TCP Port 139 (netbios-ssn): Fact and Fiction
=============================================

Security professionals and digital miscreants are long familiar with TCP port 139. The NetBIOS Session port, if left open, can provide an open gateway for any number of virtual nasties to slither into a network. Much is made of port 139 as a potential security vulnerability in many texts and sources (1), and it is popularly believed that this port poses a significant threat to the integrity of data and networks (2). This brief paper examines the scope of port 139 as a potential vulnerability, covers the key technical details of the testing process, and provides an indication of how seriously (or otherwise) administrators are taking this potential threat.

Introduction
============

Port 139 (in open state) has always been held up as a significant threat to network security. Although this contention is undeniably accurate, there is much FUD (Fear, Uncertainty and Doubt) concerning this area. A number of online sources make much of port 139 being a terrific threat to both the home and business network. Statistical data (3) indicates that UDP ports 135 - 139 and TCP ports 137 - 139 are amongst the most commonly scanned ports on remote computers. Just because something is commonly tested, however, does not necessarily mean that it is in a state of vulnerability. For example, if a series of burglars were to routinely try and fail to gain access to a locked door, the door would not be insecure, but would in actuality be doing the job it was designed to do in keeping intruders at bay. A number of sources (4) claim that port 139 is open on upwards of 10% of active hosts connected to the Internet, and this has long been accepted wisdom amongst security professionals. This paper addresses this key issue, namely: how many hosts are open to intruders using NetBIOS ports?
Specifically, this paper focuses on discovering the true scope of active hosts running an open TCP port 139 (NetBIOS Session Service).

Methodology
===========

The methodology for this study was incredibly simple, namely to scan a range of IP addresses with commonly available network discovery applications and discover those hosts with TCP port 139 in an open state. Testing was conducted using a Pentium 3, 850 MHz computer running the Windows 98 Operating System with an internal 56k modem and standard ISP dial up. Although Nmap for Win32 was considered as the testing application of choice, it was the author's intent to simulate the probes that would commonly occur from the less technical or neophyte computer intruder, referred to in common parlance as 'script kiddies'. For this reason Windows was selected as the Operating System of choice, as were a number of 'point and click' port scanning applications. Of a short list of five possible applications, two were selected. The scanning activity was predominantly conducted using SuperScan (version 3.00) from Foundstone Inc., with results compared to those generated by ShadowScan (version 2.70) to ensure the accuracy and validity of data. These applications were deliberately selected as they provide powerful scanning functionality to naïve users, operate using simple point and click GUIs, and provide easily detectable signatures for IDSs. Once the Operating System and relevant port scanning applications had been selected, a simple scan was conducted against the IP range XXX.XXX.1.1 to XXX.XXX.255.254. (5) The scan conducted was a visible port 139 enquiry, with no IDS evasion techniques applied. A Ping sweep was also conducted, as well as host name identification. The legality of this scan is discussed in a later section.
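One way a defender could spot the kind of visible, no-evasion port 139 sweep described above, as an added example that is not part of the original paper: it parses constructed iptables-style firewall log lines (the log format, addresses and threshold are assumptions, not data from the study) and flags any source that probes TCP/139 on many distinct hosts.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (iptables LOG-target style), not taken from the
# paper: 198.51.100.7 probes TCP/139 on six hosts (a sweep), 203.0.113.9 hits one
# host once, and one line on TCP/80 is present to show that it is ignored.
SAMPLE_LOG = """\
Mar 11 22:01:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4011 DPT=139 SYN
Mar 11 22:01:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=4012 DPT=139 SYN
Mar 11 22:01:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=4013 DPT=139 SYN
Mar 11 22:01:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.13 PROTO=TCP SPT=4014 DPT=139 SYN
Mar 11 22:01:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.14 PROTO=TCP SPT=4015 DPT=139 SYN
Mar 11 22:01:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.15 PROTO=TCP SPT=4016 DPT=139 SYN
Mar 11 22:01:06 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=4017 DPT=80 SYN
Mar 11 22:02:10 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.30 PROTO=TCP SPT=1501 DPT=139 SYN
"""

# Fields of interest in the assumed log format: source, destination, TCP destination port.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP .*?DPT=(?P<dpt>\d+)")


def parse_tcp_events(text):
    """Yield (src, dst, dport) for every TCP line the regex recognises."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dpt"))


def netbios_sweeps(text, port=139, min_targets=5):
    """Map each source that probed `port` on at least `min_targets` distinct
    destinations to the number of distinct destinations it touched.
    Counting distinct destinations rather than packets is what separates a
    horizontal sweep from a single host retrying a legitimate connection."""
    targets = defaultdict(set)
    for src, dst, dport in parse_tcp_events(text):
        if dport == port:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, n in netbios_sweeps(SAMPLE_LOG).items():
        print(f"possible NetBIOS sweep from {src}: {n} distinct hosts probed on TCP/139")
```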
All scans were conducted during business 'off hours', as this traditionally is when most script kiddies are presumed to attack and scan hosts (this belief is largely incorrect, as attacks can, and do, occur at all hours of the day and night).

Results
=======

Of the 64,770 hosts scanned, 5545 were responsive to a Ping sweep. The reasons for this may be numerous. Firstly, an IP range was selected in a Scandinavian country, largely because it was assumed that fewer hosts would be aware of potential port 139 vulnerabilities. Obviously this is an assumption, and thus incorrect, and my apologies to any Scandinavian readers for doubting your technical competence. The Internet security industry is a lot less aggressive in Scandinavia than in the US, for example, and thus potential vulnerabilities (even those as well known as having port 139 open) may be prone to occur with greater regularity. Another reason Scandinavia was selected was purely on the personal grounds that I have long liked Monty Python, and one of their musical routines clearly provides a link to the country on which the scans focused (now if that isn't a clue I don't know what is!). Of the 5545 responsive hosts, 201 responded with TCP port 139 in an open state. On the basis of the scan of this IP range, only 2.75% of responsive hosts had open TCP port 139. Detailed enumeration was not conducted; however, a probe of all affected hosts using SolarWinds IP Network Browser revealed only 9 (of a possible 64,770) hosts with open TCP port 139 and user shares enabled. Thus, of a potential number of hosts in the thousands, only nine were actually vulnerable to basic NetBIOS hacking methods (6).

Conclusion
==========

Although this is by no means an in-depth statistical analysis of all Internet hosts (or even ones that would be of interest to the 'average' script kiddie who dreams of nothing more than defacing the CIA and making a name for themselves), this brief audit does provide some interesting results.
From doing nothing more than a basic SYN/ACK port scan and SNMP query using automated tools, potential attackers can quickly and efficiently find vulnerable hosts. The number of hosts available for possible NetBIOS vulnerability exploitation is, on the basis of this audit, far lower than traditionally assumed. Perhaps it is thanks to the well publicised nature of NetBIOS vulnerabilities (7), or because NetBIOS ports are those most often routinely probed (8) by inexperienced computer intruders, but whatever the reason, the number of hosts with this vulnerability seems to have decreased far beyond the traditionally accepted figures. One area that was not focused on during this audit, and is a deficiency the author is aware of, is domestic DSL. Domestic subscribers to 'always on' broadband services face a potentially grave threat from NetBIOS intrusions through TCP port 139 (to highlight just one route in). Commercially available and freeware firewalls must keep track of this, and home users must be made aware of the potential for this variety of attack.

Notes
=====

1 - Hacking the hacker: How a consultant shut down a malicious user on a client's FTP server (http://techrepublic.com.com/5100-6329-5055990.html), Penetration Testing: Re: [PEN-TEST] Closing Port 139 (http://lists.insecure.org/lists/pen-test/2000/Oct/0204.html), Get back to security basics (http://insight.zdnet.co.uk/hardware/chips/0,39020436,2126042,00.htm), Peeping Through Port 139 (http://www.citypaper.com/2000-05-03/cyber.html), are just some of the 11,700 results turned up on a recent Google search (with the string 'port 139 hacking').

2 - Software and services vendor Internet Security Systems have even gone so far as to define it as "the single most dangerous port on the Internet" (http://www.iss.net/security_center/advice/Exploits/Ports/139/default.htm), a definition which is arguably a tad overwrought.
3 - ISC / SANS daily trends (http://isc.sans.org/trends.html), DShield (http://www.dshield.org).

4 - The Top Tens of Port Scanning (http://www.btinternet.com/~shawweb/george/hacks/topten.html), NetBIOS Hacking (http://www.rishabhdara.com/newsread.php?newsid=31), to name but two.

5 - See the Legal Note section below for further details.

6 - As discussed in the FAQ for the USENET newsgroup alt.hacking (http://www.dsinet.org/textfiles/faqs/alt-hacking-FAQ/9.html), and countless other places online.

7 - Numerous on- and off-line sources discuss this, including 'Hacking Exposed' (Scambray, McClure, Kurtz), The Happy Hacker (Meinel), DCE/RPC over SMB: Samba and Windows NT Domain Internals (Leighton) and many more (NetBIOS hacking and NULL connections are discussed in the majority of modern books on computer and network security, as well as a large number of websites, mailing lists, and newsgroups).

8 - ISC / SANS daily trends (http://isc.sans.org/trends.html).

Legal Note
==========

The scanning activity undertaken as part of the research for this paper was as transparent as I could possibly make it. Undoubtedly my activities have been recorded by hosts in the IP range scanned, as no effort was made to obscure my location. As yet no hosts have contacted me; however, I will be contacting all affected 'high risk' hosts (i.e. those that are susceptible to simple NetBIOS hacking) and informing them of my findings. The research undertaken in preparation for this paper was not conducted in such a way as to cause harm to any remote host, and the author will not be releasing any details of affected or scanned hosts. This information has been removed from the local hard disk, but is available upon request only to CERT, governmental agencies or law enforcement. No details will be passed to individual security researchers at this, or any future, time. Although port scanning is considered intrusive by nature, it was a vital and necessary part of the research process.
Information gathered was not pursued in the interests of gaining unauthorised access, but in an effort to define the true scope of a long known about security vulnerability, and to see whether the problem is any closer to having been resolved. In conclusion, it is the author's hope that his willingness to disclose information to appropriate agencies, organisations and individuals, as well as the good intent governing the audit process, will be of use should the matter ever arise.

.:clappymonkey:. 11/03