Security Incidents mailing list archives
Re: NetBIOS info
From: dsr () MAIL LNS CORNELL EDU (Daniel S. Riley)
Date: Tue, 28 Mar 2000 10:33:34 -0500
Robert Graham <bugtraq () NETWORKICE COM> writes:
Don't get mad; get even. I've written a little utility that simply reflects NetBIOS queries back at the sender, and saves their responses to a file.
[...]
The cool part is that it seems to penetrate NATs, stateful firewalls, and legal barriers.
We've seen a couple of interesting scans from uu.net.nl recently: an anonymous ftp connection followed immediately by a NetBIOS nameserver wildcard lookup. The idea seems to be to provoke Windows systems into sending a NetBIOS ns query to the attacker's system (Hummingbird ftpd does this on every connection, Microsoft's ftpd doesn't seem to), and then use the temporary ACL this opens in a stateful firewall to inject the attacker's NetBIOS queries--a nice example of the kind of mischief that stateful firewalls can allow if not carefully deployed.

We now block any outgoing traffic with source ports 137-139. Of course, if we were really serious about security, any servers reachable from the Internet would be hardened systems out in the DMZ. As a traditionally wide-open academic site trying to adiabatically improve our security, we haven't reached that point yet.

other random thoughts:

- separate client and server ports--Windows using port 137 for both client and server is poor design
- the less udp allowed through the firewall, the better
- all the usual advice about Internet accessible servers on hardened systems in the DMZ applies, perhaps even more so, with stateful firewalls--attackers should not be able to provoke any kind of response from systems inside the protected net

--
Dan Riley dsr () mail lns cornell edu
Wilson Lab, Cornell University <URL:http://www.lns.cornell.edu/~dsr/>
"History teaches us that days like this are best spent in bed"
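The sequence Dan describes (inbound ftp connection, provoked outbound NetBIOS ns query from the server, then inbound NetBIOS traffic from the same remote host riding the state entry that query opened) is easy to spot once connection records are correlated by remote address and time. The script below is an added example, not part of the original post or any Cornell tooling: it parses a constructed, simplified connection log (the format, the addresses and the 30-second correlation window are all assumptions made for the illustration), reports which remote hosts provoked a NetBIOS query and which of those then got traffic back in, and implements the egress rule from the post (drop outgoing traffic with source ports 137-139) as a predicate so it can be checked against the same records.

```python
"""Correlate an inbound ftp connection with a NetBIOS name-service exchange
that the same remote host triggered, and apply the egress rule from the post.

Example code written for this archive page; the log layout is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

NETBIOS_PORTS = range(137, 140)   # 137, 138, 139


@dataclass
class Flow:
    ts: datetime
    direction: str   # "in" or "out", relative to the protected network
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


# Constructed sample records (not real firewall output), one flow per line:
#   <iso-time> <in|out> <tcp|udp> <src>:<sport> -> <dst>:<dport>
# 192.0.2.10 is the protected ftp server; the other hosts are remote.
SAMPLE_LOG = """\
2000-03-28T10:00:01 in  tcp 203.0.113.5:40001 -> 192.0.2.10:21
2000-03-28T10:00:01 out udp 192.0.2.10:137 -> 203.0.113.5:137
2000-03-28T10:00:02 in  udp 203.0.113.5:137 -> 192.0.2.10:137
2000-03-28T10:05:00 in  tcp 198.51.100.7:51515 -> 192.0.2.10:21
2000-03-28T10:05:00 out udp 192.0.2.10:137 -> 198.51.100.7:137
2000-03-28T10:15:00 in  tcp 203.0.113.9:40500 -> 192.0.2.10:80
"""


def parse_log(text: str) -> list[Flow]:
    """Turn the constructed log layout above into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, direction, proto, src, _arrow, dst = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append(Flow(datetime.fromisoformat(ts), direction, proto,
                          sip, int(sport), dip, int(dport)))
    return flows


def find_reflected_netbios(flows: list[Flow],
                           window: timedelta = timedelta(seconds=30)) -> list[dict]:
    """For each inbound ftp connection, look (within `window`) for an outbound
    NetBIOS ns query from the server to that remote host ("provoked") and, after
    it, inbound NetBIOS traffic from the remote host ("injected")."""
    flows = sorted(flows, key=lambda f: f.ts)   # stable, keeps log order for ties
    findings = []
    for i, f in enumerate(flows):
        if not (f.direction == "in" and f.proto == "tcp" and f.dport == 21):
            continue
        remote, server = f.src, f.dst
        provoked = injected = False
        for g in flows[i + 1:]:
            if g.ts - f.ts > window:
                break
            if g.proto != "udp":
                continue
            if (g.direction == "out" and g.src == server and g.dst == remote
                    and g.sport in NETBIOS_PORTS):
                provoked = True
            elif (provoked and g.direction == "in" and g.src == remote
                    and g.dst == server and g.dport in NETBIOS_PORTS):
                injected = True
        if provoked:
            findings.append({"remote": remote, "server": server,
                             "ftp_at": f.ts, "injected": injected})
    return findings


def egress_blocked(flow: Flow) -> bool:
    """The mitigation from the post: drop any outgoing traffic whose source
    port is 137-139, so a provoked ns query never leaves and never opens state."""
    return flow.direction == "out" and flow.sport in NETBIOS_PORTS


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for hit in find_reflected_netbios(records):
        stage = "query injected back in" if hit["injected"] else "query provoked only"
        print(f"{hit['ftp_at'].isoformat()} {hit['remote']} -> {hit['server']}: {stage}")
    dropped = [r for r in records if egress_blocked(r)]
    print(f"{len(dropped)} outbound flow(s) would be dropped by the 137-139 egress rule")
```

With the sample records, the first remote host is reported as having both provoked the query and sent NetBIOS traffic back in, the second only provoked it, and the two outbound port-137 flows are exactly the ones the egress rule drops; with that rule in place the stateful firewall never sees the outbound query and so never opens the return path.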