Re: OT udp port 138 BROWSER traffic

From: NeoSadist (neosad1st_at_charter.net)
Date: 12/31/03

    Date: Tue, 30 Dec 2003 19:40:22 -0700
    
    

    Newsbox wrote:

    > This is off topic since it is really about Windows security, but I thought
    > perhaps one or more of the kind and knowledgeable people here might give
    > me a more direct answer than if I posted in a Windows NG. I don't use MS
    > software virtually at all, and also haven't ever gotten fluent with SAMBA.
    > I seem to remember that port 138 is open and used on Windows (many) for
    > "BROWSER" (networking) business, and (often?) presents a security
    > vulnerability for them. My lower ports including 138 are almost all
    > firewalled closed, and my belief is that udp port 138 traffic is no risk
    > to me. I am however trying to compile a list of network events that occur
    > at the same time as I am losing packets. (The loss is not at my end.) I
    > have found some interesting events, and am making some progress.

    Then again, if someone's receiving your port 138 browser announcements,
    chances are they're on your network already, which means it's basically
    over. See, usually any sane network admin doesn't allow 135-139 and 445 in
    or out of the internet side of the firewall, but they are allowed on the
    LAN. That's why I'm saying that if they're receiving those, chances are
    it's already all over, since they're on your LAN usually.

    >
    > One such coincident event was a BROWSER Host announcement from an NT
    > workstation, and I lost a ping return at that moment. I'm not concerned
    > about the ping packet, per se, but the connection has been noticeably
    > "spotty". This is on a public network.

    Was it received over the internet? It could be that there's a computer that
    thinks it needs to force a browser election every time it talks on the
    network... I've seen some buggy Windows versions do that, and even "argue"
    back and forth for hours on who's the master browser. That's why I
    recommend to everyone to set this service to manual, and NOT automatic
    (except on the machine that's the master browser for that network, but
    that's only for peer-to-peer: I think most any Windows version on a
    server-client or domain LAN you can disable the master browser service and
    nothing breaks...)

    >
    > So my question is, what kind of security risk, if any, does the NT
    > workstation run by having this BROWSER service running on a public
    > network?

    In my opinion, only announcing their presence, and that's only worth
    worrying about if someone's already hacked into your network on the LAN
    level.

    > Is there ever a good reason or justification to run that
    > publicly, or is that not recommended?

    No, but it can lead to problems, so like I said, set it to manual (i.e. NOT
    automatic) on all your machines except the servers (if there are any).

    > I'm just looking for some kind of
    > general frame of reference.

    This is by experience: I've sat with a Linux box on plenty of Windows LANs
    using Ethereal in promiscuous mode, and watched the workstations and
    servers "argue" over that port. Usually the workstations also seem to
    announce this on power-up, if that service is set to automatic. I can go
    home and tie into anyone's LAN for the holidays and set up Ethereal and
    watch their machines gladly give me their MAC address. This should only be
    a concern on networks where physical access is easier, such as WiFi...

    >
    > Also while we are off topic, is there any reason to believe that this kind
    > of BROWSER broadcast would make a properly configured router stumble? (It
    > was a broadcast packet, 243 bytes long.) This is a Cisco router but that
    > is all I know about it. Is there a better or more meaningful way to test,
    > rather than using ping?

    Shouldn't, unless that router also wants to be master browser. Disable the
    service on all machines (except servers) and see if that changes
    anything...
    More meaningful test? Uh, well you could grab a Linux box, load the packet
    generator module, and use that to transmit master browser packets, but that
    would require tons of head-work, unless some script kiddie has a script for
    it, for like local LAN hacking...

    >
    > Thanks for reading, and I appreciate some perspective about this.
    >
    > Best wishes.
    >

    -- 
    What good is a ticket to the good life, if you can't find the
    entrance?
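To go with the capture-based approach the thread describes (watching the UDP 138 browser announcements workstations broadcast, so they can be lined up against packet-loss events), here is an added Python example that is not from the original post: it decodes the NetBIOS datagram header and the first-level-encoded names, finds the \MAILSLOT\BROWSE write inside the SMB transaction, and labels the browser command. The packet it parses is constructed inline; the host name, workgroup and source IP are assumed sample values.

```python
import struct

# Browser-protocol commands carried in \MAILSLOT\BROWSE datagrams (MS-BRWS).
BROWSER_OPCODES = {0x01: "HostAnnouncement", 0x02: "AnnouncementRequest",
                   0x08: "RequestElection", 0x0C: "DomainAnnouncement",
                   0x0F: "LocalMasterAnnouncement"}
# 16th byte of a NetBIOS name: which browser role the datagram is addressed to.
SUFFIXES = {0x00: "workstation", 0x1D: "master browser", 0x1E: "browser election", 0x20: "server"}
MAILSLOT = b"\\MAILSLOT\\BROWSE\x00"

def encode_nb_name(name, suffix):
    """RFC 1001 first-level encoding: each nibble of the 16-byte name becomes a letter A..P."""
    raw = name.ljust(15).encode("ascii") + bytes([suffix])
    return b"\x20" + bytes(c for b in raw for c in ((b >> 4) + 0x41, (b & 0xF) + 0x41)) + b"\x00"

def decode_nb_name(encoded):
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def parse_browser_datagram(payload):
    """Summarise a UDP/138 NetBIOS datagram payload if it carries a browser frame, else return None."""
    if len(payload) < 82 or payload[0] not in (0x10, 0x11, 0x12):  # only DIRECT/BROADCAST types carry data
        return None
    src_ip = ".".join(str(b) for b in payload[4:8])            # 14-byte datagram header, source IP at 4..7
    src_name, _ = decode_nb_name(payload[15:47])                 # encoded names: length byte, 32 chars, null
    dst_name, dst_suffix = decode_nb_name(payload[49:81])
    smb = payload[82:]
    if smb[:4] != b"\xffSMB" or smb[4] != 0x25 or MAILSLOT not in smb:  # 0x25 = SMB_COM_TRANSACTION
        return None
    frame = smb[smb.find(MAILSLOT) + len(MAILSLOT):]             # browser frame follows the mailslot name
    info = {"src_ip": src_ip, "src": src_name, "dst": dst_name,
            "dst_role": SUFFIXES.get(dst_suffix, hex(dst_suffix)),
            "command": BROWSER_OPCODES.get(frame[0], hex(frame[0]))}
    if frame[0] == 0x01 and len(frame) >= 28:                   # HostAnnouncement fixed fields after opcode
        _, period, host, os_major, os_minor, srv_type = struct.unpack_from("<BI16sBBI", frame, 1)
        info.update(host=host.rstrip(b"\x00").decode("ascii"), os=f"{os_major}.{os_minor}",
                    server_type=srv_type, periodicity_ms=period)
    return info

def build_host_announcement(host, workgroup, src_ip):
    """Constructed sample (not a capture): a HostAnnouncement as an NT 4.0 workstation broadcasts it."""
    frame = struct.pack("<BBI16sBBIBBH", 0x01, 1, 720000, host.encode(), 4, 0, 0x1003, 15, 1, 0xAA55) + b"\x00"
    trans = bytes([17]) + struct.pack("<HHHHBBHIHHHHHBBHHH", 0, len(frame), 0, 0, 0, 0, 0, 0, 0,
                                      0, 0, len(frame), 86, 3, 0, 1, 0, 2)  # SMB Trans, mailslot write
    smb = (b"\xffSMB\x25" + b"\x00" * 27 + trans
           + struct.pack("<H", len(MAILSLOT) + len(frame)) + MAILSLOT + frame)
    header = struct.pack("!BBH4sHHH", 0x11, 0x02, 0x1234, bytes(map(int, src_ip.split("."))), 138, 68 + len(smb), 0)
    return header + encode_nb_name(host, 0x00) + encode_nb_name(workgroup, 0x1D) + smb
```

With an empty host comment the constructed UDP payload is 201 bytes, which plus 14 Ethernet, 20 IP and 8 UDP header bytes gives a 243-byte frame, consistent with the size quoted in the thread.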
    
