[Dshield] Netbios over tcpip never good ? (was spamcop listed )
allan.vanleeuwen at orangemail.nl
Mon Dec 29 11:06:23 GMT 2003
Well ok, you have some valid points :-)
At least we agree on the point that there is more to the internet than just
I actually AM running NTLM based remote control over the internet ... But
access to it has been restricted to a number of fixed IPs.
I've been doing it like that for years, and I'm very aware of kiddies trying
to crack admin passes, that has also been taken care of.
There may be some dangers in doing this the way I am ... But then again, my
friend's Linux box was only running Apache on the outside and he got owned as
Maybe we should ask our ISPs to block port 80 so nasty things like code red
will never spread again :)) And THAT was my actual point ... I hate seeing
stuff get blocked, whatever it is ... The internet should be open, even if
that means there will be some dangers lurking around.
Of course wrapping everything in encryption is better and more secure, but
worrying about skiddies that will come and sniff my unencrypted traffic is
going a bit far I think. Maybe I'm stupid, but I think that's overly
I don't usually map a drive to anyone, but I have been in situations where
it was very handy. Sometimes you cannot 'just' install an FTP server on a
So in short, I agree with you that it's not the most secure thing since
sliced bread (which is pretty damn secure ;)). But neither is Apache or IIS,
let's try not to resort to blocking these things on every possible level.
Problems can be patched, not every hole needs an elephant to close it.
From: Al Reust [mailto:areust at comcast.net]
Sent: Saturday 27 December 2003 6:11
To: General DShield Discussion List
Subject: Re: [Dshield] Netbios over tcpip never good ? (was spamcop listed)
Hi Allan et Al
I have been away and am trying to catch up on mail.
I do enjoy the discussion, some of the other replies (that I have seen) have
stated I was being simplistic. Yes I was.
You do bring up some good points, and I will attempt to address them and
expand providing food for thought.
The Internet is Many Things and Services, to an extent it is a mirror of our
Intranets, we had to have a way to connect them across the Internet.. "We"
control what we want to allow or disallow. A lot of those Intranets are a Mix
of OSes. Some of the services you mention are fine on an Intranet level,
they were never intended to reach the Real World.
However if I do anything that requires NetBIOS from Intranet to Internet
(Network/WAN) then I will wrap some kind of Secure tunnel around it.. The
Basic Microsoft Secure tunnel is IPSEC then things like Net Send will work,
NTLM will work etc.. The ISP/Backbone provider can block NetBIOS at its
border and I don't have to care that it happens. Or I let them know what I
need to provide as "exceptions" for the port/services.
NTLM, I hope you are using Version 2 which does not have the security holes
that the base version has and Forcing NTLM V2 for authentication (WAN, go
look at the Local Policy to force NTLMv2). If you are port 80 based then I
hope that you forced it to a SSL connection to wrap around NTLM. That would
mean that domain authentications would work properly and be securely
hidden. Otherwise just send in Plain Clear Text.. But then we are only
adding complexity that you or your "friend" may or may not have knowledge
Map a Drive on a Friend's computer, this has many connotations (good and
bad) and possible avenues. NetBIOS is not really needed for that, TCP/IP
works just fine if you have the right setup (It could require something
silly like an LMHosts entry and 445 TCP open in a controlled fashion). Once
again a Secure tunnel is preferred see the Links I will provide below.
What's port 445 used for in Windows 2000/XP?
How can I configure TCP/IP networking while NetBIOS is disabled in Windows
I keep reading and running across various information from time to time. I
have found several interesting and informative articles to help understand
"this" topic of this discussion. Daniel Petri describes a lot of what we
are talking about in more detail, in terms that New Users and some of "Us"
that have forgotten can understand.
You did great on the analogy, however one of the big hooks that allow bad
things to happen to unsuspecting users is NetBIOS over TCP/IP. To a large
part Microsoft automated the Recall Notice with Windows Update.. I have it
turned, Off! It then becomes "My" responsibility to go look. I go Look!
If you really start digging in the knowledge base at Microsoft and look at
WAN connections you find information that basically tells you to use IPSEC
for those connections. At the simplest level with you having NetBIOS over
TCP/IP enabled (WAN) I can find your IP address and start Brute Force
Cracking Your Administrator Password! Then I own You and Your Computer! The
Least that would happen is that when, You try to log into your own computer
that you would find that it denies you access (the account is locked), that
is presuming that you properly applied Security Policy for failed password
attempts. Otherwise you have no idea how many people are currently
attempting to break into Your Local Administrator account. Or the ones that
have Succeeded.. Who owns Your Computer?
So while you are willing to place yourself at Risk; to have the Friend that
you are trying to Help by remote connections, are you really doing Him/Her
a Service or just trying to circumvent things through open holes.
Realistically, setup an inexpensive FTP Server, there are "Free" that Force
NET SEND is fine on an Intranet, normally used/restricted to the Domain
Administrators. It was not meant to be applied to the Internet.
Remote control over Remote Servers, there are tools that can be installed
that are easy to operate that do not use simple NetBIOS, and wrap secure
tunnels around the communications. Please let me know where to setup my
packet sniffer. If you are doing this unprotected, then you really do not
own Your Servers. Some 13 year old may own them.. They just have to figure
out what would be Fun to do to them..
Now as you have stated, there are things that Microsoft should be/are
fixing. There are things that would presume that Administrators have
control over the "Intranets/home pc's" that would take care of it. In this
case ISPs have to take a more active role, they "own" the Gateway/Network
that is being abused. Had Microsoft really informed ISPs that the problem
existed and provided recommendations (this also presumes that ISPs are
willing to listen to the Evil Giant) to block NETBIOS over TCP/IP then
Blaster would have never happened. Had ISPs had both the knowledge and
understanding to ensure that bad protocols would not be routed "in" their
gateway and then routed "out" their gateway Blaster and a lot of other
things would not be happening. But, they are making Profit from Users that
are being abused! Do You enjoy paying money to be abused?
But then, this could lead back to the AOL discussion about how they control
AOL users computers for the "Safer, more Secure Internet"
Yes this is still simplistic.. For a very complex issue...
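The checks Al lists above (force NTLMv2 in Local Policy, keep NetBIOS over TCP/IP off the WAN side, apply a lockout policy for failed password attempts, and block 135, 137-139 and 445 at a border you control) can be audited on a single Windows host. The script below is an added example and is not code from either participant or from DShield. The registry value LmCompatibilityLevel, the Win32_NetworkAdapterConfiguration class with its SetTcpipNetbios method, and the NetFirewall cmdlets are standard Windows; the script name, the firewall rule names, and the choice of 5 as lockout threshold are this example's own assumptions.

```powershell
<#
  Audit-NetBiosExposure.ps1 (example, not from the thread).
  Reports the settings discussed above and, with -Remediate, applies them.
  Run from an elevated PowerShell on Windows 8 / Server 2012 or later
  (the NetFirewall cmdlets do not exist on older releases).
#>
param([switch]$Remediate)

$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# 1. "Network security: LAN Manager authentication level" in Local Security
#    Policy is stored as LmCompatibilityLevel. 5 = send NTLMv2 only and
#    refuse LM and NTLM; anything lower still answers LM/NTLMv1 challenges.
$level = (Get-ItemProperty -Path $lsaPath -Name LmCompatibilityLevel `
          -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $level) { Write-Output 'LmCompatibilityLevel: not set (OS default applies)' }
else { Write-Output "LmCompatibilityLevel: $level (want 5 = NTLMv2 only)" }
if ($Remediate -and $level -ne 5) {
    Set-ItemProperty -Path $lsaPath -Name LmCompatibilityLevel -Value 5 -Type DWord
    Write-Output '  -> LmCompatibilityLevel set to 5'
}

# 2. NetBIOS over TCP/IP per IP-enabled adapter. TcpipNetbiosOptions is
#    0 = use DHCP/default, 1 = enabled, 2 = disabled.
$names = @{ 0 = 'default (DHCP)'; 1 = 'enabled'; 2 = 'disabled' }
$nics = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $nics) {
    $opt = [int]$nic.TcpipNetbiosOptions
    Write-Output "$($nic.Description): NetBIOS over TCP/IP = $($names[$opt])"
    if ($Remediate -and $opt -ne 2) {
        # SetTcpipNetbios is the WMI method of this class; 2 = disable.
        Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
            -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
        Write-Output '  -> NetBIOS over TCP/IP disabled on this adapter'
    }
}

# 3. Lockout threshold for failed password attempts. "Never" means a remote
#    guessing attempt is never slowed down by account lockout.
$lockoutLine = (net accounts) | Where-Object { $_ -match 'Lockout threshold' }
Write-Output $lockoutLine
if ($Remediate -and $lockoutLine -match 'Never') {
    net accounts /lockoutthreshold:5 | Out-Null    # 5 attempts: this example's choice
    Write-Output '  -> lockout threshold set to 5 failed attempts'
}

# 4. Enabled inbound block rules that mention the RPC/NetBIOS/SMB ports.
#    LocalPort is text such as '445' or '137-139', so this is a text match and
#    a range like '137-139' is only recognised by its endpoints.
$ports = '135', '137', '138', '139', '445'
$covering = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True) {
    $pf = $rule | Get-NetFirewallPortFilter
    $lp = @($pf.LocalPort) -join ','
    if ($ports | Where-Object { $lp -match "\b$_\b" }) { "$($rule.DisplayName) [$($pf.Protocol) $lp]" }
}
if ($covering) { Write-Output "Inbound block rules touching 135/137-139/445:"; $covering | ForEach-Object { "  $_" } }
else { Write-Output 'No enabled inbound block rule covers TCP/UDP 135, 137-139, 445' }
if ($Remediate -and -not $covering) {
    # 'Internet' is a built-in remote-address keyword, so LAN file sharing
    # from the local subnet is left alone. Names are this example's own.
    New-NetFirewallRule -DisplayName 'Block RPC/SMB from Internet (example)' `
        -Direction Inbound -Protocol TCP -LocalPort 135, 139, 445 `
        -RemoteAddress Internet -Action Block | Out-Null
    New-NetFirewallRule -DisplayName 'Block NetBIOS name/datagram from Internet (example)' `
        -Direction Inbound -Protocol UDP -LocalPort 137, 138 `
        -RemoteAddress Internet -Action Block | Out-Null
    Write-Output '  -> added inbound block rules for TCP 135,139,445 and UDP 137,138 from Internet addresses'
}
```

Run it once without -Remediate to see the current state; the output is a reasonable checklist to compare against what the ISP or border firewall is already blocking for you. The host-level rules do not replace the IPsec tunnel Al recommends for NetBIOS across a WAN; they only make sure an unwrapped service is not reachable from arbitrary addresses in the first place.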
At 05:54 PM 12/16/2003 +0100, you wrote:
>Sorry but I have to disagree on a lot of your points.
>You are obviously somebody who thinks the internet is just FTP, HTTP and
>There are lots of reasons why ports 137,139 and 445 could be used for legal
>reasons on the internet.
>I might want to send a message using the NET SEND command.
>I might need to access a website that uses NTLM authentication instead of
>I might want to map a drive to a friend's computer..
>I might need to control my servers at work, from home ... Over netbios of
>Netbios is used for a lot of other stuff as well.
>I think it's wrong to close ports just because there are known
>vulnerabilities on it ... My opinion is, it's better to patch the holes in
>the software than just disable the whole thing coz it's an 'evil port'.
>Suppose FORD MOTORS sends out an advisory explaining that the door to the
>driver's seat could be dangerous to get into, because it has a little hook
>somewhere that some ppl have hurt themselves on ... Would you say 'Ok, from
>now on I'll just get into the other door, and work my way to the driver's
>seat someway inside the car', or would you just remove the hook that FORD
>has warned about ?
>Sorry about my really bad English, I hope the analogy was somewhat
>comprehensible to most of you ... English is obviously not my native
>From: Al Reust [mailto:areust at comcast.net]
>Sent: Tuesday 16 December 2003 7:16
>To: General DShield Discussion List
>Subject: RE: [Dshield] mail1.giac.net spamcop listed]
>SCRAPE, as I drag out the Soap Box
>I partially agree, there is one thing that I do not agree on. I can see No
>Reason that NetBIOS over TCP/IP is ever Good! That allows a remote user to
>do silly things like enumerate user accounts and password age etc.. That is
>why we block 135, 137~139, 445 and more at the Firewall.
>A statement of what "services" are blocked and various ports associated for
>a User or a Small Business that are purchasing connectivity should be in
>terms of the service agreement. The User expects to be "automatically
>protected," they are upset when they are not. They thought they were
>automatically. One of the recent "complaints" is that ISPs are not proactive
>and allow bad things through. Which side are we on?
>* If All ISPs blocked just NetBIOS over TCP/IP the script kiddies would
>have to get more knowledgeable and creative. No More browsing the Network
>Neighborhood no matter which ISP.
>* If All ISPs blocked most other ports to Dialup that could get a user in
>trouble a large number of "Us" or Virus Companies etc.. would not be
>* If All ISPs tailored required ports to what the Small Business needed we
>would not see the various things that are happening today.
>* If all ISPs only accepted port 25 connections to the local mail server
>from a directly connected IP host, or other allowances via IP only then
>SPAM would not happen.
>* If all ISPs did all of the Above we would not have seen
>Blaster/derivatives and MS would not have had to patch the OS or several
>other things that are allowed, because of the current state of the
>The World could have gone on in that "ignorant state of bliss," as it was
>before people found out you really could do things with/across Just TCP/IP
>So an appropriate Statement would be, this is done in "Your Protection" and
>if You have requirements that require other network services we will be
>happy to discuss and accommodate. Our goal is to provide the Safest, most
>complete services that we can. Then discuss what comes to "our" level of
>expertise. "We" then mitigate what needs to happen. Everyone knows after
>So we are now stuck, with building Routers that can block large portions of
>the world and still let script kiddies attempt to break the local
>"administrator" password (NetBIOS derived) on someone else's computer
>across networks.. Then they plant things that make all our lives miserable.
>While "We" are still putting Pressure on ISPs to protect us.. Why?
>Let's get "our" stories straight. If we offer a recommendation to block
>these ports and why then accommodate the "risks" for small business, it
>all can be accommodated/mitigated. But the information has to be
>Otherwise we all need to get an AOL 9.0 Account (they are violating
>everything).. If you believe their advertisements it is now the Safest,
>most Sanitized Internet.. and You do not know what they are doing... See
>previous threads.. LOL..
>Scrape as the soap box goes back into the closet..
>If You have a tirade then you are welcome to send me offline. If any of
>this strikes sense in what we have discussed over the last few months.
>Then discuss it.
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
The information contained in this message may be confidential and is
intended to be only for the addressee. Should you receive this message
unintentionally, please do not use the contents herein and notify the sender
immediately by return e-mail. Although Orange has taken steps to ensure that
this email and attachments are free from any virus, you do need to verify
the possibility of their existence as Orange can take no responsibility for
any computer virus which might be transferred by way of this email.