NetBIOS (Network Basic Input/Output System) is an application programming interface (API). The system can use the WINS service, broadcasts, and the LMHOSTS file to resolve NetBIOS names to the corresponding IP addresses, so the NetBIOS protocol can be used within a LAN for message communication and resource sharing. Because it uses few system resources and transmits efficiently, it is particularly suitable for a small LAN of 20 to 200 computers. For this reason, Microsoft's client/server network systems are based on NetBIOS.
When the TCP/IP protocol is installed, Windows also loads NetBIOS by default, so the computer is exposed over NetBIOS and port 139 is open. Some people with ulterior motives use this function to attack the server, so administrators cannot safely share files and printers.
NetBIOS vulnerability attack
1. Search for shared resources using software
Use NetBrute route software to scan an IP address range (for example, 10.0.13.1 to 10.0.13.254).
2. Use PQwak to crack the Shared Password
Double-click a shared folder found by the scan. If it has no password, it opens directly. You can also enter the scanned IP address that has the shared folder in the address bar of IE, for example "\\10.0.13.191" (or check the default shares C$, D$, and so on). If the share has a password, you are prompted for the share user name and password. Tools for cracking Network Neighborhood passwords, such as PQwak, can be used here. After cracking, the corresponding folder can be entered.
Disable NetBIOS Vulnerability
I was angry when I found my machine was changed. After careful research, we finally found a solution to disable the NetBIOS protocol.
1. Unbind file and printer sharing
Right-click [Network Neighborhood] → [Properties] → [Local Area Connection] → [Properties] on the desktop, and clear the check box in front of "File and Printer Sharing for Microsoft Networks" to unbind file and printer sharing. All requests on ports 139 and 445 are then refused, and others can no longer see the shares on the local machine.
2. Filter by TCP/IP
Right-click [Network Neighborhood] → [Properties] → [Local Area Connection] → [Properties] on the desktop to open the "Local Area Connection Properties" dialog box. Select [Internet Protocol (TCP/IP)] → [Properties] → [Advanced] → [Options], and click the "TCP/IP filtering" option in the list. Click the [Properties] button, select "Permit Only", click the [Add] button, and enter the ports you need except 139 and 445. When a scanner then probes ports 139 and 445, it gets no response.
3. Use IPSec Security Policies to block access to ports 139 and 445
Select [My Computer] → [Control Panel] → [Administrative Tools] → [Local Security Policy] → [IP Security Policies on Local Computer]. Here, define an IPSec security policy rule that blocks any IP address from reaching the local IP address on TCP ports 139 and 445, so that when someone scans the machine, local ports 139 and 445 do not respond.
4. Stop the Server Service
Select [My Computer] → [Control Panel] → [Administrative Tools] → [Services] to open the service manager, and disable the Server service. Although this does not close the port, it stops the local machine from serving other machines. Of course, sharing with other machines is suspended as well. However, disabling this service prevents many related services from starting. For example, if the machine runs IIS, this method cannot be used.
5. Use the firewall to prevent attacks
A firewall can also stop other machines from using local shares. For example, in "Skynet Personal Firewall", select an empty rule and set the packet direction to "receive", the IP address of the other party to "any address", the protocol to "TCP", the local port to "139 to 139", the peer port to "0 to 0", the flag to "SYN", and the action to "intercept". Finally, click the [OK] button and select this rule in the "custom IP rule" list to start blocking attacks on port 139.
Choose among the five methods above according to your actual situation. With sharing disabled, you can no longer use shares to manage machines, but that is worthwhile to prevent others from stealing or modifying files.
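To confirm that the method you applied actually took effect, a check like the following can be run from a second machine on the LAN against your own hardened host. It is an added example, not part of the original article; the function names and the placeholder address 192.0.2.10 are assumptions.

```python
import errno
import socket
import sys

NETBIOS_SMB_PORTS = (139, 445)  # the ports the five methods above are meant to block


def probe_port(host, port, timeout=2.0):
    """Classify one TCP port from the prober's point of view.

    open     - handshake completed, so sharing is still reachable
    closed   - connection refused (RST), nothing accepts on the port
    filtered - no reply before the timeout, a filter dropped the SYN
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        # An unreachable host or network also means no answer came back.
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        sock.close()


def probe_netbios_ports(host, ports=NETBIOS_SMB_PORTS, timeout=2.0):
    """Return {port: state} for the NetBIOS session and SMB ports."""
    return {port: probe_port(host, port, timeout) for port in ports}


def still_exposed(results):
    """Ports that still complete a handshake, i.e. the fix did not take."""
    return sorted(p for p, state in results.items() if state == "open")


if __name__ == "__main__":
    # 192.0.2.10 is a placeholder (documentation range); pass your own host.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    results = probe_netbios_ports(target)
    for port, state in results.items():
        print(f"{target}:{port} {state}")
    sys.exit(1 if still_exposed(results) else 0)
```

A `filtered` result corresponds to the "no response" behaviour described for the filtering, IPSec and firewall methods, while any `open` result means the share ports are still reachable.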