Penetration Testing mailing list archives

Re: [PEN-TEST] Closing Port 139


From: "Deus, Attonbitus" <Thor () HammerofGod Com>
Date: Fri, 13 Oct 2000 09:47:42 -0700

The main reason that this perception persists is due to an incomplete
understanding of the NetBIOS components, which leads to subsequent
misconfiguration of filtering parameters.

The NetBIOS suite uses both TCP and UDP, depending on the services being
requested.  For instance, blocking TCP 139 will prevent stateful NetBIOS
sessions from being established, but it will not prevent a user from
receiving a Net Send message as this service travels over UDP 138 (as do
all NetBIOS datagram services).  Nor will it prevent a successful NetBIOS
name resolution/registration/release as the NetBIOS name service uses UDP
137.

Therefore, when an admin blocks TCP 139, yet continues to see various
successful NetBIOS functions persist, the perception is that the filtering
mechanism's operation is inconsistent, when in fact it is doing its job as
requested.

UDP 137 is the NetBIOS name service, UDP 138 is the datagram service, and
TCP 139 is the session service.

Conversely, when the admin chooses to block the protocol itself, rather than
specific UDP/TCP ports, the same will happen.  UDP is Protocol 17, TCP is
protocol 6. If you select only Protocol 6 in your IP Protocol filter, then
all UDP will function normally.  I have also seen people (Ok.. it was me) be
in a hurry, forget UDP is 17, and do a packet capture, look at the protocol
ID for UDP and enter the hex value as displayed (11) rather than the decimal
(17) as the filter input expects. Needless to say, since there is no 11,
nothing will happen here when you may expect it to, blah blah blah.

That's the skinny on that.
---------------------------------------------------------
Attonbitus Deus
thor () hammerofgod com

----- Original Message -----
From: "Frank Dimina" <fdimina () RIPTECH COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Friday, October 13, 2000 7:31 AM
Subject: Re: [PEN-TEST] Closing Port 139


I think people are stating that the NT TCP filtering "gets funny" because
they are expecting a stateful type of filter, remember this is not a
firewall, it's a router style of blocking all packets on a port.

I have never experienced a problem or unexpected result with the NT TCP
packet filtering.

-----Original Message-----
From: Jamie C. Pole [mailto:jpole () JCPA COM]
Sent: Thursday, October 12, 2000 3:44 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] Closing Port 139


It doesn't work very well at all.  NT's packet filtering is really twitchy,
especially when dealing with those ports that are (nominally, at least)
involved in NT network services.

This gets even funnier with certain of the NT-based firewalls (MS Proxy
Server is NOT a firewall, by the way) that open more ports than they close.
It's always hysterical to hear a firewall vendor suggest that you need to
use OS-based packet filtering to close ports that can't be closed by their
firewall product.  :-)

The only reliable way to kill this port is by firewalling or router ACLs.

Jamie

--
Jamie C. Pole
Principal Consultant
J.C. Pole & Associates, Inc.

Purveyors of global commercial intelligence and counterintelligence services

PGP Fingerprint:  6F18 A0E2 DF95 B0F0 A954  A333 B3C4 663E 893A D6F2
--


----- Original Message -----
From: Anderson, Harry F.
To: PEN-TEST () SECURITYFOCUS COM
Sent: Thursday, October 12, 2000 1:46 PM
Subject: Re: [PEN-TEST] Closing Port 139


     How well does this work on just NT?  I have been told that the NT
packet filtering does not work consistently with all ports.   I have wanted
to test it but there is just not enough time in the day.
  - Harry Anderson
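
The filtering behaviour described in the first message of this thread, as an added example that is not part of the original posts: a simplified model of a stateless port/protocol filter, showing which NetBIOS services stay reachable under each configuration mentioned, including the hex-versus-decimal protocol ID slip. The function names are hypothetical and the model is an assumption, not NT's own filter logic.

```python
# Added illustration: a stateless filter model, not NT's actual filtering code.
TCP, UDP = 6, 17  # IP protocol numbers in decimal, as the filter input expects

# NetBIOS services and their transports, as listed in the thread.
NETBIOS_SERVICES = [
    ("name service", UDP, 137),
    ("datagram service", UDP, 138),
    ("session service", TCP, 139),
]


def still_reachable(blocked_ports=(), blocked_protocols=()):
    """Return the NetBIOS services a stateless filter still lets through.

    blocked_ports: (protocol, port) pairs to drop.
    blocked_protocols: IP protocol numbers (decimal) to drop entirely.
    """
    ports = set(blocked_ports)
    protos = set(blocked_protocols)
    return [name for name, proto, port in NETBIOS_SERVICES
            if proto not in protos and (proto, port) not in ports]


def protocol_from_capture(displayed_hex):
    """Convert a protocol ID shown in hex by a packet capture to decimal."""
    return int(displayed_hex, 16)


if __name__ == "__main__":
    scenarios = {
        "block TCP 139 only":
            still_reachable(blocked_ports=[(TCP, 139)]),
        "block IP protocol 6 only":
            still_reachable(blocked_protocols=[6]),
        "protocols 6 and 11 (hex value typed as decimal)":
            still_reachable(blocked_protocols=[6, 11]),
        "protocols 6 and 0x11 converted to decimal":
            still_reachable(blocked_protocols=[6, protocol_from_capture("11")]),
        "block UDP 137, UDP 138 and TCP 139":
            still_reachable(blocked_ports=[(UDP, 137), (UDP, 138), (TCP, 139)]),
    }
    for label, services in scenarios.items():
        print(f"{label}: still reachable -> {services or 'none'}")
```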

