One of the biggest information-leakage risks affecting Windows computers is the Windows network itself, and the protocols used to share files and printers among computers on a local Windows network, particularly SMB and NetBIOS, which can be abused through default hidden shares. Here we describe a discovery technique known as null sessions, which can provide in-depth information about a remote computer that can then be used to compromise it and take control of it.
The Windows network implementation has a specific interface that can be queried over TCP/IP ports 139 and 445. The problem exists on many Windows installations because the default security configuration allows it. The first step an attacker would take is to perform a TCP scan of your Windows computer. If it is improperly protected, your computer may have these ports open, and they may expose a lot of information through the so-called null session technique. The attacker opens a communication channel through these ports as an anonymous user with a null password; this channel can then be used to obtain additional information about your computer, such as network information, users and groups, shares, registry values and so on, using the SMB and NetBIOS protocols.
The most effective way to protect your computer against null session attacks is to block ports 139 and 445 (TCP/UDP) on your computer. This leaves the attacker with no way to connect to the ports, so they cannot perform such queries, and your security configuration is significantly improved. But there's more you can do. The best way to protect yourself from this problem is to disable access to SMB information on your computer by configuring the restrictions on anonymous connections in the security options, accessible from Control Panel – Administrative Tools – Local Security Policy. Once it is open, go to Local Policy – Security options and look for an entry called "Additional restrictions for anonymous connections". Set this entry to the most secure setting, which is "No access without explicit anonymous permissions". You may need to reboot the computer after changing this value for it to take full effect. After that, when an attacker attempts to connect to your computer and harvest information with this method, they will receive an access denied error message and no further information will be disclosed. But once again, blocking access to ports 139 and 445 will protect your computer from this problem, which can otherwise be used to acquire additional information about your computer and, in the end, take control of it.
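
Both mitigations above can be audited locally. The PowerShell function below is an added example, not part of the original article; it assumes Windows 8 / Server 2012 or later (for `Get-NetTCPConnection` and `Get-NetFirewallRule`) and that the policy setting is stored as the `RestrictAnonymous` value under the `Lsa` registry key. The function name `Get-NullSessionExposure` is hypothetical.

```powershell
# Added example: local audit of the two mitigations described in the article.
# Limitation: only firewall rules that name the port explicitly are matched;
# rules written as port ranges or "Any" are not evaluated here.
function Get-NullSessionExposure {
    [CmdletBinding()]
    param([int[]]$Ports = @(139, 445))

    foreach ($port in $Ports) {
        # Is any local service listening on this TCP port?
        $listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $port `
                                -ErrorAction SilentlyContinue)

        # Enabled inbound "allow" rules that name this port explicitly.
        $allowRules = @(Get-NetFirewallPortFilter -Protocol TCP |
            Where-Object { $_.LocalPort -contains "$port" } |
            Get-NetFirewallRule |
            Where-Object { $_.Enabled -eq 'True' -and
                           $_.Direction -eq 'Inbound' -and
                           $_.Action -eq 'Allow' })

        $status = if (-not $listening) { 'OK (not listening)' }
                  elseif ($allowRules.Count -gt 0) { 'EXPOSED: block this port' }
                  else { 'Listening, no explicit allow rule found' }

        [pscustomobject]@{
            Check  = "TCP $port"
            Value  = "listening=$listening; allow rules=$($allowRules.Count)"
            Status = $status
        }
    }

    # "Additional restrictions for anonymous connections"
    # (assumed to be stored as the RestrictAnonymous DWORD).
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $lsa -Name RestrictAnonymous `
                  -ErrorAction SilentlyContinue).RestrictAnonymous

    [pscustomobject]@{
        Check  = 'RestrictAnonymous'
        Value  = if ($null -eq $value) { 'not set' } else { $value }
        Status = if ($value -eq 2) { 'OK (no access without explicit anonymous permissions)' }
                 else { 'WEAK: set the most secure option' }
    }
}

Get-NullSessionExposure | Format-Table -AutoSize
```

The port check only reports on TCP; the article's advice to block 139 and 445 covers UDP as well, which still has to be confirmed in the firewall configuration.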