Subject: Re: NetBIOS info
From: Daniel S. Riley (dsr MAIL.LNS.CORNELL.EDU)
Date: Tue Mar 28 2000 - 09:33:34 CST

Robert Graham <bugtraq NETWORKICE.COM> writes:
> Don't get mad; get even. I've written a little utility that simply
> reflects NetBIOS queries back at the sender, and saves their
> responses to a file.
[...]
> The cool part is that it seems to penetrate NATs, stateful
> firewalls, and legal barriers.

We've seen a couple of interesting scans from uu.net.nl recently: an
anonymous ftp connection followed immediately by a NetBIOS nameserver
wildcard lookup. The idea seems to be to provoke Windows systems into
sending a NetBIOS ns query to the attacker's system (Hummingbird ftpd
does this on every connection, Microsoft's ftpd doesn't seem to), and
then use the temporary ACL this opens in a stateful firewall to inject
the attacker's NetBIOS queries--a nice example of the kind of mischief
that stateful firewalls can allow if not carefully deployed.

We now block any outgoing traffic with source ports 137-139. Of
course, if we were really serious about security, any servers
reachable from the Internet would be hardened systems out in the DMZ.
As a traditionally wide-open academic site trying to adiabatically
improve our security, we haven't reached that point yet.

other random thoughts:

- separate client and server ports--Windows using port 137 for both
  client and server is poor design
- the less udp allowed through the firewall, the better
- all the usual advice about Internet accessible servers on hardened
  systems in the DMZ applies, perhaps even more so, with stateful
  firewalls--attackers should not be able to provoke any kind of
  response from systems inside the protected net

-- 
Dan Riley dsrmail.lns.cornell.edu
Wilson Lab, Cornell University
<URL:http://www.lns.cornell.edu/~dsr/>
"History teaches us that days like this are best spent in bed"
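
Added example, not part of the original message: a toy Python model of a stateful UDP filter that replays the sequence described above and shows the effect of the two mitigations the message names (dropping outgoing traffic with source ports 137-139, and separate client and server ports). The class, the function names and the addresses are constructed for illustration and do not model any particular firewall product.

```python
from dataclasses import dataclass, field

NETBIOS_PORTS = range(137, 140)  # 137-139, the source ports the message blocks

@dataclass
class StatefulUdpFilter:
    """Toy stateful UDP filter (constructed model, not a real firewall)."""
    block_netbios_egress: bool = False
    # State entries: (inside_ip, inside_port, outside_ip, outside_port)
    states: set = field(default_factory=set)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Datagram leaving the protected net; True if forwarded."""
        if self.block_netbios_egress and src_port in NETBIOS_PORTS:
            return False  # dropped, so no return-path state is created
        self.states.add((src_ip, src_port, dst_ip, dst_port))
        return True

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Datagram from outside; forwarded only if it matches a state entry."""
        return (dst_ip, dst_port, src_ip, src_port) in self.states

def replay(fw, client_port=137):
    """Return (unsolicited query passed?, query after provoked lookup passed?)."""
    inside, outside = "10.0.0.5", "192.0.2.10"  # constructed addresses
    # An unsolicited query to the inside host's port 137 has no state to match.
    before = fw.inbound(outside, 137, inside, 137)
    # The inside host is provoked into a name-service lookup to the outside host.
    fw.outbound(inside, client_port, outside, 137)
    # The same query again: the filter cannot tell it from a reply to the lookup.
    after = fw.inbound(outside, 137, inside, 137)
    return before, after

if __name__ == "__main__":
    print("default stateful filter:  ", replay(StatefulUdpFilter()))
    print("egress 137-139 blocked:   ", replay(StatefulUdpFilter(True)))
    print("separate client port:     ", replay(StatefulUdpFilter(), client_port=40000))
```

In the model, only the default filter with a shared port 137 forwards the second inbound query; either mitigation leaves it without a matching state entry.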