3.1.5 - IP Behavior IV - Microsoft Networking

Published on December 2016 | Categories: Documents | Downloads: 92 | Comments: 0 | Views: 816


6 - 1
Microsoft Networking – SANS ©2000 – 2003
1
Microsoft Networking
This module on Microsoft Networking and Security is intended to introduce you to the protocols used
by Microsoft hosts and the accompanying security risks. One of the main problems/advantages with
the Microsoft architecture is that it lends itself to the “ease-of-use” by users and administrators. This
is one of the reasons that Microsoft software is so popular; it is just easier to use for the novice user
than, say, Solaris or Linux. This is good for the user and the administrator, but the downfall is that
“ease-of-use” often implies lack of security for an unprotected network. You must keep in mind that
Microsoft or Windows networks are intended for use on intranets with a perimeter that blocks
outsiders.
We will examine some of the problems associated with the Microsoft protocols. The student will be
able to analyze Microsoft networking traffic and determine what the purpose of the traffic is.
Because this is an often exploited route into a network, you will see scans of ports associated with
MS functions and attempts to find vulnerabilities on your own network.
Objectives
• The goal of this module is to:
– Explain a typical Microsoft network
– Present an understanding of TCP/IP behavior of
Microsoft networking
– Emphasize computer security implications
The “Objectives” of this course will be to familiarize the student with the components of a typical
Microsoft network. We’ll examine how components on the network communicate with each other
using TCP/IP. Much of the emphasis will be on security implications of the rather open Microsoft
protocols.
While Windows facilitates peer networking such as file sharing, security has often taken a back seat
to the users’ unobstructed interface for using MS network protocols. Microsoft Windows 9x variants
do not have a secure file system because one is not provided with the operating system. Microsoft
Windows NT, while providing a more secure file system, requires additional attention to make it
secure. Windows 2000 has made great strides in offering features that can be used to better secure
the host and communications among Windows 2000 hosts.
Pre-Win2k Network Communications
Slide diagram: NetBIOS workstations armstrong (192.168.10.7), indurain (192.168.10.54), julich (192.168.10.3), lemond (192.168.10.10) and hampsten (192.168.10.53), a shared printer printer1 (192.168.10.4) and Shared Files, together with the servers primaryDC (192.168.10.20), Mbrowser (192.168.10.34) and WINShost (192.168.10.9), all behind a Perimeter Defense.
Look at the slide “Pre-Win2K Communications” to see what Windows networks
looked like before Windows 2000. In this network, there are many NetBIOS workstations
communicating with each other and servers. The servers are primaryDC that represents the
primary domain controller for authentication, Mbrowser – the master browser responsible for
maintaining a list of hosts for your viewing via the Network Neighborhood, and WINShost that is
responsible for pairing NetBIOS host names and IP numbers.
Each host has a NetBIOS name (for instance armstrong) that uniquely identifies it. NetBIOS is an
application program interface (API) for communication among computers. It basically allows
applications to talk over the network. NetBIOS depends on a lower level transport to communicate
between hosts. Hosts on this network communicate with each other via NetBIOS over TCP/IP, also
known as NBT. In years past this transport was NetBEUI, a very chatty broadcast protocol. It had a
limitation that it could only support 255 nodes in a given Windows network. Obviously, with the
growth of networks, this limitation was a problem.
NBT offers several services:
1) A name service (WINS)
2) Two communication services
a) datagrams – this is a broadcast protocol for Windows hosts that offers no reliability (comparable
to UDP)
b) session – this is a host to host protocol for Windows hosts that offers the promise of reliability
(comparable to TCP)
Some of the NetBIOS ports are as follows:
137 – NetBIOS name service (NetBIOS to IP resolution)
138 – NetBIOS datagram service
139 – NetBIOS session service
Win2k/Active Directory Network Communications
Slide diagram: a Domain Controller with Active Directory (192.168.10.20), labelled DNS Server and Kerberos Server; workstations armstrong.bike.com (192.168.10.7), indurain.bike.com (192.168.10.54), julich.bike.com (192.168.10.3), lemond.bike.com (192.168.10.10) and hampsten.bike.com (192.168.10.53); printer1.bike.com (192.168.10.4) and Shared Files; all behind a Perimeter Defense.
Now, flip to the next slide entitled “Win2K/Active Directory Network Communications” to see an
altered view of the same network with a newer implementation. The same workstations exist as
before; however, the servers have been consolidated.
The use of Windows 2000 with Active Directory (AD) changes many aspects of the old network. AD
stores information about objects on the network making it easier to locate resources for clients and
maintain resources for administrators. AD is essentially a collection of services, standards, and
protocols supported by a database that is installed on a Windows 2000 server when it is promoted to
become a domain controller. Some of the information that can be stored in an AD database are:
• User account properties and passwords
• AD groups and organization units
• Computer properties
• Domain names and structures
• Printers and “My Network Places” browse list
We will discuss an often used protocol in an AD network known as Lightweight Directory Access
Protocol (LDAP) that is used to search the AD database for information.
What Changed?
• NetBIOS gone (going)
– Used as a protocol to communicate over TCP (NBT)
– Used as host names
• Active Directory adds
– Central repository for network services/data
– Different protocols
– Functionality to work with Kerberos and DNS
– Fully Qualified Domain Names (FQDN) host names
Advance to slide “What Changed?” to examine some of the differences before and after Win2k with
Active Directory. The most notable change is the disappearance of NetBIOS as both a naming
convention and a protocol. NetBIOS names are no longer supported in a pure Win2k environment
with AD. Host names are now the same as the DNS names. Additionally, NetBIOS disappears as a
protocol for communication between hosts.
No discussion of Microsoft networking is complete without mentioning the protocol known as
SMB/CIFS or Server Message Block/Common Internet File System. We’ve seen where TCP/IP was
used for the transport of NetBIOS. We saw where clients connected to servers using NetBIOS over
TCP/IP (NBT). Once these connections had been established, clients could then send commands
(SMBs) to the server that allow them to access shares, open files, read and write files, and do print
operations. So, SMB is a protocol that rode over NetBIOS for Windows operating systems before
Windows 2000.
In Windows 2000, Microsoft added the option to run SMB directly over TCP/IP without the
intervening layer of NBT. Instead of using ports 137, 138 (UDP), and 139 (TCP), Windows 2000
running directly over TCP/IP uses TCP port 445. This can be supported in Windows 2000 even
without AD.
A Windows 2000 server with AD becomes a primary controller capable of providing many directory
services. Additionally, AD has the functionality to integrate with Kerberos to provide more secure
authentication and DNS to locate network services as well as store DNS resource records as AD
objects.
Hostname Resolution
In this section, “Hostname Resolution”, we’ll examine the different types of name resolution in
Windows. Whether there is an older NetBIOS name or a newer DNS-like name, there has to be some
method of resolving hostnames to IP numbers.
NetBIOS Names
• 16 character name
• Different from DNS name
• When a NetBIOS machine comes online – needs to register
NetBIOS name
• No two hosts in the same Windows domain or workgroup should
have same NetBIOS name
• Two ways to register/perform name resolution for NetBIOS
names
– Broadcast to network
– WINS
Turning to the slide “NetBIOS Names”, we discover that they are 16 character alphanumeric names.
15 characters are for the NetBIOS name itself, and the final character identifies a resource type which
we’ll discuss a little later. When a NetBIOS host comes online, it broadcasts its NetBIOS
information 6 to 10 times to alert other clients on the network of its presence and a list of names
associated with applications or services on that client. If another client on the network has an
identical NetBIOS name, it sends a broadcast challenge defending the name. The client will then
mark the name in its own table as unusable and will not make any further attempts to use the
challenged name. If no other client claims this NetBIOS name, the name will then be registered.
Registration and future name resolution can be done via broadcasts or via a WINS server that will
store names of NetBIOS hosts.
NetBIOS Name Resolution Without WINS Server
NT client.goodguys.com resolves the name of server.goodguys.com
15:24:59.824558 client.goodguys.com.137 > 192.168.255.255.137: udp 50
15:24:59.824907 arp who-has client.goodguys.com tell server.goodguys.com
15:24:59.824965 arp reply client.goodguys.com is-at 0:15:5c:7:62:20
15:24:59.825106 server.goodguys.com.137 > client.goodguys.com.137: udp 62
15:25:00.908500 client.goodguys.com.3015 > server.goodguys.com.139: S 140756:140756(0) win 8192 <mss 1460> (DF) [tos 0x14]
15:25:00.909181 server.goodguys.com.139 > client.goodguys.com.3015: S 126790:126790(0) ack 140757 win 8760 <mss 1460> (DF)
15:24:00.909330 client.goodguys.com.3015 > server.goodguys.com.139: . ack 1 win 8760 (DF) [tos 0x14]
The slide “NetBIOS Name Resolution Without WINS Server” demonstrates what happens when a
Windows client wants to resolve the name of another Windows host, server.goodguys.com, and there is
no WINS server on the intranet (or Windows networking domain). Suppose the user at \\client has
entered the command "net view \\server". In this case, the target host must be identified by its NetBIOS
name (server) rather than its fully qualified domain name (server.goodguys.com).
If the client does not have \\server and its IP address in its cache, it will broadcast a NetBIOS name
query on the local network with the name of the destination host using UDP port 137 (the netbios-ns, or
NetBIOS name service port).
Each computer on the local network receives the 137 UDP broadcast and checks its local NetBIOS table
to see if it owns the requested name. If it does, it formulates a NetBIOS name query response. But
before the response can be sent, the host needs to determine the MAC address of the requestor.
Therefore, an ARP request (arp who-has) is broadcast on the LAN to obtain the requesting client host's
MAC address. When the MAC address of \\client is obtained, the name query response is sent using
UDP port 137.
At this point, \\client knows the IP address of \\server and can create a NetBIOS session. This is shown
by the typical TCP three-way handshake on port 139 (netbios-ssn, the NetBIOS session service).
Windows Internet Naming Service (WINS)
• Managed on UDP port 137
• Microsoft feature for NetBIOS name to IP address
translation
• WINS server registers and resolves NetBIOS host
names and workgroups
• Dynamic process
– NetBIOS host comes online and is registered in WINS
– NetBIOS host goes offline and is removed from WINS
Now, go to the next slide “Windows Internet Naming Service (WINS)”. WINS is typically
implemented in Microsoft-centric environments. It serves as a ‘pseudo’ naming process which
enables Windows clients to centrally register their NetBIOS names. The WINS server pairs IP
addresses with NetBIOS names.
The naming convention used by Microsoft limits these names to 15 characters. As you learned, when
a client boots, it broadcasts its NetBIOS name and information.
If the WINS server or another client on the collision domain has a NetBIOS entry for that name, then
the WINS server or client possessing ownership of that name broadcasts on the appropriate segment,
and the client who was initially trying to register that name immediately stops.
Windows users identify a host by its NetBIOS name, not an FQDN (fully qualified domain name).
This name is propagated throughout the network and replicated with other WINS servers. This
replication to other WINS servers occurs over TCP port 42.
NetBIOS Name Resolution with WINS Server
12:26:07.905619 client.goodguys.com.137 > wins-server.goodguys.com.137: udp 50
12:26:07.906766 wins-server.goodguys.com.137 > client.goodguys.com.137: udp 62
12:26:07.908500 client.goodguys.com.3015 > server.goodguys.com.139: S 140756:140756(0) win 8192 <mss 1460> (DF) [tos 0x14]
12:26:07.909181 server.goodguys.com.139 > client.goodguys.com.3015: S 126790:126790(0) ack 140757 win 8760 <mss 1460> (DF)
12:26:07.909330 client.goodguys.com.3015 > server.goodguys.com.139: . ack 1 win 8760 (DF) [tos 0x14]
We see a different process of name resolution on slide “Name Resolution with WINS Server”. The
same client queries the WINS server for the IP address associated with the NetBIOS name of the
server. There is no broadcast for the NetBIOS name. When the WINS server returns the IP address
of the server that the client wants, it talks directly to it.
In this case, client.goodguys.com is checking the WINS server, wins-server.goodguys.com, for the IP
number associated with the NetBIOS name that it knows server.goodguys.com by. It appears that
client.goodguys.com discovered the name because it then tries some kind of NetBIOS session with
server.goodguys.com.
Name Resolution with Active Directory DNS Server
10.4.3.3.3017 > 10.4.2.2.53: 35+ A? mothra.usa.sans.org. (37)
10.4.2.2.53 > 10.4.3.3.3017: 35* 1/0/0 A 10.4.2.2 (53)

10.4.3.3.3253 > 10.4.2.2.53: 1+ SRV ? _ldap._tcp.dc._msdcs.usa.sans.org. (51)
10.4.2.2.53 > 10.4.3.3.3253: 1* 2/0/2 SRV , SRV (162)
Go to the next slide, “Name Registration with Active Directory DNS Server”, to see how
hostname to IP address resolution is handled with AD and Win2k. Remember, NetBIOS names are
now gone and hostnames are known as they are in non-Windows networks, as their DNS names.
Therefore, there is no longer a need for WINS resolution or broadcast to associate NetBIOS names
and IP numbers. DNS is now used for hostname/IP address resolution.
All DNS queries use standard UDP port 53, even though the DNS records are stored in the AD
database. When the DNS server boots up, it queries the AD database using the LDAP protocol for all
the records for which it is authoritative. It caches them in RAM and serves those records to DNS
clients over UDP port 53. When new records are added (either statically or dynamically) to the DNS
server, they are periodically written back to the AD database, again using LDAP. The Windows
domain controllers replicate these new DNS records to each other automatically, thus indirectly
distributing them to all other DNS servers. The traditional zone transfers and the primary/secondary
DNS server distinction have disappeared.
The first set of DNS exchanges above should look somewhat familiar. Host 10.4.3.3 is asking the
DNS server 10.4.2.2 for the address associated with hostname mothra.usa.sans.org. Host 10.4.2.2
responds with one resource record, presumably with the answer. The second set of DNS exchanges is
something new. Windows DNS servers and later versions of BIND offer a resource record type
known as a Service (SRV) resource record. This allows clients to find desired services. For
instance, in this case 10.4.3.3 is asking the DNS server where (by name and IP address) the LDAP
server for the domain is. This same type of lookup may be done to find a Kerberos server to be used
for authentication.
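An added example, not part of the SANS module, of the SRV lookup described above: it builds the slide's two queries (their lengths match the 37 and 51 bytes tcpdump reported) and parses a constructed SRV response. mothra.usa.sans.org is the DNS server on the slide and is assumed here to also be a domain controller; dc2.usa.sans.org and all function names are my own.

```python
import struct

TYPE_A, TYPE_SRV, CLASS_IN = 1, 33, 1


def dc_locator_names(domain):
    """The _msdcs SRV names a Win2k client looks up to find domain controller
    services: LDAP (shown on the slide) and Kerberos (the same lookup pattern)."""
    return {"ldap": "_ldap._tcp.dc._msdcs." + domain,
            "kerberos": "_kerberos._tcp.dc._msdcs." + domain}


def encode_dns_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, rtype):
    """Standard recursive query with one question (12-byte header, name, type, class)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_dns_name(name) + struct.pack("!HH", rtype, CLASS_IN)


def read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                          # resume after the pointer
            off = pointer
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), end if end is not None else off


def parse_srv_answers(msg):
    """Return the SRV records in the answer section, ordered the way a client
    should try them: lowest priority first, higher weight first within a priority."""
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                       # QTYPE, QCLASS
    records = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = read_name(msg, off + 6)
            records.append({"owner": owner, "priority": prio, "weight": weight,
                            "port": port, "target": target, "ttl": ttl})
        off += rdlen
    return sorted(records, key=lambda r: (r["priority"], -r["weight"]))


def build_srv_response(txid, qname, answers, ttl=600):
    """Constructed authoritative response; each answer's owner name is a
    compression pointer (0xC00C) back to the question name at offset 12."""
    msg = struct.pack("!6H", txid, 0x8580, 1, len(answers), 0, 0)
    msg += encode_dns_name(qname) + struct.pack("!HH", TYPE_SRV, CLASS_IN)
    for prio, weight, port, target in answers:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_dns_name(target)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SRV, CLASS_IN, ttl, len(rdata)) + rdata
    return msg


# Constructed sample: the slide's SRV query (ID 1) answered with two records,
# deliberately listed out of priority order so the client-side sort matters.
LDAP_SRV_NAME = dc_locator_names("usa.sans.org")["ldap"]
SAMPLE_RESPONSE = build_srv_response(1, LDAP_SRV_NAME, [
    (10, 100, 389, "dc2.usa.sans.org"),      # made-up second controller
    (0, 100, 389, "mothra.usa.sans.org"),    # host from the slide
])

if __name__ == "__main__":
    for rec in parse_srv_answers(SAMPLE_RESPONSE):
        print("%s -> %s:%d (prio %d, weight %d)" % (
            rec["owner"], rec["target"], rec["port"], rec["priority"], rec["weight"]))
```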
Discovering Information About Hosts
In this section “Discovering Information About Hosts”, we’ll see commands that are used for
legitimate purposes for Windows host discovery. We’ll also see how these commands can be used as
reconnaissance by hackers. It bears repeating that Windows networks should be protected by some
kind of packet filtering device to keep intruders out. Yet many sites don’t block the necessary ports
or take the proper precautions to do so, and hackers will try to use these open avenues.
NetBIOS Name/Resource Type
Slide diagram: a 16 byte NetBIOS value laid out as bytes 1 to 16. Bytes 1 to 15 hold the resource name (shown as V E R B O followed by padding) and byte 16 holds the resource type (00). The same layout of 15 byte NetBIOS name plus 1 byte resource type applies to unique resources and to group resources.
Looking at slide “NetBIOS Name/Resource Type”, you see that the NetBIOS name is a 16
character field. The NetBIOS name itself can be up to 15 characters or bytes. The 16th byte is
reserved for the resource type. When a NetBIOS name is registered, it is registered with a resource
type or multiple resource types. These resource types or services identify the functions or services
that this particular NetBIOS resource can perform.
A resource can be a unique resource or a group resource. A unique resource is one that is unique, as
the name implies. For instance, there can only be one particular NetBIOS name that refers to a
computer within a workgroup or domain. A group resource refers to a group of computers or users
associated with a workgroup or domain.
NetBIOS Unique Resource Type Codes
Resource                        Hexadecimal Type Code
Standard Workstation            00
Messenger Service (WinPopup)    03
File/Print Server               20
Master Browser Name             1D
The slide “NetBIOS Unique Resource Type Codes” is an abbreviated list of the resource type
codes that can be found for unique resources. These values tell the functions of a given unique
resource. We’ll see how we can list these resource codes for a given NetBIOS resource. Obviously,
someone doing reconnaissance on a network will not only want to attempt to list the NetBIOS
resource names, but the types as well, to try to discover what the function of a given NetBIOS
resource is.
A master browser is a host that keeps a list of the currently active NetBIOS hosts. When NetBIOS
hosts boot up or are shut down, the master browser updates its browse list of active hosts. So, for
reconnaissance purposes, if someone can discover this host and query it for active hosts, it provides a
lot of information.
NetBIOS Group Resource Type Codes
Resource                        Hexadecimal Type Code
Standard Workstation Group      00
__MSBROWSE__ (Master Browser)   01
Domain Controller               1C
Group Name                      1E
The slide “NetBIOS Group Resource Type Codes” is an abbreviated list of the resource type
codes that can be found for group resources. These values tell the functions of a given group
resource.
Identify Resources on a Remote Windows/Samba Host
nbtstat -A 192.168.143.5
NetBIOS Remote Machine Name Table
Name               Type         Status
-------------------------------------------------------------------------
VERBO           <00>  UNIQUE      Registered
VERBO           <03>  UNIQUE      Registered
VERBO           <20>  UNIQUE      Registered
..__MSBROWSE__. <01>  GROUP       Registered
SIMPLE          <00>  GROUP       Registered
SIMPLE          <1B>  UNIQUE      Registered
SIMPLE          <1C>  GROUP       Registered
SIMPLE          <1D>  UNIQUE      Registered
SIMPLE          <1E>  GROUP       Registered
As the next slide “Identify Resources on a Remote Windows/Samba Host” describes, the nbtstat
command is used to discover NetBIOS resource names and their resource types. The Windows
command nbtstat -A IP address will identify users on a remote Windows or Samba system. This will
display the remote host’s NetBIOS table. In this case we look at a host with a NetBIOS name of
verbo which happens to be a Linux host running Samba. The system name of the host is verbo and
its domain is named simple.
Note that we’ve used the nbtstat -A switch, which requires an IP number. There is another form of
the command that uses the nbtstat -a switch and takes a hostname as the argument. While the output
from this is the same as seen above, the decoded contents seen over the network will be different.
Snort Capture of nbtstat Request
06/12-19:18:47.672062 192.168.143.101:137 -> 192.168.143.5:137
UDP TTL:128 TOS:0x0 ID:24949
Len: 58
05 02 00 00 00 01 00 00 00 00 00 00 20 43 4B 41 ............ CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 AAAAAAAAAAAAA..!
00 01 70 61 63 6B ..pack
Alert message:
[**] SMB Name Wildcard [**]
06/12-19:22:58.895474 192.168.143.101:137 -> 192.168.143.5:137
UDP TTL:128 TOS:0x0 ID:25461
Len: 58
The slide “Snort Capture of nbtstat Request” was captured by Snort, which can decode the
application layer. Nothing is really coherent, but look at the CKAAAA… output. We’ll see in a
couple of slides that this is a “wildcard” or generic search for resources. It does not specifically
identify a NetBIOS name or hostname; it uses the “*” wildcard to query the host for its NetBIOS
table.
Also, note that Snort doesn’t translate IP numbers to hostnames; this is done for the sake of
efficiency. In this example, 192.168.143.101 represents hostname win98.com that has a NetBIOS
name of win98, and 192.168.143.5 represents verbo.com with a NetBIOS name of verbo.
You can then see that when running Snort with its rules files, the nbtstat -A IP address triggered an
alert. Snort identifies this as an SMB Name Wildcard. By using the IP address as an argument to
nbtstat, it does a wildcard “*” search of the host for resources.
The rule that triggered the alert is seen below. It alerts on any UDP traffic sent to an internal network
host destination port 137. The content of the packet must contain the ASCII string
“CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA” followed by two zero bytes (|0000| is Snort’s
notation for the hex bytes 00 00). This is the signature for the wildcard. We’ll examine how we
arrive at the ASCII content in the reference section.
Rule that triggered alert:
alert udp any any -> $HOME_NET 137 (msg:"SMB Name Wildcard";
content:"CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|0000|";)
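How the CKAAAA… content arises, as an added example that is not part of the SANS module: the NetBIOS first-level name encoding, a parser for the request bytes transcribed from the slide's Snort hexdump, and a structural check equivalent to the rule above. The encoding scheme, the type-code tables and the packet bytes come from the page; the function names are my own.

```python
import struct

# Resource type codes from the "NetBIOS Unique/Group Resource Type Codes" slides.
UNIQUE_TYPES = {0x00: "Standard Workstation", 0x03: "Messenger Service (WinPopup)",
                0x20: "File/Print Server", 0x1D: "Master Browser Name"}
GROUP_TYPES = {0x00: "Standard Workstation Group", 0x01: "__MSBROWSE__ (Master Browser)",
               0x1C: "Domain Controller", 0x1E: "Group Name"}

QTYPE_NB = 0x0020      # NB: NetBIOS name to IP address query
QTYPE_NBSTAT = 0x0021  # NBSTAT: node status request, which is what nbtstat -A sends


def encode_netbios_name(name, suffix=0x00, pad=b" "):
    """First-level encoding (RFC 1001/1002): pad the name to 15 bytes, append the
    1-byte resource type, then write each nibble as one letter 'A'..'P'."""
    raw = name.encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_netbios_name(encoded):
    """Reverse the encoding; returns (name, resource type). The wildcard '*'
    (0x2A) encodes as 'CK' and the 15 NUL bytes behind it as 'AA' * 15."""
    if len(encoded) != 32:
        raise ValueError("an encoded NetBIOS name is always 32 characters")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]


def describe_type(suffix, is_group):
    """Map a resource type byte to the slide's table; unknown codes are not guessed."""
    table = GROUP_TYPES if is_group else UNIQUE_TYPES
    return table.get(suffix, "unlisted type <%02X>" % suffix)


def parse_nbns_query(payload):
    """Parse the header and first question of a NetBIOS Name Service (UDP/137)
    request. Scope IDs (extra labels after the encoded name) are not handled."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", payload[:12])
    off = 12
    length = payload[off]                 # always 0x20: 32 encoded characters
    off += 1
    encoded = payload[off:off + length].decode("ascii")
    off += length
    if payload[off] != 0x00:
        raise ValueError("scope ID present; not handled in this example")
    off += 1
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    name, suffix = decode_netbios_name(encoded)
    return {"id": txid, "flags": flags, "qdcount": qdcount, "encoded": encoded,
            "name": name, "suffix": suffix, "qtype": qtype, "qclass": qclass}


def is_nbstat_wildcard(payload):
    """Structural detection of what the slide's Snort rule alerts on: a node
    status (NBSTAT) request for the wildcard name '*'."""
    q = parse_nbns_query(payload)
    return q["qtype"] == QTYPE_NBSTAT and q["name"] == "*"


# The literal content match from the slide's rule: the encoded wildcard name,
# its terminating NUL and the high byte of QTYPE (|0000| in Snort notation).
SNORT_CONTENT = b"CK" + b"A" * 30 + b"\x00\x00"


def snort_content_match(payload):
    return SNORT_CONTENT in payload


# Request bytes transcribed from the slide's hexdump: 12-byte header (ID 0x0502,
# one question), length 0x20, encoded name, NUL terminator, NBSTAT, class IN.
NBTSTAT_REQUEST = bytes.fromhex(
    "050200000001000000000000" + "20" + "434b" + "41" * 30 + "00" + "0021" + "0001")


if __name__ == "__main__":
    q = parse_nbns_query(NBTSTAT_REQUEST)
    print("query %s<%02X> qtype=0x%04X wildcard=%s content=%s" % (
        q["name"], q["suffix"], q["qtype"],
        is_nbstat_wildcard(NBTSTAT_REQUEST), snort_content_match(NBTSTAT_REQUEST)))
    # A normal name query for the VERBO<20> file server encodes quite differently.
    print(encode_netbios_name("VERBO", 0x20), describe_type(0x20, False))
```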
GIAC Postings of Port 137 Scans (Beginning around Year 2000)
06:21:25.180967 nbscanner.com.137>192.168.143.7.137: udp 50
06:21:25.180969 nbscanner.com.137>192.168.143.93.137: udp 50
06:21:25.180970 nbscanner.com.137>192.168.143.115.137: udp 50
06:21:25.180971 nbscanner.com.137>192.168.143.44.137: udp 50
06:21:25.180973 nbscanner.com.137>192.168.143.71.137: udp 50
[**] SMB Name Wildcard [**]
04/09-06:49:51.748689 24.3.200.114:137 -> xxx.xxx.xxx.189:137
UDP TTL:118 TOS:0x0 ID:43610
Len: 58
55 9E 00 10 00 01 00 00 00 00 00 00 20 43 4B 41 U........... CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 AAAAAAAAAAAAA..!
00 01
As the next slide “Many GIAC Postings of Port 137 Scans” shows, there was a proliferation of
detected scans to destination port UDP 137. Many different networks have detected these scans and
they appear to be ongoing and constant. The above detection is akin to something tcpdump or
Shadow might have picked up.
Next, you see the Snort capture of these same port 137 scans. As you can see, this appears to be the
same signature that we saw for the nbtstat -A command. So, it looks as if these scans are attempting
to discover NetBIOS resources located on different hosts.
“network.vbs” Worm
• Probable explanation for increase in port 137 traffic
• Visual Basic Script that infects Windows hosts
• Searches other class C network NetBIOS resources
and then looks for unprotected shares on C drive
• If any discovered, “network.vbs” worm installed and
worm propagated
• Speculation of connection for search of potential
DDoS agent/handler hosts
Advancing to the next slide, you’ll discover that the probable explanation of the increase in this
activity is because of the “network.vbs Worm”. This is a Visual Basic Script that infects Windows
hosts and then tries to search for other candidate hosts on which to replicate. It issues these port 137
searches on random Class C networks. If it discovers accessible NetBIOS hosts, it will then try to
enumerate shares and see if there are any unprotected ones on the C drive. If it finds any unprotected
shares on the C drive, it will install a copy of network.vbs there and propagate. Some believe that
this activity might be related to finding hosts that later will be used as DDoS candidates.
Carnegie Mellon CERT has a write-up on this activity, and it can be found at
http://www.cert.org/incident_notes/IN-2000-02.html.
Enumerating NetBIOS Shares
net view \\linux2
Shared resources at \\LINUX2
Sharename   Type    Comment
jdoe        Disk    Home Directories
lp          Print
test        Disk    For testing purposes
The command was completed successfully.
Take a look at the following slide “Enumerating NetBIOS Shares”. The net view command will
enumerate the NetBIOS shares for a Windows or Samba host. The first thing that you notice is that
we had to know the NetBIOS name (linux2) in order to execute this command. This command
would have to be executed in an environment where the querier could resolve the NetBIOS name
linux2 – usually done via a broadcast or through WINS resolution.
We see on linux2 that there is a share named jdoe which is a shared disk directory, another named lp
which is for shared print resources, and finally another shared disk known as test.
Snort Output of Share Enumeration Request
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/18-18:57:33.747043 192.168.143.101:2215 -> 192.168.143.16:139
TCP TTL:128 TOS:0x0 ID:50213 DF
*****PA* Seq: 0x16AA2F6E Ack: 0xB1BA69F8 Win: 0x20BB
00 00 00 3E FF 53 4D 42 75 00 00 00 00 00 00 00 ...>.SMBu.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 B1 73 ...............s
64 00 02 4B 04 FF 00 00 00 02 00 01 00 13 00 00 d..K............
5C 5C 4C 49 4E 55 58 32 5C 49 50 43 24 00 49 50 \\LINUX2\IPC$.IP
43 00 C.
Looking at slide “Snort Output of Share Enumeration Request”, you can see the request that was
sent when the net view command was issued. You see the notation SMB, which we’ve learned is the
Server Message Block Protocol that is necessary for this transfer to occur over the network. You’ll
also see the reference \\LINUX2\IPC$. This is a reference to a UNC (Universal Naming Convention)
that has the format of \\NetBIOSname\directory. The NetBIOS name of the host is LINUX2 and the
directory is IPC$. This is a special directory – a hidden default directory for Inter-Process
Communications.
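The request on the slide decoded, as an added example that is not part of the original module: it strips the NetBIOS session header, reads the SMB header and the TREE_CONNECT_ANDX words, and recovers the \\LINUX2\IPC$ path and the IPC service name, which is what a monitor would key on to log connections to hidden shares. The frame bytes are transcribed from the slide's hexdump; the helper names are my own.

```python
import struct

SMB_COM_TREE_CONNECT_ANDX = 0x75
FLAGS2_UNICODE = 0x8000


def parse_nbss(frame):
    """NetBIOS session service header: 1-byte message type, then the length in
    the next 3 bytes (00 00 00 3E on the slide = 62-byte SMB). Returns the SMB."""
    msg_type = frame[0]
    length = int.from_bytes(frame[1:4], "big")
    if msg_type != 0x00:
        raise ValueError("not a session message (type 0x%02X)" % msg_type)
    return frame[4:4 + length]


def parse_smb_header(smb):
    """The fixed 32-byte SMB1 header: 0xFF 'SMB', command, status, flags,
    flags2, PID high, 8 security bytes, 2 reserved, TID, PID low, UID, MID."""
    if smb[:4] != b"\xffSMB":
        raise ValueError("missing SMB signature")
    command, status, flags, flags2, pid_high = struct.unpack("<BIBHH", smb[4:14])
    tid, pid_low, uid, mid = struct.unpack("<HHHH", smb[24:32])
    return {"command": command, "status": status, "flags": flags, "flags2": flags2,
            "tid": tid, "pid": (pid_high << 16) | pid_low, "uid": uid, "mid": mid}


def parse_tree_connect_andx(smb):
    """Decode SMB_COM_TREE_CONNECT_ANDX: the parameter words, the password
    blob, the UNC path and the requested service (ASCII strings only)."""
    hdr = parse_smb_header(smb)
    if hdr["command"] != SMB_COM_TREE_CONNECT_ANDX:
        raise ValueError("command 0x%02X is not TREE_CONNECT_ANDX" % hdr["command"])
    if hdr["flags2"] & FLAGS2_UNICODE:
        raise ValueError("Unicode strings are not handled in this example")
    word_count = smb[32]
    words_end = 33 + 2 * word_count
    andx_cmd, _, andx_off, flags, pw_len = struct.unpack("<BBHHH", smb[33:words_end])
    byte_count, = struct.unpack("<H", smb[words_end:words_end + 2])
    data = smb[words_end + 2:words_end + 2 + byte_count]
    password, rest = data[:pw_len], data[pw_len:]
    path, _, rest = rest.partition(b"\x00")
    service, _, _ = rest.partition(b"\x00")
    host, share = path.decode("ascii").lstrip("\\").split("\\", 1)
    return {**hdr, "password_len": pw_len, "path": path.decode("ascii"),
            "host": host, "share": share, "service": service.decode("ascii")}


def hidden_share_connects(frames):
    """Report tree connects to dollar (hidden) shares such as IPC$, the default
    hidden share the slide's net view request goes through."""
    hits = []
    for frame in frames:
        smb = parse_nbss(frame)
        if parse_smb_header(smb)["command"] == SMB_COM_TREE_CONNECT_ANDX:
            info = parse_tree_connect_andx(smb)
            if info["share"].endswith("$"):
                hits.append((info["host"], info["share"], info["service"]))
    return hits


# Frame bytes transcribed from the slide's Snort hexdump (net view \\linux2).
NET_VIEW_FRAME = bytes.fromhex(
    "0000003eff534d427500000000000000"
    "0000000000000000000000000000b173"
    "6400024b04ff00000002000100130000"
    "5c5c4c494e5558325c49504324004950"
    "4300")

if __name__ == "__main__":
    info = parse_tree_connect_andx(parse_nbss(NET_VIEW_FRAME))
    print("uid=%d pid=0x%X path=%s service=%s" % (
        info["uid"], info["pid"], info["path"], info["service"]))
    print(hidden_share_connects([NET_VIEW_FRAME]))
```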
Win2K/AD Discovery/Access of Shared Resources
10.4.3.3.3258 > 10.4.2.2.389: udp 166
10.4.2.2.389 > 10.4.3.3.3258: udp 178
10.4.3.3.3259 > 10.4.4.4.445: S 4084969658:4084969658(0) win 16384
<mss 1460,nop,nop,sackOK> (DF)
10.4.4.4.445 > 10.4.3.3.3259: S 1607718307:1607718307(0) ack
4084969659 win 17520 <mss 1460,nop,nop,sackOK> (DF)
10.4.3.3.3259 > 10.4.4.4.445: . ack 1 win 17520 (DF)
10.4.3.3.3259 > 10.4.4.4.445: P 1:138(137) ack 1 win 17520 (DF)
Slide “Win2K/AD Discovery/Access of Shared Resources” shows a tcpdump capture of activity
from clicking on the “My Network Places” on the desktop. First, you see a new port – UDP port
389. This is known as Lightweight Directory Access Protocol (LDAP) and is used to connect to the
AD server and search the database for some desired information. In this case, it is the shared
resources available to the user who clicked the “My Network Places” icon. Above, host 10.4.3.3
accesses the AD server 10.4.2.2.
Once the resources are displayed, the user may choose to double-click on a resource to access it. This
will require the use of SMB directly over TCP/IP using port 445. This connects to the desired
computer directly to see shared resources. In the above output, host 10.4.3.3 wishes to access a
shared resource available from host 10.4.4.4. Since this is TCP port 445, you see the three-way
handshake and the beginning of the data exchange.
Domain Controller
This section, “Domain Controller”, explains another component in a Microsoft network. A domain
controller was not necessary before Active Directory, but many Microsoft networks used a primary
domain controller (PDC) and a backup domain controller (BDC). A Microsoft network with a
domain controller is known as a domain, whereas one with no domain controller is known as a
workgroup.
With Active Directory applied to a Windows 2000 server, the host automatically becomes a domain
controller. There can be many such domain controllers in a domain or enterprise and there is no
distinction between primary and backup.
Pre-Win2k Primary Domain Controller
Slide diagram: a Primary Domain Controller holding the SAM database performs Authentication; three NetBIOS Client Workstations request Access to a Shared Resource Host and a Shared Printer.
The slide “Pre-Win2K Primary Domain Controller” depicts the role of the primary domain
controller. The primary domain controller has multiple purposes. The first one is to authenticate
requests for access to shared resources. This is typically done via a username and password. Instead
of each shared resource granting or denying access, the primary domain controller maintains control
for the entire domain. It does so by keeping a list of usernames and passwords known as a security
account manager (SAM) database.
Once a user is authenticated to use a shared resource by the primary domain controller, a token will
be granted to the user to allow access to other shared resources. At this point, the user is considered
“logged in”. Much ado has been made of the problems associated with Windows encoding of
passwords; specifically, the algorithm used to encode the password so that it is not totally exposed is
considered to be weak.
Partial Snort Collection of Authentication (Pre-Win2K)
06/13-11:23:28.368177 192.168.143.5:139 -> 192.168.143.101:1025
TCP TTL:64 TOS:0x0 ID:433 DF
*****PA* Seq: 0x189808DC Ack: 0x61DD Win: 0x7D78
00 00 00 72 FF 53 4D 42 25 00 00 00 00 80 01 00 ...r.SMB%.......
00 00 00 00 00 00 00 00 00 00 00 00 01 00 87 13 ................
64 00 81 06 0A 06 00 32 00 00 00 06 00 38 00 00 d......2.....8..
00 32 00 40 00 00 00 00 00 3B 00 00 00 00 00 00 .2.@.....;......
32 00 00 00 16 00 00 00 1C 00 00 00 23 00 00 00 2...........#...
04 02 2A 00 00 00 31 00 00 00 56 45 52 42 4F 00 ..*...1...VERBO.
6A 6E 6F 76 61 6B 00 53 49 4D 50 4C 45 00 53 49 jnovak.SIMPLE.SI
4D 50 4C 45 00 00 MPLE..
06/13-11:23:28.393848 192.168.143.101:1025 -> 192.168.143.5:139
TCP TTL:128 TOS:0x0 ID:7168 DF
*****PA* Seq: 0x61DD Ack: 0x18980952 Win: 0x1E67
00 00 00 43 FF 53 4D 42 75 00 00 00 00 00 00 00 ...C.SMBu.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 87 13 ................
64 00 01 07 04 FF 00 00 00 02 00 01 00 18 00 00 d...............
5C 5C 56 45 52 42 4F 5C 4E 45 54 4C 4F 47 4F 4E \\VERBO\NETLOGON
00 3F 3F 3F 3F 3F 00 45 5C 4C 41 .?????.E\LA
Slide “Partial Snort Collection of Authentication” shows that the authentication process, if sniffed,
can reveal valuable information. We see a user name (jnovak) and the domain name (SIMPLE). If we
can identify a password in the authentication stream, we can use the tool l0phtcrack to crack the
password. This would give the cracker access to any resources that the cracked user is allowed to
use.
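As an added example (not part of the course material), the following Python rebuilds the first packet on the slide from its Snort hex dump, reads the NetBIOS session header and SMB1 command byte, and lists the printable strings that cross the wire in the clear; the command-code table and the 16-pairs-per-line dump layout are assumptions about the formats, not taken from the slide.

```python
# Added example, not part of the course material: rebuild the payload from a
# Snort-style hex dump (the first packet on the slide), read the NetBIOS session
# header and SMB1 command, and list the cleartext strings a sniffer would see.
import re

# Snort prints up to 16 "XX " hex pairs per line, then the ASCII column.
HEX_PREFIX = re.compile(r"^((?:[0-9A-Fa-f]{2} ){1,16})")

SMB_COMMANDS = {                       # SMB1 command codes seen in a logon capture
    0x25: "SMB_COM_TRANSACTION",
    0x72: "SMB_COM_NEGOTIATE",
    0x73: "SMB_COM_SESSION_SETUP_ANDX",
    0x75: "SMB_COM_TREE_CONNECT_ANDX",
}
SNORT_DUMP = """\
00 00 00 72 FF 53 4D 42 25 00 00 00 00 80 01 00 ...r.SMB%.......
00 00 00 00 00 00 00 00 00 00 00 00 01 00 87 13 ................
64 00 81 06 0A 06 00 32 00 00 00 06 00 38 00 00 d......2.....8..
00 32 00 40 00 00 00 00 00 3B 00 00 00 00 00 00 .2.@.....;......
32 00 00 00 16 00 00 00 1C 00 00 00 23 00 00 00 2...........#...
04 02 2A 00 00 00 31 00 00 00 56 45 52 42 4F 00 ..*...1...VERBO.
6A 6E 6F 76 61 6B 00 53 49 4D 50 4C 45 00 53 49 jnovak.SIMPLE.SI
4D 50 4C 45 00 00 MPLE..
"""

def hexdump_to_bytes(dump: str) -> bytes:
    """Concatenate the hex column of every dump line into raw bytes."""
    buf = bytearray()
    for line in dump.splitlines():
        m = HEX_PREFIX.match(line.strip())
        if m:
            buf.extend(int(h, 16) for h in m.group(1).split())
    return bytes(buf)

def cleartext_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of min_len or more, exactly as they cross the wire."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def parse_smb(payload: bytes) -> dict:
    """4-byte NBT session header (type, 3-byte length) followed by the SMB1 header."""
    if len(payload) < 9 or payload[4:8] != b"\xffSMB":
        raise ValueError("not an SMB-over-NetBIOS session message")
    length = int.from_bytes(payload[1:4], "big")
    if length != len(payload) - 4:
        raise ValueError("NBT length field does not match the captured payload")
    command = payload[8]
    return {"nbss_length": length,
            "command": SMB_COMMANDS.get(command, f"unknown 0x{command:02x}"),
            "strings": cleartext_strings(payload)}
```

Fed the second packet from the slide instead (command byte 0x75), the same parser reports SMB_COM_TREE_CONNECT_ANDX and the \\VERBO\NETLOGON share path.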
6 - 26
Win2k Domain Controller With
AD
(Diagram: a Domain Controller running Active Directory and Kerberos, a Shared Resource Host, a
Shared Printer and three Client Workstations; arrows are labelled “Access” and “Authentication
(preferred method Kerberos)”.)
Look at slide “Win2k Domain Controller With AD” to see a more current network set-up. The
preferred method of authentication is now Kerberos. The Kerberos Key Distribution Center (KDC)
takes care of authentication by first identifying if a username and password can be authenticated.
Kerberos allows for a single sign-on to the network and handles subsequent requests for resources.
Once authenticated, a user can request services from a particular network resource. Each user has a
user account number known as a Security ID (SID) that is unique among an enterprise of domains.
When a client attempts to access a remote server, it will use a Kerberos ticket that contains the user’s
SID along with other information. The target server will compare the SID in the Kerberos ticket with
its permissions for resources to decide if the user is allowed access.
6 - 27
Authentication With
AD/Kerberos
• tcpdump output of Kerberos records
10.4.3.3.3263 > 10.4.2.2.88: v5
10.4.2.2.88 > 10.4.3.3.3263: v5
• Ethereal output of Kerberos records
No. Time Source Destination Protocol Info
1 0.000000 10.4.3.3 10.4.2.2 KRB5 AS-REQ
2 0.040000 10.4.2.2 10.4.3.3 KRB5 AS-REP
“Authentication With AD/Kerberos” is shown via tcpdump and Ethereal record output. There are
three subprotocols associated with Kerberos: 1) the Authentication Service (AS) Exchange, 2) the
Ticket-Granting Service (TGS) Exchange and 3) the Client/Server (CS) Exchange.
In the AS Exchange, the KDC confirms the user’s identity and then issues the client requesting
authentication a logon session key and a Ticket Granting Ticket (TGT). In the TGS Exchange, the
KDC issues a service session key and a ticket for the desired service. Finally, in the CS Exchange the
client sends the ticket to the server for admission to a service.
The above exchange shows only the Authentication Service Exchange – both query and response.
This uses the Kerberos port UDP 88.
6 - 28
Reference Material
This page intentionally left blank.
6 - 29
SMB Name Wildcard
NetBIOS names are “mangled” when an nbtstat request is made:
1) Each character in the NetBIOS name is divided into two hex characters
2) Normally blank padded to 16 characters
3) Each hex character is added to ASCII value 0x41 (uppercase “A”)
If “*” is used as the wildcard NetBIOS name (hex value = 2A):
1) Separate into two hex characters: 2 A
2) Null padded to 16 characters: 2 A 0 0 0 0 ... (nulls do not print)
3) Add 0x41 to each character:
     2  A  0  0  0  0  0  0  0  0  0  0  0  0, etc.
  + 41 41 41 41 41 41 41 41 41 41 41 41 41 41, etc.
    43 4B 41 41 41 41 41 41 41 41 41 41 41 41 - Hex result
     C  K  A  A  A  A  A  A  A  A  A  A  A  A - ASCII result
The “SMB Name Wildcard” slide explains why we use a content of
“CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA” to search for the wildcard. When
NetBIOS names are sent over the network, they are mangled into a different format. This format
takes each character in the NetBIOS name and divides it into two hex characters. For normal
NetBIOS names, blanks pad any unused positions of the 16-character name. Finally, the value 0x41
(uppercase A) is added to each of the hex characters.
A NetBIOS name of “*” is a bit different because it is null padded. The “*” character is 2A in hex.
These two hex characters are separated and 0x41 is added to each. So, 2 + 41 = 43 (ASCII C) and
A + 41 = 4B (ASCII K). Each null padding character splits into two zero hex characters, and
0 + 41 = 41 (ASCII A). That is why the
CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA value is used.
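As an added example (not course code), here is the mangling from the slide written out as an encoder and the matching decoder an analyst can run on the name field of a sniffed UDP/137 query; it follows the slide’s 16-character padding rule, with the note that in real traffic the 16th byte carries the name suffix.

```python
# Added example, not course material: the NetBIOS name mangling described on the
# "SMB Name Wildcard" slide (each byte split into two nibbles, 0x41 added to each),
# plus the reverse operation for checking names seen in a capture.
def nbt_encode(name: str, pad: bytes = b" ", length: int = 16) -> str:
    """Pad the name, split every byte into two nibbles, add 0x41 ('A') to each.
    Ordinary names are blank padded; the '*' wildcard is null padded.  (On the
    wire the 16th byte is the name suffix; the slide treats it as padding.)"""
    raw = name.encode("ascii")
    if len(raw) > length:
        raise ValueError("NetBIOS names are at most 16 bytes")
    raw = raw.ljust(length, pad)
    out = []
    for b in raw:
        out.append(chr((b >> 4) + 0x41))    # high nibble: '*' = 0x2A -> 2 + 0x41 = 'C'
        out.append(chr((b & 0x0F) + 0x41))  # low nibble:            -> A + 0x41 = 'K'
    return "".join(out)

def nbt_decode(encoded: str) -> bytes:
    """Reverse the mangling; every character must lie in 'A'..'P'."""
    if len(encoded) % 2:
        raise ValueError("encoded name must have an even length")
    out = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        h, l = ord(hi) - 0x41, ord(lo) - 0x41
        if not (0 <= h <= 15 and 0 <= l <= 15):
            raise ValueError(f"bad character pair in encoded name: {hi}{lo}")
        out.append((h << 4) | l)
    return bytes(out)

# The content the slide says to search for: "CK" followed by 30 "A"s.
WILDCARD = nbt_encode("*", pad=b"\x00")

def classify_query(encoded: str) -> str:
    """Label an encoded name from a name query: the wildcard (an nbtstat -A style
    request for a host's whole NetBIOS table) or an ordinary single-name lookup."""
    if encoded == WILDCARD:
        return "wildcard"
    name = nbt_decode(encoded).rstrip(b" \x00")
    return "name:" + name.decode("ascii", "replace")
```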
6 - 30
Quick Reference
for Microsoft Ports
Function Static Ports
File Sharing TCP:139
Printing UDP:137,138 TCP:139
Browsing UDP:137, 138
WINS Replication TCP:42
WINS Manager TCP:135
WINS Registration TCP:137
NT User Manager TCP:139
NT Server Manager TCP:139
NT Event Viewer TCP:139
NT Registry Editor TCP:139
NT Diagnostics TCP:139
NT Directory Replication UDP:138 TCP:139
6 - 31
Quick Reference
for Microsoft Ports (2)
Function Static Ports
Logon Sequence UDP:137,138 TCP:139
NT Trusts UDP:137,138 TCP:139
NT Secure Channel UDP:137,138 TCP:139
NetLogon UDP:138
Pass Through Validation UDP:137,138 TCP:139
NT Performance Monitor TCP:139
DNS Administration TCP:139
DNS Resolution UDP:53
DHCP Manager TCP:135
DHCP Lease UDP:67,68
PPTP TCP:1723 IP Protocol:47
6 - 32
Quick Reference
for Windows 2000 Ports
Function Static Ports
Global Catalog with LDAP TCP:3268
Global Catalog with LDAP and SSL encryption TCP:3269
Kerberos KSHELL TCP:544
Kerberos Passwords TCP,UDP:464
Kerberos Secure Authentication TCP,UDP:88
LDAP SSL TCP:636
Lightweight Directory Access Protocol (LDAP) TCP,UDP:389
SMB without NetBIOS (CIFS) TCP:445
Terminal Server TCP:3389
6 - 33
Section Quiz
1. Microsoft networks need no perimeter protection from the outside world. (T/F)
2. Microsoft protocols stress security first even at the cost of making software
hard to use. (T/F)
3. WINS servers eliminated the need for DNS servers for Internet traffic. (T/F)
4. In a true Windows 2000 network with no backwards compatibility (Native
mode), NetBIOS is no longer supported. (T/F)
5. NetBIOS names are the same as DNS fully qualified domain names. (T/F)
6 - 34
Section Quiz (2)
6. NBT (NetBIOS over TCP/IP) was the method of communications in most MS
networks before Windows 2000. (T/F)
7. Windows hostnames using Windows 2000 and AD are the same as DNS
hostnames. (T/F)
8. The only way NetBIOS names can be known is via a WINS server. (T/F)
9. Under normal operations, Microsoft File and Print sharing are accomplished
via standard FTP (TCP port 21). (T/F)
10. LDAP is the protocol used to connect to a Kerberos server to do
authentication. (T/F)
6 - 35
Section Quiz (3)
11. Port 445 is used to connect a client to a server for access to remote shares
or printers for hosts in a true (no backwards compatibility/Native mode)
Windows 2000 network. (T/F)
12. UDP port 137 traffic is associated with WINS operations and nbtstat
queries/responses. (T/F)
13. TCP port 139 is associated with WINS lookup operations only. (T/F)
14. In Windows 2000, the preferred method of authentication is Kerberos.
(T/F)
15. AD is essentially a collection of services, standards, and protocols
supported by a database that is installed on a server. (T/F)
Answers to True/False questions:
1) F
2) F
3) F
4) T
5) F
6) T
7) T
8) F
9) F
10) F
11) T
12) T
13) F
14) T
15) T
6 - 36
Multiple Choice
1. The nbtstat –A IP address command does the following:
a) Enumerates WINS servers for the IP address
b) Enumerates an NT registry the IP address
c) Enumerates passwords for the IP address
d) Enumerates NetBIOS resources for the IP address
2. When no WINS server is present in a workgroup/domain, NetBIOS hosts
discover other NetBIOS hosts via:
a) There must be a WINS server in order for NetBIOS hosts to
communicate
b) Sending broadcasts over the network
c) Using DNS servers
d) Using NetBEUI
6 - 37
Multiple Choice (2)
3. The use of Active Directory provides which of the following?
a) Provides a database of network resources/objects for clients to search
and administrators to centrally change
b) Facilitates the use of NETBEUI
c) Provide a means to ‘Map a network drive’
d) NetBIOS name resolution
4. WINS servers allow Microsoft systems to:
a) Register NetBIOS names and IP numbers with the server
b) Perform inverse queries
c) Query DNS servers
d) Eliminate the need for any DNS servers
6 - 38
Multiple Choice (3)
5. The net view \\NetBIOSname command:
a) Enumerates NetBIOS passwords for host NetBIOSname
b) Enumerates NetBIOS file and print shares for host NetBIOSname
c) Enumerates NetBIOS registry entries for host NetBIOSname
d) Enumerates NetBIOS Samba global configuration values for host
NetBIOSname
6. Port 445 in Windows 2000 is used for:
a) NetBIOS name resolution
b) Connection to a Kerberos server
c) Connection to servers for remote share and printer access
d) To do AD searches via LDAP
6 - 39
Multiple Choice (4)
7. In Windows 2000 with AD, DNS has:
a) Been upgraded to do NetBIOS to IP pairings
b) Replaced WINS and is used to associate Windows hostnames and IP
numbers
c) Been upgraded to do NETBUI to IP pairings
d) Been eliminated entirely
8. In Windows 2000 with AD, when the user clicks on the “My Network Places” and
accesses a remote resource:
a) LDAP is used to locate network resources, and port 445 is used to access them
b) DNS is used to locate network resources, and port 137 is used to access them
c) LDAP is used to locate network resources, and port 137 is used to access them
d) DNS is used to locate network resources, and port 88 is used to access them
6 - 40
Multiple Choice (5)
9. A wildcard SMB search using nbtstat will have the string CKAAA… in the
payload; this string is:
a) The NetBIOS name for the master browser
b) The NetBIOS name for the primary domain controller
c) The NetBIOS name for the WINS server
d) The result of “mangling” the wildcard character “*”
10. Domain Controllers:
a) Manage accounts and access
b) Replace DNS
c) Manage workgroup backups
d) Always provide master browser functions
6 - 41
Multiple Choice (6)
11. The “network.vbs” worm caused an increase in the following:
a) Access to domain controllers
b) Access to master browsers
c) Access to WINS servers
d) Access to UDP port 137
12. Access to file shares and shared printer resources is done via:
a) TCP port 137 pre-Win2k, and TCP port 88 in Win2k
b) TCP port 138 pre-Win2k, and TCP port 389 in Win2k
c) TCP port 139 pre-Win2k, and TCP port 445 in Win2k
d) TCP port 136 pre-Win2k, and TCP port 139 in Win2k
6 - 42
Multiple Choice (7)
13. Once a user has authenticated via the domain controller:
a) He/she is allowed access to any shared resources on the network
b) He/she is allowed access to any shared resources for which access had
been granted on the network
c) He/she must be re-authenticated once “logged on” for additional shared
resources
d) He/she is allowed access to all resources (shared/non-shared on the
network)
14. DNS used with Windows 2000 and AD can be used for the following:
a) Hostname to IP resolution and location of network services
b) NetBIOS to IP resolution and authentication to network resources
c) SMB/CIFS resolution and access to LDAP
d) Kerberos authentication and storing of encryption keys
6 - 43
Multiple Choice (8)
15. The SMB/CIFS protocol is used for:
a) Client communications to a Samba server only
b) Samba server communications to a client only
c) A client to send commands to a server that allows them to access
shares, open files, read and write files
d) Samba client and server communications only
Answers to Multiple Choice questions:
1. D
2. B
3. A
4. A
5. B
6. C
7. B
8. A
9. D
10. A
11. D
12. C
13. B
14. A
15. C
6 - 45
Course Revision History
v1.0 – J. Novak.
v1.1 – J. Novak, deleted slide re: netbios tcpdump 139 exchange – 28 Oct 2000
v1.2 – J. Kolde, formatting changes – 21 Jan 01
v1.3 – J. Novak, quiz question clarification per student feedback, updates for Win2000– 23 Feb 01
v1.4 – edited by K. Frederick, fix quiz question – 15 Jun 01
v1.5 – edited by J. Novak, updated URL – 6 July 2001
v1.6 – edited by J. Novak, corrections from student feedback – 07 Oct 01
v.1.7 – edited by J. Novak – deleted superfluous slides – 17 Mar 02
v.1.8 – edited by J. Novak – deleted references to inactive URL’s – 22 Jun 02
v.1.9 – edited by J. Novak – updated for Win2k and AD
v.1.10 – edited by J. Novak – page 3 added back information about NetBeui per user confusion. 22
Sep 02, spelling change on slide 27 kerberos to Kerberos.
v.1.11 – edited by J. Novak – slide 1 reference to Unix in notes page first paragraph, third sentence
changed to Solaris - 9 Nov 2002
V1.12 – edited by J. Novak – slide 4 – notes qualified AD in 2nd paragraph, second sentence. Slide 11
– added parentheses notation on 2nd to last sentence, last paragraph – Feb 2003.
v.1.12 – J. Novak March 2003- notes slide 17 – per student feedback corrected grammar about snort
resolutions.