
ChrisDAT
djSpinnerCee
join:2002-02-26
Hollis, NY

ChrisDAT to Cronk

Member

Re: Need to block NetBIOS?

Maybe I should add that I have one WinPC (NT4Wks) on my LAN that still runs NetBT, and I do not worry about the security implications of doing so -- that's because the real danger is exposing the Win TCP/IP protocol stack to the outside, and my NAT router does the job.

Because of this, my NT box will attempt to resolve Win NetBIOS names when other name resolution fails (hosts, DNS, [WINS], local broadcast) -- for me this is no problem -- what's interesting is how often it is successful -- the NT box runs an Apache HTTPd (on a non-well-known port) and the log does reverse name lookups -- it almost baffles me how many Win boxes not only respond (the NBName ports are not blocked, or there is no NAT in play), but respond with default system names, and more importantly the default workgroup "WORKGROUP" (the NT event log security auditing displays this info) -- this could be a bad thing because PCs in the same workgroup are considered trusted peers by the software such that strong authentication is not required. I'd call that ripe for exploitation.

One thing that should be of interest to everyone is that some very elementary apps can/will do this with NetBT enabled -- ping, tracert, or any other app that does reverse lookups will "try" NetBIOS name resolution eventually (usually as the last resort) -- there is a reg entry that controls the name provider search order, but it escapes me at the moment. Disabling NetBT will prevent this behavior.

While there's probably no harm in querying a remote IP for its name, to the remote (router log) it will certainly look like an exploit attempt (it is after all looking for information). It's also possible that in the future, hijacked [secured?] boxes may have a surprise response [malicious] for PCs that attempt to query its NetBIOS info (you didn't hear it from me).

I started this for one reason, and I went into something else, lol -- There may be situations when you cannot avoid using NetBT because you have a "box" or application that can only do NetBIOS over TCP/IP (printer, UNIX box, etc), or you run WINS on the LAN etc, so the fact that an incoming attack is prevented by your broadband router [NAT] is sufficient, and you shouldn't lose any sleep because of it.

I have no stats to back this up, but it's been a long time since I've seen an email or BHO type hijack or trojan that attacks the LAN PCs from the inside; most seem to be looking for fame and fortune on the internet by attacking the ISP subnet that you are on and beyond [they don't appear to be very LAN-aware, yet].
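
The NetBT lookups described in the post above travel as NetBIOS name service requests to UDP port 137, so a defender can spot LAN hosts that send them to outside addresses. The following is an added example, not part of the original post: it decodes the RFC 1002 question section and reports requests whose destination is outside the RFC 1918 ranges. The function names, the sample addresses and the sample datagrams are constructed for illustration.

```python
import ipaddress
import struct

# RFC 1918 ranges treated as "inside the LAN" (assumption for this example).
LAN = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
QTYPES = {0x0020: "NB", 0x0021: "NBSTAT"}  # RFC 1002: name query, node status

def decode_nb_name(enc: bytes) -> str:
    """Undo RFC 1002 first-level encoding (each byte became two letters 'A'..'P')."""
    if len(enc) != 32 or any(not 0x41 <= b <= 0x50 for b in enc):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace")  # byte 16 is the suffix

def parse_nbns_query(payload: bytes):
    """Return (name, qtype) for a one-question name service request, else None."""
    if len(payload) < 50:  # 12-byte header + 34-byte name + type + class
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount != 1 or payload[12] != 0x20 or payload[45] != 0:
        return None  # response bit set, or question is not a single 32-byte label
    try:
        name = decode_nb_name(payload[13:45])
    except ValueError:
        return None
    qtype, _qclass = struct.unpack("!HH", payload[46:50])
    return name, QTYPES.get(qtype, hex(qtype))

def queries_leaving_lan(datagrams):
    """datagrams: (src_ip, dst_ip, udp_payload) tuples already filtered to dst port 137."""
    hits = []
    for src, dst, payload in datagrams:
        parsed = parse_nbns_query(payload)
        outside = not any(ipaddress.ip_address(dst) in net for net in LAN)
        if parsed and outside:
            hits.append((src, dst) + parsed)
    return hits

def build_query(enc_name: bytes, qtype: int) -> bytes:
    """Build a constructed sample request: header, one question, class IN."""
    return struct.pack("!6H", 0x1234, 0, 1, 0, 0, 0) + b"\x20" + enc_name + b"\x00" + struct.pack("!HH", qtype, 1)

# Constructed samples: a node status request to a documentation address, and a LAN broadcast lookup.
WILDCARD = b"CK" + b"A" * 30                       # "*" followed by 15 NUL bytes
FILESRV = b"EGEJEMEFFDFCFG" + b"CA" * 8 + b"AA"    # "FILESRV", space padded, suffix 0x00
SAMPLE = [
    ("192.168.1.20", "203.0.113.7", build_query(WILDCARD, 0x0021)),
    ("192.168.1.20", "192.168.1.255", build_query(FILESRV, 0x0020)),
]
```

Running `queries_leaving_lan(SAMPLE)` reports only the first datagram, which tells you which LAN host still has NetBT enabled and is querying remote addresses.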

BIGMIKE
Q
Premium Member
join:2002-06-07
Gainesville, FL

1 edit

BIGMIKE to Cronk

Premium Member

WHERE HAVE YOU BEEN?
With Port 139 Blocker you can disable NetBios: Port 139 with just one click. Re-enabling it is also a simple one click process. For Windows 95\98\Me.

»www.personal-computer-tu ··· /ptb.htm

post test
»whacker4.hackerwhacker.c ··· ools.php
Tracing Port 139 to Ip Address
Cronk
join:2005-07-16

Cronk

Member

OK, thanks to all for the help. I feel like I have an understanding now of the whole NetBIOS situation.