Thursday, 31 March 2011

NetBIOS connection - So What's the Big Deal?

  • Anyone with a NetBIO S connection to your computer can easily get a full dump of all your usernames, groups, shares, permissions, policies, services and more using the Null user.



  • The above syntax connects to the hidden Inter Process Communication 'share' (I PC $) at IP address 192.34.34.2 with the built- in anonymous user (/u:"") with ("") null password.



  • The attacker now has a channel overwhich to attempt various techniques.



  • The CIFS/SMB and NetBIOS standards in Windows 2000 include API s that return rich information about a machine via TCP port 139 - even to unauthenticated users.

    C: \>net use \\192.168.104.81 \IPC$ "" /u: ""
    The enumeration of machines and resources in a domain also makes it easier for an attacker to break in. If he is able to anonymously obtain the names of all of the machines in a domain, and then list the resource shares on those machines, it is only a matter of time before he finds a share which is open to "Everyone". Other possibilities include password cracking for a username that was enumerated, planting a backdoor for later access, dumping sensitive information etc.
    Let us see how a null session is established and how a remote computer can be enumerated from the command line prompt of a windows machine. In the example shown below, we can see that establishing a null session on the target host reveals that the system root can be easily compromised as the default setting of 'Everyone' may not have been changed, and the shares are visible to all.


In a NULL session, the TCP/IP connection to port 139 is made first with the following: net use \\127.0.0.1.i\ipc$ "" /user:"". This is followed by using the session layer protocols SMB and NetBIOS to access the hidden remote IPC share IPC$. The IPC$ is a special hidden share which allows communication between two processes on the same system (Inter Process Communication). The IPC$ share is an interface to the 'server' process on the machine. It is also associated with a pipe so it can be accessed remotely. This technique was programmatically written into an old exploit called the Red Button attack. This was addressed and fixed by Microsoft in Service Pack 3 for NT 4.0.

Once the attacker has a list of the remote shares, he could then attempt to map to a remote share. An example of the command structure for the attack is shown in the screenshot above. This attack will only work if the share is not password protected or shared out to the 'everyone' group.

Access to the hard drive is a serious security breach. Even if the attacker does not map a drive, he can gather sensitive information such user accounts, password policy and similar data that he can exploit later to continue his attack on the system. This may not be apparent to the victim initially, and the attacker can take the advantage of the time lapse for more information gathering and planting malicious code such as a virus or a Trojan. The open file share attack generally makes Trojan planting extremely easy to do. For instance, an intruder might try to place a key logger batch into the start-up folder to collect further information and perhaps log on later as an authenticated users.

0 comments:

Post a Comment

Powered by Blogger.