exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

port139_audit.txt

port139_audit.txt
Posted Nov 25, 2003
Authored by clappymonkey

Brief research paper that audits and discusses the true scope of how many hosts on the Internet actually have TCP port 139 listening and are susceptible to attack.

tags | paper, tcp
systems | windows
SHA-256 | 244293ebdd2a973beb2961f77348e04047e69687a1efabdac4ab45d5af3cf75b

port139_audit.txt

Change Mirror Download
TCP Port 139 (netbios-ssn): Fact and Fiction
=============================================

Security professionals and digital miscreants are long familiar with TCP
port 139. The NetBIOS Session port if left open can provide an open gateway
for any number of virtual nasties to slither into a network. Much is made of
port 139 as a potential security vulnerability in many texts and sources (1)
and it is popularly believed that this port poses a significant threat to
the integrity of data and networks (2). This brief paper examines the scope
of port 139 as a potential vulnerability, covers the key technical details
of the testing process, and provides an indication of the measure of how
seriously (or otherwise) administrators are taking this potential threat.


Introduction
============
Port 139 (in open state) has always been held up as a significant threat to
network security. Although this contention is undeniably accurate, there is
much FUD (Fear, Uncertainty and Doubt) concerning this area. A number of
online sources make much of port 139 being a terrific threat to both the
home and business network. Statistical data (3) indicates that UDP ports 135
- 139 and TCP port 137 - 139 are amongst the most commonly scanned ports on
remote computers. Just because something is commonly tested however, does
not necessarily dictate that it is in a state of vulnerability. For example
if a series of burglars were to routinely try and fail to gain access to a
locked door, the door would not be insecure, but would in actuality be doing
the job it was designed to do in keeping intruders at bay. A number of
sources (4) claim that port 139 is open on upwards of 10% of active hosts
connected to the Internet, and this has long been accepted wisdom amongst
security professionals. This paper addresses this key issue, namely how many
hosts are open to intruders using NetBIOS ports? Specifically this paper
focuses on discovering the true scope of active hosts running an open TCP
port 139 (NetBIOS Session Service).


Methodology
===========
The methodology for this study was incredibly simple, namely scan a range of
IP addresses with commonly available network discovery applications, and
discover those hosts with TCP port 139 in an open state. Testing was
conducted using a Pentium 3, 850 MHz computer running the Windows 98
Operating System with internal 56k modem, and standard ISP dial up. Although
Nmap for Win32 was considered as the testing application of choice, it was
the authors intent to simulate the probes that would commonly occour from
the less technical or neophyte computer intruder, referred to in common
parlance as 'script kiddies'. For this reason Windows was selected as the
Operating System of choice, as were a number of 'point and click' port
scanning applications. Of a short list of five possible applications, two
were selected. The scanning activity was predominantly conducted using
SuperScan (version 3.00) from Foundstone Inc. with results compared to those
generated by ShadowScan (version 2.70) to ensure the accuracy and validity
of data. These applications were deliberated selected as they provide
powerful scanning functionalities to naïve users, operate using simple point
and click GUI's, and provide easily detectable signatures for IDS's.

Once the Operating System and relevant port scanning applications had been
selected, a simple scan was conducted against the IP range XXX.XXX.1.1 to
XXX.XXX.255.254. (5) The scan conducted was a visible port 139 enquiry, with
no IDS evasion techniques applied. A Ping sweep was also conducted, as well
as host name identification. The legality of this scan is discussed in a
later section. All scans were conducted during business 'off hours' as this
traditionally is when most script kiddies are presumed to attack and scan
hosts (this belief is largely incorrect as attacks can, and do occour at all
hours day and night.).


Results
=======
Of the 64,770 hosts scanned, 5545 were responsive to a Ping sweep. The
reasons for this may be numerous. Firstly an IP range was selected in a
Scandinavian country, largely because it was assumed that less number of
hosts would be aware of potential port 139 vulnerabilities. Obviously this
is an assumption, and thus incorrect, and my apologies to any Scandinavian
readers for doubting your technical competence. The Internet security
industry is a lot less aggressive in Scandinavia than in the US for example,
and thus potential vulnerabilities (even those as well known as having port
139 open) may be prone to occour with greater regularity. Another reason
Scandinavia was selected was purely on the personal grounds that I have long
liked Monty Python, and one of their musical routines clearly provides a
link to the country on which the scans focused (now if that isn't a clue I
don't know what is!). Of the 5545 responsive hosts, 201 responded with TCP
port 139 in an open state. On the basis of the scan of this IP range only
2.75% of responsive hosts had open TCP port 139. Detailed ennumeration was
not conducted however a probe of all affected hosts using SolarWinds IP
Network Browser, revealed only 9 (of a possible 64,770) hosts with open TCP
port 139 and user shares enabled. Thus of a potential number of hosts in the
thousands only nine were actually vulnerable to basic NetBIOS hacking
methods (6).


