From Bernd.Lehle@RUS.Uni-Stuttgart.DE  Fri Sep 13 18:15:58 1996
From: Bernd Lehle <Bernd.Lehle@RUS.Uni-Stuttgart.DE>
Message-Id: <199609130812.KAA16377@visbl.rus.uni-stuttgart.de>
Subject: Attacks against NetBIOS via TCP/IP
To: BUGTRAQ@NETSPACE.ORG, best-of-security@suburbia.net
Date: Fri, 13 Sep 1996 10:12:19 +0200 (DST)
X-pgp-fingerprint: 3E B0 35 8D 59 D5 AE AA  5A F9 60 80 9E E0 55 48
X-Joke:            If cryptography is outlawed, only #%8fd 26(@^($$ 

Hi there,

after a talk with our PC/Intel guy at the Computer Center about what's
going on right now with the PCs in our network I came to the following
alarming idea:

In TCP/IP dominated networking environments like universities there is
an increasing number of PCs running Windows (3.11/95/NT) with NetBIOS
Services like sharing drives and printers. 
Normally NetBIOS (OSI-Layer 5) is transported via NetBEUI (OSI-Layer 3/4),
which is a LAN-only protocol that cannot be routed.

However, there is also the possibility of encapsulating the NetBIOS
services in TCP/IP which then can be routed through a Campus LAN or out
into the Internet.

Maybe due to its history as a LAN protocol, NetBIOS over TCP/IP
communicates almost entirely with broadcasts (IP and Ethernet). This has
been verified with a sniffer. So security does not seem to be an issue.

So it should be easy for someone who knows the odds and ends of NetBIOS
to either modify the TCP/IP stack of Windows, so it tries to send NetBIOS
requests through TCP/IP specifically to remote machines, or use a UNIX 
Box (e.g. Linux) with NetBIOS related services (Samba) to launch an attack
against a remote Windows box.

It does not seem to be very tempting to hack a Windows PC, but on the
shared disks of Windows PCs in University offices there is often
important data like grades or similar.

Does anybody have experience with problems, attacks or defences for this
kind of setup?

We're trying to consider this problem in detail soon, but first we have
to arrange a meeting with the PC guys and the (heavily UNIX-inclined) 
security guys :-)

-- 
> Bernd Lehle - Stuttgart University Computer Center * A supercomputer < 
>      Visualization / Security / Astrophysics       * is a machine    <
> lehle@rus.uni-stuttgart.de   Tel:+49-711-685-5531  * that runs an    < 
>   http://www.tat.physik.uni-tuebingen.de/~lehle    * endless loop    < 
>  pgp? -> finger bernd@visbl.rus.uni-stuttgart.de   * in 2 seconds    <
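
Added example, not part of the original message: a small audit over flow records that separates NetBIOS-over-TCP/IP traffic staying on its own LAN segment from traffic that is being routed across the campus or over the border, which is the exposure the message describes. The port numbers are the standard NetBIOS-over-TCP/IP ports from RFC 1001/1002; the campus range, the /26 segment size, the record format and the sample flows are assumptions constructed for illustration.

```python
import ipaddress

# Standard NetBIOS over TCP/IP ports (RFC 1001/1002).
NBT_PORTS = {
    ("udp", 137): "name service",
    ("udp", 138): "datagram service",
    ("tcp", 139): "session service",
}

# Assumption: campus address space (documentation range as placeholder).
CAMPUS = ipaddress.ip_network("192.0.2.0/24")
# Assumption: every LAN segment on campus is a /26.
SEGMENT_PREFIX = 26

# Constructed flow records: "proto src sport dst dport".
SAMPLE_FLOWS = """\
udp 192.0.2.10 137 192.0.2.63 137
tcp 192.0.2.10 1025 192.0.2.20 139
tcp 192.0.2.10 1026 192.0.2.130 139
tcp 198.51.100.7 1044 192.0.2.20 139
udp 192.0.2.70 138 192.0.2.127 138
tcp 198.51.100.7 1045 192.0.2.20 80
"""

def segment(addr):
    """Return the LAN segment (as a network) that an address belongs to."""
    return ipaddress.ip_network(f"{addr}/{SEGMENT_PREFIX}", strict=False)

def classify(line):
    """Return (scope, service, src, dst) for a NetBIOS flow, else None."""
    proto, src, _sport, dst, dport = line.split()
    service = NBT_PORTS.get((proto, int(dport)))
    if service is None:
        return None  # not NetBIOS over TCP/IP
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in CAMPUS or dst_ip not in CAMPUS:
        scope = "crosses-border"      # should be dropped at the border router
    elif segment(src_ip) != segment(dst_ip):
        scope = "routed-on-campus"    # reachable beyond its own LAN
    else:
        scope = "local-segment"       # the LAN-only behaviour NetBIOS assumes
    return (scope, service, src, dst)

def audit(flows):
    """Classify every NetBIOS flow in a block of flow records."""
    results = (classify(l) for l in flows.splitlines() if l.strip())
    return [r for r in results if r is not None]

if __name__ == "__main__":
    for scope, service, src, dst in audit(SAMPLE_FLOWS):
        print(f"{scope:17} {service:17} {src} -> {dst}")
```

Anything reported as crosses-border or routed-on-campus is a candidate for a router filter on ports 137-139.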

