Heavy NetBIOS scanning - new tool?

Jeff Bollinger jeff01 at email.unc.edu
Mon Jun 17 15:24:58 GMT 2002


We've recently seen a lot of heavy NetBIOS scanning.  It's interesting 
what they're doing, and I'm not sure I understand it.  Check it out:

The protocol is SAMR (related to the SAM password file?) or possibly the 
SMB PIPE protocol.  Here is a sample of the requests:

rqst CONNECT2(...)
rqst OPEN_DOMAIN(...)
rqst ENUM_DOMAINS(...)
rqst LOOKUP_DOMAIN(...)
rqst OPEN_DOMAIN(...)
rqst ENUM_DOM_USERS(...)
rqst OPEN_USER(...)
rqst QUERY_USER_INFO(...)
rqst QUERY_SEC_OBJECT(...)


It looks like account enumeration, though I have a constant netstat 
process running on the machine that I got the traces from and I see no 
one connected (even via NULL session).  The scan begins with a probing 
of IPC$, ADMIN$, C$, and D$.  I think we're seeing a new tool, possibly 
related to the Fluxay scanner which hit us so hard with RemoteNC. 
Anyone else seen something similar?  Perhaps this is something that is 
trying to remotely crack passwords, as I did notice a local userid 
running through the data field in some of the packets.

Jeff

-- 
Jeff Bollinger
University of North Carolina
IT Security Analyst
105 Abernethy Hall
mailto: jeff_bollinger at unc dot edu

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjzETQsACgkQvoVlxVBmgsXunQCg1Pjc14nTjWiP8FCy+NNDK97E
HMAAoIRhikBeM5Lm+6Iu/0h3MX6lDgiR
=LpiV
-----END PGP SIGNATURE-----
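The request sequence quoted in the post (CONNECT2, OPEN_DOMAIN, ENUM_DOMAINS, LOOKUP_DOMAIN, OPEN_DOMAIN, ENUM_DOM_USERS, OPEN_USER, QUERY_USER_INFO, QUERY_SEC_OBJECT) preceded by probes of IPC$, ADMIN$, C$ and D$ is the classic shape of SAMR account enumeration. The script below is an added example, not Jeff's code or anything from the unisog list: it turns that shape into a per-source detection over decoded request logs. The log line format, the `tree_connect` share-probe lines and all sample IPs and timestamps are constructed for the example; a real decoder (tcpdump with SMB decoding, or a later tool such as Wireshark) will need its own parser, but the grouping and scoring logic carries over.

```python
"""Flag SAMR user-enumeration sequences in decoded SMB/DCERPC request logs.

Added example, not from the original post. It models the request order Jeff
quotes (ENUM_DOM_USERS followed by OPEN_USER / QUERY_USER_INFO per account)
as a per-source-address detection, and separately records probes of the
administrative shares the post says preceded the SAMR calls.
"""
import re
from collections import defaultdict

# Constructed log format (an assumption, not any real decoder's output):
#   "<epoch> <src_ip> rqst <SAMR_OPERATION>(...)"
#   "<epoch> <src_ip> tree_connect <SHARE>"
RQST_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<src>\S+)\s+rqst\s+(?P<op>[A-Z0-9_]+)\(")
SHARE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<src>\S+)\s+tree_connect\s+(?P<share>\S+)$")

# Administrative / IPC shares named in the post as the first thing probed.
ADMIN_SHARES = {"IPC$", "ADMIN$", "C$", "D$"}

# Constructed sample: 10.0.0.5 reproduces the sequence from the post and walks
# two accounts; 10.0.0.9 only opens the domain and stops (no user walk).
SAMPLE_LOG = """\
1024320000 10.0.0.5 tree_connect IPC$
1024320000 10.0.0.5 tree_connect ADMIN$
1024320001 10.0.0.5 tree_connect C$
1024320001 10.0.0.5 tree_connect D$
1024320002 10.0.0.5 rqst CONNECT2(...)
1024320002 10.0.0.5 rqst OPEN_DOMAIN(...)
1024320002 10.0.0.5 rqst ENUM_DOMAINS(...)
1024320003 10.0.0.5 rqst LOOKUP_DOMAIN(...)
1024320003 10.0.0.5 rqst OPEN_DOMAIN(...)
1024320003 10.0.0.5 rqst ENUM_DOM_USERS(...)
1024320004 10.0.0.5 rqst OPEN_USER(...)
1024320004 10.0.0.5 rqst QUERY_USER_INFO(...)
1024320004 10.0.0.5 rqst QUERY_SEC_OBJECT(...)
1024320005 10.0.0.5 rqst OPEN_USER(...)
1024320005 10.0.0.5 rqst QUERY_USER_INFO(...)
1024320050 10.0.0.9 rqst CONNECT2(...)
1024320050 10.0.0.9 rqst OPEN_DOMAIN(...)
1024320051 10.0.0.9 rqst LOOKUP_DOMAIN(...)
"""


def parse(log_text):
    """Group events by source: ordered (ts, op) SAMR requests and the set of shares probed."""
    ops = defaultdict(list)
    shares = defaultdict(set)
    for line in log_text.splitlines():
        m = RQST_RE.match(line)
        if m:
            ops[m["src"]].append((int(m["ts"]), m["op"]))
            continue
        m = SHARE_RE.match(line)
        if m:
            shares[m["src"]].add(m["share"])
    return ops, shares


def classify(log_text, window=60):
    """Score each source address.

    user_enumeration is set when an ENUM_DOM_USERS request is followed, within
    `window` seconds, by at least one QUERY_USER_INFO (one per account walked).
    admin_share_probe is set when any of the administrative shares was touched.
    """
    ops, shares = parse(log_text)
    findings = {}
    for src in set(ops) | set(shares):
        events = ops.get(src, [])
        users_queried = 0
        for i, (t0, op) in enumerate(events):
            if op != "ENUM_DOM_USERS":
                continue
            users_queried += sum(
                1 for ts, later in events[i + 1:]
                if later == "QUERY_USER_INFO" and ts - t0 <= window
            )
        probed = shares.get(src, set())
        findings[src] = {
            "user_enumeration": users_queried > 0,
            "users_queried": users_queried,
            "admin_share_probe": bool(probed & ADMIN_SHARES),
            "shares": sorted(probed),
        }
    return findings


if __name__ == "__main__":
    for src, f in sorted(classify(SAMPLE_LOG).items()):
        flag = "ENUM" if f["user_enumeration"] else "ok"
        print(f"{src:12} {flag:4} users={f['users_queried']} shares={f['shares']}")
```

Two points about the design: counting QUERY_USER_INFO calls after ENUM_DOM_USERS gives a rough number of accounts walked, which is the figure worth putting in an alert, and keeping the share probes separate lets a source that only touches IPC$ (which many legitimate clients do) score lower than one that probes C$ and D$ and then walks the user list.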
