COMMAND

    nbstat

SYSTEMS AFFECTED

    WinNT 3.5, 3.51, 4.0 (default configuration)

PROBLEM

    Use

        NBTSTAT -A 123.123.123.123   (use the IP address of a known NT box)

    This will return the machine's NetBIOS name.  Then put the machine
    name and IP address in your LMHOSTS file.

    Type

        NBTSTAT -R

    This purges the NetBIOS name cache and reloads it from LMHOSTS.
    Under NT 4.0 this step is not needed at all.

    Next you can type commands like

        NET VIEW \\machine        (lists the machine's shares)
        dir \\machine\share       (lists the contents of a share, if it is accessible)

    and you can even use User Manager for Domains: choose Select Domain
    and enter \\machine.  This will give you a listing of the machine's
    users.  Both of these work under NT 4.0 directly against the IP
    address, e.g. NET VIEW \\123.123.123.123, so the NetBIOS name is not
    needed there.  You may also do:

        NET VIEW \\ftp.foo.com

    After dinking around a little bit you will find out how insecure NT
    is in its default configuration.

    'Nbtstat -a nodename' or 'Nbtstat -A ipaddress' will display much
    information about a remote node. This command will display:

        Active User
        Services running
        NT Domain name
        Nodename
        Ethernet Hardware address

    This gives an attacker doing password guessing two of the three
    pieces of information required to mount shares on a remote system:
    the domain name and a username.  Only the password is left to guess.

    The local and remote systems must be able to communicate over the
    NetBIOS ports: UDP 137 (name service), UDP 138 (datagram service)
    and TCP 139 (session service).  The NBTSTAT -A query itself is a
    single unauthenticated name service request on UDP 137.
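    The following Python program is an added example, not part of the
    original advisory: it builds the NetBIOS node status request that
    NBTSTAT -A sends to UDP 137 (RFC 1001/1002, question type NBSTAT
    for the wildcard name "*"), parses the reply, and reduces the name
    table to the items listed above (machine name, domain, logged-on
    user, server service, MAC address).  The host name NTBOX, workgroup
    WORKGROUP, user ADMINISTRATOR and the MAC address in the sample
    response are constructed for illustration and are not real data.

```python
"""NetBIOS Name Service (RFC 1001/1002) node status query, the exchange behind
'nbtstat -A <ip>'.  Added example, not from the original advisory; the sample
response below is constructed, not captured from a real host."""
import socket
import struct

NBSTAT_TYPE = 0x0021      # question/RR type NBSTAT (node status)
IN_CLASS = 0x0001
NAME_FLAG_GROUP = 0x8000  # G bit of a NODE_NAME entry: group (domain/workgroup) name

# Meaning of the 16th (suffix) byte for the names the advisory cares about
SUFFIX_MEANING = {
    0x00: "workstation service (machine name); domain name if group",
    0x03: "messenger service (logged-on user, or the machine itself)",
    0x1C: "domain controllers (group)",
    0x1E: "browser elections (group)",
    0x20: "file server service",
}


def encode_first_level(name: str, suffix: int = 0x00, pad: bytes = b" ") -> bytes:
    """RFC 1001 first-level encoding: pad to 15 bytes, append the suffix byte, then
    write each byte as two nibbles offset by 'A'.  The node status request asks
    for the wildcard '*' padded with NULs (encodes to 'CK' + 30 x 'A')."""
    raw = name.encode("ascii").ljust(15, pad) + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes([len(encoded)]) + bytes(encoded) + b"\x00"   # label, then empty scope


def build_node_status_request(txid: int = 0x1234) -> bytes:
    """12-byte NBNS header (flags 0, QDCOUNT 1) plus one NBSTAT question for '*'."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_first_level("*", pad=b"\x00") + struct.pack(">HH", NBSTAT_TYPE, IN_CLASS)
    return header + question


def parse_node_status_response(data: bytes) -> dict:
    """Return the name table and adapter MAC (UNIT_ID) from a node status response."""
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack_from(">HHHHHH", data, 0)
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not an NBNS response carrying an answer record")
    off = 12
    while True:                       # skip RR_NAME: labels ended by 0, or a pointer
        length = data[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:
            off += 2
            break
        off += 1 + length
    rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", data, off)
    off += 10
    if rtype != NBSTAT_TYPE:
        raise ValueError("answer is not an NBSTAT record")
    rdata = data[off:off + rdlen]
    names, pos = [], 1
    for _ in range(rdata[0]):         # NUM_NAMES entries: 15-byte name, suffix, 2-byte flags
        raw_name, suffix, nflags = struct.unpack_from(">15sBH", rdata, pos)
        pos += 18
        names.append({"name": raw_name.rstrip(b" \x00").decode("latin-1"), "suffix": suffix,
                      "group": bool(nflags & NAME_FLAG_GROUP),
                      "meaning": SUFFIX_MEANING.get(suffix, "other")})
    mac = ":".join(f"{b:02x}" for b in rdata[pos:pos + 6])   # STATISTICS begins with UNIT_ID
    return {"names": names, "mac": mac}


def summarize(parsed: dict) -> dict:
    """Reduce the name table to what the advisory says NBTSTAT -A gives away."""
    def unique(sfx):
        return [n["name"] for n in parsed["names"] if n["suffix"] == sfx and not n["group"]]

    def group(sfx):
        return [n["name"] for n in parsed["names"] if n["suffix"] == sfx and n["group"]]

    machine = unique(0x00)[0] if unique(0x00) else None
    domain = group(0x00)[0] if group(0x00) else None
    users = [u for u in unique(0x03) if u != machine]   # <03> names other than the host
    return {"machine": machine, "domain": domain, "users": users,
            "file_server": bool(unique(0x20)), "mac": parsed["mac"]}


def query_node_status(ip: str, timeout: float = 2.0) -> dict:
    """Live query against UDP/137, the port the advisory says must be reachable."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_node_status_request(), (ip, 137))
        data, _peer = sock.recvfrom(4096)
    return parse_node_status_response(data)


def build_sample_response(txid: int = 0x1234) -> bytes:
    """Constructed reply for a hypothetical host NTBOX in WORKGROUP with
    ADMINISTRATOR logged on (illustrative data only)."""
    entries = [(b"NTBOX", 0x00, 0x0400),          # unique name, ACT bit set
               (b"WORKGROUP", 0x00, 0x8400),      # group name: the domain/workgroup
               (b"NTBOX", 0x20, 0x0400),          # server service is running
               (b"NTBOX", 0x03, 0x0400),          # messenger name of the machine itself
               (b"ADMINISTRATOR", 0x03, 0x0400)]  # messenger name of the logged-on user
    rdata = bytes([len(entries)])
    for name, suffix, nflags in entries:
        rdata += name.ljust(15, b" ") + struct.pack(">BH", suffix, nflags)
    rdata += bytes.fromhex("005056aabbcc") + b"\x00" * 40   # UNIT_ID (MAC), zeroed statistics
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    rr = encode_first_level("*", pad=b"\x00") + struct.pack(">HHIH", NBSTAT_TYPE, IN_CLASS, 0, len(rdata))
    return header + rr + rdata


if __name__ == "__main__":
    print(summarize(parse_node_status_response(build_sample_response())))
```

    Running the file offline prints the summary for the constructed
    sample; query_node_status("123.123.123.123") performs the real
    exchange against a host that answers on UDP 137.  Note that the
    request carries no credentials, which is why the SOLUTION below
    relies on filtering the port rather than on account settings.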

SOLUTION

    The share and user listing described above requires administrator
    access to the target machine in the first place, and even listing
    shares needs some level of access: if the Guest account is disabled
    (the default under NT 4.0), shares cannot be listed without at least
    a user-level account.  The name table returned by NBTSTAT -A,
    however, needs no account at all.  The best way to defend against
    this type of discovery is therefore to block UDP ports 137 and 138,
    as well as TCP port 139, at the routers that serve your Internet
    connections.  This way the ports necessary for these commands to
    work are closed to external traffic, yet still function inside your
    network.