A couple of folks asked me to give a better explanation of how packets with
(IP (UDP (NetBios (Message Server Block command) ) ) ) can pose a threat on
ports 137 and 138.
From what I see it works this way:
1) Firewalls protect networks
2) Networks frequently contain LAN servers and PCs
3) When you do your sniffing homework and use a sniffer to examine the
LAN network operating systems, you see that they all follow a layered
architecture and they all perform about the same, regardless of the hype
from vendors. In fact an application that performs poorly on one LAN
operating system can usually be observed to perform poorly on other LAN
operating systems.
4) LAN operating system architecture is like this:

    Networked PC                          LAN Server
    ------------------------------------  ------------------------------------
    Client part of application            Server part of application
    Reads & Writes to Microsoft MSB       Reads & Writes to Microsoft MSB
    Banyan or Novell or Windows NT OS     Banyan or Novell or Windows NT OS
    Some flavor of Unix                   Some flavor of Unix
    Intel based PC                        Intel based Server
The LAN applications don't really talk to the LAN operating system. They
talk to Microsoft's Message Server Block protocol, which is simply transported
across the network by the LAN operating system.
5) Microsoft's Message Server Block protocol is the soft chewy center of the
LAN communication between parts of an application. You can write your own C
code to read and write to Message Server Block through Redirector.
6) What manner of beast would receive IP(UDP(NetBios(MSB))) packets over its
network interface card and then retransmit the NetBios(MSB) part of the same
packet over the same network interface card? Well, Windows NT and Windows 95
frequently do this. And HP OpenView running on desktop HP minis will do the
same thing in some configurations.
7) The security of networked Windows NT machines is quite poor. The security
of networked Windows 95 machines is non-existent. Of course YOU don't have
any of these machines at YOUR site. Or at least you pretend you don't know that
you do.
Bet you didn't know that crackers can reconfigure a Windows 95 machine on
the fly and reboot it WHILE STILL MAINTAINING THE ORIGINAL NETWORK
CONNECTIONS. In fact they can connect into it and reboot it so that it
uses BootP to grab an IP address from your DHCP server WHILE STILL
MAINTAINING THEIR ORIGINAL NETWORK CONNECTION from outside. Seen it done.
Have sniffer traces to prove it.
8) Back to firewalls and protecting networks. If you permit people to
connect into your network through ports 137, 138 or 139 you may get a
nasty surprise from some sly cracker who reconfigures part of your network
before you realize it. At the very least they may access your data and
applications.
9) If you are connected to the Internet and you don't run a firewall then
you will get screwed in a way you don't like. The only question is when.
I really don't think I overstated anything. Everything mentioned in this
post is based on sniffer traces and real life observations by myself and
other cyberworld explorers.
MeOwMyX
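As an added example, not part of the post above: a small check, run over constructed firewall log lines, that flags the exposure point 8 warns about, namely traffic from outside addresses reaching internal hosts on the NetBIOS ports (UDP 137, UDP 138, TCP 139). The log format and the internal address range are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# The NetBIOS ports the post discusses: name service, datagram service, session service.
NETBIOS_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139)}

# Assumed: the site's own LAN range. Adjust to the real internal networks.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample log in an assumed "proto src:sport > dst:dport" format.
SAMPLE_LOG = """\
udp 203.0.113.7:1024 > 192.168.1.10:137
tcp 203.0.113.7:1025 > 192.168.1.10:139
udp 192.168.1.20:138 > 192.168.1.255:138
tcp 198.51.100.9:40000 > 192.168.1.10:80
udp 203.0.113.7:1026 > 192.168.1.10:138
"""


@dataclass(frozen=True)
class Hit:
    proto: str
    src: str
    dst: str
    dport: int


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Split one log line into (proto, src_ip, dst_ip, dport)."""
    proto, src, _, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return proto, src_ip, dst_ip, int(dport)


def find_exposed_netbios(log_text: str) -> list:
    """Return hits where an outside source reaches an internal host on a NetBIOS port."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        proto, src_ip, dst_ip, dport = parse_line(line)
        if (proto, dport) in NETBIOS_PORTS and not is_internal(src_ip) and is_internal(dst_ip):
            hits.append(Hit(proto, src_ip, dst_ip, dport))
    return hits


if __name__ == "__main__":
    for h in find_exposed_netbios(SAMPLE_LOG):
        print(f"inbound {h.proto}/{h.dport} from {h.src} to {h.dst}: NetBIOS reachable from outside")
```

Broadcast traffic between internal hosts (the third sample line) is LAN background noise and is deliberately not flagged; only the three lines from 203.0.113.7 are reported.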