[Snort-users] Netbios attack

Dr SuSE drsuse at ...748...
Tue Nov 14 19:43:12 EST 2000


After reading Lance Spitzner's article about the hack on his Windows 98
honeypot I decided to give it a shot and see what I can come up with since
I too have been seeing netbios probes from machines with cable and xDSL
connections.

I setup a Windows 98 box in my dmz with file and print sharing
enabled.  To monitor traffic to and from the box I used Sniffer Pro
running on an NT workstation and Snort was keeping track of things from my
Linux box. 

Similar to Lance, it was not long before I was visited.
The first attack came about 90 minutes after I put my Windows 98 machine
online.  At 00:31 CST Snort using vision.conf detected a netbios name
query from 24.0.169.221  Snort/vision.conf detected a second netbios name
query at 00:44 CST from 24.163.71.18

I wasnt too worried when I saw this but rather happy so I decided to go to
bed and then check the sniffer data in the morning.

Once I got out of bed I shut the Windows 98 honeypot down and had a look
at the data collected by sniffer pro.

The first netbios connection attempt was made by 24.0.169.221 which
resolved to a home.com host which I'm assuming is on a cable connection.
According to my data the netbios connection was established and the first
thing this guy did was try to make an account for himself.  The account
name he attempted to make was called "John Hall".  My Windows 98 machine
rejected that attempt.  Next this person then tried to connect to the C
drive of my Windows 98 box but that too was rejected since the C drive was
not shared.  After that, John Hall or so he calls himself closed the
connection and left.

The second attempt from 24.163.71.18 which resolved to an rr.com host was
quick and simple.  This person did establish a netbios connection, then
attempted to access the C drive but once again it was rejected by my
machine since the C drive was not shared.

I will write a more detailed paper in the future and I might go ahead and
share the C drive this weekend so that I can use the information gathered
to learn more about this activity and become more familiar with IP
behavior and reading sniffer logs.  This might be a good time to learn
more about tcpdump too.



Lance, your article made for great reading.  I really enjoyed it.  

Dr SuSE

"Microsoft ist nicht installiert"




More information about the Snort-users mailing list