[3402] in bugtraq
Re: NT security et al (Dangers of NetBIOS/NBT?)
daemon@ATHENA.MIT.EDU (Alan Cox)
Fri Sep 27 13:56:18 1996
Date: Fri, 27 Sep 1996 09:17:34 +0100
Reply-To: Alan Cox <coxa@cableol.net>
From: Alan Cox <coxa@cableol.net>
X-To: nal@spirit.com.au
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <01BBABE3.B9135B40@raven.spirit.com.au> from "Nick and Debbie Leask" at Sep 26, 96 07:44:07 pm
> I've read fairly similar sentiments about having NetBIOS or NBT floating
> around on our internet/firewall subnets, but I've not heard anyone
> discussing exactly what the dangers of this are. There are obvious
> 'pains in the butt' when this is happening (such as lots of unnecessary
> deny messages logged against firewall bastion or router logs), but
> that's about all... Can someone expand in detail what the known or
> perceived dangers of NetBIOS or NBT are?
o Windows 3.11 has share bugs Microsoft will apparently never fix,
  whereby any share allows the whole disk to be accessed by using
  a ../../.. type construct and the smbfs client code.
o Early Windows 95 seems to have the same bug. In both cases this
  can be a disaster, as the Windows .PWL files up until the latest
  Win95 patches are trivially crackable.
o Windows NT apparently has a bug whereby users can erase the entire NT
  server disk in the default NT configuration.
o There is no encryption of data, so all the usual spoofing attacks work.
o There are ways to trip the clients into doing plain-text password
  authentications (Yum yum ;)).
o There is no failed-authentication logging on Windows, so a dictionary
  attack can run all week and there won't be so much as a blip in the
  logs.
All of these are exploitable over TCP/IP as well. Very handy for breaking into
Windows 95 machines on a remote network and adding a binary and changing
autoexec.
Whether you block outgoing NetBIOS sessions is an open question; blocking
incoming ones is a foregone conclusion.
Novell NetWare is only slightly more secure. You do get some protection
if it is suitably set up, but users can bring down Novell 3 servers by
sending a suitable packet, and can really mess around by broadcasting fake
license messages. Since Novell has directed broadcast, that can be done
across IPX backbones.
Alan
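The first two bullets above (a share that lets a ../../.. construct reach the whole disk) come down to a server joining a client-supplied path under the share root without checking where the result lands. The following is an added example, not code from Alan's message or from any Microsoft product: a vulnerable resolver beside a hardened one, using pure string logic on POSIX-style paths so it runs anywhere without a real filesystem. The share root "/srv/share" and the sample client paths are constructed values for the demonstration.

```python
"""Added example: how a share resolver that only joins and normalises the
client path leaks the whole disk, and the check that stops it.

Uses posixpath string operations only (no filesystem access) so the result is
deterministic on any platform. SHARE_ROOT is an assumed value.
"""
import posixpath

SHARE_ROOT = "/srv/share"  # assumed share root for the example


def _to_posix(client_path: str) -> str:
    """Turn an SMB-style client path into a relative POSIX path:
    backslashes become slashes and leading separators are dropped."""
    return client_path.replace("\\", "/").lstrip("/")


def naive_resolve(share_root: str, client_path: str) -> str:
    """Vulnerable resolver: joins the client path under the share root and
    normalises it, but never checks that the result is still inside the
    root. A '..\\..\\' construct therefore walks out of the share, which is
    the behaviour the message describes for Windows 3.11 / early Win95."""
    return posixpath.normpath(posixpath.join(share_root, _to_posix(client_path)))


def safe_resolve(share_root: str, client_path: str) -> str:
    """Hardened resolver: same join and normalisation, then refuse any result
    that is neither the share root itself nor a path strictly beneath it.
    The trailing '/' in the prefix test stops '/srv/shared' from passing
    as a child of '/srv/share'."""
    root = posixpath.normpath(share_root)
    candidate = posixpath.normpath(posixpath.join(root, _to_posix(client_path)))
    if candidate != root and not candidate.startswith(root + "/"):
        raise PermissionError(f"path {client_path!r} escapes share root {root}")
    return candidate


def escapes_share(share_root: str, client_path: str) -> bool:
    """True if the hardened resolver would reject this client path."""
    try:
        safe_resolve(share_root, client_path)
    except PermissionError:
        return True
    return False


def demo():
    """Run both resolvers over constructed client paths (not real captures)."""
    cases = [
        "docs\\readme.txt",               # ordinary file inside the share
        "..\\..\\etc\\passwd",            # the ../../.. construct from the message
        "docs\\..\\..\\..\\etc\\passwd",  # same escape hidden behind a real directory
        "",                               # the share root itself
    ]
    results = []
    for client in cases:
        naive = naive_resolve(SHARE_ROOT, client)
        safe = "REJECTED" if escapes_share(SHARE_ROOT, client) else safe_resolve(SHARE_ROOT, client)
        results.append((client, naive, safe))
    return results


if __name__ == "__main__":
    for client, naive, safe in demo():
        print(f"{client!r:34} naive={naive:22} hardened={safe}")
```

Running the block shows the naive resolver handing back /etc/passwd for the two escaping inputs while the hardened one rejects them. Note that string normalisation alone does not defeat symbolic links or junctions inside the share; a real server must also resolve the candidate to its physical path (os.path.realpath on a live filesystem) and apply the same containment test to the result.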