This module is intended to introduce you to the protocols used by Microsoft hosts. "Ease-of-use" often implies lack of security for an unprotected network. The goal of this module is to familiarize the student with the components of a typical Microsoft network.
Slide 1: Microsoft Networking

This module on Microsoft Networking and Security is intended to introduce you to the protocols used by Microsoft hosts and the accompanying security risks. One of the main problems, and advantages, of the Microsoft architecture is that it lends itself to ease of use by users and administrators. This is one of the reasons Microsoft software is so popular; it is simply easier for the novice user than, say, Solaris or Linux. This is good for the user and the administrator, but the downside is that ease of use often implies a lack of security on an unprotected network. Keep in mind that Microsoft or Windows networks are intended for use on intranets with a perimeter that blocks outsiders. We will examine some of the problems associated with the Microsoft protocols. The student will be able to analyze Microsoft networking traffic and determine the purpose of that traffic. Because this is an often-exploited route into a network, you will see scans of ports associated with MS functions and attempts to find vulnerabilities on your own network.

6 - 2 Microsoft Networking SANS 2000 2003

Slide 2: Objectives

The goal of this module is to:
- Explain a typical Microsoft network
- Present an understanding of the TCP/IP behavior of Microsoft networking
- Emphasize computer security implications

The objectives of this course are to familiarize the student with the components of a typical Microsoft network. We'll examine how components on the network communicate with each other using TCP/IP. Much of the emphasis will be on the security implications of the rather open Microsoft protocols. While Windows facilitates peer networking such as file sharing, security has often taken a back seat to the user's unobstructed interface for using MS network protocols. Microsoft Windows 9x variants do not have a secure file system because one is not provided with the operating system. Microsoft Windows NT, while providing a more secure file system, requires additional attention to make it secure. Windows 2000 has made great strides in offering features that can be used to better secure the host and communications among Windows 2000 hosts.

Slide 3: Pre-Win2k Network Communications

Hosts on the slide (NetBIOS name and IP address):
- primaryDC 192.168.10.20
- Mbrowser 192.168.10.34
- WINShost 192.168.10.9
- armstrong 192.168.10.7
- indurain 192.168.10.54
- julich 192.168.10.3
- lemond 192.168.10.10
- hampsten 192.168.10.53
- printer1 192.168.10.4
Also shown: Shared Files, Perimeter Defense

Look at the slide Pre-Win2K Communications to see what Windows networks looked like before Windows 2000. In this network, many NetBIOS workstations communicate with each other and with servers. The servers are primaryDC, which represents the primary domain controller for authentication; Mbrowser, the master browser responsible for maintaining the list of hosts you view via the Network Neighborhood; and WINShost, which is responsible for pairing NetBIOS host names with IP numbers. Each host has a NetBIOS name (for instance armstrong) that uniquely identifies it. NetBIOS is an application program interface (API) for communication among computers; it basically allows applications to talk over the network. NetBIOS depends on a lower-level transport to communicate between hosts. Hosts on this network communicate with each other via NetBIOS over TCP/IP, also known as NBT. In years past this transport was NetBEUI, a very chatty broadcast protocol. It had the limitation that it could support only 255 nodes in a given Windows network. Obviously, with the growth of networks, this limitation was a problem.
NBT offers several services:
1) A name service (WINS)
2) Two communication services:
   a) datagrams: a broadcast protocol for Windows hosts that offers no reliability (comparable to UDP)
   b) session: a host-to-host protocol for Windows hosts that offers the promise of reliability (comparable to TCP)

Some of the NetBIOS ports are as follows:
137  NetBIOS name service (NetBIOS name to IP resolution)
138  NetBIOS datagram service
139  NetBIOS session service

Slide 4: Win2k/Active Directory Network Communications

Hosts on the slide (DNS name and IP address):
- Domain Controller with Active Directory 192.168.10.20
- armstrong.bike.com 192.168.10.7
- indurain.bike.com 192.168.10.54
- julich.bike.com 192.168.10.3
- lemond.bike.com 192.168.10.10
- hampsten.bike.com 192.168.10.53
- printer1.bike.com 192.168.10.4
Also shown: Shared Files, Perimeter Defense, DNS Server, Kerberos Server

Now, flip to the next slide, entitled Win2K/Active Directory Network Communications, to see an altered view of the same network with a newer implementation. The same workstations exist as before; however, the servers have been consolidated. The use of Windows 2000 with Active Directory (AD) changes many aspects of the old network. AD stores information about objects on the network, making it easier for clients to locate resources and for administrators to maintain them. AD is essentially a collection of services, standards, and protocols supported by a database that is installed on a Windows 2000 server when it is promoted to become a domain controller. Some of the information that can be stored in an AD database:
- User account properties and passwords
- AD groups and organizational units
- Computer properties
- Domain names and structures
- Printers and the My Network Places browse list

We will discuss an often-used protocol in an AD network known as the Lightweight Directory Access Protocol (LDAP), which is used to search the AD database for information.

Slide 5: What Changed?

- NetBIOS gone (going)
  - Used as a protocol to communicate over TCP (NBT)
  - Used as host names
- Active Directory adds
  - Central repository for network services/data
  - Different protocols
  - Functionality to work with Kerberos and DNS
  - Fully Qualified Domain Name (FQDN) host names

Advance to the slide What Changed? to examine some of the differences before and after Win2k with Active Directory. The most notable change is the disappearance of NetBIOS as both a naming convention and a protocol. NetBIOS names are no longer supported in a pure Win2k environment with AD; host names are now the same as the DNS names. Additionally, NetBIOS disappears as a protocol for communication between hosts. No discussion of Microsoft networking is complete without mentioning the protocol known as SMB/CIFS, or Server Message Block/Common Internet File System. We've seen where TCP/IP was used for the transport of NetBIOS, and where clients connected to servers using NetBIOS over TCP/IP (NBT). Once these connections had been established, clients could send commands (SMBs) to the server that allow them to access shares, open files, read and write files, and perform print operations. So, SMB is a protocol that rode over NetBIOS for Windows operating systems before Windows 2000. In Windows 2000, Microsoft added the option to run SMB directly over TCP/IP without the intervening layer of NBT. Instead of using ports 137 and 138 (UDP) and 139 (TCP), Windows 2000 running SMB directly over TCP/IP uses TCP port 445. This is supported in Windows 2000 even without AD. A Windows 2000 server with AD becomes a primary controller capable of providing many directory services. Additionally, AD has the functionality to integrate with Kerberos, to provide more secure authentication, and with DNS, to locate network services as well as to store DNS resource records as AD objects.
Slide 6: Hostname Resolution

In this section, Hostname Resolution, we'll examine the different types of name resolution in Windows. Whether there is an older NetBIOS name or a newer DNS-like name, there has to be some method of resolving hostnames to IP numbers.

Slide 7: NetBIOS Names

- 16-character name
- Different from DNS name
- When a NetBIOS machine comes online it needs to register its NetBIOS name
- No two hosts in the same Windows domain or workgroup should have the same NetBIOS name
- Two ways to register/perform name resolution for NetBIOS names:
  - Broadcast to network
  - WINS

Turning to the slide NetBIOS Names, we discover that they are 16-character alphanumeric names. 15 characters are for the NetBIOS name itself, and the final character identifies a resource type, which we'll discuss a little later. When a NetBIOS host comes online, it broadcasts its NetBIOS information 6 to 10 times to alert other clients on the network of its presence and of the list of names associated with applications or services on that client. If another client on the network has an identical NetBIOS name, it sends a broadcast challenge defending the name. The client will then mark the name in its own table as unusable and will make no further attempts to use the challenged name. If no other client claims the NetBIOS name, the name is registered. Registration and future name resolution can be done via broadcasts or via a WINS server that stores the names of NetBIOS hosts.
Slide 8: NetBIOS Name Resolution Without WINS Server

NT client.goodguys.com resolves the name of server.goodguys.com:

15:24:59.824558 client.goodguys.com.137 > 192.168.255.255.137: udp 50
15:24:59.824907 arp who-has client.goodguys.com tell server.goodguys.com
15:24:59.824965 arp reply client.goodguys.com is-at 0:15:5c:7:62:20
15:24:59.825106 server.goodguys.com.137 > client.goodguys.com.137: udp 62
15:25:00.908500 client.goodguys.com.3015 > server.goodguys.com.139: S 140756:140756(0) win 8192 <mss 1460> (DF) [tos 0x14]
15:25:00.909181 server.goodguys.com.139 > client.goodguys.com.3015: S 126790:126790(0) ack 140757 win 8760 <mss 1460> (DF)
15:24:00.909330 client.goodguys.com.3015 > server.goodguys.com.139: . ack 1 win 8760 (DF) [tos 0x14]

The slide NetBIOS Name Resolution Without WINS Server demonstrates what happens when a Windows client wants to resolve the name of another Windows host, server.goodguys.com, yet there is no WINS server on the intranet (or Windows networking domain). Suppose the user at \\client has entered the command "net view \\server". In this case, the target host must be identified by its NetBIOS name (server) rather than its fully qualified domain name (server.goodguys.com). If the client does not have \\server and its IP address in its cache, it broadcasts a NetBIOS name query on the local network with the name of the destination host, using UDP port 137 (the netbios-ns, or NetBIOS name service, port). Each computer on the local network receives the UDP 137 broadcast and checks its local NetBIOS table to see whether it owns the requested name. If it does, it formulates a NetBIOS name query response. But before the response can be sent, the host needs to determine the MAC address of the requestor. Therefore, an ARP request (arp who-has) is broadcast on the LAN to obtain the requesting client's MAC address. Once the MAC address of \\client is obtained, the name query response is sent using UDP port 137. At this point, \\client knows the IP address of \\server and can create a NetBIOS session. This is shown by the typical TCP three-way handshake on port 139 (netbios-ssn, the NetBIOS session service).

Slide 9: Windows Internet Naming Service (WINS)

- Managed on UDP port 137
- Microsoft feature for NetBIOS name to IP address translation
- WINS server registers and resolves NetBIOS host names and workgroups
- Dynamic process
  - NetBIOS host comes online and is registered in WINS
  - NetBIOS host goes offline and is removed from WINS

Now, go to the next slide, Windows Internet Naming Service (WINS). WINS is typically implemented in Microsoft-centric environments. It serves as a pseudo naming process that enables Windows clients to centrally register their NetBIOS names. The WINS server pairs IP addresses with NetBIOS names. The naming convention used by Microsoft limits these names to 15 characters. As you learned, when a client boots, it broadcasts its NetBIOS name and information. If the WINS server or another client on the collision domain already has a NetBIOS entry for that name, then the WINS server or the client owning that name broadcasts on the appropriate segment, and the client that was initially trying to register the name immediately stops. Windows users identify a host by its NetBIOS name, not by an FQDN (fully qualified domain name). This name is propagated throughout the network and replicated to other WINS servers. Replication to other WINS servers occurs over TCP port 42.
Slide 10: NetBIOS Name Resolution with WINS Server

12:26:07.905619 client.goodguys.com.137 > wins-server.goodguys.com.137: udp 50
12:26:07.906766 wins-server.goodguys.com.137 > client.goodguys.com.137: udp 62
12:26:07.908500 client.goodguys.com.3015 > server.goodguys.com.139: S 140756:140756(0) win 8192 <mss 1460> (DF) [tos 0x14]
12:26:07.909181 server.goodguys.com.139 > client.goodguys.com.3015: S 126790:126790(0) ack 140757 win 8760 <mss 1460> (DF)
12:26:07.909330 client.goodguys.com.3015 > server.goodguys.com.139: . ack 1 win 8760 (DF) [tos 0x14]

We see a different name resolution process on the slide NetBIOS Name Resolution with WINS Server. The same client queries the WINS server for the IP address associated with the server's NetBIOS name; there is no broadcast for the NetBIOS name. When the WINS server returns the IP address of the server the client wants, the client talks to the server directly. In this case, client.goodguys.com is checking the WINS server, wins-server.goodguys.com, for the IP number associated with the NetBIOS name by which it knows server.goodguys.com. It appears that client.goodguys.com resolved the name, because it then begins a NetBIOS session with server.goodguys.com.

Slide 11: Name Resolution with Active Directory DNS Server

10.4.3.3.3017 > 10.4.2.2.53: 35+ A? mothra.usa.sans.org. (37)
10.4.2.2.53 > 10.4.3.3.3017: 35* 1/0/0 A 10.4.2.2 (53)

10.4.3.3.3253 > 10.4.2.2.53: 1+ SRV ? _ldap._tcp.dc._msdcs.usa.sans.org. (51)
10.4.2.2.53 > 10.4.3.3.3253: 1* 2/0/2 SRV , SRV (162)

Go to the next slide, Name Resolution with Active Directory DNS Server, to see how hostname-to-IP-address resolution is handled with AD and Win2k. Remember, NetBIOS names are now gone and hosts are known, as in non-Windows networks, by their DNS names. Therefore, there is no longer a need for WINS resolution or broadcasts to associate NetBIOS names with IP numbers; DNS is now used for hostname/IP address resolution. All DNS queries use the standard UDP port 53, even though the DNS records are stored in the AD database. When the DNS server boots, it queries the AD database using the LDAP protocol for all the records for which it is authoritative. It caches them in RAM and serves those records to DNS clients over UDP port 53. When new records are added to the DNS server (either statically or dynamically), they are periodically written back to the AD database, again using LDAP. The Windows domain controllers replicate these new DNS records to each other automatically, thus indirectly distributing them to all other DNS servers. The traditional zone transfers and the primary/secondary DNS server distinction have disappeared. The first set of DNS exchanges above should look somewhat familiar: host 10.4.3.3 asks the DNS server 10.4.2.2 for the address associated with the hostname mothra.usa.sans.org, and 10.4.2.2 responds with one resource record, presumably the answer. The second set of DNS exchanges is something new. Windows DNS servers and later versions of BIND offer a resource record type known as the Service resource record (SRV), which allows clients to find desired services. In this case, 10.4.3.3 is asking the DNS server where (by name/IP address) the LDAP server for the domain is. The same type of lookup may be done to find a Kerberos server to be used for authentication.
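To make the SRV lookup concrete, here is an added example (written for this module, not code from the course or from Microsoft) that builds the two queries shown on the slide and parses an SRV reply the way a Win2K client locating its LDAP server would. The SRV name is the one on the slide; the reply, the two DC names dc1/dc2.usa.sans.org and all function names are constructed for the example. The constructed reply carries two answers and no additional records, whereas the slide's reply (2/0/2) also carried two additional records.

```python
import struct

QTYPE_A, QTYPE_SRV, CLASS_IN = 1, 33, 1
DC_LOCATOR_NAME = "_ldap._tcp.dc._msdcs.usa.sans.org"   # SRV name from the slide

def encode_name(name):
    """Dotted name -> DNS wire labels (length byte + label, null-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype, txid=1):
    """Standard recursive query: 12-byte header (RD set) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)

def read_name(msg, off):
    """Read a name that may use compression pointers; return (name, end offset)."""
    labels, end, jumped = [], 0, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_srv_response(msg):
    """Return the SRV records from the answer section (empty on a non-zero RCODE)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        return []
    off = 12
    for _ in range(qd):                                # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = read_name(msg, off + 6)
            records.append({"owner": owner, "priority": prio, "weight": weight,
                            "port": port, "target": target, "ttl": ttl})
        off += rdlen
    return records

def pick_dc(records):
    """Lowest priority first; ties broken by highest weight (a deterministic
    simplification of RFC 2782's weighted random selection)."""
    if not records:
        return None
    best = min(records, key=lambda r: (r["priority"], -r["weight"]))
    return best["target"], best["port"]

def build_srv_response(txid, qname, answers):
    """Constructed reply: echoed question + SRV answers whose owner name is a
    compression pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", QTYPE_SRV, CLASS_IN)
    for prio, weight, port, target in answers:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        body += b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_SRV, CLASS_IN, 600, len(rdata)) + rdata
    return header + body

def locate_dc_demo():
    """Simulate the DC-locator lookup with two constructed DC names."""
    reply = build_srv_response(1, DC_LOCATOR_NAME, [
        (0, 100, 389, "dc1.usa.sans.org"),            # constructed, not from the slide
        (10, 100, 389, "dc2.usa.sans.org"),
    ])
    return pick_dc(parse_srv_response(reply))

if __name__ == "__main__":
    print(len(build_query("mothra.usa.sans.org", QTYPE_A)), "bytes for the A query")
    print(len(build_query(DC_LOCATOR_NAME, QTYPE_SRV)), "bytes for the SRV query")
    print("LDAP/DC:", locate_dc_demo())
```

Run as a script, the two query builders produce 37- and 51-byte messages, which are exactly the sizes tcpdump printed in parentheses on the slide for the A and SRV queries. A client that trusts this answer will send its LDAP (389) and Kerberos (88) traffic to whatever target the SRV record names, which is why the DNS server that serves _msdcs records is as sensitive as the domain controller itself.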
Slide 12: Discovering Information About Hosts

In this section, Discovering Information About Hosts, we'll see commands that are used for legitimate purposes in Windows host discovery. We'll also see how these commands can be used as reconnaissance by hackers. It bears repeating that Windows networks should be protected by some kind of packet filtering device to keep intruders out. Yet many sites don't block the necessary ports or take the proper precautions to do so, and hackers will try to use these open avenues.

Slide 13: NetBIOS Name/Resource Type

[Figure: a 16-byte NetBIOS value, shown as the name V E R B O padded out to 15 bytes followed by a 1-byte resource type of 00. Bytes 1-15 hold the NetBIOS name; byte 16 holds the resource type. Resource types are divided into unique resources and group resources.]

Looking at the slide NetBIOS Name/Resource Type, you see that the NetBIOS name is a 16-character field. The NetBIOS name itself can be up to 15 characters (bytes); the 16th byte is reserved for the resource type. When a NetBIOS name is registered, it is registered with one or more resource types. These resource types, or services, identify the functions or services that this particular NetBIOS resource can perform. A resource can be a unique resource or a group resource. A unique resource is one that is unique, as the name implies; for instance, only one particular NetBIOS name can refer to a given computer within a workgroup or domain. A group resource refers to a group of computers or users associated with a workgroup or domain.

Slide 14: NetBIOS Unique Resource Type Codes

Resource                       Hexadecimal Type Code
Standard Workstation           00
Messenger Service (WinPopup)   03
File/Print Server              20
Master Browser Name            1D

The slide NetBIOS Unique Resource Type Codes is an abbreviated list of the resource type codes that can be found for unique resources. These values tell the functions of a given unique resource. We'll see how we can list these resource codes for a given NetBIOS resource. Obviously, someone doing reconnaissance on a network will want to list not only the NetBIOS resource names but the types as well, to try to discover what the function of a given NetBIOS resource is. A master browser is a host that keeps a list of the currently active NetBIOS hosts. When NetBIOS hosts boot up or shut down, the master browser updates its browse list of active hosts. So, for reconnaissance purposes, if someone can discover this host and query it for active hosts, it provides a lot of information.

Slide 15: NetBIOS Group Resource Type Codes

Resource                          Hexadecimal Type Code
Standard Workstation Group        00
__MSBROWSE__ (Master Browser)     01
Domain Controller                 1C
Group Name                        1E

The slide NetBIOS Group Resource Type Codes is an abbreviated list of the resource type codes that can be found for group resources. These values tell the functions of a given group resource.

Slide 16: Identify Resources on a Remote Windows/Samba Host

nbtstat -A 192.168.143.5

       NetBIOS Remote Machine Name Table

   Name               Type         Status
-------------------------------------------------------------------------
VERBO            <00>  UNIQUE      Registered
VERBO            <03>  UNIQUE      Registered
VERBO            <20>  UNIQUE      Registered
..__MSBROWSE__.  <01>  GROUP       Registered
SIMPLE           <00>  GROUP       Registered
SIMPLE           <1B>  UNIQUE      Registered
SIMPLE           <1C>  GROUP       Registered
SIMPLE           <1D>  UNIQUE      Registered
SIMPLE           <1E>  GROUP       Registered

As the next slide, Identify Resources on a Remote Windows/Samba Host, describes, the nbtstat command is used to discover NetBIOS resource names and their resource types. The Windows command nbtstat -A <IP address> will identify users on a remote Windows or Samba system. This displays the remote host's NetBIOS table. In this case we look at a host with a NetBIOS name of verbo, which happens to be a Linux host running Samba.
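Reading a name table by hand means cross-referencing the two suffix tables above. The following added example (written for this module, not part of the course or of Windows) parses nbtstat -A output and reports, in the slides' own terms, which roles the host advertises and which domain it belongs to. The sample text is a constructed copy of the slide's output; the suffix <1B> (domain master browser) shows up in that output but not in the slides' abbreviated tables, so it is added here as an assumption; all function names are the example's own.

```python
import re

# Suffix meanings, from the slides' abbreviated tables. <1B> (domain master browser)
# appears in the nbtstat output but not in the tables; it is added here.
UNIQUE_SUFFIXES = {0x00: "workstation service", 0x03: "messenger service (WinPopup)",
                   0x1B: "domain master browser", 0x1D: "master browser",
                   0x20: "file/print server"}
GROUP_SUFFIXES = {0x00: "workgroup/domain name", 0x01: "__MSBROWSE__ (master browser)",
                  0x1C: "domain controller", 0x1E: "group name"}

# Constructed copy of the slide's nbtstat -A output for host verbo / domain simple.
SAMPLE_NBTSTAT = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
VERBO            <00>  UNIQUE      Registered
VERBO            <03>  UNIQUE      Registered
VERBO            <20>  UNIQUE      Registered
..__MSBROWSE__.  <01>  GROUP       Registered
SIMPLE           <00>  GROUP       Registered
SIMPLE           <1B>  UNIQUE      Registered
SIMPLE           <1C>  GROUP       Registered
SIMPLE           <1D>  UNIQUE      Registered
SIMPLE           <1E>  GROUP       Registered
"""

ENTRY_RE = re.compile(r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)")

def parse_nbtstat(text):
    """Turn nbtstat -A output into name-table entries."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        # nbtstat prints the unprintable bytes around __MSBROWSE__ as dots
        entries.append({"name": m.group(1).strip("."), "suffix": int(m.group(2), 16),
                        "kind": m.group(3), "status": m.group(4)})
    return entries

def describe(entry):
    table = UNIQUE_SUFFIXES if entry["kind"] == "UNIQUE" else GROUP_SUFFIXES
    return table.get(entry["suffix"], "unlisted suffix")

def summarize(entries):
    """Host name, domain/workgroup and the roles this host advertises."""
    host = next((e["name"] for e in entries if e["kind"] == "UNIQUE" and e["suffix"] == 0x00), None)
    domain = next((e["name"] for e in entries if e["kind"] == "GROUP" and e["suffix"] == 0x00), None)
    roles = sorted({describe(e) for e in entries
                    if e["suffix"] != 0x00 and describe(e) != "unlisted suffix"})
    unlisted = sorted({"%s<%02X>" % (e["name"], e["suffix"]) for e in entries
                       if describe(e) == "unlisted suffix"})
    return {"host": host, "domain": domain, "roles": roles, "unlisted": unlisted}

def exposure_notes(summary):
    """What a defender should read from the table, in the terms the slides use."""
    notes = []
    if "file/print server" in summary["roles"]:
        notes.append("%s advertises the file/print server service (<20>); share enumeration will target it" % summary["host"])
    if "domain controller" in summary["roles"]:
        notes.append("%s claims the domain controller role for domain %s (<1C>)" % (summary["host"], summary["domain"]))
    if "master browser" in summary["roles"] or "__MSBROWSE__ (master browser)" in summary["roles"]:
        notes.append("%s is a master browser: it holds the browse list of active hosts" % summary["host"])
    return notes

if __name__ ==  "__main__":
    s = summarize(parse_nbtstat(SAMPLE_NBTSTAT))
    print(s)
    for n in exposure_notes(s):
        print("-", n)
```

Anything a remote nbtstat -A can learn about a host, a defender can learn first; running this over your own segment before the perimeter filter is in place tells you which hosts are advertising the file server, domain controller and master browser roles that the port 137 scans in the next slides are hunting for.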
In that nbtstat output, the system name of the host is verbo and its domain is named simple. Note that we've used the nbtstat -A switch, which requires an IP number. There is another form of the command that uses the nbtstat -a switch and takes a hostname as the argument. While its output is the same as seen above, the decoded contents seen over the network will be different.

Slide 17: Snort Capture of nbtstat Request

06/12-19:18:47.672062 192.168.143.101:137 -> 192.168.143.5:137
UDP TTL:128 TOS:0x0 ID:24949 Len: 58
05 02 00 00 00 01 00 00 00 00 00 00 20 43 4B 41  ............ CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  AAAAAAAAAAAAA..!
00 01 70 61 63 6B                                ..pack

Alert message:
[**] SMB Name Wildcard [**]
06/12-19:22:58.895474 192.168.143.101:137 -> 192.168.143.5:137
UDP TTL:128 TOS:0x0 ID:25461 Len: 58

The slide Snort Capture of nbtstat Request shows the request as captured by Snort, which can decode the application layer. Nothing is really coherent, but look at the CKAAAA output. We'll see in a couple of slides that this is a wildcard, or generic, search for resources. It does not specifically identify a NetBIOS name or hostname; it uses the * wildcard to query the host for its NetBIOS table. Also note that Snort doesn't translate IP numbers to hostnames; this is done for the sake of efficiency. In this example, 192.168.143.101 represents the hostname win98.com, which has a NetBIOS name of win98, and 192.168.143.5 represents verbo.com, with a NetBIOS name of verbo. You can then see that when Snort is run with its rules files, the nbtstat -A <IP address> command triggered an alert. Snort identifies this as an SMB Name Wildcard. By using the IP address as an argument to nbtstat, it does a wildcard * search of the host for resources. The rule that triggered the alert is seen below. It alerts on any UDP traffic sent to an internal network host at destination port 137 whose content contains the ASCII string CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA followed by the binary value 0000. This is the signature for the wildcard. We'll examine how we arrive at the ASCII content in the reference section.

Rule that triggered the alert:
alert udp any any -> $HOME_NET 137 (msg:"SMB Name Wildcard"; content:"CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|0000|";)

Slide 18: GIAC Postings of Port 137 Scans (Beginning around Year 2000)

06:21:25.180967 nbscanner.com.137 > 192.168.143.7.137: udp 50
06:21:25.180969 nbscanner.com.137 > 192.168.143.93.137: udp 50
06:21:25.180970 nbscanner.com.137 > 192.168.143.115.137: udp 50
06:21:25.180971 nbscanner.com.137 > 192.168.143.44.137: udp 50
06:21:25.180973 nbscanner.com.137 > 192.168.143.71.137: udp 50

[**] SMB Name Wildcard [**]
04/09-06:49:51.748689 24.3.200.114:137 -> xxx.xxx.xxx.189:137
UDP TTL:118 TOS:0x0 ID:43610 Len: 58
55 9E 00 10 00 01 00 00 00 00 00 00 20 43 4B 41  U........... CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  AAAAAAAAAAAAA..!
00 01

As the next slide, Many GIAC Postings of Port 137 Scans, shows, there was a proliferation of detected scans to destination port UDP 137. Many different networks have detected these scans, and they appear to be ongoing and constant. The detection above is akin to something tcpdump or Shadow might have picked up. Next, you see the Snort capture of these same port 137 scans. As you can see, this appears to be the same signature that we saw for the nbtstat -A command. So, it looks as if these scans are attempting to discover NetBIOS resources located on different hosts.
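The Snort rule above fires on a single packet, so it cannot tell a legitimate nbtstat -A from a sweep across a whole network. Here is an added example (written for this module, not part of the course, Snort or Shadow) that reads tcpdump lines of the shape on the slide and alerts only when one source sends UDP/137 queries to many distinct unicast hosts within a short window. The five scan lines are the slide's; the two client.goodguys.com lines, the threshold and window values and all function names are constructed for the example.

```python
import re
from collections import defaultdict

# tcpdump line shape used on the slide, e.g.
#   06:21:25.180967 nbscanner.com.137>192.168.143.7.137: udp 50
LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d+)\s+(\S+?)\.(\d+)\s*>\s*(\S+?)\.(\d+):\s+udp\s+(\d+)")

def parse_line(line):
    """Return a dict (ts seconds, src, sport, dst, dport, len) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, frac = m.group(1, 2, 3, 4)
    ts = int(h) * 3600 + int(mi) * 60 + int(s) + int(frac) / 10 ** len(frac)
    return {"ts": ts, "src": m.group(5), "sport": int(m.group(6)),
            "dst": m.group(7), "dport": int(m.group(8)), "len": int(m.group(9))}

def detect_nbns_scans(lines, min_targets=5, window=60.0):
    """Alert when one source sends UDP/137 to at least min_targets distinct unicast
    hosts within `window` seconds. Subnet broadcasts (x.x.x.255, the normal
    no-WINS name query) are excluded so that ordinary resolution never trips it."""
    per_source = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["dport"] == 137 and not ev["dst"].endswith(".255"):
            per_source[ev["src"]].append((ev["ts"], ev["dst"]))
    alerts = []
    for src, events in per_source.items():
        events.sort()
        for ts, _ in events:
            in_window = [(t, d) for t, d in events if ts - window <= t <= ts]
            targets = {d for _, d in in_window}
            if len(targets) >= min_targets:
                alerts.append({"src": src, "targets": len(targets),
                               "first": in_window[0][0], "last": ts})
                break                      # one alert per source is enough here
    return alerts

# Five scan lines from the slide plus two constructed benign lines: a broadcast
# name query and one unicast query from a workstation.
SAMPLE_LOG = [
    "06:21:25.180967 nbscanner.com.137>192.168.143.7.137: udp 50",
    "06:21:25.180969 nbscanner.com.137>192.168.143.93.137: udp 50",
    "06:21:25.180970 nbscanner.com.137>192.168.143.115.137: udp 50",
    "06:21:25.180971 nbscanner.com.137>192.168.143.44.137: udp 50",
    "06:21:25.180973 nbscanner.com.137>192.168.143.71.137: udp 50",
    "06:21:30.000000 client.goodguys.com.137 > 192.168.143.255.137: udp 50",
    "06:21:30.004100 client.goodguys.com.137 > 192.168.143.16.137: udp 50",
]

if __name__ == "__main__":
    for a in detect_nbns_scans(SAMPLE_LOG):
        print("NetBIOS name-service sweep from %(src)s: %(targets)d hosts "
              "between %(first).6f and %(last).6f" % a)
```

The regex accepts both the spaced and unspaced forms of the ">" separator that appear on the slides. The ".255" exclusion is a /24 simplification; on other subnet sizes compute the broadcast address from the mask instead.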
Slide 19: network.vbs Worm

- Probable explanation for the increase in port 137 traffic
- Visual Basic Script that infects Windows hosts
- Searches other class C networks for NetBIOS resources and then looks for unprotected shares on the C drive
- If any are discovered, the network.vbs worm is installed and propagated
- Speculation of a connection to the search for potential DDoS agent/handler hosts

Advancing to the next slide, you'll discover that the probable explanation for the increase in this activity is the network.vbs worm. This is a Visual Basic Script that infects Windows hosts and then tries to search for other candidate hosts on which to replicate. It issues these port 137 searches on random Class C networks. If it discovers accessible NetBIOS hosts, it then tries to enumerate shares and see whether there are any unprotected ones on the C drive. If it finds any unprotected shares on the C drive, it installs a copy of network.vbs there and propagates. Some believe that this activity might be related to finding hosts that will later be used as DDoS candidates. Carnegie Mellon CERT has a write-up on this activity at http://www.cert.org/incident_notes/IN-2000-02.html.

Slide 20: Enumerating NetBIOS Shares

net view \\linux2
Shared resources at \\LINUX2

Sharename   Type    Comment
jdoe        Disk    Home Directories
lp          Print
test        Disk    For testing purposes
The command was completed successfully.

Take a look at the following slide, Enumerating NetBIOS Shares. The net view command enumerates the NetBIOS shares of a Windows or Samba host. The first thing you notice is that we had to know the NetBIOS name (linux2) in order to execute this command. This command would have to be executed in an environment where the querier could resolve the NetBIOS name linux2, usually via a broadcast or through WINS resolution. We see on linux2 that there is a share named jdoe, which is a shared disk directory; another named lp, which is a shared print resource; and finally another shared disk known as test.

Slide 21: Snort Output of Share Enumeration Request

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/18-18:57:33.747043 192.168.143.101:2215 -> 192.168.143.16:139
TCP TTL:128 TOS:0x0 ID:50213 DF
*****PA* Seq: 0x16AA2F6E Ack: 0xB1BA69F8 Win: 0x20BB
00 00 00 3E FF 53 4D 42 75 00 00 00 00 00 00 00  ...>.SMBu.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 B1 73  ...............s
64 00 02 4B 04 FF 00 00 00 02 00 01 00 13 00 00  d..K............
5C 5C 4C 49 4E 55 58 32 5C 49 50 43 24 00 49 50  \\LINUX2\IPC$.IP
43 00                                            C.

Looking at the slide Snort Output of Share Enumeration Request, you can see the request that was sent when the net view command was issued. You see the notation SMB, which we've learned is the Server Message Block protocol that is necessary for this transfer to occur over the network. You'll also see the reference \\LINUX2\IPC$. This is a UNC (Universal Naming Convention) reference, which has the format \\NetBIOSname\directory. The NetBIOS name of the host is LINUX2 and the directory is IPC$. This is a special directory: a hidden default directory for Inter-Process Communications.

Slide 22: Win2K/AD Discovery/Access of Shared Resources

10.4.3.3.3258 > 10.4.2.2.389: udp 166
10.4.2.2.389 > 10.4.3.3.3258: udp 178
10.4.3.3.3259 > 10.4.4.4.445: S 4084969658:4084969658(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
10.4.4.4.445 > 10.4.3.3.3259: S 1607718307:1607718307(0) ack 4084969659 win 17520 <mss 1460,nop,nop,sackOK> (DF)
10.4.3.3.3259 > 10.4.4.4.445: . ack 1 win 17520 (DF)
10.4.3.3.3259 > 10.4.4.4.445: P 1:138(137) ack 1 win 17520 (DF)

The slide Win2K/AD Discovery/Access of Shared Resources shows a tcpdump capture of the activity that results from clicking on My Network Places on the desktop.
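Before the Win2K capture on slide 22 is walked through, here is an added example (written for this module, not code from the course, Snort or Samba) that decodes the slide 21 request byte by byte: the 4-byte NetBIOS session header, the 32-byte SMB header, and the Tree Connect AndX body that carries the \\LINUX2\IPC$ path. The bytes are copied from the slide's hex dump; the function names and field names are the example's own. It handles only the ASCII-string form seen in this capture (the FLAGS2 Unicode bit is clear); Unicode paths would need a different decoder.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TREE_CONNECT_ANDX = 0x75

# Bytes copied from the Snort dump on the Share Enumeration slide: 4-byte NetBIOS
# session service header followed by the SMB message.
TREE_CONNECT_REQ = bytes.fromhex(
    "00 00 00 3e ff 53 4d 42 75 00 00 00 00 00 00 00"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 b1 73"
    "64 00 02 4b 04 ff 00 00 00 02 00 01 00 13 00 00"
    "5c 5c 4c 49 4e 55 58 32 5c 49 50 43 24 00 49 50"
    "43 00")

def parse_nbss_smb(data):
    """Split the NetBIOS session header (type + 3-byte length) from the SMB
    message and decode the fixed 32-byte SMB header."""
    if len(data) < 36:
        raise ValueError("too short for NBSS and SMB headers")
    msg_type, length = data[0], int.from_bytes(data[1:4], "big")
    smb = data[4:4 + length]
    if len(smb) != length:
        raise ValueError("NBSS length %d but only %d bytes follow" % (length, len(smb)))
    if smb[:4] != SMB_MAGIC:
        raise ValueError("missing 0xFF 'SMB' magic")
    # command, NT status, flags, flags2, PIDHigh, 8 security bytes, 2 reserved,
    # TID, PIDLow, UID, MID (all little-endian)
    command, status, flags, flags2, pid_high, tid, pid_low, uid, mid = \
        struct.unpack("<BIBHH8x2xHHHH", smb[4:32])
    return {"nbss_type": msg_type, "nbss_length": length, "command": command,
            "status": status, "flags": flags, "flags2": flags2, "tid": tid,
            "pid": (pid_high << 16) | pid_low, "uid": uid, "mid": mid, "body": smb[32:]}

def parse_tree_connect_andx(body):
    """Decode the SMB_COM_TREE_CONNECT_ANDX request: WordCount, 4 parameter
    words, ByteCount, then Password, the UNC Path and the Service strings."""
    word_count = body[0]
    if word_count != 4:
        raise ValueError("unexpected WordCount %d" % word_count)
    andx_cmd, andx_off, tc_flags, pw_len = struct.unpack("<BxHHH", body[1:9])
    byte_count = struct.unpack("<H", body[9:11])[0]
    data = body[11:11 + byte_count]
    if len(data) != byte_count:
        raise ValueError("ByteCount %d exceeds the %d bytes present" % (byte_count, len(data)))
    password, rest = data[:pw_len], data[pw_len:]
    path, _, rest = rest.partition(b"\x00")       # "\\LINUX2\IPC$"
    service, _, _ = rest.partition(b"\x00")       # "IPC"
    return {"andx_command": andx_cmd, "tree_connect_flags": tc_flags,
            "password_length": pw_len, "path": path.decode("ascii"),
            "service": service.decode("ascii"),
            "ipc_share": path.upper().endswith(b"\\IPC$")}

def decode_share_request(data):
    """Header plus, for a tree connect, the share being opened."""
    hdr = parse_nbss_smb(data)
    if hdr["command"] == SMB_COM_TREE_CONNECT_ANDX:
        hdr["tree_connect"] = parse_tree_connect_andx(hdr["body"])
    return hdr

if __name__ == "__main__":
    r = decode_share_request(TREE_CONNECT_REQ)
    print("command 0x%02X pid %d uid %d mid %d" % (r["command"], r["pid"], r["uid"], r["mid"]))
    print("tree connect to", r["tree_connect"]["path"], "service", r["tree_connect"]["service"])
```

The NBSS length (0x3E = 62) and the ByteCount (0x13 = 19) both check out against the dump, which is the kind of consistency test an IDS decoder should perform before trusting the path string. Seeing a tree connect to IPC$ from a host that has no business enumerating shares is exactly the traffic the share-enumeration phase of network.vbs produces.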
In the slide 22 capture, you first see a new port, UDP port 389. This is the Lightweight Directory Access Protocol (LDAP), used to connect to the AD server and search the database for some desired information; in this case, the shared resources available to the user who clicked the My Network Places icon. Above, host 10.4.3.3 accesses the AD server 10.4.2.2. Once the resources are displayed, the user may choose to double-click on a resource to access it. This requires the use of SMB directly over TCP/IP using port 445, which connects directly to the desired computer to see its shared resources. In the above output, host 10.4.3.3 wishes to access a shared resource available from host 10.4.4.4. Since this is TCP port 445, you see the three-way handshake and the beginning of the data exchange.

Slide 23: Domain Controller

This section, Domain Controller, explains another component in a Microsoft network. A domain controller was not necessary before Active Directory, but many Microsoft networks used a primary domain controller (PDC) and a backup domain controller (BDC). A Microsoft network with a domain controller is known as a domain, whereas one with no domain controller is known as a workgroup. With Active Directory applied to a Windows 2000 server, the host automatically becomes a domain controller. There can be many such domain controllers in a domain or enterprise, and there is no distinction between primary and backup.

Slide 24: Pre-Win2k Primary Domain Controller

[Figure: a Primary Domain Controller holding the SAM database, a Shared Resource Host, a Shared Printer and three NetBIOS Client Workstations; labels: Access, Authentication, SAM database.]

The slide Pre-Win2K Primary Domain Controller depicts the role of the primary domain controller. The primary domain controller has multiple purposes. The first is to authenticate requests for access to shared resources.
This is typically done via a username and password. Instead of each shared resource granting or denying access, the primary domain controller maintains control for the entire domain. It does so by keeping a list of usernames and passwords known as the Security Account Manager (SAM) database. Once a user is authenticated by the primary domain controller to use a shared resource, a token is granted to the user to allow access to other shared resources. At this point, the user is considered logged in. Much ado has been made of the problems associated with Windows encoding of passwords; specifically, the algorithm used to encode the password so that it is not totally exposed is considered to be weak.

Slide 25: Partial Snort Collection of Authentication (Pre-Win2K)

06/13-11:23:28.368177 192.168.143.5:139 -> 192.168.143.101:1025
TCP TTL:64 TOS:0x0 ID:433 DF
*****PA* Seq: 0x189808DC Ack: 0x61DD Win: 0x7D78
00 00 00 72 FF 53 4D 42 25 00 00 00 00 80 01 00  ...r.SMB%.......
00 00 00 00 00 00 00 00 00 00 00 00 01 00 87 13  ................
64 00 81 06 0A 06 00 32 00 00 00 06 00 38 00 00  d......2.....8..
00 32 00 40 00 00 00 00 00 3B 00 00 00 00 00 00  .2.@.....;......
32 00 00 00 16 00 00 00 1C 00 00 00 23 00 00 00  2...........#...
04 02 2A 00 00 00 31 00 00 00 56 45 52 42 4F 00  ..*...1...VERBO.
6A 6E 6F 76 61 6B 00 53 49 4D 50 4C 45 00 53 49  jnovak.SIMPLE.SI
4D 50 4C 45 00 00                                MPLE..

06/13-11:23:28.393848 192.168.143.101:1025 -> 192.168.143.5:139
TCP TTL:128 TOS:0x0 ID:7168 DF
*****PA* Seq: 0x61DD Ack: 0x18980952 Win: 0x1E67
00 00 00 43 FF 53 4D 42 75 00 00 00 00 00 00 00  ...C.SMBu.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 87 13  ................
64 00 01 07 04 FF 00 00 00 02 00 01 00 18 00 00  d...............
5C 5C 56 45 52 42 4F 5C 4E 45 54 4C 4F 47 4F 4E  \\VERBO\NETLOGON
00 3F 3F 3F 3F 3F 00 45 5C 4C 41                 .?????.E\LA

The slide Partial Snort Collection of Authentication shows that the authentication process, if sniffed, can reveal some valuable information. We see a user name (jnovak) and we see the domain name simple. If we can identify a password in the authentication stream, we can use the tool l0phtcrack to crack the password. This would give the cracker access to any resources that the cracked user is allowed.

Slide 26: Win2k Domain Controller With AD

[Figure: a Domain Controller running Kerberos and Active Directory, a Shared Resource Host, a Shared Printer and three Client Workstations; labels: Access, Authentication (preferred method Kerberos).]

Look at the slide Win2k Domain Controller With AD to see a more current network setup. The preferred method of authentication is now Kerberos. The Kerberos Key Distribution Center (KDC) takes care of authentication by first determining whether a username and password can be authenticated. Kerberos allows a single sign-on to the network and handles subsequent requests for resources. Once authenticated, a user can request services from a particular network resource. Each user has a user account number known as a Security ID (SID) that is unique across an enterprise of domains. When a client attempts to access a remote server, it uses a Kerberos ticket that contains the user's SID along with other information. The target server compares the SID in the Kerberos ticket with its permissions for resources to decide whether the user is allowed access.

Slide 27: Authentication With AD/Kerberos

tcpdump output of Kerberos records:
10.4.3.3.3263 > 10.4.2.2.88: v5
10.4.2.2.88 > 10.4.3.3.3263: v5

Ethereal output of Kerberos records:
No.  Time      Source    Destination  Protocol  Info
1    0.000000  10.4.3.3  10.4.2.2     KRB5      AS-REQ
2    0.040000  10.4.2.2  10.4.3.3     KRB5      AS-REP

Authentication With AD/Kerberos is shown via tcpdump and Ethereal record output. There are three subprotocols associated with Kerberos:
1) Authentication Service (AS) Exchange
2) Ticket-Granting Service (TGS) Exchange
3) Client/Server (CS) Exchange
In the AS Exchange, the KDC gives a client requesting authentication a logon session key, and a Ticket Granting Ticket (TGT) is issued after the user's identity has been confirmed. In the TGS Exchange, the KDC issues a service session key and a ticket for the desired service. Finally, the CS Exchange involves the client sending the ticket to the server for admission to a service. The exchange above shows only the Authentication Exchange, both query and response. This uses the Kerberos port, UDP 88.

Slide 28: Reference Material

Slide 29: SMB Name Wildcard

NetBIOS names are mangled when an nbtstat request is made:
1) Each character in the NetBIOS name is divided into two hex characters
2) Normally blank-padded to 16 characters
3) Each hex character is added to the ASCII value 0x41 (uppercase A)

If * is used as the wildcard NetBIOS name (hex value = 2A):
1) Separate into two hex characters: 2 A
2) Null-pad to 16 characters: 2 A (followed by nulls)
3) Add 0x41 to each character:
    2  A  0  0  0  0  0  0  0  0  0  0  0  0  ...
 + 41 41 41 41 41 41 41 41 41 41 41 41 41 41  etc.
   43 4B 41 41 41 41 41 41 41 41 41 41 41 41  - hex result
    C  K  A  A  A  A  A  A  A  A  A  A  A  A  - ASCII result

The SMB Name Wildcard slide describes why we use a content of CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA to search for the wildcard. When NetBIOS names are sent over the network, they are mangled into a different format. This format takes each character in the NetBIOS name and divides it into two hex characters. For normal NetBIOS names, blanks pad any unused positions of the 16-character name.
Finally, the value of 0x41 (uppercase A) is added to each of the characters. If we take a NetBIOS name of *, it is a bit different because it is null padded. The * character is 2A in hex. These two character are separated and each character is added to 0x41. So, 2 + 41 = 43 (ASCII C) and A + 41 = 4B (ASCII K). All the null fields are added with a hex 41, also with the resulting value of 41 (ASCII) A. So that is why the CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA value is used. 6 - 30 Microsoft Networking SANS 2000 2003 30 Quick Reference for Microsoft Ports Function Static Ports File Sharing TCP:139 Printing UDP:137,138 TCP:139 Browsing UDP:137, 138 WINS Replication TCP:42 WINS Manager TCP:135 WINS Registration TCP:137 NT User Manager TCP:139 NT Server Manager TCP:139 NT Event Viewer TCP:139 NT Registry Editor TCP:139 NT Diagnostics TCP:139 NT Directory Replication UDP:138 TCP:139 This page intentionally left blank. 6 - 31 Microsoft Networking SANS 2000 2003 31 Quick Reference for Microsoft Ports (2) Function Static Ports Logon Sequence UDP:137,138 TCP:139 NT Trusts UDP:137,138 TCP:139 NT Secure Channel UDP:137,138 TCP:139 NetLogon UDP:138 Pass Through Validation UDP:137,138 TCP:139 NT Performance Monitor TCP:139 DNS Administration TCP:139 DNS Resolution UDP:53 DHCP Manager TCP:135 DHCP Lease UDP:67,68 PPTP TCP:1723 IP Protocol:47 This page intentionally left blank. 6 - 32 Microsoft Networking SANS 2000 2003 32 Quick Reference for Windows 2000 Ports Function Static Ports Global Catalog with LDAP TCP:3268 Global Catalog with LDAP and SSL encryption TCP:3269 Kerberos KSHELL TCP:544 Kerberos Passwords TCP,UDP:464 Kerberos Secure Authentication TCP,UDP:88 LDAP SSL TCP:636 Lightweight Directory Access Protocol (LDAP) TCP,UDP:389 SMB without NetBIOS (CIFS) TCP:445 Terminal Server TCP:3389 This page intentionally left blank. 6 - 33 Microsoft Networking SANS 2000 2003 33 Section Quiz 1. Microsoft networks need no perimeter protection from the outside world. (T/F) 2. 
Microsoft protocols stress security first even at the cost of making software hard to use. (T/F) 3. WINS servers eliminated the need for DNS servers for Internet traffic. (T/F) 4. In a true Windows 2000 network with no backwards compatibility (Native mode), NetBIOS is no longer supported. (T/F) 5. NetBIOS names are the same as DNS fully qualified domain names. (T/F) This page intentionally left blank. 6 - 34 Microsoft Networking SANS 2000 2003 34 Section Quiz (2) 6. NBT (NetBIOS over TCP/IP) was the method of communications in most MS networks before Windows 2000. (T/F) 7. Windows hostnames using Windows 2000 and AD are the same as DNS hostnames. (T/F) 8. The only way NetBIOS names can be known is via a WINS server. (T/F) 9. Under normal operations, Microsoft File and Print sharing are accomplished via standard FTP (TCP port 21). (T/F) 10.LDAP is the protocol used to do connect to a Kerberos server to do authentication. (T/F) This page intentionally left blank. 6 - 35 Microsoft Networking SANS 2000 2003 35 Section Quiz (3) 11.Port 445 is used to connect a client to a server for access to remote shares or printers for hosts in a true (no backwards compatibility/Native mode) Windows 2000 network. (T/F) 12. UDP port 137 traffic is associated with WINS operations and nbtstat queries/responses. (T/F) 13. TCP port 139 is associated with WINS lookup operations only. (T/F) 14. In Windows 2000, the preferred method of authentication is Kerberos. (T/F) 15. AD is essentially a collection of services, standards, and protocols supported by a database that is installed on a server. (T/F) Answers to True/False questions: 1) F 2) F 3) F 4) T 5) F 6) T 7) T 8) F 9) F 10) F 11) T 12) T 13) F 14) T 15) T 6 - 36 Microsoft Networking SANS 2000 2003 36 Multiple Choice 1. 
The nbtstat A IP address command does the following: a) Enumerates WINS servers for the IP address b) Enumerates an NT registry the IP address c) Enumerates passwords for the IP address d) Enumerates NetBIOS resources for the IP address 2. When no WINS server is present in a workgroup/domain, NetBIOS hosts discover other NetBIOS hosts via: a) There must be a WINS server in order for NetBIOS hosts to communicate b) Sending broadcasts over the network c) Using DNS servers d) Using NetBEUI This page intentionally left blank. 6 - 37 Microsoft Networking SANS 2000 2003 37 Multiple Choice (2) 3. The use of Active Directory provides which of the following? a) Provides a database of network resources/objects for clients to search and administrators to centrally change b) Facilitates the use of NETBEUI c) Provide a means to Map a network drive d) NetBIOS name resolution 4. WINS servers allow Microsoft systems to: a) Register NetBIOS names and IP numbers with the server b) Perform inverse queries c) Query DNS servers d) Eliminate the need for any DNS servers This page intentionally left blank. 6 - 38 Microsoft Networking SANS 2000 2003 38 Multiple Choice (3) 5. The net view \\NetBIOSname command: a) Enumerates NetBIOS passwords for host NetBIOSname b) Enumerates NetBIOS file and print shares for host NetBIOSname c) Enumerates NetBIOS registry entries for host NetBIOSname d) Enumerates NetBIOS Samba global configuration values for host NetBIOSname 6. Port 445 in Windows 2000 is used for: a) NetBIOS name resolution b) Connection to a Kerberos server c) Connection to servers for remote share and printer access d) To do AD searches via LDAP This page intentionally left blank. 6 - 39 Microsoft Networking SANS 2000 2003 39 Multiple Choice (4) 7. In Windows 2000 with AD, DNS has: a) Been upgraded to do NetBIOS to IP pairings b) Replaced WINS and is used to associate Windows hostnames and IP numbers c) Been upgraded to do NETBUI to IP pairings d) Been eliminated entirely 8. 
In Windows 2000 with AD, when the user clicks on the My Network Places and accesses a remote resource: a) LDAP is used to locate network resources, and port 445 is used to access them b) DNS is used to locate network resources, and port 137 is used to access them c) LDAP is used to locate network resources, and port 137 is used to access them d) DNS is used to locate network resources, and port 88 is used to access them This page intentionally left blank. 6 - 40 Microsoft Networking SANS 2000 2003 40 Multiple Choice (5) 9. A wildcard SMB search using nbtstat will have the string CKAAA in the payload; this string is: a) The NetBIOS name for the master browser b) The NetBIOS name for the primary domain controller c) The NetBIOS name for the WINS server d) The result of mangling the wildcard character * 10. Domain Controllers: a) Manage accounts and access b) Replace DNS c) Manage workgroup backups d) Always provide master browser functions This page intentionally left blank. 6 - 41 Microsoft Networking SANS 2000 2003 41 Multiple Choice (6) 11. The network.vbs worm caused an increase in the following: a) Access to domain controllers b) Access to master browsers c) Access to WINS servers d) Access to UDP port 137 12. Access to file shares and shared printer resources is done via: a) TCP port 137 pre-Win2k, and TCP port 88 in Win2k b) TCP port 138 pre-Win2k, and TCP port 389 in Win2k c) TCP port 139 pre-Win2k, and TCP port 445 in Win2k d) TCP port 136 pre-Win2k, and TCP port 139 in Win2k This page intentionally left blank. 6 - 42 Microsoft Networking SANS 2000 2003 42 Multiple Choice (7) 13. 
Once a user has authenticated via the domain controller: a) He/she is allowed access to any shared resources on the network b) He/she is allowed access to any shared resources for which access had been granted on the network c) He/she must be re-authenticated once logged on for additional shared resources d) He/she is allowed access to all resources (shared/non-shared on the network) 14. DNS used with Windows 2000 and AD can be used for the following: a) Hostname to IP resolution and location of network services b) NetBIOS to IP resolution and authentication to network resources c) SMB/CIFS resolution and access to LDAP d) Kerberos authentication and storing of encryption keys This page intentionally left blank. 6 - 43 Microsoft Networking SANS 2000 2003 43 Multiple Choice (8) 15. The SMB/CIFS protocol is used for: a) Client communications to a Samba server only b) Samba server communications to a client only c) A client to send commands to a server that allows them to access shares, open files, read and write files d) Samba client and server communications only Answers to Multiple Choice questions: 1. D 2. B 3. A 4. A 5. B 6. C 7. B 8. A 9. D 10. A 11. D 12. C 13. B 14. A 15. C 6 - 44 Microsoft Networking SANS 2000 2003 44 References NetBIOS based NT hacking available at www.webstore.fr/~tahiti/netbios.htm Understanding NetBIOS by Neon Surge available at http://signaltonoise.net/library/netbios.htm Using Samba: Robert Eckstein, et al, Published by OReilly, 2000 Hacking Exposed: Stuart McClure & Joel Scambray, George Kurtz, Published by Osbourne/McGraw-Hill This page intentionally left blank. 6 - 45 Microsoft Networking SANS 2000 2003 45 Course Revision History v1.0 J Novak. v1.1 J. Novak, deleted slide re: netbios tcpdump 139 exchange 28 Oct 2000 v1.2 J. Kolde, formatting changes 21 Jan 01 v1.3 J. Novak, quiz question clarification per student feedback, updates for Win2000 23 Feb 01 v1.4 edited by K. Frederick, fix quiz question 15 Jun 01 v1.5 edited by J. 
Novak, updated URL 6 July 2001 v1.6 edited by J. Novak, corrections from student feedback 07 Oct 01 v.1.7 edited by J. Novak deleted superfluous slides 17 Mar 02 v.1.8 edited by J. Novak deleted references to inactive URLs 22 Jun 02 v.1.9 edited by J. Novak updated for Win2k and AD v.1.10 edited by J. Novak page 3 added back information about NetBeui per user confusion. 22 Sep 02, spelling change on slide 27 kerberos to Kerberos. v.1.11 edited by J. Novak slide 1 reference to Unix in notes page first paragraph, third sentence changed to Solaris - 9 Nov 2002 V1.12 edited by J. Novak slide 4 notes qualified AD in 2 nd paragraph, second sentence. Slide 11 added parentheses notation on 2 nd to last sentence, last paragraph Feb 2003. v.1.12 J. Novak March 2003- notes slide 17 per student feedback corrected grammar about snort resolutions.
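As an added example (not part of the course material), here is a Python decoder for the two SMB messages in the slide 25 Snort capture. It shows what a sniffer on TCP 139 sees in cleartext: the SMB command, whether the message is a server reply, the TID/PID/UID/MID, the UNC path and service type of the Tree Connect AndX request, and the printable strings (host, user and domain names). The header layout follows the SMB/CIFS specification; the packet bytes are the ones printed on the slide.

```python
import re
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TREE_CONNECT_ANDX = 0x75
SMB_FLAGS_REPLY = 0x80  # bit 7 of the Flags byte: the message is a server reply

def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII of at least min_len bytes (what 'strings' would show)."""
    return [m.decode("ascii") for m in re.findall(rb"[ -~]{%d,}" % min_len, data)]

def parse_smb(payload: bytes) -> dict:
    """Parse one NetBIOS session message (4-byte header) carrying an SMB message."""
    if len(payload) < 36 or payload[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(payload[1:4], "big")  # 24-bit big-endian length
    msg = payload[4:4 + length]  # bytes beyond the stated length are ignored
    if msg[:4] != SMB_MAGIC:
        raise ValueError("missing 0xFF 'SMB' signature")
    # 32-byte SMB header: Command, Status, Flags, Flags2, ..., TID, PID, UID, MID
    command, status, flags, flags2 = struct.unpack_from("<BIBH", msg, 4)
    tid, pid, uid, mid = struct.unpack_from("<4H", msg, 24)
    info = {"command": command, "reply": bool(flags & SMB_FLAGS_REPLY),
            "status": status, "tid": tid, "pid": pid, "uid": uid, "mid": mid}
    body = msg[32:]  # WordCount, parameter words, ByteCount, data bytes
    if command == SMB_COM_TREE_CONNECT_ANDX and not info["reply"]:
        word_count = body[0]
        password_len = struct.unpack_from("<H", body, 7)[0]  # word after AndX + Flags
        data = body[1 + 2 * word_count + 2:]  # skip WordCount, words and ByteCount
        path, service = data[password_len:].split(b"\x00")[:2]
        info["path"], info["service"] = path.decode("ascii"), service.decode("ascii")
    info["strings"] = printable_strings(body)  # cleartext host, user and domain names
    return info

# The two packets from the slide 25 Snort dump (NetBIOS session header included).
SERVER_REPLY_139 = bytes.fromhex(
    "00000072ff534d422500000000800100 00000000000000000000000001008713"
    "640081060a0600320000000600380000 0032004000000000003b000000000000"
    "32000000160000001c00000023000000 04022a00000031000000564552424f00"
    "6a6e6f76616b0053494d504c45005349 4d504c450000")
TREE_CONNECT_REQUEST = bytes.fromhex(
    "00000043ff534d427500000000000000 00000000000000000000000000008713"
    "6400010704ff00000002000100180000 5c5c564552424f5c4e45544c4f474f4e"
    "003f3f3f3f3f00455c4c41")
```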
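The NetBIOS first-level name encoding from the SMB Name Wildcard slide, implemented in Python as an added example (not course code). It generalizes the slide's walk-through to any name and suffix byte, decodes names back, and extracts the queried name from an NBNS query on UDP 137 so a detector can tell a wildcard node status request from an ordinary name query. The sample query packet is constructed here, not captured from the course network.

```python
# NetBIOS first-level name encoding (RFC 1001/1002) as carried in NBNS traffic on UDP 137.
NBNS_HEADER_LEN = 12      # transaction id, flags, QD/AN/NS/AR counts, 2 bytes each
QTYPE_NBSTAT = 0x0021     # node status request, the query type nbtstat -A sends

def encode_netbios_name(name: str, suffix: int = 0x00, pad: bytes = b" ") -> str:
    """Return the 32-character first-level encoding of NAME<suffix>.
    Normal names are blank padded to 15 bytes; the wildcard '*' is null padded."""
    raw = name.upper().encode("ascii")
    if len(raw) > 15:
        raise ValueError("a NetBIOS name is at most 15 characters plus a suffix byte")
    raw += pad * (15 - len(raw)) + bytes([suffix])
    # each byte -> high nibble, low nibble; each nibble + 0x41 ('A') -> one letter A..P
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)

def decode_netbios_name(encoded: str) -> tuple:
    """Reverse the encoding: returns (name, suffix) with pad bytes stripped."""
    if len(encoded) != 32 or not all("A" <= c <= "P" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]

WILDCARD_QUERY_NAME = encode_netbios_name("*", pad=b"\x00")  # the CKAAA... string

def classify_nbns_query(payload: bytes) -> dict:
    """Pull the queried name out of an NBNS query: after the 12-byte header comes a
    length byte (0x20), the 32 encoded characters, a 0x00 terminator, then the
    question type and class (big-endian)."""
    q = payload[NBNS_HEADER_LEN:]
    if len(q) < 38 or q[0] != 0x20 or q[33] != 0x00:
        raise ValueError("malformed NBNS question name")
    encoded = q[1:33].decode("ascii")
    name, suffix = decode_netbios_name(encoded)
    qtype = int.from_bytes(q[34:36], "big")
    return {"name": name, "suffix": suffix, "qtype": qtype,
            "wildcard": encoded == WILDCARD_QUERY_NAME}

# Constructed sample: an nbtstat -A style node status request for the wildcard name
# (transaction id 0x1234, flags 0, one question, class IN), not a course capture.
SAMPLE_NBSTAT_QUERY = (bytes.fromhex("1234 0000 0001 0000 0000 0000") + b"\x20"
                       + WILDCARD_QUERY_NAME.encode("ascii") + b"\x00"
                       + QTYPE_NBSTAT.to_bytes(2, "big") + b"\x00\x01")
```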