The other day I received a letter from the Federal Office for Information Security (BSI) about a vulnerability on a number of servers. It concerned NetBIOS, which could potentially be used for DDoS attacks on third-party services. Let's figure it out!
The importance of this notice seemed slightly exaggerated to me, but nevertheless I decided to take action. To begin with, make sure that the NetBIOS service on the servers really is reachable by anyone on the Internet; for this we use the nmblookup utility:
nmblookup -A 184.108.40.206
Looking up status of 220.127.116.11
OWNEROR-JATRFIR <00> - B <ACTIVE>
WORKGROUP <00> - <GROUP> B <ACTIVE>
OWNEROR-JATRFIR <20> - B <ACTIVE>
MAC Address = 00-00-00-00-00-00
If the service is unavailable or disabled (or simply not installed), the response (after some delay) looks like this:
nmblookup -A 18.104.22.168
Looking up status of 22.214.171.124
No reply from 126.96.36.199
Further, the experts from the information security department advise either disabling the NetBIOS-over-TCP/IP service (if it is not used) or restricting incoming connections to port 137/udp with a firewall.
In my case there is no need for this service, so I chose the first option. Connect to the remote host and check whether the port is in use:
netstat -napl | grep 137
udp 0 0 188.8.131.52:137 0.0.0.0:* 1518/nmbd
udp 0 0 184.108.40.206:137 0.0.0.0:* 1518/nmbd
udp 0 0 192.168.15.255:137 0.0.0.0:* 1518/nmbd
udp 0 0 192.168.15.21:137 0.0.0.0:* 1518/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 1518/nmbd
Stop the service (the unit is nmbd.service, the Samba NetBIOS name daemon seen in the netstat output):
systemctl stop nmbd.service
Check the port usage again (the command should now print nothing):
netstat -napl | grep 137
And "mask" the service so that it no longer runs:
systemctl mask nmbd.service
Created symlink from /etc/systemd/system/nmbd.service to /dev/null.
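The whole procedure above (check the host with nmblookup, confirm that nmbd owns 137/udp, then stop and mask the unit) as one script. This is an added example, not code from the original post; it assumes Samba's nmbd is the listener and systemd manages it, as on the post's servers. The transcripts inside are constructed from documentation address ranges, and the function names and the DRY_RUN switch are my own.

```bash
#!/bin/sh
# Added example (not from the original post): audit a Linux host for an
# Internet-reachable NetBIOS name service and, when Samba's nmbd is the
# listener, stop and mask it the way the post does. All sample transcripts
# below are constructed; the addresses are documentation ranges.

# Constructed `nmblookup -A` transcripts: one host answers, one does not.
SAMPLE_NMB_ANSWER='Looking up status of 192.0.2.10
        SRV-A           <00> -         B <ACTIVE>
        WORKGROUP       <00> - <GROUP> B <ACTIVE>
        SRV-A           <20> -         B <ACTIVE>

        MAC Address = 00-00-00-00-00-00'
SAMPLE_NMB_SILENT='Looking up status of 192.0.2.11
No reply from 192.0.2.11'

# Constructed `netstat -napl` excerpt with nmbd bound to 137/udp.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address      Foreign Address  State   PID/Program name
udp        0      0 192.168.15.21:137  0.0.0.0:*                1518/nmbd
udp        0      0 0.0.0.0:137        0.0.0.0:*                1518/nmbd
udp        0      0 0.0.0.0:68         0.0.0.0:*                700/dhclient
tcp        0      0 0.0.0.0:22         0.0.0.0:*        LISTEN  900/sshd'

# Exit 0 when an nmblookup transcript on stdin contains a name-table entry
# such as "NAME <00> - B <ACTIVE>" (the name service answered); exit 1 for
# "No reply" transcripts, which carry no "<hh> -" token.
nmblookup_exposed() {
    grep -Eq '<[0-9A-Fa-f]{2}>[[:space:]]+-'
}

# Run the remote check against one address (needs nmblookup installed).
remote_exposed() {
    nmblookup -A "$1" | nmblookup_exposed
}

# Print "PID/Program" for every UDP socket bound to port 137, deduplicated.
listeners_on_137() {
    awk '$1 ~ /^udp6?$/ && $4 ~ /:137$/ { print $NF }' | sort -u
}

# Stop and mask nmbd. With DRY_RUN=1 the commands are printed, not executed,
# so the function can be exercised without root.
remediate_nmbd() {
    for action in stop mask; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "systemctl $action nmbd.service"
        else
            systemctl "$action" nmbd.service
        fi
    done
}

# On the server itself: remediate only if nmbd really owns 137/udp, so a
# different listener (or nothing at all) is reported instead of masked.
local_audit() {
    if netstat -napl 2>/dev/null | listeners_on_137 | grep -q '/nmbd$'; then
        echo "nmbd is bound to 137/udp; stopping and masking it"
        remediate_nmbd
    else
        echo "no nmbd socket on 137/udp; nothing to do"
    fi
}

if [ "${1:-}" = "--local-audit" ]; then
    local_audit
fi
```

Run it as `sh netbios_audit.sh --local-audit` on each server from the letter; `remote_exposed <ip>` reproduces the nmblookup check from outside. Masking rather than merely disabling the unit is what keeps a later package upgrade or a `systemctl start` from bringing the listener back.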
We perform the listed actions on all servers with the specified vulnerability (the list from the letter), thank the information security staff and inform them that the vulnerability has been eliminated.
Securing Windows SMB and NetBios/NetBT Services
What is the Windows SMB service?
The Server Message Block (SMB) Protocol is a network file sharing protocol running on TCP port 445. It is implemented in Microsoft Windows Server as the Microsoft SMB service and is installed by default. SMBv2 was introduced in Windows Vista and Windows Server 2008; however, SMBv1 still exists on operating systems that ship SMBv2. SMBv3 was introduced in Windows 8 and Windows Server 2012 with an SMB Encryption feature, but encryption is not enabled by default.
What is Windows NetBios/NetBT service?
NetBIOS was a famous protocol co-developed by IBM and Sytek for computer networking in the 80's. Microsoft's implementation of NetBIOS Over TCP/IP (NetBT) provides the NetBIOS programming interface over the TCP/IP protocol, extending the reach of NetBIOS client and server programs to TCP/IP networks and providing interoperability with other operating systems.
It uses the following TCP and UDP ports:
- UDP port 137 (name services)
- UDP port 138 (datagram services)
- TCP port 139 (session services)
NetBIOS over TCP/IP (NBT) is installed and enabled by default for backwards compatibility with old systems (or SMB implementations); however Microsoft SMB Protocol can be used without Microsoft NetBIOS.
Since SMB and NetBios/NetBT services are enabled by default, malicious intruders may be able to query these services to gather information about the server or to exploit vulnerabilities if any exist.
The NetBios/NetBT service can also be abused to perform amplification attacks.
How to verify if your server/device is vulnerable?
Use the following command to collect the information about your system via the SMB service:
# nmap --script smb-os-discovery,smb-security-mode,smb-protocols -p445 <Your-server-IP>
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| OS: Windows Server xxxx
| OS CPE: cpe:/o:microsoft:windows_server_xxxx::-
| Computer name: xx-xxxxxxxxxxxx
| NetBIOS computer name: xx-xxxxxxxxxxxx
| Workgroup: WorkGroup
|_ System time: xxxx-xx-xx
| NT LM 0.12 (SMBv1) [dangerous, but default]
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
or using this tcping tool on port 445 for your IP: https://w3dt.net/tools/tcping
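The nmap output above is easy to read by eye on one host but not across a fleet, so here is a small filter that reduces it to findings and a non-zero exit status. It is an added example, not part of the original page or of nmap; the sample output is constructed from the page's redacted transcript, and the finding labels are my own wording of the page's advice (filter 445, retire SMBv1, require signing).

```bash
#!/bin/sh
# Added example (not from the original page): turn `nmap --script
# smb-os-discovery,smb-security-mode,smb-protocols -p445` output into a
# findings list. SAMPLE_NMAP_EXPOSED is constructed from the page's redacted
# transcript; SAMPLE_NMAP_HARDENED is a constructed "good" counterpart.

SAMPLE_NMAP_EXPOSED='PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb-os-discovery:
|   OS: Windows Server xxxx
|   Computer name: xx-xxxxxxxxxxxx
|_  System time: xxxx-xx-xx
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|_    2.02
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)'

SAMPLE_NMAP_HARDENED='PORT    STATE    SERVICE
445/tcp filtered microsoft-ds'

# Read nmap output on stdin and print one finding per line. The exit status
# is 1 when at least one finding was printed, so the function can gate a
# fleet-wide check (nmap ... | smb_findings || mail the owner).
smb_findings() {
    awk '
        /^445\/tcp[[:space:]]+open/   { print "smb-reachable: TCP 445 answers; filter it unless only trusted clients can reach it"; n++ }
        /\(SMBv1\)/                   { print "smbv1-enabled: SMBv1 dialect offered; disable SMBv1"; n++ }
        /message_signing: disabled/   { print "signing-disabled: SMB message signing not enforced"; n++ }
        END { exit (n > 0) }
    '
}

# Number of findings for a transcript on stdin (handy for summaries).
smb_finding_count() {
    smb_findings | wc -l | tr -d ' '
}
```

Typical use is `nmap --script smb-os-discovery,smb-security-mode,smb-protocols -p445 <ip> | smb_findings`; the filtered-port case yields no findings and exit status 0, which is the state the rest of this page is steering you towards.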
Use the following command to collect the information about your system via the NetBios/NetBT service:
From Windows machines (cmd):
# nbtstat -A <Your-server-IP>
From Linux machines (terminal):
# nmblookup -S -R -A <Your-server-IP>
Looking up status of <Your-server-IP>
XX-XXXXXXXXXXXX <00> - B <ACTIVE>
WORKGROUP <00> - <GROUP> B <ACTIVE>
XX-XXXXXXXXXXXX <20> - B <ACTIVE>
MAC Address = XX-XX-XX-XX-XX-XX
or using this online tool: https://w3dt.net/tools/netbios
If the commands return a time-out, the services might already be filtered/disabled.
Internet scanning services (such as www.shodan.io) can also be used to look up what they have recorded about services publicly available on your IP (for example "SMB Version: 1").
SMB and NetBios/NetBT services are designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose these services directly to the Internet or, in general, to an environment where untrusted clients can directly access these services.
Different options are available to mitigate this issue and protect your server or device:
- Disable NetBios/NetBT and SMB services if you are not using them.
- Use your firewall to filter inbound connections to SMB and NetBios/NetBT services, and only allow the trusted IPs and hosts.
In addition to the above suggestions, you should install the Operating System security updates as soon as possible and ensure SMBv1 is not in use.
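The second mitigation in the list above (filter inbound SMB/NetBIOS and allow only trusted hosts) as a concrete Linux firewall ruleset. This is an added example, not from the original page; it uses nftables, assumes the server is Linux, and uses the documentation prefix 203.0.113.0/24 as the trusted network. The table and function names are mine.

```bash
#!/bin/sh
# Added example (not from the original page): generate, apply and sanity-check
# an nftables ruleset that exposes SMB/NetBIOS only to a trusted IPv4 prefix.
# The table name "smb_guard" and the trusted prefix are assumptions.

# Print an nftables ruleset allowing the four SMB/NetBIOS ports only from
# $1 (a CIDR prefix) and dropping them from everywhere else. The chain's
# policy stays "accept", so traffic to other ports is not affected.
smb_nft_ruleset() {
    trusted=$1
    cat <<EOF
table inet smb_guard {
    chain input {
        type filter hook input priority 0; policy accept;
        # NetBIOS name/datagram services (UDP 137, 138), NetBIOS session
        # service (TCP 139) and direct SMB (TCP 445) from trusted clients only
        ip saddr $trusted udp dport { 137, 138 } accept
        ip saddr $trusted tcp dport { 139, 445 } accept
        udp dport { 137, 138 } drop
        tcp dport { 139, 445 } drop
    }
}
EOF
}

# Replace any earlier copy of the table and load the new one (needs root).
smb_nft_apply() {
    tmp=$(mktemp)
    smb_nft_ruleset "$1" >"$tmp"
    nft delete table inet smb_guard 2>/dev/null || true
    nft -f "$tmp"
    rm -f "$tmp"
}

# Exit 0 when the generated ruleset both accepts the trusted prefix on
# TCP 139/445 and unconditionally drops those ports afterwards.
smb_nft_check() {
    rules=$(smb_nft_ruleset "$1")
    printf '%s\n' "$rules" | grep -Fq "ip saddr $1 tcp dport { 139, 445 } accept" &&
        printf '%s\n' "$rules" | sed 's/^ *//' | grep -Fxq 'tcp dport { 139, 445 } drop'
}

if [ "${1:-}" = "--apply" ]; then
    smb_nft_apply "${2:?usage: $0 --apply <trusted-cidr>}"
fi
```

Run `sh smb_guard.sh --apply 203.0.113.0/24` with your own prefix, then `nft list table inet smb_guard` to confirm the rules landed. The `ip saddr` matches cover IPv4 only; if the host also has a public IPv6 address, add matching `ip6 saddr` rules. Re-run the nmblookup and nmap checks from outside afterwards: both should time out once the drop rules are active.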