Re: Netbios and Nessus
John Howie (JHowie@MSN.COM)
Wed, 17 Nov 1999 07:52:44 -0800
- Next message: Craig Williams: "Effects from failed security ?"
- Previous message: Ussr Labs: "Remote D.o.S Attack in G6 FTP Server v2.0 (beta 4/5) Vulnerability"
For what it's worth... Here are a couple of other ways to get system information:
1) IIS - The system information is returned in each GET/HEAD response;
2) FTP - Try telnet'ing to port 21, go through the authentication sequence user anonymous<CRLF>pass your email address<CRLF> and then type syst; and
3) the biggest hole of all... SNMP (you can even get a full list of users and shares). The OIDs of interest are all detailed in the MIB files that come with the Resource Kit (along with a tool to query the MIB on a machine running SNMP). So you're thinking... but I have never installed SNMP so I am safe. Well, if you can use Performance Monitor to watch IP counters you have SNMP installed.
Okay so there were three!
john...
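As an added example (not code from John's message, nor from IIS, the NT FTP service or any tool the thread mentions), the two text-protocol checks above as a small Python script: a HEAD request that reads the Server header, and the anonymous FTP login followed by SYST exactly as one would type it into telnet. The stand-in servers at the bottom, the host name ntsrv1, the banners and the e-mail address are constructed so the probes run offline; point ftp_syst_probe and http_server_header at a real host to use them for real. The SNMP check is not covered here.

```python
import socket, threading


def _read_ftp_reply(rfile):
    """Read one FTP reply; multi-line replies ('220-...') end on a 'NNN ' line."""
    lines = []
    while True:
        line = rfile.readline()
        if not line:
            raise ConnectionError("FTP server closed the control connection")
        text = line.decode("ascii", "replace").rstrip("\r\n")
        lines.append(text)
        if len(text) >= 4 and text[:3].isdigit() and text[3] == " ":
            return text[:3], "\n".join(lines)


def ftp_syst_probe(host, port=21, email="anonymous@example.com", timeout=5.0):
    """USER anonymous / PASS <email> / SYST, as typed by hand into telnet."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        send = lambda cmd: sock.sendall((cmd + "\r\n").encode("ascii"))
        _, greeting = _read_ftp_reply(rfile)          # 220 banner, often OS-revealing too
        send("USER anonymous")
        code, reply = _read_ftp_reply(rfile)
        if code != "331":
            raise RuntimeError("unexpected reply to USER: " + reply)
        send("PASS " + email)
        code, reply = _read_ftp_reply(rfile)
        if code != "230":
            raise RuntimeError("anonymous login refused: " + reply)
        send("SYST")
        _, syst = _read_ftp_reply(rfile)              # e.g. "215 Windows_NT version 4.0"
        send("QUIT")
        _read_ftp_reply(rfile)
        return greeting, syst


def http_server_header(host, port=80, timeout=5.0):
    """HEAD / and return (status line, Server header or None if absent)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(("HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host).encode("ascii"))
        rfile = sock.makefile("rb")
        status = rfile.readline().decode("ascii", "replace").rstrip("\r\n")
        headers = {}
        for line in rfile:
            if line in (b"\r\n", b"\n"):
                break                                 # end of the response head
            name, _, value = line.decode("ascii", "replace").partition(":")
            headers[name.strip().lower()] = value.strip()
    return status, headers.get("server")


# --- constructed stand-in servers (not IIS / the NT FTP service) so this runs offline
FAKE_FTP_GREETING = "220 ntsrv1 Microsoft FTP Service (Version 4.0)."  # constructed banner
FAKE_SYST_REPLY = "215 Windows_NT version 4.0"                         # constructed reply
FAKE_SERVER_HEADER = "Microsoft-IIS/4.0"                               # constructed header


def _fake_ftp_session(conn):
    replies = {"USER": "331 Anonymous access allowed, send identity as password.",
               "PASS": "230 Anonymous user logged in.",
               "SYST": FAKE_SYST_REPLY, "QUIT": "221 Goodbye."}
    rfile = conn.makefile("rb")
    conn.sendall((FAKE_FTP_GREETING + "\r\n").encode("ascii"))
    for line in rfile:
        words = line.decode("ascii", "replace").split()
        verb = words[0].upper() if words else ""
        conn.sendall((replies.get(verb, "500 Syntax error.") + "\r\n").encode("ascii"))
        if verb == "QUIT":
            break
    conn.close()


def _fake_http_session(conn):
    rfile = conn.makefile("rb")
    for line in rfile:
        if line in (b"\r\n", b"\n"):
            break                                     # consumed the request head
    conn.sendall(("HTTP/1.0 200 OK\r\nServer: %s\r\nContent-Length: 0\r\n\r\n"
                  % FAKE_SERVER_HEADER).encode("ascii"))
    conn.close()


def start_fake_server(handler):
    """Listen on an ephemeral 127.0.0.1 port and serve one connection in a thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def run():
        conn, _ = srv.accept()
        srv.close()
        handler(conn)
    threading.Thread(target=run, daemon=True).start()
    return port


def demo():
    """Run both probes against the stand-in servers and return what they reveal."""
    ftp_port = start_fake_server(_fake_ftp_session)
    http_port = start_fake_server(_fake_http_session)
    greeting, syst = ftp_syst_probe("127.0.0.1", ftp_port)
    status, server = http_server_header("127.0.0.1", http_port)
    return {"ftp_greeting": greeting, "syst": syst, "http_status": status, "server": server}
```

Both probes read replies line by line rather than with a single recv(), which is what makes the multi-line FTP greeting and a HEAD response with several headers parse reliably; the reply-code checks after USER and PASS are there so a server that refuses anonymous logins fails loudly instead of returning a 530 text as if it were the SYST answer.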
----- Original Message -----
From: Marc
To: WIN2KSECADVICE@LISTSERV.NTSECURITY.NET
Sent: Tuesday, November 16, 1999 11:58 PM
Subject: Re: Netbios and Nessus
Your computer name can be obtained via other ways than NetBIOS, i.e. if you run any IIS services it dumps your computer name, or if someone traces back an e-mail from you they can get your computer name. Workgroup.... an attacker knowing your workgroup is not that big of a deal. The currently logged on user is probably the "worst" thing from your list. That can at least give an attacker a username to brute force, so they are not trying to guess user names, but hopefully you do not use a password that could be brute forced. It would have been "scarier" if Nessus had grabbed a list of users via code that works like netuserenum() or, if that failed, grabbed a list of users via "RID grinding." The RID enumeration thing is something that Retina (eeye.com/retina/) does if it fails to get users via the normal calls.
I guess, in short, turning off NetBIOS because a program was able to grab your name table is not the greatest reason to turn it off. There are a lot more "scary" things that could be grabbed via NetBIOS that would make better reasons for turning off NetBIOS. One example would be further analysis of the name table to learn if the remote system has IIS installed, and various other things that a NB name table will tell us that Nessus left out.
Signed,
Marc
eEye Digital Security Team
http://www.eEye.com
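An added example (not code from Marc, eEye, Retina or Nessus) of the name-table analysis Marc alludes to: build and decode the UDP/137 node-status (NBSTAT) exchange that nbtstat -A and scanners use, then read the facts off the suffixes. The sample table, the computer name NTSRV1, the user TROY and the MAC address are constructed; the suffix meanings used (<00> unique = workstation, <00> group = workgroup/domain, <03> = Messenger, <20> = Server service, <1D> = master browser, INet~Services<1C> and IS~<computer><00> = IIS) are the standard NetBIOS registrations. nbstat_query needs a live host; demo() runs fully offline.

```python
import socket, struct

NBSTAT = 0x0021   # RR type of a NetBIOS node-status (name table) query
GROUP = 0x8000    # NAME_FLAGS G bit: group name (workgroup/domain) rather than unique
ACTIVE = 0x0400   # NAME_FLAGS ACT bit: name is in use


def encode_nb_name(name, suffix=0x00, pad=b" "):
    """RFC 1001 first-level encoding: 16 raw bytes become 32 letters A..P."""
    raw = name.encode("ascii").ljust(15, pad)[:15] + bytes([suffix])
    halves = bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))
    return b"\x20" + halves + b"\x00"


def build_nbstat_query(txid=0x1234):
    """The packet nbtstat -A (and scanners) send: NBSTAT for the '*' wildcard name."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_nb_name("*", pad=b"\x00") + struct.pack(">HH", NBSTAT, 1)


def nbstat_query(host, timeout=3.0):
    """Send the query to UDP/137 on a live host and return its parsed name table."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbstat_query(), (host, 137))
        data, _ = s.recvfrom(4096)
    return parse_nbstat_response(data)


def build_nbstat_response(entries, mac, txid=0x1234):
    """Constructed reply packet; entries are (name, suffix, is_group) tuples."""
    rdata = bytes([len(entries)])
    for name, suffix, is_group in entries:
        flags = ACTIVE | (GROUP if is_group else 0)
        rdata += name.encode("ascii").ljust(15)[:15] + bytes([suffix]) + struct.pack(">H", flags)
    rdata += mac + b"\x00" * 40                                  # unit ID, zeroed statistics
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)    # response, authoritative
    rr = encode_nb_name("*", pad=b"\x00") + struct.pack(">HHIH", NBSTAT, 1, 0, len(rdata))
    return header + rr + rdata


def parse_nbstat_response(data):
    """Decode a node-status response into ([(name, suffix, is_group)], mac)."""
    _, flags, _, ancount, _, _ = struct.unpack_from(">HHHHHH", data, 0)
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not a name-service response carrying an answer")
    off = 12
    while data[off]:                                             # skip the encoded RR name
        off += 1 + data[off]
    off += 1
    rtype, _, _, rdlen = struct.unpack_from(">HHIH", data, off)
    if rtype != NBSTAT:
        raise ValueError("answer is not a NBSTAT record")
    rdata = data[off + 10:off + 10 + rdlen]
    entries, pos = [], 1
    for _ in range(rdata[0]):                                    # NUM_NAMES entries of 18 bytes
        raw, suffix = rdata[pos:pos + 15], rdata[pos + 15]
        nflags = struct.unpack_from(">H", rdata, pos + 16)[0]
        entries.append((raw.decode("ascii", "replace").rstrip(" \x00"), suffix, bool(nflags & GROUP)))
        pos += 18
    return entries, rdata[pos:pos + 6]


def summarize_name_table(entries):
    """Turn the raw table into the facts this thread talks about."""
    unique = [(n, s) for n, s, g in entries if not g]
    group = [(n, s) for n, s, g in entries if g]
    computer = next((n for n, s in unique if s == 0x00 and not n.startswith("IS~")), None)
    return {
        "computer": computer,
        "workgroup_or_domain": next((n for n, s in group if s == 0x00), None),
        # <03> is the Messenger service: the computer name plus each logged-on user
        "logged_on_users": [n for n, s in unique if s == 0x03 and n != computer],
        "file_server": any(s == 0x20 for _, s in unique),        # Server service: shares
        "master_browser": any(s == 0x1D for _, s in unique),
        # IIS registers INet~Services<1C> and IS~<computer><00>
        "iis": any(n == "INet~Services" and s == 0x1C for n, s in group)
               or any(n.startswith("IS~") for n, s in unique),
    }


# Constructed sample table in the order NT 4 typically registers names (not a real capture)
SAMPLE_TABLE = [("NTSRV1", 0x00, False), ("WORKGROUP", 0x00, True),
                ("NTSRV1", 0x03, False), ("NTSRV1", 0x20, False),
                ("WORKGROUP", 0x1E, True), ("INet~Services", 0x1C, True),
                ("IS~NTSRV1", 0x00, False), ("TROY", 0x03, False)]
SAMPLE_MAC = bytes.fromhex("020000000001")                       # constructed, locally administered


def demo():
    packet = build_nbstat_response(SAMPLE_TABLE, SAMPLE_MAC)
    entries, _ = parse_nbstat_response(packet)
    return summarize_name_table(entries)
```

The logged-on user is recovered the same way nbtstat shows it: every unique <03> name that is not the computer's own is a Messenger registration for a user session, which is exactly the "username currently logged in" item in the original question. Removing the NetBIOS interface does not change this table; it is served by the name service on UDP/137, not the session service on TCP/139.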
-----Original Message-----
From: NeuRomanCer [mailto:nrc@ZMEYBBS.ZMEY.COM]
Sent: Tuesday, November 16, 1999 12:24 PM
To: WIN2KSECADVICE@LISTSERV.NTSECURITY.NET
Subject: Re: Netbios and Nessus
Correct me if I'm wrong on the following.
As I remember, NetBIOS was something made by IBM and Microsoft so that applications have the ability to "talk" through a network using a "common language", or something like that.
The following information is only for filtering NetBIOS sessions without interfering with your current work needs, for those applications that would need it.
Now, on NT 4 you could filter on what ports you accept your current connections (if I remember, you could do this only for LAN adapters; I don't remember if this was available for RAS [I'm on Win 2K right now so I may have forgotten some things]). This way you could filter incoming connections.
Another way to deal with it is to manipulate the network bindings: you could disable NetBIOS for the adapters of your choice.
But as John Howie says, "if you don't need NetBIOS (shares, etc.) stop the Server service". BTW, this is the safest.
----- Original Message -----
From: Troy A. Parvatton
To: WIN2KSECADVICE@LISTSERV.NTSECURITY.NET
Sent: Tuesday, November 09, 1999 6:34 PM
Subject: Netbios and Nessus
After running the Nessus security scanner ( http://www.nessus.org ) against my NT 4.0 Server machine (I mostly use it as a workstation), some information was returned that I am concerned about. NetBIOS revealed my computer name, workgroup name and the username currently logged in. Nessus was able to tell me what OS I was running and it complained about having predictable TCP sequence numbers. Anyway, unlike the more serious security holes that are discussed on this list, this is just some small info that could possibly assist an attacker, so it concerns me.
I removed the Netbios Interface service (didn't need it) which solved the first problem I listed above. Why is the netbios-ssn still listening on port 139? How can I stop my OS from identifying itself to a Nessus security scan?
------------------------------------------------------------------------------------------------------------------------------------------------------------------
- general/tcp INFO QueSO has found out that the remote host OS is * WindowsNT, Cisco 11.2(10a), HP/3000 DTC, BayStack Switch
------------------------------------------------------------------------------------------------------------------------------------------------------------------
Yeah!! I have a lot to learn about NT and NT security, but while I continue that battle I would appreciate it if anyone could answer my questions.
Regards,
Troy A. Parvatton
---------------------------------------------------------------------------------------------------
I'm not paranoid. That is just something my enemies say about me.
---------------------------------------------------------------------------------------------------
This archive was generated by hypermail 2.0b3 on Wed Nov 17 1999 - 10:07:23 CST