Security Basics: in-depth understanding of "Network neighbors" Principles

Source: Internet
Author: User

There have been many people asking questions about network neighbors, and misunderstandings are also common. Since Microsoft's NETBIOS documentation is not very detailed, I have collected some relevant information and written this series with my own practical experience, hoping to help you.

I originally wanted to write this series as a Q & A to improve readability, but I couldn't write so many questions in my head at the moment, we should give a general introduction to Microsoft's browser services step by step, and then thoroughly analyze the specific working mechanism of NETBIOS. If you have any questions, we can discuss them together.

1. Overview of Microsoft's Web browsing Process

In the book "Windows NT System Management Technology insider", I talked about a very representative problem. I excerpted it:

Q: under what circumstances will the computer in the network neighbor be able to see but cannot access or be able to access but not see? Select the best answer:

A. Your Network has physical problems, such as A network cable.

B. The Windows NTserver browsing service is broken as the main browser of the domain.

C. Windows NTserver Nic Problems

D. There is no problem with your network. The user describes the normal phenomenon of Microsoft browsing.

The correct answer is explained in the book. Microsoft's Web browsing may be interrupted, but they are not interrupted. This misunderstanding is caused by users' infamiliarity with the process of Microsoft's Web browsing.

Just as my classmates often complain, "why can't Other People's Network neighbors use it ?" "Why can't I browse the network sometimes ?" The release of the ticket also requires a contact. Let's take a look at how Microsoft's Web browsing works. As you may not know much about the NT "Domain" concept, and most of the browsing failures occur are 98 machines, I will explain it to you in the 98 "Working Group mode.

Ii. Web browsing

1. What is a browsed List)

On the Microsoft Network, you can view the entire network in the browsing list? Subnet or broadcast domain? You can consider) All computers. When you open the entire network through the network neighbor window, you will see a list of working groups, and then open a Working Group, you will see the computer List in it (you can also use the net view/domain: workgroupname command in DOS mode). This is what we call the Browsing List. Working groups are essentially a group of computers that share a browsing list. All working groups are peer-to-peer and there is no rule that all computers cannot be in the same working group.

2. Where is the browsing list?

Some people say that the computer list in the network neighbor is obtained by broadcast query. Some people say that my classmates have all shut down, but I can still see it in the network neighbors. It should be obtained from the caches of relatively fixed devices such as hubs or switches. In fact, they all have only one right aspect. The answer is the correct answer when combining the two of them. The browser list is provided by the browser master server through broadcast query.

3. What is the browser master server?

The browser master server is one of the most important computers in the Working Group. It maintains the browsing list in this Working Group and the list of Master servers designated for other working groups, provides browsing services for other computers in the Working Group and other computers visiting the Working Group. Each working group selects a browser master server for each transmission protocol, most of the network browsing failures we often encounter are caused by the absence of the master server in your working group. You can use the NBTSTAT-a computername command in a working group to find the browser master server using the NBT Protocol. Its identifier is \ _ MSBROWSE _ name segment.

4. How is the browser master server specified?

By default, the browser master server in the win98 workgroup is the first computer in the workgroup to enable file and printer sharing, you can also manually configure a Windows computer as the browser master server (this method will be described later in network configuration, but the performance will be affected because the browser master server needs to maintain the Dynamic Browsing list ), if multiple computers in a working group have configured this option, or the current browser master server has disabled the system, and no other computer has enabled the master control settings, the master browser should be elected.

5. How to select and generate browser master servers

As for the browser's election packets, it is not good to capture packets, so I have to follow what is described in the book. in fact, the process is very simple. First, a computer sends an election critical message, which contains information (operating system, version, and NET name) from the computer ), the election message is broadcast to the network. Each computer in the Working Group compares its own information with the election message for priority, which is mainly used by the operating system, I remember it was NT Server> NT Workstation> Win98> WFWG. In the end, it was the best browser master Server.

6. What is the overall network browsing process?

When a win98 enters the network, if it carries a Server Service (file and printer sharing are enabled), it will broadcast its existence to the network, the browser master server obtains this declaration and puts it in the browser list maintained by itself. The computer that does not bind the file and printer share on the corresponding protocol will not be declared, so it will not appear in the network neighbors. When the customer's computer wants to obtain the desired list of network resources, it first broadcasts a browser request. After the browser master server receives the request, if the requested list is the browsing list of this group, directly send back the List of resources required by the customer. If you are requesting a List of other working groups, the browser master server will find the corresponding Working Group's browser based on the records in the Browsing List and return it to the user, you can get the desired browsing list from there. As for how to share and exchange resources with another computer, it is not a question we will discuss here.

