Reject NetBIOS protocol vulnerabilities and network attacks (1)

Source: Internet
Author: User

Most systems load the NetBIOS protocol by default, because it is bound to the TCP/IP protocol. If you do not pay attention to the related settings, NetBIOS can become a vulnerability. This article analyzes NetBIOS protocol vulnerabilities. When the TCP/IP protocol is installed, Windows also loads NetBIOS as a default setting, so our computers expose NetBIOS as well. Attackers use this function to attack servers, so that administrators cannot safely share files and printers.

The ports attacked by NetBIOS protocol vulnerabilities are:

Port 135 is actually a Windows NT vulnerability: port 135 is prone to external "Snork" attacks.

To protect port 135, add a rule on your firewall that denies all incoming UDP packets of this type, that is, packets with destination port 135 and source port 135. This protects internal systems and prevents external attacks. Most firewalls or packet filters already ship with strict rules that cover this filter. Note, however, that some NT applications rely on UDP port 135 for legitimate communication with the NT RPC service. If this is the case, apply the rule above with exceptions for the source addresses of the systems that need port 135, so that communication from those systems can pass through the firewall or be ignored by the attack detection system, and those applications keep their normal connections. To protect your information security, we strongly recommend that you install Microsoft's latest patch package.

As mentioned above, NetBIOS (Network Basic Input/Output System) is the basic input/output system of the network. It is a set of network standards developed by IBM in 1983, and Microsoft has continued to develop it on that basis. Microsoft's client/server network systems are based on NetBIOS. In a network built on Windows NT 4.0, the unique identifier of each host is its NetBIOS name. The system can resolve NetBIOS names to the corresponding IP addresses in several ways, such as the WINS service, broadcast, and the LMHOSTS file, and communicates through port 139. Inside such a network, using NetBIOS names for communication is convenient and fast. On the Internet, however, it behaves much like a backdoor program, so it is necessary to block this dangerous vulnerability.

NetBIOS protocol vulnerability attack

1. Search for shared resources using software

Use the NetBrute software to scan a range of IP addresses, such as 10.0.13.1 to 10.0.13.254.

2. Use PQwak to crack the share password

Double-click the shared folder found by the scan. If no password is set, it opens directly. You can also enter the scanned IP address that has a shared folder in the address bar of IE, for example \\10.0.13.191, or C$ and D$ to view the default shares. If the share has a password, you are asked to enter the share user name and password. A tool for cracking Network Neighborhood passwords, such as PQwak, can be used here; after cracking, the corresponding folder can be entered.

Disable the NetBIOS protocol vulnerability

1. Unbind File and Printer Sharing

On the desktop, right-click [Network Neighborhood] → [Properties] → [Local Area Connection] → [Properties], and clear the check box in front of "File and Printer Sharing for Microsoft Networks" to unbind file and printer sharing. All requests on ports 139 and 445 are then refused, and others can no longer see the shares on the local machine.

2. Filter by TCP/IP

On the desktop, right-click [Network Neighborhood] → [Properties] → [Local Area Connection] → [Properties] to open the "Local Area Connection Properties" dialog box. Select [Internet Protocol (TCP/IP)] → [Properties] → [Advanced] → [Options], and click the "TCP/IP filtering" entry in the list. Click the [Properties] button, select "Permit Only", click the [Add] button, and enter the ports to allow, leaving out 139 and 445. After this, a scanner probing ports 139 and 445 gets no response.
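An added example, not part of the original article: a Python check over a Windows Firewall log that shows whether the filters described above (UDP 135 from the firewall rule, TCP 139 and 445 from the sharing and TCP/IP filtering steps) are actually taking effect. The log lines are constructed, the trusted RPC peer 10.0.13.20 is a hypothetical address, and the log is assumed to use the firewall's `pfirewall.log` field layout.

```python
import ipaddress

# Ports this page says to filter: UDP 135 (NT RPC), TCP 139 and 445 (shares).
WATCHED = {("UDP", 135), ("TCP", 139), ("TCP", 445)}

# Constructed sample in the Windows Firewall log layout (pfirewall.log).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 10:15:02 DROP UDP 203.0.113.7 10.0.13.191 135 135 60 - - - - - - - RECEIVE
2024-05-01 10:15:09 ALLOW UDP 10.0.13.20 10.0.13.191 135 135 60 - - - - - - - RECEIVE
2024-05-01 10:16:40 ALLOW TCP 203.0.113.7 10.0.13.191 51522 445 52 S 1 0 8192 - - - RECEIVE
2024-05-01 10:17:03 DROP TCP 198.51.100.9 10.0.13.191 40112 139 52 S 1 0 8192 - - - RECEIVE
2024-05-01 10:17:30 ALLOW TCP 10.0.13.191 10.0.13.20 49733 445 52 S 1 0 8192 - - - SEND
2024-05-01 10:18:00 ALLOW TCP 203.0.113.7 10.0.13.191 51600 80 52 S 1 0 8192 - - - RECEIVE
"""

def audit(log_text, trusted=()):
    """Return (verdict, proto, src_ip, dst_port) for inbound hits on WATCHED ports."""
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the tag
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("path") != "RECEIVE" or not rec.get("dst-port", "").isdigit():
            continue                       # outbound traffic, or ICMP with "-" ports
        key = (rec["protocol"], int(rec["dst-port"]))
        if key not in WATCHED:
            continue
        src = ipaddress.ip_address(rec["src-ip"])
        if any(src in net for net in trusted_nets):
            continue                       # exception for systems that need port 135
        # DROP: the filter worked. Anything else reached the port unfiltered.
        verdict = "BLOCKED" if rec["action"] == "DROP" else "EXPOSED"
        findings.append((verdict, rec["protocol"], str(src), key[1]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, trusted=["10.0.13.20/32"]):
        print(*finding)
```

An EXPOSED row means an untrusted source reached a port that should have been filtered; BLOCKED rows are attempts the rule stopped.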

