We are in 2020 and I present an article about the flaws related to a bad configuration of NetBios !! I already hear some say "What's wrong with you man?".
A recent study carried out in December 2019 by French researchers shows that more than 60% of Windows systems using the NetBios service use a standard configuration and are poorly secured, thus allowing anyone to access the content of their shared folders in few minutes. NetBios is a must in IT security and a blessing for hackers during the network information gathering/enumeration phase, whenever they are looking to collect network information or obtain sensitive users or either company's files.
NetBios is a standard communication service, unfortunately, it is often poorly secured or even sometimes not secured at all.
NetBios offers the ability to explore all a network. We can thus have the list of the PCs connected into the network, the different workgroups and with a little knowledge, we can even find the user of a machine. NetBIOS is an acronym for Network Basic Input/Output System. It provides services related to the session layer of the OSI model allowing applications on separate computers to communicate over a local area network.
As indicated above, NetBios is not a communication protocol but a service present mainly on Microsoft environments which uses ports:
- 135 (Remote location service)
- 137 (NetBios-ns - NETBIOS Name Service)
- 139 (NetBios-dgm - NETBIOS Datagram Service)
- 445 (SMB)
When targeting a given network or system, the first thing a hacker does would be to scan the machine since a lot of information can be collected from a simple network ports scan. Referring to the topic of this article, in our case what the hacker is looking for is an open port 139, which is the default NetBios port.
Before to move further, you will need Samba (the client tools only, the server isn't necessary) to be installed on your machine. This Linux tool will allow you to play and involve your machine into Windows networks. If you don't know how to install Samba, you can head over to www.samba.org. If you are using Ubuntu or Debian, you can install it very easily using the below command:
HOW TO INSTALL SAMBA ON UBUNTU/DEBIAN AND OTHER DERIVED DISTRIBUTIONS
sudo apt -y install samba samba-common samba-common-bin smbclient
When you have finished installing Samba, you can make sure that the program works correctly by invoking the "
help" command from your terminal:
SCAN THE NETWORK FOR MACHINES WITH PORT 139 OPEN
We will now consider that you are currently carrying out a security audit on behalf of one of your customers who asked you to test the reliability of their network. We will, therefore, start by scanning the network using Nmap in order to check if a machine is connected via port 139 since it is the one used by default by NetBios.
nmap -Pn -sC -sS -sV -O -p 139 xxx.xxx.xxx.xxx/xx
Of course, don't forget to replace "xxx.xxx.xxx.xxx/xx" by the CIDR or the IP you wish to scan for NetBios opened port.
Note: For security reasons, some information on the above screenshot has been hidden.
As you can see from the above screenshot, we have one potential target with port 139 open. The next step for us is to find the name with which this machine is registered on the network. Basically, without this information, we will be unable to request any share information from these machines.
To achieve our goals, we will use "
nmblookup" which is present by default in the "
samba-common-bin" package. The "
-A" parameter is used to identify a remote computer.
nmblookup -A xxx.xxx.xxx.xxx
On the screenshot above, you can see that we have just identified the name of the machine referenced here by "SERVER". Now that we have it we will use "
smbclient" from our terminal and try the first approach on this machine to see if we can go further.
smbclient -L //SERVER -I xxx.xxx.xxx.xxx -N
-L" parameter is invoked to list the shared folder(s) if any available. The "
-I" parameter is used to indicate the IP address of the machine we wish to connect and the "
-N" parameter is used to avoid the password prompt.
Well done! We have just identified an interesting folder called "share". The last step for us is to create a connection to access this folder and find out whether it's password protected or not. To do this simply use the following command:
smbclient //SERVER/share -I xxx.xxx.xxx.xxx -N
No, you're not dreaming! It only took us a few minutes to detect a badly secured machine, establish a connection via the NetBios service and list the contents of its share folder.
WHAT ARE THE RISKS OF THIS TYPE OF ATTACK
The first thing to remember is that this is not a vulnerability resulting from a security breach. The problem of this vulnerability resides in the configuration of the machine targeted by the attacker.
It is very difficult to draw up a complete list of the risks associated with this kind of attack. But a malicious hacker can easily steal sensitive files or folders by using, for example, the command "
smb: \> get remote_file local_file
Or he can inject a document, a photo or even a program containing a virus on the machine and wait patiently for someone to click on it using the "
smb: \> put local_file remote_file
Only very few people understand how to properly set up shares, and Windows doesn't really prompt users about improper configurations. It's far easier to set up a share and open it to everyone than actually customize the share with proper permissions. The fact that this article demonstrates how easy it is to intrude upon a poorly protected Windows share should serve as a warning.
SECURING WINDOWS NETBIOS SERVICES
NetBios services are designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose these services directly to the Internet or, in general, to an environment where untrusted clients can directly access these services. Different options are available to mitigate this issue and protect your server or device:
- Disable NetBios/NetBT and SMB services if you are not using them.
- Use your firewall to filter inbound connections to SMB and NetBios/NetBT services, and only allow the trusted IPs and hosts.
- Install the Operating System security updates as soon as possible and ensure SMBv1 is not in use.