Global Information Assurance Certification Paper

                           Copyright SANS Institute
                           Author Retains Full Rights
  This paper is taken from the GIAC directory of certified professionals. Reposting is not permitted without express written permission.

GIAC Level One Security Essentials Practical Assignment
NetBIOS and File Sharing Security in Windows

Mark Wade

Version 1.2f – August 13, 2001

Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46

Understanding NetBIOS
Figure One: NetBIOS Over IP
NetBIOS Names
Am I at Risk?
Scope ID
Fact VS Fiction
Conclusion
References and Works Cited

© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.

Overview

NetBIOS (Network Basic Input/Output System) is a program that allows different computers on
the same local area network to communicate. NetBIOS frees these computers’ applications from
having to know the intricacies of the network and provides a means of creating a session
between the two PCs. NetBIOS is not a protocol. This is a common mistake since NetBIOS does
have base rules. For example, NetBIOS contains standard rules when involved in the naming of
computers, workgroups, domains, users and other services utilizing NetBIOS.

The NetBIOS interface was first developed by Sytek Inc. (currently Hughes LAN Systems) for the
International Business Machines Corporation (IBM) in 1983. It ran on a primitive IBM LAN that
supported a maximum of 72 devices and utilized proprietary Sytek protocols to transport
information. According to Microsoft, who has a long working history with IBM, NetBIOS was not
originally designed to grow to support today’s massively sized networks. Later revisions in
the mid-80s made NetBIOS the de facto standard when configuring networking system components
and programs.

This paper focuses on NetBIOS when used over TCP/IP and the security questions about file
sharing using the operating systems Windows 95, 98, and ME. When sharing file(s) and/or
printer(s) on a LAN, and/or if one has enabled Microsoft Networking, then what are called
shares may be exposed to the Internet. Shares are file and printer resources that have been
enabled for sharing. A lot of times these shares are exposed without the owner of the machine
realizing. They might lack a proper password (a proper password being a password meeting the
criteria set by the level of security one desires on his network or machine) or possibly have
no password. If somebody gains access to these shares via the Internet, then they can access
your computer and destroy and/or manipulate material located there within. Microsoft has
posted a security bulletin and patch for this vulnerability at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-072.asp
and Bugtraq has recorded the vulnerability as ID number 1780.

Understanding NetBIOS

A NetBIOS request is provided in the form of a Network Control Block (NCB). An NCB is a
64-byte data structure and is required in every single command given by NetBIOS. NCBs specify
the message location, name of destination, pointers to buffers, and various command codes.
The NCB must remain unaltered until the command is completed, so it cannot be used for other
commands while the command is still processing. However, once a command has completed, the
NCB can be altered and reused for another command.

NetBIOS provides session and transport services. As seen in Figure One, NetBIOS is located in
the OSI’s (Open Systems Interconnection) session layer and has a hand in all network
communication.

Figure One: NetBIOS Over IP (Anonymous)

However, it does not provide a standard frame or data format for transmission. A standard
frame format is provided by a transport protocol. The Transmission Control Protocol (TCP) will
be focused on in this paper. One can also use NetBIOS Extended User Interface (NetBEUI)
instead of TCP. It is not necessary to expand on NetBEUI in this paper; for more information
on NetBEUI, go to http://hdallen.home.mindspring.com/netb.htm.

NetBIOS offers a choice between two communication modes, datagram or session. Datagram mode
sends each message independently. This is referred to as connectionless communication. In
this form of communication, all stations on the network are continually checking for
datagrams. When a station finds a datagram addressed to its name, it receives the message.
There is no form of acknowledgement that this machine received the message, so you cannot
guarantee safe passage of any messages you send. When utilizing datagrams you can either send
messages to a specific workstation or broadcast to the entire network.

Session mode is connection oriented and lets two names (not two machines) establish a
connection. A session connection only looks at names, meaning you could have a connection
setup between two devices on the same machine. The session method allows larger messages to
be handled, and provides error detection and recovery. If a message is not received
successfully, an error is returned to the application.

NetBIOS Names

The purpose of NetBIOS names is to identify resources on a network. Applications use these
names to start and end sessions. Most of the time these sessions will be between two machines
but one can configure a single machine with multiple applications, each of which could have a
unique NetBIOS name. Each station that supports an application also has a NetBIOS station
name that is user defined. If it isn’t user defined then NetBIOS derives the name by internal
means.

A NetBIOS name is made up of 16 alphanumeric characters. Microsoft, however, limits these
names to 15 characters and uses the 16th character as a NetBIOS suffix. The purpose of the
NetBIOS suffix is to identify the functionality installed or the registered device or
service. The NetBIOS name space is flat, not hierarchical like DNS. For the NetBIOS name to be
registered, the combination of characters must be unique within the network. To gain a deeper
understanding of NetBIOS, let's look at how it registers itself. When the client machine boots
up, it broadcasts its NetBIOS information to every machine on the network. If another client
on the network already has the name, it responds with a broadcast stating that it already has
registered the NetBIOS name. At this point the new machine on the network stops trying to
register. If no other machine on the network responds, the client finishes the registration
process.

There are two types of names in a NetBIOS environment, unique and group. A unique name must
not match any other name on the network. A group name does not have to be unique and all
processes that have a given group name belong to the group. Each NetBIOS node maintains a
table of all names currently owned by that node.

NetBIOS is what makes file sharing possible. When located within a workgroup or domain, you
use NetBIOS to establish a connection when talking to shares located on other machines in your
network. Some consider NetBIOS to be a dangerous convenience in the Windows Operating System.
This paper discusses file sharing security but there are also many other risks associated with
NetBIOS such as intelligence gathering using nbtstat.exe, allowing unwanted connections via
command lines, and also allowing machines to be able to gain certain privileges you might not
want them to have. These security holes can be plugged with the appropriate practices. This
paper concentrates on enforcing file-sharing security but the above should also be considered
when looking to see if your machine is at risk.

Am I at Risk?

There are several factors to take into consideration when figuring out whether or not you are
at risk. First, check to see if file and printer sharing for Microsoft Networks is installed
as a network component on your machine. Just double click the network icon in the control
panel, select the configuration tab and click on File & Print Sharing. If the boxes on this
screen are checked, then file sharing is enabled.

Also, check to see if file and printer sharing for Microsoft Networks is bound to TCP/IP on an
adapter used for the Internet. Go back to the network icon located in the control panel and
double click it. Highlight the TCP/IP protocol that is pointing to your Network Interface
Card. Click on Properties and then on the Bindings tab. If Client for Microsoft Networks and
File and printer sharing for Microsoft Networks are installed then your adapter has file
sharing enabled.

If you want to disable the above file sharing, follow these directions:

1. On the desktop, double-click on My Computer.
2. Double-click on Control Panel.
3. Double-click on Network.
4. From the Configuration tab, click on the File & Print Sharing button.
5. Turn off file sharing and print sharing by clicking each box to remove the check marks.
6. Click on the OK button.
7. Select the TCP/IP protocol that is pointing to your Ethernet card or USB cable modem.
8. Click on the Properties button and click on the Bindings tab.
9. Click to uncheck the boxes next to "Client for Microsoft Networks" and "File and printer
   sharing for Microsoft Networks". NOTE: If there is more than one listing of TCP/IP, steps
   7-9 should be repeated.

Click the OK button twice and restart your computer.

Also check to see if Share(s) have actually been configured for file(s) and printer(s). Check
to see if options for files and printers are checked under File and Print Sharing. A big area
of vulnerability involved with file sharing is the use of easily cracked passwords. A NetBIOS
password that provides good security is one that is at least 8 characters long, a mixture of
alphabetic letters and numeric digits, not a recognizable word or phrase, not something
associated with you, different from your other previous passwords, and still something you can
remember.

There is no risk if you do not have files shared. Some administrators don’t want their users
to be able to create file shares. To uninstall NetBEUI from a machine follow these directions
as taken from http://cable-dsl.home.att.net/index.htm#CaseB:

1. Open Control Panel - Network.
2. If NetBEUI is not installed in the Configuration list:
   a. Click Add.
   b. Select Protocol.
   c. Click Add.
   d. Select Microsoft as the Manufacturer, and then NetBEUI as the Network Protocol.
   e. Click OK twice to close the Network windows.
   f. Restart your computer if prompted to do so, and then reopen Network.
3. If you do want to share files or printers on a local area network, enable File and Print
   Sharing:
   a. Click on File and Print Sharing.
   b. Check (enable) the desired options for files and/or printer(s).
   c. Click OK twice to close the Network windows.
4. Restart your computer if prompted to do so, and then reopen Network.
5. Unless you normally logon to Microsoft Networks (e.g., Windows NT/2000/XP servers), Primary
   Network Logon should be set to Windows Logon.
6. UN-bind TCP/IP from Microsoft Networking for all instances of TCP/IP that point to a
   network adapter (including Dial-Up Adapter):
   a. Open TCP/IP Properties by double-clicking on the TCP/IP entry in the Configuration list
      that points to a network adapter. If you get the long message starting "You have asked
      to change TCP/IP properties for a dial-up adapter...", click OK.
   b. Click on the Bindings tab.
   c. UN-check the option File and Printer Sharing for Microsoft Networks.
   d. UN-check the option Client for Microsoft Networks.
   e. Click OK twice to close the Network windows. If you get the message "You have not
      selected any drivers to bind with. Would you like to select one now?", click No.
7. Restart your computer if prompted to do so, and then reopen Network.
8. Make sure that NetBIOS is not enabled on all instances of TCP/IP that point to a network
   adapter (including Dial-Up Adapter):
   a. Open TCP/IP Properties by double-clicking on the TCP/IP entry in the Configuration list
      that points to a network adapter. If you get the long message starting "You have asked
      to change TCP/IP properties for a dial-up adapter...", click OK.
   b. Click on the NetBIOS tab.
   c. UN-check (if checked) the option I want to enable NetBIOS over TCP/IP.
   d. Click OK twice to close the Network windows.
9. Restart your computer if prompted to do so.
10. Close Control Panel.

Scope ID

A NetBIOS Scope ID provides an extended naming service for the NetBIOS over TCP/IP (known as
NBT) module. The primary purpose of a NetBIOS scope ID is to isolate NetBIOS traffic on a
single network to only those nodes with the same NetBIOS scope ID. The NetBIOS scope ID is a
character string that is appended to the NetBIOS name. The NetBIOS scope ID on two hosts must
match, or the two hosts will not be able to communicate. It also allows computers to use the
same computer name if they have different scope IDs. The Scope ID becomes a part of the
NetBIOS name, making the name unique. A strong Scope ID is a good way to protect against
outside intrusion. This is because computers running NetBIOS over TCP/IP with Scope ID are
invisible to other computers that do not have the same Scope ID. By default, the Scope ID is
not set, so normally computers utilizing NetBIOS over TCP/IP are visible to everyone. By
initiating the Scope ID, one basically locks out outside users trying to connect to your
NetBIOS session. For Windows 95 and 98, WINS must be enabled on the machine.
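
The 15-character name, the 16th-character suffix and the appended scope ID described under
NetBIOS Names and Scope ID can be seen together in the RFC 1001/1002 encoding that NetBIOS
over TCP/IP uses on the wire. The Python below is an added example, not part of the original
paper; its function names and three-entry suffix table are illustrative assumptions, and the
name FRED in scope NETBIOS.COM is constructed sample input.

```python
# Added example (not from the original paper): NetBIOS-over-TCP/IP name
# encoding per RFC 1001/1002. Function names and the suffix table are
# illustrative assumptions.

# Small subset of the suffix bytes Microsoft uses as the 16th character.
SUFFIXES = {
    0x00: "Workstation service",
    0x03: "Messenger service",
    0x20: "File Server service (File and Printer Sharing)",
}


def pad_name(name, suffix):
    """Build the 16-byte name: up to 15 characters, space padded, then the suffix."""
    raw = name.upper().encode("ascii")  # NetBIOS names are conventionally upper case
    if not 1 <= len(raw) <= 15:
        raise ValueError("name must be 1-15 characters")
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must fit in one byte")
    return raw.ljust(15, b" ") + bytes([suffix])


def encode_name(name, suffix, scope=""):
    """Return the wire form: 32-byte encoded name label, scope labels, 0x00."""
    label = bytearray()
    for byte in pad_name(name, suffix):
        # Each byte becomes two letters 'A'..'P', one per 4-bit half.
        label.append(0x41 + (byte >> 4))
        label.append(0x41 + (byte & 0x0F))
    wire = bytes([len(label)]) + bytes(label)
    for part in filter(None, scope.split(".")):
        enc = part.encode("ascii")
        if len(enc) > 63:
            raise ValueError("scope label longer than 63 bytes")
        wire += bytes([len(enc)]) + enc
    return wire + b"\x00"


def decode_name(wire):
    """Parse the wire form into (name, suffix, scope); reject malformed input."""
    if len(wire) < 34 or wire[0] != 32:
        raise ValueError("expected a 32-byte encoded name label")
    label = wire[1:33]
    if any(not 0x41 <= b <= 0x50 for b in label):
        raise ValueError("encoded name contains a byte outside 'A'..'P'")
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41)
                for i in range(0, 32, 2))
    scope, pos = [], 33
    while True:
        if pos >= len(wire):
            raise ValueError("missing terminating zero length")
        length = wire[pos]
        if length == 0:
            break
        if length > 63 or pos + 1 + length > len(wire):
            raise ValueError("bad or truncated scope label")
        scope.append(wire[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    name = raw[:15].decode("ascii", "replace").rstrip(" ")
    return name, raw[15], ".".join(scope)


def service_for(wire):
    """Describe what the 16th byte of an encoded name says the host registered."""
    return SUFFIXES.get(decode_name(wire)[1], "unknown suffix")


if __name__ == "__main__":
    # Constructed sample: the name FRED, suffix 0x20, scope NETBIOS.COM.
    sample = encode_name("FRED", 0x20, "NETBIOS.COM")
    print(sample)
    print(decode_name(sample), "->", service_for(sample))
    # Same name, different scope IDs: the full names differ, so no conflict.
    print(encode_name("OFFICE1", 0x20, "alpha") != encode_name("OFFICE1", 0x20, "beta"))
```

In the encoded bytes the scope labels follow the 32-letter name as plain ASCII, so the scope
ID is readable by anyone who can observe the traffic; it separates name spaces but is not a
secret.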

Fact VS Fiction

Before jumping the gun and spending unnecessary time in locking down your system, here are
some things to keep in mind about file sharing. Your machine is not automatically threatened
because File and Printer Sharing is enabled. It is only vulnerable if you have created unsafe
file shares, which the above section can help you identify. Using strong passwords following
the above rule set helps limit the chance of somebody cracking your share. Also, keep in mind
removing Client for Microsoft Networks does not protect one's machine. The larger risk comes
from the server component (i.e. File and Printer Sharing for Microsoft Networks) not the
client component (i.e. Client for Microsoft Networks). If you remove Client for Microsoft
Networks, you remove your ability to save passwords, so think about which one you remove
before you press that remove button. Finally, keep in mind that if you had unsafe file sharing
enabled on your computer and you fixed the problem, you still might have been compromised. Run
a virus checker to see if anybody has installed a virus or Trojan on your machine.

                                                                                           s.
           Conclusion

                                                                                        ht
                                                                                    rig
                   So file sharing in Windows 95, 98, and ME can carry a lot of risks, but it also
           brings a lot of rewards. Utilizing this document can help you secure file sharing. You

                                                                                ull
           also have a deeper understanding on how file sharing occurs through NetBIOS and
           windows networking. NetBIOS and file sharing have changed drastically since the late

                                                                                 f
                                                                              ns
           80s and networking technology is heading to new places. But these operating systems
           will Key fingerprint
                always          = AF19
                        be around   andFA27 2F94
                                        newer      998D FDB5
                                                interfaces      DE3D
                                                           will be    F8B5
                                                                   based on06E4 A169
                                                                            the old   4E46Keeping up
                                                                                    ones.

                                                                           tai
           with the past will prepare you for the future.


© SANS Institute 2000 - 2002            As part of GIAC practical repository.              Author retains full rights.