Re: [AFMUG] everyone should be blocking SMB ports

2016-09-20 Thread Josh Luthman
Talking about a Microsoft VPN maybe?  Don't they have an HTTPS tunnel for
this?

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Sep 20, 2016 1:08 PM, "Paul Stewart" <p...@paulstewart.org> wrote:

I’ve seen some custom VPN applications run over 445 and shook my head as to
why….

We limit our filtering specifically to SMTP, DNS, and UPNP type stuff where
attacks/misuse are most common …

On Sep 20, 2016, at 11:20 AM, Ken Hohhof <af...@kwisp.com> wrote:

I agree with what Lewis said.  Ports 135-139 and 445 are well known ports
assigned to Windows networking and have no business being on the open
Internet.

There should be a strong presumption that outbound traffic on these ports
is malicious traffic from a worm like Blaster trying to propagate over the
Internet.  Best case, a customer has misconfigured something to send LAN
traffic over a WAN connection.

There are many pros and zero cons to blocking this traffic.  Do not get
hung up on the word “blocked”.  This is not a Net Neutrality issue.
NetBIOS/SMB is LAN traffic, not WAN traffic; if someone needs it to go
site-to-site, then it should be inside something like a VPN.


*From:* Stefan Englhardt <s...@genias.net>
*Sent:* Tuesday, September 20, 2016 9:26 AM
*To:* af@afmug.com
*Subject:* Re: [AFMUG] everyone should be blocking SMB ports

We tell our customers: you get free, unblocked access. So we don't block.
If we see a problem, we block and notify the customer.


*From:* Af [mailto:af-boun...@afmug.com <af-boun...@afmug.com>] *On Behalf
Of *Dave
*Sent:* Tuesday, 20 September 2016 16:21
*To:* af@afmug.com
*Subject:* Re: [AFMUG] everyone should be blocking SMB ports


+1

On 09/20/2016 09:12 AM, Jon Bruce wrote:

+1
On 9/20/2016 10:01 AM, Lewis Bergman wrote:

I am a firm believer in the stance that as your ISP, I am not your mommy.
We did no filtering or firewalling for our customers. The only exception
being the blocking of certain traffic that had no business being on the
open Internet. This is one of those things.

On Tue, Sep 20, 2016, 7:21 AM Richard Strittmatter <rich...@mesh.net> wrote:

We block, and have for years and years.

Richard Strittmatter

*From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Mike Hammett
*Sent:* Monday, September 19, 2016 11:59 AM

*To:* af@afmug.com
*Subject:* Re: [AFMUG] everyone should be blocking SMB ports


Yes, block.


-
Mike Hammett
Intelligent Computing Solutions <http://www.ics-il.com/>
Midwest Internet Exchange <http://www.midwest-ix.com/>
The Brothers WISP <http://www.thebrotherswisp.com/>
--

*From: *"That One Guy /sarcasm" <thatoneguyst...@gmail.com>
*To: *af@afmug.com
*Sent: *Monday, September 19, 2016 11:57:44 AM


*Subject: *Re: [AFMUG] everyone should be blocking SMB ports
What's the WISP consensus on blocking those ports at the edge? Also, what's
the best religion? Is Ford or Chevy better? What's the greatest sports team?

On Mon, Sep 19, 2016 at 11:50 AM, Zach Underwood <zunder1...@gmail.com>
wrote:

My work has its own IP address and gets upstream from AT&T and Charter. The
SMB ports are not blocked.

Zach Underwood (RHCE,RHCSA,RHCT,UACA)

http://ZachUnderwood.me <http://zachunderwood.me/>

advance-networking.com



On Sep 19, 2016 12:47 PM, "Josh Luthman" <j...@imaginenetworksllc.com>
wrote:

Cable/Telco probably.

WISP?  I dunno...


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Mon, Sep 19, 2016 at 12:47 PM, Sean Heskett <af...@zirkel.us> wrote:

I think everyone has been blocking those ports since 1998-ish (or at least
you should be)

-sean


On Mon, Sep 19, 2016 at 10:22 AM, Zach Underwood <zunder1...@gmail.com>
wrote:

This was written from the viewpoint of a Windows AD setup, but it can affect home
users too, since MS makes people use MS Live accounts to log in to Windows.

