Netbios
Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Netbios

  1. #1
    Senior Member
    Join Date
    Jan 2004
    Posts
    199

    Netbios

    Is there anyway to tell if anyone currently has , or has in the past created a netbios session with my computer ? I'm running winXP.

    Thanks in advance.
    -

  2. #2
    Member
    Join Date
    Jan 2003
    Posts
    47
    yeah do you have a firewall they will normaly log that type of thing or if you dont get an ids (search google) or zone alarm net bios sessions will show up on port 139

  3. #3
    Senior Member
    Join Date
    Jan 2004
    Posts
    199
    Yes, that would be one method, but i was looking more to if any log files are created etc.
    -

  4. #4
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    For seeing if there's someone connected to you in real time, you can do a netstat -n at the command prompt. If there is a connection to you on port 139 then someone is in a netbios session( or I guess they could just be connected to you on port 139 without being in a netbios session). as for past sessions, you should be able to go into the event viewer under control panel>administrative tools, and I think that will log netbios connections. I'm not positive though. Hope that helped.

  5. #5
    Yes, that's my CC number! 576869746568617's Avatar
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    If configured in the Local, Domain, or Domain Controller Security Policy MMC Snap-In (depending on which version and what type of net it's on), h3r3tic is correct.

    Just remember, if the computer in question in in a Windows Domain, the Domain's security policy overrides the local one, so it would have to be set up on the DC. If it's stand-alone or workgroup, configure it in the local security policy.

  6. #6
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,019
    Is there anyway to tell if anyone currently has , or has in the past created a netbios session with my computer ? I'm running winXP.
    The event logs (as h3r3tic mentioned) should tell you if there was a connection to your computer, but only if logs are enabled. (It keeps track of remote log ins, anyway) In Xp home, they are disabled by default.

    576869746568617 is also correct, but again, only if it is set up ahead of time. This is called pre-incident preperation, and someone did a tutorial on this awhile ago. In a default state, XP doesn't tell you much.

    If al l you have is the built in XP firewall, then this link should help you tweak it .
    http://www.microsoft.com/technet/tre...erstanding.asp

  7. #7
    Yes, that's my CC number! 576869746568617's Avatar
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    Might also consider downloading an good IDS. A pretty painless one is GFI S.I.M. (system integrity monitor). It's a free download, but doesn't ave a very rich featureset. Overall, it's good though. For a more powerful/customizable IDS, get snort.

  8. #8
    Senior Member
    Join Date
    Jan 2004
    Posts
    199
    I know this is sort of answering my own question, but just incase anyone else wanted to find the same thing, if you type "nbtstat -s" into a dos command window you will be presented with a table showing all the current sessions (incoming and outgoing).
    -

  9. #9
    Junior Member
    Join Date
    Oct 2002
    Posts
    4
    HELP HELP, got a win xp home computer thats almost gone the virus i have replicates, even when i dont a OS, when i did a F Disk, the virus went phsyco and wont let any system restore work, how do i get ride of NET Bios

  10. #10
    Yes, that's my CC number! 576869746568617's Avatar
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397

    Disabling NetBIOS

    Neo_diablos:

    NOTE: You computer will not be able to share files on o network as a result of these modifications: If you need to be able to do this, skip down past "NetBIOS should effectively be disabled"

    Disabling NetBIOS
    On XP (Home or Pro), go to the properties for your network card or modem and make sure that "File and Printer Sharing" is not checked. Also, go to "Internet Protocol (TCP/IP)" and select properties. Select the "Advanced" button and then the "WINS" tab. Check the box beside "Disable NetBIOS over TCP/IP (it's about 3/4 the way down.) Click Apply and OK. Next, Go into "Control Panel" then "Administrative Tools" and then "Services"

    Disable the following services: (the previous step should have done this for us, but it is always best to double-check )

    TCP/IP NetBIOS Helper Service
    Remote Access Auto Connection Manager
    Simple Network Monitoring Protocol (if installed)
    NOTE: SNMP isn't part of NetBIOS, but can be forced to divulge similar information if enumerated.

    NetBIOS should effectively be disabled.

    As an added measure, or if you need to be able to share files on a network, install a personal or hardware firewall and block TCP/UDP ports 135-139 and 445.

    You might want to also take the time to harden the TCP/IP protocol stack a little further...this is not for the faint of heart as it involves modification of the registry. There are programs available that will do this for you, such as Tweak Manager.

    These changes will make the computer less suseptable to DoS and SYN flooding, but performance may suffer....In my experience it has been un-noticeable.

    Open your registry with regedit and find HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

    Create the following DWORD values and set them to the numeric value in quotes. If the DWORD value already exsists, just change the numeric value.

    EnableDeadGWDetect = "0"
    EnableICMPRedirect = "0"
    EnablePMTUDiscovery = "0"
    KeepAliveTime = "300,000"
    NoNameReleaseOnDemand = "1"
    PerformRouterDiscovery = "0"
    SynAttackProtect = "2"

    Restart Windows

    After all this, search through the forums and learn how to disable the default accounts in XP, as well as give the "Administrator" and "Guest" accounts strong passwords. Also disablew remote assistance if you haven't already done so.


    Hope it helps

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •