CERT-Bund-Reports

Openly accessible NetBIOS name services

NetBIOS defines a software interface and a naming convention. NetBIOS-over-TCP/IP (NBT, RFC 1001/1002) provides the NetBIOS programming interface on top of TCP/IP. Part of NBT is a name service (NBNS); Microsoft's implementation of a NetBIOS name server is called WINS. The NetBIOS name service uses port 137/udp.

The NetBIOS name service is only needed within local networks, and for systems older than Microsoft Windows 2000 that depend on WINS for name resolution. Everywhere else, and in particular on the Internet, name resolution is done via DNS. There is therefore no reason to expose a NetBIOS name service to the Internet.

Problem

Openly accessible NetBIOS name services can be abused for DDoS reflection attacks against third parties: the service answers over UDP without any handshake, so the source address of a query can be spoofed, and a node status reply is considerably larger than the query that triggers it. Furthermore, the reply discloses the host name, workgroup or domain, registered services and the MAC address of the system, which allows potential attackers to gather information on the server or network in preparation of further attacks.

Verification

In this section, we show how to check a host for an openly accessible service. All tests are performed using tools commonly included with standard Linux/Unix distributions. To verify the service is openly accessible from the Internet, the test should not be run on the host itself or the local network but instead from a different node on the Internet, for example a host on a cable/DSL line. In all examples, replace 192.168.45.67 with the IP address of the host to check.

To check whether a NetBIOS name service is openly accessible from the Internet, you can use the 'nmblookup' tool from the Samba package. The -A option sends a node status (NBSTAT) request for the wildcard name '*' to port 137/udp of the given address:

$ nmblookup -A 192.168.45.67

An openly accessible NetBIOS name service will return information like this:

Looking up status of 192.168.45.67
HOSTNAME <00> - B <ACTIVE>
WORKGROUP <00> - <GROUP> B <ACTIVE>
HOSTNAME <20> - B <ACTIVE>
WORKGROUP <1e> - <GROUP> B <ACTIVE>
        MAC Address = 12-34-56-78-90-AB

Otherwise, nmblookup will time out:

Looking up status of 192.168.45.67
No reply from 192.168.45.67
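The exchange behind 'nmblookup -A', as an added example that is not part of this report and not Samba's code: it builds the 50-byte node status request from RFC 1002, decodes a node status response, and computes how much larger the reply is than the request, which is what makes the service usable as a reflector. The response bytes are constructed here to mirror the sample output above; the host name, workgroup and MAC address are the placeholders from that output, and the transaction ID 0x1234 is arbitrary. Only query_host() sends the request to a real host and needs network access.

```python
import socket
import struct

NBSTAT = 0x0021          # QUESTION_TYPE of a node status request (RFC 1002)
CLASS_IN = 0x0001
NODE_TYPES = {0: "B", 1: "P", 2: "M", 3: "H"}   # ONT bits of NAME_FLAGS


def encode_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding (RFC 1001 section 14.1): the 15-byte name plus
    one suffix byte become 32 characters, one 'A'..'P' per nibble, wrapped
    as a single DNS-style label. The wildcard name '*' is NUL-padded."""
    pad = b"\x00" if name == "*" else b" "
    raw = name.encode("ascii").ljust(15, pad) + bytes([suffix])
    encoded = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return bytes([len(encoded)]) + encoded + b"\x00"


def build_nbstat_request(trn_id: int = 0x1234) -> bytes:
    """The 50-byte request nmblookup -A sends to 137/udp: 12-byte header,
    the encoded '*' name, QUESTION_TYPE NBSTAT, QUESTION_CLASS IN."""
    header = struct.pack("!HHHHHH", trn_id, 0x0000, 1, 0, 0, 0)
    return header + encode_name("*") + struct.pack("!HH", NBSTAT, CLASS_IN)


def parse_nbstat_response(data: bytes) -> dict:
    """Decode a node status response: the registered names with suffix and
    NAME_FLAGS, then the UNIT_ID (MAC address) from the statistics block."""
    trn_id, flags, _qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", data, 0)
    if not flags & 0x8000 or an != 1:
        raise ValueError("not a node status response")
    off = 12
    while data[off]:              # skip RR_NAME label by label
        off += 1 + data[off]
    off += 1                      # terminating zero-length label
    rr_type, _rr_class, _ttl, rdlength = struct.unpack_from("!HHIH", data, off)
    off += 10
    if rr_type != NBSTAT or off + rdlength > len(data):
        raise ValueError("malformed node status response")
    num_names = data[off]
    off += 1
    names = []
    for _ in range(num_names):          # 18 bytes per NODE_NAME entry
        name_flags = struct.unpack_from("!H", data, off + 16)[0]
        names.append({
            "name": data[off:off + 15].rstrip(b" \x00").decode("ascii", "replace"),
            "suffix": data[off + 15],
            "group": bool(name_flags & 0x8000),
            "node_type": NODE_TYPES[(name_flags >> 13) & 0x3],
            "active": bool(name_flags & 0x0400),
        })
        off += 18
    mac = data[off:off + 6]             # UNIT_ID, first field of STATISTICS
    return {"trn_id": trn_id, "names": names,
            "mac": "-".join(f"{b:02X}" for b in mac)}


def build_sample_response(trn_id: int = 0x1234) -> bytes:
    """Constructed response mirroring the nmblookup output in the report;
    names, suffixes and MAC are the placeholders used there."""
    entries = [(b"HOSTNAME", 0x00, 0x0400),    # unique name, B-node, ACTIVE
               (b"WORKGROUP", 0x00, 0x8400),   # GROUP name, B-node, ACTIVE
               (b"HOSTNAME", 0x20, 0x0400),
               (b"WORKGROUP", 0x1E, 0x8400)]
    rdata = bytes([len(entries)])
    for name, suffix, name_flags in entries:
        rdata += name.ljust(15, b" ") + bytes([suffix]) + struct.pack("!H", name_flags)
    rdata += bytes.fromhex("1234567890AB") + b"\x00" * 40   # 46-byte statistics block
    header = struct.pack("!HHHHHH", trn_id, 0x8400, 0, 1, 0, 0)
    rr = encode_name("*") + struct.pack("!HHIH", NBSTAT, CLASS_IN, 0, len(rdata))
    return header + rr + rdata


def amplification_factor(request: bytes, response: bytes) -> float:
    """Bytes the reflector emits per byte the (spoofing) sender spends."""
    return len(response) / len(request)


def query_host(ip: str, timeout: float = 3.0):
    """Send the request to a real host; returns None when nothing answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbstat_request(), (ip, 137))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_nbstat_response(data)


if __name__ == "__main__":
    req, resp = build_nbstat_request(), build_sample_response()
    parsed = parse_nbstat_response(resp)
    for n in parsed["names"]:
        print(f"{n['name']:<15} <{n['suffix']:02x}> {'<GROUP> ' if n['group'] else ''}"
              f"{n['node_type']} {'<ACTIVE>' if n['active'] else ''}")
    print("MAC Address =", parsed["mac"])
    print(f"{len(req)}-byte request, {len(resp)}-byte reply, "
          f"factor {amplification_factor(req, resp):.1f}")
```

The sample reply is 175 bytes for a 50-byte request; a host that has registered more names answers with 18 bytes more per name, so the factor grows with the number of registered names. Hosts that return nothing within the timeout are reported as not reachable, which is the same outcome as the "No reply" case above.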

Solution

If NetBIOS-over-TCP/IP is not needed, disable it. Otherwise, restrict access to the NetBIOS name service to trusted clients, e.g. by blocking incoming packets to port 137 tcp/udp on the firewall. For security reasons, you should consider blocking access from the Internet to ports 135 (RPC endpoint mapper), 138 (NetBIOS datagram service), 139 (NetBIOS session service) and 445 (SMB) as well.

On Linux/Unix systems, the NetBIOS name service is usually provided by 'nmbd', which is part of Samba. If you don't need Samba, disable or uninstall it. Otherwise, NetBIOS support can be disabled by setting

disable netbios = Yes

in the [global] section of the Samba configuration (smb.conf); nmbd refuses to start while this is set. Note that smbd still listens on the NetBIOS session port 139 by default; to limit it to port 445, additionally set

smb ports = 445
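A check of the Samba settings from the solution above, as an added example that is not part of this report and not Samba's code: it reads an smb.conf the way Samba matches parameter names (case and internal whitespace are ignored) and reports whether nmbd is disabled, whether smbd still listens on port 139, and whether Samba is bound to explicit interfaces. The two configuration files are constructed for this example: the weak one is what a default installation looks like, the hardened one turns NetBIOS off and limits smbd to port 445. The interface names in them are placeholders.

```python
import configparser

# Constructed for this example: a default-style smb.conf that still runs
# nmbd and listens on 139/tcp, and the same file with NetBIOS turned off.
WEAK_SMB_CONF = """\
[global]
workgroup = WORKGROUP
server string = %h server
"""

HARDENED_SMB_CONF = """\
[global]
workgroup = WORKGROUP
server string = %h server
Disable NetBIOS = Yes
smb ports = 445
interfaces = 127.0.0.0/8 eth0
bind interfaces only = Yes
"""


def load_smb_conf(text: str) -> configparser.ConfigParser:
    """Parse smb.conf text. Samba treats parameter names case-insensitively
    and ignores whitespace inside them, so normalise names the same way;
    interpolation is off because Samba values contain '%' substitutions."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = lambda name: "".join(name.split()).lower()
    cp.read_string(text)
    return cp


def audit_smb_conf(text: str) -> dict:
    """Report the NetBIOS-related exposure of a Samba configuration."""
    cp = load_smb_conf(text)
    # Samba's default for 'smb ports' is "445 139" (assumed default, see smb.conf(5))
    ports = cp.get("global", "smb ports", fallback="445 139").split()
    return {
        "netbios_disabled": cp.getboolean("global", "disable netbios", fallback=False),
        "listens_on_139": "139" in ports,
        "bind_interfaces_only": cp.getboolean("global", "bind interfaces only", fallback=False),
    }


def findings(text: str) -> list:
    """Human-readable findings for an smb.conf; empty list means nothing to fix."""
    result = audit_smb_conf(text)
    out = []
    if not result["netbios_disabled"]:
        out.append("nmbd will run and answer NetBIOS name service queries on 137/udp")
    if result["listens_on_139"]:
        out.append("smbd listens on the NetBIOS session port 139/tcp")
    if not result["bind_interfaces_only"]:
        out.append("Samba binds to all interfaces, including any Internet-facing ones")
    return out


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, audit_smb_conf(conf))
        for f in findings(conf):
            print("  -", f)
```

Disabling NetBIOS in Samba removes the reflector, but a host-based or network firewall rule for ports 135 to 139 and 445 is still the right complement, since the configuration can be reverted by an update or an administrator.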

Further information