[Samba] Results of nessus scan

Andrew Bartlett abartlet at samba.org
Thu Dec 25 07:32:02 GMT 2003


On Wed, 2003-12-17 at 06:57, Jonas Carlsson wrote:
> I run samba 2.2.8a on my openbsd 3.4 box, installed from a package.
> All I need is the ability to mount disks from winxp boxes so I only run 
> smbd, at 139/tcp.
> I tried scanning the box with nessus, and it came up with some results 
> that got me curious.
> Since I don't know very much about the smb protocol I thought I should 
> ask here.

The nessus text is a little alarming - given that none of the
information disclosed to your internal LAN is really that interesting...

> Have searched the archives but found only old posts, concerning older 
> versions.
> 
> What's a NULL session? What are domain and host SID?
> Nessus also suggests I'd limit the access to the $IPC share.

The 'securing samba' section of the howto collection includes
information on the IPC$ share.

> How can i limit this info disclosure?

You should only be running samba on trusted networks that often need
this information, but you can restrict it a little, in some situations.

> 127.0.0.1|netbios-ssn (139/tcp)|10397|INFO|Here is the browse list of 
> the remote host :
> HOSTNAME -
> This is potentially dangerous as this may help the attack of a potential 
> hacker by giving him extra targets to check for
> Solution : filter incoming traffic to this port
> Risk factor : Low
> 
> 127.0.0.1|netbios-ssn (139/tcp)|10395|INFO|Here is the list of the SMB 
> shares of this host :
> myshare - 
> IPC$ - 
> ADMIN$ - 
> This is potentially dangerous as this may help the attack of a potential 
> hacker. Solution : filter incoming traffic to this port
> Risk factor : Medium
> 
> 127.0.0.1|netbios-ssn (139/tcp)|10400|INFO|
> The remote registry can be accessed remotely using the login / password 
> combination used
> for the SMB tests. Having the registry accessible to the world is not a 
> good thing as it gives
> extra knowledge to a hacker.
> Solution : Apply service pack 3 if not done already,
> and set the key 
> HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg
> to restrict what can be browsed by non administrators.
> In addition to this, you should consider filtering incoming packets to 
> this port.
> Risk factor : Low

We don't actually expose a remote registry - we expose something that
looks like it for the purpose of running various services.  If you were
to follow the advice on an MS box, you would probably break things.

> 127.0.0.1|netbios-ssn (139/tcp)|10859|INFO|The host SID can be obtained 
> remotely. Its value is :
> HOSTNAME : 4-55-654367899-87557843444-56789446
> An attacker can use it to obtain the list of the local users of this host
> Solution : filter the ports 137 to 139 and 445
> Risk factor : Low
> 
> 127.0.0.1|netbios-ssn (139/tcp)|10398|INFO|The domain SID can be 
> obtained remotely. Its value is :
> WORKGROUP : 45-0-0-0-0
> An attacker can use it to obtain the list of the local users of this host
> Solution : filter the ports 137 to 139 and 445
> Risk factor : Low
> 
> 127.0.0.1|netbios-ssn (139/tcp)|10394|REPORT|
> . It was possible to log into the remote host using a NULL session.
> The concept of a NULL session is to provide a null username and
> a null password, which grants the user the 'guest' access
> To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
> Q246261 (Windows 2000).
> Note that this won't completely disable null sessions, but will  prevent 
> them from
> connecting to IPC$.

This is matched by the 'restrict anonymous' parameter in Samba 3.0.

> Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html.
> All the smb tests will be done as ''/'whatever' in domain

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
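The two pointers in the reply above (the IPC$ guidance in the 'securing samba' HOWTO section and the 'restrict anonymous' parameter) look like this in smb.conf, shown as the open configuration the scan saw next to a restricted one. This is an added example, not configuration from the thread or from the Samba documentation; it assumes Samba 3.0 and a trusted LAN of 192.168.1.0/24.

```ini
# Added example (not from the thread): smb.conf before and after restricting
# anonymous access. Assumes Samba 3.0 and a trusted LAN of 192.168.1.0/24.

# --- Before: what the Nessus scan was looking at ----------------------------
[global]
    workgroup = WORKGROUP
    security = user
    # No address restrictions and default anonymous handling: any host that
    # reaches 139/tcp can open a NULL session, list the shares and read the
    # host and domain SIDs, which is exactly what the report enumerated.

# --- After: only the LAN may talk to smbd, and NULL sessions get nothing ----
[global]
    workgroup = WORKGROUP
    security = user
    # Listen only on loopback and the LAN, never on an internet-facing address.
    interfaces = lo 192.168.1.0/24
    bind interfaces only = yes
    # Refuse connections from anywhere but the LAN (global default for shares).
    hosts allow = 127.0.0.1 192.168.1.0/24
    hosts deny = 0.0.0.0/0
    # Samba 3.0: 2 refuses anonymous IPC$ connections altogether, which is the
    # setting that answers the "NULL session" finding.
    restrict anonymous = 2

# Share listing and SID/user lookups all go through IPC$, so restricting it
# per-share limits the disclosure even on releases without 'restrict anonymous'.
[IPC$]
    hosts allow = 127.0.0.1 192.168.1.0/24
    hosts deny = 0.0.0.0/0
```

'restrict anonymous = 2' can break network browsing and some Windows client behaviour, so test it against the XP boxes before leaving it in place; filtering 137-139 and 445 at the packet filter, as Nessus suggests, is the complementary control and works on any Samba release.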