[Dshield] Netbios over tcpip never good ? (was spamcop listed)

Johannes B. Ullrich jullrich at sans.org
Tue Dec 16 17:29:04 GMT 2003

> There are lots of reasons why ports 137,139 and 445 could be used for legal
> reasons on the internet.

The question about Netbios over untrusted networks is not about
'legality'. The real question is if it makes sense or not.

> I might want to send a message using the NET SEND command.

Yes. But what would that accomplish? The recipient has no idea where the
message came from. The message can be intercepted as well. So you have
no confidentiality or authentication whatsoever, diminishing the
usefulness of these messages. In addition, if you need to keep your
system open for 'NET SEND', you will have to accept all the popup spam
as well.

> I might need to access a website that uses NTLM authentication instead of
> plain text.

If you try to protect the content of the website, and don't trust the
connection enough to use clear text, you probably have https set up
anyway. NTLM will just 'encrypt' the authentication. In addition, make
sure that you are not sending the LanMan hash with your NTLM data.
(e.g. you need to apply the System Key fix...)

> I might want to map a drive to a friend's computer..

Doing so over an unprotected network is risky at best. Microsoft will
tell you not to do so ;-).

> I might need to control my servers at work, from home ... Over netbios of
> course.

Could you please send me the IPs for these servers? I can always use
more hardware ;-)

> Netbios is used for a lot of other stuff as well.
> I think it's wrong to close ports just because there are known
> vulnerabilities on it ... My opinion is, it's better to patch the holes in
> the software than just disable the whole thing coz it's an 'evil port'.

It's not a matter of patching. Netbios is not supposed to be secure. If
you need to connect to systems/networks via Netbios, use a VPN.

CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 786 1563            
  fax: (617) 786 1550                          jullrich at sans.org
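
Added example, not part of the original message: one way to check the point above about not sending LanMan data alongside NTLM, by parsing the type 3 message from an `Authorization: NTLM` header and reporting what its LM field carries. The function names, return labels and sample bytes are constructed for illustration; the field offsets follow the NTLMSSP authenticate message layout, and a message with the 4-byte flags field at offset 60 is assumed.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
ESS_FLAG = 0x00080000  # NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY

def _field(msg, pos):
    """Return the payload named by a (length, max length, offset) descriptor."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]

def classify_lm_field(header_value):
    """Say what the LM field of an 'NTLM <base64>' type 3 message carries."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Authorization value")
    msg = base64.b64decode(blob)
    if len(msg) < 64 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message with a flags field")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not a type 3 (authenticate) message")
    lm, nt = _field(msg, 12), _field(msg, 20)
    flags = struct.unpack_from("<I", msg, 60)[0]
    if not any(lm):
        return "none"              # empty or all-zero LM field
    if len(nt) > 24:
        return "ntlmv2"            # LM field holds an LMv2 response
    if flags & ESS_FLAG:
        return "client-nonce"      # NTLMv1 + extended session security
    if lm == nt:
        return "nt-copy"           # client configured not to send LM
    return "lm-response"           # derived from the LanMan hash

def build_sample(lm, nt, flags=0):
    """Constructed type 3 message (user 'alice'); not captured traffic."""
    user = "alice".encode("utf-16-le")
    parts = (lm, nt, b"", user, b"", b"")  # LM, NT, domain, user, host, key
    header, offset = SIGNATURE + struct.pack("<I", 3), 64
    for part in parts:
        header += struct.pack("<HHI", len(part), len(part), offset)
        offset += len(part)
    header += struct.pack("<I", flags)
    return "NTLM " + base64.b64encode(header + b"".join(parts)).decode()

if __name__ == "__main__":
    weak = build_sample(bytes(range(1, 25)), bytes(range(101, 125)))
    print(classify_lm_field(weak))
```

Only the `lm-response` result means the client is still answering with LanMan-derived data; the other labels describe fields that are populated but do not expose it.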

