
Bugtraq mailing list archives

Re: NT security et al (Dangers of NetBIOS/NBT?)
From: coxa () cableol net (Alan Cox)
Date: Fri, 27 Sep 1996 09:17:34 +0100


I've read fairly similar sentiments about having NetBIOS or NBT floating
around on our internet/firewall subnets, but I've not heard anyone
discussing exactly what the dangers of this are.  There are obvious
'pains in the butt' when this is happening (such as lots of unnecessary
deny messages logged against firewall bastion or router logs), but
that's about all...  Can someone expand in detail what the known or
perceived dangers of NetBIOS or NBT are?

o       Windows 3.11 has share bugs Microsoft will never apparently fix,
        whereby any share allows the whole disk to be accessed by using
        a ../../.. type construct and the smbfs client code.

o       Early Windows 95 seems to have the same bug. In both cases this
        can be a disaster as the Windows .PWL files up until the latest
        Win95 patches are trivially crackable

o       Windows NT apparently has a bug whereby users can erase the entire NT
        server disk in the default NT configuration

o       There is no encryption of data, so all the usual spoofing attacks work

o       There are ways to trip the clients into doing plain text password
        authentications (Yum yum ;))

o       There is no failed authentication logging on windows, so a dictionary
        attack can run all week and there won't be so much as a blip in the
        logs

All of these are exploitable over TCP/IP as well. Very handy for breaking into
Windows 95 machines on a remote network and adding a binary and changing
autoexec.

Whether you block outgoing NetBIOS sessions is an open question; blocking
incoming ones is a foregone conclusion.

Novell NetWare is only slightly more secure, you do get some protection
if that is suitably set up, but users can bring down Novell 3 servers by
sending a suitable packet, and can really mess around by broadcasting fake
license messages. Since Novell has directed broadcast that can be done
across IPX backbones.

Alan
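The share traversal bug in the first two bullets, as an added example that is not part of Alan's post or of any Microsoft code: a naive share-root join that lets a `..\..\..` request walk off the share, beside a contained resolution that rejects it. The share root, the request paths and the function names are constructed for illustration.

```python
"""Share path traversal: naive join vs. contained resolution.

Added example, not code from the original post. SHARE_ROOT and the
request strings below are constructed for illustration.
"""
import posixpath

# Assumed share root (constructed); SMB clients send paths relative to it.
SHARE_ROOT = "/srv/share/public"


def smb_to_posix(path: str) -> str:
    """Turn an SMB-style path (backslash separators) into POSIX form."""
    return path.replace("\\", "/")


def resolve_naive(share_root: str, requested: str) -> str:
    """Vulnerable: join the share root with whatever the client sent.

    Leading '..' components (or an absolute path) escape the share root,
    which is the class of bug the post describes for Windows 3.11 and
    early Windows 95 shares.
    """
    return posixpath.normpath(posixpath.join(share_root, smb_to_posix(requested)))


def resolve_contained(share_root: str, requested: str):
    """Hardened: normalise, then require the result to stay under the root.

    Returns the resolved path, or None when the request escapes the share.
    Treats the request as relative even if it starts with a separator.
    """
    root = posixpath.normpath(share_root)
    rel = smb_to_posix(requested).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, rel))
    # commonpath guards against the '/srv/share/public2' prefix trick too;
    # a plain startswith() check would not.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


def audit(requests):
    """Resolve each request both ways; returns (request, naive, contained)."""
    return [
        (req, resolve_naive(SHARE_ROOT, req), resolve_contained(SHARE_ROOT, req))
        for req in requests
    ]


if __name__ == "__main__":
    # Constructed sample requests: one benign, one traversal, one absolute.
    samples = ["docs\\readme.txt", "..\\..\\..\\etc\\passwd", "\\etc\\passwd"]
    for req, naive, contained in audit(samples):
        print(f"{req!r:28} naive={naive!r:32} contained={contained!r}")
```

The string check above is only the first layer: a symlink inside the share can still point outside it, so a real server would resolve the candidate with `os.path.realpath` and repeat the containment test on the result.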


