Exercise 4: Legion
NetBIOS shares, or shared folders, are an inherent part of the Windows operating system. People constantly share folders and files on their devices to allow others easy access to information. This feature of Windows is extremely helpful in a business environment. The problem is that most of those who share folders don't take the time to unshare them when people are done accessing the data. The introduction of high-speed, always-on Internet connections like DSL or cable modems for home users has only compounded this problem. Determining the ranges for the nation's cable modems and DSL lines is a trivial task. Since attackers now know where home users are located, there is a greater chance that they can come across your shares from anywhere in the world. To make things even worse, most people do not bother to password-protect shares, and when they do, the passwords are typically easy to guess.
Many businesses are encouraging employees to work at home. With this new philosophy comes the move from desktop computers to laptops. Now, users are sharing folders and entire drives; then they take their systems home and put that information on the Internet with little or no protection. Attackers can now scan large ranges of Internet addresses looking for those laptops at that information.
There are many share scanners available on the Internet. SMBScanner and ShareSniffer are two of them. This exercise focuses on Rhino9's Legion. Legion is a shareware product that requires registration and a fee if it's used longer than its trial period.
The objective of this exercise is to demonstrate how an attacker can use a program (a free program) to automatically map to your shares from anywhere in the world.
Legion v2.1, available from http://www.nmrc.org/files/snt
Windows-based OS version 98 or a later version
The following are the steps that you are going to perform for this exercise:
Download and install Legion.
Verify that you have an IP address bound to your NIC.
Use Ping to determine if a host is active. Use your host as the target for all scans. Use your actual IP address, not your local host or 127.0.0.1.
Create shares on your system.
Use Legion to automatically find and map to the created shares.
Challenge Procedure Step-by-Step
The following are the detailed steps you are going to perform to install and run Legion:
Download Legion from http://www.nmrc.org/files/snt.
Unzip the Legion file into c:\legion.
Next, install Legion. To do this, double-click the setup.exe icon. When the install program starts, click the icon to install the program.
Verify that your TCP/IP stack is properly functioning. Do this by pinging your local loopback adapter:
Start the scanner by selecting Start, Programs, Legion.The Legion screen appears.
Enter the network adapters' IP address in the Enter Start IP field. Then, insert the network adapters' IP address plus 1 in the Enter End IP field.
After the addresses are entered, click the Scan button.
Click the Map Drive button. Legion automaps a drive for you. To continue, click the OK button.
If the share that was discovered requires a password, you are prompted to enter it. While this program does not have a brute-force password-cracker, there are many on the market that can be used. Some examples are LC3, John the Ripper, and Crack. After the automapping is completed, click OK.
You have a couple of options for the next step. Depending on the type of network you are scanning and the network speeds around you, you can throttle the scan. You can also enter a contiguous range or create your own hosts file. If there are specific devices that you want to scan, it saves a considerable amount of time to scan only those specific devices, instead of the entire range on which they exist.
A single IP address is not considered a range, thus, it will produce an error if you enter it for both the Enter Start IP and Enter End IP fields.
Depending on the number of addresses you are scanning, the scan could take a considerable amount of time.
If the scan does not find any NetBIOS shares, the following screen appears.
A successful scan will list the IP addresses of the devices that have discovered NetBIOS shares.
You can save the scan results into a text file for later review by clicking the Save Text button.
The easy way to prevent people from connecting to your NetBIOS shares is to remove them when they are not needed. If this is not feasible for your situation, make sure that you password-protect them with an appropriately complex password.
Legion is a perfect example of how a person can scan the Internet to find your shares and the information in them.
It is imperative that you know as much about your system as an attacker would know. Periodically run scans so that you can see if there are vulnerabilities on your system.