
Thread: Question about NetBIOS

  1. #11
    NetBIOS is just one of the first steps in a system compromise, allowing you to enumerate the host for other possible vulnerabilities; i.e. CIFS/SMB exploits, etc. All these posts mention ports 137 & 139, but none mentioned SMB over NetBIOS .... port 445, which is just as dangerous, if not more.

    So in all respects, it's not really NetBIOS that is dangerous... But the services, and applications that utilize it.

  2. #12
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    Before elaborating about NBT (Netbios over TCP/IP) I want to correct some misinformation
    - assuming that my information is correct


    Confusion of SMB over TCP/IP and NBT

    As is well known, NBT uses the ports 137, 138 (udp) and 139 (tcp). The service message block
    (SMB) over Netbios uses these very same ports.
    Since Windows 2000 it is possible to circumvent NBT to run SMB over TCP/IP directly,
    hence omitting the NBT layer. This technique uses port 445, while SMB over NBT
    uses 137-139.

    As you can see in your firewall logs, while attempting a shared resources connection,
    both ports 139 and 445 are used if NBT is activated; but Port 445 only, if NBT is deactivated.
    Port 445 however has priority if the OS has the choice.

    Netbios

    To summarize (maybe):
    Netbios is useful and can be activated in a trusted network environment.
    At least two requirements however: Block 137,138,139 on your router to
    an outer world - completely. Monitor 137-139 activity inside your trusted
    network to detect attempts of spreading of some malicious code inside
    your so-called trusted network.

    Netbios should be deactivated, and in addition the ports (plus 445) blocked, on a
    stand-alone PC with, for example, broadband access. If your firewall detects
    outgoing activity on port 137-139 (plus 445), you should check for its source.

    Cheers!
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)
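
Added example, not part of the original posts: one way to do the log check post #12 recommends, sorting traffic on ports 137-139 and 445 into internal, leaving the trusted network, or arriving from outside. The Windows Firewall `pfirewall.log` field layout, the `192.168.1.0/24` trusted network and all sample log lines are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Ports from the post: NBT (137/138 udp, 139 tcp) plus SMB directly over TCP (445).
WATCHED = {("UDP", 137), ("UDP", 138), ("TCP", 139), ("TCP", 445)}
TRUSTED = [ipaddress.ip_network("192.168.1.0/24")]  # assumed trusted LAN

# Constructed sample lines in the assumed pfirewall.log layout.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-08-01 10:00:01 ALLOW TCP 192.168.1.20 192.168.1.5 1045 445 48 S 0 0 65535 - - - SEND
2004-08-01 10:00:02 ALLOW TCP 192.168.1.20 192.168.1.5 1046 139 48 S 0 0 65535 - - - SEND
2004-08-01 10:02:10 ALLOW TCP 192.168.1.20 203.0.113.7 1050 445 48 S 0 0 65535 - - - SEND
2004-08-01 10:02:11 ALLOW TCP 192.168.1.20 203.0.113.8 1051 445 48 S 0 0 65535 - - - SEND
2004-08-01 10:02:12 DROP UDP 198.51.100.9 192.168.1.20 137 137 78 - - - - - - - RECEIVE
2004-08-01 10:03:00 ALLOW TCP 192.168.1.20 203.0.113.7 1052 80 48 S 0 0 65535 - - - SEND
"""

def netbios_smb_events(log_text, trusted=TRUSTED):
    """Return {category: {src_ip: {(dst_ip, proto, dst_port), ...}}}."""
    fields, found = [], defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names come from the log header
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        try:
            key = (rec["protocol"], int(rec["dst-port"]))
            src = ipaddress.ip_address(rec["src-ip"])
            dst = ipaddress.ip_address(rec["dst-ip"])
        except (KeyError, ValueError):
            continue  # rows without ports (ICMP) or malformed lines
        if key not in WATCHED:
            continue
        src_in = any(src in net for net in trusted)
        dst_in = any(dst in net for net in trusted)
        if src_in and dst_in:
            category = "internal"  # normal sharing, or code spreading inside the LAN
        elif src_in:
            category = "leaving"   # should be blocked at the router; check the source
        else:
            category = "inbound"   # outside host reaching for NBT/SMB
        found[category][str(src)].add((str(dst), *key))
    return found

if __name__ == "__main__":
    for category, by_src in netbios_smb_events(SAMPLE_LOG).items():
        for src, targets in by_src.items():
            print(category, src, sorted(targets))
```

A single internal host appearing under `leaving` with many distinct destinations is the case the post says to trace back to its source.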

  3. #13
    Senior Member
    Join Date
    Jul 2004
    Posts
    548
    Thank you very much everyone, you have all been really helpful, and if I've learnt anything today, this is it! banshee: you mentioned using an IDS to monitor ports 137-139, if I did this, the admin of this network wouldn't say anything to me about it right? As I'm using Windows, should I set up WinSnort on my computer?

    I remember scanning a guy's computer in this network (with his permission) and if I remember correctly port 139 DID come up...

    Cheers,

    J_K9
