Re: NULL IPC$ Sessions
From: David LeBlanc (dleblanc@MINDSPRING.COM)
Date: 02/05/02
Date: Tue, 5 Feb 2002 09:29:39 -0800
From: David LeBlanc <dleblanc@MINDSPRING.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

> From: ThePsyko
> I've found that enum (http://www.cotse.com/tools/netbios.htm)
> is capable of pulling down much more information via a null
> session.

Actually, enum only pulls down a fraction of what's actually available.
What types of information are available is documented fairly thoroughly
in the Platform SDK, also available on the web, so none of this is
hidden - anyone who can read the SDK and write just a little C can see
what's there. Various tools have been created that gather much more
information. A lot of the information isn't especially useful to an
attacker; some of it is.

The available information also strongly varies with operating system
version and in the case of NT 4.0, service pack. The amount of
information available to the anonymous user is substantially less for
Windows 2000 than NT 4.0, and Windows 2000 allows RestrictAnonymous to
be set to 2 - which essentially denies all null sessions. If you're
going to set RA=2, please look up and read the KB articles. In Windows
XP, the information is even further restricted, and it is restricted by
default.

The real question as an admin is what to do about the information being
available. First, if all the users have strong passwords, there isn't a
problem. This can be accomplished by installing a password filter on NT
4.0, or by simply checking a policy item in Windows 2000 and later. Push it
down via domain policy if you have Win2k DC and clients. Next, audit
your network. Know what's out there. If you're really worried about it,
run Windows 2000 or better, turn off the browser service (RA=2 breaks
it) and set RA=2. Running Windows XP protects you even further. Lastly,
be sure and block ports 139 and 445 TCP from the internet.

David LeBlanc
dleblanc@mindspring.com
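
An added example, not part of the original message: one way to run the "audit your network" step over collected host data, mapping each host to the action the message recommends. The sample captures (in the style of `reg query` and `sc query browser` output), the `## host=` separator, and treating a missing RestrictAnonymous value as 0 are assumptions constructed for illustration.

```python
import re
# Constructed sample: per-host RestrictAnonymous and browser-service state
# lines. The "## host=... os=..." separator is an assumed collection format.
SAMPLE = """
## host=DC01 os=2000
    RestrictAnonymous    REG_DWORD    0x2
        STATE              : 1  STOPPED
## host=FS02 os=2000
    RestrictAnonymous    REG_DWORD    0x2
        STATE              : 4  RUNNING
## host=APP03 os=2000
    RestrictAnonymous    REG_DWORD    0x1
        STATE              : 4  RUNNING
## host=OLD04 os=NT4
        STATE              : 4  RUNNING
## host=WS05 os=XP
    RestrictAnonymous    REG_DWORD    0x0
"""

HOST = re.compile(r"^## host=(\S+) os=(\S+)$")
RA = re.compile(r"RestrictAnonymous\s+REG_DWORD\s+0x([0-9a-fA-F]+)")
STATE = re.compile(r"STATE\s*:\s*\d+\s+(\w+)")

def parse(text):
    """Return {host: {"os": str, "ra": int, "browser": str or None}}."""
    hosts, cur = {}, None
    for line in text.splitlines():
        if m := HOST.match(line.strip()):
            # Assumption: a missing RestrictAnonymous value behaves like 0.
            cur = hosts[m.group(1)] = {"os": m.group(2), "ra": 0, "browser": None}
        elif cur is not None and (m := RA.search(line)):
            cur["ra"] = int(m.group(1), 16)
        elif cur is not None and (m := STATE.search(line)):
            cur["browser"] = m.group(1)
    return hosts

def assess(h):
    """Map one host record to the action recommended in the message."""
    fixed = {"NT4": "upgrade: run Windows 2000 or better",
             "XP": "ok: restricted by default"}
    if h["os"] != "2000":
        return fixed.get(h["os"], "unknown OS: review manually")
    if h["ra"] < 2:
        return "set RA=2 after reading the KB articles"
    if h["browser"] == "RUNNING":  # the message notes RA=2 breaks this service
        return "RA=2 set but browser service still on: turn it off"
    return "ok: null sessions essentially denied"

def audit(text):
    return {name: assess(h) for name, h in parse(text).items()}
```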