Network Security Assessment: Know Your Network

The NetBIOS name service is accessible through UDP port 137. In particular the service can process NetBIOS Name Table (NBT) requests, commonly found in environments where Windows is being used along with workgroups, domains, or active directory components.

9.3.1 Enumerating System Details

You can easily enumerate the following system details by querying the name service:

  • NetBIOS hostname

  • The domain of which the system is a member

  • Authenticated users currently using the system

  • Accessible network interface MAC addresses

The inbuilt Windows nbtstat command can enumerate these details remotely. Example 9-13 shows how it can be run against 192.168.189.1.

Example 9-13. Using nbtstat to dump the NetBIOS name table

C:\> nbtstat -A 192.168.189.1 NetBIOS Remote Machine Name Table Name Type Status --------------------------------------------- WEBSERV <00> UNIQUE Registered WEBSERV <20> UNIQUE Registered OSG-WHQ <00> GROUP Registered OSG-WHQ <1E> GROUP Registered OSG-WHQ <1D> UNIQUE Registered .._ _MSBROWSE_ _.<01> GROUP Registered WEBSERV <03> UNIQUE Registered _ _VMWARE_USER_ _<03> UNIQUE Registered ADMINISTRATOR <03> UNIQUE Registered MAC Address = 00-50-56-C0-A2-09

The information shown in Example 9-13 shows that the hostname is WEBSERV, the domain is OSG-WHQ, and two current users are _ _vmware_user__ and Administrator. Table 9-3 lists common NetBIOS name codes and descriptions.

Table 9-3. Common NetBIOS Name Table (NBT) names and descriptions

NetBIOS code

Type

Information obtained

<00>

UNIQUE

Hostname

<00>

GROUP

Domain name

<host name><03>

UNIQUE

Messenger service running for that computer

<use rname><03>

UNIQUE

Messenger service running for that individual logged-in user

<20>

UNIQUE

Server service running

<1D>

GROUP

Master browser name for the subnet

<1B>

UNIQUE

Domain master browser name, identifies the PDC for that domain

9.3.2 Attacking the NetBIOS Name Service

The NetBIOS name service is vulnerable to a number of attacks if UDP port 137 is accessible from the Internet or a nontrusted network. MITRE CVE lists these issues, shown in Table 9-4.

Table 9-4. NetBIOS name service vulnerabilities

CVE name

Date

Notes

CVE-1999-0288

25/09/1999

Malformed NBNS traffic results in WINS crash.

CVE-2000-0673

27/07/2000

NBNS doesn't perform authentication, which allows remote attackers to cause a denial of service by sending a spoofed Name Conflict or Name Release datagram.

CAN-2003-0661

03/09/2003

NBNS in Windows NT 4.0, 2000, XP, and Server 2003 may include random memory in a response to a NBNS query, which can allow remote attackers to obtain sensitive information.

Related

Категории