RE: NetBIOS Messenger spam - how did it get in?

From: Daniel Miessler (danielrm26@hotmail.com)
Date: 10/29/02 

From: "Daniel Miessler" <danielrm26@hotmail.com>
To: <jasonc@science.org>, "'Damon McMahon'" <inst_karma@hotmail.com>
Date: Tue, 29 Oct 2002 16:13:07 -0500

Hmm. I am wondering where the attacker is going to put this route that
you mention so that it routes right past your NAT.

> It can not be stressed enough that NAT alone is _no protection at
> all_, there must be some filtering or you are running wide open
> looking for trouble.
>
> By adding a route to the network you can directly reach the machines
> from outside the NAT box, something like[1]
>
> # route add -net 192.168/16 gw 123.123.123.123
>
> would do. Then just ping around to find what hosts are alive...
>
> It is raining on the Internet. Don't leave your house with the windows
> open...
>
> [1] Assuming the corporate LAN uses 192.168.0.0--192.168.255.255 as
> their internal addresses and the gateways external IP is
> 123.123.123.123.
> ----
>
> In other words, NAT gains you pretty much nothing for security. The
> existance of your network behind a NATting device might not be
immediately
> obvious to someone scanning from the outside, but anyone watching
traffic
> from your NAT device will be able to figure out pretty easily that
there is
> a network behind that one IP address, and if they care to probe to see
what
> is there, the NAT does not do much to protect the network.
>
> Randy Graham
>
>
> -----Original Message-----
> From: Schuler, Jeff [mailto:Jeff.Schuler@hit.cendant.com]
> Sent: Wednesday, September 25, 2002 1:17 PM
> To: security-basics@securityfocus.com
> Subject: Network Address Translation insecurities
>
>
> I am looking for information regarding the insecurities and
vulnerabilities
> that exist in Network Address Translation. One of our admins feels
that
> because everything is NAT'd that there is no way anyone can break into
the
> systems that are NAT'd. I know that this is not a completely accurate
> statement but need to find some research and documentation regarding
this.
> All our systems are behind at least one firewall so please don't
advise me
> to install a firewall as extra security as they are already there. I
just
> want to make sure that we are not overlooking serious vulnerabilities
just
> because the box is behind a NAT. In order to justify doing
vulnerability
> testing on some of our internal systems I need to demonstrate the
> insecurities in NAT.
>
> Thanks in advance
>
> Jeff Schuler
>
> -----Original Message-----
> From: Damon McMahon [mailto:inst_karma@hotmail.com]
> Sent: Thursday, October 24, 2002 11:36 PM
> To: security-basics@securityfocus.com
> Subject: NetBIOS Messenger spam - how did it get in?
>
>
>
>
> Greetings, The gateway host of my small workgroup has just become a
> 'victim' of the recent spate of SPAM using the NetBIOS Messenger
Service.
> However, I'm seeking advice on how it managed to get through what I
thought
> was a reasonably secure gateway. The gateway is a Windows 2000 host
which
> connects to the internet via an external IP dynamically assigned by my
ISP,
> and to an internal network via a 192.168.0.0/24 IP assigned by the
Windows
> Internet Connection Sharing service. I have ZoneAlarm Pro installed
on the
> gateway, which allows NetBIOS traffic over the 192.168.0.0/24 subnet
but
> rejects NetBIOS traffic from any other IP. This rule is explicitly
defined
> in the ZA Pro configuration, and appears to be working as the ZA Pro
logs
> are full of rejected packets from internet IPs attempting to access
NetBIOS
> ports on the host. From what I understand, such a firewall
configuration
> should discard any traffic to ports 135, 137-139 from any hosts not on
the
> internal network. Clearly there has been a breach. The only possible
> explanation I can conceive is that the source of the NetBIOS message
spoofed
> it's IP address to be in the 192.168.0.0/24 range: 1. Is this
possible? I
> would have thought any packet with such a spoofed IP address would be
deemed
> non-routable by any of the routers between the source host and mine,
and
> hence would never make it to my host? 2. If this is possible, is
there any
> inexpensive [preferably free!] method of configuring Windows 2000
(with or
> without ZA Pro) to filter packets on the basis of interface as well as
IP
> address? For example, BSD variants come with an inbuilt firewall
called ipfw
> which enables you to construct a rule denying all packets with an
address
> 192.168.0.0/24 from passing via the external interface, while allowing
such
> packets to pass via the internal interface. 3. Are there any other
> explanations for this intrusion? Any advice will be most appreciated.
> Please email me on inst_karma A T hotmail D O T com if you require
more
> detailed information.

Relevant Pages