Slashdot Mirror


NetBIOS Design Allows Traffic Redirection

iago-vL writes "Security researchers at SkullSecurity have demonstrated how the NetBIOS protocol allows trivial hijacking due to its design, through the use of a tool called 'nbpoison' (in the package 'nbtool'). If a DNS lookup fails on Windows, the operating system will broadcast a NetBIOS lookup request that anybody can respond to. One vector of attack is against business workstations on an untrusted network, like a hotel; all DNS requests for internal resources can be redirected (Exchange, proxy, WPAD, etc). Other attack vectors are discussed in a related blog post. Although similar attacks exist against DHCP, ARP and many other LAN-based protocols, we all know that untrusted systems on a LAN means game over. NetBIOS poisoning is much quieter and less likely to break other things."

42 of 68 comments

  1. Disable NetBIOS via DHCP and/or GPO ?!? by WolphFang · · Score: 2, Informative

    Disable NetBIOS via DHCP and/or GPO ?!?

    --
    leather-dog muksihs
    Blog: @muksihs
  2. Any protocol that can be spoofed can suffer. by anti-NAT · · Score: 2, Informative

    Appletalk Name Binding Protocol (NBP) is also likely to be vulnerable, as is Novell's Service Advertising Protocol (SAP), as well as Multicast DNS (sort-of-aka Avahi, Zeroconf, Bonjour). At the end of the day, you can't completely trust what somebody else says unless you already explicitly trust them.

    --
    The Internet's nature is peer to peer - 20050301_cs_profs.pdf
    1. Re:Any protocol that can be spoofed can suffer. by ceoyoyo · · Score: 3, Informative

      Except I haven't heard of anybody actually using NBP recently, and your machine shouldn't fail over to using zeroconf resolution by default. If you don't ask for an address in a zeroconf domain then your computer shouldn't respond when someone helpfully pipes up "oh, I know where that is!"

      I didn't think anyone used netbios anymore either, but it is on by default still, isn't it?

    2. Re:Any protocol that can be spoofed can suffer. by Anonymous Coward · · Score: 1, Informative

      As a CS student, I have to fix this for you:

      At the end of the day, you can't completely trust what somebody else says unless there is prior knowledge.

      Such as an installed certificate/key.

  3. Setting the Node type to P with a bogus WINS by anti-NAT · · Score: 1

    server address (127.0.0.1) is likely to be a reasonable mitigation.

    --
    The Internet's nature is peer to peer - 20050301_cs_profs.pdf
  4. Does anyone use NetBIOS anymore? by Arker · · Score: 2, Interesting

    I remember I used to use it in the mid 90s, I actually found it quite useful because it is (was?) an unroutable protocol - IIRC it could be set up so that windows shares were available only through NetBIOS and thus only across one local segment. A couple of other admins were pulling their hair out trying to figure out how to keep those shares from being exploited without cutting them off entirely (and making the users very unhappy) and binding them to NetBIOS only seemed to do the trick nicely. Of course we had control of the local segment and the users who needed the shares were all on it - otherwise it wouldn't have been very useful. But it's been ages since I remember using it for anything at all.

    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.
  5. NetBIOS is routable when run over TCP/IP or IPX by anti-NAT · · Score: 4, Informative

    as per RFCs 1001 and 1002 for TCP/IP and somewhere else for IPX (IPX packet type 20 IIRC). However, if you ran it over "NetBEUI" or NetBIOS Extended User Interface, rather than IPX or TCP/IP, NetBIOS was running directly over 802.2/LLC i.e. no layer 3 protocol in there, so no routing. I think Microsoft removed this option a number of years ago, which is a shame, because that was a way of ensuring that there was no chance your NetBIOS file and print shares were accessible over the Internet.

    --
    The Internet's nature is peer to peer - 20050301_cs_profs.pdf
    1. Re:NetBIOS is routable when run over TCP/IP or IPX by Arker · · Score: 1

      Ahh yes that would have been the trick I was remembering. It has been a few years.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    2. Re:NetBIOS is routable when run over TCP/IP or IPX by butlerm · · Score: 1

      IPX routing is severely limited compared to IP routing, of course. RIP style route distribution, 15 hop limit, etc. I suppose that could have all been fixed if IPX had taken over the world instead of TCP/IP. In some ways IPX is more like IPv6 than IPv4 is. Too bad IPX had to be weighted down with a number of chatty, broadcast heavy higher level protocols. IPX networks got the equivalent of DNS, what, ten years later?

  6. Ermm... don't you mean NetBUI ? by WolphFang · · Score: 1

    Ermm... don't you mean NetBUI ?

    --
    leather-dog muksihs
    Blog: @muksihs
    1. Re:Ermm... don't you mean NetBUI ? by lkcl · · Score: 1

      nooo, congratulations, you've made the exact same mistake that everyone makes. NetBEUI is the equivalent of Ethernet (MAC addresses). NetBIOS is the equivalent of TCP/IP, IPX/SPX etc.

    2. Re:Ermm... don't you mean NetBUI ? by LO0G · · Score: 1

      Not quite. NetBEUI is a transport like TCP/IP or SPX. NetBIOS is an API. Like all APIs, it describes a set of semantics on how the underlying networking protocol behaves and because of that it can be layered on top of any protocol.

      RFC 1001/1002 describe how to implement the API semantics required by the NetBIOS API on top of TCP/IP.

    3. Re:Ermm... don't you mean NetBUI ? by lkcl · · Score: 4, Informative

      you're talking to the person who implemented samba's 2nd nmbd improvements, back in 1996, and demonstrated the world's first multi-workgroup / multi-PDC server on microsoft's campus, in about 1998.

      NetBIOS is NOT an "API". or - it is, but only in the sense that most early implementations were user-space (in the same way that WINSOCK.DLL was userspace), and RFC 1001/1002 showed how to _proxy_ what is effectively its own transport (equivalent to TCP/IP) and naming service (equivalent to DNS) over other transports at the same ISO layer.

      it's very unfortunate and particularly sad that the robustness of the NetBIOS naming / registration service (in the face of absolute ignorance and total misconfiguration) is not respected, studied, improved and modernised.

      it's also rather unfortunate that the "scope" field, which was what the DNS "zone" field was renamed as, was not respected by early windows implementations. this _could_ have been re-used for its original purpose: the DNS "zone". in this way, NetBIOS _could_ have been extended out onto the Internet, could have been extended with DNSSEC, and thus turned into something very very useful and very exciting.

      but - as i mentioned in an earlier post, we're relying on microsoft engineers to implement it, and all the ones who understand this stuff retired as millionaires quite some time ago, now.

    4. Re:Ermm... don't you mean NetBUI ? by OnlineAlias · · Score: 1

      Actually, not even close. You have made a mistake rarely anyone makes. Ethernet is layer 2. TCP/IP and IPX/SPX and NetBEUI are layer 3 (even though NetBEUI isn't routable). NetBIOS is a layer 5 up protocol, but really doesn't fit well in the OSI model at all because technically it isn't a network protocol.

      And I don't know what the hell everyone is talking about "quit using" NetBIOS or whatever, practically every modern MS application uses it extensively.

      This hack falls firmly within the "duh" category. The next time I go into a coffee shop and start talking SQL or native MS Exchange in the clear to something I'll make sure I have my guard up.

    5. Re:Ermm... don't you mean NetBUI ? by OnlineAlias · · Score: 1

      Ha! An old schooler. I remember back then I was examining some of this work. Everyone started running WINS servers on the net, trying to figure out how to scale and secure everything. It was fun, but man, there were so many problems in the modern era of the hacking mafia I don't see any way that it could have worked. Perhaps if NetBIOS had been improved at the rate the other protocols were over the same time, it could have happened... Keep in mind that Microsoft held on to NetBIOS like a rabid badger until the very end, and even tried to crush your Samba program like a bug (as I am sure you are aware). I think I'm happier using protocols on the net that Microsoft has little control over.

    6. Re:Ermm... don't you mean NetBUI ? by Anonymous Coward · · Score: 1, Funny

      "...and all the ones who understand this stuff retired as millionaires quite some time ago, now."

      yes, and overpaid way too much, do I think

      - yoda

    7. Re:Ermm... don't you mean NetBUI ? by butlerm · · Score: 1

      NetBIOS is NOT an "API"

      Once upon a time, there was a standard INT 5C interface that was used by DOS programs to control the NetBIOS functions built into some LAN adapter cards or other add on NetBIOS software. That no doubt is why the functionality was called "NetBIOS", because it was intended as a networking oriented parallel with the regular ROM BIOS.

      "NetBIOS" is an awfully funny name for a network protocol, and of course originally it wasn't a network protocol at all, it was a higher level interface to lower level protocols such as NBF and NBT. Of course NetBEUI (NetBIOS Extended User Interface) wasn't originally a "protocol" either, but later became associated with the non-routable NetBIOS Frames or NBF protocol for some strange reason.

  7. NetBIOS is DNS with enhancements by lkcl · · Score: 2, Interesting

    examination of RFC1001 shows that the NetBIOS protocol is actually DNS with enhancements and a few different meanings of some of the bits. there is therefore absolutely no reason why NetBIOS should not have the DNSSEC security system added to it. ... except, that would mean that microsoft had to do some work, on some code that was written well over twenty years ago. so the trouble is that microsoft doesn't actually have anyone left at the company who understands what was written, let alone why it was written.

    and neither really does anyone else. incredibly, comparison of NetBIOS to the Mobile IPv6 protocols developed a few years ago showed the *Mobile IPv6* protocols to be severely lacking.

    the entire NetBIOS protocol, apart from the obvious lack of security (because it was designed for LAN use) is incredibly far-sighted.

    1. Re:NetBIOS is DNS with enhancements by drinkypoo · · Score: 1

      Nobody should be using NetBIOS any more. Autoconfiguration with IP is more than good enough. Anyone with a crappy $20 router can sit back and let DHCP handle configuration, and we all have TCP/IP. Microsoft has been telling people to blow NetBIOS out their ass for years now, but they provided it for backwards compatibility. There's no way to make it safe while retaining that feature, and there's no reason to make it safer when no one should be using it.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:NetBIOS is DNS with enhancements by OnlineAlias · · Score: 1

      Well, just try disabling NetBIOS in a large enterprise. See how much stuff breaks...your first big-time IT job just became your last.

    3. Re:NetBIOS is DNS with enhancements by GIL_Dude · · Score: 1

      NetBIOS doesn't have anything to do with autoconfiguration or DHCP though. Of course people have DHCP. NetBIOS over TCP/IP though is a layer that allows machines to find each other sans DNS. For example say you have three machines on your home network behind a NAT router. You share a printer from one of them (yes, I mean Windows machines). Unless you have setup hosts files or a home DNS server (which most home users with a three machine network WON'T do), then the machines use a NetBIOS broadcast to find each other. Even in many corporate networks this isn't disabled. Name resolution of a "short name" (for example L3B3ABC-7 instead of L3B3ABC-7.test.example.com) will go this route:

      1. DNS (with the local machine's primary DNS suffix appended - so the query is L3B3ABC-7.test.example.com)
      2. DNS (with the primary DNS suffix devolved one level appended - so the query is L3B3ABC-7.example.com)
      3. Any other configured (GPO) DNS search suffixes
      4. A NetBIOS subnet only broadcast for the short name

      It is this last query that they are saying can easily be poisoned.

      It is probably trivial to code up something to do this. I imagine the sample of a WPAD file for Firefox or IE autoconfiguration could work as a denial of service of sorts (routing you to a non-existent proxy or something) - possibly even attempting a proxy man-in-the-middle attack. The others (Exchange, SMB file shares, etc.) would seem to be only a small denial of service. If those servers were accessible they would have been found via DNS so they aren't available anyway. And the protocols require authentication so the attacking machine couldn't spoof more than the naming service for those. The proxy one though would be the interesting one.

    4. Re:NetBIOS is DNS with enhancements by butlerm · · Score: 1

      That could have been true had NetBIOS commonly been run over a routable protocol and had NetBIOS name servers supported a recursive name resolution scheme. Most NetBIOS networks in the early days were far from it. If you don't have a routable protocol and a means to configure what address the name server lives on, and you don't have an inter-name server name query resolution protocol, you end up with the much more typical broadcast and election scheme on small networks and perhaps a handful of name servers on large ones.

      I mean, when Microsoft wanted a recursive name resolution protocol for Active Directory, they didn't invent a way to extend NetBIOS name resolution to make it recursive, instead they added a bunch of extensions to DNS for the purpose. Not that NetBIOS name resolution couldn't have been so extended, of course. DHCP solves the NBNS (now "WINS") name server determination problem quite well too, and NetBIOS over TCP ("NBT") the routing problem.

    5. Re:NetBIOS is DNS with enhancements by Bert64 · · Score: 1

      Protocols requiring authentication just make things more interesting, you can hijack the connection and then steal or man in the middle the authentication details when the client sends them.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  8. Layer 2 Separation by Euzechius · · Score: 5, Informative

    This attack would easily be prevented by the use of Private VLANs on your network. With PVLANs Clients connected to the LAN can only send Layer 2 frames to the default gateway and other pre-defined shared services such as printing, AD, mail, internet... Typically Private VLANs are very handy in shared/public environments such as hotels, public desktops.

    Howto configure PVLANs on a Cisco Cat 3750 switch:
    http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a008017acad.shtml

    Many other techniques are available to protect a L2 LAN environment:
    * DHCP snooping (DHCP trusted/untrusted ports)
    * Dynamic ARP inspection
    * IP Source Guard
    * Port security (stickies) and MAC acls

    1. Re:Layer 2 Separation by darkpixel2k · · Score: 1

      Howto configure PVLANs on a Cisco Cat 3750 switch:

      Can you tell all the small-time hotel owners out there how to do that with a dlink or netgear device... ;)
      I would bet that most of the hotel owners out there aren't the Hilton, Ritz, or Embassy. And possibly even those big guys wouldn't want to spend a butt-load of money on *all* their hotels for pvlan capable switches when a netgear device would work well. Maybe they would for hundred or thousand room hotels in NY, Vegas, etc...but we have one down the road that's ~20 rooms...

      --
      There's no place like ::1 (I've completed my transition to IPv6)
    2. Re:Layer 2 Separation by Euzechius · · Score: 1

      If you are able to hook up all the rooms to a single switch (eg 24 or 48 ports) it's easier! You only need Private Vlan Edge functionality to separate Layer 2 between rooms. Private VLAN Edge functionality can already be found on the pure Layer2 switches like 2960 or ESW series.

  9. Netbios = epic fail by Krneki · · Score: 1

    So a new flaw in the Netbios protocol, tell me something new.

    Once we had a rogue router plugged in the network who was happily changing the DNS setting on the Windows workstations. Nothing else, just DNS settings.

    This case alone should give nightmares to any Netbios administrator.

    --
    Love many, trust a few, do harm to none.
    1. Re:Netbios = epic fail by VGPowerlord · · Score: 1

      Couldn't they just as easily run a DHCP server and do the same thing?

      That is, assuming addresses are being set via DHCP.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
  10. Samba 3 Domain Controllers and Mutant NT Domains by Zombie+Ryushu · · Score: 4, Informative

    The fact is as long as Samba 3.x exists we will have NetBios. There are a lot of Samba 3.x Domain Controllers that manage "Mutant" NT Domains. What I mean is this. The optimal situation for Linux Samba Domain Controllers is this:

    You have an OpenLDAP, Kerberos, and Samba. OpenLDAP is the directory service, Heimdal Kerberos is Single Sign on, and Samba is Legacy NT Domain Compatibility and CIFS File sharing. Between two Linux machines, Samba can use DNS to look up shares, and use Kerberos to authenticate to shares. This is all well and good. It is very secure, it doesn't use NTLM or NetBios. In the event of a Windows machine accessing a Share, the Windows machine can use DNS to lookup a share, but can't use Kerberos. It has to use NTLM, because in "NT Domain Mode" everything from 2000 on disables Kerberos and you can't turn it back on without the third party MIT Kerberos for Windows Client. (which most people won't do.)

    Now, the problem comes when Windows machines try and log in to a Samba Domain. This is where things get a little weird.

    Samba backended with LDAP can have multiple PDCs because OpenLDAP has multi-master support. Samba is not limited to PDCs and BDCs the way NT4 is. You can have multiple layers of Trusting Domains, and all of your Domain Controllers being writable PDCs. In fact, the only real difference between Active Directory and "Open Directory" is: Windows Won't negotiate with it.

    (this also applies to Kerberos. Multimaster Kerberos KDC is possible only with OpenLDAP support but that's outside the scope of this discussion.)

    Because of this, you can have multiple PDCs, and multiple NetBios scopes. This is important, because Windows clients always broadcast for their Domain Controller. Unlike with Active Directory, (and other Linux Clients) which uses SRV records to find the Directory services using DNS, Windows clients always broadcast and have a "Browser Election" to find out who the PDC is.

    This means that Windows' Boneheadedness about not wanting to talk to anything that is not a "Pure AD" is the problem here.

  11. Re:Samba 3 Domain Controllers and Mutant NT Domain by lukas84 · · Score: 1, Insightful

    Samba is still stuck in NT4 times. That's why everyone should get rid of it. The hacks needed to make it work with Windows 7 alone show the age of the software.

    I'm aware that the development to get Samba up to the level of WS08R2 is in the work, but it's nowhere near where Microsoft is right now.

  12. Re:Samba 3 Domain Controllers and Mutant NT Domain by Zombie+Ryushu · · Score: 1

    Were you just not paying attention? I just said Samba had a whole slew of LDAP and Kerberos functionality that Windows won't work with. Most of what I talked about only takes place when two Linux boxen are together.

  13. Re:Samba 3 Domain Controllers and Mutant NT Domain by lukas84 · · Score: 2, Insightful

    Yep. The difference is that you blame Windows and I blame Samba.

  14. ANY OF THEM ARE FIXABLE, this way... apk by Anonymous Coward · · Score: 2, Informative

    "Appletalk Name Binding Protocol (NBP) is also likely to be vulnerable, as is Novell's Service Advertising Protocol (SAP), as well as Multicast DNS (sort-of-aka Avahi, Zeroconf, Bonjour). At the end of the day, you can't completely trust what somebody else says unless you already explicitly trust them." - by anti-NAT (709310) on Saturday December 26, @05:47AM (#30555096) Homepage

    Here is a VERY OLD 'something' that can fix this problem in BOTH NetBIOS and yes, DNS itself, in the meantime - for the end user: A CUSTOM HOSTS FILE!

    Specifically, the "DOMAINNAME/HOSTNAME-to-IP ADDRESS" equation in them, & "hardcoding" it there (so you do NOT get "misdirected" by an attacker of DNS or NetBIOS). That's fairly DEEP into this post, so, if you are interested? Read on:

    I use a custom HOSTS file, in addition to the tools others here in this thread have noted (which MANY like FF addons only really function for FireFox/Mozilla products, but don't extend globally to all other webbound applications, & that is part of what HOSTS files give you above the methods you extoll + utilize: "GLOBAL COVERAGE", & of ALL webbound apps, not just FireFox/Mozilla ones via the addons you most likely use yourself...).

    HOSTS files can be used to blockout KNOWN "bad" adserves, maliciously coded sites or adbanners, and "botnet C&C servers" too!

    You can obtain reliable HOSTS files from reputable lists for more security online, but also for speed!

    (More on that later & WHY/HOW (I use reliable lists for that, such as these HOSTS @ Wikipedia.com -> http://en.wikipedia.org/wiki/Hosts_file or those from mvps.org (a good one this one))

    I also further populate & keep current my custom HOSTS file with up to date information in regards to all of those threats, via:

    ----

    A.) Spybot "Search & Destroy" updates (populates HOSTS and browser block lists)

    B.) Sites like ZDNet's Mr. Dancho Danchev's blog -> http://ddanchev.blogspot.com/

    C.) Sites like FireEye -> http://blog.fireeye.com/

    D.) SRI -> http://mtc.sri.com/

    ----

    My HOSTS file incorporates ALL of the entries from the HOSTS files shown @ wikipedia as well... gaining me speed online (by blocking adbanners, which have been compromised many times the past few years now by malscripted exploits (examples below)).

    (I combined ALL reputable HOSTS files with one of my own (30,000 entries), & I removed duplicates via a Borland Delphi app I wrote to do so called "APK HOSTS File Grinder 4.0++". That program also functions to change the default larger & SLOWER 127.0.0.1 blocking 'loopback adapter' IP address to either 0.0.0.0 (for VISTA/Windows Server 2008/Windows 7, smaller & thus faster than 127.0.0.1 default) or the smallest & fastest 0 "blocking 'IP ADDRESS'" (for Windows 2000/XP/Server 2003 which can STILL use it (& it was added in a service pack on Windows 2000, only on 12/09/2008 MS patch tuesday was it removed for VISTA onwards (& now all these "phunny little bugs" are showing up as FLAWS in this new NDIS6 approach via WFP as well in the firewall, which ROOTKIT.COM has stated (with code too no less on how it is done) -> http://www.rootkit.com/newsread.php?newsid=952 that it is EASIER TO UNHOOK (than was the design used in Windows 2000/XP/Server 2003))

    Another EXCELLENT benefit of HOSTS file usage? More speed online, & also more security + reliability (especially in the case of DNS servers today, per folks like Dan Kaminsky &/or Moxie Marlinspike finding various security vulnerabilities in them the past couple years now)...

    SO, to "CIRCUMVENT" THAT WHICH YOU NOTE & to get more speed online (besides/above potentially h

  15. Trivially Preventable by golden.radish · · Score: 2, Informative

    The registry tweaks to prevent any Windows operating system from broadcasting for NB queries have been around for a very long time. (as in, since at least Windows 95)

    It is entirely possible to change the behavior to WINS/Unicast only, or turn it off entirely.

    Enlightenment is only a click away: http://support.microsoft.com/kb/160177

    What you want is to make your host a "P Node".

    If you don't want to do that, you can always go here: http://support.microsoft.com/kb/314053

    Go to the NBT section. Note the entry for BcastNameQueryCount; change it to zero.

    If you do this as part of your corporate build strategy, you could even isolate rogue "Windows" hosts by noting -any- nbquery broadcasts and shutting down those ports as rogues on your client VLANs.
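    GIL_Dude's resolution order above ends in a subnet broadcast, lkcl's "NetBIOS is DNS with enhancements" post notes that an NBNS packet is a DNS packet with a few bits given new meanings, and this post says to build hosts as P-nodes and treat any remaining nbquery broadcast as a rogue. The Python below is an added example for this thread, not code from the article, from nbtool, or from any poster: it builds and parses RFC 1002 name queries and positive responses (the DNS-style 12-byte header, the half-ASCII 32-byte label, the NB bit in the reserved flag space), then runs an audit over constructed traffic that reports hosts still resolving by broadcast and responders that answered broadcast queries for more than one distinct name. The hostnames, addresses and transaction ids are constructed for the example.

```python
from __future__ import annotations
import struct
from collections import defaultdict

NBNS_PORT = 137                           # UDP port for the NetBIOS name service (RFC 1002)
QTYPE_NB, QCLASS_IN = 0x0020, 0x0001
# Header flag bits: R (response), AA, RD as in DNS; B (broadcast) lives in
# DNS's reserved NM_FLAGS area and is one of the "enhancements" NBNS adds.
FLAG_R, FLAG_AA, FLAG_RD, FLAG_B = 0x8000, 0x0400, 0x0100, 0x0010


def encode_name(name: str, suffix: int = 0x20) -> bytes:
    """RFC 1001 first-level encoding: pad to 15 chars, append the 1-byte service
    suffix (0x20 = server service), then write each nibble as a letter A..P."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))   # 32 bytes


def decode_name(label: bytes) -> tuple[str, int]:
    """Inverse of encode_name: returns (name, suffix)."""
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_query(trn_id: int, name: str, broadcast: bool = True) -> bytes:
    """Name query: DNS header (opcode 0, RD set, B set for a broadcast query)
    plus one question of type NB / class IN with an empty scope."""
    flags = FLAG_RD | (FLAG_B if broadcast else 0)
    header = struct.pack(">HHHHHH", trn_id, flags, 1, 0, 0, 0)
    qname = bytes([32]) + encode_name(name) + b"\x00"
    return header + qname + struct.pack(">HH", QTYPE_NB, QCLASS_IN)


def build_response(trn_id: int, name: str, ip: str) -> bytes:
    """Positive name query response: RR_NAME, NB/IN, TTL, RDLENGTH, then one
    RDATA entry of NB_FLAGS (2 bytes) followed by the IPv4 address."""
    header = struct.pack(">HHHHHH", trn_id, FLAG_R | FLAG_AA | FLAG_RD, 0, 1, 0, 0)
    rr_name = bytes([32]) + encode_name(name) + b"\x00"
    rdata = struct.pack(">H", 0x0000) + bytes(int(o) for o in ip.split("."))
    return header + rr_name + struct.pack(">HHIH", QTYPE_NB, QCLASS_IN, 300000, len(rdata)) + rdata


def parse(packet: bytes) -> dict:
    """Parse the header and the first name/record of a query or a response."""
    trn_id, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", packet[:12])
    pos = 12
    name, suffix = decode_name(packet[pos + 1:pos + 33])
    pos += 1 + packet[pos]
    while packet[pos]:                    # skip scope labels, if present
        pos += 1 + packet[pos]
    pos += 1 + 4                          # terminator + TYPE/CLASS
    info = {"trn_id": trn_id, "response": bool(flags & FLAG_R),
            "opcode": (flags >> 11) & 0xF, "broadcast": bool(flags & FLAG_B),
            "rcode": flags & 0xF, "name": name, "suffix": suffix, "addresses": []}
    if info["response"] and an:
        _ttl, rdlength = struct.unpack(">IH", packet[pos:pos + 6])
        pos += 6
        for _ in range(rdlength // 6):    # each entry: NB_FLAGS + 4 address bytes
            info["addresses"].append(".".join(str(b) for b in packet[pos + 2:pos + 6]))
            pos += 6
    return info


def audit(packets, broadcast_addr: str) -> dict:
    """packets: (src_ip, dst_ip, udp_payload) triples already filtered to UDP/137.
    Reports hosts that still resolve by broadcast (they should be P-node) and
    hosts that answered broadcast queries for more than one distinct name,
    which a single machine owning its own name has no reason to do."""
    broadcasters, answered, pending = defaultdict(set), defaultdict(set), {}
    for src, dst, payload in packets:
        p = parse(payload)
        if p["opcode"] != 0:              # only name queries, not registrations/releases
            continue
        if not p["response"]:
            if dst == broadcast_addr or p["broadcast"]:
                broadcasters[src].add(p["name"])
                pending[p["trn_id"]] = p["name"]
        elif pending.get(p["trn_id"]) == p["name"]:
            answered[src].add(p["name"])
    return {
        "broadcasters": {h: sorted(n) for h, n in broadcasters.items()},
        "promiscuous_responders": {h: sorted(n) for h, n in answered.items() if len(n) > 1},
    }


# Constructed sample traffic (not a capture): 10.0.0.5 and 10.0.0.7 still fall
# through to broadcast, 10.0.0.99 answers every broadcast it sees, 10.0.0.20
# answers only for its own name, and 10.0.0.8 is a P-node asking WINS at 10.0.0.2.
SAMPLE = [
    ("10.0.0.5", "10.0.0.255", build_query(0x1001, "WPAD")),
    ("10.0.0.99", "10.0.0.5", build_response(0x1001, "WPAD", "10.0.0.99")),
    ("10.0.0.5", "10.0.0.255", build_query(0x1002, "EXCHANGE01")),
    ("10.0.0.99", "10.0.0.5", build_response(0x1002, "EXCHANGE01", "10.0.0.99")),
    ("10.0.0.7", "10.0.0.255", build_query(0x2001, "FILESRV")),
    ("10.0.0.20", "10.0.0.7", build_response(0x2001, "FILESRV", "10.0.0.20")),
    ("10.0.0.99", "10.0.0.7", build_response(0x2001, "FILESRV", "10.0.0.99")),
    ("10.0.0.8", "10.0.0.2", build_query(0x3001, "PRINTSRV", broadcast=False)),
    ("10.0.0.2", "10.0.0.8", build_response(0x3001, "PRINTSRV", "10.0.0.30")),
]

if __name__ == "__main__":
    print(audit(SAMPLE, "10.0.0.255"))
```

    On a network built the way this post describes, the "broadcasters" list should be empty; any entry is a host whose node type or BcastNameQueryCount was not applied. A host that shows up under "promiscuous_responders" answered for names it cannot all own, which is what a poisoned broadcast looks like on the wire.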

    1. Re:Trivially Preventable by squiggleslash · · Score: 3, Insightful

      The registry tweaks to...

      I don't think "Trivially Preventable" means the same thing to you compared to the majority of Windows users.

      --
      You are not alone. This is not normal. None of this is normal.
    2. Re:Trivially Preventable by Bert64 · · Score: 1

      And people complain that using a commandline on linux is difficult...

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  16. DEAR GOD by Anonymous Coward · · Score: 1, Insightful

    WHAT IS WRONG WITH YOU?

  17. In other news... by CPE1704TKS · · Score: 3, Insightful

    the security for the horse and buggy was compromised by experts who simply offered the horse a carrot. This allowed full access and control to the vehicle. Experts are at a loss to fix this security hole, and are actively encouraging users to upgrade to a newer technology.

  18. Re:Samba 3 Domain Controllers and Mutant NT Domain by kantos · · Score: 1

    "Won't Work With" ....

    I'm running Server 2008 with the domain and forest at 2008 level, ALL of my machines are set up to use KerberosV5 and LDAP, the only ones that even occasionally give me trouble about it are some legacy Server 2003 boxes (XP seems to work fine or maybe I'm just deluding myself, which is what I would think too, if I hadn't checked the logs) and the ONLY reason they give me trouble about it is because they were originally connected to an SBS2003 domain. Vista and 7, if I have a problem with them, it's that occasionally they get it in their mind to be too secure for the legacy boxes, actually occasionally is the wrong word as it has only happened once.... So to say that Windows WON'T work with Kerberos and LDAP is just plain wrong, could the utilities for it be better, yes... and I won't argue that windows has a long way to go. However nor will I say that Samba's efforts are wasted, although from my perspective as I do mostly windows admin it is a little bit ironic, that as far as I can tell their interaction with the Microsoft AD folks has mostly been a help to the MS guys to make AD more reliable and secure.

    --
    Any and all content posted above may be ignored, considered irrelevant, or otherwise dismissed.
  19. Re:Samba 3 Domain Controllers and Mutant NT Domain by Bert64 · · Score: 2, Insightful

    The problem is that MS implement something, and samba has to play catch up... If samba would implement something first, MS would simply ignore it and do their own thing instead.
    Also if MS implements something, they keep it as secret and obfuscated as possible - making it difficult for someone else to reverse engineer and implement, groups like samba openly document what they do making it easy for third parties to create their own implementations.

    What we really need are standards which are decided independently, with equal access for everyone.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  20. Re:Samba 3 Domain Controllers and Mutant NT Domain by Zombie+Ryushu · · Score: 1

    You are using Samba in a Client Capacity, not a Domain Control Capacity. Apples and Oranges.

    What I was referring to is when Samba 3.x Domain Controllers are all that is present. i.e. no Windows Servers. Windows Clients will not negotiate Kerberos with Samba. They treat Samba like NT4. And if you try to switch on Kerberos Realm mode using k5setup, it disables NT Domain support. The only thing you can do is install MIT KfW.

  21. Re:Do YOU have a PHD in English or Psychiatry? apk by ihuntrocks · · Score: 1

    Outside of being completely amused by your rantings at others for criticizing your awful posting style, I am highly amused that you have honestly made the absolute worst mistake an IT security professional can make: believing that you have found a solution that someone can't break. I'm glad you think you are clever, and I encourage you to keep a healthy level of confidence. However, your solution isn't exactly flawless, and rather than showing healthy confidence, you're over posting, becoming belligerent toward others, and generally being a prick.

    Mod me down for honesty, I won't care.

    On the topic of securing your network, everyone alive knows that this is the only way to do it with certainty:

    http://www.thirdeyeconcept.com/demotivationals/tec66_demotivational.jpg

    --
    Randimal: AT-CG-CG-AT-CG-AT-AT-CG-CG-AT-AT-CG-AT-CG-CG-AT-CG-AT-AT-CG-AT-CG-CG-AT-AT-CG-CG-AT-CG-AT-AT-CG