Approved-By: ALEPH1@UNDERGROUND.ORG
Approved-By:  Alan Cox <coxa@CABLEOL.NET>
Message-ID: <199609270817.JAA03630@cableol.net>
Date: 	Fri, 27 Sep 1996 09:17:34 +0100
Reply-To: Alan Cox <coxa@cableol.net>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Alan Cox <coxa@cableol.net>
Subject:      Re: NT security et al (Dangers of NetBIOS/NBT?)
X-To:         nal@spirit.com.au
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To:  <01BBABE3.B9135B40@raven.spirit.com.au> from "Nick and Debbie
              Leask" at Sep 26, 96 07:44:07 pm
Approved: proff@suburbia.net

> I've read fairly similar sentiments about having NetBIOS or NBT floating
> around on our internet/firewall subnets, but I've not heard anyone
> discussing exactly what the dangers of this are.  There are obvious
> 'pains in the butt' when this is happening (such as lots of unnecessary
> deny messages logged against firewall bastion or router logs), but
> that's about all...  Can someone expand in detail what the known or
> perceived dangers of NetBIOS or NBT are?

o       Windows 3.11 has share bugs Microsoft will apparently never fix,
        whereby any share allows the whole disk to be accessed by using
        a ../../.. type construct and the smbfs client code.

o       Early Windows 95 seems to have the same bug. In both cases this
        can be a disaster, as the Windows .PWL files up until the latest
        Win95 patches are trivially crackable.

o       Windows NT apparently has a bug whereby users can erase the entire NT
        server disk in the default NT configuration.

o       There is no encryption of data, so all the usual spoofing attacks work

o       There are ways to trip the clients into doing plain text password
        authentications (Yum yum ;))

o       There is no failed-authentication logging on Windows, so a dictionary
        attack can run all week and there won't be so much as a blip in the
        logs.

All of these are exploitable over TCP/IP as well. Very handy for breaking into
Windows 95 machines on a remote network and adding a binary and changing
autoexec.

Whether you block outgoing NetBIOS sessions is an open question; blocking
incoming ones is a foregone conclusion.

Novell NetWare is only slightly more secure. You do get some protection
if that is suitably set up, but users can bring down Novell 3 servers by
sending a suitable packet, and can really mess around by broadcasting fake
license messages. Since Novell has directed broadcast, that can be done
across IPX backbones.

Alan
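An added illustration of the share-traversal point in the first bullet above (not code from the original message, nor from any Microsoft or Samba product): a constructed Python check showing how concatenating a client-supplied path lets a `../../..` construct escape the share root, beside a check that keeps the resolved path inside it. The share root `/srv/share` and the client paths are constructed, and real path resolution (symlinks) is assumed to be handled separately.

```python
import posixpath

# Constructed share root for the example; a real server would use its
# configured share directory.
SHARE_ROOT = "/srv/share"


def _to_posix(client_path: str) -> str:
    """SMB clients send backslash-separated paths; normalize to '/'."""
    return client_path.replace("\\", "/")


def naive_resolve(share_root: str, client_path: str) -> str:
    """The buggy pattern: glue the share root and the client path together
    and let path normalization collapse '..' wherever it leads."""
    return posixpath.normpath(share_root + "/" + _to_posix(client_path))


def safe_resolve(share_root: str, client_path: str) -> str:
    """Normalize the path, then refuse anything that does not stay under
    the share root. '..' inside the share is still allowed."""
    root = posixpath.normpath(share_root)
    rel = _to_posix(client_path).lstrip("/")
    target = posixpath.normpath(posixpath.join(root, rel))
    if target != root and not target.startswith(root + "/"):
        raise PermissionError(f"path escapes share root: {client_path!r}")
    # In production, also compare os.path.realpath() results so a symlink
    # inside the share cannot point outside it (assumption: done elsewhere).
    return target


if __name__ == "__main__":
    traversal = "..\\..\\etc\\passwd"
    print("naive:", naive_resolve(SHARE_ROOT, traversal))
    try:
        safe_resolve(SHARE_ROOT, traversal)
    except PermissionError as err:
        print("safe :", err)
    print("safe :", safe_resolve(SHARE_ROOT, "docs\\..\\readme.txt"))
```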

