Security Incidents mailing list archives

Re: NetBIOS info


From: dsr () MAIL LNS CORNELL EDU (Daniel S. Riley)
Date: Tue, 28 Mar 2000 10:33:34 -0500


Robert Graham <bugtraq () NETWORKICE COM> writes:
Don't get mad; get even. I've written a little utility that simply
reflects NetBIOS queries back at the sender, and saves their
responses to a file.
[...]
The cool part is that it seems to penetrate NATs, stateful
firewalls, and legal barriers.

We've seen a couple of interesting scans from uu.net.nl recently: an
anonymous ftp connection followed immediately by a NetBIOS nameserver
wildcard lookup.  The idea seems to be to provoke Windows systems into
sending a NetBIOS ns query to the attacker's system (Hummingbird ftpd
does this on every connection, Microsoft's ftpd doesn't seem to), and
then use the temporary ACL this opens in a stateful firewall to inject
the attacker's NetBIOS queries--a nice example of the kind of mischief
that stateful firewalls can allow if not carefully deployed.

We now block any outgoing traffic with source ports 137-139.  Of
course, if we were really serious about security, any servers
reachable from the Internet would be hardened systems out in the DMZ.
As a traditionally wide-open academic site trying to adiabatically
improve our security, we haven't reached that point yet.

other random thoughts:
 - separate client and server ports--Windows using port 137 for both
   client and server is poor design
 - the less udp allowed through the firewall, the better
 - all the usual advice about Internet accessible servers on hardened
   systems in the DMZ applies, perhaps even more so, with stateful
   firewalls--attackers should not be able to provoke any kind of
   response from systems inside the protected net

--
Dan Riley                                         dsr () mail lns cornell edu
Wilson Lab, Cornell University      <URL:http://www.lns.cornell.edu/~dsr/>
    "History teaches us that days like this are best spent in bed"
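An added detection example, not code from the original post: it correlates an anonymous FTP login with a wildcard NetBIOS name-service query arriving shortly afterwards from the same address, the provoked-reflection pattern Dan describes. The log line formats, the `ftpd:`/`nbns:` prefixes and the 5-second window are assumptions; the sample lines are constructed.

```python
import re
from datetime import datetime

# Constructed sample logs (assumed formats, not from the original post):
# an FTP server log and an IDS log of inbound UDP/137 name queries.
FTP_LOG = [
    "2000-03-28 10:01:02 ftpd: ANONYMOUS login from 192.0.2.10",
    "2000-03-28 10:05:00 ftpd: ANONYMOUS login from 198.51.100.7",
]
NBNS_LOG = [
    "2000-03-28 10:01:03 nbns: query from 192.0.2.10 name=" + "CK" + "A" * 30,
    "2000-03-28 10:40:00 nbns: query from 198.51.100.7 name=FHEPFCELEHFCEPFFFACACACACACACAAA",
]
TS = "%Y-%m-%d %H:%M:%S"
FTP_RE = re.compile(r"^(\S+ \S+) ftpd: ANONYMOUS login from (\S+)$")
NBNS_RE = re.compile(r"^(\S+ \S+) nbns: query from (\S+) name=([A-P]{32})$")

def decode_nb_name(encoded: str) -> bytes:
    """Undo NetBIOS first-level encoding: each byte is sent as two
    letters A-P, one per nibble (RFC 1001 section 14.1)."""
    nibbles = [ord(c) - ord("A") for c in encoded]
    return bytes(hi << 4 | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))

def is_wildcard_query(encoded: str) -> bool:
    """The NBSTAT wildcard name is '*' padded with 15 NUL bytes."""
    return decode_nb_name(encoded) == b"*" + b"\x00" * 15

def correlate(ftp_lines, nbns_lines, window_s=5):
    """Return (ip, seconds) for hosts whose anonymous FTP login was
    followed within window_s seconds by a wildcard NetBIOS name query
    from the same address."""
    logins = {}
    for line in ftp_lines:
        m = FTP_RE.match(line)
        if m:
            logins.setdefault(m.group(2), []).append(datetime.strptime(m.group(1), TS))
    hits = []
    for line in nbns_lines:
        m = NBNS_RE.match(line)
        if not m or not is_wildcard_query(m.group(3)):
            continue
        t = datetime.strptime(m.group(1), TS)
        for t0 in logins.get(m.group(2), []):
            delta = (t - t0).total_seconds()
            if 0 <= delta <= window_s:
                hits.append((m.group(2), delta))
    return hits
```

`correlate(FTP_LOG, NBNS_LOG)` flags only 192.0.2.10; the second query is an ordinary name lookup (WORKGROUP) 35 minutes after its login.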


