Security Basics mailing list archives
Re: NetBIOS Messenger spam - how did it get in?
From: stef <stefmit () starband net>
Date: Wed, 30 Oct 2002 12:48:31 -0600
It is not as simple as it was presented here - in theory it could be done through source routing (and this assuming that all devices on the way "cooperate" in letting you do that) - you first do a traceroute from the station you want to reach it from, to the external interface of the NAT-in device, then record all hops, then create packets source-routed with all the hops included, and the last one the 192.x.y.z internal address ... but due to many routers not allowing source-routing, this will probably fail :( Stef On Tuesday 29 October 2002 03:13 pm, Daniel Miessler wrote:
Hmm. I am wondering where the attacker is going to put this route that you mention so that it routes right past your NAT.It can not be stressed enough that NAT alone is _no protection at all_, there must be some filtering or you are running wide open looking for trouble. By adding a route to the network you can directly reach the machines from outside the NAT box, something like[1] # route add -net 192.168/16 gw 123.123.123.123 would do. Then just ping around to find what hosts are alive... It is raining on the Internet. Don't leave your house with the windows open... [1] Assuming the corporate LAN uses 192.168.0.0--192.168.255.255 as their internal addresses and the gateways external IP is 123.123.123.123. ---- In other words, NAT gains you pretty much nothing for security. The existance of your network behind a NATting device might not beimmediatelyobvious to someone scanning from the outside, but anyone watchingtrafficfrom your NAT device will be able to figure out pretty easily thatthere isa network behind that one IP address, and if they care to probe to seewhatis there, the NAT does not do much to protect the network. Randy Graham -----Original Message----- From: Schuler, Jeff [mailto:Jeff.Schuler () hit cendant com] Sent: Wednesday, September 25, 2002 1:17 PM To: security-basics () securityfocus com Subject: Network Address Translation insecurities I am looking for information regarding the insecurities andvulnerabilitiesthat exist in Network Address Translation. One of our admins feelsthatbecause everything is NAT'd that there is no way anyone can break intothesystems that are NAT'd. I know that this is not a completely accurate statement but need to find some research and documentation regardingthis.All our systems are behind at least one firewall so please don'tadvise meto install a firewall as extra security as they are already there. Ijustwant to make sure that we are not overlooking serious vulnerabilitiesjustbecause the box is behind a NAT. In order to justify doingvulnerabilitytesting on some of our internal systems I need to demonstrate the insecurities in NAT. Thanks in advance Jeff Schuler -----Original Message----- From: Damon McMahon [mailto:inst_karma () hotmail com] Sent: Thursday, October 24, 2002 11:36 PM To: security-basics () securityfocus com Subject: NetBIOS Messenger spam - how did it get in? Greetings, The gateway host of my small workgroup has just become a 'victim' of the recent spate of SPAM using the NetBIOS MessengerService.However, I'm seeking advice on how it managed to get through what Ithoughtwas a reasonably secure gateway. The gateway is a Windows 2000 hostwhichconnects to the internet via an external IP dynamically assigned by myISP,and to an internal network via a 192.168.0.0/24 IP assigned by theWindowsInternet Connection Sharing service. I have ZoneAlarm Pro installedon thegateway, which allows NetBIOS traffic over the 192.168.0.0/24 subnetbutrejects NetBIOS traffic from any other IP. This rule is explicitlydefinedin the ZA Pro configuration, and appears to be working as the ZA Prologsare full of rejected packets from internet IPs attempting to accessNetBIOSports on the host. From what I understand, such a firewallconfigurationshould discard any traffic to ports 135, 137-139 from any hosts not ontheinternal network. Clearly there has been a breach. The only possible explanation I can conceive is that the source of the NetBIOS messagespoofedit's IP address to be in the 192.168.0.0/24 range: 1. Is thispossible? Iwould have thought any packet with such a spoofed IP address would bedeemednon-routable by any of the routers between the source host and mine,andhence would never make it to my host? 2. If this is possible, isthere anyinexpensive [preferably free!] method of configuring Windows 2000(with orwithout ZA Pro) to filter packets on the basis of interface as well asIPaddress? For example, BSD variants come with an inbuilt firewallcalled ipfwwhich enables you to construct a rule denying all packets with anaddress192.168.0.0/24 from passing via the external interface, while allowingsuchpackets to pass via the internal interface. 3. Are there any other explanations for this intrusion? Any advice will be most appreciated. Please email me on inst_karma A T hotmail D O T com if you requiremoredetailed information.
Current thread:
- NetBIOS Messenger spam - how did it get in? Damon McMahon (Oct 28)
- RE: NetBIOS Messenger spam - how did it get in? Jason Coombs (Oct 29)
- RE: NetBIOS Messenger spam - how did it get in? Daniel Miessler (Oct 30)
- Re: NetBIOS Messenger spam - how did it get in? stef (Oct 31)
- RE: NetBIOS Messenger spam - how did it get in? Daniel Miessler (Oct 30)
- RE: NetBIOS Messenger spam - how did it get in? Jef Feltman (Oct 30)
- <Possible follow-ups>
- Re: NetBIOS Messenger spam - how did it get in? Chris Berry (Oct 29)
- Re: NetBIOS Messenger spam - how did it get in? Shayla Anthony (Oct 29)
- RE: NetBIOS Messenger spam - how did it get in? Damon McMahon (Oct 31)
- RE: NetBIOS Messenger spam - how did it get in? Jason Coombs (Oct 29)