Now that I understand the principles of Web browsing, I will introduce a useful application to you. Many students do not welcome strangers to access their computers through their network neighbors due to security concerns, sometimes the lower-part movies need to be shared with other people, so they cannot delete files or printer sharing services. What should I do? Some people add $ to the sharing name to achieve the hidden effect, but the net share under DOS can be seen; some people add a password to the sharing, we can hear that this is also a solution, and it is easy to arouse the curiosity of "hacker comrades. Is there a way to hide your machine in a network neighbor? However, you can use \ IP to access the website. Right, the key is to stop your machine from declaring itself to the network, and I know some of our

People have already turned this into reality. As for the method, don't ask me.

Note: There is very little information about win98 browser services, and most of the books involved are introduced based on the "Domain" model of NT. Therefore, I can only test it based on my own understanding and netxray practices, the details are easy to avoid. please correct me.

7. Why can't some hosts access my network neighbor?

If Microsoft's online neighbors can really achieve what they see and what they get, I believe that there will not be so many people complaining about it. You can refer to the introduction of browser services, and we already know that this is impossible, because the browsing list is not obtained by accessing each of the hosts, the browsing list cannot be correctly updated by computers on the network. When a computer is shut down normally, it sends a broadcast to the network so that the browser master server can delete it from the browsing list in time. After the computer is shut down abnormally, this entry remains in the browsing list for a long time (45 minutes for NT), which is why we can still see it in our network neighbors. 98's stability is well known-it collapsed before it could be shut down.

The SMB (Server Message Block) protocol is used for file sharing in NT/2000. In NT, SMB runs on NBT (NetBIOS over TCP/IP) and uses 137,139 (UDP ), port 139 (TCP. In Port 2000, SMB can run on TCP/IP directly without an additional NBT layer. Therefore, it should be slightly different from NT in 2000.

You can enable or disable NBT (NetBIOS over TCP/IP) in "network connection/properties/TCPIP protocol/properties/advanced/WINS ).

When 2000 is used for network sharing, port 139 or port 445 is selected. Determine the port used by the session as follows:

1. If the client enables NBT, both ports 139 and 445 will be accessed during the connection. If a response is received from port 445, the client will send the RST to port 139, terminate the connection on this port, and then conduct the SMB session from port 445. If the response is not received from port 445 but from port 139, the session is performed from port 139; if no response is received, the SMB session fails.

2. If the client disables NBT, it will only connect from port 445. Of course, if the server (on the sharing end) does not have port 445 for SMB sessions, the access will fail. Therefore, after port 445 is disabled, sharing the access to the NT machine will fail.

3. If NBT is enabled on the server, UDP 137, port 138, and TCP139, 445 are monitored at the same time. If NBT is disabled, only port 445 is monitored.

Therefore, for port 2000, the sharing problem is not only port 139, but also port 445.

Iii. Empty sessions

The NULL session, about NULL Sessions

The port used by NULL Sessions (empty sessions) also follows the above rules. A null session is a untrusted session established with the server. A session contains user authentication information, while a NULL session does not have user authentication information, just like an anonymous session.

Without authentication, it is impossible to establish a security channel for the system, and establishing a security channel is dual. First, it is to establish an identity sign, and second, it is to establish a temporary session key, both parties can use this session for encrypted data exchange (for example, the RPC and COM authentication levels are PKT_PRIVACY ). Whether it is a ticket that has passed NTLM or Kerberos authentication, a token containing user information is created for the session. (This section is from Joe Finamore)

According to the WIN2000 access control model, a token is also required for empty sessions. However, because a blank session is not authenticated, the token does not contain user information. Therefore, there is no key exchange between the two sides of the established session, which does not allow the system to send encrypted information. This does not indicate that the token of the empty session does not contain the SID. For an empty Session, the SID of the token provided by LSA is the S-1-5-7, which is the SID created by the empty session and the username is anonymous logon. This user name can be seen in the user list. But it cannot be found in the SAM Database. It is a built-in account of the system.

(For the analysis of this part of the null session, you can refer to: NULL Sessions InNT/2000 http://rr.sans.org/win/null.php)

NULL sessions have almost become a backdoor deployed by Microsoft. But why does Microsoft set such a "backdoor? I keep thinking about this problem. If the NULL Session has no important purpose, Microsoft should not set such a thing. It's hard to find this in Microsoft: In a multi-domain environment

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.