HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 23 guests and 2 members online
EH-Net Donations

Enter Amount:
$
Google Ads
EH-Net News Feeds
Latest Additions
Book Recommendations



 
Advertisement

You are here: Home arrow Forum arrow Ethical Hacking Discussions and Related Certificationsarrow Incident Responsearrow NetBios Issue
Ethical Hacker Community Forums
January 08, 2009, 12:36:07 AM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: ChicagoCon 2-Day Ethical Hacking Conference with MS Blue Hats Oct 31 - Nov 1. Tickets Only $100! www.chicagocon.com/content/view/103/51/
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: NetBios Issue  (Read 1308 times)
0 Members and 1 Guest are viewing this topic.
scucci
Newbie
*
Offline Offline

Posts: 23


View Profile
« on: September 18, 2008, 02:47:52 PM »
Currently we have a system open on our CheckPoint firewall that enables all traffic from the outside (i know this is horrible, and I'm trying to have this fixed). But I saw in our logs today that it was accessed via port 139 multiple times. I know this is a NetBios port and I'm concerned. I can't think of any legitimate reason to have a machine connect to that port from the outside world.

My question is, where should I start looking to see if this machine was compromised? Are there any tools that can be run? Logs that I should look at? Any advice would be of great help.

Thanks

Matt
Logged
toggmeister
Newbie
*
Offline Offline

Posts: 22


View Profile
« Reply #1 on: September 18, 2008, 03:18:45 PM »
Netstat -an will give you connections established, hopefully nothing from the outside  Cry

procexp.exe will give you a list of running processes, check out extraneous or if you have been done over they could using a system process to cloak there access.

What about another question, do you need netbios on your network, can you close this and other ports, is this in the DMZ, if it is close everything you can to reduce your attack vectors:

Port 139 (TCP) and Port 137 (UDP)

This is closed by following the following procedure:

•   Right click My Network Places
•   Select properties
•   Double-click Local area connection
•   Click Properties
•   Double click TCP/IP Connections
•   Click advanced
•   Click WINS
•   Tick disable NetBIOS over TCP/IP


For extra security, you should also deselect file and printer sharing on the Local area connection main page, general tab

Port 445

Port 445 can be disabled on the host by using the following instructions :

•   Select Start
•   Select Run
•   Type in Regedt32
•   Locate the following key in the registry:

o   HKLM\System\CurrentControlSet\Services\NetBT\Parameters

•   Double-click on the key TransportBindName.
•   Delete the value (\Device\), and leave the box blank.

•   Close the Registry Editor
•   Reboot your computer.

TCP Port 445 is now closed.  This can be confirmed on the localhost by running the netstat command

Port 135 (TCP)

RPC services can't be disabled but the parameters referencing the listening interfaces can be modified to bind this port to the localhost (127.0.0.1) and thus disallow access from external connections :

•   Create a registry key file with the following contents:

-------------------------- cut here -----------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rpc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rpc\Linkage]
"Bind"=hex(7):31,00,00,00,00,00

-------------------------- cut here ------------------------------

•   Save as 135.reg
•   Double-click 135.reg

The keys are now written to the registry.

By default RPC listens on all network interfaces, this can be modified by creating the following Registry key and string (ListenOnInternet REG_SZ = N
) at the following location:

•   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs

When this value is set to N (NO)  the port 135 is listening only on interfaces listed in the value "Bind"=1 which correspond to 127.0.0.1 the localhost.
(or MS TCP Loopback interface)

Disable DCOM

This is achieved by setting the following string (EnableDCOM Reg_Sz = N) in the registry key:

•   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole

Reboot the machine.

Port 135 is now bound to localhost. This can be confirmed on the localhost by running the netstat command

Just locked down a 2K3 server with this and lots of other tweaks you really need to assess what you actually need open and what services you need to run.

Hope this helps

Togg
Logged
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.7 | SMF © 2006-2008, Simple Machines LLC
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.034 seconds with 23 queries.
 
Sponsors

cwnp_moto__120x90.gif

Polls
How many security events including conferences and training do you attend a year:
 
Support EH-Net

Support EH-Net by
Buying all of your
Amazon items using
the search bar above.
cbtnuggets_logo_125.jpg
Try CBT Nuggets Free!
Recent Forum Topics
Vote For EH-Net

progenic.com
Click here to Vote!

binarica.com
Binarica Logo

Add to Technorati Favorites
technorati fave

 
         
Advertisement

© 2009 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.