From: SMTP%"coxa@cableol.net" 27-SEP-1996 18:49:08.14
To: EVERHART
CC:
Subj: BoS: Re: NT security et al (Dangers of NetBIOS/NBT?)

Resent-Date: Sat, 28 Sep 1996 05:22:11 +1000
Approved-By: ALEPH1@UNDERGROUND.ORG
Content-Type: text
Approved-By: Alan Cox
Message-ID: <199609270817.JAA03630@cableol.net>
Date: Fri, 27 Sep 1996 09:17:34 +0100
Reply-To: Alan Cox
Sender: Bugtraq List
From: Alan Cox
X-To: nal@spirit.com.au
To: Multiple recipients of list BUGTRAQ
In-Reply-To: <01BBABE3.B9135B40@raven.spirit.com.au> from "Nick and Debbie Leask" at Sep 26, 96 07:44:07 pm
Approved: proff@suburbia.net
Resent-Message-ID: <"ViXO63.0.3v.Yb2Jo"@suburbia>
Resent-From: best-of-security@suburbia.net
X-Mailing-List: archive/latest/420
X-Loop: best-of-security@suburbia.net
Precedence: list
Resent-Sender: best-of-security-request@suburbia.net
Subject: BoS: Re: NT security et al (Dangers of NetBIOS/NBT?)

> I've read fairly similar sentiments about having NetBIOS or NBT floating
> around on our internet/firewall subnets, but I've not heard anyone
> discussing exactly what the dangers of this are. There are obvious
> 'pains in the butt' when this is happening (such as lots of unnecessary
> deny messages logged against firewall bastion or router logs), but
> that's about all... Can someone expand in detail what the known or
> perceived dangers of NetBIOS or NBT are?

o Windows 3.11 has share bugs Microsoft will apparently never fix, whereby
  any share allows the whole disk to be accessed by using a ../../.. type
  construct and the smbfs client code.

o Early Windows 95 seems to have the same bug.

  In both cases this can be a disaster, as the Windows .PWL files up until
  the latest Win95 patches are trivially crackable.

o Windows NT apparently has a bug whereby users can erase the entire NT
  server disk in the default NT configuration.

o There is no encryption of data, so all the usual spoofing attacks work.

o There are ways to trip the clients into doing plain text password
  authentications (Yum yum ;)).

o There is no failed authentication logging on Windows, so a dictionary
  attack can run all week and there won't be so much as a blip in the logs.

All of these are exploitable over TCP/IP as well. Very handy for breaking
into Windows 95 machines on a remote network and adding a binary and
changing autoexec.

Whether you block outgoing NetBIOS sessions is an open question; blocking
incoming ones is a foregone conclusion.

Novell NetWare is only slightly more secure. You do get some protection if
that is suitably set up, but users can bring down Novell 3 servers by
sending a suitable packet, and can really mess around by broadcasting fake
license messages. Since Novell has directed broadcast, that can be done
across IPX backbones.

Alan
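As an added example, not part of Alan's post or the thread, the following Python scan counts inbound NBT-port denies per source in a few constructed firewall log lines, so that repeated session attempts from one host are visible at the perimeter even though the post notes the Windows hosts themselves log no failed authentications. The log format, addresses and the threshold are assumptions.

```python
import re
from collections import Counter

# Ports carried by NetBIOS over TCP/IP (NBT): name service, datagram, session.
NBT_PORTS = {137: "nbname/udp", 138: "nbdgram/udp", 139: "nbsession/tcp"}

# Constructed sample of perimeter deny-log lines (assumed format, not from any real device).
SAMPLE_LOG = """\
Sep 27 09:01:02 bastion deny tcp 203.0.113.7:1025 -> 198.51.100.10:139
Sep 27 09:01:03 bastion deny udp 203.0.113.7:137 -> 198.51.100.255:137
Sep 27 09:01:04 bastion deny tcp 203.0.113.7:1026 -> 198.51.100.10:139
Sep 27 09:01:05 bastion deny tcp 203.0.113.7:1027 -> 198.51.100.10:139
Sep 27 09:02:10 bastion deny tcp 192.0.2.44:40000 -> 198.51.100.10:25
Sep 27 09:03:11 bastion deny udp 192.0.2.9:138 -> 198.51.100.255:138
"""

LINE_RE = re.compile(
    r"deny (?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_denies(text):
    """Yield (src, dst, proto, dport) for each deny line the regex understands."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dport"])


def nbt_hits_by_source(text):
    """Count denied packets aimed at an NBT port, keyed by source address."""
    counts = Counter()
    for src, _dst, _proto, dport in parse_denies(text):
        if dport in NBT_PORTS:
            counts[src] += 1
    return counts


def flag_repeat_sources(text, threshold=3):
    """Sources with at least `threshold` NBT hits: the perimeter-side signal for a
    password-guessing run that the Windows endpoint itself would never record."""
    return sorted(src for src, n in nbt_hits_by_source(text).items() if n >= threshold)


if __name__ == "__main__":
    for src, n in nbt_hits_by_source(SAMPLE_LOG).most_common():
        print(f"{src}: {n} NBT hits")
    print("flagged:", flag_repeat_sources(SAMPLE_LOG))
```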