Monday, May 13, 2013

Security risks: Netbios, port exposure & remote access removal

NetBIOS is an acronym for Network Basic Input/Output System. It provides services related to the session layer of the OSI model allowing applications on separate computers to communicate over a local area network. As strictly an API, NetBIOS is not a networking protocol. Older operating systems ran NetBIOS over IEEE 802.2 and IPX/SPX using the NetBIOS Frames (NBF) and NetBIOS over IPX/SPX (NBX) protocols, respectively. In modern networks, NetBIOS normally runs over TCP/IP via the NetBIOS over TCP/IP (NBT) protocol. This results in each computer in the network having both a NetBIOS name and an IP address corresponding to a (possibly different) host name.

The main reason for using NetBIOS is for two machines to communicate on a local network, which is rarely needed except for file and printer sharing, but it leaves the door wide open for being hacked. You can remove this risk in two ways and I personally do it both ways.

Firewall: Block ports 135-139 plus 445, in and out. These are the ports attackers use to steal your information and take control of your PC, and once in they use NetBIOS to hop from your computer to the next one, and so on. Ports 137-139 are NetBIOS over TCP/IP (137 name service, 138 datagram service, 139 session service) and are what Windows printer and file sharing rides on, which is exactly why they are a security risk when left open. If you share a printer on your network you will have to allow these, but I recommend just going to the PC the printer is hooked up to and printing from there. Port 135 is the RPC endpoint mapper, the way in to RPC services on a remote machine. Port 136 is registered for the PROFILE naming service, which I don't think is used any longer, but it still opens a door. Port 445 is SMB directly over TCP, the same file sharing without the NetBIOS layer, so blocking 137-139 alone is not enough.

Disable NetBIOS: The route depends on the OS, but go to Network Connections and find your Ethernet adapter (usually called Local Area Connection), right-click it, click Properties, double-click Internet Protocol Version 4 (TCP/IPv4) in the list, click Advanced, click the WINS tab, uncheck Enable LMHOSTS lookup, and choose Disable NetBIOS over TCP/IP near the bottom. Click OK, OK, OK to close all three windows. Do the same for the TAP-Win32 adapter (the OpenVPN adapter); the LMHOSTS lookup box is one system-wide setting, so it should already be unchecked there.

Disable the TCP/IP NetBIOS Helper service: From Start type services, click Services, scroll down to TCP/IP NetBIOS Helper, right-click it, click Properties, click Stop, switch the Startup type from Automatic to Disabled, click Apply, and close Services.
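Here are the same three steps scripted in PowerShell, as an added example that is not part of the original post. It uses the Win32_NetworkAdapterConfiguration WMI class, which is what the Advanced TCP/IP settings dialog writes to, so it covers the TAP-Win32 adapter and every other adapter in one pass. It needs an elevated (Administrator) PowerShell; the adapter names it prints are whatever your machine has.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on Windows 7 or later.
# Does the three GUI steps above in one pass:
#   1. Disable NetBIOS over TCP/IP on every IP-enabled adapter (TAP-Win32 included)
#   2. Turn off LMHOSTS lookup (the same checkbox on the WINS tab; it is one
#      system-wide DWORD under the NetBT service key)
#   3. Stop and disable the TCP/IP NetBIOS Helper service (service name: lmhosts)

# 1. NetBIOS setting per adapter. TcpipNetbiosOptions: 0 = from DHCP, 1 = enabled, 2 = disabled.
$adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $adapters) {
    $before = $nic.TcpipNetbiosOptions
    $rc = $nic.SetTcpipNetbios(2).ReturnValue      # 0 = done, 1 = done but reboot needed
    '{0,-45} NetBIOS {1} -> 2  (rc={2})' -f $nic.Description, $before, $rc
}

# 2. LMHOSTS lookup off. EnableLMHOSTS is the DWORD behind "Enable LMHOSTS lookup".
$netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
Set-ItemProperty -Path $netbt -Name EnableLMHOSTS -Value 0 -Type DWord

# 3. The helper service. Stopping it alone is not enough: Automatic start brings it back at boot.
$svc = Get-Service -Name lmhosts
if ($svc.Status -eq 'Running') { Stop-Service -Name lmhosts -Force }
Set-Service -Name lmhosts -StartupType Disabled
$mode = (Get-WmiObject -Class Win32_Service -Filter "Name='lmhosts'").StartMode
'lmhosts service: {0}, startup {1}' -f (Get-Service -Name lmhosts).Status, $mode

# Quick confirmation: the same line the post checks with ipconfig /all
ipconfig /all | Select-String 'NetBIOS over Tcpip'
```

A return code of 1 from SetTcpipNetbios means the change is saved but needs a reboot before ipconfig /all reflects it, so do not panic if the last line still says Enabled until you restart.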

Remote control ports: You should block 5500, 5800 and 5900-5903 (VNC) and 3389 (Remote Desktop, which Windows uses for remote access), in and out, unless you need remote assistance on your PC, which most people do not, or do not use. Otherwise it is just an open doorway for hackers. This covers software such as VNC: if you ever notice VNC suddenly installed and you didn't install it, worry a lot, because you have already been taken over.

Note: If you disable the Remote Access Connection Manager service, PPTP VPN connections will stop working and disappear from the connections list.

Disable UPnP, port 5000: Universal Plug and Play lets your computer automatically integrate with other network devices. There are known security vulnerabilities in this service and it should be blocked as well. That eliminates automatic device sharing on the local network, but the risk outweighs the use. UPnP discovery (SSDP) uses UDP port 1900, which should be blocked too. Also disable the SSDP Discovery service.

You can also disable SMB (Server Message Block) on port 445 using regedit. Go to HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters, find the TransportBindName value, clear its data (the default is \Device\), and reboot.
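The port blocks above, the UPnP services and the SMB registry change, scripted for the built-in Windows Firewall. This is an added example and not part of the original post or of Comodo; it uses netsh advfirewall (Vista and later), the rule names are mine, and you should trim the list if you keep printer sharing or Remote Desktop.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell.
# The IN rules block traffic arriving at the chosen local port from any source;
# the OUT rules block traffic from this PC to the chosen remote port on any host.

$rules = @(
    # Name               Protocol  Ports                   Directions
    @('NetBIOS+RPC',     'TCP',    '135-139,445',          'in', 'out'),
    @('NetBIOS dgram',   'UDP',    '135-139',              'in', 'out'),
    @('Remote Desktop',  'TCP',    '3389',                 'in', 'out'),
    @('VNC',             'TCP',    '5500,5800,5900-5903',  'in', 'out'),
    @('UPnP',            'TCP',    '5000',                 'in'),
    @('SSDP',            'UDP',    '1900',                 'in', 'out')
)

foreach ($r in $rules) {
    $name  = $r[0]; $proto = $r[1]; $ports = $r[2]
    foreach ($dir in $r[3..($r.Count - 1)]) {
        if ($dir -eq 'in') {
            # IN: the port you choose is the local (destination) port, source address is any
            netsh advfirewall firewall add rule name="Block $name $proto in" dir=in action=block protocol=$proto localport=$ports | Out-Null
        } else {
            # OUT: the port you choose is the remote (destination) port, destination address is any
            netsh advfirewall firewall add rule name="Block $name $proto out" dir=out action=block protocol=$proto remoteport=$ports | Out-Null
        }
        "added: Block $name $proto $dir ($ports)"
    }
}

# UPnP: UPnP Device Host (upnphost) depends on SSDP Discovery (SSDPSRV), so stop it first
foreach ($s in 'upnphost', 'SSDPSRV') {
    if (Get-Service -Name $s -ErrorAction SilentlyContinue) {
        Stop-Service -Name $s -Force -ErrorAction SilentlyContinue
        Set-Service -Name $s -StartupType Disabled
        "disabled service: $s"
    }
}

# SMB on 445: clear TransportBindName (default data is \Device\). Takes effect after a reboot.
$netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
Set-ItemProperty -Path $netbt -Name TransportBindName -Value ''

# Review what was added
netsh advfirewall firewall show rule name=all | Select-String '^Rule Name:\s+Block '
```

The OUT rule on 445 is the one that bites: it stops this PC from opening shares on any other machine, which is the whole point here but is also why the warning further down about servers on your network applies.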

Other ports of interest: 8080 is used for HTTP proxies but is also used by hackers to impersonate your PC and attack others; if you don't use an HTTP proxy you might want to block it. Port 1080 is used for SOCKS proxies and can be attacked, and mine is every day by China. Port 500 (IKE) is for IPsec VPN use, but is also listed as a risk to Cisco systems and has been used to carry the Isass trojan. Other ports known to be directly attacked by a long list of trojans are 21 (FTP), 23 (Telnet, DoS), 1243 (SubSeven), 3128, 3410, 6776, 7000, 12345 (NetBus), 12348, 20034, 27374 (SubSeven), 31337 (Back Orifice). Technically any open port can be a risk, but with a good firewall set up correctly you should be stealth on all of these ports. To test commonly attacked ports and check whether you are stealth go here.. https://www.securitymetrics.com/portscan.adp ..you can also check here.. http://www.pcflank.com/scanner1.htm ..also.. https://www.grc.com/x/ne.dll?bh0bkyd2
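The remote scanners linked above tell you what gets through the firewall; the added example below, which is not from the original post, tells you what is listening behind it, which is the thing the firewall is protecting. It parses netstat -ano and flags sockets on the ports discussed on this page. The labels are the usual service or trojan names for those ports, not a claim about what is on your PC; look at the process column for that.

```powershell
# Added example, not from the original post. Works in a normal PowerShell; elevation only
# helps Get-Process see the names of system processes.

# Ports from this post and what usually sits on them (labels are well-known defaults)
$watch = @{
    21   = 'FTP';                   23   = 'Telnet';
    135  = 'RPC endpoint mapper';   137  = 'NetBIOS name service';
    138  = 'NetBIOS datagram';      139  = 'NetBIOS session';
    445  = 'SMB';                   500  = 'IKE (IPsec)';
    1080 = 'SOCKS proxy';           1900 = 'SSDP (UPnP)';
    3128 = 'HTTP proxy (Squid)';    3389 = 'Remote Desktop';
    5000 = 'UPnP';                  5500 = 'VNC listener';
    5800 = 'VNC HTTP';              5900 = 'VNC';
    5901 = 'VNC';                   5902 = 'VNC';
    5903 = 'VNC';                   8080 = 'HTTP proxy';
    1243 = 'SubSeven';              12345 = 'NetBus';
    27374 = 'SubSeven';             31337 = 'Back Orifice'
}

function Get-ListeningPorts {
    # netstat -ano: all sockets, numeric addresses, owning PID. Available from XP onward.
    # TCP line:  TCP  0.0.0.0:135  0.0.0.0:0  LISTENING  748
    # UDP line:  UDP  0.0.0.0:137  *:*        4          (no state column)
    netstat -ano | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        if ($f[0] -eq 'TCP' -and $f[3] -eq 'LISTENING') {
            New-Object PSObject -Property @{ Proto = 'TCP'; Port = [int]($f[1] -split ':')[-1]; ProcId = [int]$f[4] }
        } elseif ($f[0] -eq 'UDP') {
            # a bound UDP socket receives whatever the firewall lets in, so treat it as listening
            New-Object PSObject -Property @{ Proto = 'UDP'; Port = [int]($f[1] -split ':')[-1]; ProcId = [int]$f[3] }
        }
    }
}

function Find-RiskyListeners {
    Get-ListeningPorts | Where-Object { $watch.ContainsKey($_.Port) } | Sort-Object Port, Proto | ForEach-Object {
        $p = Get-Process -Id $_.ProcId -ErrorAction SilentlyContinue
        $procName = if ($p) { $p.ProcessName } else { '?' }
        New-Object PSObject -Property @{
            Proto = $_.Proto; Port = $_.Port; Service = $watch[$_.Port]
            ProcId = $_.ProcId; Process = $procName
        }
    }
}

Find-RiskyListeners | Format-Table Proto, Port, Service, ProcId, Process -AutoSize
```

On a box where the NetBIOS steps above were done, 137-139 should be gone from this list; 445 (owned by PID 4, the System process) stays until the TransportBindName change and a reboot. Both IPv4 and IPv6 sockets show up as separate rows, which is correct, since each is a real listener.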

Update: A new customizable port scanner I just found.. http://www.t1shopper.com/tools/port-scan/#

Messenger: Unless you use Messenger it's best to uninstall it, because it opens up far too many ports and leaves too much at risk. Here are the ports used by MSN Messenger: 135 to get the connection port; 1026, 1027, 1028; 1863; 5190; 6891-6900; 6901 (voice PC to PC); 2001-2120 (voice to phone). Yahoo ports: 80, 5000-5010, 5050, 5100. I'm still working on the different messenger service ports so will update as I go.

I personally recommend Comodo Firewall; it is very easy to use and works perfectly. In Comodo click the Firewall tab, Advanced, Network Security Policy, Global Rules, click Add and set it up as illustrated below. Two rules are created; the screenshots just show the source and destination port settings of each. To make it simpler to understand: for the IN block rule the destination port is the port you choose and the source is ANY; for the OUT rule the port you choose is the destination port and the destination address is ANY.

Update: You can download and install Comodo Firewall here.. http://personalfirewall.comodo.com/free-...ml?aid=350

and here with CNET review.. http://download.cnet.com/Comodo-Internet...tml?hhTest

[Image: block1.jpg]

[Image: block2n.jpg]

[Image: block3.jpg]

[Image: block4.jpg]

The only difference for single-port block rules is to choose "Single Port" in each rule; 5900-5903 is set up identically to the range above. Make sure you fill in both source and destination for these.

The setup should look like this. Notice that some ports only block incoming attacks, so they have only one IN rule..

[Image: block5.jpg]

Here is the setup for blocking incoming attacks on a specific port; this is only one rule, but it shows both source and destination.

[Image: block6.jpg]

[Image: block7x.jpg]

This is because that is a port a hacker or trojan wants to come in through, but your PC is not going to be attacking out on that port, so only the IN rule is needed. An IN and OUT pair is best for ports where your PC might be scanned for that port as an entrance and your PC may also try to communicate using it, such as with remote connections and especially the dangers of NetBIOS and LMHOSTS lookup. Windows naturally loves for your PC to talk. I see 135-139 blocks all day long in my firewall events, and it's not just other PCs but my PC as well, until I stopped it with the steps listed in this tutorial. NetBIOS is the worst thing to have running and allowing to connect.

Here is what Comodo blocks, also with my uTorrent VPN control rules in use (see.. http://forum.hidemyass.com/showthread.php?tid=1298 ). After cutting off the VPN around 5pm you can see uTorrent being blocked on my real IP in yellow (IP blurred) until I reconnected, and then in green what has tried to scan my ports, which is exactly what is on my list to block. Also notice the 1080 port scan bypassing the VPN and trying to scan my real IP. Looks shady to me. Also notice the 216 address, which is the VPN server IP: other connected VPN users' NetBIOS is trying to connect to my NetBIOS port 139. This is actually natural because it's their Windows OS that is doing it. Notice mine is not? I'm still wondering why people are using port 500 to my port 500, which is intended for IPsec VPN connections, like I'm the VPN server; keep in mind we are using the OpenVPN protocol with HMA VPN and not IPsec.

[Image: firewallblocks1.jpg]


Update: Another example of port scans on commonly attacked ports. Notice the three blurred IPs (that is my real IP) are still being attacked by the same Chinese IP on the same port, 1080.

[Image: portscan1.jpg]

Update!!! It is a good idea in Comodo to export your firewall settings after completing all of the port blocks. To do this click the "More" tab in Comodo, choose "Manage My Configurations", then click "Export" and save to a place you will remember. If you have multiple hard drives or a flash drive, store it somewhere other than the Windows active partition in case of OS failure.

***Warning: if you run a server on your network, this can affect communication with local peers.

Also set your DNS to use OpenDNS - https://store.opendns.com/get/basic ..I set this up for all adapters. This stops your DNS lookups from going to your ISP's resolvers.

Here are some port scans and the results..

[Image: stealth1.png]

[Image: stealth2f.png]

[Image: stealth3.png]

[Image: stealth4.png]

If you disabled NetBIOS properly and changed your DNS settings to OpenDNS properly, you can check by opening CMD and typing ipconfig /all: each adapter should show "NetBIOS over Tcpip" as Disabled and the OpenDNS addresses under DNS Servers.
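The same check, scripted, as an added example that is not part of the original post. It also does the "all adapters" DNS change from above in one go. It reads the same Win32_NetworkAdapterConfiguration data that ipconfig /all prints, so it can be run again after every reboot to make sure nothing has crept back. The OpenDNS resolver addresses are the public ones, 208.67.222.222 and 208.67.220.220; the Set- part needs an elevated PowerShell.

```powershell
# Added example, not from the original post. Sets OpenDNS on every IP-enabled adapter and
# then checks the two things the post verifies by eye in ipconfig /all.

$openDns = @('208.67.222.222', '208.67.220.220')   # OpenDNS public resolvers
$nbText  = @{ 0 = 'Default (DHCP decides)'; 1 = 'Enabled'; 2 = 'Disabled' }

function Set-OpenDns {
    foreach ($nic in Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
        # Static DNS list on the adapter; overrides whatever DHCP handed out
        $rc = $nic.SetDNSServerSearchOrder($openDns).ReturnValue   # 0 = success
        '{0,-45} DNS set rc={1}' -f $nic.Description, $rc
    }
}

function Test-AdapterHardening {
    foreach ($nic in Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
        $dns   = @($nic.DNSServerSearchOrder)
        $other = @($dns | Where-Object { $openDns -notcontains $_ })   # any non-OpenDNS server
        New-Object PSObject -Property @{
            Adapter   = $nic.Description
            NetBIOS   = $nbText[[int]$nic.TcpipNetbiosOptions]
            NetBIOSOk = ($nic.TcpipNetbiosOptions -eq 2)
            DNS       = ($dns -join ', ')
            DnsOk     = ($dns.Count -gt 0 -and $other.Count -eq 0)
        }
    }
}

Set-OpenDns
Test-AdapterHardening | Format-Table Adapter, NetBIOS, NetBIOSOk, DNS, DnsOk -AutoSize

# Same facts as the manual check, for comparison
ipconfig /all | Select-String 'NetBIOS over Tcpip', 'DNS Servers'
```

A VPN client that pushes its own DNS servers when it connects will show DnsOk as False on the TAP adapter while the tunnel is up; that is the VPN provider's resolver rather than your ISP's, so decide for yourself whether that is what you want.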

[Image: ipconfigs.png]
