gigsvoo Just Arrived
Joined: 16 Aug 2002 Posts: 0
Posted: Thu Jan 09, 2003 8:44 am Post subject: How is this exposed to hacker?
Hi there,
On a remote server, if my pages have a link that says something like \\myservername\abc.html, which is supposed to be http://www.theserver.com/abc.html, how is this exposed to hackers? How do they intrude into my server?

Jason Forum Fanatic
Joined: 19 Sep 2002 Posts: 16777215
Posted: Thu Jan 09, 2003 11:02 am
If you have \\servername, you are using NETBIOS. You should disable ports 137-139 UDP & TCP and 445 TCP at the firewall. Make sure your webserver has the latest patches etc.
Which OS? Which webserver?

gigsvoo Just Arrived
Joined: 16 Aug 2002 Posts: 0
Posted: Thu Jan 09, 2003 11:10 am
The \\ thing in the URL could be because the author uses FrontPage to design the page, and it actually forgot to convert the relative URL to an absolute URL.
Which means that accessing \\server\something is actually using ports 137-139 of TCP and UDP, and also 445 of TCP? What do these ports do, and why must 137-139 be both TCP and UDP?
Let's say it is opened; the hackers/intruders should scan the ports. OK, let's say they got the port, how do they intrude anywhere? They can go through \\servername because the "servername" does not mean anything to them, right? The \\servername could be another machine than the real webserver running... could be \\servername-alternative, right?
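
The FrontPage mistake described in the post above (a \\server\file link published where an http:// URL was meant) can be caught before a page goes live. This is an added example, not part of the original thread: a Python check that lists every link attribute holding a UNC path or a file: URL. The sample page and its host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Attributes that can carry a link target.
LINK_ATTRS = {"href", "src", "action", "background"}

# Constructed sample page; host names follow the thread's placeholders.
SAMPLE = r"""<html><body>
<a href="\\myservername\abc.html">left as a UNC path by the editor</a>
<a href="http://www.theserver.com/abc.html">intended form</a>
<img src="file://myservername/share/logo.gif">
<a href="//www.theserver.com/x.html">protocol-relative URL, not UNC</a>
<form action="%5C%5Cmyservername%5Cpost.asp"></form>
</body></html>"""


def classify(value):
    """Return 'unc', 'file-url' or None for one attribute value."""
    v = unquote(value).strip().lower()  # also catches %5C%5C-encoded backslashes
    if v.startswith("\\\\"):
        return "unc"  # resolved over Windows file sharing, not HTTP
    if v.startswith("file:"):
        return "file-url"
    return None


class UNCLinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line, _ = self.getpos()
        for name, value in attrs:
            kind = classify(value) if name in LINK_ATTRS and value else None
            if kind:
                self.findings.append((line, tag, name, kind, value))


def audit(html):
    """Return (line, tag, attribute, kind, value) for each suspicious link."""
    parser = UNCLinkAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("line %d: <%s %s> %s -> %s" % finding)
```
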

Tom Bair SF Boss
Joined: 10 Aug 2002 Posts: 16776955 Location: Portland, Oregon USA
Posted: Thu Jan 09, 2003 11:12 am
Gigsvoo,
Follow jasonlambert's instructions exactly. In other words, if you are running a LAN -- be sure to block port 139 AT THE FIREWALL and not before it, otherwise you may lose your file and printer sharing rights within your network.
Tom

gigsvoo Just Arrived
Joined: 16 Aug 2002 Posts: 0
Posted: Thu Jan 09, 2003 11:14 am
Yes, I will do that. Now I want to understand how intruders do that... by how.

Jason Forum Fanatic
Joined: 19 Sep 2002 Posts: 16777215
Posted: Thu Jan 09, 2003 3:03 pm
gigsvoo wrote:
> Which means that accessing \\server\something is actually using ports 137-139 of TCP and UDP, and also 445 of TCP? What do these ports do, and why must 137-139 be both TCP and UDP?
Those ports are used by the Microsoft file and printer sharing service. Basically, if you have an MS network, and you want to browse the HD of another PC, you can connect to the computer name by opening a run box, and entering \\<hostname> or \\<ip_address> where hostname/ipaddress are those of the intended victim/server/pc. The port numbers I gave are those used by this service. If you don't like it, contact the people who designed the protocol.
gigsvoo wrote:
> Let's say it is opened; the hackers/intruders should scan the ports. OK, let's say they got the port, how do they intrude anywhere? They can go through \\servername because the "servername" does not mean anything to them, right? The \\servername could be another machine than the real webserver running... could be \\servername-alternative, right?
When attacking, we can retrieve the IP address of the server by simply pinging the hostname (open a command prompt, type "ping www.victim.com"). Using a port scanning tool, we can then identify which services are listening. When we know the IP address of a machine listening for incoming connections, we open a run box, type in \\<ipaddress we got from the ping command> and click OK. This will try to establish a session with the intended machine.
Even if you have set it to restrict anonymous connections, we can use one of many tools available on the web to brute force (try different combinations) the username and password.
PCWriter wrote:
> Gigsvoo,
> Follow jasonlambert's instructions exactly. In other words, if you are running a LAN -- be sure to block port 139 AT THE FIREWALL and not before it, otherwise you may lose your file and printer sharing rights within your network.
> Tom
Port 445 is also important, though it is only used for NETBIOS connections on Win2k / XP machines, I believe.
-J-

squidly Trusted SF Member
Joined: 07 Oct 2002 Posts: 16777215 Location: Umm.. I dont know.. somewhere
Posted: Thu Jan 09, 2003 11:09 pm
Also, if this is in a web page on the server, you are opening it up to a lot of bad things besides just sharing of the hard drive. The link was meant to be http://www.theserver.con/abc.html but the editor just made the link to be \\theserver\abc.html; you run the risk of then doing something like this: \\theserver\abc.html\..\..\..\c:\windows\net run nc -l 8080 -z cmd
That is just another reason that I think requiring NetBIOS under Windows (and having it enabled by default) or any OS is a bad idea.

gigsvoo Just Arrived
Joined: 16 Aug 2002 Posts: 0
Posted: Fri Jan 10, 2003 2:54 am
Thanks Jasonlambert

gigsvoo Just Arrived
Joined: 16 Aug 2002 Posts: 0
Posted: Fri Jan 10, 2003 2:58 am
squidly wrote:
> ... the link was meant to be http://www.theserver.con/abc.html but the editor just made the link to be \\theserver\abc.html; you run the risk of then doing something like this: \\theserver\abc.html\..\..\..\c:\windows\net run nc -l 8080 -z cmd
Wow... that is dangerous. Btw, are there any tutorials or guides so that I can study and protect the webserver of my company regarding these types of exploits? Preferably FREE, because I don't have a sponsor for this incentive project, just to POC to management to look into it.
Quote:
> That is just another reason that I think requiring NetBIOS under Windows (and having it enabled by default) or any OS is a bad idea.
Should this be protected by disabling NETBIOS over TCP/IP? Meaning that they are not available when a user enters \\xxxx through a browser at a remote location? What does that disable thing mean and how does it work?

ShaolinTiger Forum Fanatic
Joined: 18 Apr 2002 Posts: 16777215 Location: Kuala Lumpur, Malaysia
Posted: Fri Jan 10, 2003 3:07 am
Yeh disable NetBIOS and NB over TCP/IP totally on the net facing interface.
You can keep it on the LAN NIC.
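
To verify the advice above (NetBIOS off on the Internet-facing interface, kept on the LAN NIC), check which addresses the file-sharing ports are actually bound to. This is an added example, not from the thread: Python that parses Windows `netstat -an` output and flags listeners on ports 137-139 and 445 that are not bound to a LAN address. The sample output, the addresses and the LAN range are constructed.

```python
import ipaddress

# Ports named in the thread: 137-139 on UDP and TCP, and 445 on TCP.
SHARE_PORTS = {(p, n) for p in ("tcp", "udp") for n in (137, 138, 139)} | {("tcp", 445)}

# Constructed sample of Windows `netstat -an` output (addresses are made up).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    203.0.113.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      192.168.1.20:445       ESTABLISHED
  UDP    203.0.113.5:137        *:*
  UDP    192.168.1.10:138       *:*
"""


def exposed_listeners(netstat_text, lan_cidr):
    """Return (proto, port, address, reason) for share ports bound outside the LAN."""
    lan = ipaddress.ip_network(lan_cidr)
    hits = []
    for row in netstat_text.splitlines():
        cols = row.split()
        if len(cols) < 3 or cols[0].lower() not in ("tcp", "udp"):
            continue  # header or unrelated line
        proto = cols[0].lower()
        # TCP rows end with a state; only LISTENING sockets accept new sessions.
        if proto == "tcp" and cols[-1].upper() != "LISTENING":
            continue
        host, _, port = cols[1].rpartition(":")
        if not port.isdigit() or (proto, int(port)) not in SHARE_PORTS:
            continue
        try:
            addr = ipaddress.ip_address(host.strip("[]"))
        except ValueError:
            continue
        if addr.is_loopback or addr in lan:
            continue  # loopback, or bound to the LAN NIC only: expected
        # 0.0.0.0 / :: means every interface, so only the firewall protects it.
        reason = "all interfaces" if addr.is_unspecified else "non-LAN address"
        hits.append((proto, int(port), str(addr), reason))
    return hits


if __name__ == "__main__":
    for hit in exposed_listeners(SAMPLE, "192.168.1.0/24"):
        print("%s/%d bound to %s (%s)" % hit)
```
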

gigsvoo Just Arrived
Joined: 16 Aug 2002 Posts: 0
Posted: Fri Jan 10, 2003 3:31 am
Or can I restrict NetBIOS for my local LAN only? How should I do this?

squidly Trusted SF Member
Joined: 07 Oct 2002 Posts: 16777215 Location: Umm.. I dont know.. somewhere
Posted: Fri Jan 10, 2003 5:19 am
Well, you can just unbind the NetBIOS in the Network setting to the external IP (I would still recommend that you firewall the box).

gigsvoo Just Arrived
Joined: 16 Aug 2002 Posts: 0
Posted: Fri Jan 10, 2003 5:46 am
squidly wrote:
> Well, you can just unbind the NetBIOS in the Network setting to the external IP (I would still recommend that you firewall the box).
How do the steps go on a Windows 2000 box? They are already behind a Checkpoint firewall, separated from the Internet.

Jason Forum Fanatic
Joined: 19 Sep 2002 Posts: 16777215
Posted: Fri Jan 10, 2003 10:59 am
From: http://windows.about.com/library/tips/bltip430.htm
Quote:
> While NetBIOS was useful in its time, that time is slowly drawing to a close. If you are using DNS for name resolution on your network (you no longer need WINS), and you have no applications which are dependent on it, you can disable NetBIOS over TCP/IP, and relieve some overhead from your network.
> Right-click My Network Places, and choose Properties. Right-click the network connection to disable NetBIOS on (for instance, Local Area Connection), and choose Properties. Select Internet Protocol (TCP/IP) under Components, then click the Properties button. Click the Advanced tab, and when the Advanced settings window appears, click the WINS tab. Select "Disable NetBIOS over TCP/IP" then click OK, OK, OK.
Also see here:
http://support.microsoft.com/default.aspx?scid=KB;en-us;q299977

gigsvoo Just Arrived
Joined: 16 Aug 2002 Posts: 0
Posted: Tue Jan 14, 2003 2:56 am
For some time I might need to use NETBIOS for sharing folders with colleagues around the workgroup. So, is selecting "Using DNS server for NETBIOS lookup" safe?