[Dshield] Netbios over tcpip never good ? (was spamcop listed)

Al Reust areust at comcast.net
Sat Dec 27 05:10:57 GMT 2003

Hi Allan et Al

I have been away and am trying to catch on mail.

I do enjoy the discussion, some the other replies (that I have seen) have 
stated I was being simplistic. Yes I was.

You do bring up some good points, and I will attempt address them and 
expand providing food for thought.

The Internet is Many Things and Services, to an extent is a mirror of our 
Intranets, we had to have a way to connect them across the Internet.. "We" 
control what we want to allow or disallow. A lot of those Intranets are Mix 
of OS's. Some of the services you mention are fine on an Intranet level, 
they were never intended to reach the Real World.

However if I do anything that requires NetBIOS from Intranet to Internet 
(Network/WAN) then I will wrap some kind of Secure tunnel around it.. The 
Basic Microsoft Secure tunnel is IPSEC then things like Net Send will work, 
NTML will work etc.. The ISP/Backbone provider can block NetBIOS at its 
border and I don't have to care that it happens. Or I let them know what I 
need to provide as "exceptions" for the port/services.

NTML, I hope you are using Version 2 which does not have the security holes 
that the base version has and Forcing NTML V2 for authentication (WAN, go 
look at the Local Policy to force NTLMv2).  If you are port 80 based then I 
hope that you forced it to a SSL connection to wrap around NTLM. That would 
mean that domain authentications would work properly and be securely 
hidden.  Otherwise just send in Plain Clear Text.. But then we are only 
adding complexity that you or your "friend" may or may not have knowledge of.

Map a Drive on a Friends computer, this has many connotations (good and 
bad) and possible avenues. NetBIOS is not really needed for that, TCP/IP 
works just fine if you have the right setup (It could require something 
silly like an LMHosts entry and 445 TCP open in a controlled fashion). Once 
again a Secure tunnel is preferred see the Links I will provide below.

What's port 445 used for in Windows 2000/XP?


How can I configure TCP/IP networking while NetBIOS is disabled in Windows 


I keep reading and running across various information from time to time. I 
have found several interesting and informative articles to help understand 
"this" topic of this discussion. Daniel Petri describes a lot of what we 
are talking about in more detail, in terms that New Users and some of "Us" 
that have forgotten can understand.

You did great on the analogy, however one of the big hooks that allow bad 
things to happen to unsuspecting users is NetBIOS over TCP/IP. To a large 
part Microsoft automated the Recall Notice with Windows Update.. I have it 
turned, Off! It then becomes "My" responsibility to go look.  I go Look!

If you really start digging in the knowledge base at Microsoft and look at 
WAN connections you find information that basically tells you to use IPSEC 
for those connections.   At the simplest level with you having NetBIOS over 
TCP/IP enabled (WAN) I can find your IP address and start Brute Force 
Cracking Your Administrator Password! Then I own You and Your Computer! The 
Least that would happen is that when, You try to log into your own computer 
that you would find that it denies you access (the account is locked), that 
is presuming that you properly applied Security Policy for failed password 
attempts. Otherwise you have no idea how many people are currently 
attempting to break into Your Local Administrator account. Or the ones that 
have Suceeded.. Who owns Your Computer?

So while you are willing to place yourself at Risk; to have the Friend that 
you are trying to Help by remote connections, are you really doing Him/Her 
a Service or just trying to circumvent things through open holes. 
Realistically, setup an inexpensive FTP Server, there are "Free" that Force 

NET SEND is fine on an Intranet, normally used/restricted to the Domain 
Administrators. It was not meant to be applied to the Internet.

Remote control over Remote Servers, there are tools that can be installed 
that are easy to operate that do not use simple NetBIOS, and wrap secure 
tunnels around the communications. Please let me know where to setup my 
packet sniffer. It you are doing this un-protected, then you really do not 
own Your Servers. Some 13 year old may own them.. They just have to figure 
out what would be Fun to do to them..

Now as you have stated, there are things the Microsoft should be/are 
fixing. There are things that would presumed that Administrators have 
control over the "Intranets/home pc's" that would take care of it. In this 
case ISP's have to take a more active role, they "own": the Gateway/Network 
that is being abused. Had Microsoft really informed ISP's that the problem 
existed and provided recommendations (this also presumes that ISP's are 
willing to listen to the Evil Giant) to block NETBIOS over TCP/IP then 
Blaster would have never happened. Had ISP's both the knowledge and 
understanding to insure that bad protocols would not be routed "in" their 
gateway and then routed "out" their gateway Blaster and a lot of other 
things would not be happening. But, they are making Profit from Users that 
are being abused! Do You enjoy paying money to be abused?

But then, this could lead back to the AOL discussion about how they control 
AOL users computers for the "Safer, more Secure Internet"

Yes this is still simplistic.. For a very complex issue...


