Penetration testing is a method of examining the security of computer systems or networks. The process involves a thorough analysis of the system for any vulnerabilities arising from improper configuration, hardware faults or software errors. If any security issues are found, the impact of each issue and a technical solution for it are reported to the system owner. In this process the tester uses his knowledge and resources to behave in the same manner as an attacker would. There are different types of penetration tests, depending on the tests performed and the threats measured.
NetBIOS (Network Basic Input/Output System) is used to access network resources within a local area network. Using NetBIOS, applications can identify any resource in the local area network, such as file shares and printer shares. NetBIOS is an application layer interface, or protocol, used for writing client/server applications.
The well-known transport-level protocols used on the Internet are the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP) and SCTP. TCP provides connection-oriented, reliable, full-duplex communication between end points, whereas UDP provides connectionless, unreliable communication between end points. SCTP is used mainly in the telecom domain for implementing Diameter-based communication between the SCP and SDP. The UDP header is smaller than the TCP header. If an application wants to send data at high speed it should use UDP; if it wants to send data reliably it should use TCP or SCTP. NetBIOS sits in the session layer of the OSI model, or the application layer of the TCP/IP model. On Windows, NetBIOS applications can only use IPv4 for communication between end points.
NetBIOS applications use UDP (default port 137) for registering and resolving names with the NetBIOS name server. They use TCP (default port 139) and UDP (default port 138) for session and datagram traffic between the NetBIOS client application and the NetBIOS server application.
A NetBIOS name is sixteen bytes long and identifies a network resource in the subnet. A NetBIOS application generates the NetBIOS name from the computer name, padded and suffixed with a special sixteenth byte. The value of the sixteenth byte indicates the type of service, so there are 2^8 - 1 = 255 possible service types. When a NetBIOS application wants to communicate with one specific NetBIOS process it should use a unique name; if it wants to communicate with multiple NetBIOS applications it should use a group name. In Windows, file sharing is provided by the Server service. When the Server service starts it registers its NetBIOS name (the computer name with the suffix 0x20), either by broadcasting on the network or by unicasting to the NetBIOS name server. The Workstation service and the Messenger service also generate NetBIOS names from the computer name of the system with their own special suffix values.
When a NetBIOS application starts, it registers its NetBIOS name by sending a NetBIOS registration request, either as a broadcast on the subnet or as a unicast to the NetBIOS name server. If the name is already registered, the application receives a negative response. The IP address identifies a system uniquely within the organization and on the Internet, so a NetBIOS application that wants to communicate with a remote NetBIOS application must know its Internet Protocol (IP) address. The NetBIOS name server is a distributed database that maps NetBIOS names to IP addresses, and NetBIOS applications use UDP to resolve NetBIOS names to their IP addresses. If no NetBIOS name server is configured on the network, the application broadcasts the name resolution query on the subnet and the destination machine responds with the appropriate reply. When the application stops, it unregisters its NetBIOS name by sending a request to the name server or a broadcast on the local subnet. The NetBIOS name server is very similar to a DNS server.
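As an added example (not code from the original essay), the following Python builds the 16-byte NetBIOS name described above, applies the RFC 1001 first-level encoding that puts it on the wire, and assembles the UDP/137 name query a node sends either as a broadcast or as a unicast to the name server. All function names are this example's own.

```python
import struct

# Assumed helper names (this example's own, not from any library):
# pad_netbios_name, encode_netbios_name, decode_netbios_name, build_name_query.

def pad_netbios_name(name, suffix):
    """16-byte NetBIOS name: computer name, space-padded to 15 bytes,
    plus the one-byte service suffix (e.g. 0x20 for the Server service)."""
    raw = name.upper().encode("ascii")
    if len(raw) > 15:
        raise ValueError("a NetBIOS name holds at most 15 characters plus the suffix")
    return raw.ljust(15, b" ") + bytes([suffix])

def encode_netbios_name(name, suffix):
    """RFC 1001 first-level encoding: each byte becomes two letters A..P,
    one per nibble, giving the 32-character label sent on the wire."""
    out = bytearray()
    for b in pad_netbios_name(name, suffix):
        out.append(ord("A") + (b >> 4))
        out.append(ord("A") + (b & 0x0F))
    return bytes(out)

def decode_netbios_name(label):
    """Reverse of encode_netbios_name: returns (computer name, suffix)."""
    raw = bytes(((label[i] - ord("A")) << 4) | (label[i + 1] - ord("A"))
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]

def build_name_query(name, suffix, txid, broadcast):
    """NBNS NAME QUERY REQUEST (RFC 1002 section 4.2.12) for UDP port 137.
    Flags: opcode 0 (query) with RD set; the B bit marks a subnet broadcast
    (B node behaviour) rather than a unicast to the name server (P node)."""
    flags = 0x0100 | (0x0010 if broadcast else 0)
    # transaction id, flags, QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
    question += struct.pack(">HH", 0x0020, 0x0001)  # type NB, class IN
    return header + question

if __name__ == "__main__":
    pkt = build_name_query("WS01", 0x20, 0x1234, broadcast=True)
    print(len(pkt), pkt.hex())
```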
In Windows the administrator can configure each node with one of several node types. The node types are as follows.
1) B node: each node broadcasts a packet containing the NetBIOS name in order to find the IP address. Only the system that owns that NetBIOS name responds with its corresponding IP address.
There are basically two problems with this approach.
Broadcasts increase network traffic unnecessarily.
Two or more systems can end up with the same NetBIOS name.
2) P node: a NetBIOS name server is maintained. It is a server application that listens for NetBIOS requests and processes them, maintaining a distributed database that maps NetBIOS names to IP addresses. Whenever a request arrives, the server looks it up in the database and responds. Each computer registers its NetBIOS name with the name server while the operating system starts up; if the name already exists in the name server's database, the server refuses the registration for that node. Each computer sends address resolution requests to the name server to find the IP address corresponding to a NetBIOS name.
3) M node: the node first broadcasts the request on the local subnet, up to three times. If it gets no response, it sends a request to the NetBIOS name server.
4) H node: the node first sends a name resolution request to the NetBIOS name server. If it gets no response, it broadcasts on the local subnet.
In Windows, name resolution takes place in the following order.
1) Search the NetBIOS cache.
2) If there is no entry in the cache, the NetBIOS application sends a query to the NetBIOS name server.
3) If the NetBIOS application gets no response from the NetBIOS name server, it broadcasts the request on the local subnet.
4) If the NetBIOS application still gets no response, it searches the LMHOSTS system file.
5) If the NetBIOS application still does not find the name, it searches the DNS cache, and if there is no entry there it sends a query to the DNS server. In this step only the computer name is used, not the one-byte suffix.
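The resolution order above, simulated in Python as an added example (not from the original essay): each source is a constructed in-memory table standing in for the cache, the name server, the subnet, the LMHOSTS file and DNS, and the LMHOSTS text and all helper names are this example's own assumptions.

```python
# Constructed sample LMHOSTS contents: "<ip> <name> [#PRE] [#DOM:domain]".
LMHOSTS_SAMPLE = """# constructed sample LMHOSTS file
192.168.1.20    FILESRV01    #PRE
192.168.1.21    PRINTSRV     #PRE   #DOM:CORP
"""

def parse_lmhosts(text):
    """Map NetBIOS computer names to IPs; '#...' lines are comments, and
    trailing #PRE/#DOM keywords are ignored for resolution purposes."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        table[parts[1].upper()] = parts[0]
    return table

def resolve_name(name, suffix, cache, wins, subnet, lmhosts, dns):
    """Return (ip, source) following the order: NetBIOS cache, name server
    (WINS), subnet broadcast, LMHOSTS, DNS. Each NetBIOS source is keyed by
    (name, suffix); the DNS step uses only the computer name, never the
    16th suffix byte. Returns (None, "unresolved") when every step fails."""
    key = (name.upper(), suffix)
    if key in cache:
        return cache[key], "cache"
    if key in wins:
        cache[key] = wins[key]      # a positive answer is cached for later lookups
        return wins[key], "wins"
    if key in subnet:
        cache[key] = subnet[key]
        return subnet[key], "broadcast"
    if name.upper() in lmhosts:
        return lmhosts[name.upper()], "lmhosts"
    if name.lower() in dns:
        return dns[name.lower()], "dns"
    return None, "unresolved"

def demo():
    """Run a constructed set of queries; the second DC01 lookup hits the cache."""
    cache = {}
    wins = {("DC01", 0x20): "192.168.1.5"}
    subnet = {("LAPTOP7", 0x20): "192.168.1.77"}
    lmhosts = parse_lmhosts(LMHOSTS_SAMPLE)
    dns = {"webapp": "10.0.0.9"}
    queries = [("DC01", 0x20), ("DC01", 0x20), ("LAPTOP7", 0x20),
               ("FILESRV01", 0x20), ("WEBAPP", 0x03), ("NOSUCH", 0x20)]
    return [resolve_name(n, s, cache, wins, subnet, lmhosts, dns) for n, s in queries]
```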
With the help of NetBIOS we can share files on the network. When a user shares a folder he specifies read/write permissions for it and can also specify who may access it. Users should be very cautious when sharing folders and must not share system-related files, because an end user who can access the shared folder could copy malicious programs into it.
The nbtstat utility (the nbtstat command in Windows) gives the following information:
1) System name.
2) List of local NetBIOS names.
3) List of session tables with the destination IP address.
4) List of names resolved by broadcast and WINS.
5) List of the NBT cache of remote machine names and IP addresses.
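To see what the name table in (2) reveals about a host, here is an added Python parser (not from the original essay) for the table that nbtstat prints, mapping each suffix to the service it announces so an administrator can audit which services a machine advertises over the NetBIOS ports. The sample output is constructed for this example and the helper names are its own.

```python
import re

# Standard NetBIOS suffix meanings, keyed by (suffix, UNIQUE|GROUP).
SUFFIX_SERVICE = {
    (0x00, "UNIQUE"): "Workstation service (computer name)",
    (0x00, "GROUP"):  "Domain/workgroup name",
    (0x03, "UNIQUE"): "Messenger service (user or computer name)",
    (0x1B, "UNIQUE"): "Domain master browser",
    (0x1C, "GROUP"):  "Domain controllers",
    (0x1D, "UNIQUE"): "Master browser",
    (0x1E, "GROUP"):  "Browser service elections",
    (0x20, "UNIQUE"): "Server service (file/printer sharing)",
}
# Suffixes an administrator should expect only where sharing/messaging is intended.
EXPOSURE_SUFFIXES = {0x20, 0x03}

NAME_LINE = re.compile(r"^\s*(\S{1,15})\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)")

def parse_nbtstat(text):
    """Return (name, suffix, kind, status, service) for each table row."""
    rows = []
    for line in text.splitlines():
        m = NAME_LINE.match(line)
        if not m:
            continue   # headers, separators and the IP/scope line are skipped
        name, suffix, kind, status = m.group(1), int(m.group(2), 16), m.group(3), m.group(4)
        service = SUFFIX_SERVICE.get((suffix, kind), "unknown/other")
        rows.append((name, suffix, kind, status, service))
    return rows

def exposed_services(rows):
    """Registered names whose suffix announces a service reachable via NetBIOS ports."""
    return [(name, suffix, service) for name, suffix, kind, status, service in rows
            if suffix in EXPOSURE_SUFFIXES and status.lower() == "registered"]

# Constructed sample in the layout of "nbtstat -n" (a local name table).
SAMPLE_NBTSTAT = """\
Local Area Connection:
Node IpAddress: [192.168.1.10] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    WS01           <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    WS01           <20>  UNIQUE      Registered
    WORKGROUP      <1E>  GROUP       Registered
    JSMITH         <03>  UNIQUE      Registered
"""
```

The same parser handles the remote table printed by nbtstat -A, since the row layout is identical.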
With this information an attacker can learn about the operating system, processes, user ids and so on. An IPv4 address is a 32-bit address; because public IPv4 addresses are scarce, organizations use NAT to map the private IPs of local systems to a public IP. A firewall is implemented as a set of policies, and each policy consists of a set of rules that are applied to packet headers or data. If the firewall allows traffic to and from all of the NetBIOS ports, and the system allows NULL sessions, an attacker can penetrate the system. A null session is an unauthenticated connection to an older version of Windows, opened on TCP port 139. Using a null session and remote procedure calls, an attacker can enumerate user ids, groups, passwords, services and so on. A null session can also be used for DoS attacks, which increase the load on the system so that it no longer responds to legitimate requests.
How to mitigate these problems:
1) Administrators can configure firewalls to block traffic coming to and going from the NetBIOS ports.
2) If the administrator must allow traffic to or from the NetBIOS ports, he should allow it only for a minimal number of systems.
3) Do not allow NULL sessions.
4) When a share is allowed, require strong passwords for accessing the shared folder.
5) Use very strong passwords that include alphanumeric characters and special symbols.
6) Do not allow access to systems with guest accounts.
7) Users must not share system-related files when sharing a folder.
8) Users must not share the root folder of the hard drive.
Microsoft has come to know of many security issues with NetBIOS, and no longer supports the NetBIOS API from Windows Server 2008 and Windows Vista onward.