NetBIOS: Old & known but still posing a threat

There are a few good articles about NetBIOS, such as Is it time to get rid of NetBIOS?, NetBIOS spoofing for attacks on browser and Pwning hotel guests, and still NetBIOS over TCP/IP poses a threat to modern systems. NetBIOS was developed in the 80s and, strictly speaking, is just an API; NetBIOS over TCP/IP, however, is a network protocol that is unfortunately still supported by modern operating systems. Today it is a really bad protocol because it lacks any security whatsoever. While there are plenty of resources discussing NetBIOS and its weaknesses, it is important to point out that it is still a threat today. Unfortunately even the Wi-Fi routers in planes route NetBIOS packets.

Here are the real-life risks:

1. Hijacking your browser search requests

When you type a term into the Google Chrome address bar, the browser first tries to resolve the term as a host name through the operating system (Windows), which first checks your hosts file, then tries DNS and then falls back to NetBIOS (see Microsoft TCP/IP Host Name Resolution Order). You can verify this yourself: run Wireshark, type something that is not an actual domain into the URL bar and hit enter. In this example “insurance” was tried:

(Screenshot: NetBIOS Test 1)

Because NetBIOS over TCP/IP is so insecure, literally anyone on your local network can reply to such a NetBIOS broadcast request and claim to resolve the queried name. They can return an IP address they control, where they run for example a web server with an exploit pack, or display a website that attempts social engineering (“please enter your credentials here…” or “please download this update or install this plugin”).

2. Stealing SMB shares and HTTP credentials

By impersonating other host names one can use NetBIOS to steal credentials (in hash form for SMB shares) that are sent automatically. The first article linked in this post describes this pretty well.

3. Proxying your internet traffic through automatic proxy configuration mechanism

Internet Explorer and applications that use the IE/“internet” settings by default (for WinINet this depends on whether the InternetOpen() call is made with INTERNET_OPEN_TYPE_PRECONFIG) are fully exposed to this. For automatic proxy configuration retrieval (“Web Proxy Auto-Discovery Protocol”, WPAD) the operating system queries the host “WPAD”, and again, if that name is not resolvable through DNS, it falls back to NetBIOS, making it easy for anyone to answer through NetBIOS and resolve WPAD to their own IP address.
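As an added example (not part of the original post) for the name-resolution fallback described in sections 1 and 3, the following PowerShell decodes a NetBIOS Name Service query so a monitor can see which names a host is broadcasting for; the packet bytes are constructed here and the function names are my own.

```powershell
# Added example (not from the original post): decode the name carried in a NetBIOS Name
# Service packet (UDP 137), so a monitor can see which names hosts broadcast for, e.g.
# the browser search term from section 1 or "WPAD" from section 3.
# NBNS "first-level" encoding: each byte of the 16-byte name (15 characters padded with
# spaces plus a one-byte suffix) becomes two letters: 'A' + high nibble, 'A' + low nibble.
function ConvertFrom-NetBiosEncodedName {
    param([string]$Encoded)   # the 32-letter label from the packet
    $bytes = for ($i = 0; $i -lt 32; $i += 2) {
        (([int][char]$Encoded[$i] - 65) -shl 4) -bor ([int][char]$Encoded[$i + 1] - 65)
    }
    [pscustomobject]@{
        Name   = (-join ($bytes[0..14] | ForEach-Object { [char]$_ })).TrimEnd()
        Suffix = $bytes[15]   # 0x00 workstation, 0x20 file server, 0x1C domain controller
    }
}

function Read-NbnsPacket {
    param([byte[]]$Packet)    # raw UDP payload: 12-byte header, then the question name
    $flags = ([int]$Packet[2] -shl 8) -bor $Packet[3]
    $label = [System.Text.Encoding]::ASCII.GetString($Packet, 13, [int]$Packet[12])
    $name  = ConvertFrom-NetBiosEncodedName $label
    [pscustomobject]@{
        TransactionId = ([int]$Packet[0] -shl 8) -bor $Packet[1]
        IsResponse    = ($flags -band 0x8000) -ne 0
        IsBroadcast   = ($flags -band 0x0010) -ne 0
        Name          = $name.Name
        Suffix        = $name.Suffix
    }
}

# Constructed sample: a broadcast name query for "WPAD" (flags 0x0110 = recursion
# desired + broadcast), as Windows sends it once DNS has no answer for the name.
[byte[]]$sample = 0x12,0x34, 0x01,0x10, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00, 0x20
$sample += [System.Text.Encoding]::ASCII.GetBytes('FHFAEBEECACACACACACACACACACACAAA')
$sample += 0x00, 0x00,0x20, 0x00,0x01   # name terminator, QTYPE NB (0x20), QCLASS IN

$q = Read-NbnsPacket $sample
$q | Format-List
if (-not $q.IsResponse -and $q.IsBroadcast -and $q.Name -eq 'WPAD') {
    # Nothing in the packet authenticates the answer: whoever replies first with a
    # matching transaction id becomes the proxy for every WinINet application on the host.
    Write-Warning "WPAD requested via NetBIOS broadcast (txid 0x$('{0:X4}' -f $q.TransactionId))"
}
```

The same decoder applies to responses (the 0x8000 flag bit is set), so a capture in which a name is answered by a host that is not the WINS server or the DNS-known owner can be flagged the same way.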

From the server that WPAD resolves to, Windows will request http://[IP]/wpad.dat, which is essentially a text file (a “PAC file”). A minimal proxy script might look like this:

function FindProxyForURL(url, host)
{
  // Every URL of every application that uses the system proxy settings
  // is sent through the host named here; nothing validates who served this file.
  return "PROXY 10.0.0.137:8080";
}

In our local test we verified that this actually works. It allows an attacker to directly intercept and manipulate all internet traffic (except SSL) of every application that uses the Windows proxy settings by default. This would allow, for example, stealing credentials, replacing downloaded executables and serving custom content (including exploits).

(Screenshot: NetBIOS Test 2)

Few people seem to realize that exactly this was abused by Flame (together with a flaw in the way Windows Update verified the certificate of updates) to spread locally by spoofing the Windows Update mechanism (see this article). “Complex” attacks like Flame, but also those carried out by regular malware, often exploit multiple vulnerabilities, each being one step on the path to a successful intrusion. Vulnerabilities or vulnerable protocols like this might not seem to have a huge impact because of certain restrictions (only possible locally, only if NetBIOS is activated, only if it is routed, only if the name is not resolved by DNS/LLMNR, only allows intercepting/routing the traffic of applications that use the default settings); however, in the bigger picture they are all pieces of the puzzle that make an attack possible.

Technical details on NetBIOS over TCP/IP

Technical details on the Microsoft implementation are available on TechNet here; in short, it uses UDP ports 137 and 138 and TCP port 139.

There is awesome code and tooling available in the nbtool suite, which allows logging all requests observed at the network adapter and also responding automatically to all NetBIOS requests (poisoning them).

How to disable NetBIOS over TCP/IP

In the “Network Connections” window, right-click your network adapter and select “Properties”. Select “Internet Protocol Version 4 (TCP/IPv4)”, click the “Properties” button, then the “Advanced” button, and in the WINS tab select “Disable NetBIOS over TCP/IP” as in the screenshot. Make sure to do this on all network adapters.

(Screenshot: WINS tab with “Disable NetBIOS over TCP/IP” selected)

Alternatively this can be done via the registry and also through the command line.
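As an added example for the registry and command-line route (not from the original post), the following PowerShell audits and disables NetBIOS over TCP/IP on every adapter; the function names are my own, while the WMI class, its SetTcpipNetbios method and the NetBT registry key are Microsoft's documented ones.

```powershell
# Added example (not from the original post): audit every IP-enabled adapter and turn
# NetBIOS over TCP/IP off, the same setting as "Disable NetBIOS over TCP/IP" in the WINS tab.
# TcpipNetbiosOptions / NetbiosOptions: 0 = use DHCP setting (default), 1 = enabled, 2 = disabled.
# Run from an elevated PowerShell session.
function Get-NetbiosState {
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, SettingID, TcpipNetbiosOptions
}

function Disable-NetbiosOverTcpip {
    $adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($nic in $adapters) {
        if ($nic.TcpipNetbiosOptions -eq 2) { continue }   # already disabled
        $result = Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
                                   -Arguments @{ TcpipNetbiosOptions = 2 }
        # ReturnValue 0 = done, 1 = done but reboot required, anything else is an error code
        '{0}: SetTcpipNetbios returned {1}' -f $nic.Description, $result.ReturnValue
    }
}

# Registry form of the same setting. It also covers adapters that are currently down
# (WMI only lists IP-enabled ones); each adapter has a Tcpip_{GUID} key whose GUID
# matches its SettingID. Changes made this way generally take effect after a reboot.
function Disable-NetbiosOverTcpipRegistry {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    Get-ChildItem $base | Where-Object { $_.PSChildName -like 'Tcpip_*' } | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
        '{0}: NetbiosOptions=2' -f $_.PSChildName
    }
}

Get-NetbiosState | Format-Table -AutoSize   # before
Disable-NetbiosOverTcpip
Disable-NetbiosOverTcpipRegistry
Get-NetbiosState | Format-Table -AutoSize   # after: TcpipNetbiosOptions should read 2 everywhere
```

Re-run Get-NetbiosState after adding a new adapter (VPN clients and virtual switches create new Tcpip_{GUID} keys), since the setting is per interface rather than global.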

Note (update 9/7/2015): Deactivating NetBIOS disables access to SMB shares through NetBIOS host names (because NetBIOS over TCP/IP is used to resolve those names); however, you can still access them directly by IP. If your local network is set up with DHCP and a LAN domain (read this article about it) you will still be able to access them by host name, as the names will be resolved by the DNS resolver of your router. So if you use old SMB shares (you might want to switch to newer BitTorrent-protocol-based sharing clients that provide better security, stability and speed), disable NetBIOS and enable local resolution of host names via DNS.