Apparent NetBIOS Attack - How Dangerous?

Thomas

I have been noticing, after checking Windows 2000's Event Viewer security
log, that some individual (from the Internet) is attempting to log into
our computer. The attempts --fortunately all failed, so far-- start
occurring a few minutes after I establish a PPPoE Internet connection, and
cease after some time. When the attacks begin, they occur for several
minutes, sometimes every two or three seconds, sometimes every 10-60
seconds, sometimes just once or twice.

In the Event Viewer, the alerts look like the following one:

The logon to account: <Local account name here>
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: 0WEWCKG1
failed. The error code was: 3221225578

The error type is 681.

Strangely, the individual basically uses every account available in our
system. That is, if we have the accounts Administrator, Peter, Thomas, Jane,
then the user attempts to login with one or more of these accounts. How is
it possible that our full account list is known to someone on the Internet?

As the login attempts occur after packets are sent to local port 137
(NetBIOS), I have disabled NetBIOS over TCP/IP, but the login attacks still
won't stop. The user still obtains our account list, and the failed logins
still appear in the Event Viewer security log.

What can be done in order to remedy this situation? If the subject discovers
the password for one account, would it be possible for him to eventually
"login" successfully, in spite of NetBIOS over TCP/IP being disabled? In
that instance, how much access does he actually have, and how much damage
can he do? In advance, I appreciate any information you can provide.

Regards,

Thomas
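The pattern Thomas describes (one remote workstation, a wrong-password failure against every account that actually exists, all within a minute or so) is exactly what distinguishes a spray driven by a harvested account list from an ordinary mistyped password. The script below is an added example, not code from the thread: it parses Event ID 681 message text of the form quoted above, decodes the decimal "error code" (3221225578 is 0xC000006A, STATUS_WRONG_PASSWORD, meaning the account name was valid), and flags a workstation that cycles through several distinct accounts inside one time window. The sample events are constructed for the example; the workstation name is the one from the post, and the timestamps, account names and the `HOMEPC` entry are invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# NTSTATUS codes that Event ID 681 reports in decimal as "The error code was:".
# 3221225578 == 0xC000006A STATUS_WRONG_PASSWORD, the code in the original post:
# the account exists and only the password was wrong.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

EVENT_681 = re.compile(
    r"The logon to account:\s*(?P<account>[^\n]+?)\s+"
    r"by:\s*(?P<package>\S+)\s+"
    r"from workstation:\s*(?P<workstation>[^\n]+?)\s+"
    r"failed\.\s*The error code was:\s*(?P<code>\d+)"
)

def parse_681(timestamp, message):
    """Turn one Event ID 681 message into a dict, or None if it is not a 681."""
    m = EVENT_681.search(message)
    if not m:
        return None
    code = int(m.group("code"))
    return {
        "time": timestamp,
        "account": m.group("account"),
        "workstation": m.group("workstation"),
        "code": code,
        "status": NTSTATUS.get(code, "UNKNOWN_0x%08X" % code),
    }

def find_sprays(events, window_seconds=300, min_accounts=3):
    """Per workstation, the largest set of distinct accounts tried within one window.
    A source that walks through many *different* accounts in a short time is
    spraying a harvested account list, not mistyping one password."""
    window = timedelta(seconds=window_seconds)
    by_ws = defaultdict(list)
    for e in events:
        by_ws[e["workstation"]].append(e)
    findings = {}
    for ws, evs in by_ws.items():
        evs.sort(key=lambda e: e["time"])
        best = set()
        for i, start in enumerate(evs):
            tried = set()
            for e in evs[i:]:
                if e["time"] - start["time"] > window:
                    break
                tried.add(e["account"])
            if len(tried) > len(best):
                best = tried
        if len(best) >= min_accounts:
            findings[ws] = sorted(best)
    return findings

def account_list_known(events):
    """True when no failure was STATUS_NO_SUCH_USER: every name tried was a real
    account, so the attacker holds the list (e.g. from a null session) rather than guessing."""
    return bool(events) and all(e["code"] != 0xC0000064 for e in events)

def analyze(records):
    """records: iterable of (datetime, event message text)."""
    events = [ev for ev in (parse_681(t, msg) for t, msg in records) if ev]
    return {
        "events": events,
        "sprays": find_sprays(events),
        "account_list_known": account_list_known(events),
    }

# Constructed sample modelled on the event text quoted in the post; not real log data.
def _msg(account, workstation, code):
    return ("The logon to account: %s\nby: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
            "from workstation: %s\nfailed. The error code was: %d" % (account, workstation, code))

T0 = datetime(2004, 11, 3, 21, 14, 2)
SAMPLE_RECORDS = [
    (T0,                         _msg("Administrator", "0WEWCKG1", 3221225578)),
    (T0 + timedelta(seconds=3),  _msg("Peter",         "0WEWCKG1", 3221225578)),
    (T0 + timedelta(seconds=5),  _msg("Thomas",        "0WEWCKG1", 3221225578)),
    (T0 + timedelta(seconds=48), _msg("Jane",          "0WEWCKG1", 3221225578)),
    (T0 + timedelta(minutes=40), _msg("Thomas",        "HOMEPC",   3221225578)),  # one local typo
    (T0 + timedelta(minutes=41), "Some unrelated event text"),
]

if __name__ == "__main__":
    result = analyze(SAMPLE_RECORDS)
    for ws, accounts in result["sprays"].items():
        print("spray from %s against %d accounts: %s" % (ws, len(accounts), ", ".join(accounts)))
    print("attacker appears to hold the account list:", result["account_list_known"])
```

`account_list_known` answers Thomas's question directly: a guesser produces STATUS_NO_SUCH_USER for names that do not exist, whereas here every attempt hits a real account, which is what you see when the list was first enumerated anonymously.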
 
Steven L Umbach

Are you using a firewall such as a personal firewall or a hardware device -
even a cheap NAT router? If not, then you need one, and yes, they could
connect if they discovered a user's password if you do not have a properly
configured firewall. Windows 2000 will still use port 445 TCP for file and
print sharing if NBT is disabled. It is trivial to obtain user account and
group info [not passwords] via a null session if you are not using a
firewall. Go to a site such as http://scan.sygatetech.com/ to do a self-scan
assessment to see if any vulnerabilities are found. I would also make
sure that your computer is current with critical updates from Windows
Update and is using a virus scan program that can monitor the computer in
real time, is current with virus definition files [they change almost daily],
and scans all emails. If you have not done so, do a full virus scan on
your computer and also for parasites with AdAware SE, as your chance of
infection is high from your description of what is going on. If infections
are found, do not connect to the internet until a firewall is in place and
properly configured. The link below is for personal firewalls that are free
for personal use, such as Zone Alarm, which is fairly easy for novices to
configure, though I always prefer a hardware device such as a NAT router as
the first line of defense. --- Steve

http://www.microsoft.com/athome/security/protect/default.aspx -- Protect
your pc tips.
http://www.snapfiles.com/Freeware/security/fwfirewall.html
http://www.trendmicro.com/download/dcs.asp -- free Sysclean malware
detection and removal tool.
http://www.trendmicro.com/download/pattern.asp -- pattern file for Sysclean
in .zip file.
 
Roger Abell [MVP]

Aside from failing to use a firewall, you possibly do not have the policy set
so that you Do not allow anonymous enumeration of SAM accounts and shares.
This allows a remote user to easily list out your account names and groups,
and attracts further effort due to the appearance of an easy meal.
The anonymous enumeration settings can be found in the security
options of the local security policy, although slightly differently
worded depending on OS version.
 
Karl Levinson, mvp

.... for more information on how to secure this and what can break at the
various settings, go to www.nsa.gov/snac and download the Windows 2000 group
policy guide (I think it's the third document) and search it for
"restrictanonymous." For Win 2000, restrictanonymous=1 is usually safe,
though it doesn't block all enumeration, just blocks some details from being
seen. Restrictanonymous=2 is only safe if you have no Windows 9x or ME or
NT systems, for example. RestrictAnonymous=2 only exists in Windows 2000,
for XP and 2003 you use RestrictAnonymous and RestrictAnonymousSAM, both of
which can be either 0 or 1. Search www.google.com for RestrictAnonymousSAM
if you need more information on XP and 2003 settings.

More information on why this happens and what can be seen are at
www.securityfriday.com There is a presentation / article on netbios null
sessions, and the free getacct tool lets you see what the hackers can see.

I concur that it sounds like you have no firewall or a misconfigured
firewall and you should not be surprised that hackers can get into your
domain controllers. Windows is not secure until you secure it.
www.microsoft.com/technet/security, www.nsa.gov/snac and
www.securityadmin.info/faq.asp#harden have hardening guides for Win 2000.
 
Thomas

Thank you for your comments and links. It is interesting to see how much
information (and eventually, access!) others can obtain with NetBIOS.

Fortunately, I finally managed the problem by setting a fixed IPSec policy
to block all incoming and outgoing TCP and UDP packets through all
NetBIOS/SMB-related ports. Since then, I have not noticed any further login
attempts, so it seems that IPSec's 'firewall' is working. I still notice
that the individuals are trying to get the account list, this time without
success.

I will read the NSA security configuration guides. For now, at least, the
NetBIOS problem seems to be taken care of.

Regards,

Thomas
 
Thomas

Thank you for your reply. That the computer may be infected with some sort
of trojan passed my mind. I performed a full system scan for viruses,
trojans, etc. Fortunately, the scan didn't find anything critical.

It seems like I overestimated Windows 2000's default security. I have since
added some IPSec port filters in order to take care of the NetBIOS problem.

Regards,

Thomas

 
Steve Clark [MSFT]

This may seem semantic/pedantic, but IPsec is *not* a firewall. It can
not make stateful decisions on connection-specific information like a
firewall can.

It makes decisions on permit/deny based on filters, not on ports/protocols
and their state.

This is why it is considered "best practice" to use IPsec with a host based
firewall (such as the Windows Firewall with XP SP2 or 2003 SP1) to provide
the best of both feature sets. Look for a feature called "Authenticated
Bypass" if you want to know more about the beauty of this approach.
 
Thomas

> This may seem semantic/pedantic, but IPsec is *not* a firewall. It can
> not make stateful decisions on connection-specific information like a
> firewall can.

Thank you for clarifying. That is the reason why I used quotation marks for
'firewall'.

> This is why it is considered "best practice" to use IPsec with a host based
> firewall (such as the Windows Firewall with XP SP2 or 2003 SP1) to provide
> the best of both feature sets. Look for a feature called "Authenticated
> Bypass" if you want to know more about the beauty of this approach.

We currently do not need a firewall for this particular (Windows 2000)
workstation, as it is not connected to the server (which I believe does use
a software firewall). Only NetBIOS ports need to be relatively secure.

Regards,

Thomas
 
Steven L Umbach

Windows 2000 does not have a built-in firewall like Windows 2003 does and
can be very vulnerable when connected directly to the internet. IPsec is a
good stop-gap measure. If you are not using file and print sharing on that
particular computer [or at least on an external adapter] it would be wise to
disable it, at least on adapters that do not use it. Another possibility is
to enable TCP/IP filtering for TCP only with no ports listed if that
computer does not need to be accessed in any way. TCP/IP filtering for TCP
is stateful, but UDP is not, and the DNS client will fail to resolve names.
Glad to hear you have made steps to secure the computer. --- Steve


 
Guest

IPSec filtering is a good move.
If this Win 2000 client does not need to share anything, disable the "File and
Printer Sharing", "Server" and "Computer Browser" NT services.

This will stop UDP 138 from propagating, which in turn prevents
NetBIOS info (computer name / services, user name, etc.) from being
advertised.

As long as some form of Internet connectivity is needed, a good personal
firewall (stateful, application, etc.) should be standard on each client
machine in today's hostile environment.
 
Karl Levinson, mvp

> We currently do not need a firewall for this particular (Windows 2000)
> workstation, as it is not connected to the server (which I believe does use
> a software firewall). Only NetBIOS ports need to be relatively secure.

FYI there is a default registry value you *absolutely* need to change on
Windows 2000 to make IPSec filtering secure. It's mentioned in the IPsec
guide at www.nsa.gov/snac Without this setting, by default anyone can
bypass your IPsec filters by using a certain source port. Windows 2003
Server has this setting configured securely by default. I think XP IPsec is
configured securely by default, but I'm not 100% sure.
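Roger's and Karl's two posts together describe three registry values that decide whether the enumeration and the IPsec bypass discussed here are possible, with caveats that depend on the OS version and on whether old clients still need access. The audit below is an added example, not code from the thread or from the NSA guides: it takes the values as an already-read dict (however you obtained them: reg query, a GPO export, or winreg) and reports what a practitioner should change, so it runs anywhere. The key paths for RestrictAnonymous and RestrictAnonymousSAM under the Lsa key are real; the IPsec value is my assumption about which setting Karl means by "a certain source port": NoDefaultExempt, which on Windows 2000 defaults to 0 and leaves the default exemptions (IKE, Kerberos and RSVP traffic) outside the filters. The XP default for it is deliberately left as "verify", matching Karl's own uncertainty. The sample dicts are constructed.

```python
# Registry locations of the settings discussed in the thread (all REG_DWORD).
LSA = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
IPSEC = r"HKLM\SYSTEM\CurrentControlSet\Services\IPSEC"   # NoDefaultExempt: assumed to be the value Karl refers to

# Value assumed when a name is absent from the registry (what the OS ships with).
# XP's NoDefaultExempt default is intentionally not listed; the audit asks you to verify it.
DEFAULTS = {
    "win2000": {(LSA, "RestrictAnonymous"): 0, (IPSEC, "NoDefaultExempt"): 0},
    "winxp":   {(LSA, "RestrictAnonymous"): 0, (LSA, "RestrictAnonymousSAM"): 1},
    "win2003": {(LSA, "RestrictAnonymous"): 0, (LSA, "RestrictAnonymousSAM"): 1,
                (IPSEC, "NoDefaultExempt"): 3},
}

def audit(os_name, values, legacy_clients=False):
    """Return [(severity, message)] for the null-session and IPsec-exemption settings.
    os_name: 'win2000', 'winxp' or 'win2003'. values: {(key, value_name): int}.
    legacy_clients: True if Windows 9x/ME/NT 4 machines still need to reach this host."""
    if os_name not in DEFAULTS:
        raise ValueError("unknown OS: %s" % os_name)
    v = dict(DEFAULTS[os_name])
    v.update(values)
    findings = []

    ra = v.get((LSA, "RestrictAnonymous"))
    if os_name == "win2000":
        # Windows 2000: 0 = open, 1 = hides some detail, 2 = no anonymous access at all
        if ra == 0:
            findings.append(("HIGH", "RestrictAnonymous=0: a null session can list accounts, groups and shares; set 1, or 2 if no Win9x/ME/NT clients"))
        elif ra == 1:
            findings.append(("LOW", "RestrictAnonymous=1: safe for mixed networks but does not block all enumeration"))
        elif ra == 2 and legacy_clients:
            findings.append(("WARN", "RestrictAnonymous=2 will break the Windows 9x/ME/NT clients you still have"))
        elif ra not in (0, 1, 2):
            findings.append(("WARN", "RestrictAnonymous=%r is not a valid value" % ra))
    else:
        # XP / 2003: RestrictAnonymous is 0/1 (shares) and RestrictAnonymousSAM is 0/1 (accounts)
        ras = v.get((LSA, "RestrictAnonymousSAM"))
        if ra not in (0, 1):
            findings.append(("WARN", "RestrictAnonymous=%r: on XP/2003 only 0 or 1 are meaningful; use 1" % ra))
        elif ra == 0:
            findings.append(("MEDIUM", "RestrictAnonymous=0: anonymous share enumeration allowed; set 1"))
        if ras != 1:
            findings.append(("HIGH", "RestrictAnonymousSAM=%r: anonymous SAM account enumeration allowed; set 1" % ras))

    nde = v.get((IPSEC, "NoDefaultExempt"))
    if nde is None:
        findings.append(("INFO", "NoDefaultExempt not set: confirm the default for this OS/service pack before relying on IPsec filters"))
    elif nde == 0:
        findings.append(("HIGH", "NoDefaultExempt=0: default IPsec exemptions let packets from an exempt source port bypass your filters; set 1"))
    return findings

# Constructed samples, not real registry dumps.
AS_SHIPPED_WIN2000 = {}                                   # nothing changed from defaults
HARDENED_WIN2000 = {(LSA, "RestrictAnonymous"): 2, (IPSEC, "NoDefaultExempt"): 1}
MIXED_NETWORK_2003 = {(LSA, "RestrictAnonymous"): 1}      # RestrictAnonymousSAM left at its default of 1

if __name__ == "__main__":
    for label, os_name, values in [("as shipped", "win2000", AS_SHIPPED_WIN2000),
                                   ("hardened", "win2000", HARDENED_WIN2000),
                                   ("2003 mixed", "win2003", MIXED_NETWORK_2003)]:
        print("== %s (%s)" % (label, os_name))
        for severity, message in audit(os_name, values) or [("OK", "no findings")]:
            print("  [%s] %s" % (severity, message))
```

The `legacy_clients` flag is the part people forget: RestrictAnonymous=2 on Windows 2000 is the only value that fully closes the enumeration Roger describes, and it is also the one that breaks the old clients Karl warns about, so the audit only objects to it when you say such clients exist.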
 
Laura A. Robinson

Tinfoil hat securely fastened, Thomas pounded the keyboard to produce:

> It is interesting to see how much
> information (and eventually, access!) others can obtain with NetBIOS.

It's not NetBIOS that is the problem in this case; it is the allowing of null
connections (which provide backward compatibility with NT4, in case you're
wondering why Microsoft has them set up that way).

Laura
 