Conclusion
==========
Although this is by far an in-depth statistical analysis of all Internet
hosts (or even ones that would be of interest to the 'average' script kiddie
who dreams of nothing more than defacing the CIA and making a name for
themselves), this brief audit does provide some interesting results. From
doing nothing more than a basic SYN/ACK port scan and SNMP query using
automated tools, potential attackers can quickly and efficiently find
vulnerable hosts. The numbers of hosts available for possible NetBIOS
vulnerability exploitation are, on the basis of this audit, far lower than
traditionally assumed. Perhaps it is thanks to the well publicised nature of
NetBIOS vulnerabilities (7), or because NetBIOS ports are those that are
most often routinely probed (8) by inexperienced computer intruders, but
whatever the reason the numbers of hosts with this vulnerability seems to
have decreased far beyond the traditionally accepted numbers. One area that
was not focused on during this audit, and is a deficiency the author is
aware of is domestic DSL. Domestic subscribers to 'always on' broadband
services face a potentially grave threat from NetBIOS intrusions through TCP
port 139 (to highlight just one route in). Commercially available and
freeware firewalls must keep track of this, and home users must be made
aware of the potential of this variety of attack.


Notes
=====
1 - Hacking the hacker: How a consultant shut down a malicious user on a
client's FTP server (http://techrepublic.com.com/5100-6329-5055990.html),
Penetration Testing: Re: [PEN-TEST] Closing Port 139
(http://lists.insecure.org/lists/pen-test/2000/Oct/0204.html), Get back to
security basics
(http://insight.zdnet.co.uk/hardware/chips/0,39020436,2126042,00.htm),
Peeping Through Port 139 (http://www.citypaper.com/2000-05-03/cyber.html),
are just some of the 11,700 results tuned up on a recent Goggle search (with
the string 'port 139 hacking').

2 - Software and services vendor Internet Security Systems even have gone so
far as to define it as "the single most dangerous port on the Internet"
(http://www.iss.net/security_center/advice/Exploits/Ports/139/default.htm),
a definition which is a arguably a tad overwrought.

3 - ISC / SANS daily trends (http://isc.sans.org/trends.html), DShield
(http://www.dshield.org).

4 - The Top Tens of Port Scanning
(http://www.btinternet.com/~shawweb/george/hacks/topten.html), NetBIOS
Hacking (http://www.rishabhdara.com/newsread.php?newsid=31), to name but
two.

5 - See Legal Note section below for further details.

6 - As discussed in the FAQ for the USENET newsgroup alt.hacking
(http://www.dsinet.org/textfiles/faqs/alt-hacking-FAQ/9.html), and countless
other places online.

7 - Numerous on and off-line sources discuss this, including, 'Hacking
Exposed' (Scambray, McClure, Kurtz), The Happy Hacker (Meinel), DCE/RPC over
SMB: Samba and Windows NT Domain Internals (Leighton) and many more (NetBIOS
hacking and NULL connections are discussed in the majority of modern books
on computer and network security, as well as large number of websites,
mailing lists, and newsgroups).

8 - ISC / SANS daily trends (http://isc.sans.org/trends.html).


Legal Note
==========
The scanning activity undertaken, as part of the research of this paper was
as transparent as I could possible make it. Undoubtedly my activities have
been recorded by hosts in the IP range scanned, as no effort was made to
obscure my location. As yet no hosts have contacted me, however I will be
contacted all affected 'high risk' hosts (i.e. those that are susceptible to
simple NetBIOS hacking) and informing them of my findings. The research
undertaken in preparation for this paper was not conducted in such a way as
to cause harm to any remote host, and the author will not be releasing any
details of affected or scanned hosts. This information has been removed from
local hard disk, but is available upon request only to CERT, governmental
agencies or law enforcement. No details will be passed to individual
security researchers at this, or any future time. Although port scanning is
considered intrusive by nature, it was a vital and necessary part of the
research process. Information gathered was not pursued in the interests of
gaining unauthorised access, but in an effort to define the true scope of a
long known about security vulnerability, and see whether the problem is any
closer to having been resolved. In conclusion, it is the authors hope that
his willingness to disclose information to appropriate agencies,
organisations and individuals, as well as the good intent governing the
audit process will be of use should the matter ever arise.


.:clappymonkey:.11/03
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close