|
-
January 5th, 2004, 05:22 PM
#1
Senior Member
 Netbios Through Webpages Getting List of Usernames????
I'm a network administrator at a company. We are currently having a problem with people downloading a valid list of usernames from our webserver. I ran a network security program called Retina, and it says they are going through Netbios. I'm wondering how they are doing it. I know you can use a program like Retina, but i wondering if there is a way they are doing it through just code on a webpage or some other way/program besides one such as Retina.
Any help would be greatly appreciated
-
January 5th, 2004, 05:41 PM
#2
Senior Member
If i remember retina right, it gives quite a detailed report of the problem, is that not been of any help?
I wouldn`t of thought the problem would be connected to netBios, cause surely if its a web server it will be locked down so the only way to connect to it would be through the http service?
-
January 5th, 2004, 05:58 PM
#3
This is whats called a NetBIOS null session or anonymous NetBios session. This allows people to enumerate all sorts of information from NetBIOS. There are many tools for enumerating NetBIOS accounts,shares,users,machines,policies and other information. The one I use is called enum.exe and will even perfrom a dictionary attack on the accounts it enumerates. This can be disbled through the "Local Security Policy" under the "Security" settings section by setting the "Additional Restrictions for Anonymous Connections" (There are a few options I think) or as a domain security policy via the MMC from the PDC. The most relevant key is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\
RestrictAnonymous:REG_DWORD:"1"
This will disable anonymous NetBios sessions. There are other values for for this key in XP/2000 that allow more control but they may break certain fuctionality with NT or 98 machines.
-Maestr0
EDIT:I hope 'they' arent doing this from the internet. Allowing incoming NetBios connections from the internet is a big security risk, unless absolutely neccesary I would block all NetBios ports at the network perimeter.
\"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier
-
January 5th, 2004, 06:49 PM
#4
Senior Member
Thanks so much for the information, but unfortunatly this is exactly what retina told me. I'm a little more curious on how exactly they are access it....
-
January 5th, 2004, 06:58 PM
#5
The one I use is called enum.exe
Greeeeaat tool. It is a favorite of mine. 
RestrictAnonymous:REG_DWORD:"1"
Actually, there are several tools (Nessus being one of them) that can get around this if the value is set to 1. In the name of best practice, set the value to 2.
Also, here is a baseline reg file that I use on all servers. I, of course, lock it down as needed but nothing hits my network with anything less than the following settings. To use this, simply copy the contents to a txt file, rename the file with the .reg suffix and then right click it and hit MERGE. Reboot your server and run a security tool against the box. I assure you that the score will go up.
Windows Registry Editor Version 5.00
#This file reflects baseline security settings.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"NullSessionPipes"=hex(7):00,00
"NullSessionShares"=hex(7):00,00
"RestrictNullSessAccess"=dword:00000001
"AutoShareServer"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LMCompatibilityLevel"=dword:00000004
"RestrictAnonymous"=dword:00000002
"NoLMHash"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsNT\Printers]
"DisableWebPrinting"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisable8dot3NameCreation"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"ProtectionMode"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet]
"Ports"=hex(7):31,00,31,00,30,00,30,00,2d,00,31,00,32,00,30,00,30,00,00,00,00,\
00
"PortsInternetAvailable"="Y"
"UseInternetPorts"="Y"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CachedLogonsCount"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000001
"LegalNoticeCaption"="LEGAL WARNING"
"LegalNoticeText"="WARNING: Unauthorized use of this computer is prohibited."
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Optional"=hex(7):00,00
"Os2"=hex(2):00,00
"Posix"=hex(2):00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
"Os2LibPath"=hex(2):00,00
#This disables WebDAV
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters]
"DisableWebDAV"=dword:00000001
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
January 5th, 2004, 09:38 PM
#6
Senior Member
Perhaps im completely off track but surely to exploit a NetBIOS null session you`ll need to be able to acess the NetBIOS ports? Now surely this is a major securuty risk and on a web server i`d be more worried about the fact these are accesible in the first place.
-
January 5th, 2004, 09:55 PM
#7
I'm a network administrator at a company. We are currently having a problem with people downloading a valid list of usernames from our webserver. I ran a network security program called Retina, and it says they are going through Netbios. I'm wondering how they are doing it. I know you can use a program like Retina, but i wondering if there is a way they are doing it through just code on a webpage or some other way/program besides one such as Retina.
Call me paranoid... but are you asking us HOW TO HACK A WEB SERVER ? You have been given good information on how to PROTECT it.. BUT
I'm a little more curious on how exactly they are access it....
you want details on how exactly one would arry out the attack... hmmmmm ..
I would prefer that you explain yourself better before we continue..
Cheers
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
January 5th, 2004, 10:00 PM
#8
Yeah, actually, the simple approach to all of this is to disable NetBIOS outright. This can be done from the advanced tab under TCP/IP properties.
Hmmmm, now undertak3r has made me paranoid.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
January 5th, 2004, 10:29 PM
#9
hey, just because you are paranoid doesnt mean people arent following you  ...BTW, where can you get enum? i googled for it and got a hit, but it was a batch renamer and a file lister.
slick
\"Look, Doc, I spent last Tuesday watching fibers on my carpet. And the whole time I was watching my carpet, I was worrying that I, I might vomit. And the whole time, I was thinking, \"I\'m a grown man. I should know what goes on my head.\" And the more I thought about it... the more I realized that I should just blow my brains out and end it all. But then I thought, well, if I thought more about blowing my brains out... I start worrying about what that was going to do to my goddamn carpet. Okay, so, ah-he, that was a GOOD day, Doc. And, and I just want you to give me some pills and let me get on with my life. \" -Roy Waller
-
January 5th, 2004, 10:52 PM
#10
Senior Member
I'm interested in how they are doing it because finding out how to block it is only half the knowledge. How are you to further your knowledge if you can't find out how they are gonna hit you, and do it before they do, to find out how your server really holds up
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote
