Home page logo

bugtraq logo Bugtraq mailing list archives

Re: NT security et al (Dangers of NetBIOS/NBT?)
From: coxa () cableol net (Alan Cox)
Date: Fri, 27 Sep 1996 09:17:34 +0100

I've read fairly similar sentiments about having NetBIOS or NBT floating =
around on our internet/firewall subnets, but I've not heard anyone =
discussing exactly what the dangers of this are.  There are obvious =
'pain's in the butt' when this is happening (such as lots of unnecessary =
deny messages logged against firewall bastion or router logs), but =
that's about all...  Can some one expand in detail what the known or =
perceived dangers of NetBIOS or NBT are?

o       Windows 3.11 has share bugs microsoft will never apparently fix,
        whereby any share allows the whole disk to be accessed by using
        a ../../.. type construct and the smbfs client code.

o       Early windows 95 seems to have the same bug. In both cases this
        can be a disaster as the windows .PWL files up until the latest
        Win95 patches are trivially crackable

o       Windows NT apparently has a bug whereby users can erase the entire NT
        server disk in the default NT configuration

o       There is no encryption of data, so all the usual spoofing attacks work

o       There are ways to trip the clients into doing plain text password
        authentications (Yum yum ;))

o       There is no failed authentication logging on windows, so a dictionary
        attack can run all week and there won't be so much as a blip in the

All of these are exploitable over TCP/IP as well. Very handy for breaking into
Windows 95 machines on a remote network and adding a binary and changing

Whether you block outgoing netbios sessions is an open question, blocking
incoming ones is a forgone conclusion.

Novell netware is only slightly more secure, you do get some protection
if that is suitably set up, but users can bring down Novell 3 servers by
sending a suitable packet, and can really mess around by broadcasting fake
license messages. Since Novell has directed broadcast that can be done
across IPX backbones.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]