. OK, OK, maybe getting a thrill out of a MAC
address means I'm some kind of a freak. But if you are reading
this, you probably are freaky enough to be a hacker, too.
************** Newbie note: MAC stands for media access control.
In theory every NIC (network interface card) ever made has a
unique MAC address, one that no other NIC has. In practice,
however, some manufacturers make NICs that allow you to change
the MAC address. **************
************** Evil Genius tip: sneak your computer onto a LAN
and use it to find the MAC address of a very interesting
computer. Crash it, then give yours the same MAC, NetBIOS name
and Internet address as the very interesting computer. Then see
what you can do while faking being that computer. That's why I
get a charge out of discovering a MAC address, so stop laughing
at me already. **************
************** You can get fired, expelled, busted and catch
cooties warning: Faking all that stuff is something you would
be better off doing only on your own test network, or with
written permission from the owner of the very interesting
computer. **************
Now that we know some basic things about computer
10.0.0.2, also known as Oldguy, we can do some simple things to
learn more. We can connect to it with a web browser to see
what's on the web site, and with ftp to see if it allows
anonymous users to download or upload files. In the case of
Oldguy, anyone can browse the web site. However, when we try to
connect to its ftp server with Netscape by giving the location
ftp://10.0.0.2, it returns the message "User Mozilla@ cannot
log in."
************** Newbie note: The people who programmed Netscape
have always called it Mozilla, after a famous old movie monster.
As a joke they have stuck obscure mentions of Mozilla into the
operations of Netscape. Mozilla lovers recently spun off a pure
Mozilla browser project that has the web site
http://www.mozilla.org. **************