Internet Accessible NetBIOS Name Service

Description

The NetBIOS Name Service (NBNS) is part of the NetBIOS-over-TCP/IP (NBT/NetBT) protocol suite, which allows legacy computer applications that rely on the NetBIOS Application Programming Interface (API) to be used on TCP/IP networks. NBNS performs a task similar to that of the Domain Name System (DNS): it translates human-readable names into IP addresses. (On Microsoft Windows systems this service is often called Windows Internet Name Service (WINS).)

NetBIOS listens on port 137/TCP and port 137/UDP.

Problem

An Internet Accessible NetBIOS Name Service may be abused for a Distributed Denial-of-Service (DDoS) Reflection/Amplification attack against third parties.

Furthermore, an internet accessible NetBIOS service will allow a malicious actor, through NetBIOS enumeration, to map an exposed network, extracting potentially sensitive information, such as the list of computers that belong to a domain, the list of shares on the individual hosts on the network, together with policies and passwords.

The NetBIOS name service has a Bandwidth Amplification Factor (BAF) of between 2.56 and 3.85.

NetBIOS

NetBIOS is an abbreviation of Network Basic Input/Output System. The primary purpose of NetBIOS is to allow applications on separate computers to communicate and establish sessions to access shared resources, such as files and printers, and to find each other over a local area network (LAN).

NetBIOS provides three distinct services:

1. Name service for name registration and resolution (port 137/TCP and port 137/UDP)
2. Datagram distribution service for connectionless communication (port 138/UDP)
3. Session service for connection-oriented communication (port 139/TCP).

NetBIOS-over-TCP/IP (NBT) implements all of these services.

NetBIOS names are used to identify network devices over TCP/IP (on Windows). A name must be unique on the network and is limited to 16 characters: 15 characters are used for the device name and the 16th character is reserved for identifying the type of service running or the name record type. Shorter names are automatically and transparently padded to 16 characters.

NetBIOS-over-TCP/IP (NBT) can implement a central repository, or Name Service, that records all name registrations. An application that wants to register a name contacts the name server and enquires whether the name is already registered, using a "Name Query" packet. The name server returns a negative response if the name is not already in the database, indicating that it is available. The Name Service, as specified in RFCs 1001 and 1002, is called the NetBIOS Name Service or NBNS. Microsoft WINS is an implementation of NBNS.

To start a session, or to send a datagram to a particular host rather than broadcasting it, NBT has to determine the IP address of the host with a given NetBIOS name. This is done by broadcasting a "Name Query" packet and/or sending it to the NetBIOS name server. The response carries the IP address of the host with that name.

The packet formats of the Name Service are identical to DNS. The key differences are the addition of NetBIOS "Node Status" query, dynamic registration and conflict marking packets. They are encapsulated in UDP.

Datagram mode is "connectionless". NetBIOS datagrams are sent over UDP. A datagram is sent with a "Direct Unique" or "Direct Group" packet if it's being sent to a particular NetBIOS name, or a "Broadcast" packet if it's being sent to all NetBIOS names on the network.

Session mode lets two computers establish a connection for a "conversation", thus allowing larger messages to be handled, and provides error detection and recovery. Sessions are established by exchanging packets. The computer establishing the session attempts to make a connection to port 139/TCP on the computer with which the session is to be established. If the connection is made, the computer establishing the session then sends a "Session Request" packet with the NetBIOS names of the application establishing the session and the NetBIOS name to which the session is to be established, over the connection. The computer with which the session is to be established will respond with a "Positive Session Response" indicating that a session can be established or a "Negative Session Response" indicating that no session can be established. Data is transmitted during an established session by Session Message packets.

TCP handles flow control and retransmission of all session service packets, and the dividing of the data stream over which the packets are transmitted into IP datagrams small enough to fit in link-layer packets. Sessions are closed by closing the TCP connection.

The Server Message Block (SMB) protocol is used by Windows for a variety of purposes, such as file sharing, printer sharing and access to remote Windows services. Older versions of SMB use port 139/UDP to communicate over NetBIOS. Newer versions of SMB use port 445/TCP; using TCP directly allows SMB to communicate over the Internet. In May 2017, the WannaCry ransomware cryptoworm used SMB version 1 and port 445/TCP to propagate.

Verification

To establish if a host has an Internet accessible service, simple utility programs or tools included with the standard Linux/Ubuntu distribution can be utilised. The test should not be run on the host itself or from the local network, instead it should be run from a different node on the Internet.

nmblookup - (used to look up NetBIOS names)

To confirm an Internet accessible NetBIOS service, the 'nmblookup' program can be utilised.

The program is used to query NetBIOS names and map them to IP addresses in a network using NetBIOS over TCP/IP queries. The options allow the name queries to be directed at a particular IP broadcast area or to a particular machine. All queries are done over UDP.

Insert the IP address of the host you wish to check for an Internet accessible NetBIOS service when invoking the 'nmblookup' program, together with the options shown in the following example.

$ nmblookup -A xxx.xxx.xxx.xxx

An Internet accessible NetBIOS service will return information similar to that as shown below:

$ nmblookup -A xxx.xxx.xxx.xxx
Looking up status of xxx.xxx.xxx.xxx
WIN-0AQG7FLQSLB	<00> - 		B <ACTIVE>
WORKGROUP	<00> - <GROUP>	B <ACTIVE>
WIN-QAQG7FLQSLB	<20> - 		B <ACTIVE>
MAC Address = 48-DF-57-01-2A-2D

Options
-A  :Interpret name as an IP address and do a node status query on this address.

Otherwise, nmblookup will timeout:

Look up status of xxx.xxx.xxx.xxx.
No reply from xxx.xxx.xxx.xxx
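The node status query that nmblookup -A sends is a DNS-style packet (see the packet format notes above), and the size difference between it and the reply is where the Bandwidth Amplification Factor quoted earlier comes from. The following added example (not part of this advisory or of Samba) builds that 50-byte query, parses a node status response into names, NAME_FLAGS and MAC address, and reports the amplification ratio; the response it parses is a constructed sample modelled on the nmblookup output shown above, not a real capture.

```python
import struct

NBSTAT = 0x0021                   # RR type of the NetBIOS node status query
WILDCARD = b"*" + b"\x00" * 15    # the "*" name, NUL-padded to 16 bytes

def encode_name(name16: bytes) -> bytes:
    """RFC 1002 first-level encoding: each nibble becomes one letter A..P."""
    enc = bytes(c for b in name16 for c in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))
    return bytes([len(enc)]) + enc + b"\x00"

def build_node_status_query(txid: int = 0x1234) -> bytes:
    """The 50-byte request nmblookup -A sends: DNS-style header + one NBSTAT question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(WILDCARD) + struct.pack("!HH", NBSTAT, 1)

def parse_node_status_response(pkt: bytes) -> dict:
    """Decode names, NAME_FLAGS and MAC (UNIT_ID) from a node status response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a node status response")
    pos = 12
    while pkt[pos]:               # skip the uncompressed RR_NAME labels
        pos += 1 + pkt[pos]
    rtype, _cls, _ttl, _rdlen = struct.unpack("!HHIH", pkt[pos + 1:pos + 11])
    if rtype != NBSTAT:
        raise ValueError("unexpected RR type %#x" % rtype)
    num_names, pos, names = pkt[pos + 11], pos + 12, []
    for _ in range(num_names):    # one 18-byte NODE_NAME entry per registered name
        raw, suffix, nf = struct.unpack("!15sBH", pkt[pos:pos + 18])
        pos += 18
        names.append({"name": raw.rstrip(b" ").decode("ascii", "replace"), "suffix": suffix,
                      "group": bool(nf & 0x8000), "node": "BPM?"[(nf >> 13) & 3],
                      "active": bool(nf & 0x0400)})
    mac = "-".join("%02X" % b for b in pkt[pos:pos + 6])   # UNIT_ID opens STATISTICS
    return {"txid": txid, "names": names, "mac": mac,
            "amplification": round(len(pkt) / len(build_node_status_query()), 2)}

# Constructed sample response modelled on the nmblookup output above (not a real capture):
# three active B-node names (two unique, one group) followed by a 46-byte STATISTICS block.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8400, 0, 1, 0, 0)         # response, authoritative
    + encode_name(WILDCARD)
    + struct.pack("!HHIH", NBSTAT, 1, 0, 1 + 3 * 18 + 46)      # type, class, TTL, RDLENGTH
    + bytes([3])
    + struct.pack("!15sBH", b"WIN-0AQG7FLQSLB", 0x00, 0x0400)  # unique, B-node, ACTIVE
    + struct.pack("!15sBH", b"WORKGROUP".ljust(15), 0x00, 0x8400)  # GROUP, B-node, ACTIVE
    + struct.pack("!15sBH", b"WIN-0AQG7FLQSLB", 0x20, 0x0400)  # file server service
    + bytes.fromhex("48DF57012A2D") + b"\x00" * 40              # UNIT_ID (MAC) + counters
)
```

For this three-name sample the 157-byte reply to the 50-byte query gives a ratio of 3.14, inside the 2.56 to 3.85 range quoted above; hosts that register more names answer with proportionally larger packets.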

Solution

If the NetBIOS-over-TCP/IP service is not required, disable it or deinstall it.

If the NetBIOS-over-TCP/IP service is required, restrict access to trusted clients or specific IP addresses.

For security reasons, consideration should be given to blocking access to the following ports on the firewall:

Application Protocol            TCP Port   UDP Port
NetBIOS Name Resolution         137        137
NetBIOS Datagram Service        138        138
NetBIOS Session Service         139        139
Server Message Block (SMB)      445        445

The NetBIOS name service is only needed within local networks for legacy Microsoft Windows applications which require name resolution through Windows Internet Name Service (WINS). Domain Name System (DNS) also provides computer name registration and resolution services, and includes many additional benefits over WINS, such as integration with Active Directory Domain Services. It is recommended that DNS be deployed and that WINS be decommissioned.

The Samba Suite

Samba is the standard Windows interoperability suite of programs for Linux and Unix.

Samba is an important component for seamlessly integrating Linux/Unix servers and desktops into Windows Active Directory environments. The NetBIOS name service is provided by the 'smbd' daemon included with the Samba software.

If Samba is not required, disable it or deinstall it.

Supplementary Information

Ingress & Egress Filtering

Ingress filtering is a simple and effective method to limit the impact of DoS attacks, by denying traffic with a forged IP source address (IP spoofing) access to the network, and to help ensure that traffic is traceable to its correct network.
Egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on networks of other organisations, by preventing traffic with a forged source (spoofed) IP address from leaving the network.

Implementing best practice for Ingress filtering limits the impact of a Denial of Service (DoS) attack on one's own network, while implementing best practice for Egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on networks of other organisations. Additional information on Ingress & Egress Filtering can be found at the following link - Ingress & Egress Filtering

UDP Based Denial-of-Service (DoS) Attack

The User Datagram Protocol (UDP), a generic carrier for several higher-level protocols, has a number of properties that make it susceptible to exploitation for DoS attacks against third parties. Additional information on the components and techniques deployed in a UDP based DoS attack can be found at the following link - UDP Based Denial-of-Service (DoS) Attack

Additional Information

Internet Engineering Task Force (IETF) - RFC1001 - NetBIOS Service on a TCP/UDP Transport
Internet Engineering Task Force (IETF) - RFC1002 - NetBIOS Service on a TCP/UDP Transport
Internet Engineering Task Force (IETF) - RFC1088 - IP Datagrams over NetBIOS Networks
Microsoft - Preventing SMB traffic from lateral connections and entering or leaving the Network
Microsoft - Windows Internet Name Service (WINS)
Akamai Threat Advisory 2015 - NetBIOS name server
Wikiwand - NetBIOS over TCP/IP