07 January 2002 - 10:12
There are 17 comments and 1 solution
NetBIOS session attack
I have TDC broadband with the ZoneAlarm software firewall. It now reports that another host on the ADSL line is attempting a NetBIOS session. But how does he do that in practice? (that is, open a session against me). I thought NetBIOS was only used on LANs.
If the alarm you receive is an 'attack' against port 137 UDP, it is most likely one of the countless badly configured MS servers on the internet. When you open a session to such a machine, it immediately thinks you are part of its network and tries to contact you via NetBIOS. If that is rejected, just ignore it. If you don't want to ignore it, then prepare for a long battle with clueless people who have no idea that their server is sending this data out and who claim nothing is wrong because they have the latest antivirus program installed.
It can be turned off by disabling NetBIOS over TCP/IP on the server.
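As an added example (not code from the thread), this Python script decodes the question section of the UDP/137 NetBIOS name-service packet that a firewall reports as a "NetBIOS session" attempt, so a defender can tell a wildcard node-status probe (a scanner asking for the machine's whole name table) from an ordinary name query; the sample packet is constructed, and the QTYPE names follow RFC 1002.

```python
import struct

# Added example, not from the thread: decode the question of a NetBIOS
# Name Service (NBNS, UDP/137) query as seen in a firewall alert or capture.
QTYPE_NAMES = {0x20: "NB", 0x21: "NBSTAT"}  # RFC 1002 question types

def decode_nb_name(encoded: bytes) -> tuple:
    """Undo first-level encoding: 32 chars, one nibble + 'A' per half byte."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        h, l = hi - 0x41, lo - 0x41
        if not (0 <= h <= 15 and 0 <= l <= 15):
            raise ValueError("invalid NetBIOS name encoding")
        raw.append((h << 4) | l)
    # Bytes 0-14 are the space-padded name, byte 15 is the service suffix.
    return raw[:15].decode("ascii", "replace").rstrip(" \x00"), raw[15]

def parse_nbns_query(pkt: bytes) -> dict:
    """Parse the 12-byte header and the first question of an NBNS packet."""
    if len(pkt) < 50:  # header + length byte + 32-byte name + root + type/class
        raise ValueError("packet too short for an NBNS question")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if flags & 0x8000:
        raise ValueError("response, not a query")
    if qdcount < 1 or pkt[12] != 32 or pkt[45] != 0:
        raise ValueError("malformed question section")
    name, suffix = decode_nb_name(pkt[13:45])
    qtype, _qclass = struct.unpack(">HH", pkt[46:50])
    return {
        "txid": txid,
        "qtype": QTYPE_NAMES.get(qtype, hex(qtype)),
        "name": name,
        "suffix": suffix,
        # A node-status request for the wildcard name "*" asks the target to
        # list its whole name table; that is what a NetBIOS scanner sends.
        "node_status_probe": qtype == 0x21 and name == "*",
    }

# Constructed sample: wildcard node-status request with txid 0x1234.
# "*" (0x2A) encodes as "CK"; the 15 trailing NUL bytes encode as 30 x "A".
SAMPLE_PROBE = (
    bytes.fromhex("123400000001000000000000")  # txid, flags, qd=1, an, ns, ar
    + b"\x20" + b"CK" + b"A" * 30 + b"\x00"     # label length, name, root label
    + b"\x00\x21\x00\x01"                        # QTYPE NBSTAT, QCLASS IN
)

if __name__ == "__main__":
    print(parse_nbns_query(SAMPLE_PROBE))
```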
Ports are open by default, yes. ADSL routers have built-in filters though to block these ports.
Another way of blocking it is by firewalling (even a simple one like ZoneAlarm) or TCP filtering on the net card (mostly used by web servers).
The credentials will be asked for the local PC or domain. It is still a good idea to block these ports since most hacking is done by password guessing techniques.
Make sure that your guest account is disabled if you are using Win2k or XP.
-> dr.m Does this really mean that a host not protected by a CPE router/firewall is wide open for remote browsing (and thus hacking) via the ADSL line using NetBIOS? I didn't think it was that easy to hack!
Anyway, what I imagined was that since TDC Bredbånd is bridged Ethernet, then some other host in the same access domain (that is, towards the same DSLAM) would be able to use some LAN protocol like NetBIOS/NetBEUI to attack me. But that's not the case, or?
->victor44 I have disabled NetBIOS. And I am not running as a server.
Yes. Guessing a password however is not always easy. If the password is easy then using a dictionary to guess many passwords per second (programs do that) will bring results fast; brute force will take much longer depending on the password complexity and CPU power. If you want to think like a hacker, then you will be smarter. I once saw a company that mapped drives on a remote network through NetBIOS over a 45 Mb internet connection, all password protected, all happy. It took me 10 minutes to crack it and I didn't use password guessing... I just realized that since they map drives, all I needed and hoped for was that the actual mapping .bat file was not ACLed properly. I was right. The user name and password were there in clear text. Fortunately I was consulting for them so we got it under control.
The point is, YES! If you are not protected by router access-lists, port filtering, a firewall or anything to block these ports (and other important ones), then you are at potential risk.
I am not sure how ISPs act to protect end users, but I never rely on it. That is also why it is important to use NTFS on your OS and follow many other DOs and DON'Ts on the Microsoft platform and networking generally.
On NT systems (meaning NT 4.0, Win2k and XP) you have a feature called auditing where you can monitor many things such as failed or successful privilege use.
Firewalls often have that as well and you can then use free tools like "syslog" to read the log file and alert you. I do not consider ZoneAlarm and BlackICE proper firewalls, but they are OK for personal PCs.
If you are in doubt whether your ISP has some sort of filtering process along the long routing way, give them a call and ask to talk with anybody other than a salesman :-)
->dr.m Great answer. The true expertise shines through! Maybe you can clear up a related question. I have reported to the "abuse guy" (abuse@isp....) some heavy scans on my ADSL line. But is it really illegal to scan ports, or when is the line crossed towards a real crime?
->victor44 OK, I misunderstood. What I can see is that I am being attacked by a host in the same subnet as myself. So it is probably not a server that I have contacted.
But doesn't that require them to specifically use my IP address to start a NetBIOS session? Does MS just run through the whole subnet and try all addresses?
I am not 100% sure about Danish law, but I am almost sure that it is illegal to port scan. One can innocently say "but why? If you try to open a door and it is closed, is that a burglary attempt?" but then again with scanning it is more like trying different keys, so yes. In many countries it is considered a hacking attempt and it is punishable.
About IPs... when you get on the Internet, you receive a "real" IP; on ADSL it is most often static and on modems it is most often dynamic. Hackers can try to use that IP. If you are in a network, then you often have a single IP on the router or firewall and all PCs use NAT to go on the Internet. That is a good technology for 3 main reasons.
1. Cost effective. A company does not need to buy so many IP addresses.
2. Decreases the size of the net. The Internet was not designed to have so many hosts. It has simply flourished beyond what they expected it to be. With NAT you don't use that many IPs (the next generation of IP addressing is already developed so we can have unlimited IPs... almost).
3. Security. Which is relevant here. A hacker will need to have a lot more knowledge in order to pass NAT. He will need to hack the device (gateway, router, firewall) first, then know your internal IP and hack your machine...
Anyway, you don't need to be on the same subnet mask to connect with NetBIOS to another network! That's why we have routers. Not all protocols can be routed but that is a whole different story...
OK doc, so I tried to fight back against this NetBIOS attack fella. But when I run \\<his-IP> I just get "The network name cannot be found". Well, in fact when I enter my own IP address there I get the same response (but that may be for some other reason?). Furthermore, I don't get anything besides "Unable to browse the network" when clicking the Network Neighborhood icon.
Is he using a special protocol for his attack? (My OS is W98.)
Sounds like you have more than just TCP/IP installed, but I could be wrong.
He is only using TCP/IP. The OS doesn't matter here except for the higher risk due to the Win9x architecture, which is not designed for security! Could I get his IP? I could probably tell you something from it.
...Another possibility is that your firewall software reports falsely; never say never.
It is a good idea to remove unused protocols. All you need for the Internet is TCP/IP. Other protocols are sometimes used for games, although you can use TCP/IP for games as well.
Usually simple basic firewalling allows all outgoing traffic but restricts incoming traffic based on different rules like port number. (Different rules according to firewall capability and how high it is on the OSI model, but again, a different story.) This might explain why he can try to connect to you but you cannot connect to him using this port.
Sorry, all I could find in my quick search was the abuse email address, which I am sure you already have.
It is not just for some reason that you can't do it. It might be that the other side is blocking that port; it might be that you have more than TCP/IP installed and your binding order is not using TCP/IP first.
If you are trying a remote IP, then it might be that your ISP is not allowing that method. Your attacker then must have a different ISP. There are many possibilities, as you can see.
Try running \\127.0.0.1, that is your loopback address.
The good news is that since you are alerted of that activity, you are most likely protected.
The reason I like NT technology so much is for security reasons. You can have different kinds of permissions defined on the folder or file level.
If a hacker gains access through poor networking, he will still need the right credentials to access important files.
->dr.m Tried a dedicated scanning tool for NetBIOS, and it worked. I'm quite surprised how easy it is to access files on other hosts. I wonder why the ISPs don't inform better about such threats... The points are yours.