NetBIOS name server protocol spoofing
Christopher R. Hertel
crh at nts.umn.edu
Mon Aug 7 21:36:43 GMT 2000
Basic rule: prevent port 137/UDP from crossing your border.
> On Fri, 4 Aug 2000, Peter Polkinghorne wrote:
>
> > Summary: machines can be asked to give up NetBios names, by means of
> > name conflict and name release requests.
>
> > I did have a quick look at the code, but apart from no obvious ref to
> > conflict packets could not determine.
> > Is Samba vulnerable to this problem?
>
> > Here is the Microsoft take on it (very carefully worded):
>
> > http://www.microsoft.com/technet/security/bulletin/fq00-047.asp
>
> > Their fix is to have a registry setting to ignore such packets. They point
> > out that this is potentially dangerous. I do not think this is a big
> > issue - it is just another DoS attack.
>
> AFAIK, sending a netbios packet will not cause a Samba server to give up its
> name on the network. Samba is very persistent in this regard -- it will
> continue trying to claim the name (and anything else it's configured for) no
> matter what other machines on the network might tell it. I believe this name
> conflict / name release 'feature' of NT is also what allows you to hijack an
> NT domain when the PDC reboots..
>
> Steve Langasek
> postmodern programmer
>
>
--
Christopher R. Hertel -)----- University of Minnesota
crh at nts.umn.edu Networking and Telecommunications Services
Ideals are like stars; you will not succeed in touching them
with your hands...you choose them as your guides, and following
them you will reach your destiny. --Carl Schultz
More information about the samba-technical
mailing list