_   _                                                          _   _
    ((___))                                                        ((___))
    [ x x ]                _                                       [ x x ]
     \   /  _   |_|_   _ _|_  _|_ |_  _    _| _  _. _|   _ _        \   /
     (' ') (_|_|| |_  (_) |    |_ | |(/_  (_|(/_(_|(_|  (_(_)\_/\_/ (' ')
      (U)                                                            (U)
     .ooM                     cDc communications                    .ooM

                       The NetBIOS Name Service / NBName
                                by Sir Dystic


xXx // Background References \\ xXx

 * RFC 1001: PROTOCOL STANDARD FOR A NetBIOS SERVICE ON A TCP/UDP TRANSPORT:
   CONCEPTS AND METHODS http://www.faqs.org/rfcs/rfc1001.html 

 * RFC 1002: PROTOCOL STANDARD FOR A NetBIOS SERVICE ON A TCP/UDP TRANSPORT:
   DETAILED SPECIFICATIONS http://www.faqs.org/rfcs/rfc1002.html 

              --------------------------------------------------

xXx // Background \\ xXx

Machines using the NetBIOS protocol over a TCP/IP network use UDP packets
sent from and to UDP port 137 for name resolution and management.  NetBIOS
names consist of 15 uppercase characters followed by a one-byte value (the
service value).  Many service values are reserved on NetBIOS networks to
identify well-known services and other applications, but any application can
register and use any name and value unless that name is a unique name that is
already in use on the network.  The NetBIOS service broadcasts a NAME
REGISTRATION REQUEST to determine whether a name is in use before it attempts
to use it.  If the name is already in use, the machine owning that name will
DENY the name registration request, and the registration attempt will fail.
Each NetBIOS node (machine or interface) on the network maintains a list of
names that it owns, and that node is responsible for defending any unique
names it owns by denying other nodes' name registration requests.  If a
NetBIOS node detects a name conflict it will mark the name in its local table
as being in conflict.  RFC 1001 has this to say about names in conflict:

     Logically, a marked name does not exist on that node.  This means 
     that the node should not defend the name (for name claim purposes), 
     should not respond to a name discovery requests for that name, nor 
     should the node send name refresh messages for that name. 
     Furthermore, it can no longer be used by that node for any session 
     establishment or sending or receiving datagrams.  Existing sessions 
     are not affected at the time a name is marked as being in conflict. 

     The only valid user function against a marked name is DELETE NAME. 
     Any other user NetBIOS function returns immediately with an error 
     code of "NAME CONFLICT". 

              --------------------------------------------------

xXx // Issues \\ xXx

Machines which do not react as the NetBIOS protocol dictates can disable
NetBIOS networks by causing the names in other nodes' NetBIOS name tables to
become in conflict.  A machine that denies all name registration requests
makes every NetBIOS node believe that its names are already in use on the
network.  Windows machines display the message that the chosen machine name
is already in use and direct the user to change the name and reboot.  A
NetBIOS node that is sent a NAME RELEASE REQUEST for each name in its table
will stop responding to name requests, will not be able to create or receive
any new NetBIOS connections or datagrams, and will become isolated from the
NetBIOS network.
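
An added example, not part of the original advisory or of NBName: a decoder
for the name service packets described above, plus a check over a captured
stream of UDP 137 traffic that flags the two abuse patterns in this section,
one source denying many registrations or releasing many names.  The packet
builder and the capture are constructed test input; the alert threshold and
the 192.0.2.x addresses are assumptions.

```python
import struct
from collections import defaultdict

# Header opcodes and result codes from RFC 1002 section 4.2.1.1
OPCODES = {0: "QUERY", 5: "REGISTRATION", 6: "RELEASE", 7: "WACK", 8: "REFRESH"}
RCODES = {0: "OK", 1: "FMT_ERR", 2: "SRV_ERR", 4: "IMP_ERR", 5: "RFS_ERR",
          6: "ACT_ERR", 7: "CFT_ERR"}

def encode_name(name, svc=0x00):
    # First-level encoding (RFC 1001 section 14.1): 15 name bytes plus the service
    # byte, each nibble written as a letter A..P.  '*' is '*' padded with zero bytes.
    raw = b"*" + b"\x00" * 14 if name == "*" else name.upper().ljust(15)[:15].encode("ascii")
    raw += bytes([svc])
    return "".join(chr(65 + (b >> 4)) + chr(65 + (b & 0x0F)) for b in raw)

def decode_name(encoded):
    # Reverse of encode_name; returns (name, service value)
    if len(encoded) != 32 or any(c < "A" or c > "P" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 65) << 4) | (ord(encoded[i + 1]) - 65)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]

def build_packet(txid, opcode, response, rcode, name, svc, broadcast=False):
    # Constructed sample packet (used only to fabricate capture input below):
    # 12-byte header, one name (length 0x20, 32 letters, empty scope), type NB, class IN
    flags = (response << 15) | (opcode << 11) | (0x0010 if broadcast else 0) | rcode
    counts = (0, 1, 0, 0) if response else (1, 0, 0, 0)   # answer RR vs question
    header = struct.pack("!HH4H", txid, flags, *counts)
    qname = b"\x20" + encode_name(name, svc).encode("ascii") + b"\x00"
    return header + qname + struct.pack("!HH", 0x0020, 0x0001)

def parse_packet(pkt):
    # Decode the header and the first name; that name starts at offset 12 whether
    # the packet carries a question (request) or a resource record (response)
    if len(pkt) < 46 or pkt[12] != 0x20 or pkt[45] != 0x00:
        raise ValueError("not a well-formed NBNS packet with one name")
    txid, flags = struct.unpack("!HH", pkt[:4])
    name, svc = decode_name(pkt[13:45].decode("ascii", "replace"))
    return {"txid": txid,
            "response": bool(flags & 0x8000),
            "opcode": OPCODES.get((flags >> 11) & 0x0F, "UNKNOWN"),
            "broadcast": bool(flags & 0x0010),
            "rcode": RCODES.get(flags & 0x000F, "UNKNOWN"),
            "name": name, "svc": svc}

def find_suspicious_sources(capture, threshold=3):
    # capture: list of (source IP, packet bytes).  A legitimate node defends only
    # the few names it owns and releases only its own names, so one source that
    # denies registrations for, or releases, `threshold` distinct names is reported
    denied, released = defaultdict(set), defaultdict(set)
    for src, pkt in capture:
        p = parse_packet(pkt)
        key = (p["name"], p["svc"])
        if p["response"] and p["opcode"] == "REGISTRATION" and p["rcode"] == "ACT_ERR":
            denied[src].add(key)
        elif not p["response"] and p["opcode"] == "RELEASE":
            released[src].add(key)
    alerts = {}
    for src in set(denied) | set(released):
        if len(denied[src]) >= threshold:
            alerts[src] = "denied %d distinct registrations" % len(denied[src])
        elif len(released[src]) >= threshold:
            alerts[src] = "released %d distinct names" % len(released[src])
    return alerts

# Constructed capture: HOST1 broadcasts a registration and the real owner of HOST1
# denies it (normal), then one source denies every registration it sees
SAMPLE_CAPTURE = [
    ("192.0.2.10", build_packet(0x0001, 5, 0, 0, "HOST1", 0x00, broadcast=True)),
    ("192.0.2.11", build_packet(0x0001, 5, 1, 6, "HOST1", 0x00)),
    ("192.0.2.99", build_packet(0x0002, 5, 1, 6, "HOST2", 0x00)),
    ("192.0.2.99", build_packet(0x0003, 5, 1, 6, "HOST3", 0x20)),
    ("192.0.2.99", build_packet(0x0004, 5, 1, 6, "WORKGROUP", 0x1D)),
]
```

Feeding the same function the payloads of real UDP 137 datagrams (one tuple
per packet) turns it into a simple detector for the /DENY and /CONFLICT
behaviour described later on this page.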

Because the protocol is entirely unauthenticated, any machine can respond to
broadcast queries for any name it sees queries for, possibly even beating
legitimate name holders to the response.  The address of the responding node
will be returned and whatever type of connection was being attempted will be
made to that address instead.  In fact, in ANY place in Windows that is
expecting a host name, even an internet address like www.crap.edu, if the
system is unable to resolve the address via DNS it will attempt to resolve it
via a broadcast NetBIOS name packet if it is 15 characters or less.  So if
someone on the network tried to connect to www.crap,edu (a common unnoticed
typo, a comma instead of a period), after the DNS request failed it would
broadcast a name query for WWW.CRAP,EDU.  If fake services were set up, such
as telnet, ftp or whatever, most users wouldn't notice the mistake until it
was too late.

              --------------------------------------------------

xXx // External Solution \\ xXx

Block UDP 137 on your firewall or router.  If NetBIOS networking is not
required, for God's sake uninstall it!

              --------------------------------------------------

xXx // Internal Solution \\ xXx

Microsoft recommends using IPSec for UDP 137.

              --------------------------------------------------

xXx // Microsoft's Response \\ xXx

I first sent a copy of NBName.cpp along with an extensive description of the
problems to secure@microsoft.com on June 20th.  I have since learned that they
were notified about similar and same issues some time in March.  They were
very responsive throughout the entire exchange, although their response
throughout has basically been, "Thanks for the info, we're just about to
release a patch." 

On July 28th Microsoft released this bulletin which provides a patch for
Windows 2000.  As of August 15th, the Windows NT 4.0 patch info still reads:

     Windows NT 4.0 Workstation, Server, and Server, Enterprise Edition:
          Patch to be released shortly. 
     Windows NT 4.0 Server, Terminal Server Edition:  Patch to be released
          shortly.

Apparently Microsoft is having trouble "packaging" their NT 4.0 patch.
Interestingly, nowhere in the bulletin does it mention Windows 9x, even though
it is just as affected as any other platform using the NetBIOS protocol over 
TCP/IP.  I asked them why this was and their response was basically that
anyone concerned with "security" wouldn't be running Windows 9x anyway.  I
would LOVE to not have to run Windows 95 anymore, but I have several thousand
dollars worth of hardware and software (MP3 player that uses a proprietary
parallel interface, video capture cards that only have 9x drivers due to
promised then abandoned DirectX support for NT 4, Lego Mindstorm, tons of
games, etc!) that ONLY work under 9x!  Is this a sign that Microsoft is
preparing to abandon these platforms?  They sure do like Win2000...

On August Second, there was this report:

     Private Sector - (U) (CERT/CC, 2 August) The CERT/CC has issued Special
     Communication SC-2000.65 - NetBIOS, NBName, and the Cult of the Dead Cow
     (cDc).  As reported in yesterday's NIPC Daily Report, a new tool
     exploiting several NetBIOS vulnerabilities has been released by a member
     of the cDc.  Source and binary has been posted to the Web site
     www.securityfocus.com.  Microsoft had previously released MS00-047 to
     help mitigate against the effects of being attacked via these
     vulnerabilities and suffering denial of NetBIOS services.  The CERT/CC
     has not received any reports of the tool being used at present to attack
     sites, but given the nature of the exposure surrounding past cDc tool
     releases, CERT/CC is preparing to publish some document to give people
     more information about the nature and scope of future activity involving
     NBName and exploitation of these vulnerabilities.

On August 10th, CERT published this Vulnerability Note
which outlines the problem and basically recommends blocking the appropriate
ports and installing the patches that Microsoft has yet to provide, although
it does note:

     Note that no patch is being furnished for Win9x systems; Microsoft has
     publically stated it feels patching these systems to disable name
     conflict resolution would cause more problems than it would help
     prevent, especially in networks with large numbers of Win9x systems.

              --------------------------------------------------
              --------------------------------------------------

xXx // NBNAME \\ xXx

Check the source for current version and changes. 

NBName decodes and displays all NetBIOS name packets it receives on UDP port 
137.  Using the /DENY * command line option it will respond negatively to all
NetBIOS name registration packets it receives.  Using the /CONFLICT command
line option it will send a name release request for each name that is not
already in conflict to machines it receives an adapter status response from.
The /QUERY * command line option causes a wildcard name query request to be
broadcast at startup and each machine that responds to the name query is sent
an adapter status request.  The /ASTAT command line option causes an adapter
status request to be sent to the specified IP address, which doesn't have to
be on your local network.  Using /QUERY * /CONFLICT /DENY * will disable your
entire local NetBIOS network and prevent machines from rejoining it.

NBName is much more than just a NetBIOS DoS tool:

     Usage: NBName  [/CONFLICT] [/REVERSE] [/NOLOCAL|/NOLOCALNET] [/ASTATBACK]
             [/ASTAT TargetIP] [/SWEEP StartIP EndIP] [/SCAN IPList]
             [/SVCDESC] [/TO ms] [/DELAY ms] [/PORT Port] [/RETRY Trys]
             [/QUERY Name] [/LOCALIP LocalIP] [/NETMASK Netmask] [/EXAMPLES]
             [/ASOUT Outfile] [/ALLOW|/DENY NameOrFile] [/RESPOND NameOrFile]
             [/RESPONDIP RespIP] [/OUTSVC SvcNum OutFile]
             [/SPAWN SvcNum CmdExe "Args"] [/DESTPORT Port] [/PROXYIP ProxyIP]
             [/PROXYPORT ProxyPort] [/PROXYUSER Username]
             [/PROXYPASS Password] [/BCASTIP BcastIP]
       /LOCALIP will bind to LocalIP instead of the default system IP
       /NETMASK will use Netmask to determine local net addresses
       /BCASTIP will use BcastIP as the destination for broadcast packets
       /PORT will bind to Port instead of 137
       /DESTPORT will send packets to Port instead of 137
       /PROXYIP will use the SOCKS 5 proxy at address ProxyIP to route UDP
          packets
       /PROXYPORT will connect to tcp port ProxyPort rather than 1080
       /PROXYUSER and /PROXYPASS let you supply authentication info to the
          proxy
       /QUERY will cause a name query for Name to be broadcast
       /ASTAT will send an adapter status (astat) request to TargetIP
       /ASTATBACK will send astat requests to nodes that respond to queries
       /SWEEP will send adapter status requests to all IPs from StartIP to
          EndIP
       /SCAN will send adapter status requests to first IP listed in on each
          line of IPList
       /DELAY will pause for ms milliseconds between each packet sent
          during a scan or sweep, default 100 ms (10 packets per second)
       /REVERSE will send an astat request in response to astat requests
       /ASOUT will output received adapter status responses' contents to
          Outfile
       /OUTSVC will output machines that respond to an adapter status request
          and have service SvcNum running to OutFile in the format of lmhosts
       /SVCDESC will display a description of each known service in astat
          responses
       /SPAWN will spawn CmdExe with the commandline: CmdExe Args SrvrIP
          SrvrName when an astat response is received with service SvcNum
          running
       /NOLOCAL will prevent packets from the local host from being processed
       /NOLOCALNET will prevent packets from the local subnet from being
          processed
       /TO causes NBName to exit if no packets are received for ms
          milliseconds
       /RETRY changes the number of times failed packets are resent from 3 to
          Trys
       /CONFLICT* will send name release packets for each name in the remote
          name table of machines who respond to adapter status requests
       /RESPOND* will respond to name queries for NameOrFile
       /RESPONDIP will return RespIP for queries responded to if /RESPOND is
          used with a name or wildcard.  Defaults to LocalIP
       /DENY* will cause the name(s) specified by NameOrFile to be denied if
          a node tries to register it (them)
       /ALLOW* will deny all names _except_ NameOrFile
          NameOrFile can be a single name, the path to a file containing a
          list of names or * for all names (/ALLOW * is not valid).. Names
          can include a service value by adding a backslash followed by the
          hex service value
      * These options may be damaging to network stability, use with caution!

Using /SWEEP or /SCAN you can spew packets to blocks or lists of IPs, those 
machines with NetBIOS name services running will respond with their adapter 
status (including the contents of their name table).  Using /OUTSVC you can
have discovered machines appended directly to an lmhosts file, and using
/SPAWN as well, you can use a batch file to run a program which gathers
information from found NetBIOS servers or audits them for open shares, dumb
passwords etc (NAT)... Adapter status request packets are 96 bytes, so using
the /DELAY option you can tune NBName to send packets as fast as the available
bandwidth allows.  If you send packets too fast some of them will simply get
lost and not reach their destination.  The default delay is 100 milliseconds
or 10 packets per second, or 960 bytes per second.  A 128kb DSL or cable modem
connection can probably safely handle delays as low as 10 ms, or 100 packets,
or about 10k/s.  At this speed you could scan an entire class C (65k IPs) in
about 11 minutes, having a NetBIOS auditor or other program spawned in
parallel each time a server is found.

Listening on the default port 137 and using /REVERSE, when someone queries
your machine for NetBIOS adapter status it will display the request and
respond instead with a request for the querying machine's status.  It is
important to realize that Windows machines will generate such a request
AUTOMATICALLY: if an application on that computer calls gethostbyaddr() and
is unable to resolve an IP address's name via DNS, it will send an adapter
status request directly to the address, attempting to retrieve the NetBIOS
name...  So just because a machine requested your adapter status does not
necessarily mean that they are trying to hack you or running nbtstat.exe...
this fact however can be quite useful in detecting IDS systems on Windows
machines: listen for NBNAME packets and probe a machine from an IP address
that does not resolve to a name via DNS; if there is an IDS which is
configured to immediately resolve the names of attacking addresses, you will
see an adapter status request after the DNS lookup fails.

One of the most common problems with WANs is locating the NetBIOS machines
that you can not send broadcast packets to (nodes on the far end of the WAN)
if there is not a WINS server in use.  Microsoft's solution is to add the
machines on the far end of the WAN to your lmhosts file, which is used to
resolve a name to its address before a query is broadcast, but this is a
pain for any large network, especially if IPs change at all.  Using /OUTSVC
in combination with /SCAN or /SWEEP you can quickly and easily create an
lmhosts file.

              --------------------------------------------------

xXx // Extended Descriptions of Some Options \\ xXx

/PORT
  In order to receive the normal broadcast traffic that NetBIOS nodes generate
  you must be listening on the default port, 137.  In Unix and Windows NT or
  2000 boxes you may have to run NBName as root or Administrator.  Also see
  the notes for additional problems with binding.

/DESTPORT
  Use this option to send packets to a port other than UDP 137.  There are
  very few circumstances in which this will be a useful option.

/PROXYIP /PROXYPORT /PROXYUSER and /PROXYPASS
  To route the UDP traffic through a SOCKS 5 proxy, use /PROXYIP to specify
  the IP address of the proxy.  All the other proxy options are optional.
  Currently only plaintext authentication is supported.

/QUERY
  This option causes a name query for the name provided to be broadcast.
  This can be used to resolve a name to its owner's address.  /QUERY * will
  cause all the workstations to respond and be resolved.

/ASTATBACK
  This option will cause adapter status requests to be sent to any machine
  that responds to a name query.  Used in combination with /QUERY * this will
  cause an adapter status request to be sent to every machine on the local
  network.  Used in combination with /QUERY * and /CONFLICT this will disable
  every machine on the local network that responds to the broadcast query.

/SWEEP
  This option causes an adapter status request to be sent to a block of IPs.
  You specify the starting address and the ending address, which need not be
  in the same class C block.  Using /DELAY you can control the speed at which
  these packets are sent. 

/SCAN
  This option causes NBName to send adapter status requests to each of the IP
  addresses listed in the file supplied.  It will read the IP address from the
  beginning of each line and ignore the rest, which means you can supply the
  files created by /OUTSRVS or /OUTALL.  You can use /DELAY to control the
  speed at which packets are sent.

/REVERSE
  When NBName receives an adapter status request while this option is in
  use, instead of that system responding with its adapter status, NBName will
  send an adapter status request back to port 137 on the machine that
  requested it.  Using this in combination with /ASOUT you can log the name
  table, IP and MAC address of people who request your adapter status.  Using
  it with /CONFLICT you can disable the NetBIOS networking of anyone who
  requests your adapter status if they have NetBIOS services running.  Using
  it in combination with /SPAWN you can execute a script or program that does
  something else when someone requests your adapter status and has the server
  service running.  It is probably a good idea to use /NOLOCALNET and
  definitely /NOLOCAL with this command.

/OUTSVC
  This option causes NBName to append machines with the service value
  supplied to a file with their IP address followed by the NetBIOS name
  associated with this value, which is the same format as used by lmhosts
  files in both Unix (by Samba) and Windows.  In Win9x this file is located
  in the system32 directory, in NT and 2k it is in
  %windir%\system32\drivers\etc.  NBName will always append to these files,
  but will not check if a machine with that IP or machine name already exists.
  If you want to use NBName to spawn a program that accesses the machine by
  its name and you are bound to the default port you will have to use one of
  these options to update the system lmhosts file.  You will not be able to
  use \\123.321.123.432 to access the machine because Windows actually sends
  an adapter status request to the machine to get its machine name
  automagically for you, and if NBName is listening on port 137 the system
  will not be able to retrieve the machine name.

/SPAWN
  This option can be used to spawn another script or program when a machine
  with the service value supplied responds to an adapter status request.  You
  must supply at least one "argument" or parameter to pass to the program,
  although the program or script obviously doesn't have to use it.  The second
  parameter passed to the script or program is the IP address of the
  responding machine, and the third is the NetBIOS name the server is using.
  The program is spawned in parallel and NBName continues to run.

/NOLOCAL and /NOLOCALNET
  If you are working with remote machines it is probably a good idea to use
  the /NOLOCALNET option.  Machines on your "local network" are determined
  using the netmask, which can be provided using /NETMASK. /NOLOCAL will cause
  packets generated from the IP NBName is listening on to be ignored and not
  processed. 

/CONFLICT
  When a NetBIOS node receives a name release packet (which is basically
  saying "OK I'm done using this name") for a name that it has registered, it
  marks that name as being in conflict and stops using it.  When an adapter
  status response is received by NBName and this option is used, it will send
  a name release packet for each name that is not already in conflict to that
  node, essentially disabling the NetBIOS networking on that node.  The
  machine will probably have to be rebooted to operate properly again. 

/RESPOND
  This option allows you to answer to received name queries.  You can respond
  to all names using * or a specific list of names by a name or filename
  containing the list.  This will cause your IP address, or the IP address
  specified with /RESPONDIP, to be returned when someone on your network
  attempts to use a machine name that doesn't resolve via DNS (this will
  happen to non-NetBIOS related applications also as the system automatically
  tries to resolve names by hosts then lmhosts then DNS then WINS) and that
  machine will in turn probably try to connect to the returned address instead
  of whatever address the other machine was trying to connect to.  It may also
  be able to respond faster than the node that actually owns the name if it is
  an actual name that is in use.  If a filename is provided it can either be a
  straight list of names to be responded to with RespIP or LocalIP or it can
  be an lmhosts style file, IP address then name on each line. 

/ALLOW and /DENY
  These options let you deny name registration requests so that NetBIOS nodes
  will think that their machine name is already in use on the network and not
  be able to function.  You can deny all names using /DENY * or supply a
  specific name or list of names to deny, or you can deny all names except a
  specific name or list of names using /ALLOW.

              --------------------------------------------------

xXx // Notes \\ xXx

NBName should compile on Win32 and Unix platforms, but will not be able to run
on Win2k if NetBIOS is already bound to the IP interface being used.  This is
because Microsoft created a new socket flag which prevents other applications 
from re-binding in front of the socket.  This flag was implemented in NT 4.0
SP4 but apparently not used except in Win2k. 

While you can bind to any port using the /PORT command (except as noted
above), old Win95 boxes (pre-OSR2) will always respond to UDP 137.  This means
that unless you use the default port you will not see the responses from those
machines.  However, this method can also be used to locate pre-OSR2 Win95
machines which may be vulnerable to a few known exploits.

Many Unix platforms seem to have issues receiving broadcast UDP packets.  This
may prevent many options, such as /ALLOW, /DENY and /RESPOND, from working, as
NBName will not be able to receive the normal NetBIOS traffic.  Obviously you
must be listening on the default port (137) for these options to work.

On my NT box after binding in front of the system to UDP 137 I have repeatedly
seen it bind without error but then never receive the packets destined for
that port.  It seems to fix itself most of the time.  Using the /PORT option
you can bind to other ports (which may also allow you to get UDP packets
through a firewall by binding to a "trusted" port such as 53) and MOST Windows
machines will respond to that port, but some old Win95 boxes will always
respond to UDP 137 no matter the source port. 

There may be some issues related to the end node types which may cause NBName 
to function improperly on networks that do not use B-nodes. 

Using /REVERSE without /NOLOCAL(NET) may cause NBName to send packets to 
itself as fast as it can. That would be a bad thing. 

Names, either supplied with the option or in the filename, can include a
service value by appending a backslash (\) followed by the hex service value
(such as SERVER\20).  If no service value is supplied, 00 is used (workstation
service).  The most commonly used service values are 00 (workstation) and 20
(server). 

Names with spaces in them can be specified on the command line by putting 
quotes around the name, such as NBName /QUERY "THE NAME" ...and may even
include a service value like NBName /DENY "THE NAME\20" 

              --------------------------------------------------
			  
                               Get SOURCE here 

              --------------------------------------------------

                               Get BINARY here. 

              --------------------------------------------------

Here is an example batch file which you might execute with the /SPAWN option.
It uses NetE to extract information from found machines and writes a log to
c:\logs\ for each NetBIOS server that can be connected to.  A sample
command line for using this batch file might be:

     NBName /NOLOCALNET /SWEEP 123.231.123.1 123.231.129.255 /DELAY 25 /TO 
        20000 /OUTSVC 20 %windir%\system32\drivers\etc\lmhosts /SPAWN 20
        donete.bat TestSweep1

The above command line would sweep 7 class C networks sending 40 packets per
second, exiting automatically after 20 seconds of not having received any 
responses, appending machines with the server service running to the system 
lmhosts file, spawning donete.bat for each server found which will create a
file for each machine that could be connected to with names in this format:

     TestSweep1-123.231.123.99-HOST1
     TestSweep1-123.231.126.123-HOST2
     ... etc