Penetration Testing mailing list archives
Re: [PEN-TEST] Closing Port 139
From: "Deus, Attonbitus" <Thor () HammerofGod Com>
Date: Fri, 13 Oct 2000 09:47:42 -0700
The main reason that this perception persists is due to an incomplete understanding of the NetBIOS components, which leads to subsequent misconfiguration of filtering parameters.

The NetBIOS suite uses both TCP and UDP, depending on the services being requested. For instance, blocking TCP 139 will prevent stateful NetBIOS sessions from being established, but it will not prevent a user from receiving a Net Send message as this service travels over UDP 138 (as do all NetBIOS datagram services). Nor will it prevent a successful NetBIOS name resolution/registration/release as the NetBIOS name service uses UDP 137. Therefore, when an admin blocks TCP 139, yet continues to see various successful NetBIOS functions persist, the perception is that the filtering mechanism's operation is inconsistent, when in fact it is doing its job as requested. UDP 137 is the NetBIOS name service, UDP 138 is the datagram service, and TCP 139 is the session service.

Conversely, when the admin chooses to block the protocol itself, rather than specific UDP/TCP ports, the same will happen. UDP is Protocol 17, TCP is protocol 6. If you select only Protocol 6 in your IP Protocol filter, then all UDP will function normally. I have also seen people (Ok.. it was me) be in a hurry, forget UDP is 17, and do a packet capture, look at the protocol ID for UDP and enter the hex value as displayed (11) rather than the decimal (17) as the filter input expects. Needless to say, since there is no 11, nothing will happen here when you may expect it to, blah blah blah.

That's the skinny on that.

---------------------------------------------------------
Attonbitus Deus
thor () hammerofgod com

----- Original Message -----
From: "Frank Dimina" <fdimina () RIPTECH COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Friday, October 13, 2000 7:31 AM
Subject: Re: [PEN-TEST] Closing Port 139
I think people are stating that the NT TCP filtering "gets funny" because they are expecting a stateful type of filter, remember this is not a firewall, it's a router style of blocking all packets on a port. I have never experienced a problem or unexpected result with the NT TCP packet filtering.

-----Original Message-----
From: Jamie C. Pole [mailto:jpole () JCPA COM]
Sent: Thursday, October 12, 2000 3:44 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] Closing Port 139

It doesn't work very well at all. NT's packet filtering is really twitchy, especially when dealing with those ports that are (nominally, at least) involved in NT network services. This gets even funnier with certain of the NT-based firewalls (MS Proxy Server is NOT a firewall, by the way) that open more ports than they close.

It's always hysterical to hear a firewall vendor suggest that you need to use OS-based packet filtering to close ports that can't be closed by their firewall product. :-)

The only reliable way to kill this port is by firewalling or router ACLs.

Jamie

--
Jamie C. Pole
Principal Consultant
J.C. Pole & Associates, Inc.
Purveyors of global commercial intelligence and counterintelligence services
PGP Fingerprint: 6F18 A0E2 DF95 B0F0 A954 A333 B3C4 663E 893A D6F2
--

----- Original Message -----
From: Anderson, Harry F.
To: PEN-TEST () SECURITYFOCUS COM
Sent: Thursday, October 12, 2000 1:46 PM
Subject: Re: [PEN-TEST] Closing Port 139

How well does this work on just NT? I have been told that the NT packet filtering does not work consistently with all ports. I have wanted to test it but there is just not enough time in the day.

- Harry Anderson
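
Added example, not part of the original thread: a short Python check of which NetBIOS services a stateless block list leaves reachable, using the port and protocol numbers given in the top message. The filter model, function names and sample packets are constructed for illustration and are not NT's actual filtering code.

```python
import struct

# NetBIOS services as listed in the message: (IP protocol, port) -> service.
NETBIOS = {(17, 137): "name service", (17, 138): "datagram service",
           (6, 139): "session service"}

def build_packet(proto, dst_port, src_port=1025):
    """Constructed sample: minimal 20-byte IPv4 header plus src/dst ports."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                      bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return hdr + struct.pack("!HH", src_port, dst_port)

def classify(packet):
    """Return (protocol number, destination port, NetBIOS service or None)."""
    ihl = (packet[0] & 0x0F) * 4      # IPv4 header length in bytes
    proto = packet[9]                 # protocol field: 6 = TCP, 17 = UDP
    _, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    return proto, dst_port, NETBIOS.get((proto, dst_port))

def is_blocked(packet, blocked_ports=(), blocked_protocols=()):
    """Hypothetical stateless filter: all entries are decimal values."""
    proto, dst_port, _ = classify(packet)
    return proto in blocked_protocols or (proto, dst_port) in blocked_ports

def still_reachable(blocked_ports=(), blocked_protocols=()):
    """NetBIOS services that the given block list does not stop."""
    return sorted(name for (proto, port), name in NETBIOS.items()
                  if not is_blocked(build_packet(proto, port),
                                    blocked_ports, blocked_protocols))

if __name__ == "__main__":
    # Blocking only TCP 139 leaves the UDP name and datagram services open.
    print(still_reachable(blocked_ports={(6, 139)}))
    # Blocking only protocol 6 (TCP) has the same result.
    print(still_reachable(blocked_protocols={6}))
    # A capture displays UDP's protocol ID in hex; typed as decimal 11
    # it matches no NetBIOS traffic.
    print(hex(classify(build_packet(17, 138))[0]),
          still_reachable(blocked_protocols={6, 11}))
    # Decimal 17 is the value that actually covers UDP.
    print(still_reachable(blocked_protocols={6, 17}))
```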