
Thread: Question about NetBIOS

  1. #1
    Senior Member
    Join Date
    Jul 2004
    Posts
    548

    Question about NetBIOS

    I have tried Googling for this, but nothing came up: I once read something saying that "NetBIOS is an inbuilt trojan"; I'm not sure if I saw it here on AO or somewhere else. Is this true? I mean, I know some of its capabilities and disadvantages, but an inbuilt trojan...? Thanks in advance,

    J_K9

  2. #2
    Junior Member
    Join Date
    Oct 2004
    Posts
    12
    Hi,
    Yes, NetBIOS could be viewed, to a certain extent, as a 'trojan' (though the term trojan is probably not what you meant). It is, however, a well-known vulnerability (and very well documented) which can be easily exploited.

    Here are some links explaining the types of attacks that could be made.
    http://www.crawlclick.com/forum/showthread/t-250.html
    http://www.governmentsecurity.org/fo...showtopic=1522

    I would highly recommend that you disable this service on your computer to minimize the risks of being attacked (you can do so by going in the control panel section, followed by services).

    Hope this helps.

    all the best,
    banshee

  3. #3
    Senior Member
    Join Date
    Jun 2004
    Posts
    379
    I would not go as far as to say it was a built-in Trojan, but it is something like it. You said you know about NetBIOS, so you should know how it works and what you can do with it. Nowadays most ISPs block the NetBIOS ports and it is becoming harder to exploit; not too hard, because the last survey I looked at on the subject said 1 in 12 or 1 in 10 comps had NetBIOS running. So it really is not a built-in Trojan but more of a device that people don't know how to handle, like most things.

  4. #4
    Senior Member
    Join Date
    Jul 2004
    Posts
    548
    Hey, thanks guys for the info. I think that we NEED to have NetBIOS enabled in this LAN I'm in - God knows why! Just for reference, here's a result of nbtstat -n:

    Code:
    H:\>nbtstat -n
    
    Local Area Connection 2:
    Node IpAddress: [172.21.10.215] Scope Id: []
    
                    NetBIOS Local Name Table
    
           Name               Type         Status
        ---------------------------------------------
        J_K9       <00>  UNIQUE      Registered
        SCHOOL         <00>  GROUP       Registered
        J_K9       <20>  UNIQUE      Registered
        SCHOOL         <1E>  GROUP       Registered
    
    Local Area Connection:
    Node IpAddress: [0.0.0.0] Scope Id: []
    
        No names in cache
    
    H:\>
    Thanks for the links banshee.

    [EDIT]

    Although with all the money this place has, IMO they've got some pretty damn good security!

    [/EDIT]

    Cheers,
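
An added example (not part of the thread) that reads `nbtstat -n` output like the listing in post #4 and decodes the name suffixes, so an admin can see at a glance which adapters have the Server service name `<20>` registered. The sample text is constructed from the post's listing, and the function names and the suffix table (a subset of the well-known values) are this example's own assumptions.

```python
import re

# Constructed sample in the shape of the `nbtstat -n` output posted above.
SAMPLE = """\
Local Area Connection 2:
Node IpAddress: [172.21.10.215] Scope Id: []
                NetBIOS Local Name Table
       Name               Type         Status
    ---------------------------------------------
    J_K9       <00>  UNIQUE      Registered
    SCHOOL         <00>  GROUP       Registered
    J_K9       <20>  UNIQUE      Registered
    SCHOOL         <1E>  GROUP       Registered
Local Area Connection:
Node IpAddress: [0.0.0.0] Scope Id: []
    No names in cache
"""

# Well-known NetBIOS name suffixes (the 16th byte), keyed by (suffix, type).
SUFFIXES = {
    ("00", "UNIQUE"): "Workstation service (computer name)",
    ("00", "GROUP"): "Workgroup or domain name",
    ("03", "UNIQUE"): "Messenger service",
    ("20", "UNIQUE"): "Server service (file and print sharing)",
    ("1D", "UNIQUE"): "Master browser",
    ("1E", "GROUP"): "Browser service elections",
}
ADAPTER = re.compile(r"^(\S.*):\s*$")
ENTRY = re.compile(r"^\s+(.+?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)\s*$")

def parse_nbtstat(text):
    """Return {adapter: [(name, suffix, type, status, meaning), ...]}."""
    tables, current = {}, None
    for line in text.splitlines():
        if m := ADAPTER.match(line):
            current = m.group(1)
            tables[current] = []
        elif current and (m := ENTRY.match(line)):
            name, suffix, kind, status = m.groups()
            meaning = SUFFIXES.get((suffix.upper(), kind), "unknown")
            tables[current].append((name, suffix.upper(), kind, status, meaning))
    return tables

def sharing_adapters(tables):
    """Adapters where <20> is registered, i.e. the Server service is running."""
    return [a for a, rows in tables.items() if any(r[1] == "20" for r in rows)]
```
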

  5. #5
    Nokia (Right turn Clyde)
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    [QUOTE] Originally posted by banshee
    Hi,
    Yes, NetBIOS could be viewed, to a certain extent, as a 'trojan' (though the term trojan is probably not what you meant). It is, however, a well-known vulnerability (and very well documented) which can be easily exploited.

    I would highly recommend that you disable this service on your computer to minimize the risks of being attacked (you can do so by going in the control panel section, followed by services).
    [/QUOTE]

    You are right that it could be looked upon as a very basic form of trojan, and yes, it is a pretty well-known vulnerability; however, if the right steps are taken it is not always a vulnerability that is easily exploited.

    Also, you shouldn't start telling people to disable this unless you know what type of setup they have.

    If it is a standalone home computer then yes, it should be disabled.

    If it is on a LAN (as this one is), well, then it may be the case that disabling NetBIOS would mean that this particular machine would not be able to communicate with the rest of the LAN, and you would have in effect caused a form of DoS.

    Fortunately this looks like a school computer and J_K9 is unlikely to be able to disable NetBIOS anyway.

    To answer the question, it's not a built-in trojan as such. If someone did exploit it, mostly they would be able to view certain files and printers on your LAN (unless your sys admin is quite poor, which I wouldn't have thought he was, working in a school). In some cases it is possible to alter, delete and make new files and possibly view files that aren't of the shared type. Generally they could get a "feel" for your LAN, what's on it and how it's set up.

    If they are allowed to alter and make new files then it is possible that they could install the server part of a trojan and take things from there. Again, certain conditions need to be right and it is quite unlikely to happen if you have a half-decent sys admin.

    On a network it is a lot harder to exploit than if it is just a standalone box with a direct internet connection and NetBIOS enabled.

  6. #6
    Junior Member
    Join Date
    Oct 2004
    Posts
    12
    Nokia: yes, you are right, a lot of networks DO depend on it... I assumed that it was a standalone computer. However, networks that do require NetBIOS to be open should closely monitor its use (this can be done by using an IDS monitoring ports 137-139).

    all the best,
    banshee

  7. #7
    Junior Member
    Join Date
    Nov 2004
    Posts
    11
    What ports should be blocked?

  8. #8
    Nokia (Right turn Clyde)
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    Ports - [TCP] 137, 138 & 139. Obviously in conjunction with disabling NetBIOS.

    You could also disable LMHOSTS Lookup as an extra precaution.

  9. #9
    Junior Member
    Join Date
    Nov 2004
    Posts
    11
    My PCCillin Firewall keeps on alarming when I am on the internet. (Dial-up)
    When I check the log, it says NetBIOS Browsing... Is it related to the vulnerability mentioned above?

  10. #10
    Nokia (Right turn Clyde)
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    Yes, it is related.

    I presume that it was an incoming connection attempt?

    If it's incoming it will just be someone scanning port 139 / trying to establish a NetBIOS connection with you - as long as your firewall says it has rejected it, you can be happy that it is working as it should. It is quite a common entry in a firewall log IMHO. Unless you get continued attempts from the same source to connect to port 139, you have nothing to worry about as your firewall is doing its job.

    Somebody else asked that question here and got the "expert" answer so to speak.

    One thing I have noticed is that the built-in firewall in XP is very good at blocking illegitimate NetBIOS connection requests.
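
The log triage described in posts #6 and #10 (watch ports 137-139; a single rejected probe is routine, repeated attempts from one source or anything that was let through deserves a look), as an added example that is not part of the thread. The log format, the threshold and the time window are assumptions of this example, and the log lines are constructed using documentation address ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

NETBIOS_PORTS = {137: "name service", 138: "datagram service", 139: "session service"}

# Constructed log lines: date time action protocol src dst sport dport
SAMPLE_LOG = """\
2004-11-20 21:14:03 DROP TCP 203.0.113.7 192.0.2.10 4312 139
2004-11-20 21:14:09 DROP TCP 203.0.113.7 192.0.2.10 4313 139
2004-11-20 21:15:40 DROP UDP 198.51.100.23 192.0.2.10 137 137
2004-11-20 21:16:02 DROP TCP 203.0.113.7 192.0.2.10 4320 139
2004-11-20 21:20:11 DROP TCP 203.0.113.7 192.0.2.10 4388 80
2004-11-20 21:31:55 ALLOW TCP 198.51.100.99 192.0.2.10 2201 139
"""

def parse(line):
    """Split one log line into (timestamp, action, source IP, destination port)."""
    date, time, action, _proto, src, _dst, _sport, dport = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, action, src, int(dport)

def review(log, threshold=3, window=timedelta(minutes=10)):
    """Return (repeat_sources, allowed) for inbound traffic to ports 137-139."""
    drops, allowed = defaultdict(list), []
    for line in filter(None, map(str.strip, log.splitlines())):
        ts, action, src, dport = parse(line)
        if dport not in NETBIOS_PORTS:
            continue                      # not NetBIOS traffic, ignore here
        if action == "ALLOW":
            allowed.append((src, dport))  # got through the firewall: investigate
        else:
            drops[src].append(ts)
    repeat = []
    for src, stamps in drops.items():
        stamps.sort()
        # Sliding window: `threshold` consecutive drops that fit inside `window`.
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                repeat.append(src)
                break
    return repeat, allowed
```
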
