December 27th, 2001 08:42 PM
Netbios (Legacy Continues)
Ok guys, do you really have a concept of how bored I am right now at work?? Ok, this will be my last new thread of the day so I pondered on the idea of what protocol I should utterly blurt about next. Since I seem to be surrounded by Microsoft beaters I figured that we might look into ways to sploit it also. Of course, the major flaw in the Enterprise versions of any Microsoft Operating System is Netbios. This legacy protocol was mainly kept around for backwards operability with it's older operating systems (wasn't that nice of them?). What we are going to bring up will apply to both Windows NT and 2000 but the fixes for the same problem will be different (again, how nice). Netbios works on port TCP/UPD port 135-139 and is completely fundamental with the way that the operating system communicates with other computers on a network (or as most people have learned to call it, Network Neighborhood). Netbios of course is not routable. Unlike TCP/IP it cannot travel across routers or outside of an actual WAN. Wondering why this is really gonna help you? Well....they came out with a revision of this protocol a few years back that is capable of binding with TCP/IP and accessable from WAN connections (how nice). Since the only OS with interactive login that microsoft has ever created is its Enterprise systems we will focus on them (in other words, no Win95, 98 , ME, etc...) The main issue with Netbois is the great right out of the box vulnerability known as the IPC$ (interprocess communication) share. This wide open share is necessary for system functionality so it cannot be removed but Microsoft decided to secure it by making it hidden (in a perfect world I guess that would work). Regardless, this share will allow for anonymous connections. What I mean by this is that you can actually connect to the share without needing a username or pwd. Of course, you really haven't gone anywhere merely be connecting to the system but it does give you a great avenue for research. By connecting to this share you can view pwd policy (lockout etc), account names, printers, domains, etc.... This is a very useful tool considering having the username is 50% of the work. Also, checking the SID/UID can help you find out who is trully the administrator (in case a security minded person actually changed the default account). Of course, in order to perform this functions you have to be either using Samba (for unix kin) or Windows NT/2000. Again, if you are wanting to learn how to use the net commands then open up the command prompt and type net /? and you'll see all the arguements there.
To secure this lil bug of a protocol you should do a number of things. One, unbind netbios from any outbound interfaces on the network (you will never need netbios across a WAN connection) or you can filter the appropriate ports on the firewall. The second is to check for any open shares across the system itself (why make it easy for them?). The third and probably most important for this topic would be to disable the anonymous connection feature of the IPC$ share. With Windows 2000 there is a local security policy that you can set to disable anonymous access. But in NT you must dive into the reg to correct this issue (so what's new?) The path is:
Create a value with data type REG_DWORD and name it RestrictAnonymous and finnaly give it a value of 1
Note: The next protocol on the agenda is SNMP since I feel like walking around the information gathering idea. If you have any questions just let me know.