At 05:54 PM 12/16/2003 +0100, you wrote:
>Sorry but I have to disagree on a lot of your points.
>You are obviously somebody who thinks the internet is just FTP, HTTP and
>There are lots of reasons why ports 137,139 and 445 could be used for legal
>reasons on the internet.
>I might want to send a message using the NET SEND command.
>I might need to access a website that uses NTLM authentication instead of
>plain text.
>I might want to map a drive to a friends computer..
>I might need to control my servers at work, from home ... Over netbios of
>Netbios is used for a lot of other stuff as well.
>I think it's wrong to close ports just because there are known
>vulnerabilities on it ... My opninion is, it's better to patch the holes in
>the software then just disable the whole thing coz it's an 'evil port'.
>Suppose FORD MOTORS sends out an advisory explaining that the door to the
>drivers seat could be dangerous to get into, because it has a little hook
>somewhere that some ppl have hurt themselves on ... Would you say 'Ok, from
>now on I'll just get into the other door, and work my way to the drivers
>seat someway inside the car', or would you just remove the hook that FORD
>has warned about ?
>Sorry about my really bad english, I hope the analogy was somewhat
>comprehensible to most of you ... English is obviously not my native
>-----Original Message-----
>From: Al Reust [mailto:areust at comcast.net]
>Sent: dinsdag 16 december 2003 7:16
>To: General DShield Discussion List
>Subject: RE: [Dshield] mail1.giac.net spamcop listed]
>Hello All
>SCRAPE, as I drag out the Soap Box
>I partially agree, there is one thing that I do not agree on. I can see No
>Reason that NetBIOS over TCP/IP is ever Good! That allows a remote user to
>do silly thing like enumerate user accounts and password age etc.. That is
>why we block 135, 137~139, 445 and more at the Firewall.
>A statement of what "services" are blocked and various ports associated for
>a User or a Small Business that are purchasing connectivity should be in
>terms of the service agreement. The User expects to be "automatically
>protected," they are upset when they are not. They thought they were
>automatically. One of the recent "complaints" are ISP's are not proactive
>and allow bad things through. Which side are we on?
>* If All ISP's blocked just NetBIOS over TCP/IP the script kiddies would
>have to get more knowledgeable and creative. No More browsing the Network
>Neighborhood no matter which ISP.
>* If All ISP's blocked most other ports to Dialup that could get a user in
>trouble a large number of "Us" or Virus Companies etc.. would not be needed.
>* If All ISP's tailored require ports to what the Small Business needed we
>would not see various things happening are happening today.
>* If all ISP's only accepted port 25 connections to the local mail server
>from a directly connected IP host, or other allowances via IP only then
>SPAM would not happen.
>* If all ISP's did all of the Above we would not have seen
>Blaster/derivatives and MS would not have had to patch the OS or several
>other things that are allowed, because of the current state of the
>The World could have gone on in that "ignorant state of bliss," as it was
>before people found out you really could do things with/across Just TCP/IP
>So an appropriate Statement would be, this is done in "Your Protection" and
>if You have requirements that require other network services we will be
>happy to discuss and accommodate. Our goal is to provide the Safest, most
>complete services that we can. Then discuss what comes to "our" level of
>expertise. "We" then mitigate what needs to happen. Everyone knows after
>that discussion.
>So we are now stuck, with building Routers that can block large portions of
>the world and still let script kiddies attempt to break the local
>"administrator" password (NetBIOS derived) on someone else's computer
>across networks.. Then they plant things that make all our lives miserable.
>While "We" are still putting Pressure on ISP's to protect us.. Why?
>Lets get "our" stories straight. If we offer a recommendation to block
>these ports and why then  accommodate the "risks" for small business, it
>all can be accommodated/mitigated. But the information has to be
>intelligently presented.
>Otherwise we all need to get an AOL 9.0 Account (they are violating
>everything).. If you believe their advertisements it is now the Safest,
>most Sanitized Internet.. and You do not know what they doing... See
>precious threads.. LOL..
>Scrape as the soap box goes back into the closet..
>If You have a tirade then you are welcome to send me offline.  It any of
>this strikes sense in what we have discusses in the over last few months.
>Then discuss it.
>De informatie opgenomen in dit bericht kan vertrouwelijk zijn en is alleen
>bestemd voor de geadresseerde. Indien u dit bericht onterecht ontvangt,
>wordt u verzocht de inhoud niet te gebruiken en de afzender direct te
>informeren door het bericht te retourneren. Hoewel Orange maatregelen heeft
>genomen om virussen in deze email of attachments te voorkomen, dient u ook
>zelf na te gaan of virussen aanwezig zijn aangezien Orange niet
>aansprakelijk is voor computervirussen die veroorzaakt zijn door deze
>The information contained in this message may be confidential and is
>intended to be only for the addressee. Should you receive this message
>unintentionally, please do not use the contents herein and notify the sender
>immediately by return e-mail. Although Orange has taken steps to ensure that
>this email and attachments are free from any virus, you do need to verify
>the possibility of their existence as Orange can take no responsibility for
>any computer virus which might be transferred by way of this email.
>list mailing list
>list at dshield.org
>To change your subscription options (or unsubscribe), see: 

More information about the list mailing list