Tuesday, December 29, 2009

NetBIOS Attacks

OK, here's another silly "let's make life simple for stupid sysadmins" setting that can be easily used by a malicious attacker to gain knowledge of data that should have been secure - including SSL-encrypted data.

This information is *especially* important for any notebooks you may have that are used in hotels or other public locations.  It is less relevant for machines that remain connected in the office - though if you have WiFi that's not running 802.1x and/or network points that are able to be used by malicious people, you may also want to seriously consider the scenarios I refer to.

Hands up if, by default, you disable the "Automatically detect settings" option in the LAN Settings part of Internet Explorer?  OK, so I don't see any hands...

Have a read of this post to get a bit of background on how NetBIOS works.  Now have a read of this post to see how it can be exploited even more readily.  And then have a read of this post to see some examples of this exploit in action.

Microsoft gives a way to disable this ON YOUR LAN, but this in no way will help when the laptop is off your LAN and in a hotel - which is the main cause of concern for this exploit.

And if you think that this is only a newly discovered exploit, have a read of this post from January 2008 discussing this issue.

Maybe, if Microsoft won't do it, we need to do it for them - use GPO to disable this setting.  Of course, if a laptop with "Automatically detect settings" disabled is connected to a network where the user isn't given proxy details and the owner of the network only knows "just set your computer to automatically detect the proxy" then I suggest this is a location that you DEFINITELY shouldn't be using - find another hotel where they have at least some vague idea about the services they are providing!  :)


The Outspoken Wookie
(who is on holidays and REALLY shouldn't be thinking about this stuff!)


Chris Knight said...

Disabling NetBIOS will mitigate NetBIOS spoofing. Adding a wpad entry in the Hosts file will lock down DNS lookups and will mitigate against rogue DHCP servers where the WPAD server is still named wpad.
But disabling Automatically detect settings is the best option. The other methods just close off part of the various hijacking methods.

Hilton Travis said...

G'day Chris,

Making changes to *your* DHCP will make no difference when a laptop of yours with "Auto detect" enabled goes to a hotel with a vulnerable setup. That was the point I was making. :)

Yeah, fondling the Hosts file will also help - but it is better to disable it altogether (and maybe still fondle Hosts in case it gets reenabled).
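
One way to audit a laptop for the three settings discussed in the post and comments above, as an added example that is not part of the original post or its comments. It assumes Windows PowerShell 3.0 or later and that bit 0x08 of byte 8 in the `DefaultConnectionSettings` registry value reflects the "Automatically detect settings" checkbox; the function names are hypothetical.

```powershell
# Added example: report WPAD/NetBIOS exposure for the current user.
# Assumption: byte 8 of DefaultConnectionSettings is a flag byte in which
# 0x08 = "Automatically detect settings" (commonly documented layout).

function Test-AutoDetectFlag {
    param([byte[]]$Blob)
    if ($null -eq $Blob -or $Blob.Length -lt 9) { return $null }  # value missing or truncated
    return [bool]($Blob[8] -band 0x08)
}

function Test-HostsPinsWpad {
    param([string[]]$HostsLines)
    foreach ($line in $HostsLines) {
        $entry = ($line -split '#')[0].Trim()           # drop trailing comments
        if (-not $entry) { continue }
        $fields = @($entry -split '\s+')
        # fields[0] is the address; any later field equal to "wpad" pins the name
        if ($fields.Length -ge 2 -and ($fields[1..($fields.Length - 1)] -contains 'wpad')) {
            return $true
        }
    }
    return $false
}

# 1. "Automatically detect settings" for the default (LAN) connection
$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
$blob = (Get-ItemProperty -Path $key -Name DefaultConnectionSettings `
            -ErrorAction SilentlyContinue).DefaultConnectionSettings
$auto = Test-AutoDetectFlag $blob

# 2. Static "wpad" entry in the Hosts file
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$pinned = Test-HostsPinsWpad (Get-Content -Path $hostsPath -ErrorAction SilentlyContinue)

# 3. NetBIOS over TCP/IP per adapter (0 = from DHCP, 1 = enabled, 2 = disabled)
$nbt = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
       Select-Object Description, TcpipNetbiosOptions

[pscustomobject]@{
    AutoDetectEnabled  = $auto      # $true means WPAD discovery is on
    HostsPinsWpad      = $pinned    # $true means "wpad" resolves locally
    NetbiosNotDisabled = @($nbt | Where-Object { $_.TcpipNetbiosOptions -ne 2 }).Description
}
```

The registry check covers only the default LAN connection for the current user; dial-up and VPN connections keep their own values under the same key.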