*Problem:*
Outside servers can get the username/domain/password hash. Once a remote server
has the login info, they could connect to VPN, Office365 or any other service
that uses AD domain user info.
See attachment for an example. I got the example from a VM with a test account
on it.

*Details:*
Microsoft-based browsers like IE and Edge can be induced to make an outbound
SMB connection to a remote server. In this connection Microsoft will send
over the username, domain, and password hash. The remote server can then do a
decryption of

Re: [AFMUG] everyone should be blocking SMB ports

2016-09-20 Thread Paul Stewart
I’ve seen some custom VPN applications run over 445 and shook my head as to 
why….

We limit our filtering specifically to SMTP, DNS, and UPNP type stuff where 
attacks/misuse are most common … 

> On Sep 20, 2016, at 11:20 AM, Ken Hohhof <af...@kwisp.com> wrote:
> 
> I agree with what Lewis said.  Ports 135-139 and 445 are well known ports 
> assigned to Windows networking and have no business being on the open 
> Internet.
>  
> There should be a strong presumption that outbound traffic on these ports is 
> malicious traffic from a worm like Blaster trying to propagate over the 
> Internet.  Best case, a customer has misconfigured something to send LAN 
> traffic over a WAN connection.
>  
> There are many pros and zero cons to blocking this traffic.  Do not get hung 
> up on the word “blocked”.  This is not a Net Neutrality issue.  NetBIOS/SMB 
> is LAN traffic, not WAN traffic; if someone needs it to go site-to-site, then 
> it should be inside something like a VPN.
>  
>  
> From: Stefan Englhardt <mailto:s...@genias.net>
> Sent: Tuesday, September 20, 2016 9:26 AM
> To: af@afmug.com <mailto:af@afmug.com>
> Subject: Re: [AFMUG] everyone should be blocking SMB ports
>  
> We tell our customers: you get free, unblocked access. So we don't block.
> If we see a problem, we block and notify the customer.
>  
>  
> From: Af [mailto:af-boun...@afmug.com <mailto:af-boun...@afmug.com>] On 
> Behalf Of Dave
> Sent: Tuesday, 20 September 2016 16:21
> To: af@afmug.com <mailto:af@afmug.com>
> Subject: Re: [AFMUG] everyone should be blocking SMB ports
>  
> +1
> 
>  
> On 09/20/2016 09:12 AM, Jon Bruce wrote:
>> +1
>> 
>> On 9/20/2016 10:01 AM, Lewis Bergman wrote:
>>> I am a firm believer in the stance that as your ISP, I am not your mommy. 
>>> We did no filtering or firewalling for our customers. The only exception 
>>> being the blocking of certain traffic that had no business being on the 
>>> open Internet. This is one of those things.
>>> 
>>>  
>>> On Tue, Sep 20, 2016, 7:21 AM Richard Strittmatter <rich...@mesh.net 
>>> <mailto:rich...@mesh.net>> wrote:
>>>> We block, and have for years and years.
>>>>  
>>>> Richard Strittmatter
>>>>  
>>>> From: Af [mailto:af-boun...@afmug.com <mailto:af-boun...@afmug.com>] On 
>>>> Behalf Of Mike Hammett
>>>> Sent: Monday, September 19, 2016 11:59 AM
>>>> 
>>>> To: af@afmug.com <mailto:af@afmug.com>
>>>> Subject: Re: [AFMUG] everyone should be blocking SMB ports
>>>>  
>>>> Yes, block.
>>>> 
>>>> 
>>>> 
>>>> -
>>>> Mike Hammett
>>>> Intelligent Computing Solutions <http://www.ics-il.com/>
>>>> Midwest Internet Exchange <http://www.midwest-ix.com/>
>>>> The Brothers WISP <http://www.thebrotherswisp.com/>
>>>> 
>>>> From: "That One Guy /sarcasm" <thatoneguyst...@gmail.com 
>>>> <mailto:thatoneguyst...@gmail.com>>
>>>> To: af@afmug.com <mailto:af@afmug.com>
>>>> Sent: Monday, September 19, 2016 11:57:44 AM
>>>> 
>>>> 
>>>> Subject: Re: [AFMUG] everyone should be blocking SMB ports
>>>> 
>>>> What's the WISP consensus on blocking those ports at the edge? Also, what's 
>>>> the best religion? Is Ford or Chevy better? What's the greatest sports team?
>>>>  
>>>> On Mon, Sep 19, 2016 at 11:50 AM, Zach Underwood <zunder1...@gmail.com 
>>>> <mailto:zunder1...@gmail.com>> wrote:
>>>>> My work has its own IP address and gets upstream from AT&T and Charter. 
>>>>> The SMB ports are not blocked.
>>>>> 
>>>>> Zach Underwood (RHCE,RHCSA,RHCT,UACA)
>>>>> 
>>>>> http://ZachUnderwood.me <http://zachunderwood.me/>

