Re: preventing username enumeration on NT4

From: HC <>
Date: Mon, 03 Jun 2002 06:56:41 -0400

> I am fairly certain that the attacker established a null session and then
> obtained the usernames (don't know what program was used though).

I don't think the program used really matters...does it? I've got a
Perl script on my web page that does full null session enumeration, all
the way to the point of being able to determine the manufacturer of the
NICs in the machine.

I left the below quote from your post intact so you could look at it
again. I have no idea where the conceptual loss is...this isn't meant
as a flame or anything, so please don't take offense. If you need to
use NetBIOS on your network, then what you need to do is block access to
port 139 *from the Internet*. So, take that "old computer" you
mentioned, put two NICs in it (a couple of old 10baseT 3Com cards might
cost you $10, total), make sure they have different IRQs, then take the
hard drive(s) out of the box and use one of the many "firewalls on a
floppy" that you can find on the Internet. Several of them are quite
good and easy to use. FloppyFW comes to mind. Make sure that the f/w
is configured to block all access from the Internet...some of these f/ws
come pre-configured this way.

At that point, all you need to do is grab a free syslog server from
someplace, *if* you intend to maintain logs from the f/w. Kiwi's got a
good one.

Again, if you need NetBIOS internally, then simply block access to the
ports from the Internet....

> I want to prevent future attackers from doing this. One method is to set
> a registry value to 1 (something like restrictanonymous). But this method
> is only partially effective and may deter some attacks, but the threat is
> still present (i.e. I can't prevent the use of sid2user & user2sid this
> way).
> The big problem lies in the exposure of port 139 to the Internet.
> Am I correct in assuming that it's very difficult (impossible?) to prevent
> null session establishments in NT 4 while simultaneously utilizing the
> following features:
> - shared drives (accessed locally and sometimes remotely)
> - WINS
> I can unbind netbios from the NIC, but I think that causes problems with
> those features, right?
> Our organization's resources are slim, so buying/using additional
> computers so each computer serves a single purpose is not likely. Also
> forget about hiring a security consultant.
> What about packet filtering at the router? What options do I have there?
> And an application firewall? I am not entirely sure which ports I must
> leave open to the world for the following functions:
> - PDC / web server (IIS 4) / shared drives
> - BDC / web server (IIS 4, OWA) / Exchange Server
> Is it possible to grab an old computer and write an application that
> intercepts "bad" packets coming towards my PDC & BDC, and then send back
> the appropriate response to make the targets seem like they're not there?
> Any resources on undertaking such a task (I only have basic socket
> programming experience)?
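The reply above recommends blocking port 139 from the Internet at a floppy firewall and shipping its logs to a syslog server. The script below is an added example (not code from this thread or from any firewall project) of what to do with those logs once you have them: it parses packet-log lines, picks out Internet-sourced traffic aimed at NetBIOS/SMB ports, and separates probes the firewall dropped from packets it let through, which is the policy gap the original poster is worried about. The log lines are constructed for this example and only loosely follow the ipchains kernel log layout of that era; the regular expression, the "internal" address ranges, and the inclusion of port 445 (SMB over TCP on Windows 2000 and later, not NT4) are assumptions, and the documentation address ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 stand in for public addresses.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines, loosely modelled on an ipchains-style kernel
# packet log forwarded to syslog. eth0 is assumed to be the Internet side,
# eth1 the LAN side. These are not real captures.
SAMPLE_LOG = """\
Jun  3 06:40:12 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.45:3921 192.0.2.10:139 L=48 S=0x00 I=12345 F=0x4000 T=112 SYN
Jun  3 06:40:13 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.45:3922 192.0.2.10:445 L=48 S=0x00 I=12346 F=0x4000 T=112 SYN
Jun  3 06:40:15 fw kernel: Packet log: input ACCEPT eth1 PROTO=6 10.0.0.7:1045 10.0.0.1:139 L=48 S=0x00 I=2233 F=0x4000 T=128 SYN
Jun  3 06:41:02 fw kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.9:137 192.0.2.10:137 L=78 S=0x00 I=999 F=0x0000 T=64
Jun  3 06:42:30 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 203.0.113.45:3930 192.0.2.10:80 L=48 S=0x00 I=12400 F=0x4000 T=112 SYN
Jun  3 06:43:01 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 198.51.100.9:2044 192.0.2.10:139 L=48 S=0x00 I=13001 F=0x4000 T=115 SYN
"""

# NetBIOS name/datagram/session ports plus SMB-over-TCP (445, Windows 2000+).
# None of these should be reachable from the Internet. (Assumption: the
# port set; NT4 itself only listens on 137-139.)
NETBIOS_PORTS = {137, 138, 139, 445}

# Address ranges treated as "inside". Anything else is considered Internet
# sourced. Documentation ranges are deliberately NOT listed here so the
# sample addresses above count as public.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Assumed log layout: "input <ACTION> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>"
LOG_RE = re.compile(
    r"input (?P<action>[A-Z]+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict for one packet-log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def is_internet_source(addr):
    """True unless the address falls inside one of the INTERNAL_NETS ranges."""
    a = ipaddress.ip_address(addr)
    return not any(a in net for net in INTERNAL_NETS)


def audit_netbios_exposure(lines):
    """Collect every Internet-sourced packet aimed at a NetBIOS/SMB port.

    verdict is 'exposed' when the firewall ACCEPTed it (a rule gap that needs
    fixing) and 'blocked_probe' when it was denied (the rules did their job;
    the line is still worth keeping as evidence of scanning).
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in NETBIOS_PORTS:
            continue
        if not is_internet_source(rec["src"]):
            continue  # LAN-side NetBIOS traffic is expected
        verdict = "exposed" if rec["action"] == "ACCEPT" else "blocked_probe"
        findings.append({"src": rec["src"], "dst": rec["dst"],
                         "dport": rec["dport"], "verdict": verdict})
    return findings


def summarize(findings):
    """Count findings per (source, verdict) so one scanner collapses to one row."""
    return Counter((f["src"], f["verdict"]) for f in findings)


if __name__ == "__main__":
    results = audit_netbios_exposure(SAMPLE_LOG.splitlines())
    for (src, verdict), n in sorted(summarize(results).items()):
        print(f"{src:16} {verdict:14} {n} packet(s)")
```

Run against the constructed log, the three DENY lines from public sources show up as blocked probes, the LAN-side session to port 139 is ignored, the web request to port 80 is ignored, and the one ACCEPTed connection to port 139 from a public address is reported as exposed; that last row is the one that means the firewall rule set still needs the port-139 block the reply describes.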