It is an unfortunate legacy of Microsoft thinking TCP/IP was for linking
Windows computers together. A public global Internet? What a silly idea.
These big companies still have not gotten over the idea that the Internet was
built for them. Like for delivering WIndows 10 updates, Xbox updates, storing
all your data in the OneDrive or Azure cloud. And of course you will have a
Windows or Google or Facebook account and use that to log into everything. And
if you’re a 23 year old engineer at one of these companies and it’s the only
place you’ve ever worked, you probably drink the kool aid.
From: Josh Luthman
Sent: Monday, September 19, 2016 12:01 PM
To: af@afmug.com
Subject: Re: [AFMUG] everyone should be blocking SMB ports
There is *NO* reason to not block and countless reasons to block them at your
edge.
If the customer wants to access these ports they should tunnel in.
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373
On Mon, Sep 19, 2016 at 12:57 PM, That One Guy /sarcasm
<thatoneguyst...@gmail.com> wrote:
Whats the WISP consensus on blocking those ports at the edge? also, whats the
best religion? if Ford or Chevy better? Whats the greatest sports team?
On Mon, Sep 19, 2016 at 11:50 AM, Zach Underwood <zunder1...@gmail.com> wrote:
My work has its own IP address and get upstream from atnt and charter. The
smb ports are not blocked.
Zach Underwood (RHCE,RHCSA,RHCT,UACA)
http://ZachUnderwood.me
advance-networking.com
On Sep 19, 2016 12:47 PM, "Josh Luthman" <j...@imaginenetworksllc.com>
wrote:
Cable/Telco probably.
WISP? I dunno...
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373
On Mon, Sep 19, 2016 at 12:47 PM, Sean Heskett <af...@zirkel.us> wrote:
i think everyone has been blocking those ports since 1998-ish (or at
least you should be)
-sean
On Mon, Sep 19, 2016 at 10:22 AM, Zach Underwood <zunder1...@gmail.com>
wrote:
This was written from the view point of windows AD setup can affect
home users too since MS makes people use MS live accounts to log in to windows.
Problem:
Outside servers can get username/domain/password hash. Once a remote
server has the login info they could connect to VPN, Office365 or an other
service that using AD domain user info.
See attachment for example. I got the example from a VM with a test
account on it.
Details:
Microsoft based browsers like IE and Edge can be induced to make a
outbound smb connection to a remote server. In this connection Microsoft will
send over username, domain, and password hash. The remote server then can do a
decryption of the password hash using brute force, password, dictionary and
rainbow tables.
Fix:
The fastest way to stop this is to block all of the smb networks
ports on the edge firewall for incoming and outgoing. The ports are 137-138udp,
137tcp,139tcp, 445tcp
Sources:
http://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/
Testing site:
https://msleak.perfect-privacy.com/
--
Zach Underwood (RHCE,RHCSA,RHCT,UACA)
My website
advance-networking.com
--
If you only see yourself as part of the team but you don't see your team as
part of yourself you have already failed as part of the team.
