AbuseBSI: Offene NetBIOS-Namensdienste in AS24940

The other day received a letter from the Federal Office for Information Security ( BSI ) about the vulnerability on a number of servers. It was about NetBIOS, which could potentially be used for DDoS attacks on third-party services - let's figure it out!

The importance of this notice seemed slightly exaggerated to me, but nevertheless I decided to take action. To begin with, make sure that the NetBIOS service on servers is available to anyone who wants it on the Internet, for this we use the utility nmblookup:

nmblookup -A 188.40.67.206
Looking up status of 188.40.67.206
	OWNEROR-JATRFIR <00> -         B <ACTIVE> 
	WORKGROUP       <00> - <GROUP> B <ACTIVE> 
	OWNEROR-JATRFIR <20> -         B <ACTIVE>

    MAC Address = 00-00-00-00-00-00

If the service is not available / disabled (or it simply does not), then the response (after some delay) will look like this:

nmblookup -A 188.40.67.206
Looking up status of 188.40.67.206
No reply from 188.40.67.206

Further, experts from the information security management advise either to disable the NetBIOS-over-TCP / IP service (if it is not used), or to restrict access for incoming connections to port 137 / udp using a firewall.

In my case, there is no need for this service, so I chose the first option. We connect to the remote host and check whether the above port is used:

netstat -napl | grep 137
udp        0      0 188.40.67.206:137       0.0.0.0:*                           1518/nmbd
udp 0 0 188.40.67.206:137 0.0.0.0:* 1518/nmbd
udp 0 0 192.168.15.255:137 0.0.0.0:* 1518/nmbd udp 0 0 192.168.15.21:137 0.0.0.0:* 1518/nmbd udp 0 0 0.0.0.0:137 0.0.0.0:* 1518/nmbd

Stop the service nmbd:

systemctl stop nmdb.service

Check the port usage again:

netstat -napl | grep 137

And "mask" the service so that it no longer runs:

systemctl mask nmbd.service
Created symlink from /etc/systemd/system/nmbd.service to /dev/null.

 

We perform the listed actions for all servers with the specified vulnerability (the list in the letter), we thank the employees of the information security management and inform you that they have eliminated the vulnerability.

 

Securing Windows SMB and NetBios/NetBT Services

What is the Windows SMB service?

The Server Message Block (SMB) Protocol is a network file sharing protocol running on port 445. It is implemented in Microsoft Windows Server as the Microsoft SMB service. Microsoft SMB Protocol is installed by default in Microsoft Windows Server. SMBv2 protocol was introduced in Windows Vista and Windows Server 2008, however SMBv1 still exists on operating systems with SMBv2. SMBv3 protocol was introduced in Windows 8 and Windows Server 2012 with an SMB Encryption feature, but it is not configured by default.


What is Windows NetBios/NetBT service?

NetBIOS was a famous protocol co-developed by IBM and Sytek for computer networking in the 80's. Microsoft's implementation of NetBIOS Over TCP/IP (NetBT) provides the NetBIOS programming interface over the TCP/IP protocol, extending the reach of NetBIOS client and server programs to TCP/IP networks and providing interoperability with other operating systems.

It uses the following TCP and UDP ports:
- UDP port 137 (name services)
- UDP port 138 (datagram services)
- TCP port 139 (session services)

NetBIOS over TCP/IP (NBT) is installed and enabled by default for backwards compatibility with old systems (or SMB implementations); however Microsoft SMB Protocol can be used without Microsoft NetBIOS.


Vulnerabilities:

Since SMB and NetBios/NetBT services are enabled by default, malicious intruders may be able to query these services to gather information about the server or exploit breaches if they exist.
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

NetBios/NetBT service can also be exploited to perform amplification attacks:
https://www.us-cert.gov/ncas/alerts/TA14-017A


How to verify if your server/device is vulnerable?

Use the following command to collect the information about your system via the SMB service:

# nmap --script smb-os-discovery,smb-security-mode,smb-protocols -p445 <Your-server-IP>

Output sample:

PORT STATE SERVICE
445/tcp open microsoft-ds

Host script results:
| smb-os-discovery:
| OS: Windows Server xxxx
| OS CPE: cpe:/o:microsoft:windows_server_xxxx::-
| Computer name: xx-xxxxxxxxxxxx
| NetBIOS computer name: xx-xxxxxxxxxxxx
| Workgroup: WorkGroup
|_ System time: xxxx-xx-xx
| smb-protocols:
| dialects:
| NT LM 0.12 (SMBv1) [dangerous, but default]
| 2.02
| 2.10
| 3.00
|_ 3.02
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)

or using this tcping tool on port 445 for your IP: https://w3dt.net/tools/tcping


Use the following command to collect the information about your system via the NetBios/NetBT service:

From Windows machines (cmd):
# nbtstat -A <Your-server-IP>

From Linux machines (terminal):
# nmblookup -S -R -A <Your-server-IP>

Output sample:
[...]
Looking up status of <Your-server-IP>
XX-XXXXXXXXXXXX <00> - B <ACTIVE>
WORKGROUP <00> - <GROUP> B <ACTIVE>
XX-XXXXXXXXXXXX <20> - B <ACTIVE>
MAC Address = XX-XX-XX-XX-XX-XX


or using this online tool: https://w3dt.net/tools/netbios

If the commands return a time-out, the services might already be filtered/disabled.
Internet cartography services (such as www.shodan.io) could also be used to search for information about services publicly available on your IP (such as "SMB Version: 1").

 

 

Resolution:

SMB and NetBios/NetBT services are designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose these services directly to the Internet or, in general, to an environment where untrusted clients can directly access these services.

Different options are available to mitigate this issue and protect your server or device:

- Disable NetBios/NetBT and SMB services if you are not using them.
or
- Use your firewall to filter inbound connections to SMB and NetBios/NetBT services, and only allow the trusted IPs and hosts.

In addition to the above suggestions, you should install the Operating System security updates as soon as possible and ensure SMBv1 is not in use.

  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

Protect your Server Against the POODLE SSLv3 Vulnerability

Introduction On October 14th, 2014, a vulnerability in version 3 of the SSL encryption protocol...

How to Disable SSLv3 for Apache and Protect Your WHM/cPanel Server from POODLE

There’s a new POODLE in town, but unfortunately it’s not the kind of pooch you want around....

CSF Error: *WARNING* URLGET set to use LWP but perl module is not installed, reverting to HTTP::Tiny

Following the install of CSF (ConfigServer Security & Firewall) on some servers, you may...

Improve CSF iptables performance with ipset

Servers running iptables with CSF firewall can become slow and bogged down while processing the...