Security Forums


How is this exposed to hacker?

gigsvoo
Posted: Thu Jan 09, 2003 8:44 am

Hi there,

On a remote server, if my pages have a link that says something like \\myservername\abc.html, which is supposed to be http://www.theserver.com/abc.html, how is this exposed to hackers? How do they intrude into my server?

Jason
Posted: Thu Jan 09, 2003 11:02 am

If you have \\servername, you are using NETBIOS. You should disable ports 137-139 UDP & TCP and 445 TCP at the firewall. Make sure your webserver has the latest patches etc.

Which OS? Which Webserver?

gigsvoo
Posted: Thu Jan 09, 2003 11:10 am

The \\ thing in the URL could be because the author uses FrontPage to design the page, and it actually forgot to convert the relative URL to an absolute URL.

Which means accessing \\server\something is actually using ports 137-139 TCP and UDP, and also 445 TCP? What do these ports do, and why must 137-139 be both TCP and UDP?

Let's say it is open: the hackers/intruders would scan the ports. OK, let's say they got the port, how do they intrude anywhere? They can go through \\servername because the "servername" does not mean anything to them, right? The \\servername could be another machine than the real webserver running.... could be \\servername-alternative, right?

Tom Bair
Posted: Thu Jan 09, 2003 11:12 am

Gigsvoo,

Follow jasonlambert's instructions exactly. In other words, if you are running a LAN -- be sure to block port 139 AT THE FIREWALL and not before it, otherwise you may lose your file and printer sharing rights within your network.

Tom

gigsvoo
Posted: Thu Jan 09, 2003 11:14 am

Yes, I will do that. Now I want to understand how intruders do that... by how.

Jason
Posted: Thu Jan 09, 2003 3:03 pm

gigsvoo wrote:
Which means accessing \\server\something is actually using ports 137-139 TCP and UDP, and also 445 TCP? What do these ports do, and why must 137-139 be both TCP and UDP?

Those ports are used by the Microsoft file and printer sharing service. Basically, if you have an MS network, and you want to browse the HD of another PC, you can connect to the computer name by opening a run box, and entering \\<hostname> or \\<ip_address> where hostname/ipaddress are those of the intended victim/server/pc. The port numbers I gave are those used by this service. If you don't like it, contact the people who designed the protocol.

gigsvoo wrote:
Let's say it is open: the hackers/intruders would scan the ports. OK, let's say they got the port, how do they intrude anywhere? They can go through \\servername because the "servername" does not mean anything to them, right? The \\servername could be another machine than the real webserver running.... could be \\servername-alternative, right?

When attacking, we can retrieve the IP address of the server by simply pinging the hostname (open a command prompt and type "ping www.victim.com"). Using a port scanning tool, we can then identify which services are listening. When we know the IP address of a machine listening for incoming connections, we open a run box, type in \\<ipaddress we got from the ping command> and click OK. This will try to establish a session with the intended machine.

Even if you have set it to restrict anonymous connections, we can use one of many tools available on the web to brute force (try different combinations) the username and password.

PCWriter wrote:
Gigsvoo,

Follow jasonlambert's instructions exactly. In other words, if you are running a LAN -- be sure to block port 139 AT THE FIREWALL and not before it, otherwise you may lose your file and printer sharing rights within your network.

Tom

Port 445 is also important, though it is only used for NETBIOS connections on Win2k / XP machines, I believe.

-J-

squidly
Posted: Thu Jan 09, 2003 11:09 pm

Also, if this is in a web page on the server, you are opening it up to a lot of bad things besides just sharing of the hard drive. The link was meant to be http://www.theserver.con/abc.html but the editor just made the link to be \\theserver\abc.html; you run the risk of then doing something like this: \\theserver\abc.html\..\..\..\c:\windows\net run nc -l 8080 -z cmd

That is just another reason that I think requiring Netbios under Windows (and having it enabled by default) or any OS is a bad idea.
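
Added example, not part of any post in this thread: a Python check that finds links like the \\myservername\abc.html one discussed above in a page's HTML, so they can be corrected before the page is published. The sample HTML is constructed, and the rewrite helper assumes the path after the server name maps directly under the site root, as in the original question.

```python
import re
from html.parser import HTMLParser

# Attributes whose value a browser may dereference as a URL.
URL_ATTRS = {"href", "src", "action", "background"}
# Matches \\server\path and file://server/path (empty server = local file).
UNC_RE = re.compile(r"^\s*(?:\\\\|file://)([^\\/]*)[\\/]?(.*)$", re.IGNORECASE)

class UncLinkFinder(HTMLParser):
    """Collects (line, tag, attribute, value, server) for UNC/file links."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                m = UNC_RE.match(value)
                if m:
                    line, _ = self.getpos()
                    self.findings.append(
                        (line, tag, name, value.strip(), m.group(1)))

def find_unc_links(html):
    finder = UncLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

def suggest_http(value, base_url):
    """Assumption: the path after the server name sits under the site root."""
    path = UNC_RE.match(value).group(2).replace("\\", "/")
    return base_url.rstrip("/") + "/" + path

# Constructed sample page (not from the thread).
SAMPLE_HTML = r'''<html><body>
<a href="\\myservername\abc.html">Report</a>
<img src="file://myservername/images/logo.gif">
<a href="http://www.theserver.com/ok.html">Fine</a>
<a href="docs/relative.html">Also fine</a>
</body></html>'''

if __name__ == "__main__":
    for line, tag, attr, value, server in find_unc_links(SAMPLE_HTML):
        fixed = suggest_http(value, "http://www.theserver.com")
        print(f"line {line}: <{tag} {attr}> {value} (server {server}) -> {fixed}")
```

Each finding also names the internal server the page would otherwise reveal to every visitor.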

gigsvoo
Posted: Fri Jan 10, 2003 2:54 am

Thanks Jasonlambert

gigsvoo
Posted: Fri Jan 10, 2003 2:58 am

squidly wrote:
... the link was meant to be http://www.theserver.con/abc.html but the editor just made the link to be \\theserver\abc.html; you run the risk of then doing something like this: \\theserver\abc.html\..\..\..\c:\windows\net run nc -l 8080 -z cmd

Wow... that is dangerous. Btw, are there any tutorials or guides so that I can study and protect the webserver of my company regarding these types of exploits? Preferably FREE, because I don't have a sponsor for this incentive project, just to POC to management to look into it.

Quote:
That is just another reason that I think requiring Netbios under Windows (and having it enabled by default) or any OS is a bad idea.

Should this be protected by disabling NETBIOS over TCP/IP? Meaning that they are not available when a user enters \\xxxx through a browser at a remote location? What does that disable thing mean and how does it work?

ShaolinTiger
Posted: Fri Jan 10, 2003 3:07 am

Yeh disable NetBIOS and NB over TCP/IP totally on the net facing interface.

You can keep it on the LAN NIC.

gigsvoo
Posted: Fri Jan 10, 2003 3:31 am

Or can I restrict NetBIOS for my local LAN only? How should I do this?

squidly
Posted: Fri Jan 10, 2003 5:19 am

In the Well you can just unbind the NetBios in the Network settings to the external IP (I would still recommend that you firewall the box)

gigsvoo
Posted: Fri Jan 10, 2003 5:46 am

squidly wrote:
In the Well you can just unbind the NetBios in the Network settings to the external IP (I would still recommend that you firewall the box)

How do the steps go on a Windows 2000 box? They are already behind a Checkpoint firewall, separated from the Internet.

Jason
Posted: Fri Jan 10, 2003 10:59 am

From: http://windows.about.com/library/tips/bltip430.htm

Quote:
While NetBIOS was useful in its time, that time is slowly drawing to a close. If you are using DNS for name resolution on your network (you no longer need WINS), and you have no applications which are dependent on it, you can disable NetBIOS over TCP/IP, and relieve some overhead from your network.

Right-click My Network Places, and choose Properties. Right-click the Network connection to disable NetBIOS on (for instance, Local Area Connection), and choose Properties. Select Internet Protocol (TCP/IP) under Components, then click the Properties button. Click the Advanced tab, and when the Advanced settings window appears, click the WINS tab. Select "Disable NetBIOS over TCP/IP" then click OK, OK, OK.



Also See Here:
http://support.microsoft.com/default.aspx?scid=KB;en-us;q299977
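
Added example, not part of any post in this thread: one way to confirm the result of the steps above is to review netstat -an output from the server for the ports named earlier (137-139 UDP/TCP, 445 TCP) bound to anything other than the LAN. The sample output, addresses and LAN range are constructed.

```python
import ipaddress

# Ports named in the thread: 137-139 (UDP and TCP) and 445 TCP.
WATCHED = {("TCP", 137), ("TCP", 138), ("TCP", 139), ("TCP", 445),
           ("UDP", 137), ("UDP", 138), ("UDP", 139)}

def exposed_listeners(netstat_text, lan_networks):
    """Return (proto, address, port, reason) for watched ports bound outside the LAN."""
    lans = [ipaddress.ip_network(n) for n in lan_networks]
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local = fields[0], fields[1]
        # TCP rows count only when LISTENING; UDP rows have no state column.
        if proto == "TCP" and fields[-1] != "LISTENING":
            continue
        host, _, port = local.rpartition(":")
        if not port.isdigit() or (proto, int(port)) not in WATCHED:
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # bracketed IPv6 or other forms: out of scope here
        if addr.is_unspecified:
            reason = "bound to all interfaces"
        elif addr.is_loopback or any(addr in net for net in lans):
            continue  # LAN-only or local binding, as the thread recommends
        else:
            reason = "bound to a non-LAN address"
        findings.append((proto, host, int(port), reason))
    return findings

# Constructed sample of `netstat -an` output (not from the thread).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    203.0.113.5:139        0.0.0.0:0              LISTENING
  TCP    203.0.113.5:1045       198.51.100.7:139       ESTABLISHED
  UDP    192.168.1.10:137       *:*
  UDP    203.0.113.5:137        *:*
  UDP    203.0.113.5:138        *:*
"""

if __name__ == "__main__":
    for finding in exposed_listeners(SAMPLE, ["192.168.1.0/24"]):
        print(finding)
```

A listener reported as bound to all interfaces is reachable on the external address too, so it depends entirely on the firewall rule for that port.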

gigsvoo
Posted: Tue Jan 14, 2003 2:56 am

For some time I might need to use NETBIOS for sharing folders with colleagues around the workgroup. So, is selecting "Using DNS server for NETBIOS lookup" safe?

All times are GMT + 2 Hours