The Functions Of Netbios Computer Science Essay

NetBIOS was developed by IBM and sytek as an API for client software to access LAN resources anda also for accessing networking services. Netbios has extended its services to use netbios interface to operate on IBM token ring architecture.

Netbios(network basic input/output system) is a program which allows communication between applications of different computer to communicate with in a LAN . netbios allow applications to talk on network and isolate program of hardware dependencies.

In recent Microsoft windows operating systems NetBIOS is included as a part of NETBIOS extended user interface(NetBEUI) and it is also used in Ethernet and token ring. NetBIOS frees the application from understanding the details of network including error recovery and request is provided in the form of a Network control block (NCB) specifies a message location and the name of a destination.

NetBIOS provides services for session and transport services in the OSI model with out any data format . the standard format is provided by NetBUI. Netbios provides two communication modes session and the datagram among which session mode provides conversation between computers which provides error detection and error recovery.

NetBIOS provides an API(application program interface) for software developers which includes network related functions and commands which can be incorporated into software programs. For example, a programmer can use a prewritten NetBIOS function to enable a software program to access other devices on a network. This is much easier than writing the networking code from scratch.

The communication in NetBIOS is carried out using a format called network control blocks . the allocation of these blocks is based on the users program and is reserved for input and output respectively.

Netbios supports connection oriented (TCP) and connectionless(UDP) communication and also broadcaste and multicasting services like naming, session and datagram

FUNCTIONS of NETBIOS

Netbios allows applications to talk to each other using protocols like TCP/IP which supports netbios.netbios is a session/transport layer protocol which can be seen as netbeui and netbt . the main function sof NetBIOS are

Starting and stopping sessions

Name registration

Session layer data transfer(reliable)

Datagram data transfer (un reliable)

Protocol driver and network adapter management functions

General or NETBIOS status

This service helps in gathering the information about aparticular network name and terminate a trace at local or a remote system.

NETBIOS name services

NetBIOS name table (NBT) service processes can be used with active directories components, domains and workgroups. The system details can be enumerated by querying the name service. Add, add group, delete and find, the naming services provide the capability to install a LAN adapter card can be done using netbios name services.

NETBIOS Session Services

Session services provides authentication across workgroups and provides access to resources like files and printers. Once the authentication is done session services provide reliable data transfer by establishing sessions between names over which data can be transmitted. Messages that are send are acknowledge by the receiving station, if an expected acknowledgement is not received the sender retransmit the message

NETBIOS Datagram services

The datagram services are used to define the way in which a host encapsulates information to netbios header , so that when a request occurs the information from the header is extracted and stores it in the cache. Datagram services allows sending messages one by one, broadcast without requiring a connection. The messages can be send to different networks by knoeing individual names or group names.

http://www.fvsolutions.com/Support/index3.htm

2. How can NetBIOS be used to enumerate a Domain, a Host

NetBIOS Enumeration Utility (NBTEnum) is a utility for Windows that can be used to enumerate NetBIOS information from one host or a range of hosts. The enumerated information includes the network transports, NetBIOS name, account lockout threshold, logged on users, local groups and users, global groups and users, and shares.

If run under the context of a valid user account additional information is enumerated including operating system information, services, installed programs, Auto Admin Logon information and encrypted WinVNC/RealVNC passwords. This utility will also perform password checking with the use of a dictionary file. Runs on Windows NT 4.0/2000/XP/2003. PERL source included.

Examples :

* nbtenum -q 192.168.1.1 – Enumerates NetBIOS information on host 192.168.1.1 as the null user.

* nbtenum -q 192.168.1.1 johndoe “” – Enumerates NetBIOS information on host 192.168.1.1 as user “johndoe” with a blank password.

* nbtenum -a iprange.txt – Enumerates NetBIOS information on all hosts specified in the iprange.txt input file as the null user and checks each user account for blank passwords and passwords the same as the username in lower case.

* nbtenum -s iprange.txt dict.txt – Enumerates NetBIOS information on all hosts specified in the iprange.txt

input file as the null user and checks each user account for blank passwords and passwords the same as the username in lower case and all passwords specified in dict.txt if the account lockout threshold is 0.

http://www.secguru.com/link/nbtenum_netbios_enumeration_utility

3. What vulnerabilities are associated with netbios and how they can be exploited?

The following are the some of the vulneabilities of the netbios and their exploitations

Windows NetBIOS Name Conflicts vulnerability

The Microsoft Windows implementation of NetBIOS allows an unsolicited UDP datagram to remotely deny access to services offered by registered NetBIOS names. An attacker can remotely shut down all Domain Logins, the ability to access SMB shares, and NetBIOS name resolution services.

