SMBRelay Exploits Windows Networking
If you've been waiting for a really good reason to upgrade the security of your Windows network, one Sir Dystic, of the infamous hacker group Cult of the Dead Cow, has come up with one. His utility, SMBRelay, coupled with Security Software Technology's L0phtCrack password-cracking software, vastly simplifies the process of breaking passwords collected from Windows-based LAN and Internet hosts.
Unblocking the SMB
SMBRelay takes advantage of a long-known vulnerability in the Server Message Block (SMB) file sharing protocol. SMB is layered onto NetBIOS, the networking application interface first created by IBM and adopted by Microsoft for DOS. When you share a Windows directory or drive over a local area network, you are most likely utilizing SMB over NetBIOS over NetBEUI, IPX, or TCP/IP.
Both SMB and NetBIOS have evolved over time, and Microsoft has endeavored to maintain backward compatibility with its older "dialects." But this backward compatibility means that when an SMB session is initiated, a more primitive "plain text" level of authentication can often be negotiated, one that exposes the password data as fully as possible.
Additionally, because SMB was developed to facilitate file and print sharing on local networks, a Windows client will automatically attempt to log onto an SMB server. In the process, the host and client will exchange password hashes. These pairs of password hashes (the challenge from the host plus the response from the client) can be "sniffed" and saved for later cracking.
Middleman Grabs Authentication
More insidious than network sniffing is session hijacking. An attacker makes himself the "man in the middle" by virtually interposing himself between the client and host. To expedite things, the attacker can send a client of the targeted host an HTML e-mail message with a link to a NetBIOS share on the web server. As the target's computer attempts to establish a NetBIOS connection, the attacker steps in, intercepts the client's credentials, and passes them off as his own.
Sir Dystic's SMBRelay automates the process by functioning first as a data relay between the client and host, passing on everything except the authentication data. Then the attacker disconnects the client and binds the host to a new IP relay address that the attacker can log on to, all the while retaining the original client's privileges on the host. At the same time, the NTLM password hashes exchanged by the client and host are collected and saved to a text file.
Taking It to the Next Level
The primary weakness with NetBIOS, also inherited by LAN Manager, lies in its willingness to negotiate security to the lowest common denominator when handling SMB sessions. For this reason, password hash collecting and man-in-the-middle attacks on the NetBIOS/SMB protocols are not new. Microsoft has admitted that, "Recent improvements in computer hardware and software algorithms have made these protocols vulnerable to widely published attacks for obtaining user passwords."
To this end Microsoft developed NT LAN Manager version 2 (NTLMv2), a 128-bit encrypted version of NT LAN Manager that does not depend on the exchange of password hashes for authentication. To lock out weaker protocol dialects, however, NTLM must be disabled so that session authentication defaults to NTLMv2. Enabling NTLMv2 exclusively on Windows networks is covered in Microsoft Knowledge Base article Q239869.
Eliminating Unnecessary Services
One aspect of making a software product "user friendly" is anticipating all the possible ways in which it might be used. For Microsoft, this means covering a lot of bases, and so installations of the Windows 9.x operating systems tend to throw in the kitchen sink. But as a result, you will be left with a lot of services running you probably don't need; worse, they could pose considerable security risks.
To start with, on standalone machines NetBIOS and NetBIOS shares should be turned off. Secure Design has a page on Basic Windows 9.x Security that runs down the steps you can take to shut down unneeded Windows network services.
As a further check of your computer security, a number of security firms such as SDesign and Gibson Research will scan your computer over the Internet for open ports and exposed NetBIOS traffic.
The SMB and other NetBIOS exploits depend on attackers finding an open NetBIOS port on the targeted machine. According to SDesign, 22 percent of the systems they scan are open on port 139, which is required for NetBIOS connections. Security consultants recommend blocking TCP/UDP ports 135, 137, and 139, and UDP port 138 at the firewall to prevent SMBRelay-type cracking attempts.
Many ISPs block these ports in order to protect their own network security and that of their customers. In any case, home users with "always-on" high-speed Internet service in particular should deploy a personal firewall. All the major anti-virus software companies sell personal firewalls, and Zone Labs provides its popular ZoneAlarm personal firewall free to individuals and non-profit organizations.
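The two defensive steps the article recommends, forcing NTLMv2 (KB Q239869) and blocking the NetBIOS/SMB ports, can be audited and enforced from one script on a current Windows host. The following is an added example, not code from the article or from Microsoft; it assumes an elevated PowerShell session on Windows 8/Server 2012 or later (for the NetSecurity cmdlets) and uses the LmCompatibilityLevel registry value that the Knowledge Base article describes.

```powershell
# Added example: audit (and with -Enforce, apply) the article's two mitigations.
# Assumes: elevated session; Windows 8 / Server 2012 or later for Get-/New-NetFirewallRule.
param([switch]$Enforce)

$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
# LmCompatibilityLevel (KB Q239869): 0-2 send LM and/or NTLM responses,
# 3-5 send NTLMv2 only; 5 additionally refuses LM and NTLM from clients.
$desired = 5

$current = (Get-ItemProperty -Path $lsaKey -Name LmCompatibilityLevel `
            -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $current) { $current = 'unset (OS default)' }
Write-Host "LmCompatibilityLevel: $current (want $desired)"

if ($Enforce -and $current -ne $desired) {
    Set-ItemProperty -Path $lsaKey -Name LmCompatibilityLevel -Value $desired -Type DWord
    Write-Host "Set LmCompatibilityLevel=$desired (takes full effect after reboot)"
}

# Ports the article says to block: TCP/UDP 135, 137, 139 and UDP 138.
# Rules are scoped to the Public profile so a LAN/domain profile keeps file sharing.
$blocks = @(
    @{ Proto = 'TCP'; Ports = @(135, 137, 139) },
    @{ Proto = 'UDP'; Ports = @(135, 137, 138, 139) }
)
foreach ($b in $blocks) {
    foreach ($p in $b.Ports) {
        $name = "Block inbound $($b.Proto) $p (NetBIOS/SMB)"
        $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        if ($rule) {
            Write-Host "present: $name"
        } elseif ($Enforce) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol $b.Proto `
                -LocalPort $p -Action Block -Profile Public | Out-Null
            Write-Host "created: $name"
        } else {
            Write-Host "MISSING: $name"
        }
    }
}
```

Run without arguments to see what would change; add `-Enforce` to write the registry value and create the missing rules.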
August 1st, 2009