Operating Systems & Network Security Dr. Carl Pulley [email protected]

Friday, 20 November 2009

Example Scenario
- Attacker has port scanned a client and found port 139 (NetBIOS Session Service) open
- Attacker now attempts to enumerate shares (e.g. files and printers) a client has access to
  - they can exploit default accounts to do this
  - they can determine trust relationships
  - uploading allows malware to spread
  - downloading allows for information leakage

During an attack, enumeration is the stage whereby the attacker tries to determine the usernames, groups, trust relationships, service types and versions, etc. that networked clients may have. The prior stages of host identification and port scanning have already identified the networked clients and the services they may be running.

NetBIOS
- Able to work over various transport layers
- Networked resources identified by a unique name/identifier
  - 15 ASCII bytes identify the resource
  - 1 byte identifies the resource type (cf. TCP/IP port)
- NetBIOS name server (e.g. WINS) associates names with network locations
  - DHCP has a WINS option
  - names are cached

WINS is an example implementation of a NetBIOS name server. NetBIOS is normally restricted to a single subnet - extra network infrastructure is needed to overcome this restriction. Typically, when running NetBIOS over TCP/IP, network locations will be IP addresses. A client's NetBIOS name is not the same as its hostname! When NetBIOS runs over TCP/IP, it is known as NBT - these lecture notes will primarily assume the use of NBT.

Resource Identifiers


NetBIOS Name Server
- Originally located clients using broadcast messages
  - very noisy, fragile and non-scalable!
- Central name server solves this issue
  - new clients register with the name server
  - name server is queried for client location
- Clients are distinguished by how they query for the location of other network clients

The original idea was to broadcast for a target node and then get the target to send a unicast message back to the source. Once source and target knew each other's location, communication could ensue! Such clients are broadcast nodes. Point-to-point nodes use NetBIOS name servers to locate clients and then communicate with clients directly. Mixed nodes prefer to use broadcasts to locate clients and then fail over to using point-to-point. Hybrid nodes prefer to use point-to-point to locate clients and then fail over to broadcasts.

NBT name requests (these are used to locate IP addresses for NetBIOS names) can be built in scapy using:

IP(dst="target.com")/UDP(sport=RandShort(),dport="netbios_ns")/NBNSQueryRequest(QUESTION_TYPE="NB", QUESTION_NAME="ComputerName")

NBT node status requests (these are used to list known NetBIOS names) can be built in scapy using:

IP(dst="target.com")/UDP(sport=RandShort(),dport="netbios_ns")/NBNSQueryRequest(QUESTION_TYPE="NBSTAT", QUESTION_NAME="*")

Because NetBIOS is designed to run over multiple transport layers, you send the query using send() and need to sniff the returning packets yourself! The following code allows NBT responses to be captured:

sniff(filter="udp and src port 137", prn=handle_nbt, store=False)

where handle_nbt is some user-defined Python function for handling NBT response packets. By default, when receiving node status responses, scapy incorrectly formats the NBT responses as instances of NBNSQueryResponse. This typically means you have to reformat the packet's UDP payload to be of the correct type (i.e. NBNSNodeStatusResponse). This can be achieved with:

pkt[UDP].decode_payload_as(NBNSNodeStatusResponse)

where pkt is the response packet. See RFC 1002 for more information on the NetBIOS packet structure.
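The following is an added example, not part of the lecture notes and not using scapy: a pure-Python reconstruction of the RFC 1002 packets the scapy one-liners above build and decode. It first-level encodes NetBIOS names (including the NUL-padded "*" wildcard used by node status requests), builds a name query and a node status request, and parses a constructed node status response, reporting each name's suffix byte, group flag and owner node type (B, P, M or H, the node types described above). Function names and the sample names MYCLIENT/WORKGROUP are my own constructed assumptions.

```python
import struct
NB, NBSTAT = 0x0020, 0x0021                     # QUESTION_TYPE values (RFC 1002)
NODE_TYPES = {0: "B", 1: "P", 2: "M", 3: "H"}   # ONT bits of a NODE_NAME's NAME_FLAGS

def encode_name(name, suffix=0x00):
    """First-level encoding (RFC 1002 s4.1): 15 name bytes plus the 1-byte resource type,
    each byte split into two nibbles added to 'A'. '*' is NUL-padded, names space-padded."""
    raw = (b"*" + b"\x00" * 15) if name == "*" else \
        name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    if len(raw) != 16:
        raise ValueError("NetBIOS names are at most 15 characters")
    nibbles = bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))
    return bytes([32]) + nibbles + b"\x00"       # one 32-byte label, empty scope

def decode_name(label):
    """Inverse of encode_name for the 32 label bytes: returns (name, suffix)."""
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]

def build_request(txid, name, qtype, broadcast=False):
    """NBNS query: 12-byte header plus one question. A broadcast name query sets the
    RD and B flags (0x0110); a unicast node-status request sets none."""
    header = struct.pack(">HHHHHH", txid, 0x0110 if broadcast else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)

def build_node_status_response(txid, names):
    """Constructed NODE STATUS RESPONSE (RFC 1002 s4.2.18), used here as parser input."""
    body = bytes([len(names)])
    for name, suffix, group, ont in names:
        raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
        body += raw + struct.pack(">H", (0x8000 if group else 0) | (ont << 13) | 0x0400)
    body += b"\x00" * 46                        # zeroed STATISTICS block
    rr = encode_name("*") + struct.pack(">HHIH", NBSTAT, 1, 0, len(body)) + body
    return struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0) + rr   # R and AA flags set

def parse_node_status(data):
    """Parse a NODE STATUS RESPONSE into (txid, [(name, suffix, is_group, node_type)])."""
    txid, flags = struct.unpack(">HH", data[:4])
    # Require: response bit set, RCODE 0, a single 32-byte label, NBSTAT record type.
    if not (flags & 0x8000) or flags & 0x000F or data[12] != 32 or data[45] != 0 \
            or data[46:48] != struct.pack(">H", NBSTAT):
        raise ValueError("not a well-formed node status response")
    names = []
    for i in range(data[56]):                   # NUM_NAMES, then 18-byte NODE_NAME entries
        off = 57 + 18 * i
        raw, nflags = data[off:off + 16], struct.unpack(">H", data[off + 16:off + 18])[0]
        names.append((raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15],
                      bool(nflags & 0x8000), NODE_TYPES[(nflags >> 13) & 0x3]))
    return txid, names
```

Feeding the raw UDP payload captured by the sniff() call above into parse_node_status gives the same information scapy's NBNSNodeStatusResponse exposes, which is useful when checking what a host advertises about itself.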

NBT Ports

Port   Protocol   Description
137    UDP        NetBIOS Name Service
138    UDP        NetBIOS Datagram Service
139    TCP        NetBIOS Session Service

NBT = NetBIOS over TCP/IP
- port 137: used to register and query NetBIOS names. In scapy you use the NBNSRequest and NBNSQueryRequest constructors to create these packets.
- port 138: used to establish a NetBIOS message-based (datagram) connection. In scapy you use the NBTDatagram constructor to create these packets.
- port 139: used to establish a NetBIOS stream-based (session) connection. In scapy you use the NBTSession constructor to create these packets.

NetBIOS Attacks
- Name server cache poisoning
  - fake client name registrations
- Name server spoofing
  - spoof responses to NetBIOS NS queries
  - transaction ID is normally incremented!
- DoS the name server!

Shares
- Resources attached to clients may be shared across a network
  - organised as tree structures
- Shared resources identified by the client name (e.g. WINS/DNS name or IP address) and a share name
  - \\myclient\sharedresource
- Share name postfix of $ indicates the share is hidden
  - e.g. C$, PRINT$, ADMIN$ and IPC$

C$ typically denotes a share of the C: drive of a Windows PC. IPC$ is a virtual share that allows for inter-process communication.

SMB/CIFS
- Historically ran on top of the NetBIOS Session and Datagram Services (SMB)
- Can also run on top of TCP/IP via port 445 (CIFS)
  - dynamic DNS used to replace reliance on NetBIOS name servers
- User and share level security models

Dynamic DNS is implemented using DHCP and a local DNS server.

Workgroups and Domains
- Workgroup is a collection of clients that each maintain their own security information
  - distributed security
- Domain maintains its own security information
  - centralised security

Null Sessions
- SMB/CIFS allows clients (by default) to connect without usernames or passwords
  - specify a null username and password!
- Enables one to list
  - users and groups
  - machines and shares
  - security identifiers for users and hosts

The intention is for trusted domains to be able to enumerate shares etc. Using smbclient -L target.com, you can enumerate shares via null sessions. In addition, the same tool provides an FTP-like interface for interacting with these shares (see the smbclient man pages for further details).