Network Security Focus-Microsoft

Re: Question on IIS servers and reverse lookup

Subject: Re: Question on IIS servers and reverse lookup
Date: Thu, 10 Mar 2005 10:58:37 -0600
Do you have Security Audit turned on, and do you see Failure Events of the Logon/Logoff
type timestamped at the same time as when IIS tries to send the NetBIOS Name
Resolution (UDP 137) packet?

Maybe these are authentication attempts against your IIS server coming from the
Internet, and the IIS server is sending a packet to the destination asking for the
domain name?

slawek
 

"Maxime Ducharme" <mducharme@cybergeneration.com> wrote on 3/9/2005 16:41:

Hi to the list

We are running a new iptables firewall with
restrictive policies.

I just noticed that sometimes (between 1 and 4 packets per
week), our IIS 5.0 server tries to send a NetBIOS name
query to foreign IPs.

Here is a hex dump of that packet:

11:44:56.495348 x.x.x.x.netbios-ns > 211.40.x.y.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; UNICAST
0x0000   4500 004e b2bf 0000 8011 ff8f XXXX XXXX        E..N.........hR.
0x0010   d328 913c 0089 0089 003a 6ff0 c7ee 0000        .(.<.....:o.....
0x0020   0001 0000 0000 0000 2043 4b41 4141 4141        .........CKAAAAA
0x0030   4141 4141 4141 4141 4141 4141 4141 4141        AAAAAAAAAAAAAAAA
0x0040   4141 4141 4141 4141 4100 0021 0001             AAAAAAAAA..!..

x.x.x.x is our server (I replaced it in the hex dump with XXXX XXXX too).

Source : our server
Proto : UDP
Source port : 137
Dest : foreign server
Dest port : 137

I'd like to identify the source of these packets.


One thing that comes to mind is:
would it be related to the option in IIS "reverse
lookup host" to log hostnames in the log file?

I remember that the nslookup() function of the NT kernel
uses NetBIOS if DNS doesn't reply anything
(correct me if I'm wrong).

There is no inbound port other than 80 open.
The open outbound ports are for packets related to an already
open connection on port 80 and for DNS queries to our
servers. The server itself cannot open a connection
to the Internet.

Since this server is hosting ASP & ASP.NET services,
I agree it would be possible to get access via
some crafted URLs or web app attacks, but we didn't
see anything else than these packets.

Can someone enlighten me?

Thanks in advance

Maxime Ducharme
Programmer / Network Security Specialist
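Decoding the dumped packet, as an added example that is not part of the original post or of anyone's reply in the thread: the script below parses the IPv4 and UDP headers and the NetBIOS name service question out of the hex dump above, and undoes the RFC 1001 "first-level" encoding of the 32-letter name. The only assumption is that the sender's masked address (XXXX XXXX) is filled with zeros so the bytes parse; every other byte is the dump verbatim. The name decodes to the wildcard "*" and the question type is 0x0021 (NBSTAT), i.e. an RFC 1002 node status request, the query NetBT uses to learn a host's NetBIOS name table when all it has is the IP address; that is the packet shape one would expect if a reverse lookup of a client address fell back to NetBIOS, which is the hypothesis raised in the post.

```python
"""Decode the NetBIOS name-service packet from the hex dump in the post.

Added example, not code from the thread. Every byte comes from the dump
except the source IP, which the poster masked as "XXXX XXXX" and which is
replaced by zeros here so the packet parses (assumption).
"""
import struct
from ipaddress import IPv4Address

# Hex dump from the post, masked source address zeroed (constructed input).
DUMP_HEX = """
4500 004e b2bf 0000 8011 ff8f 0000 0000
d328 913c 0089 0089 003a 6ff0 c7ee 0000
0001 0000 0000 0000 2043 4b41 4141 4141
4141 4141 4141 4141 4141 4141 4141 4141
4141 4141 4141 4141 4100 0021 0001
"""
PACKET = bytes.fromhex(DUMP_HEX)

# Question types of the NetBIOS name service (RFC 1002, 4.2.1.2 and 4.2.17).
QTYPES = {0x0020: "NB", 0x0021: "NBSTAT"}


def decode_nbt_name(encoded: bytes) -> tuple:
    """Undo RFC 1001 first-level encoding: each nibble was sent as 'A' + nibble,
    so 32 ASCII letters become the 15-byte name plus its 1-byte suffix."""
    if len(encoded) != 32:
        raise ValueError("first-level encoded NetBIOS name must be 32 characters")
    raw = bytes(((hi - 0x41) << 4) | (lo - 0x41)
                for hi, lo in zip(encoded[0::2], encoded[1::2]))
    # The "*" wildcard is padded with NULs, ordinary names with spaces.
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]


def parse_nbt_query(packet: bytes) -> dict:
    """Parse IPv4 + UDP + one NBT name-service question; raise on anything else."""
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4:
        raise ValueError("not IPv4")
    total_len = struct.unpack_from("!H", packet, 2)[0]
    ttl, proto = packet[8], packet[9]
    if proto != 17:
        raise ValueError("not UDP")
    src, dst = IPv4Address(packet[12:16]), IPv4Address(packet[16:20])

    sport, dport, ulen, _csum = struct.unpack_from("!HHHH", packet, ihl)
    payload = packet[ihl + 8: ihl + ulen]

    # NBT header is DNS-shaped: ID, flags, then four 16-bit counts.
    tid, flags, qdcount, _an, _ns, _ar = struct.unpack_from("!6H", payload, 0)
    # Flags: R | OPCODE(4) | NM_FLAGS(7) | RCODE(4); B (broadcast) is bit 4.
    is_response = bool(flags & 0x8000)
    opcode = (flags >> 11) & 0xF
    broadcast = bool(flags & 0x0010)

    # One question: <len><encoded name><0x00>, then QTYPE and QCLASS.
    label_len = payload[12]
    name_end = 13 + label_len
    if payload[name_end] != 0:
        raise ValueError("expected a single-label NetBIOS name")
    qtype, qclass = struct.unpack_from("!HH", payload, name_end + 1)
    name, suffix = decode_nbt_name(payload[13:name_end])

    return {
        "src": str(src), "dst": str(dst), "ttl": ttl, "total_len": total_len,
        "sport": sport, "dport": dport,
        "transaction_id": tid, "response": is_response, "opcode": opcode,
        "broadcast": broadcast, "qdcount": qdcount,
        "name": name, "suffix": suffix,
        "qtype": qtype, "qtype_name": QTYPES.get(qtype, f"0x{qtype:04x}"),
        "qclass": qclass,
    }


def describe(q: dict) -> str:
    """One-line reading of the question, in the spirit of the tcpdump summary."""
    kind = "response" if q["response"] else "request"
    cast = "broadcast" if q["broadcast"] else "unicast"
    what = f'{q["qtype_name"]} {kind} for "{q["name"]}"<{q["suffix"]:02x}>'
    if q["qtype"] == 0x0021 and q["name"] == "*":
        what += " (node status request: asks the target for its NetBIOS name table)"
    return f'{q["src"]}:{q["sport"]} > {q["dst"]}:{q["dport"]} NBT {cast} {what}'


if __name__ == "__main__":
    print(describe(parse_nbt_query(PACKET)))
```

Running it prints a single line identifying the packet as a unicast NBSTAT request for "*"<00> from UDP 137 to UDP 137; to apply it to the firewall's own captures, replace DUMP_HEX with the hex of any logged packet and check that the question type and name match before treating it as the same phenomenon.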
