NetBIOS Design Allows Traffic Redirection
iago-vL writes "Security researchers at SkullSecurity have demonstrated how the NetBIOS protocol allows trivial hijacking due to its design, through the use of a tool called 'nbpoison' (in the package 'nbtool'). If a DNS lookup fails on Windows, the operating system will broadcast a NetBIOS lookup request that anybody can respond to. One vector of attack is against business workstations on an untrusted network, like a hotel; all DNS requests for internal resources can be redirected (Exchange, proxy, WPAD, etc). Other attack vectors are discussed in a related blog post. Although similar attacks exist against DHCP, ARP and many other LAN-based protocols, we all know that untrusted systems on a LAN means game over. NetBIOS poisoning is much quieter and less likely to break other things."
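The fallback the summary describes (DNS miss, then a NetBIOS name query broadcast that any host on the segment may answer) is easy to see on the wire once the packets are decoded. The following is an added example, not code from the SkullSecurity article or from nbtool: a small RFC 1002 decoder for NetBIOS Name Service packets plus a monitor that correlates broadcast queries with the answers they attract and records an alert when an answer comes from a host outside an allowlist or when more than one host answers the same query. The packet layout follows RFC 1001/1002; all addresses, transaction ids and the sample traffic in `demo()` are constructed.

```python
"""Decode NetBIOS Name Service (UDP/137) packets and flag suspicious answers.
Added example; packet layout per RFC 1002, sample traffic constructed in-line."""
import struct
from collections import defaultdict

NB_TYPE = 0x0020  # NetBIOS general Name Service resource record type

def encode_nb_name(name: str, suffix: int = 0x00) -> bytes:
    """RFC 1001 first-level encoding: 15-char name + suffix -> 32 chars 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(0x41 + nib for b in raw for nib in (b >> 4, b & 0x0F))

def decode_nb_name(encoded: bytes):
    """Reverse of encode_nb_name; returns (name, suffix byte)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    nibbles = [c - 0x41 for c in encoded]
    if any(not 0 <= n <= 15 for n in nibbles):
        raise ValueError("byte outside the first-level encoding alphabet")
    raw = bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(" "), raw[15]

def _read_name(payload: bytes, pos: int):
    if payload[pos] != 32:
        raise ValueError("unexpected NetBIOS name label length")
    name, suffix = decode_nb_name(payload[pos + 1:pos + 33])
    pos += 33
    while payload[pos]:  # skip NetBIOS scope labels, if any
        pos += 1 + payload[pos]
    return name, suffix, pos + 1

def parse_nbns(payload: bytes) -> dict:
    """Parse header, question section and NB answer records of one packet."""
    if len(payload) < 12:
        raise ValueError("short NBNS header")
    trn_id, flags, qd, an, _ns, _ar = struct.unpack("!6H", payload[:12])
    pos, questions, answers = 12, [], []
    for _ in range(qd):
        name, suffix, pos = _read_name(payload, pos)
        qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        questions.append((name, suffix, qtype))
    for _ in range(an):
        name, suffix, pos = _read_name(payload, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[pos:pos + 10])
        pos += 10
        rdata, pos = payload[pos:pos + rdlen], pos + rdlen
        addrs = []
        if rtype == NB_TYPE:  # RDATA is a list of (NB_FLAGS, NB_ADDRESS) pairs
            for off in range(0, rdlen - 5, 6):
                _nbflags, *octets = struct.unpack("!H4B", rdata[off:off + 6])
                addrs.append(".".join(map(str, octets)))
        answers.append((name, suffix, addrs))
    return {"trn_id": trn_id, "response": bool(flags & 0x8000),
            "broadcast": bool(flags & 0x0010), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}

def build_query(trn_id: int, name: str, suffix: int) -> bytes:
    """Broadcast name query as a B-node sends it (flags: QUERY, RD, B)."""
    return (struct.pack("!6H", trn_id, 0x0110, 1, 0, 0, 0)
            + b"\x20" + encode_nb_name(name, suffix) + b"\x00"
            + struct.pack("!HH", NB_TYPE, 1))

def build_response(trn_id: int, name: str, suffix: int, ip: str) -> bytes:
    """Positive name query response claiming that `ip` owns `name`."""
    rdata = struct.pack("!H4B", 0x0000, *map(int, ip.split(".")))
    return (struct.pack("!6H", trn_id, 0x8580, 0, 1, 0, 0)
            + b"\x20" + encode_nb_name(name, suffix) + b"\x00"
            + struct.pack("!HHIH", NB_TYPE, 1, 300, len(rdata)) + rdata)

class NbnsMonitor:
    """Correlate broadcast queries with the answers they attract.
    `trusted` holds the hosts allowed to answer names on this segment (the
    known owners of the names); any other responder, and any query answered
    by more than one host, is appended to `alerts`."""

    def __init__(self, trusted=()):
        self.trusted = set(trusted)
        self.pending = {}                   # trn_id -> (name, suffix)
        self.responders = defaultdict(set)  # trn_id -> hosts that answered
        self.alerts = []

    def observe(self, src_ip: str, payload: bytes) -> None:
        pkt = parse_nbns(payload)
        trn = pkt["trn_id"]
        if not pkt["response"] and pkt["broadcast"] and pkt["questions"]:
            self.pending[trn] = pkt["questions"][0][:2]
        elif pkt["response"] and trn in self.pending:
            name, suffix = self.pending[trn]
            label = f"{name}<{suffix:02X}>"
            self.responders[trn].add(src_ip)
            if src_ip not in self.trusted:
                addrs = [a for _n, _s, lst in pkt["answers"] for a in lst]
                self.alerts.append(f"untrusted {src_ip} answered {label} with {addrs}")
            if len(self.responders[trn]) > 1:
                self.alerts.append(f"{label} answered by several hosts: "
                                   f"{sorted(self.responders[trn])}")

def demo() -> list:
    """Constructed traffic: a client broadcasts for EXCHANGE<20>; the assumed
    real owner 10.0.0.10 answers, then a rogue host 10.0.0.99 answers too."""
    mon = NbnsMonitor(trusted={"10.0.0.10"})
    mon.observe("10.0.0.5", build_query(0x1234, "EXCHANGE", 0x20))
    mon.observe("10.0.0.10", build_response(0x1234, "EXCHANGE", 0x20, "10.0.0.10"))
    mon.observe("10.0.0.99", build_response(0x1234, "EXCHANGE", 0x20, "10.0.0.99"))
    return mon.alerts
```

On a segment where every host is a P-node (WINS only), nothing should answer a broadcast query at all, so an empty `trusted` set turns every answer into a finding; on a B-node segment the legitimate owners answer their own names, so `trusted` has to list them. Feeding `observe()` from a packet capture of UDP port 137 is left to the caller.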
Disable NetBIOS via DHCP and/or GPO ?!?
leather-dog muksihs
Blog: @muksihs
Appletalk Name Binding Protocol (NBP) is also likely to be vulnerable, as is Novell's Service Advertising Protocol (SAP), as well as Multicast DNS (sort-of-aka Avahi, Zeroconf, Bonjour). At the end of the day, you can't completely trust what somebody else says unless you already explicitly trust them.
The Internet's nature is peer to peer - 20050301_cs_profs.pdf
server address (127.0.0.1) is likely to be a reasonable mitigation.
I remember I used to use it in the mid 90s, I actually found it quite useful because it is (was?) an unroutable protocol - IIRC it could be set up so that windows shares were available only through NetBIOS and thus only across one local segment. A couple of other admins were pulling their hair out trying to figure out how to keep those shares from being exploited without cutting them off entirely (and making the users very unhappy) and binding them to NetBIOS only seemed to do the trick nicely. Of course we had control of the local segment and the users who needed the shares were all on it - otherwise it wouldn't have been very useful. But it's been ages since I remember using it for anything at all.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
as per RFCs 1001 and 1002 for TCP/IP and somewhere else for IPX (IPX packet type 20 IIRC). However, if you ran it over "NetBEUI" or NetBIOS Extended User Interface, rather than IPX or TCP/IP, NetBIOS was running directly over 802.2/LLC i.e. no layer 3 protocol in there, so no routing. I think Microsoft removed this option a number of years ago, which is a shame, because that was a way of ensuring that there was no chance your NetBIOS file and print shares were accessible over the Internet.
Ermm... don't you mean NetBUI ?
examination of RFC1001 shows that the NetBIOS protocol is actually DNS with enhancements and a few different meanings of some of the bits. there is therefore absolutely no reason why NetBIOS should not have the DNSSEC security system added to it. ... except, that would mean that microsoft had to do some work, on some code that was written well over twenty years ago. so the trouble is that microsoft doesn't actually have anyone left at the company who understands what was written, let alone why it was written.
and neither really does anyone else. incredibly, comparison of NetBIOS to the Mobile IPv6 protocols developed a few years ago showed the *Mobile IPv6* protocols to be severely lacking.
the entire NetBIOS protocol, apart from the obvious lack of security (because it was designed for LAN use) is incredibly far-sighted.
This attack would easily be prevented by the use of Private VLANs on your network. With PVLANs, clients connected to the LAN can only send Layer 2 frames to the default gateway and other pre-defined shared services such as printing, AD, mail, internet... Typically Private VLANs are very handy in shared/public environments such as hotels and public desktops.
Howto configure PVLANs on a Cisco Cat 3750 switch:
http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a008017acad.shtml
Many other techniques are available to protect a L2 LAN environment:
* DHCP snooping (DHCP trusted/untrusted ports)
* Dynamic ARP inspection
* IP Source Guard
* Port security (stickies) and MAC acls
I am packing my bags as I write, and I'm letting the door hit my ass on the way out !! Enough is enough and I just can't take this anymore !!
So a new flaw in the Netbios protocol, tell me something new.
Once we had a rogue router plugged into the network that was happily changing the DNS setting on the Windows workstations. Nothing else, just DNS settings.
This case alone should give nightmares to any Netbios administrator.
Love many, trust a few, do harm to none.
The fact is as long as Samba 3.x exists we will have NetBios. There are a lot of Samba 3.x Domain Controllers that manage "Mutant" NT Domains. What I mean is this. The optimal situation for Linux Samba Domain Controllers is this:
You have OpenLDAP, Kerberos, and Samba. OpenLDAP is the directory service, Heimdal Kerberos is single sign-on, and Samba is legacy NT Domain compatibility and CIFS file sharing. Between two Linux machines, Samba can use DNS to look up shares, and use Kerberos to authenticate to shares. This is all well and good. It is very secure, it doesn't use NTLM or NetBios. In the event of a Windows machine accessing a share, the Windows machine can use DNS to look up a share, but can't use Kerberos. It has to use NTLM, because in "NT Domain Mode" everything from 2000 on disables Kerberos and you can't turn it back on without the third party MIT Kerberos for Windows client (which most people won't do).
Now, the problem comes when Windows machines try and log in to a Samba Domain. This is where things get a little weird.
Samba backended with LDAP can have multiple PDCs because OpenLDAP has multi-master support. Samba is not limited to PDCs and BDCs the way NT4 is. You can have multiple layers of trusting domains, and all of your Domain Controllers being writable PDCs. In fact, the only real difference between Active Directory and "Open Directory" is: Windows won't negotiate with it.
(This also applies to Kerberos. A multi-master Kerberos KDC is possible only with OpenLDAP support, but that's outside the scope of this discussion.)
Because of this, you can have multiple PDCs, and multiple NetBios scopes. This is important, because Windows clients always broadcast for their Domain Controller. Unlike Active Directory (and other Linux clients), which uses SRV records to find the directory services using DNS, Windows clients always broadcast and have a "Browser Election" to find out who the PDC is.
This means that Windows' Boneheadedness about not wanting to talk to anything that is not a "Pure AD" is the problem here.
Samba is still stuck in NT4 times. That's why everyone should get rid of it. The hacks needed to make it work with Windows 7 alone show the age of the software.
I'm aware that the development to get Samba up to the level of WS08R2 is in the work, but it's nowhere near where Microsoft is right now.
Were you just not paying attention? I just said Samba had a whole slew of LDAP and Kerberos functionality that Windows won't work with. Most of what I talked about only takes place when two Linux boxen are together.
Yep. The difference is that you blame Windows and i blame Samba.
"Appletalk Name Binding Protocol (NBP) is also likely to be vulnerable, as is Novell's Service Advertising Protocol (SAP), as well as Multicast DNS (sort-of-aka Avahi, Zeroconf, Bonjour). At the end of the day, you can't completely trust what somebody else says unless you already explicitly trust them." - by anti-NAT (709310) on Saturday December 26, @05:47AM (#30555096) Homepage
Here is a VERY OLD 'something' that can fix this problem in BOTH NetBIOS and yes, DNS itself, in the meantime - for the end user: A CUSTOM HOSTS FILE!
Specifically, the "DOMAINNAME/HOSTNAME-to-IP ADDRESS" equation in them, & "hardcoding" it there (so you do NOT get "misdirected" by an attacker of DNS or NetBIOS). That's fairly DEEP into this post, so, if you are interested? Read on:
I use a custom HOSTS file, in addition to the tools others here in this thread have noted (which MANY like FF addons only really function for FireFox/Mozilla products, but don't extend globally to all other webbound applications, & that is part of what HOSTS files give you above the methods you extoll + utilize: "GLOBAL COVERAGE", & of ALL webbound apps, not just FireFox/Mozilla ones via the addons you most likely use yourself...).
HOSTS files can be used to blockout KNOWN "bad" adserves, maliciously coded sites or adbanners, and "botnet C&C servers" too!
You can obtain reliable HOSTS files from reputable lists for more security online, but also for speed!
(More on that later & WHY/HOW (I use reliable lists for that, such as these HOSTS @ Wikipedia.com -> http://en.wikipedia.org/wiki/Hosts_file or those from mvps.org (a good one this one))
I also further populate & keep current my custom HOSTS file with up to date information in regards to all of those threats, via:
----
A.) Spybot "Search & Destroy" updates (populates HOSTS and browser block lists)
B.) Sites like ZDNet's Mr. Dancho Danchev's blog -> http://ddanchev.blogspot.com/
C.) Sites like FireEye -> http://blog.fireeye.com/
D.) SRI -> http://mtc.sri.com/
----
My HOSTS file incorporates ALL of the entries from the HOSTS files shown @ wikipedia as well... gaining me speed online (by blocking adbanners, which have been compromised many times the past few years now by malscripted exploits (examples below)).
(I combined ALL reputable HOSTS files with one of my own (30,000 entries), & I removed duplicates via a Borland Delphi app I wrote to do so called "APK HOSTS File Grinder 4.0++". That program also functions to change the default larger & SLOWER 127.0.0.1 blocking 'loopback adapter' IP address to either 0.0.0.0 (for VISTA/Windows Server 2008/Windows 7, smaller & thus faster than 127.0.0.1 default) or the smallest & fastest 0 "blocking 'IP ADDRESS'" (for Windows 2000/XP/Server 2003 which can STILL use it (& it was added in a service pack on Windows 2000, only on 12/09/2008 MS patch tuesday was it removed for VISTA onwards (& now all these "phunny little bugs" are showing up as FLAWS in this new NDIS6 approach via WFP as well in the firewall, which ROOTKIT.COM has stated (with code too no less on how it is done) -> http://www.rootkit.com/newsread.php?newsid=952 that it is EASIER TO UNHOOK (than was the design used in Windows 2000/XP/Server 2003))
Another EXCELLENT benefit of HOSTS file usage? More speed online, & also more security + reliability (especially in the case of DNS servers today, per folks like Dan Kaminsky &/or Moxie Marlinspike finding various security vulnerabilities in them the past couple years now)...
SO, to "CIRCUMVENT" THAT WHICH YOU NOTE & to get more speed online (besides/above potentially h
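The two things the post above does by hand and with its own tool (hard-coding internal hostname-to-IP entries so a poisoned lookup cannot redirect them, and merging several block lists, dropping duplicates and rewriting the blocking address to 0.0.0.0) are easy to script. The following is an added example and not the poster's "APK HOSTS File Grinder"; the three source lists are constructed, the `.corp.example` names and addresses are placeholders, and the one extra thing it does beyond the post is report a hostname that one list blocks while another pins it to a real address, since silently keeping either entry would be wrong.

```python
"""Merge HOSTS files: pin internal names, dedupe block lists, report conflicts.
Added example; all three source lists below are constructed."""
import ipaddress

LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
BLOCK_ADDRS = {"127.0.0.1", "0.0.0.0"}  # addresses block lists use as "sinkhole"

def parse_hosts(text: str):
    """Yield (ip, hostname) pairs; comments, blank lines and bad addresses are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            yield str(ip), host.lower()

def merge_hosts(sources) -> dict:
    """Combine lists: names given a block address are 'blocked', others 'pinned'.
    A name that is both blocked and pinned, or pinned to two different real
    addresses, is a conflict and is left for a human to resolve."""
    pinned, blocked, seen = {}, set(), {}
    for text in sources:
        for ip, host in parse_hosts(text):
            seen.setdefault(host, set()).add(ip)
            if ip in BLOCK_ADDRS and host not in LOOPBACK_NAMES:
                blocked.add(host)
            else:
                pinned.setdefault(host, ip)  # first real address wins
    conflicts = {h: ips for h, ips in seen.items()
                 if (h in pinned and h in blocked) or len(ips - BLOCK_ADDRS) > 1}
    return {"pinned": pinned, "blocked": blocked, "conflicts": conflicts}

def render_hosts(merged: dict, block_addr: str = "0.0.0.0") -> str:
    """Emit the merged file, rewriting every block entry to `block_addr`."""
    skip = set(merged["conflicts"])
    lines = [f"# merged: {len(merged['blocked'])} blocked, {len(merged['pinned'])} "
             f"pinned, {len(skip)} conflicting names left out for manual review"]
    lines += [f"{ip} {h}" for h, ip in sorted(merged["pinned"].items()) if h not in skip]
    lines += [f"{block_addr} {h}" for h in sorted(merged["blocked"]) if h not in skip]
    return "\n".join(lines) + "\n"

# Constructed sample inputs (not real block lists).
LIST_A = """# sample list A
127.0.0.1 localhost
127.0.0.1 ads.example
0.0.0.0   tracker.example   # older lists still use 127.0.0.1, newer use 0.0.0.0
"""
LIST_B = """# sample list B: overlaps A and, by mistake, blocks an internal name
0.0.0.0 ads.example
0.0.0.0 evil-cc.example
0.0.0.0 exchange.corp.example
"""
OWN_PINS = """# internal names hard-coded so a poisoned DNS/NetBIOS lookup cannot move them
10.0.0.10 exchange.corp.example
10.0.0.11 proxy.corp.example
"""

def demo() -> str:
    return render_hosts(merge_hosts([LIST_A, LIST_B, OWN_PINS]))
```

Pinned entries are written before blocked ones so the internal names stay readable at the top of the file; the conflict report is what tells you that `exchange.corp.example` must be removed from one of the lists before the result is installed.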
The registry tweaks to prevent any Windows operating system from broadcasting for NB queries has been around for a very long time. (as in, since at least Windows 95)
It is entirely possible to change the behavior to WINS/Unicast only, or turn it off entirely.
Enlightenment is only a click away: http://support.microsoft.com/kb/160177
What you want is to make your host a "P Node".
If you don't want to do that, you can always go here: http://support.microsoft.com/kb/314053
Go to the NBT section. Note the entry for BcastNameQueryCount , change it to zero.
If you do this as part of your corporate build strategy, you could even isolate rogue "Windows" hosts by noting -any- nbquery broadcasts and shutting down those ports a rogues on your client VLANs.
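The two registry values named above can be pushed out as a `.reg` fragment and checked back from an exported `.reg` file. The following is an added example, not taken from the Microsoft KB articles linked in the comment: `render_reg()` writes the hardened settings, `parse_reg()` is a minimal reader for the dword and string lines it needs, and `audit_netbt()` reports whether a host would still broadcast. The key path `HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters` and the `NodeType` encoding (1 = B-node, 2 = P-node, 4 = M-node, 8 = H-node) are the documented ones; the two sample exports are constructed.

```python
"""Render and audit the NetBT registry values that stop broadcast name lookups.
Added example; key path and value names are the documented ones, samples constructed."""
import re

NETBT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters"
NODE_TYPES = {1: "B-node (broadcast only)", 2: "P-node (WINS only)",
              4: "M-node (broadcast, then WINS)", 8: "H-node (WINS, then broadcast)"}
BROADCASTING = {1, 4, 8}  # every node type except P-node falls back to broadcast

def render_reg(node_type: int = 2, bcast_count: int = 0) -> str:
    """.reg text applying the settings; defaults are P-node and the zero
    BcastNameQueryCount the comment above recommends."""
    return "\n".join([
        "Windows Registry Editor Version 5.00", "",
        f"[{NETBT_KEY}]",
        f'"NodeType"=dword:{node_type:08x}',
        f'"BcastNameQueryCount"=dword:{bcast_count:08x}', ""])

def parse_reg(text: str) -> dict:
    """Minimal .reg reader: {key_path: {value_name: int | str}} for dword/string values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
            if m:
                name, dword, string = m.groups()
                keys[current][name] = int(dword, 16) if dword is not None else string
    return keys

def audit_netbt(reg_text: str) -> list:
    """Findings for an exported .reg file; an empty list means no broadcast lookups."""
    params = parse_reg(reg_text).get(NETBT_KEY, {})
    node = params.get("NodeType")
    count = params.get("BcastNameQueryCount")
    findings = []
    if node is None:
        findings.append("NodeType absent: node type comes from DHCP option 46 or the "
                        "Windows default, both of which can allow broadcasts")
    elif node in BROADCASTING:
        findings.append(f"NodeType={node} ({NODE_TYPES[node]}) still broadcasts")
    elif node != 2:
        findings.append(f"NodeType={node} is not a valid node type")
    if node != 2 and (count is None or count > 0):
        findings.append(f"BcastNameQueryCount={count!r}: broadcast retries remain enabled")
    return findings

# Constructed exports: a broadcasting H-node host next to the hardened P-node one.
WEAK_EXPORT = render_reg(node_type=8, bcast_count=3)
HARDENED_EXPORT = render_reg()
```

Run `audit_netbt()` over `reg export "HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters"` output from each build image; a host that still reports findings is exactly the one whose port-137 broadcasts the comment suggests watching for on the client VLANs.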
Verbal diarrhea, too-- do you get paid by the word?
No, it's just that you have all the obvious hallmarks of someone who is (a) about 14 years old, (b) some random nutjob, or (c) both.
See subject-line, & realize that this is NOT "english class" & nor is there a grammar + spelling checker forums here either... you are OFF TOPIC to the max.
APK
P.S.=> I also don't see any facts from YOU that disprove the items I posted above either... so much for your EFFETE & off topic 'down mods', eh? apk
"we all know that untrusted systems on a LAN means game over"
Quick, someone inform the Kerberos team at MIT that their software doesn't work, and never has!
This was demonstrated at Defcon..oh I don't know ten years ago. At the time I was like WTF why do people demonstrate what everyone should have known is already painfully obvious... but let them have their fun.
What do you expect when using an insecure naming and transport/rpc system that provides no authentication, no trust model..nothing to prevent all kinds of MITM.
Reminds me of the people who blame Microsoft for allowing their "secure" passwords to be circumvented in the event their hard drive was taken out of their PCs and mounted into another system.
As is the case with full disk encryption secure alternatives are available.
WHAT IS WRONG WITH YOU?
the security for the horse and buggy was compromised by experts who simply offered the horse a carrot. This allowed full access and control to the vehicle. Experts are at a loss to fix this security hole, and are actively encouraging users to upgrade to a newer technology.
"Won't Work With" ....
I'm running Server 2008 with the domain and forest at 2008 level, ALL of my machines are set up to use KerberosV5 and LDAP, the only ones that even occasionally give me trouble about it are some legacy Server 2003 boxes (XP seems to work fine or maybe I'm just deluding myself, which is what I would think too, if I hadn't checked the logs) and the ONLY reason they give me trouble about it is because they were originally connected to an SBS2003 domain. Vista and 7, if I have a problem with them, it's that occasionally they get it in their mind to be too secure for the legacy boxes, actually occasionally is the wrong word as it has only happened once.... So to say that Windows WON'T work with Kerberos and LDAP is just plain wrong, could the utilities for it be better, yes... and I won't argue that windows has a long way to go. However nor will I say that Samba's efforts are wasted, although from my perspective as I do mostly windows admin it is a little bit ironic, that as far as I can tell their interaction with the Microsoft AD folks has mostly been a help to the MS guys to make AD more reliable and secure.
Any and all content posted above may be ignored, considered irrelevant, or otherwise dismissed.
The problem is that MS implement something, and samba has to play catch up... If samba would implement something first, MS would simply ignore it and do their own thing instead.
Also if MS implements something, they keep it as secret and obfuscated as possible - making it difficult for someone else to reverse engineer and implement, groups like samba openly document what they do making it easy for third parties to create their own implementations.
What we really need are standards which are decided independently, with equal access for everyone.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
You are using Samba in a Client Capacity, not a Domain Control Capacity. Apples and Oranges.
What I was referring to is when Samba 3.x Domain Controllers are all that is present, i.e. no Windows Servers. Windows Clients will not negotiate Kerberos with Samba. They treat Samba like NT4. And if you try to switch on Kerberos Realm mode using k5setup, it disables NT Domain support. The only thing you can do is install MIT KfW.
Outside of being completely amused by your rantings at others for criticizing your awful posting style, I am highly amused that you have honestly made the absolute worst mistake an IT security professional can make: believing that you have found a solution that someone can't break. I'm glad you think you are clever, and I encourage you to keep a healthy level of confidence. However, your solution isn't exactly flawless, and rather than showing healthy confidence, you're over posting, becoming belligerent toward others, and generally being a prick.
Mod me down for honesty, I won't care.
On the topic of securing your network, everyone alive knows that this is the only way to do it with certainty:
http://www.thirdeyeconcept.com/demotivationals/tec66_demotivational.jpg
Randimal: AT-CG-CG-AT-CG-AT-AT-CG-CG-AT-AT-CG-AT-CG-CG-AT-CG-AT-AT-CG-AT-CG-CG-AT-AT-CG-CG-AT-CG-AT-AT-CG
"However, your solution isn't exactly flawless" - by ihuntrocks (870257) on Saturday December 26, @10:44PM (#30560500)
Oh, really? Where EXACTLY might those flaws be?? Give us specifics, because I'd love to hear it!
So, instead of your "adhominem no detail general b.s." replies?? How about those specifics... I'll be waiting!
(AND, because I will just tear up what you write in seconds with easy work-arounds... so, please - "go for it", & tell us what those "flaws" might be, ok? This? This I have to see/hear here... this will be some FUN, assuming this egomaniac patronizer will even speak in reply after this)
----
"Outside of being completely amused by your rantings at others for criticizing your awful posting style" - by ihuntrocks (870257) on Saturday December 26, @10:44PM (#30560500)
Do you have a PhD in English? No?? Didn't think so - not that it'd matter anyhow: "critiques of writing style" from anyone is just a matter of opinion... but, opinions from those without degrees in said language??? Please...
----
"I am highly amused that you have honestly made the absolute worst mistake an IT security professional can make: believing that you have found a solution that someone can't break." - by ihuntrocks (870257) on Saturday December 26, @10:44PM (#30560500)
Do you have any degrees in Computer Sciences as well, after giving that "professional opinion" of yours? No again?? I didn't think so...
Now, personally here?
Well - I happen to be in possession of 2 of those to my credit though, as well as 16++ yrs. of professional experience in this field (ranging from a tech (where I started in collegiate academia yrs. ago), thru network administration, & eventually into Programmer-Programmer/Analyst roles + finally into Software Engineer titles) - do you have that????
Do you have appearances in internationally & quite respected publications in this art & science also (from newspapers, books, magazines, & more, as far back as 12++ yrs. ago) to your credit, as I have (inclusive of commercial code to YOUR credit & code that was a FINALIST 2 yrs. in a row in the hardest area there is @ Microsoft Tech-Ed 2000-2001 (iirc)?????
E.G. on my end ->
"My Name is Ozymandias: King of Kings - Look upon my works, ye mighty, & DESPAIR..."
----
Windows NT Magazine (now Windows IT Pro) April 1997 "BACK OFFICE PERFORMANCE" issue, page 61
(&, for work done for EEC Systems/SuperSpeed.com on PAID CONTRACT (writing portions of their SuperCache program increasing its performance by up to 40% via my work) albeit, for their SuperDisk & HOW TO APPLY IT, took them to a finalist position @ MS Tech Ed, two years in a row).
WINDOWS MAGAZINE, 1997, "Top Freeware & Shareware of the Year" issue page 210, #1/first entry in fact (my work is there)
PC-WELT FEB 1998 - page 84, again, my work is featured there
WINDOWS MAGAZINE, WINTER 1998 - page 92, insert section, MUST HAVE WARES, my work is again, there
PC-WELT FEB 1999 - page 83, again, my work is featured there
CHIP Magazine 7/99 - page 100, my work is there
GERMAN PC BOOK, Data Becker publisher "PC Aufrusten und Repairen" 2000, where my work is contained in it
HOT SHAREWARE Numero 46 issue, pg. 54 (PC ware mag from Spain), 2001 my work is there, first one featured, yet again!
Also, a British PC Mag in 2002 for many utilities I wrote, saw it @ BORDERS BOOKS but didn't buy it... by that point, I had moved onto other areas in this field besides coding only...
Lastly, being paid for an article that made me money over @ PCPitstop in 2008 for writing up a guide that has people showing NO VIRUSES/SPYWARES & other screwups, via following its point, such as THRONKA sees here ->
"This is how you keep your shit secure, folks. You'd better learn this one now." - by Anonymous Coward on Saturday December 26, @10:45PM (#30560506)
Well, I don't think I'd QUITE put it the way YOU did, because what I wrote above on HOSTS files only, is really only a SMALL PART of what a Windows user can do nowadays & for YEARS now to be far more secure.
This would be the rest (for Windows 2000/XP/Server 2003 & even VISTA/Windows Server 2008, & Windows 7) that you would need to do to secure a modern Windows NT-based OS variant:
----
HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA/Windows Server 2008/Windows 7, & make it "fun-to-do" via CIS Tool Guidance (&, beyond):
http://www.tcmagazine.com/forums/index.php?s=b9b1492c5935162b63d69a9989abed1c&showtopic=2662
----
Which has gone over 250,000++ views in 1.5 yrs. time online, across 15 forums, & has been made @ most of those, either a:
1.) A "sticky/pinned" thread
2.) Rated 5/5 stars
3.) An "Essential Guide"
AND, which even got me PAID for that security guide's (for Windows) creation over @ PCPitstop.com as well, for New Year's 2008 in fact... &, which saw the likes of THIS, as to feedback on its effectiveness from others who applied ALL of its points:
----
http://www.xtremepccentral.com/forums/showthread.php?t=28430
PERTINENT QUOTE/EXCERPT:
"...recently, months ago when you finally got this guide done, had authorization to try this on simple work station for kids. My client, who paid me an ungodly amount of money to do this, has been PROBLEM FREE FOR MONTHS! I haven't even had a follow up call which is unusual. Now I don't recommend this for the average joe, but if it can work for a kids PC it can work for anything! Now, i substituted OpenDNS and activated the Adult Content filter with them for this kids computer. I know it's not perfect, but will catch over 99.5% of said sites."
and
http://www.xtremepccentral.com/forums/showthread.php?s=10f9ba9ad5ff990aaae1e7ec91f593a2&t=28430&page=3
"It's 2009 - still trouble free! I was told last week by a co worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, it's been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff! My client STILL Hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! It's made my PC experience much easier. Sandboxing was great. Getting my host file updated, setting services to system service, rather than system local. (except AVG updater, needed system local)"
Thronka - forums member @ xtremepccentral.com
----
"Nuff said" on that account (& I am NOT the one doing that "last bit of saying it", either, per my quote of others above)...
APK
P.S.=>
"You make it secure YOURSELF. if you can't, get off the internet, because you will get fucked later." - by Anonymous Coward on Saturday December 26, @10:45PM (#30560506)
I don't think I'd put it QUITE that way, but, you DO have a point... apk
tl;dr 4 CAPS + offtopic & modding himself up
http://tech.slashdot.org/comments.pl?sid=1490078&cid=30557548
tl;dr (downrate the goof I am replying to here for overuse of caps and for being blatantly off topic). TIA.
Now, in regards to your rather pointless off topic reply that has no technical merit to it related to the subject at hand here:
You fail to realize that others reading here can easily infer that you are merely another bot master or malware maker who uses the internet to steal from others online.
Those reading can also infer that you do not want others to be aware of how to stop you from doing so.
Personally, I rather strongly suspect that is your reason for modding down people who tell others how the HOSTS file and other techniques are easily done, for Windows users (and more OS types, & in many cases, like this one since the IP stacks of most use a BSD derivative), to protect themselves from the likes of yourself and other criminals like you online.
You also perform mods upwards of your anonymous coward postings by using your registered account to do so first, after posting as an anonymous coward as you have, and then later using your registered account here to mod your anonymous coward posts upward. I have seen this, and caught one person here ADMITTING TO IT, more than once. That's pitiful (and that's to those like you too).
GOOD ADVICE/FOOD FOR THOUGHT FOR YOU:
----
A.) Quit doing your off topic replies in ALL CAPS
B.) Quit your ad hominem attack trolling, and instead contest a person's technical points rather than do an all caps foaming at the mouth raging reply as you have, quoted above.
C.) Stay on topic.
D.) Quit modding yourself up so obviously via multiple accounts and ac accounts or replies.
E.) Take your add/adhd meds + dyslexia therapy & remedial reading classes.
F.) "Hooked on PHONICS" is "4U"
G.) Don't use the name of the Lord in vain, on a personal note.
----
I hope that did not send you into a bipolar "RaGe" over there, lol, & you did not break things around you in a fit. Somehow, lol, just based on that foaming at the mouth reply in "*** ALL CAPS ***" above from you? Yes, I could see that going on where you are. LMAO!
It is obvious that either you do not know how to read, and that you are stuck with your off topic rants you spew onto the pages of the forums here on slashdot because of that, or, you are nothing more than a troll with a personal axe to grind.
The only form of so-called attack you possess, is ad hominem (attacking the poster instead of his points he makes)!
That's quite invalid in logical argument.
I suspect this may simply be because your technical knowledge of this area is that of the extremely unskilled who are often stuck with "I can't understand what you wrote" replies or "grammar and spelling checking".
That, alongside other trollish tactics like ad hominem attacks and unjustified downward moderations, is the province of the off topic troll and technically challenged in this section (which is not the English class section of slashdot - as there is no such forums section here anyhow).
All you have are your:
----
A.) Technically unjustified downward moderations
B.) Your ALL CAPS rants
C.) Your off topic raving
D.) Self-modding yourself "insightful"
----
On that last one?
It's obvious you did that, as it's easily done.
(So, give us a break - explain that & justify that and tell us how you are on topic here - explain how you were insightful, & to what that was on topic here, won't you? You are guilty of off topic trollery on your part & that is about it... and you KNOW it!)
You were FAR from "insightful" on this topic, & instead, mostly truly + absolutely indicative of transparent stupidity on your part in your reply (in addition to h