Security Incidents
mailing list archives
Re: Port 445 increase?
From: Daniel Polombo <polombo () cartel-securite fr>
Date: Thu, 06 Jun 2002 22:41:01 +0200
Eric Monti wrote:
> TCP 445 is the Windows 2000 equivalent for what used to be port 139 in Windows NT. It is the new NetBIOS over TCP port or "nbsession".
Huh, no. Win2k introduced the possibility to run SMB directly over
TCP/IP, removing the need for the NetBIOS layer. So while tcp/445 is
ultimately used by the same services as the well-known NetBT ports
(usually tcp/137, udp/137, udp/138 and tcp/139), namely file and printer
sharing, there is no NetBIOS layer to decode.
> The fact that the scan (if that's what it is) also does an nbname lookup further reinforces the likelihood that either someone is looking for open shares or other holes via NBT, or that someone is actually accessing your Windows 2000 shares (warez repository?).
Probably the former, given that the scan uses different methods to try
to access shared resources. One would expect an established connection
to use one or the other, but not both.
> If that's a Win2k system, turn on some auditing and see what is actually going on (to an extent... Win2k/NT logging leaves a lot to be desired) or throw up a sniffer that can decode NetBIOS over TCP.
Not NetBIOS. Just SMB. Ethereal (among others) should be able to isolate
the traffic you want to watch.
--
Daniel
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
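Added example, not part of the original post: a small log triage script that applies the reply's reasoning, flagging any source that contacts the same host on both tcp/445 (SMB directly over TCP) and the NetBT ports within a short window. The log line format, the 60-second window, the function names and the sample addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Port groups as listed in the reply above.
NETBT = {("tcp", 137), ("udp", 137), ("udp", 138), ("tcp", 139)}
DIRECT_SMB = {("tcp", 445)}

# Assumed (constructed) log format: "<epoch> <proto> <src> -> <dst>:<dport>"
LINE = re.compile(r"^(\d+) (tcp|udp) (\S+) -> (\S+):(\d+)$")

# Constructed sample data using documentation address ranges.
SAMPLE_LOG = """\
1023396000 udp 192.0.2.10 -> 198.51.100.5:137
1023396001 tcp 192.0.2.10 -> 198.51.100.5:445
1023396002 tcp 192.0.2.10 -> 198.51.100.5:139
1023396010 tcp 192.0.2.77 -> 198.51.100.5:445
1023396500 tcp 192.0.2.77 -> 198.51.100.5:445
1023396020 tcp 203.0.113.9 -> 198.51.100.5:139
1023399999 tcp 203.0.113.9 -> 198.51.100.5:445
1023396030 tcp 203.0.113.9 -> 198.51.100.5:80
malformed line that the parser skips
"""

def classify(proto, port):
    """Map a (proto, port) pair to 'netbt', 'direct-smb' or None."""
    if (proto, port) in DIRECT_SMB:
        return "direct-smb"
    return "netbt" if (proto, port) in NETBT else None

def mixed_method_sources(log_text, window=60):
    """Return {(src, dst): [ports]} for pairs that used both methods
    within `window` seconds of each other."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, proto, src, dst, port = m.groups()
        kind = classify(proto, int(port))
        if kind:
            events[(src, dst)].append((int(ts), kind, f"{proto}/{port}"))
    flagged = {}
    for pair, evs in events.items():
        for ts, _, _ in sorted(evs):
            near = [e for e in evs if abs(e[0] - ts) <= window]
            if {e[1] for e in near} == {"netbt", "direct-smb"}:
                flagged[pair] = sorted({e[2] for e in near})
                break
    return flagged

if __name__ == "__main__":
    for (src, dst), ports in mixed_method_sources(SAMPLE_LOG).items():
        print(f"{src} -> {dst} used both methods: {', '.join(ports)}")
```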