Investigate NetBIOS to Detect and Guard against Windows Vulnerabilities - dummies

Investigate NetBIOS to Detect and Guard against Windows Vulnerabilities

By Kevin Beaver

You can gather Windows information by poking around with NetBIOS (Network Basic Input/Output System) functions and programs. NetBIOS allows applications to make networking calls and communicate with other hosts within a LAN.

These Windows NetBIOS ports can be compromised if they aren’t properly secured:

  • UDP ports for network browsing:

    • Port 137 (NetBIOS name services)

    • Port 138 (NetBIOS datagram services)

  • TCP ports for Server Message Block (SMB):

    • Port 139 (NetBIOS session services)

    • Port 445 (runs SMB over TCP/IP without NetBIOS)

Unauthenticated enumeration on Windows systems

When you’re performing your unauthenticated enumeration tests, you can gather configuration information about the local or remote systems two ways:

  • Using all-in-one scanners, such as LanGuard or QualysGuard

  • Using the nbtstat program that’s built in to Windows (nbtstat stands for NetBIOS over TCP/IP Statistics)

    image0.jpg

nbtstat shows the remote computer’s NetBIOS name table, which you gather by using the nbtstat -A command. This displays the following information:

  • Computer name

  • Domain name

  • Computer’s MAC address

When running nbtstat against an older Windows 2000 server, you might even be able glean the ID of the user who’s currently logged in.

An advanced program such as LanGuard isn’t necessary to gather this basic information from a Windows system. However, the graphical interface offered by commercial software such as this presents its findings in a prettier fashion and is often much easier to use. Additionally, you have the benefit of gathering the information you need with one tool.

Network shares can contain system vulnerabilities

Windows uses network shares to share certain folders or drives on the system so other users can access them across the network. Shares are easy to set up and work very well. However, they’re often misconfigured, allowing hackers and other unauthorized users to access information they shouldn’t be able to get to.

You can search for Windows network shares by using the Share Finder tool built in to LanGuard. This tool scans an entire range of IP addresses, looking for Windows shares.

image1.jpg

The shares displayed are just what malicious insiders are looking for because the share names give a hint of what type of files might be accessible if they connect to the shares. After the bad guys discover these shares, they’re likely to dig a little further to see whether they can browse the files within the shares.

Countermeasures against NetBIOS attacks

You can implement the following security countermeasures to minimize NetBIOS and NetBIOS over TCP/IP attacks on your Windows systems:

  • Use a network firewall.

  • Use Windows Firewall or some other personal firewall software on each system.

  • Disable NetBIOS — or at least Windows File and Printer Sharing.

    Disabling NetBIOS might not be practical in a network where users and applications depend on file sharing or in a mixed environment where older Windows 2000 and NT systems rely on NetBIOS for file and printer sharing.

  • Educate your users on the dangers of enabling file shares for everyone to access.

Hidden shares — those with a dollar sign ($) appended to the end of the share name — don’t really help hide the share name. Any of the tools can see right through this form of security by obscurity. In fact, if you come across such shares, you’ll want to look at them more closely, as a user may be trying to hide something.