Vulnerability Development mailing list archives

RE: Possible probe of port 137 using udp 50?????


From: "Skinner, Kit" <KSkinner () sandstream com>
Date: Mon, 13 Aug 2001 12:12:20 -0500

Port 137 with protocol UDP 50 is used for NetBIOS communication.  It's often
used by Windows machines to identify themselves and their services.  It's
also used in the NT authentication process.

If you have NAT enabled, perhaps the local system was initiating a NetBIOS
session with the remote.  This would happen if someone were using the local
system as a client to browse or authenticate against the remote.

Another possibility, but I'm not familiar with the exact order of the steps,
would be someone logging into a Web site and the Web site offering NTLM
authentication.  I don't know if this is sound, so I would appreciate it if
someone else would confirm or deny, but if someone connected to a Web page
or site that required authentication using NTLM it *MIGHT* send back the
request via 137-NetBIOS to establish the authentication.  This seems like
the wrong way to do it though.  I would assume the server would send back a
message via port 80 telling the client it needs to authenticate via NTLM and
the client would then attempt to initiate a session.

In any event, it's not a good idea to have NetBIOS available outside your LAN,
and it shouldn't be necessary unless your applications specifically use it
(which almost no web programs do).

Hope this helps,
-Kit

-----Original Message-----
From: Carder James O CNIN CONT
[mailto:CarderJO () cninexchsrv08 crane navy mil]
Sent: Monday, August 13, 2001 8:10 AM
To: 'bugtraq () securityfocus com'; 'SECURITY-BASICS () securityfocus com';
'vuln-dev () securityfocus com'
Subject: Possible probe of port 137 using udp 50?????


Hi Everybody,

        Just got a quick question.  I was reviewing logs on my shadow box
and noticed that for a period of a couple of hours we had a packet conversation
between two hosts (one local and one remote) through port 137 using UDP
50.  My PIX ACLs don't have any ruleset to allow this network in at all,
except through, say, port 80 to our web servers.  Is this a known attack or
probe?  Thanks.

James Carder


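The thread never says what the port 137 datagrams actually carried. The example below, added by the editor and not code from either poster, decodes NetBIOS Name Service (UDP/137) datagrams per RFC 1001/1002 and tells a name query (the "browse or authenticate against the remote" case Kit describes) apart from a node-status request (the nbtstat -A style enumeration a probe would use), then flags whether the datagram crossed the LAN boundary. The packet bytes, the 192.0.2.0/24 "local" range and the 198.51.100.7 "remote" address are constructed for the example; nothing here is taken from the original logs.

```python
"""Decode NBNS (NetBIOS Name Service, UDP/137) datagrams and classify them.

Editor-added example for the vuln-dev thread above; not code from either
poster.  The packets, the LAN range and the hosts are all constructed here.
"""
import ipaddress
import struct
from typing import Dict, Tuple

# Question types from RFC 1002 section 4.2.12
QTYPE_NB = 0x0020      # NetBIOS name query ("who holds name X?")
QTYPE_NBSTAT = 0x0021  # node status request ("list all names on this host")

# Assumed local address range for the example (RFC 5737 documentation prefix).
LAN = ipaddress.ip_network("192.0.2.0/24")


def encode_netbios_name(name: str, suffix: int, pad: str = " ") -> bytes:
    """RFC 1001 first-level encoding: 15-char name + 1 suffix byte, each nibble
    stored as 'A' + nibble, giving a 32-letter label.  Used to build samples."""
    raw = name.upper().ljust(15, pad).encode("ascii") + bytes([suffix])
    return bytes(b for c in raw for b in (ord("A") + (c >> 4), ord("A") + (c & 0xF)))


def decode_netbios_name(encoded: bytes) -> Tuple[str, int]:
    """Reverse the first-level encoding; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("first-level encoded NetBIOS name must be 32 characters")
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = encoded[i] - ord("A"), encoded[i + 1] - ord("A")
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("invalid half-ASCII encoding")
        raw.append((hi << 4) | lo)
    # Node-status requests use "*" padded with NULs, ordinary names use spaces.
    return raw[:15].decode("ascii").rstrip(" \x00"), raw[15]


def build_query(txid: int, name: str, suffix: int, qtype: int, broadcast: bool) -> bytes:
    """Build an NBNS query: 12-byte header + one question (constructed sample)."""
    flags = 0x0100 | (0x0010 if broadcast else 0)  # opcode 0 (QUERY), RD, optional B
    pad = "\x00" if name == "*" else " "
    question = (b"\x20" + encode_netbios_name(name, suffix, pad) + b"\x00"
                + struct.pack("!HH", qtype, 1))  # class IN
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question


def parse_nbns(datagram: bytes) -> Dict[str, object]:
    """Parse the NBNS header and, if present, the first question section."""
    if len(datagram) < 12:
        raise ValueError("truncated NBNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", datagram[:12])
    info: Dict[str, object] = {
        "txid": txid,
        "is_response": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "broadcast": bool(flags & 0x0010),
    }
    if qdcount:
        off = 12
        # label length (0x20), 32 encoded chars, root label 0x00, qtype, qclass
        if len(datagram) < off + 1 + 32 + 1 + 4 or datagram[off] != 0x20:
            raise ValueError("malformed NetBIOS question")
        name, suffix = decode_netbios_name(datagram[off + 1 : off + 33])
        off += 34
        qtype, qclass = struct.unpack("!HH", datagram[off : off + 4])
        info.update(name=name, suffix=suffix, qtype=qtype, qclass=qclass)
    return info


def assess(src: str, dst: str, datagram: bytes) -> Dict[str, object]:
    """Classify one UDP/137 datagram as an analyst reviewing the logs would."""
    pkt = parse_nbns(datagram)
    src_in = ipaddress.ip_address(src) in LAN
    dst_in = ipaddress.ip_address(dst) in LAN
    if pkt["is_response"]:
        kind = "response"
    elif pkt.get("qtype") == QTYPE_NBSTAT:
        kind = "node-status request (nbtstat -A style enumeration)"
    elif pkt.get("qtype") == QTYPE_NB:
        kind = "name query for %s<%02x>" % (pkt["name"], pkt["suffix"])
    else:
        kind = "other"
    return {
        "kind": kind,
        "crosses_lan": src_in != dst_in,   # NetBIOS should never leave the LAN
        "outbound": src_in and not dst_in,  # local client talking to a remote
    }


if __name__ == "__main__":
    # Constructed samples: an outbound name query and an inbound node-status probe.
    q = build_query(0x1234, "FILESERVER", 0x20, QTYPE_NB, broadcast=False)
    print(assess("192.0.2.10", "198.51.100.7", q))
    ns = build_query(0x0001, "*", 0x00, QTYPE_NBSTAT, broadcast=False)
    print(assess("198.51.100.7", "192.0.2.10", ns))
```

The suffix byte printed with the name (`<20>` for the file server service, `<00>` for the workstation service) is the same one nbtstat shows, so the output can be compared directly against what the local host would have been asking for. A unicast node-status request arriving from outside is the pattern a scanner produces; an outbound name query is the pattern Kit's "local client browsing the remote" explanation predicts.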