3.1.5 - IP Behavior IV - Microsoft Networking

  • 6 - 1

    Microsoft Networking – SANS ©2000 – 2003 1

    Microsoft Networking

    This module on Microsoft Networking and Security is intended to introduce you to the protocols used by Microsoft hosts and the accompanying security risks. One of the main problems/advantages with the Microsoft architecture is that it lends itself to "ease-of-use" by users and administrators. This is one of the reasons that Microsoft software is so popular; it is just easier to use for the novice user than, say, Solaris or Linux. This is good for the user and the administrator, but the downfall is that "ease-of-use" often implies lack of security for an unprotected network. You must keep in mind that Microsoft or Windows networks are intended for use on intranets with a perimeter that blocks outsiders.

    We will examine some of the problems associated with the Microsoft protocols. The student will be able to analyze Microsoft networking traffic and determine what the purpose of the traffic is. Because this is an often exploited route into a network, you will see scans of ports associated with MS functions and attempts to find vulnerabilities on your own network.

  • 6 - 2

    Objectives

    The goal of this module is to:

    Explain a typical Microsoft network

    Present an understanding of TCP/IP behavior of Microsoft networking

    Emphasize computer security implications

    The objectives of this course are to familiarize the student with the components of a typical Microsoft network. We'll examine how components on the network communicate with each other using TCP/IP. Much of the emphasis will be on security implications of the rather open Microsoft protocols.

    While Windows facilitates peer networking such as file sharing, security has often taken a back seat to the user's unobstructed interface for using MS network protocols. Microsoft Windows 9x variants do not have a secure file system because one is not provided with the operating system. Microsoft Windows NT, while providing a more secure file system, requires additional attention to make it secure. Windows 2000 has made great strides in offering features that can be used to better secure the host and communications among Windows 2000 hosts.

  • 6 - 3

    Pre-Win2k Network Communications

    [Diagram: primaryDC 192.168.10.20, Mbrowser 192.168.10.34 and WINShost 192.168.10.9 serving the workstations armstrong 192.168.10.7, indurain 192.168.10.54, julich 192.168.10.3, lemond 192.168.10.10 and hampsten 192.168.10.53, plus printer1 192.168.10.4 and shared files, all behind a perimeter defense]

    Look at the slide "Pre-Win2K Communications" to see what Windows networks looked like before Windows 2000. In this network, there are many NetBIOS workstations communicating with each other and servers. The servers are primaryDC, which represents the primary domain controller for authentication; Mbrowser, the master browser responsible for maintaining a list of hosts for your viewing via the Network Neighborhood; and WINShost, which is responsible for pairing NetBIOS host names and IP numbers.

    Each host has a NetBIOS name (for instance armstrong) that uniquely identifies it. NetBIOS is an application program interface (API) for communication among computers. It basically allows applications to talk over the network. NetBIOS depends on a lower level transport to communicate between hosts. Hosts on this network communicate with each other via NetBIOS over TCP/IP, also known as NBT. In years past this protocol was NetBEUI, which was a very chatty broadcast protocol. It had a limitation that it could only support 255 nodes in a given Windows network. Obviously, with the growth of networks, this limitation was a problem.

    NBT offers several services:

    1) A name service (WINS)

    2) Two communication services

    a) datagrams: this is a broadcast protocol for Windows hosts that offers no reliability (comparable to UDP)

    b) session: this is a host to host protocol for Windows hosts that offers the promise of reliability (comparable to TCP)

    Some of the NetBIOS ports are as follows:

    137 NetBIOS name service (NetBIOS to IP resolution)

    138 NetBIOS datagram service

    139 NetBIOS session service

  • 6 - 4

    Win2k/Active Directory Network Communications

    [Diagram: a Domain Controller with Active Directory at 192.168.10.20 (labeled DNS Server, Kerberos Server) serving armstrong.bike.com 192.168.10.7, indurain.bike.com 192.168.10.54, julich.bike.com 192.168.10.3, lemond.bike.com 192.168.10.10, hampsten.bike.com 192.168.10.53 and printer1.bike.com 192.168.10.4, plus shared files, all behind a perimeter defense]

    Now, flip to the next slide, entitled "Win2K/Active Directory Network Communications", to see an altered view of the same network with a newer implementation. The same workstations exist as before; however, the servers have been consolidated.

    The use of Windows 2000 with Active Directory (AD) changes many aspects of the old network. AD stores information about objects on the network, making it easier to locate resources for clients and maintain resources for administrators. AD is essentially a collection of services, standards, and protocols supported by a database that is installed on a Windows 2000 server when it is promoted to become a domain controller. Some of the information that can be stored in an AD database is:

    User account properties and passwords

    AD groups and organization units

    Computer properties

    Domain names and structures

    Printers and My Network Places browse list

    We will discuss an often used protocol in an AD network known as Lightweight Directory Access Protocol (LDAP) that is used to search the AD database for information.

  • 6 - 5

    What Changed?

    NetBIOS gone (going)

    Used as a protocol to communicate over TCP (NBT)

    Used as host names

    Active Directory adds

    Central repository for network services/data

    Different protocols

    Functionality to work with Kerberos and DNS

    Fully Qualified Domain Names (FQDN) host names

    Advance to slide "What Changed?" to examine some of the differences before and after Win2k with Active Directory. The most notable change is the disappearance of NetBIOS as both a naming convention and a protocol. NetBIOS names are no longer supported in a pure Win2k environment with AD. Host names are now the same as the DNS names. Additionally, NetBIOS disappears as a protocol for communication between hosts.

    No discussion of Microsoft networking is complete without mentioning the protocol known as SMB/CIFS, or Server Message Block/Common Internet File System. We've seen where TCP/IP was used for the transport of NetBIOS. We saw where clients connected to servers using NetBIOS over TCP/IP (NBT). Once these connections had been established, clients could then send commands (SMBs) to the server that allow them to access shares, open files, read and write files, and do print operations. So, SMB is a protocol that rode over NetBIOS for Windows operating systems before Windows 2000.

    In Windows 2000, Microsoft added the option to run SMB directly over TCP/IP without the intervening layer of NBT. Instead of using ports 137, 138 (UDP), and 139 (TCP), Windows 2000 running directly over TCP/IP uses TCP port 445. This can be supported in Windows 2000 even without AD.

    A Windows 2000 server with AD becomes a primary controller capable of providing many directory services. Additionally, AD has the functionality to integrate with Kerberos to provide more secure authentication and with DNS to locate network services as well as store DNS resource records as AD objects.

  • 6 - 6

    Hostname Resolution

    In this section, "Hostname Resolution", we'll examine the different types of name resolution in Windows. Whether there is an older NetBIOS name or a newer DNS-like name, there has to be some method of resolving hostnames to IP numbers.

  • 6 - 7

    NetBIOS Names

    16 character name

    Different from DNS name

    When a NetBIOS machine comes online it needs to register its NetBIOS name

    No two hosts in the same Windows domain or workgroup should have the same NetBIOS name

    Two ways to register/perform name resolution for NetBIOS names

    Broadcast to network

    WINS

    Turning to the slide "NetBIOS Names", we discover that they are 16 character alphanumeric names. 15 characters are for the NetBIOS name itself, and the final character identifies a resource type, which we'll discuss a little later. When a NetBIOS host comes online, it broadcasts its NetBIOS information 6 to 10 times to alert other clients on the network of its presence and a list of names associated with applications or services on that client. If another client on the network has an identical NetBIOS name, it sends a broadcast challenge defending the name. The client will then mark the name in its own table as unusable and will not make any further attempts to use the challenged name. If no other client claims this NetBIOS name, the name will then be registered.

    Registration and future name resolution can be done via broadcasts or via a WINS server that will store names of NetBIOS hosts.

  • 6 - 8

    NetBIOS Name Resolution Without WINS Server

    NT client.goodguys.com resolves the name of server.goodguys.com

    15:24:59.824558 client.goodguys.com.137 > 192.168.255.255.137: udp 50
    15:24:59.824907 arp who-has client.goodguys.com tell server.goodguys.com
    15:24:59.824965 arp reply client.goodguys.com is-at 0:15:5c:7:62:20
    15:24:59.825106 server.goodguys.com.137 > client.goodguys.com.137: udp 62
    15:25:00.908500 client.goodguys.com.3015 > server.goodguys.com.139: S 140756:140756(0) win 8192 (DF) [tos 0x14]
    15:25:00.909181 server.goodguys.com.139 > client.goodguys.com.3015: S 126790:126790(0) ack 140757 win 8760 (DF)
    15:24:00.909330 client.goodguys.com.3015 > server.goodguys.com.139: . ack 1 win 8760 (DF) [tos 0x14]

    The slide "NetBIOS Name Resolution Without WINS Server" demonstrates what happens when a Windows client wants to resolve the name of another Windows host, server.goodguys.com, yet there is no WINS server on the intranet (or Windows networking domain). Suppose the user at \\client has entered the command "net view \\server". In this case, the target host must be identified by its NetBIOS name (server) rather than its fully qualified domain name (server.goodguys.com).

    If the client does not have \\server and its IP address in its cache, it will broadcast a NetBIOS name query on the local network with the name of the destination host using UDP port 137 (the netbios-ns, or NetBIOS name service, port).

    Each computer on the local network receives the UDP 137 broadcast and checks its local NetBIOS table to see if it owns the requested name. If it does, it formulates a NetBIOS name query response. But before the response can be sent, the host needs to determine the MAC address of the requestor. Therefore, an ARP request (arp who-has) is broadcast on the LAN to obtain the requesting client host's MAC address. When the MAC address of \\client is obtained, the name query response is sent using UDP port 137.

    At this point, \\client knows the IP address of \\server and can create a NetBIOS session. This is shown by the typical TCP three-way handshake on port 139 (netbios-ssn, the NetBIOS session service).

  • 6 - 9

    Windows Internet Naming Service (WINS)

    Managed on UDP port 137

    Microsoft feature for NetBIOS name to IP address translation

    WINS server registers and resolves NetBIOS hostnames and workgroups

    Dynamic process

    NetBIOS host comes online and is registered in WINS

    NetBIOS host goes offline and is removed from WINS

    Now, go to the next slide, "Windows Internet Naming Service (WINS)". WINS is typically implemented in Microsoft-centric environments. It serves as a pseudo naming process which enables Windows clients to centrally register their NetBIOS names. The WINS server pairs IP addresses with NetBIOS names.

    The naming convention used by Microsoft limits these names to 15 characters. As you learned, when a client boots, it broadcasts its NetBIOS name and information.

    If the WINS server or another client on the collision domain has a NetBIOS entry for that name, then the WINS server or client possessing ownership of that name broadcasts on the appropriate segment, and the client who was initially trying to register that name immediately stops.

    Windows users identify a host by its NetBIOS name, not an FQDN (fully qualified domain name). This name is propagated throughout the network and replicated with other WINS servers. This replication to other WINS servers occurs over TCP port 42.

  • 6 - 10

    NetBIOS Name Resolution with WINS Server

    12:26:07.905619 client.goodguys.com.137 > wins-server.goodguys.com.137: udp 50
    12:26:07.906766 wins-server.goodguys.com.137 > client.goodguys.com.137: udp 62
    12:26:07.908500 client.goodguys.com.3015 > server.goodguys.com.139: S 140756:140756(0) win 8192 (DF) [tos 0x14]
    12:26:07.909181 server.goodguys.com.139 > client.goodguys.com.3015: S 126790:126790(0) ack 140757 win 8760 (DF)
    12:26:07.909330 client.goodguys.com.3015 > server.goodguys.com.139: . ack 1 win 8760 (DF) [tos 0x14]

    We see a different process of name resolution on slide "NetBIOS Name Resolution with WINS Server". The same client queries the WINS server for the IP address associated with the NetBIOS name of the server. There is no broadcast for the NetBIOS name. When the WINS server returns the IP address of the server that the client wants, it talks directly to it.

    In this case, client.goodguys.com is checking the WINS server, wins-server.goodguys.com, for the IP number associated with the NetBIOS name that it knows server.goodguys.com by. It appears that client.goodguys.com discovered the name because it then tries some kind of NetBIOS session with server.goodguys.com.

  • 6 - 11

    Name Resolution with Active Directory DNS Server

    10.4.3.3.3017 > 10.4.2.2.53: 35+ A? mothra.usa.sans.org. (37)

    10.4.2.2.53 > 10.4.3.3.3017: 35* 1/0/0 A 10.4.2.2 (53)

    10.4.3.3.3253 > 10.4.2.2.53: 1+ SRV ? _ldap._tcp.dc._msdcs.usa.sans.org. (51)

    10.4.2.2.53 > 10.4.3.3.3253: 1* 2/0/2 SRV , SRV (162)

    Go to the next slide, "Name Resolution with Active Directory DNS Server", to see how hostname to IP address resolution is handled with AD and Win2k. Remember, NetBIOS names are now gone and hostnames are known as they are in non-Windows networks, as their DNS names. Therefore, there is no longer a need for WINS resolution or broadcast to associate NetBIOS names and IP numbers. DNS is now used for hostname/IP address resolution.

    All DNS queries use standard UDP port 53, even though the storage location of DNS records is in the AD database. When the DNS server boots up, it queries the AD database using the LDAP protocol for all the records for which it is authoritative. It caches them in RAM and serves up those records to DNS clients over UDP port 53. When new records are added (either statically or dynamically) to the DNS server, they are periodically written back to the AD database, again using LDAP. The Windows domain controllers replicate these new DNS records to each other automatically, thus indirectly distributing them to all other DNS servers. The traditional zone transfers and primary/secondary DNS server distinction have disappeared.

    The first set of DNS exchanges above should look somewhat familiar. Host 10.4.3.3 is asking the DNS server 10.4.2.2 for the address associated with hostname mothra.usa.sans.org. Host 10.4.2.2 responds with one resource record, presumably with the answer. The second set of DNS exchanges is something new. Windows DNS servers and later versions of BIND offer a newer resource record type known as a Service (SRV) resource record. This allows clients to find desired services. For instance, in this case 10.4.3.3 is asking the DNS server where (the name/IP address) the LDAP server for the domain is. This same type of lookup may be done to find a Kerberos server to be used for authentication.
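As an added example (not part of the SANS material), the two lookups above reconstructed in Python: it builds the A and SRV queries from the slide (their lengths match tcpdump's 37 and 51 bytes), then parses a constructed authoritative SRV answer and orders the returned domain controllers the way a client should try them. The second target name, dc2.usa.sans.org, and all record values are assumptions made for the sample.

```python
import struct

QTYPE_A, QTYPE_SRV, QCLASS_IN = 1, 33, 1

# Names taken from the tcpdump output on the slide.
HOST_NAME = "mothra.usa.sans.org"
LDAP_SRV_NAME = "_ldap._tcp.dc._msdcs.usa.sans.org"

def encode_name(name):
    """Dotted name -> DNS label sequence (uncompressed, null terminated)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(txid, name, qtype, recursion_desired=True):
    """One-question DNS query. The RD bit is what tcpdump shows as '35+' / '1+'."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)

def read_name(msg, off):
    """Read a (possibly compressed) name at off; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, pointer
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_response(msg):
    """Parse header, question and answer sections. SRV answers are additionally
    returned in the order a client should try them (lowest priority first,
    then highest weight first)."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qdcount):
        qname, off = read_name(msg, off)
        qtype, _ = struct.unpack("!HH", msg[off:off + 4]); off += 4
        questions.append((qname, qtype))
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        rdata = msg[off:off + rdlen]
        if rtype == QTYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", rdata[:6])
            target, _ = read_name(msg, off + 6)
            answers.append({"name": name, "ttl": ttl, "priority": prio,
                            "weight": weight, "port": port, "target": target})
        elif rtype == QTYPE_A:
            answers.append({"name": name, "ttl": ttl,
                            "address": ".".join(str(b) for b in rdata)})
        off += rdlen
    srv_order = sorted((a for a in answers if "port" in a),
                       key=lambda a: (a["priority"], -a["weight"]))
    return {"txid": txid, "response": bool(flags & 0x8000),
            "authoritative": bool(flags & 0x0400),
            "questions": questions, "answers": answers, "srv_order": srv_order}

def build_srv_response(txid, name, records, ttl=600):
    """Constructed authoritative answer (the '*' in tcpdump's '1*' / '35*'):
    one SRV record per (priority, weight, port, target); the owner name is a
    compression pointer to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8500, 1, len(records), 0, 0)  # QR+AA+RD
    question = encode_name(name) + struct.pack("!HH", QTYPE_SRV, QCLASS_IN)
    body = b""
    for prio, weight, port, target in records:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        body += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_SRV, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + body

# Constructed sample: two domain controllers advertising LDAP on 389. mothra is the
# host from the slide; dc2.usa.sans.org is a placeholder name for the second DC.
SAMPLE_RECORDS = [(10, 50, 389, "dc2.usa.sans.org"), (0, 100, 389, HOST_NAME)]

if __name__ == "__main__":
    print(len(build_query(35, HOST_NAME, QTYPE_A)), "byte A query")         # 37, as in tcpdump
    print(len(build_query(1, LDAP_SRV_NAME, QTYPE_SRV)), "byte SRV query")  # 51, as in tcpdump
    reply = parse_response(build_srv_response(1, LDAP_SRV_NAME, SAMPLE_RECORDS))
    for rr in reply["srv_order"]:
        print("try %s:%d (priority %d, weight %d)"
              % (rr["target"], rr["port"], rr["priority"], rr["weight"]))
```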

  • 6 - 12

    Discovering Information About Hosts

    In this section, "Discovering Information About Hosts", we'll see commands that are used for legitimate purposes for Windows host discovery. We'll also see how these commands can be used as reconnaissance by hackers. It bears repeating that Windows networks should be protected by some kind of packet filtering device to keep intruders out. Yet many sites don't block the necessary ports or take the proper precautions to do so, and hackers will try to use these open avenues.

  • 6 - 13

    NetBIOS Name/Resource Type

    Byte:   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | 16
    Value:  V E R B O                           | 00

    15 byte resource name + 1 byte resource type = 16 byte NetBIOS value

    Resource types are either unique resources or group resources

    Looking at slide "NetBIOS Name/Resource Type", you see that the NetBIOS name is a 16 character field. The NetBIOS name itself can be up to 15 characters or bytes. The 16th byte is reserved for the resource type. When a NetBIOS name is registered, it is registered with a resource type or multiple resource types. These resource types or services identify the functions or services that this particular NetBIOS resource can perform.

    A resource can be a unique resource or a group resource. A unique resource is one that is unique, as the name implies. For instance, there can only be one particular NetBIOS name that refers to a computer within a workgroup or domain. A group resource refers to a group of computers or users associated with a workgroup or domain.

  • 6 - 14

    NetBIOS Unique Resource Type Codes

    Resource Hexadecimal Type Code

    Standard Workstation 00

    Messenger Service (WinPopup) 03

    File/Print Server 20

    Master Browser Name 1D

    The slide "NetBIOS Unique Resource Type Codes" is an abbreviated list of the resource type codes that can be found for unique resources. These values tell the functions of a given unique resource. We'll see how we can list these resource codes for a given NetBIOS resource. Obviously, someone doing reconnaissance on a network will not only want to attempt to list the NetBIOS resource names, but the types as well, to try to discover what the function of a given NetBIOS resource is.

    A master browser is a host that keeps a list of the currently active NetBIOS hosts. When NetBIOS hosts boot up or are shut down, the master browser updates its browse list of active hosts. So, for reconnaissance purposes, if someone can discover this host and query it for active hosts, it provides a lot of information.

  • 6 - 15

    NetBIOS Group Resource Type Codes

    Resource Hexadecimal Type Code

    Standard Workstation Group 00

    __MSBROWSE__ (Master Browser) 01

    Domain Controller 1C

    Group Name 1E

    The slide "NetBIOS Group Resource Type Codes" is an abbreviated list of the resource type codes that can be found for group resources. These values tell the functions of a given group resource.

  • 6 - 16

    Identify Resources on a Remote Windows/Samba Host

    nbtstat -A 192.168.143.5

    NetBIOS Remote Machine Name Table

    Name              Type      Status
    ------------------------------------------
    VERBO             UNIQUE    Registered
    VERBO             UNIQUE    Registered
    VERBO             UNIQUE    Registered
    ..__MSBROWSE__.   GROUP     Registered
    SIMPLE            GROUP     Registered
    SIMPLE            UNIQUE    Registered
    SIMPLE            GROUP     Registered
    SIMPLE            UNIQUE    Registered
    SIMPLE            GROUP     Registered

    As the next slide, "Identify Resources on a Remote Windows/Samba Host", describes, the nbtstat command is used to discover NetBIOS resource names and their resource types. The Windows command nbtstat -A IP address will identify users on a remote Windows or Samba system. This will display the remote host's NetBIOS table. In this case we look at a host with a NetBIOS name of verbo, which happens to be a Linux host running Samba. The system name of the host is verbo and its domain is named simple.

    Note that we've used the nbtstat -A switch, which requires an IP number. There is another form of the nbtstat command that uses the -a switch and takes a hostname as the argument. While the output from this is the same as seen above, the decoded contents seen over the network will be different.

  • 6 - 17

    Snort Capture of nbtstat Request

    06/12-19:18:47.672062 192.168.143.101:137 -> 192.168.143.5:137
    UDP TTL:128 TOS:0x0 ID:24949
    Len: 58
    05 02 00 00 00 01 00 00 00 00 00 00 20 43 4B 41  ............ CKA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  AAAAAAAAAAAAA..!
    00 01 70 61 63 6B                                ..pack

    Alert message:

    [**] SMB Name Wildcard [**]

    06/12-19:22:58.895474 192.168.143.101:137 -> 192.168.143.5:137

    UDP TTL:128 TOS:0x0 ID:25461

    Len: 58

    The slide "Snort Capture of nbtstat Request" was captured by Snort, which can decode the application layer. Nothing is really coherent, but look at the "CKAAAA" output. We'll see in a couple of slides that this is a wildcard or generic search for resources. It does not specifically identify a NetBIOS name or hostname; it uses the "*" wildcard to query the host for its NetBIOS table.

    Also, note that Snort doesn't translate IP numbers to hostnames; this is done for the sake of efficiency. In this example, 192.168.143.101 represents hostname win98.com, which has a NetBIOS name of win98, and 192.168.143.5 represents verbo.com, with a NetBIOS name of verbo.

    You can then see that when running Snort with its rules files, the nbtstat -A IP address command triggered an alert. Snort identifies this as an "SMB Name Wildcard". By using the IP address as an argument to nbtstat, it does a wildcard "*" search of the host for resources.

    The rule that triggered the alert is seen below. It alerts on any UDP traffic sent to an internal network host on destination port 137. The content of the packet must contain the ASCII string "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" followed by a binary value of 0000. This is the signature for the wildcard. We'll examine how we arrive at the ASCII content in the reference section.

    Rule that triggered alert:

    alert udp any any -> $HOME_NET 137 (msg:"SMB Name Wildcard";content:"CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|0000|";)
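An added example, not from the course material, that works out the "CKAAAA" content the notes refer to: it implements the NetBIOS first-level name encoding, decodes the 50-byte payload from the Snort capture above (and the GIAC probe on the next slide) as a node status request for the "*" wildcard, maps the 16th byte with the resource-type tables from the earlier slides, and applies the same content test as the Snort rule. Both packets are reconstructed from the hex dumps on the slides.

```python
import struct

# Reconstructed from the hex dump on the slide: the 50-byte UDP payload of the
# nbtstat -A request (Len: 58 minus the 8-byte UDP header).
NBSTAT_REQUEST = bytes.fromhex(
    "05020000000100000000000020434b41"
    "41414141414141414141414141414141"
    "41414141414141414141414141000021"
    "0001"
)
# Reconstructed from the GIAC posting on the following slide: same question,
# different transaction id, and the broadcast flag set in the header.
GIAC_SCAN_PROBE = bytes.fromhex(
    "559e0010000100000000000020434b41"
    "41414141414141414141414141414141"
    "41414141414141414141414141000021"
    "0001"
)

QTYPE_NB, QTYPE_NBSTAT = 0x20, 0x21        # name query, node status request

# Suffix (16th byte) meanings from the two resource-type slides.
UNIQUE_SUFFIX = {0x00: "Standard Workstation", 0x03: "Messenger Service (WinPopup)",
                 0x20: "File/Print Server", 0x1D: "Master Browser Name"}
GROUP_SUFFIX = {0x00: "Standard Workstation Group", 0x01: "__MSBROWSE__ (Master Browser)",
                0x1C: "Domain Controller", 0x1E: "Group Name"}

def encode_netbios_name(name, suffix, pad=b" "):
    """First-level encoding: pad the name to 15 bytes, append the suffix byte,
    then write each nibble as a letter 'A'..'P' (32 characters in total)."""
    raw = name.upper().encode("ascii")[:15]
    raw = raw + pad * (15 - len(raw)) + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)

def decode_netbios_name(encoded):
    """Reverse of encode_netbios_name: returns (15 raw name bytes, suffix)."""
    if len(encoded) != 32 or any(c < "A" or c > "P" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    nibbles = [ord(c) - 0x41 for c in encoded]
    raw = bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, 32, 2))
    return raw[:15], raw[15]

def parse_nbns_query(payload):
    """Decode the NBNS header and the single question of a name-service query."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", payload[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off = 12
    label_len = payload[off]; off += 1
    encoded = payload[off:off + label_len].decode("ascii"); off += label_len
    if payload[off] != 0:                  # empty scope, so the name ends here
        raise ValueError("expected end-of-name byte")
    off += 1
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    raw_name, suffix = decode_netbios_name(encoded)
    wildcard = raw_name == b"*" + b"\x00" * 14          # '*' padded with nulls
    return {
        "txid": txid,
        "broadcast": bool(flags & 0x0010),              # B flag in NM_FLAGS
        "encoded_name": encoded,
        "name": "*" if wildcard else raw_name.rstrip(b" ").decode("ascii"),
        "suffix": suffix,
        "qtype": qtype,
        "qclass": qclass,
        "node_status": qtype == QTYPE_NBSTAT,
        "wildcard": wildcard,
    }

# The content match used by the Snort rule on the slide: the encoded '*' name
# followed by two null bytes (end of name plus the high byte of the NBSTAT type).
SNORT_WILDCARD_CONTENT = b"CK" + b"A" * 30 + b"\x00\x00"

def matches_smb_name_wildcard(payload, dst_port=137):
    """Same test as the Snort rule: UDP to port 137 carrying the wildcard content."""
    return dst_port == 137 and SNORT_WILDCARD_CONTENT in payload

def describe_suffix(suffix, group=False):
    table = GROUP_SUFFIX if group else UNIQUE_SUFFIX
    return table.get(suffix, "unknown (0x%02X)" % suffix)

if __name__ == "__main__":
    for pkt in (NBSTAT_REQUEST, GIAC_SCAN_PROBE):
        q = parse_nbns_query(pkt)
        print("txid=0x%04X broadcast=%s name=%r suffix=0x%02X node_status=%s wildcard=%s rule=%s"
              % (q["txid"], q["broadcast"], q["name"], q["suffix"], q["node_status"],
                 q["wildcard"], matches_smb_name_wildcard(pkt)))
    print(encode_netbios_name("VERBO", 0x20), describe_suffix(0x20))
```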

  • 6 - 18

    GIAC Postings of Port 137 Scans (Beginning around Year 2000)

    06:21:25.180967 nbscanner.com.137 > 192.168.143.7.137: udp 50
    06:21:25.180969 nbscanner.com.137 > 192.168.143.93.137: udp 50
    06:21:25.180970 nbscanner.com.137 > 192.168.143.115.137: udp 50
    06:21:25.180971 nbscanner.com.137 > 192.168.143.44.137: udp 50
    06:21:25.180973 nbscanner.com.137 > 192.168.143.71.137: udp 50

    [**] SMB Name Wildcard [**]
    04/09-06:49:51.748689 24.3.200.114:137 -> xxx.xxx.xxx.189:137
    UDP TTL:118 TOS:0x0 ID:43610
    Len: 58
    55 9E 00 10 00 01 00 00 00 00 00 00 20 43 4B 41  U........... CKA
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  AAAAAAAAAAAAA..!
    00 01

    As the next slide, "Many GIAC Postings of Port 137 Scans", shows, there was a proliferation of detected scans to destination port UDP 137. Many different networks have detected these scans and they appear to be ongoing and constant. The above detection is akin to something tcpdump or Shadow might have picked up.

    Next, you see the Snort capture of these same port 137 scans. As you can see, this appears to be the same signature that we saw for the nbtstat -A command. So, it looks as if these scans are attempting to discover NetBIOS resources located on different hosts.

  • 6 - 19

    network.vbs Worm

    Probable explanation for increase in port 137 traffic

    Visual Basic Script that infects Windows hosts

    Searches other class C network NetBIOS resources and then looks for unprotected shares on C drive

    If any discovered, network.vbs worm installed and worm propagated

    Speculation of connection for search of potential DDoS agent/handler hosts

    Advancing to the next slide, you'll discover that the probable explanation of the increase in this activity is the network.vbs worm. This is a Visual Basic Script that infects Windows hosts and then tries to search for other candidate hosts on which to replicate. It issues these port 137 searches on random Class C networks. If it discovers accessible NetBIOS hosts, it will then try to enumerate shares and see if there are any unprotected ones on the C drive. If it finds any unprotected shares on the C drive, it will install a copy of network.vbs there and propagate. Some believe that this activity might be related to finding hosts that later will be used as DDoS candidates.

    Carnegie Mellon CERT has a write-up on this activity, and it can be found at http://www.cert.org/incident_notes/IN-2000-02.html.

  • 6 - 20

    Enumerating NetBIOS Shares

    net view \\linux2

    Shared resources at \\LINUX2

    Sharename Type Comment

    jdoe Disk Home Directories

    lp Print

    test Disk For testing purposes

    The command was completed successfully.

    Take a look at the following slide, "Enumerating NetBIOS Shares". The net view command will enumerate the NetBIOS shares for a Windows or Samba host. The first thing that you notice is that we had to know the NetBIOS name (linux2) in order to execute this command. This command would have to be executed in an environment where the querier could resolve the NetBIOS name linux2, usually done via a broadcast or through WINS resolution.

    We see on linux2 that there is a share named jdoe which is a shared disk directory, another named lp which is for shared print resources, and finally another shared disk known as test.

  • 6 - 21

    Snort Output of Share Enumeration Request

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    05/18-18:57:33.747043 192.168.143.101:2215 -> 192.168.143.16:139
    TCP TTL:128 TOS:0x0 ID:50213 DF
    *****PA* Seq: 0x16AA2F6E Ack: 0xB1BA69F8 Win: 0x20BB
    00 00 00 3E FF 53 4D 42 75 00 00 00 00 00 00 00  ...>.SMBu.......
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 B1 73  ...............s
    64 00 02 4B 04 FF 00 00 00 02 00 01 00 13 00 00  d..K............
    5C 5C 4C 49 4E 55 58 32 5C 49 50 43 24 00 49 50  \\LINUX2\IPC$.IP
    43 00                                            C.

    Looking at slide "Snort Output of Share Enumeration Request", you can see the request that was sent when the net view command was issued. You see the notation SMB, which we've learned is the Server Message Block protocol that is necessary for this transfer to occur over the network. You'll also see the reference \\LINUX2\IPC$. This is a reference to a UNC (Universal Naming Convention) path that has the format \\NetBIOSname\directory. The NetBIOS name of the host is LINUX2 and the directory is IPC$. This is a special directory, a hidden default directory for Inter-Process Communications.
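As an added example (not from the SANS material), a small Python decoder for the capture above: it strips the NetBIOS session header, parses the SMB header and the TREE_CONNECT_ANDX body, and recovers the UNC path \\LINUX2\IPC$ and the service type IPC, both sent in the clear. The helper ipc_tree_connects shows the defensive use, flagging connects to the hidden IPC$ share; the byte string is reconstructed from the hex dump on the slide, and the command-name table uses the standard SMB command numbers, which are not taken from the page.

```python
import struct

# Reconstructed from the hex dump on the slide: the 66-byte TCP payload sent by
# "net view \\linux2" (4-byte NetBIOS session header + 62-byte SMB message).
TREE_CONNECT_REQUEST = bytes.fromhex(
    "0000003eff534d427500000000000000"
    "0000000000000000000000000000b173"
    "6400024b04ff00000002000100130000"
    "5c5c4c494e5558325c49504324004950"
    "4300"
)

# Standard SMB command numbers (the ones seen in this module's captures).
SMB_COMMANDS = {
    0x25: "SMB_COM_TRANSACTION",
    0x72: "SMB_COM_NEGOTIATE",
    0x73: "SMB_COM_SESSION_SETUP_ANDX",
    0x75: "SMB_COM_TREE_CONNECT_ANDX",
}
FLAGS2_UNICODE = 0x8000

def parse_tree_connect_andx(params, data, unicode_strings):
    """Decode the TREE_CONNECT_ANDX body: 4 parameter words, then the password,
    the UNC path and the service type in the data block."""
    andx_cmd, _reserved, _andx_off, flags, password_len = struct.unpack("<BBHHH", params[:8])
    if unicode_strings:
        raise ValueError("Unicode strings not handled; the slide's capture is ASCII")
    path_start = password_len                      # path follows the password bytes
    path_end = data.index(b"\x00", path_start)
    path = data[path_start:path_end].decode("ascii")
    service = data[path_end + 1:].split(b"\x00", 1)[0].decode("ascii")
    share = path.rsplit("\\", 1)[-1]
    return {"andx_command": andx_cmd, "tree_flags": flags, "password_length": password_len,
            "path": path, "service": service, "share": share,
            "hidden_share": share.endswith("$"), "ipc": share.upper() == "IPC$"}

def parse_smb_message(packet):
    """Parse one NetBIOS session message carrying an SMB request: header fields
    plus command-specific detail for tree connects."""
    session_type, length = packet[0], int.from_bytes(packet[1:4], "big")
    smb = packet[4:4 + length]
    if session_type != 0x00 or len(smb) != length:
        raise ValueError("truncated or non-session NetBIOS message")
    if smb[:4] != b"\xffSMB":
        raise ValueError("not an SMB message")
    command =        smb[4]
    status, flags, flags2 = struct.unpack("<IBH", smb[5:12])
    tid, pid, uid, mid = struct.unpack("<HHHH", smb[24:32])
    word_count = smb[32]
    params = smb[33:33 + 2 * word_count]
    bc_off = 33 + 2 * word_count
    byte_count = struct.unpack("<H", smb[bc_off:bc_off + 2])[0]
    data = smb[bc_off + 2:bc_off + 2 + byte_count]
    msg = {"length": length, "command": SMB_COMMANDS.get(command, "0x%02X" % command),
           "status": status, "flags": flags, "flags2": flags2,
           "tid": tid, "pid": pid, "uid": uid, "mid": mid,
           "word_count": word_count, "byte_count": byte_count}
    if command == 0x75:
        msg.update(parse_tree_connect_andx(params, data, bool(flags2 & FLAGS2_UNICODE)))
    return msg

def ipc_tree_connects(packets):
    """Defensive use: from a list of SMB payloads, return the UNC paths of tree
    connects to the hidden IPC$ share (the first step of share enumeration)."""
    hits = []
    for pkt in packets:
        try:
            msg = parse_smb_message(pkt)
        except (ValueError, IndexError):
            continue
        if msg.get("ipc"):
            hits.append(msg["path"])
    return hits

if __name__ == "__main__":
    m = parse_smb_message(TREE_CONNECT_REQUEST)
    print(m["command"], m["path"], m["service"],
          "uid=%d pid=0x%04X mid=0x%04X" % (m["uid"], m["pid"], m["mid"]))
    print(ipc_tree_connects([TREE_CONNECT_REQUEST, b"garbage"]))
```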

  • 6 - 22

    Win2K/AD Discovery/Access of Shared Resources

    10.4.3.3.3258 > 10.4.2.2.389: udp 166

    10.4.2.2.389 > 10.4.3.3.3258: udp 178

    10.4.3.3.3259 > 10.4.4.4.445: S 4084969658:4084969658(0) win 16384 (DF)

    10.4.4.4.445 > 10.4.3.3.3259: S 1607718307:1607718307(0) ack 4084969659 win 17520 (DF)

    10.4.3.3.3259 > 10.4.4.4.445: . ack 1 win 17520 (DF)

    10.4.3.3.3259 > 10.4.4.4.445: P 1:138(137) ack 1 win 17520 (DF)

    Slide "Win2K/AD Discovery/Access of Shared Resources" shows a tcpdump capture of activity from clicking on "My Network Places" on the desktop. First, you see a new port, UDP port 389. This is known as Lightweight Directory Access Protocol (LDAP) and is used to connect to the AD server and search the database for some desired information. In this case, it is the shared resources available to the user who clicked the "My Network Places" icon. Above, host 10.4.3.3 accesses the AD server 10.4.2.2.

    Once the resources are displayed, the user may choose to double-click on a resource to access it. This will require the use of SMB directly over TCP/IP using port 445. This connects to the desired computer directly to see shared resources. In the above output, host 10.4.3.3 wishes to access a shared resource available from host 10.4.4.4. Since this is TCP port 445, you see the three-way handshake and the beginning of the data exchange.

  • 6 - 23

    Domain Controller

    This section, "Domain Controller", explains another component in a Microsoft network. A domain controller was not necessary before Active Directory, but many Microsoft networks used a primary domain controller (PDC) and a backup domain controller (BDC). A Microsoft network with a domain controller is known as a domain, whereas one with no domain controller is known as a workgroup.

    With Active Directory applied to a Windows 2000 server, the host automatically becomes a domain controller. There can be many such domain controllers in a domain or enterprise and there is no distinction between primary and backup.

  • 6 - 24

    Pre-Win2k Primary Domain Controller

    [Diagram: a Primary Domain Controller holding the SAM database handles authentication for three NetBIOS client workstations, which then access a shared resource host and a shared printer]

    The slide "Pre-Win2K Primary Domain Controller" depicts the role of the primary domain controller. The primary domain controller has multiple purposes. The first one is to authenticate requests for access to shared resources. This is typically done via a username and password. Instead of each shared resource granting or denying access, the primary domain controller maintains control for the entire domain. It does so by keeping a list of usernames and passwords known as a security account manager (SAM) database.

    Once a user is authenticated to use a shared resource by the primary domain controller, a token will be granted to the user to allow access to other shared resources. At this point, the user is considered logged in. Much ado has been made of the problems associated with Windows encoding of passwords; specifically, the algorithm used to encode the password so that it is not totally exposed is considered to be weak.

  • 6 - 25

    Partial Snort Collection of Authentication (Pre-Win2K)

    06/13-11:23:28.368177 192.168.143.5:139 -> 192.168.143.101:1025
    TCP TTL:64 TOS:0x0 ID:433 DF
    *****PA* Seq: 0x189808DC Ack: 0x61DD Win: 0x7D78
    00 00 00 72 FF 53 4D 42 25 00 00 00 00 80 01 00  ...r.SMB%.......
    00 00 00 00 00 00 00 00 00 00 00 00 01 00 87 13  ................
    64 00 81 06 0A 06 00 32 00 00 00 06 00 38 00 00  d......2.....8..
    00 32 00 40 00 00 00 00 00 3B 00 00 00 00 00 00  .2.@.....;......
    32 00 00 00 16 00 00 00 1C 00 00 00 23 00 00 00  2...........#...
    04 02 2A 00 00 00 31 00 00 00 56 45 52 42 4F 00  ..*...1...VERBO.
    6A 6E 6F 76 61 6B 00 53 49 4D 50 4C 45 00 53 49  jnovak.SIMPLE.SI
    4D 50 4C 45 00 00                                MPLE..

    06/13-11:23:28.393848 192.168.143.101:1025 -> 192.168.143.5:139
    TCP TTL:128 TOS:0x0 ID:7168 DF
    *****PA* Seq: 0x61DD Ack: 0x18980952 Win: 0x1E67
    00 00 00 43 FF 53 4D 42 75 00 00 00 00 00 00 00  ...C.SMBu.......
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 87 13  ................
    64 00 01 07 04 FF 00 00 00 02 00 01 00 18 00 00  d...............
    5C 5C 56 45 52 42 4F 5C 4E 45 54 4C 4F 47 4F 4E  \\VERBO\NETLOGON
    00 3F 3F 3F 3F 3F 00 45 5C 4C 41                 .?????.E\LA

    Slide Partial Snort Collection of Authentication shows that the authentication process, if sniffed, can reveal some valuable information. We see a user name (jnovak) and we see the domain name (SIMPLE). If we can identify a password in the authentication stream, we can use the tool l0phtcrack to crack the password. This will give the cracker access to any resources that the cracked user is allowed.
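As an added illustration of what the sniffer sees in the two packets above (constructed example code, not part of the SANS course and not Snort or Microsoft code), the following Python parses the hex columns of the dump: it reads the NetBIOS session header, decodes the 32-byte SMB header (command, reply flag, TID/PID/UID/MID) and pulls out the cleartext strings. The header layout and the two command names are those of the CIFS/SMB1 specification. The dump is assumed to be copied correctly from the slide; the four bytes printed after the second packet's session-message length are an artefact of the capture and the parser drops them.

```python
"""Decode the two SMB packets from the slide's Snort dump (NetBIOS session service, TCP 139)."""
import struct
from typing import Dict, List

# Hex columns of the two packets, copied from the slide's Snort output.
PKT_SERVER_TO_CLIENT = """
00 00 00 72 FF 53 4D 42 25 00 00 00 00 80 01 00
00 00 00 00 00 00 00 00 00 00 00 00 01 00 87 13
64 00 81 06 0A 06 00 32 00 00 00 06 00 38 00 00
00 32 00 40 00 00 00 00 00 3B 00 00 00 00 00 00
32 00 00 00 16 00 00 00 1C 00 00 00 23 00 00 00
04 02 2A 00 00 00 31 00 00 00 56 45 52 42 4F 00
6A 6E 6F 76 61 6B 00 53 49 4D 50 4C 45 00 53 49
4D 50 4C 45 00 00
"""
PKT_CLIENT_TO_SERVER = """
00 00 00 43 FF 53 4D 42 75 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 87 13
64 00 01 07 04 FF 00 00 00 02 00 01 00 18 00 00
5C 5C 56 45 52 42 4F 5C 4E 45 54 4C 4F 47 4F 4E
00 3F 3F 3F 3F 3F 00 45 5C 4C 41
"""

# Command codes from the CIFS/SMB1 specification for the two commands on the slide.
SMB_COMMANDS = {0x25: "SMB_COM_TRANSACTION", 0x75: "SMB_COM_TREE_CONNECT_ANDX"}
SMB_FLAGS_REPLY = 0x80          # bit 7 of the Flags byte: this is a server reply


def hex_dump_to_bytes(dump: str) -> bytes:
    return bytes.fromhex("".join(dump.split()))


def printable_strings(data: bytes, min_len: int = 3) -> List[str]:
    """Runs of printable ASCII, the way strings(1) would show them."""
    found, run = [], bytearray()
    for b in data + b"\x00":            # NUL sentinel flushes the last run
        if 0x20 <= b <= 0x7E:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    return found


def parse_smb(payload: bytes) -> Dict[str, object]:
    """Parse the 4-byte NetBIOS session header and the 32-byte SMB header of one TCP payload."""
    if len(payload) < 36:
        raise ValueError("too short for NBSS + SMB header")
    nbss_len = int.from_bytes(payload[1:4], "big")   # session message length
    msg = payload[4:4 + nbss_len]
    if msg[:4] != b"\xffSMB":
        raise ValueError("not an SMB message")
    # Offsets 4..13: Command, Status, Flags, Flags2, PIDHigh; 24..31: TID, PIDLow, UID, MID.
    command, status, flags, flags2, pid_high = struct.unpack_from("<BIBHH", msg, 4)
    tid, pid_low, uid, mid = struct.unpack_from("<HHHH", msg, 24)
    return {
        "nbss_length": nbss_len,
        "command": SMB_COMMANDS.get(command, "0x%02X" % command),
        "is_reply": bool(flags & SMB_FLAGS_REPLY),
        "status": status,
        "tid": tid, "pid": (pid_high << 16) | pid_low, "uid": uid, "mid": mid,
        "strings": printable_strings(msg[32:]),
        # bytes printed after the session message ends (the slide's second dump carries 4)
        "trailing_bytes": len(payload) - 4 - nbss_len,
    }


def summarize(pkts: List[bytes]) -> Dict[str, object]:
    """Tie packets to one session (same PID and UID on both sides) and list the cleartext."""
    parsed = [parse_smb(p) for p in pkts]
    return {
        "same_session": len({(p["pid"], p["uid"]) for p in parsed}) == 1,
        "commands": [p["command"] for p in parsed],
        "strings": [s for p in parsed for s in p["strings"]],
    }


if __name__ == "__main__":
    for dump in (PKT_SERVER_TO_CLIENT, PKT_CLIENT_TO_SERVER):
        print(parse_smb(hex_dump_to_bytes(dump)))
```

The server's Transaction reply (first packet) yields the strings VERBO, jnovak, SIMPLE and SIMPLE; the client's TreeConnectAndX (second packet) shows the share path \\VERBO\NETLOGON and the service string ?????, which in SMB1 means "any service type". Both packets carry the same PID and UID, which is how an analyst groups the packets of one logon session even when the capture is partial.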

  • 6 - 26

    Win2k Domain Controller With AD

    [Slide diagram: a Domain Controller running Kerberos and Active Directory provides Authentication (preferred method Kerberos); a Shared Resource Host and a Shared Printer provide Access; three Client Workstations connect to them.]

    Look at slide Win2k Domain Controller With AD to see a more current network set-up. The preferred method of authentication is now Kerberos. The Kerberos Key Distribution Center (KDC) takes care of authentication by first identifying whether a username and password can be authenticated. Kerberos allows for a single sign-on to the network and handles subsequent requests for resources.

    Once authenticated, a user can request services from a particular network resource. Each user has a user account number known as a Security ID (SID) that is unique among an enterprise of domains. When a client attempts to access a remote server, it will use a Kerberos ticket that contains the user's SID along with other information. The target server will compare the SID in the Kerberos ticket with its permissions for resources to decide if the user is allowed access.

  • 6 - 27

    Authentication With AD/Kerberos

    tcpdump output of Kerberos records:

    10.4.3.3.3263 > 10.4.2.2.88: v5
    10.4.2.2.88 > 10.4.3.3.3263: v5

    Ethereal output of Kerberos records:

    No.  Time      Source    Destination  Protocol  Info
    1    0.000000  10.4.3.3  10.4.2.2     KRB5      AS-REQ
    2    0.040000  10.4.2.2  10.4.3.3     KRB5      AS-REP

    Authentication With AD/Kerberos is shown via tcpdump and Ethereal record output. There are three subprotocols associated with Kerberos:
    1) Authentication Service (AS) Exchange
    2) Ticket-Granting Service (TGS) Exchange
    3) Client/Server (CS) Exchange

    The AS Exchange is where the KDC gives a client requesting authentication a logon session key; a Ticket Granting Ticket (TGT) is issued after the user's identity has been confirmed. The TGS Exchange is where the KDC issues a service session key and a ticket for the desired service. Finally, the CS Exchange involves the client sending the ticket to the server for admission to a service.

    The exchange above shows only the Authentication Service Exchange, both request and reply. It uses the Kerberos port, UDP 88.
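The three sub-exchanges, together with the server-side SID check described two slides back, as a toy model in Python (an added example; not Windows, MIT Kerberos or SANS code). Principal names, passwords, SIDs and the krbtgt secret are all constructed, and seal/unseal is a SHA-256 keystream with an HMAC tag standing in for a real Kerberos encryption type; realms, timestamps, ticket lifetimes and ASN.1 encoding are not modelled. What the toy keeps is who can open what: the TGT opens only with the KDC's key, the service ticket only with the target server's key, and the server grants access from the SID it finds inside the ticket, not from anything the client asserts.

```python
"""Toy model of the Kerberos AS, TGS and CS exchanges (constructed example, not real Kerberos)."""
import hashlib
import hmac
import json
import os


def derive_key(secret: str) -> bytes:
    # Long-term key from a password or machine secret (toy stand-in for string-to-key).
    return hashlib.sha256(secret.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]


def seal(key: bytes, obj: dict) -> str:
    # Encrypt-then-MAC; hex output so a ticket can travel inside another message.
    nonce = os.urandom(16)
    plain = json.dumps(obj, sort_keys=True).encode()
    cipher = bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + cipher, hashlib.sha256).digest()
    return (nonce + cipher + tag).hex()


def unseal(key: bytes, blob_hex: str) -> dict:
    blob = bytes.fromhex(blob_hex)
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + cipher, hashlib.sha256).digest()):
        raise ValueError("MAC check failed: wrong key or tampered message")
    return json.loads(bytes(c ^ s for c, s in zip(cipher, _keystream(key, nonce, len(cipher)))))


class KDC:
    # The Key Distribution Center knows every principal's long-term key and SID.
    def __init__(self, principals: dict):
        self.principals = principals
        self.krbtgt_key = derive_key("krbtgt-secret-constructed")

    def as_exchange(self, user: str, preauth_hex: str) -> str:
        # AS-REQ -> AS-REP: the pre-authentication data must open with the user's key.
        ukey = self.principals[user]["key"]
        unseal(ukey, preauth_hex)                    # raises on a wrong password
        session = os.urandom(16).hex()               # logon session key
        tgt = seal(self.krbtgt_key, {"user": user, "sid": self.principals[user]["sid"],
                                     "session": session})
        return seal(ukey, {"session": session, "tgt": tgt})

    def tgs_exchange(self, tgt_hex: str, authenticator_hex: str, service: str) -> str:
        # TGS-REQ -> TGS-REP: only the KDC can open the TGT; the authenticator proves the
        # requester holds the logon session key from the AS exchange.
        tgt = unseal(self.krbtgt_key, tgt_hex)
        auth = unseal(bytes.fromhex(tgt["session"]), authenticator_hex)
        if auth["user"] != tgt["user"]:
            raise ValueError("authenticator does not match TGT")
        svc_session = os.urandom(16).hex()           # service session key
        ticket = seal(self.principals[service]["key"],
                      {"user": tgt["user"], "sid": tgt["sid"], "session": svc_session})
        return seal(bytes.fromhex(tgt["session"]), {"session": svc_session, "ticket": ticket})


class FileServer:
    # The target server opens the ticket with its own key and compares the SID to its ACL.
    def __init__(self, key: bytes, allowed_sids: set):
        self.key, self.allowed_sids = key, allowed_sids

    def cs_exchange(self, ticket_hex: str, authenticator_hex: str) -> bool:
        ticket = unseal(self.key, ticket_hex)
        auth = unseal(bytes.fromhex(ticket["session"]), authenticator_hex)
        return auth["user"] == ticket["user"] and ticket["sid"] in self.allowed_sids


def logon_and_access(kdc: KDC, server: FileServer, user: str, password: str,
                     service: str) -> bool:
    # Client side of all three exchanges; it never sees inside the TGT or the ticket.
    ukey = derive_key(password)
    as_rep = unseal(ukey, kdc.as_exchange(user, seal(ukey, {"user": user})))
    logon_key = bytes.fromhex(as_rep["session"])
    tgs_rep = unseal(logon_key, kdc.tgs_exchange(
        as_rep["tgt"], seal(logon_key, {"user": user}), service))
    svc_key = bytes.fromhex(tgs_rep["session"])
    return server.cs_exchange(tgs_rep["ticket"], seal(svc_key, {"user": user}))


# Constructed principals: the user name from the slide, a second user, a file server; toy SIDs.
PRINCIPALS = {
    "jnovak": {"key": derive_key("constructed-pw-1"), "sid": "S-1-5-21-EXAMPLE-1105"},
    "guest": {"key": derive_key("constructed-pw-2"), "sid": "S-1-5-21-EXAMPLE-501"},
    "cifs/verbo": {"key": derive_key("verbo-machine-secret"), "sid": "S-1-5-21-EXAMPLE-1000"},
}
KDC_EXAMPLE = KDC(PRINCIPALS)
VERBO = FileServer(PRINCIPALS["cifs/verbo"]["key"], {"S-1-5-21-EXAMPLE-1105"})

if __name__ == "__main__":
    print(logon_and_access(KDC_EXAMPLE, VERBO, "jnovak", "constructed-pw-1", "cifs/verbo"))
```

A wrong password fails at the AS exchange (the KDC cannot open the pre-authentication data), a valid user whose SID is not on the server's list gets a ticket but is refused at the CS exchange, and on the wire only the AS-REQ/AS-REP pair would appear on UDP 88 for the first step, matching the two records shown above.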

  • 6 - 28

    Reference Material

  • 6 - 29

    SMB Name Wildcard

    NetBIOS names are mangled when an nbtstat request is made:
    1) Each character in the NetBIOS name is divided into two hex characters
    2) Normally blank padded to 16 characters
    3) Each hex character is added to the ASCII value 0x41 (uppercase A)

    If * is used as the wildcard NetBIOS name (hex value = 2A):
    1) Separate into two hex characters: 2 A
    2) Null padded to 16 characters: 2 A
    3) Add 0x41 to each character

        2  A
     + 41 41 41 41 41 41 41 41 41 41 41 41 41 41, etc.
       43 4B 41 41 41 41 41 41 41 41 41 41 41 41  - Hex result
        C  K  A  A  A  A  A  A  A  A  A  A  A  A  - ASCII result

    The SMB Name Wildcard slide describes why we use a content of CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA to search for the wildcard. When NetBIOS names are sent over the network, they are mangled into a different format. This format takes each character in the NetBIOS name and divides it into two hex characters. For normal NetBIOS names, blanks pad any unused positions of the 16-character name. Finally, the value 0x41 (uppercase A) is added to each of the characters.

    If we take a NetBIOS name of *, it is a bit different because it is null padded. The * character is 2A in hex. These two characters are separated and 0x41 is added to each. So, 2 + 41 = 43 (ASCII C) and A + 41 = 4B (ASCII K). Each null field also has hex 41 added, giving 41 (ASCII A). That is why the CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA value is used.
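The mangling described above as runnable Python (an added example, not the course's or Microsoft's code). It goes one step past the slide: for ordinary names the 16th byte is the NetBIOS suffix (the service type, for example 0x20 for the file server service), so the name is space padded to 15 bytes and the suffix appended, while the wildcard is NUL padded exactly as the slide shows. nbt_query_name and the constructed query packet are this example's own; the name-query layout it relies on (12-byte header, then a label length byte of 32 and the encoded name) is from RFC 1002.

```python
"""First-level NetBIOS name encoding (RFC 1001/1002), the 'mangling' on the slide."""
from typing import Tuple

WILDCARD_CONTENT = "CK" + "A" * 30     # the Snort content string used on the slide


def netbios_encode(name: str, suffix: int = 0x00) -> str:
    """Return the 32-character encoded form of a NetBIOS name.

    "*" is the wildcard: NUL padded to 16 bytes, no suffix (as the slide shows).
    Any other name is space padded to 15 bytes, then the suffix byte is appended
    (this step goes past the slide; Windows uses the 16th byte as the service type).
    """
    if name == "*":
        raw = b"*" + b"\x00" * 15
    elif 1 <= len(name) <= 15 and name.isascii():
        raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix & 0xFF])
    else:
        raise ValueError("NetBIOS names are 1..15 ASCII characters")
    # Split every byte into two nibbles and add 0x41 ('A') to each.
    return "".join(chr((b >> 4) + 0x41) + chr((b & 0x0F) + 0x41) for b in raw)


def netbios_decode(encoded: str) -> Tuple[str, int]:
    """Inverse of netbios_encode: (name without padding, suffix byte)."""
    if len(encoded) != 32 or any(not "A" <= c <= "P" for c in encoded):
        raise ValueError("encoded name must be 32 characters in the range A..P")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    if raw == b"*" + b"\x00" * 15:
        return "*", 0x00
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def is_wildcard_query(encoded: str) -> bool:
    """What a Snort content match on the slide's string decides."""
    return encoded == WILDCARD_CONTENT


def nbt_query_name(payload: bytes) -> str:
    """Extract the encoded question name from a UDP/137 NBT name query (RFC 1002):
    12-byte header, then a label length byte (32) and the 32-character name."""
    if len(payload) < 13 + 32 + 1 or payload[12] != 32:
        raise ValueError("not an NBT name query with a 32-byte label")
    return payload[13:45].decode("ascii")


# Constructed NBSTAT (node status) query for the wildcard name, as nbtstat -A would send:
# transaction id 0x8228, flags 0, QDCOUNT 1, question name, type NBSTAT (0x21), class IN.
NBSTAT_QUERY = (bytes.fromhex("8228 0000 0001 0000 0000 0000") + b"\x20"
                + WILDCARD_CONTENT.encode("ascii") + b"\x00" + b"\x00\x21\x00\x01")

if __name__ == "__main__":
    print(netbios_encode("*"), netbios_encode("VERBO", 0x20))
    print(is_wildcard_query(nbt_query_name(NBSTAT_QUERY)))
```

Decoding the 32-character label back to a name is what a sensor does when it reports which host or service a query was aimed at; the wildcard case is special only because the name is NUL padded rather than space padded, which is why its encoding is all A after the leading CK.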

  • 6 - 30

    Quick Reference for Microsoft Ports

    Function Static Ports

    File Sharing TCP:139

    Printing UDP:137,138 TCP:139

    Browsing UDP:137, 138

    WINS Replication TCP:42

    WINS Manager TCP:135

    WINS Registration TCP:137

    NT User Manager TCP:139

    NT Server Manager TCP:139

    NT Event Viewer TCP:139

    NT Registry Editor TCP:139

    NT Diagnostics TCP:139

    NT Directory Replication UDP:138 TCP:139

  • 6 - 31

    Quick Reference for Microsoft Ports (2)

    Function Static Ports

    Logon Sequence UDP:137,138 TCP:139

    NT Trusts UDP:137,138 TCP:139

    NT Secure Channel UDP:137,138 TCP:139

    NetLogon UDP:138

    Pass Through Validation UDP:137,138 TCP:139

    NT Performance Monitor TCP:139

    DNS Administration TCP:139

    DNS Resolution UDP:53

    DHCP Manager TCP:135

    DHCP Lease UDP:67,68

    PPTP TCP:1723 IP Protocol:47

  • 6 - 32

    Quick Reference for Windows 2000 Ports

    Function Static Ports

    Global Catalog with LDAP TCP:3268

    Global Catalog with LDAP and SSL encryption TCP:3269

    Kerberos KSHELL TCP:544

    Kerberos Passwords TCP,UDP:464

    Kerberos Secure Authentication TCP,UDP:88

    LDAP SSL TCP:636

    Lightweight Directory Access Protocol (LDAP) TCP,UDP:389

    SMB without NetBIOS (CIFS) TCP:445

    Terminal Server TCP:3389

  • 6 - 33

    Section Quiz

    1. Microsoft networks need no perimeter protection from the outside world. (T/F)

    2. Microsoft protocols stress security first even at the cost of making software hard to use. (T/F)

    3. WINS servers eliminated the need for DNS servers for Internet traffic. (T/F)

    4. In a true Windows 2000 network with no backwards compatibility (Native mode), NetBIOS is no longer supported. (T/F)

    5. NetBIOS names are the same as DNS fully qualified domain names. (T/F)

  • 6 - 34

    Section Quiz (2)

    6. NBT (NetBIOS over TCP/IP) was the method of communications in most MS networks before Windows 2000. (T/F)

    7. Windows hostnames using Windows 2000 and AD are the same as DNS hostnames. (T/F)

    8. The only way NetBIOS names can be known is via a WINS server. (T/F)

    9. Under normal operations, Microsoft File and Print sharing are accomplished via standard FTP (TCP port 21). (T/F)

    10. LDAP is the protocol used to connect to a Kerberos server to do authentication. (T/F)

  • 6 - 35

    Section Quiz (3)

    11. Port 445 is used to connect a client to a server for access to remote shares or printers for hosts in a true (no backwards compatibility/Native mode) Windows 2000 network. (T/F)

    12. UDP port 137 traffic is associated with WINS operations and nbtstat queries/responses. (T/F)

    13. TCP port 139 is associated with WINS lookup operations only. (T/F)

    14. In Windows 2000, the preferred method of authentication is Kerberos. (T/F)

    15. AD is essentially a collection of services, standards, and protocols supported by a database that is installed on a server. (T/F)

    Answers to True/False questions:

    1) F

    2) F

    3) F

    4) T

    5) F

    6) T

    7) T

    8) F

    9) F

    10) F

    11) T

    12) T

    13) F

    14) T

    15) T

  • 6 - 36

    Multiple Choice

    1. The nbtstat -A IP address command does the following:
       a) Enumerates WINS servers for the IP address
       b) Enumerates an NT registry for the IP address
       c) Enumerates passwords for the IP address
       d) Enumerates NetBIOS resources for the IP address

    2. When no WINS server is present in a workgroup/domain, NetBIOS hosts discover other NetBIOS hosts via:
       a) There must be a WINS server in order for NetBIOS hosts to communicate
       b) Sending broadcasts over the network
       c) Using DNS servers
       d) Using NetBEUI

  • 6 - 37

    Multiple Choice (2)

    3. The use of Active Directory provides which of the following?
       a) Provides a database of network resources/objects for clients to search and administrators to centrally change
       b) Facilitates the use of NetBEUI
       c) Provides a means to map a network drive
       d) NetBIOS name resolution

    4. WINS servers allow Microsoft systems to:
       a) Register NetBIOS names and IP numbers with the server
       b) Perform inverse queries
       c) Query DNS servers
       d) Eliminate the need for any DNS servers

  • 6 - 38

    Multiple Choice (3)

    5. The net view \\NetBIOSname command:
       a) Enumerates NetBIOS passwords for host NetBIOSname
       b) Enumerates NetBIOS file and print shares for host NetBIOSname
       c) Enumerates NetBIOS registry entries for host NetBIOSname
       d) Enumerates NetBIOS Samba global configuration values for host NetBIOSname

    6. Port 445 in Windows 2000 is used for:
       a) NetBIOS name resolution
       b) Connection to a Kerberos server
       c) Connection to servers for remote share and printer access
       d) To do AD searches via LDAP

  • 6 - 39

    Multiple Choice (4)

    7. In Windows 2000 with AD, DNS has:
       a) Been upgraded to do NetBIOS to IP pairings
       b) Replaced WINS and is used to associate Windows hostnames and IP numbers
       c) Been upgraded to do NetBEUI to IP pairings
       d) Been eliminated entirely

    8. In Windows 2000 with AD, when the user clicks on My Network Places and accesses a remote resource:
       a) LDAP is used to locate network resources, and port 445 is used to access them
       b) DNS is used to locate network resources, and port 137 is used to access them
       c) LDAP is used to locate network resources, and port 137 is used to access them
       d) DNS is used to locate network resources, and port 88 is used to access them

  • 6 - 40

    Multiple Choice (5)

    9. A wildcard SMB search using nbtstat will have the string CKAAA in the payload; this string is:
       a) The NetBIOS name for the master browser
       b) The NetBIOS name for the primary domain controller
       c) The NetBIOS name for the WINS server
       d) The result of mangling the wildcard character *

    10. Domain Controllers:
       a) Manage accounts and access
       b) Replace DNS
       c) Manage workgroup backups
       d) Always provide master browser functions

  • 6 - 41

    Multiple Choice (6)

    11. The network.vbs worm caused an increase in the following:
       a) Access to domain controllers
       b) Access to master browsers
       c) Access to WINS servers
       d) Access to UDP port 137

    12. Access to file shares and shared printer resources is done via:
       a) TCP port 137 pre-Win2k, and TCP port 88 in Win2k
       b) TCP port 138 pre-Win2k, and TCP port 389 in Win2k
       c) TCP port 139 pre-Win2k, and TCP port 445 in Win2k
       d) TCP port 136 pre-Win2k, and TCP port 139 in Win2k

  • 6 - 42

    Multiple Choice (7)

    13. Once a user has authenticated via the domain controller:
       a) He/she is allowed access to any shared resources on the network
       b) He/she is allowed access to any shared resources for which access had been granted on the network
       c) He/she must be re-authenticated once logged on for additional shared resources
       d) He/she is allowed access to all resources (shared/non-shared on the network)

    14. DNS used with Windows 2000 and AD can be used for the following:
       a) Hostname to IP resolution and location of network services
       b) NetBIOS to IP resolution and authentication to network resources
       c) SMB/CIFS resolution and access to LDAP
       d) Kerberos authentication and storing of encryption keys

  • 6 - 43

    Multiple Choice (8)

    15. The SMB/CIFS protocol is used for:
       a) Client communications to a Samba server only
       b) Samba server communications to a client only
       c) A client to send commands to a server that allows them to access shares, open files, read and write files
       d) Samba client and server communications only

    Answers to Multiple Choice questions:

    1. D

    2. B

    3. A

    4. A

    5. B

    6. C

    7. B

    8. A

    9. D

    10. A

    11. D

    12. C

    13. B

    14. A

    15. C

  • 6 - 45

    Course Revision History

    v1.0 J Novak.
    v1.1 J. Novak, deleted slide re: netbios tcpdump 139 exchange 28 Oct 2000
    v1.2 J. Kolde, formatting changes 21 Jan 01
    v1.3 J. Novak, quiz question clarification per student feedback, updates for Win2000 23 Feb 01
    v1.4 edited by K. Frederick, fix quiz question 15 Jun 01
    v1.5 edited by J. Novak, updated URL 6 July 2001
    v1.6 edited by J. Novak, corrections from student feedback 07 Oct 01
    v.1.7 edited by J. Novak deleted superfluous slides 17 Mar 02
    v.1.8 edited by J. Novak deleted references to inactive URLs 22 Jun 02
    v.1.9 edited by J. Novak updated for Win2k and AD
    v.1.10 edited by J. Novak page 3 added back information about NetBeui per user confusion. 22 Sep 02, spelling change on slide 27 kerberos to Kerberos.
    v.1.11 edited by J. Novak slide 1 reference to Unix in notes page first paragraph, third sentence changed to Solaris - 9 Nov 2002
    V1.12 edited by J. Novak slide 4 notes qualified AD in 2nd paragraph, second sentence. Slide 11 added parentheses notation on 2nd to last sentence, last paragraph Feb 2003.
    v.1.12 J. Novak March 2003 - notes slide 17 per student feedback corrected grammar about snort resolutions.