Vulnerable systems:

Microsoft Windows 95

Microsoft Windows 98

Microsoft Windows NT

Microsoft Windows 2000

NetBIOS Name Conflicts, defined in RFC 1001 (15.1.3.5), occur when a unique NetBIOS name has been registered by more than one node. Under normal circumstances, name conflicts are detected during the NetBIOS name discovery process. In other words, a NetBIOS name should only be marked in conflict when an end node is actively resolving a NetBIOS name.

The delivery of an unsolicited NetBIOS Conflict datagram to any Microsoft Windows operating system will place a registered NetBIOS name into a conflicted state. Conflicted NetBIOS names are effectively shut down since they cannot respond to name discovery requests or be used for session establishment, sending, or receiving NetBIOS datagrams.

The security implications of conflicting a NetBIOS name depend upon the NetBIOS name affected. If the NetBIOS names associated with the Computer Browser service are conflicted, utilities such as Network Neighborhood may become unusable. If the Messenger Service is affected, the “net send” command equivalents are unusable. If NetLogon is conflicted, Domain logons can not be authenticated by the affected server, thus allowing an attacker to systematically shutdown the NetLogon service on all domain controllers in order to deny domain services. Finally, conflicting the Server and Workstation Services will stop access to shared resources and many fundamental NetBIOS services such as NetBIOS name resolution.

Microsoft Windows 9x NETBIOS password verification vulnerability.

A vulnerability exists in the password verification scheme utilized by Microsoft Windows 9x NETBIOS protocol implementation. This vulnerability will allow any user to access the Windows 9x file shared service with password protection. Potential attackers don’t have to know the share password.

Vulnerable systems:

– Microsoft Windows 95

– Microsoft Windows 98

– Microsoft Windows 98 Second Edition

Immune systems:

– Windows NT 4.0

– Windows 2000

Anyone can set a password to protect Microsoft Windows 9x system’s shared resources. But a vulnerability in the password verification scheme can be used to bypass this protection. To verify the password, the length of the password depends on the length of the data sent from client to server. That is, if a client sets the length of password to a 1 byte and sends the packet to server, the server will only compare the first byte of the shared password, and if there is a match, the authentication will be complete (the user will be granted access). So, all an attacker need to do is to guess and try the first byte of password in the victim. Windows 9x remote management system is also affected since it adopts the same share password authentication method.

Exploit:

Here is one simple example to demonstrate this bug. Get samba source package and modify source/client/client.c like this:

— samba-2.0.6.orig/source/client/client.c Thu Nov 11 10:35:59 1999

+++ samba-2.0.6/source/client/client.c Mon Sep 18 21:20:29 2000

@@ -1961,12 +1961,22 @@ struct cli_state *do_connect(char *serve

DEBUG(4,(” session setup okn”));

+/*

if (!cli_send_tconX(c, share, “?????”,

password, strlen(password)+1)) {

DEBUG(0,(“tree connect failed: %sn”, cli_errstr(c)));

cli_shutdown(c);

return NULL;

}

+*/

+

+ password[0] = 0;

+ c->sec_mode = 0;

+ do{

+

+ password[0]+=1;

+

+ }while(!cli_send_tconX(c, share, “?????”, password, 1));

Flaw in NetBIOS Could Lead to Information Disclosure

Network basic input/output system (NetBIOS) is an application-programming interface (API) that can be used by programs on a local area network (LAN). NetBIOS provides programs with a uniform set of commands for requesting the lower-level services required to manage names, conduct sessions, and send datagrams between nodes on a network. 

This vulnerability involves one of the NetBT (NetBIOS over TCP) services, namely, the NetBIOS Name Service (NBNS). NBNS is analogous to DNS in the TCP/IP world and it provides a way to find a system’s IP address given its NetBIOS name, or vice versa. 

Under certain conditions, the response to a NetBT Name Service query may, in addition to the typical reply, contain random data from the target system’s memory. This data could, for example, be a segment of HTML if the user on the target system was using an Internet browser, or it could contain other types of data that exist in memory at the time that the target system responds to the NetBT Name Service query. 

An attacker could seek to exploit this vulnerability by sending a NetBT Name Service query to the target system and then examine the response to see if it included any random data from that system’s memory. 

If best security practices have been followed and port 137 UDP has been blocked at the firewall, Internet based attacks would not be possible.

To exploit this vulnerability, an attacker would have to be able to send a specially-crafted NetBT request to port 137 on the target system and then examine the response to see whether any random data from that system’s memory is included. In intranet environments, these ports are usually accessible, but systems that are connected to the Internet usually have these ports blocked by a firewall. 

