Services in More Detail

Chapter 3 - Windows Honeypot Modeling
Honeypots for Windows
by Roger A. Grimes
Apress 2005

Some Windows services require more discussion to adequately understand which ports they open and what banner text may need to be displayed to a hacker. Here, we’ll look at the following services:

  • RPC

  • NetBIOS

  • RDP

  • Simple TCP/IP Services

  • FTP

  • Telnet Server

  • IIS

  • Exchange Server


RPC

RPC runs on TCP and UDP port 135 and is in all versions of Windows from 95 onward (although it did not gain real significance until Windows NT). RPC, which is also used by many other OSs, allows a client system or process to execute commands on a server or server process. In Windows, RPC supports the OS’s connections between the different processes it is running. If you were to remove RPC from Windows, Windows would crash. Virtually every Windows process relies on RPC, from initial login to shutdown, and everything in between.

In Windows, port 135 is also known as the endpoint mapper. When RPC services and processes start up, they are assigned a randomly chosen available port number. These randomly chosen ports are usually above port number 1023. The endpoint mapper process keeps track of which processes are running on which port numbers. When another process wants to contact an RPC service, it first queries the endpoint mapper, which reveals on which port the particular RPC service is listening. The remote process can then directly connect to the requested RPC service.

The RPC server gained attention in 2003, due to the Blaster worm, which exploited Windows NT, 2000, XP, and 2003 machines using a buffer overflow exploit. It was the first major exploit of Windows Server 2003, and it had far-reaching effects within the computer industry. The RPC hole that the worm exploited was announced (along with published exploit code) just three weeks before the worm was released. Immediately, security monitors around the world picked up significant increases in port 135 traffic. Microsoft, all the major Internet security authorities, and even the FBI recommended that people download Microsoft’s RPC patch. Not enough people did: three weeks later, when the worm was released, it infected over a million PCs.

Because every version of Windows has RPC and needs it to function, you should have that port enabled on a Windows honeypot. Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 include code that further secures RPC services, to help prevent future attack vectors.


NetBIOS

Microsoft’s NetBIOS ports are the most common ports running on any Windows computer. Hackers and worms will look for them, probe them, and try to exploit them. It is essential that a Windows honeypot be running or emulating NetBIOS services. This section will describe NetBIOS operations in enough detail so that your honeypot’s scripts and services can return legitimate-looking information to NetBIOS queries.


NetBIOS can be turned off completely in Microsoft’s latest OS versions (Windows 2000 and above). However, many Windows features and older legacy applications still rely on NetBIOS to operate, so you should not disable NetBIOS without testing. In a few years, as older applications and Windows clients fade away, NetBIOS will cease to exist in most networks.

Microsoft Sharing

NetBIOS is the heart of the File and Printing Service and Network Neighborhood, and it runs over ports 137, 138, 139, and 445. NetBIOS is a layer 5 session protocol that allows the advertising and sharing of printers, files, directories, services, and applications across a network. It works above the network layer (it doesn’t understand IP and MAC addresses) and relies on easy-to-read, text-based names.

The workhorse of NetBIOS is the SMB protocol. SMB is a file sharing protocol that rides on top of NetBIOS. NetBIOS, in turn, rides on top of other network protocols, usually TCP or UDP packets.

Starting with Windows 2000, an updated version of SMB was released and is known as the CIFS protocol. CIFS is a suite of protocols that support network object naming, advertising of those objects, and remote connection sessions. CIFS is used by many OSs besides Microsoft, including the hugely popular open-source product, Samba.

Depending on who is discussing the subject, Microsoft’s sharing mechanism may be called CIFS, NetBIOS, or SMB, and all are correct, depending on the context.

NetBIOS Names

NetBIOS names are attractive because they allow users to share resources over networks without needing to remember complicated number series. NetBIOS names are 16 characters long, although only 15 characters can be used for the name in practice. If the name chosen by the end user or computer is less than 15 characters, the protocol will pad the name with zeros until it is 15 characters long. The sixteenth character byte, called a suffix, is reserved to indicate the purpose of the NetBIOS name. Table 3-9 lists some common NetBIOS name suffixes. For more information about these suffixes, see Microsoft Knowledge Base article 163409, “NetBIOS Suffixes (16th Character of the NetBIOS Name).”

Table 3-9: Common NetBIOS Suffixes

NetBIOS Object Description

  • Workstation name

  • Domain or workgroup name

  • IIS computer name

  • Messenger service, computer name

  • Master browser

  • Messenger service, user name

  • File server service

  • Exchange MSMail connector

  • Exchange Store

  • Exchange Directory

  • Exchange Internet Mail Connector

  • Exchange Message Transfer Agent

  • Domain master browser

  • Domain controller machine name

As you can see in Table 3-9, NetBIOS names are associated with a type. NetBIOS name types are unique or group. Unique NetBIOS names are names for computers, services, and shares that are assigned to a single computer resource. Group NetBIOS names are used for describing collections of things, like workgroups and domains. (There are some NetBIOS types other than unique and group, but they aren’t as common.) Together, all three NetBIOS name components—the 15-character name, the suffix, and the type—identify a NetBIOS object. In order to emulate particular Windows computers, you need to create NetBIOS names that support your honeypot environment.

You can run the nbtstat -n command to list local NetBIOS names. Listing 3-1 shows the results of nbtstat -n on my Windows 2000 computer.

Listing 3-1: Nbtstat -n Output

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    BANNERET       <00>  UNIQUE      Registered
    BANNERETWG     <00>  GROUP       Registered
    BANNERET       <20>  UNIQUE      Registered
    BANNERET       <03>  UNIQUE      Registered
    PHR            <1E>  GROUP       Registered
    INet~Services  <1C>  GROUP       Registered
    IS~BANNERET.   <00>  UNIQUE      Registered
    PHR            <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    GRIMESPL       <03>  UNIQUE      Registered
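To build the name table your honeypot will answer with, it helps to see the three components (15-character name, suffix, type) as the bytes they become. The Python below is an added example, not code from the book or from any Windows component: it assembles registrations like those in Listing 3-1 for a given computer name, workgroup and logged-in user, renders them in nbtstat layout, and encodes each one the way it travels inside NetBIOS Name Service packets. The suffix values are the ones Listing 3-1 shows, and their meanings follow the Microsoft KB 163409 article the text cites; padding uses the space character (0x20) and the A..P “first-level” encoding specified by RFC 1001/1002. The function names and the sample names passed in at the bottom are my own.

```python
# Added example (not from the book or from any Windows component): assemble the
# NetBIOS registrations a honeypot should hold, and encode them as they appear on
# the wire.  Suffix values mirror Listing 3-1; padding and the A..P "first-level"
# encoding follow RFC 1001/1002 (which pad short names with the space character).

UNIQUE, GROUP = "UNIQUE", "GROUP"
_PAD = b" "                       # RFC 1001 pads names shorter than 15 bytes with spaces


def netbios_name_table(computer, workgroup, user, iis=False):
    """Return (name, suffix, type) tuples like the rows nbtstat -n prints for a
    workstation that shares files, runs Messenger and is the workgroup's master
    browser.  Suffix meanings are those of Microsoft KB 163409."""
    computer, workgroup, user = (s.upper()[:15] for s in (computer, workgroup, user))
    table = [
        (computer,  0x00, UNIQUE),   # Workstation service (computer name)
        (workgroup, 0x00, GROUP),    # Domain or workgroup name
        (computer,  0x20, UNIQUE),   # File server service
        (computer,  0x03, UNIQUE),   # Messenger service, computer name
        (user,      0x03, UNIQUE),   # Messenger service, user name
        (workgroup, 0x1E, GROUP),    # Browser service elections
        (workgroup, 0x1D, UNIQUE),   # Master browser
        ("\x01\x02__MSBROWSE__\x02", 0x01, GROUP),  # master browser announcements
    ]
    if iis:                          # the two IIS names visible in Listing 3-1
        table += [("INet~Services", 0x1C, GROUP), (("IS~" + computer)[:15], 0x00, UNIQUE)]
    return table


def netbios_name_bytes(name, suffix):
    """The 16-byte NetBIOS name: 15 bytes of name (space padded) plus the suffix."""
    raw = name.encode("ascii")
    if len(raw) > 15:
        raise ValueError("a NetBIOS name holds at most 15 characters")
    return raw.ljust(15, _PAD) + bytes([suffix])


def first_level_encode(name, suffix):
    """RFC 1002 first-level encoding: every nibble becomes a letter A..P, so the
    16 bytes turn into the 32-character label seen in Name Service packets."""
    return "".join(chr(65 + (b >> 4)) + chr(65 + (b & 0x0F))
                   for b in netbios_name_bytes(name, suffix))


def first_level_decode(label):
    """Inverse of first_level_encode(); returns (name_without_padding, suffix)."""
    if len(label) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in label):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(label[i]) - 65) << 4) | (ord(label[i + 1]) - 65)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(_PAD).decode("ascii"), raw[15]


def format_name_table(table):
    """Render the table in the layout of nbtstat -n (Listing 3-1); bytes that are
    not printable, such as the 0x01/0x02 in __MSBROWSE__, are shown as dots."""
    lines = [f"{'Name':<20}{'Type':<10}Status", "-" * 44]
    for name, suffix, kind in table:
        shown = "".join(c if c.isprintable() else "." for c in name)
        lines.append(f"{shown:<15}<{suffix:02X}> {kind:<10}Registered")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: the computer, workgroup and user names from Listing 3-1.
    table = netbios_name_table("BANNERET", "BANNERETWG", "GRIMESPL", iis=True)
    print(format_name_table(table))
    for name, suffix, _ in table[:3]:
        print(f"{name:<14} <{suffix:02X}> -> {first_level_encode(name, suffix)}")
```

The 32-letter form is what a sniffer shows in the question section of a port 137 packet; the familiar “FHEPFCELEHFCEPFFFACACACACACACAAA” seen on most Windows networks is simply WORKGROUP with suffix 00 passed through first_level_encode().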

NetBIOS Operations

Those of us who have been using Windows for more than five years often confuse NetBIOS with Microsoft’s NetBEUI. The NetBIOS Extended User Interface (NetBEUI) protocol was installed by default in older versions of Windows as a way to transport NetBIOS traffic. NetBEUI had many limitations, not the least of which was that it was not routable. NetBEUI was replaced by TCP/IP as the underlying network protocol choice when TCP/IP became ubiquitous. NetBIOS over TCP/IP is called NetBT or NBT. Today, when people say NetBIOS, they mean NetBT specifically.

In most Windows versions, you can enable or disable NetBT as a selection within the TCP/IP protocol properties. When enabled along with file and printer sharing, ports 137 through 139 and 445 (on Windows 2000 and above) become active and listening. Port 137 is the NetBIOS Name Service and is used to map NetBIOS names to IP addresses (when on a TCP/IP network). When a computer requests a NetBIOS name or sends one, this port is involved.

The NetBIOS Name Service runs on UDP, and more rarely, on TCP. When a Windows machine starts up (if NetBT is enabled), the machine will send a NetBIOS broadcast request to register its name. If another machine says it already has the same name, NetBIOS will alert you and display an error. When a NetBIOS machine is shut down, it sends another NetBIOS broadcast packet that announces that it is releasing the name. In theory, this is so another machine can use it, but in practice, this usually doesn’t happen.

Windows computers can register with a WINS server or DNS server to help cut down on broadcasts. When either of these two services is available and answering name resolution requests, computers will query the WINS or DNS server directly, instead of sending out NetBIOS broadcasts. This reduces broadcasts and decreases the chance of name conflict.


After the NetBIOS Name Service converts a NetBIOS name to an IP address, ARP is used to convert the IP address to a MAC address for packet delivery. As soon as the MAC address is learned by the sending computer, the NetBIOS Name Service is no longer needed for that session.

Once NetBIOS name resolution is done, applications and the Windows OS can use one of two choices to send data:

  • Port 138 is the NetBIOS Datagram Service, which provides for the delivery of NetBIOS data via UDP datagrams. Applications that need speed more than they need reliable delivery will choose the NetBIOS Datagram Service.

  • Port 139 is the NetBIOS Session Service, which uses TCP to establish and maintain connection-oriented sessions. Applications and services that need guaranteed, connection-oriented delivery will use the NetBIOS Session Service.

Port 138 is most often used for browser service notifications and in making the resources available in Network Neighborhood. As anyone who has used the Windows Network Neighborhood feature can attest, the Network Neighborhood discovery process can be time-consuming and error-prone. For that reason, most applications use the more reliable services of port 139. The bulk of NetBIOS traffic, especially file and printer sharing data exchanges, is sent via the NetBIOS Session Service.

Starting with Windows 2000, Microsoft took reliance on the NetBIOS protocol suite out of SMB communications. The CIFS file protocol, also known as SMB over TCP/IP, occurs on port 445. On Windows 2000 and above, if NBT is enabled, SMB communications occur over both NetBIOS ports and CIFS. If NBT is disabled, SMB communications occur on only port 445. NBT can be disabled only if all necessary communicating computers can use port 445.

Table 3-10 summarizes the different NetBIOS ports. No matter what role your Windows honeypot is mimicking, it should have these ports open. However, Windows honeypots prior to Windows 2000 should not have port 445.

Table 3-10: NetBIOS Ports

  • Name Service, port 137 (UDP; TCP is possible but much less common): NetBIOS Name Service is much like DNS, but for Microsoft NetBIOS names. It resolves NetBIOS names to IP addresses on a TCP/IP network.

  • Datagram Service, port 138 (UDP): Used by applications and services needing speedy, but not necessarily reliable, delivery of NetBIOS communications. Used in Network Neighborhood browsing.

  • Session Service, port 139 (TCP): Used by applications and services needing reliable, connection-oriented NetBIOS data delivery. It carries the bulk of NetBIOS traffic on a typical Windows network.

  • Microsoft CIFS, port 445: On Windows versions 2000 and above, this port remains open, even if NetBIOS over TCP/IP is disabled. It can be closed only by turning off file and printer sharing.

There are several good and detailed sources on NetBIOS, including the following:

  • “NetBIOS: Friend or Foe?”

  • Implementing CIFS, “Introduction”

  • “Windows Internet Naming Service (WINS): Architecture and Capacity Planning”

NetBIOS/CIFS Attacks

Common hacker attacks against NetBIOS and CIFS are host enumeration and share exploits. Host enumeration is the process of discovering what computers and services are available through name requests. Any Windows machine, by default, will allow other machines and tools to query it for registered NetBIOS names. Prior to Windows 2000, even an anonymous remote user over the Internet with access to the NetBIOS ports could learn the computer name, logged-in user name, printer shares, file shares, domain name, domain controllers, and names and locations of other services (like IIS and Exchange Server). Using this information, hackers could explore the network using machine and user names in potential exploits. Letting hackers enumerate a Windows PC is considered a very high-risk event. Common NetBIOS enumeration tools include nbtscan, Winfo, and the NetBIOS Auditing Tool.

Hackers and Internet worms are constantly looking for weakly password-protected shares. It is very common for users to establish folder shares that are either not password-protected or weakly password-protected. The hackers and worms can enumerate shares and try to guess passwords. But how often are weakly password-protected shares actually created in the real world? The fact is that some of the Internet’s most popular and fastest spreading worms rely on infecting weak shares as their primary method for spreading. Windows 9x and earlier clients are considered difficult to protect because their sharing mechanisms contain bugs, even if you use strong passwords.

If you are trying to protect your network, always block ports 137 through 139 and 445 at the firewall. If you’re running a Windows honeypot, make sure you have those ports open. If hackers use a port scan and find those ports open, they will know they’ve found a Windows machine. You can create emulation scripts to send back basic information to probes on the NetBIOS ports, or use the mere presence of an open NetBIOS port to trap worms.

For example, the Bugbear worm arrives as an e-mail attachment. Once executed, it drops a RAT (remote-access trojan, described in Chapter 1) and keystroke logger, and then begins traveling the network, looking for and infecting files on weakly protected NetBIOS shares. A honeypot with open NetBIOS ports could capture the worm by logging its share-infecting routine. You could then execute the text captured in the log in a safe environment and learn the activities of the worm. This is what antivirus vendors did the day the worm was discovered. Disassembling its code alone was not the quickest way to learn what it did. Watching the worm in action and recording its activities were the most expedient ways to handle it.


RDP

RDP is the protocol used with Windows Terminal Server and related services. By default, it runs over TCP port 3389. Several years ago, Microsoft bought the rights to some of Citrix’s WinFrame remote-connectivity technology, which led to Microsoft Terminal Server. Terminal Server allows one or more remote computers to use thin-client software to run applications on a server.

The Terminal Server feature set is included in Windows 2000 and Windows 2003 as an optional installed component. It is called Terminal Services, Application Mode in Server 2003. Microsoft expanded the Terminal Services and RDP technology to allow system administrators to be able to remotely manage Windows 2000, XP, and Server 2003 computers. Using the RDP protocol and clients, up to two remote connections can be made for administrative purposes. In Windows XP, the remote administration feature is called Remote Desktop, and in Windows Server 2003, it is called Remote Desktop for Administration.

The latest versions of RDP encrypt the communication sessions so that no data beyond the initial login name is sent in clear text. To date, the only known attack against RDP and Terminal Services is a brute-force, password-guessing attack. However, you may want to open port 3389 to see if hackers are interested in it.


Older Citrix remote clients and Microsoft RDP clients can connect to any of Microsoft’s Terminal Server products (although the newer features may not be available).

Simple TCP/IP Services

For reasons unknown to me, but probably having to do with a large client needing the feature set, since Windows NT Server 4.0, Microsoft has provided the following five rarely used Simple TCP/IP services in a TCP/IP add-on component:

  • Character Generator, running on TCP and UDP port 19

  • Daytime, running on TCP and UDP port 13

  • Discard, running on TCP and UDP port 9

  • Echo, running on TCP and UDP port 7

  • Quote of the Day, running on TCP and UDP port 17

These services are installed and removed as one component. Consequently, if you use one of the ports, you should use them all, and open them for both UDP and TCP.

I usually don’t open these ports on my honeypots, because I don’t want to fool hackers into thinking they’ve found a Unix box and because so few exploits exist for these services.


FTP

When a client connects to an FTP server for the first time, it uses TCP port 21. This is known as the control channel. But after the initial connection, the port can be changed based on the FTP mode, which is usually requested by the client. In standard mode, after a client connection is made, data is transferred on TCP port 20. That’s why in port numbering lists, you will always see FTP listed as FTP 21-Control and FTP 20-Data. If the client and server support passive mode (also known as port mode), the client sends a PASV command over the control port. The FTP server then opens a random TCP port between 1024 and 5000, and tells the client the port number. Microsoft’s command-line FTP client, ftp.exe, supports only standard mode. Internet Explorer 5.0 and above support both standard and passive modes.

How does this affect your honeypot if you are going to emulate FTP? First, always advertise port 21. If you want to mimic interactive FTP capabilities, you may want to dynamically open port 20 after the client successfully connects. Also, consider whether or not your FTP honeypot will respond to the PASV command. If you are trying to emulate the FTP service running on IIS, it should.

If you want to build a low-interaction script or service for the hacker to interact with, Microsoft FTP has the following characteristics:

  • FTP must be installed as an add-on component of IIS. It does not exist as a stand-alone component.

  • Windows supports standard and passive mode FTP.

  • Strangely, unlimited logins can be attempted by default. Windows does not disconnect the session because of too many login attempts or too many bad passwords.

  • Authentication can be anonymous or NTLM.

  • The default connection timeout is 900 seconds.

  • The default directory is C:\Inetpub\ftp.

  • Directory listings (returned to the client when they send the DIR command) can be MS-DOS style (mm-dd-yy time filesize filename), which is the default, or Unix-style (ACLs owner group filesize datespelledout timeam/pm filesize filename).

When you connect to a Microsoft FTP service, the banner looks similar to Listing 3-2 (the items within angle brackets are variables).

Listing 3-2: Microsoft FTP Service Login Banner

    Connected to <domain name or host IP address>
    220 <machinename> Microsoft FTP Service (Version 5.0).
    User (<domain name or IP address>:(none)): <login name>
    331 Password required for <login name>.
    Password:
    230 User <login name> logged in.
    ftp>

The FTP Service version number is displayed by default and relates to the version of IIS installed. This is true except for the latest version with IIS 6.0, which does not display a version number. With that lone exception, a hacker finding an active Microsoft FTP Service can often fingerprint the IIS version pretty quickly.
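The following Python is an added example (not the book’s code and not Microsoft’s FTP service) of a low-interaction control-channel emulator built from the characteristics listed above: the Listing 3-2 banner keyed to the IIS version (and no version number when emulating IIS 6.0), unlimited login attempts without ever disconnecting, a PASV reply naming a port in the 1024 to 5000 range, and a 900-second idle timeout. Accepting only anonymous logins is my choice for a honeypot, and the reply wordings other than those in Listing 3-2 (the 530, 227, 257 and 500 lines) are assumptions rather than IIS’s exact text. The host name, address and socket handling are mine as well.

```python
# Added example (not the book's code and not Microsoft's FTP service): a
# low-interaction emulation of the IIS FTP control channel with the traits the
# text lists.  Reply wordings other than those in Listing 3-2 are assumptions.
import random
import socket


class IisFtpEmulator:
    """Conversation state for one control connection on TCP port 21."""

    IDLE_TIMEOUT = 900                  # IIS default connection timeout (seconds)

    def __init__(self, hostname, iis_version="5.0", host_ip="192.0.2.10", rng=random):
        self.hostname, self.iis_version, self.host_ip = hostname, iis_version, host_ip
        self.rng = rng
        self.user = None
        self.logged_in = False
        self.login_attempts = 0         # counted for the log, never used to disconnect

    def banner(self):
        """Listing 3-2 banner; IIS 6.0 is the one version that omits its number."""
        if self.iis_version == "6.0":
            return f"220 {self.hostname} Microsoft FTP Service"
        return f"220 {self.hostname} Microsoft FTP Service (Version {self.iis_version})."

    def handle(self, line):
        """Return the reply for one command line (CRLF already stripped)."""
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            self.user, self.logged_in = arg, False
            return f"331 Password required for {arg}."
        if cmd == "PASS":
            if self.user is None:
                return "503 Login with USER first."
            self.login_attempts += 1    # unlimited attempts, as on Windows
            if self.user.lower() == "anonymous":   # honeypot policy: anonymous only
                self.logged_in = True
                return f"230 User {self.user} logged in."
            return "530 User cannot log in."
        if cmd == "QUIT":
            return "221"
        if not self.logged_in:
            return "530 Please login with USER and PASS."
        if cmd == "PASV":               # IIS answers PASV with a port in 1024-5000
            port = self.rng.randint(1024, 5000)
            p1, p2 = divmod(port, 256)
            octets = self.host_ip.replace(".", ",")
            return f"227 Entering Passive Mode ({octets},{p1},{p2})."
        if cmd == "PWD":
            return '257 "/" is current directory.'
        if cmd == "TYPE":
            return f"200 Type set to {arg or 'A'}."
        if cmd in ("LIST", "NLST", "RETR", "STOR"):
            return "425 Can't open data connection."
        return f"500 '{line.strip()}': command not understood"


def handle_connection(conn, peer_ip, hostname="BANNERET", iis_version="5.0"):
    """Drive one client through the emulator; returns the log lines to record."""
    emu = IisFtpEmulator(hostname, iis_version)
    conn.settimeout(IisFtpEmulator.IDLE_TIMEOUT)
    conn.sendall((emu.banner() + "\r\n").encode("ascii"))
    log, buf = [], b""
    while True:
        try:
            data = conn.recv(1024)
        except socket.timeout:
            log.append(f"{peer_ip} idle timeout after {emu.login_attempts} login attempts")
            return log
        if not data:
            return log
        buf += data
        while b"\r\n" in buf:
            raw, buf = buf.split(b"\r\n", 1)
            line = raw.decode("latin-1")
            reply = emu.handle(line)
            log.append(f"{peer_ip} > {line!r} < {reply}")   # every guess is evidence
            conn.sendall((reply + "\r\n").encode("ascii"))
            if reply.startswith("221"):
                return log


def serve(bind=("0.0.0.0", 21)):
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(bind)
        srv.listen(5)
        while True:
            conn, peer = srv.accept()
            with conn:
                for entry in handle_connection(conn, peer[0]):
                    print(entry)


if __name__ == "__main__":
    serve()
```

Keeping the protocol logic in IisFtpEmulator.handle() and the sockets in handle_connection() means the dialogue can be tested by feeding it command strings, and the same class can be dropped behind whatever listener framework the honeypot already uses.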

Telnet Server

Telnet Server (Tlntsvr.exe) is available in Windows 2000, XP, and Server 2003. When a telnet client connects to Telnet Server, the client is allowed to log in with a user account name and password.

It is interesting to note that, by default, Microsoft’s Telnet Server allows only NTLM-authenticated connections. You can edit the Registry to allow other forms of authentication (such as LAN Manager or Kerberos), but you might be able to use this tidbit to your advantage. When a hacker connects to the server, the banner your honeypot returns can deny the login connection due to the lack of appropriate NTLM credentials, as shown in Listing 3-3.

Listing 3-3: Telnet Server Logon Banner Text

    NTLM Authentication failed due to insufficient credentials. Please login with clear
    text username and password
    Server allows NTLM authentication only
    Server has closed connection
    Connection to host lost.

    H:\Security Tools>
    Microsoft (R) Windows 2000 (TM) Version 5.00 (Build 2195)
    Welcome to Microsoft Telnet Client
    Telnet Client Build 5.00.99206.1

    Escape Character is 'CTRL+]'

    You are about to send your password information to a remote computer in Internet
    zone. This might not be safe. Do you want to send it anyway(y/n):

Windows network administrators can use telnet to remotely administer their network, but its command-line nature leaves much to be desired. Consequently, in Windows 2000 and Server 2003, two administrative connections to Microsoft Terminal Services are allowed. Terminal Services runs on TCP port 3389. On honeypots emulating new Windows servers, you may want to open this port to give the server an authentic feel.


IIS

The first version of IIS was released with Windows NT 3.51 Service Pack 3. All versions support HTTP, FTP, and NNTP. The earlier versions also had Gopher, but Gopher was discontinued when Internet search engines replaced its functionality. Microsoft’s ASP language, an SMTP virtual server, Index Server, and ISAPI filters were added in the middle versions. Version 6.0 has some new components, including the Background Intelligent Transfer Service (BITS) and Internet Printing.

All along, IIS has been a popular, and therefore often attacked, web server. Having IIS emulation on your honeypot will probably increase its malicious traffic twofold, if not more. Mimicking IIS is probably one of the more complex issues for an emulated honeypot, although several honeypots do offer limited interaction via scripts. We will work with an IIS script in Chapter 7. Here, we will cover some of the basic essentials when mimicking an IIS server.

IIS Versions

First, you need to make sure that you place the correct version of IIS with the correct OS. IIS has several versions, running from 1.0 to 6.0. Table 3-11 shows the IIS versions and their associated OSs.

Table 3-11: IIS Versions and Related Operating Systems

  • IIS 1.0: Windows NT Server 3.51 with Service Pack 3

  • IIS 2.0: Windows NT Server 4.0 Service Pack 2 or lower

  • IIS 3.0: Windows NT Server 4.0 Service Pack 3 or higher

  • IIS 4.0: Windows NT Server 4.0 Service Pack 3 or higher with Windows NT Option Pack added

  • IIS 5.0: Windows 2000

  • IIS 5.1: Windows XP Professional

  • IIS 6.0: Windows Server 2003

When a client connects to IIS and requests content, IIS returns the content prepended with header information (called an HTTP header). The header information is returned to assist browsers with displaying the content correctly. Many web servers return their application name and version number in the header field called Server. Although this value can be modified to say anything, most web administrators aren’t security experts and don’t bother. Hackers can probe IIS and read the HTTP header to determine which IIS version is running, which reveals the host OS version because of the known relationship shown in Table 3-11.

There are many ways of reading the HTTP header, but one of the most popular methods is using Netcat, a utility introduced in Chapter 1. You can use Netcat to connect to port 80 of a web server, type in GET HEAD/ HTTP/1.0, and press Enter twice to return the HTTP header. In Listing 3-4, I used Netcat to check the IIS version of a web site.

Listing 3-4: Using Netcat to Retrieve IIS HTTP Headers

    nc <web server address> 80
    GET HEAD/ HTTP/1.0

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Sun, 31 Aug 2003 17:23:38 GMT
    Connection: Keep-Alive
    Content-Length: 655
    Content-Type: text/html
    Set-Cookie: ASPSESSIONIDSQDRSSQR=IADHIFBBGBKNDHIGBIBGDELC; path=/
    Cache-control: private

The first two lines are what I typed in, followed by the returned HTTP header indicating the web site is running IIS 5.0. This also tells me that the web server is probably running on Windows 2000. If I were a hacker, I would then begin to research and use exploits known to work against IIS 5.0 or Windows 2000.

If you plan to offer interaction with IIS on your emulated honeypot, make sure the IIS version matches the underlying operating system.

IIS Directory Structure

Many times, after hackers learn that the web server is running IIS, they then try a buffer overflow exploit, like Code Red. Whatever buffer overflow exploit they run, if it is successful, they usually end up with a command-line prompt on the web server. An IIS emulation session can act like the exploit was successful and give the hacker a fake file directory structure. IIS installs by default to the C:\Inetpub folder, with its component subfolders directly beneath. Table 3-12 shows the default folders and subfolder locations of an IIS installation.

Table 3-12: Default IIS Folders and Subfolders

  • C:\Inetpub: Main IIS folder

  • Script files

  • Sample files

  • Administrative scripts

By merely returning the default subdirectory structure to hackers, you’ll probably be able to capture uploaded files and tricks they had planned to do with the web server.

IIS Virtual SMTP Servers

Spammers are targeting IIS servers looking for virtual SMTP servers, because most web administrators leave them as open relays. If you telnet to an IIS virtual SMTP server (on port 25), you’ll get banner text resembling Listing 3-5.

Listing 3-5: IIS Virtual SMTP Server Banner Text

    220 <computername> Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at
    Sat, 30 Aug 2003 22:44:51 -0400

The version number reveals the IIS version, so if you include this emulation, be sure the virtual SMTP banner backs up the IIS version.

The banner text is slightly different than Exchange Server SMTP banner text. The IIS virtual SMTP server says ESMTP MAIL Service. Exchange Server shows ESMTP Server (Microsoft Exchange Internet Mail Service <version>).
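The version-consistency points made about the HTTP Server header, the FTP banner and the virtual SMTP banner all reduce to one rule: every service on the emulated host must claim the same IIS version, and therefore the same OS. The Python below is an added example, not from the book, of enforcing that from a single profile, together with a fingerprint_iis() function that reads the IIS version back out of a captured response such as Listing 3-4 and applies the Table 3-11 relationship (useful for auditing your own servers’ leakage as much as for understanding what a visitor learns). The IIS-to-OS map follows Table 3-11; the entries for IIS 2.0 through 5.1 come from IIS release history rather than this page’s text. The check that the virtual SMTP build number begins with the IIS version is my own heuristic drawn from Listing 3-5 (IIS 5.0 alongside build 5.0.2195.6713), and the class and function names are mine.

```python
# Added example (not from the book): one profile drives the HTTP Server header,
# FTP banner and SMTP banner of an emulated host so they all claim the same IIS
# version, and fingerprint_iis() reads the version back out of a captured header.
import email.utils
import time

# IIS version -> OS it shipped with (Table 3-11; 2.0 to 5.1 from IIS release history).
IIS_TO_OS = {
    "1.0": "Windows NT Server 3.51 (Service Pack 3)",
    "2.0": "Windows NT Server 4.0 (Service Pack 2 or lower)",
    "3.0": "Windows NT Server 4.0 (Service Pack 3 or higher)",
    "4.0": "Windows NT Server 4.0 with the Option Pack",
    "5.0": "Windows 2000",
    "5.1": "Windows XP Professional",
    "6.0": "Windows Server 2003",
}


class WindowsHostProfile:
    """Banner set for an emulated Windows host.  smtp_build is the four-part
    version the IIS virtual SMTP server shows (Listing 3-5); exchange_version,
    if given, switches the SMTP banner to the Exchange wording (Listing 3-6)."""

    def __init__(self, hostname, iis_version, smtp_build=None, exchange_version=None):
        if iis_version not in IIS_TO_OS:
            raise ValueError(f"unknown IIS version {iis_version!r}")
        self.hostname = hostname
        self.iis_version = iis_version
        self.smtp_build = smtp_build
        self.exchange_version = exchange_version

    @property
    def operating_system(self):
        return IIS_TO_OS[self.iis_version]

    def http_response(self, body, now=None):
        """Minimal IIS-style response in the shape of Listing 3-4."""
        date = email.utils.formatdate(now if now is not None else time.time(), usegmt=True)
        head = "\r\n".join([
            "HTTP/1.1 200 OK",
            f"Server: Microsoft-IIS/{self.iis_version}",
            f"Date: {date}",
            "Connection: Keep-Alive",
            f"Content-Length: {len(body)}",
            "Content-Type: text/html",
            "Cache-control: private",
        ])
        return head + "\r\n\r\n" + body

    def ftp_banner(self):
        if self.iis_version == "6.0":                 # IIS 6.0 shows no version
            return f"220 {self.hostname} Microsoft FTP Service"
        return f"220 {self.hostname} Microsoft FTP Service (Version {self.iis_version})."

    def smtp_banner(self, now=None):
        if self.exchange_version:                     # Exchange wording, Listing 3-6
            return (f"220 {self.hostname} ESMTP Server (Microsoft Exchange Internet "
                    f"Mail Service {self.exchange_version}) ready")
        date = email.utils.formatdate(now if now is not None else time.time(), localtime=True)
        return (f"220 {self.hostname} Microsoft ESMTP MAIL Service, "
                f"Version: {self.smtp_build} ready at {date}")

    def inconsistencies(self):
        """Banner combinations that would let a visitor catch the emulation lying.
        The SMTP-build check is a heuristic from Listing 3-5, where IIS 5.0 is
        accompanied by build 5.0.2195.6713."""
        problems = []
        if self.smtp_build and not self.exchange_version:
            if not self.smtp_build.startswith(self.iis_version + "."):
                problems.append(f"SMTP build {self.smtp_build} does not match IIS {self.iis_version}")
        if self.exchange_version and self.smtp_build:
            problems.append("both an IIS virtual SMTP build and an Exchange version are set")
        return problems


def fingerprint_iis(response):
    """Read the Server header from an HTTP response (as captured with Netcat) and
    return (iis_version, probable_os), or None if it is not an IIS banner."""
    head = response.replace("\r\n", "\n").split("\n\n", 1)[0]
    for line in head.split("\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            value = value.strip()
            if value.startswith("Microsoft-IIS/"):
                version = value[len("Microsoft-IIS/"):]
                return version, IIS_TO_OS.get(version, "unknown Windows version")
            return None
    return None


if __name__ == "__main__":
    profile = WindowsHostProfile("BANNERET", "5.0", smtp_build="5.0.2195.6713")
    print(profile.ftp_banner())
    print(profile.smtp_banner())
    print(profile.inconsistencies() or "banners consistent")
    print(fingerprint_iis(profile.http_response("<html></html>")))
```

Run the profile through fingerprint_iis() before deploying it: if the Server header decodes to a different OS than the one the rest of the honeypot pretends to be, the emulation is already inconsistent.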

Exchange Server

Exchange Server is one of Microsoft’s best-selling products and comprises a large portion of the Internet and corporate mail server market. The most popular versions are 5.0, 5.5, 2000, and 2003. Most Exchange Server servers support SMTP (port 25), POP3 (port 110), NNTP (port 119), and IMAP4 (port 143) protocols and their secured SSL/TLS cousins (ports 465, 995, 563, and 993, respectively). Since Exchange Server 2000, it has supported Active Directory and LDAP integration (ports 389 and 390). It also allows users with a browser to connect to the Exchange database, through IIS, and retrieve their e-mail (using functionality called Outlook Web Access). Within a local area network, Exchange Server uses RPC to communicate between Exchange servers and clients, not SMTP as some people suspect.


Both SSL and TLS use digital certificates to authenticate the server and to provide an encrypted communications channel between the client and the server.

The banners Exchange Server replies with are determined by the mail service connection. Listing 3-6 lists the banner replies for Exchange Server with SMTP, POP3, IMAP4, and NNTP.

Listing 3-6: Banner Text Received from Various Exchange Server Services

    220 <machine name> ESMTP Server (Microsoft Exchange Internet Mail Service <version>) ready
    +OK Microsoft Exchange POP3 server version 5.5.2448.8 ready
    +OK Microsoft Exchange 2000 POP3 server version 6.5.6803.0 (<machine name>) ready
    * OK Microsoft Exchange IMAP4rev1 server version 5.5.2448.8 (<machine name>) ready
    200 OK Microsoft Exchange Internet News Service Version 5.5.2448.8 (posting allowed)

Honeypots for Windows (Books for Professionals by Professionals)
ISBN: 1590593359