9.3 The NetBIOS Name Service


The NetBIOS name service is accessible through UDP port 137. In particular, the service can process NetBIOS Name Table (NBT) requests, commonly found in environments where Windows is used along with workgroups, domains, or Active Directory components.

9.3.1 Enumerating System Details

You can easily enumerate the following system details by querying the name service:

  • NetBIOS hostname

  • The domain of which the system is a member

  • Authenticated users currently using the system

  • Accessible network interface MAC addresses

The inbuilt Windows nbtstat command can enumerate these details remotely. Example 9-13 shows how it can be run against 192.168.189.1.

Example 9-13. Using nbtstat to dump the NetBIOS name table
    C:\> nbtstat -A 192.168.189.1

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    WEBSERV        <00>  UNIQUE      Registered
    WEBSERV        <20>  UNIQUE      Registered
    OSG-WHQ        <00>  GROUP       Registered
    OSG-WHQ        <1E>  GROUP       Registered
    OSG-WHQ        <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    WEBSERV        <03>  UNIQUE      Registered
    __VMWARE_USER__<03>  UNIQUE      Registered
    ADMINISTRATOR  <03>  UNIQUE      Registered

    MAC Address = 00-50-56-C0-A2-09

Example 9-13 shows that the hostname is WEBSERV, the domain is OSG-WHQ, and the two current users are __vmware_user__ and Administrator. Table 9-3 lists common NetBIOS name codes and descriptions.

Table 9-3. Common NetBIOS Name Table (NBT) names and descriptions

    NetBIOS code     Type     Information obtained
    ---------------  -------  ------------------------------------------------------------
    <00>             UNIQUE   Hostname
    <00>             GROUP    Domain name
    <host name><03>  UNIQUE   Messenger service running for that computer
    <username><03>   UNIQUE   Messenger service running for that individual logged-in user
    <20>             UNIQUE   Server service running
    <1D>             GROUP    Master browser name for the subnet
    <1B>             UNIQUE   Domain master browser name, identifies the PDC for that domain
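The following is an added example, not code from the book: a small Python parser that applies the Table 9-3 codes to captured nbtstat output, so you can review what a host you administer discloses through its name table. The function name parse_name_table and the result keys are assumptions made for this illustration; the sample input is the name table from Example 9-13.

```python
import re

ROW = re.compile(r"^\s*(.+?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+\S+")
MAC = re.compile(r"MAC Address = ((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})")
# Suffixes from Table 9-3 that identify a service rather than a name.
SERVICES = {"20": "server service", "1D": "master browser",
            "1B": "domain master browser (PDC)"}

def parse_name_table(text):
    """Interpret `nbtstat -A` output using the codes in Table 9-3."""
    info = {"hostname": None, "domain": None, "users": [],
            "services": [], "other": [], "mac": None}
    rows = []
    for line in text.splitlines():
        if m := ROW.match(line):
            rows.append((m[1], m[2].upper(), m[3]))
        elif m := MAC.search(line):
            info["mac"] = m[1]
    # First pass: the two <00> entries differ only by type.
    for name, code, kind in rows:
        if code == "00":
            info["hostname" if kind == "UNIQUE" else "domain"] = name
    # Second pass: <03> is a user unless the name is the hostname itself.
    for name, code, kind in rows:
        if code == "03" and kind == "UNIQUE":
            if name != info["hostname"]:
                info["users"].append(name)
        elif code in SERVICES:
            info["services"].append(SERVICES[code])
        elif code != "00":
            info["other"].append(f"{name}<{code}>")  # not in Table 9-3
    return info

# Sample input: the rows and MAC line from Example 9-13.
SAMPLE = """\
WEBSERV        <00>  UNIQUE      Registered
WEBSERV        <20>  UNIQUE      Registered
OSG-WHQ        <00>  GROUP       Registered
OSG-WHQ        <1E>  GROUP       Registered
OSG-WHQ        <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered
WEBSERV        <03>  UNIQUE      Registered
__VMWARE_USER__<03>  UNIQUE      Registered
ADMINISTRATOR  <03>  UNIQUE      Registered
MAC Address = 00-50-56-C0-A2-09
"""

if __name__ == "__main__":
    for key, value in parse_name_table(SAMPLE).items():
        print(f"{key}: {value}")
```

Names with codes that Table 9-3 does not list, such as <1E> and <01> in the sample, are collected under "other" rather than guessed at.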

9.3.2 Attacking the NetBIOS Name Service

The NetBIOS name service is vulnerable to a number of attacks if UDP port 137 is accessible from the Internet or a nontrusted network. MITRE CVE lists these issues, shown in Table 9-4.

Table 9-4. NetBIOS name service vulnerabilities

    CVE name       Date        Notes
    -------------  ----------  ------------------------------------------------------------
    CVE-1999-0288  25/09/1999  Malformed NBNS traffic results in WINS crash.
    CVE-2000-0673  27/07/2000  NBNS doesn't perform authentication, which allows remote attackers to cause a denial of service by sending a spoofed Name Conflict or Name Release datagram.
    CAN-2003-0661  03/09/2003  NBNS in Windows NT 4.0, 2000, XP, and Server 2003 may include random memory in a response to a NBNS query, which can allow remote attackers to obtain sensitive information.



Network Security Assessment
Network Security Assessment: Know Your Network
ISBN: 059600611X
EAN: 2147483647
Year: 2006
Pages: 166
Authors: Chris McNab