How could an attacker exploit this vulnerability? 

An attacker could seek to exploit this vulnerability by sending NetBT Name Service queries to a target system and then examining the responses for arbitrary data from the target system’s memory. 

NetBIOS Name Server Protocol Spoofing (Patch available)

Microsoft has released a patch that eliminates a security vulnerability in the NetBIOS protocol implemented in Microsoft Windows systems. This can be exploited to cause a denial of service attack.

Affected Software Versions:

 – Microsoft Windows NT 4.0 Workstation

 – Microsoft Windows NT 4.0 Server

 – Microsoft Windows NT 4.0 Server, Enterprise Edition

 – Microsoft Windows NT 4.0 Server, Terminal Server Edition

 – Microsoft Windows 2000

The NetBIOS Name Server (NBNS) protocol, part of the NetBIOS over TCP/IP (NBT) family of protocols, is implemented in Windows systems as the Windows Internet Name Service (WINS). By design, NBNS allows network peers to assist in managing name conflicts. Also by design, it is an unauthenticated protocol and therefore subject to spoofing. A malicious user could misuse the Name Conflict and Name Release mechanisms to cause another machine to conclude that its name was in conflict. Depending on the scenario, the machine would as a result either be unable to register a name on the network, or would relinquish a name it already had registered. The result in either case would be the same – the machine would not respond requests sent to the conflicted name anymore.

If normal security practices have been followed, and port 137 UDP has been blocked at the firewall, external attacks would not be possible.

A patch is available that changes the behavior of Windows systems in order to give administrators additional flexibility in managing their networks. The patch allows administrators to configure a machine to only accept a name conflict datagram in direct response to a name registration attempt, and to configure machines to reject all name release datagrams. This will reduce but not eliminate the threat of spoofing. Customers needing additional protection may wish to consider using IPSec in Windows 2000 to authenticate all sessions on ports 137-139.

Patch Availability:

 – Windows 2000:

   http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23370

 – Windows NT 4.0 Workstation, Server, and Server, Enterprise

   Edition:Patch to be released shortly.

 – Windows NT 4.0 Server, Terminal Server Edition: Patch to be

   released shortly.

4. How can the security problems associated with netbios be mitigated?

Defending against external NetBIOS connections

If NetBIOS has to be allowed, the first step is to ensure that only a very small number of devices are accessible.  As you’ll see, leaving your network open to external NetBIOS traffic significantly increases the complexity of system hardening.  Complexity is the enemy of system assurance.

Next, ensure that the exposed systems are hardened by,

Disabling the system’s ability to support null sessions

Defining very strong passwords for the local administrator accounts

Defining very strong passwords for shares, assuming you absolutely have to have shares on exposed systems

Keeping the Guest account disabled

Under no circumstances allowing access to the root of a hard drive via a share

Under no circumstances sharing the Windows or WinNT directories or any directory located beneath them

Crossing your fingers

Mitigating Factors

Any information disclosure would be completely random in nature.

By default, Internet Connection Firewall (ICF) blocks those ports. ICF is available with Windows XP and Windows Server 2003.

To exploit this vulnerability, an attacker must be able to send a specially crafted NetBT request to port 137 on the destination computer and then examine the response to see whether any random data from that computer’s memory is included. For intranet environments, these ports are typically accessible, but for Internet-connected computers, these ports are typically blocked by a firewall

Some of the ways in which the intruder can be prevented from attacking the target system are

Limit the network hosts that can access the service.

Limit the user who accesses the service.

Configure service which allows only authenticated connections.

Limit the degree of access that would permit a user to change configuration of networks.

links

http://www.securiteam.com/windowsntfocus/5WP011F2AA.html

http://www.securiteam.com/windowsntfocus/5MP02202KW.html

http://www.securiteam.com/windowsntfocus/5DP03202AA.html

http://www.secguru.com/link/nbtenum_netbios_enumeration_utility

http://www.securityzero.com/uploaded_files/vulnerabilities_report.pdf

http://www.securiteam.com/exploits/5JP0R0K4AW.html

http://www.windowsitpro.com/article/netbios/information-disclosure-vulnerability-in-microsoft-netbios.aspx

http://www.informit.com/articles/article.aspx?p=130690&seqNum=11

http://www.microsoft.com/technet/security/Bulletin/MS03-034.mspx

http://marc.info/?l=bugtraq&m=96480599904188&w=2

http://descriptions.securescout.com/tc/14002

http://www.securityspace.com/smysecure/viewreport.html?repid=3&style=k4

http://blogs.techrepublic.com.com/security/?p=196