Re: [AFMUG] everyone should be blocking SMB ports

2016-09-20 Thread That One Guy /sarcasm
We run his script; oddly, though, it's not blocking this now. I will have to
go investigate what I did wrong.

On Tue, Sep 20, 2016 at 10:27 AM, Justin Wilson <li...@mtin.net> wrote:

> Butch Evans has an awesome firewalling script.   It’s worth it to buy it
> and see what is going on.
>
>
> Justin Wilson
> j...@mtin.net
>
> ---
> http://www.mtin.net Owner/CEO
> xISP Solutions- Consulting – Data Centers - Bandwidth
>
> http://www.midwest-ix.com  COO/Chairman
> Internet Exchange - Peering - Distributed Fabric
>
> On Sep 20, 2016, at 11:20 AM, Ken Hohhof <af...@kwisp.com> wrote:
>
> I agree with what Lewis said.  Ports 135-139 and 445 are well known ports
> assigned to Windows networking and have no business being on the open
> Internet.
>
> There should be a strong presumption that outbound traffic on these ports
> is malicious traffic from a worm like Blaster trying to propagate over the
> Internet.  Best case, a customer has misconfigured something to send LAN
> traffic over a WAN connection.
>
> There are many pros and zero cons to blocking this traffic.  Do not get
> hung up on the word “blocked”.  This is not a Net Neutrality issue.
> NetBIOS/SMB is LAN traffic, not WAN traffic; if someone needs it to go
> site-to-site, then it should be inside something like a VPN.
>
>
> *From:* Stefan Englhardt <s...@genias.net>
> *Sent:* Tuesday, September 20, 2016 9:26 AM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] everyone should be blocking SMB ports
>
> We tell our customers: you get free, unblocked access. So we don't block.
> If we see a problem, we block and notify the customer.
>
>
> *From:* Af [mailto:af-boun...@afmug.com <af-boun...@afmug.com>] *On Behalf
> Of *Dave
> *Sent:* Tuesday, 20 September 2016 16:21
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] everyone should be blocking SMB ports
>
>
> +1
>
> On 09/20/2016 09:12 AM, Jon Bruce wrote:
>
> +1
> On 9/20/2016 10:01 AM, Lewis Bergman wrote:
>
> I am a firm believer in the stance that as your ISP, I am not your mommy.
> We did no filtering or firewalling for our customers. The only exception
> being the blocking of certain traffic that had no business being on the
> open Internet. This is one of those things.
>
> On Tue, Sep 20, 2016, 7:21 AM Richard Strittmatter <rich...@mesh.net>
> wrote:
>
> We block, and have for years and years.
>
> Richard Strittmatter
>
> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Mike Hammett
> *Sent:* Monday, September 19, 2016 11:59 AM
>
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] everyone should be blocking SMB ports
>
>
> Yes, block.
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> --
>
> *From: *"That One Guy /sarcasm" <thatoneguyst...@gmail.com>
> *To: *af@afmug.com
> *Sent: *Monday, September 19, 2016 11:57:44 AM
>
>
> *Subject: *Re: [AFMUG] everyone should be blocking SMB ports
> What's the WISP consensus on blocking those ports at the edge? Also, what's
> the best religion? Is Ford or Chevy better? What's the greatest sports team?
>
> On Mon, Sep 19, 2016 at 11:50 AM, Zach Underwood <zunder1...@gmail.com>
> wrote:
>
> My work has its own IP address and gets upstream from AT&T and Charter. The
> SMB ports are not blocked.
>
> Zach Underwood (RHCE,RHCSA,RHCT,UACA)
>
> http://ZachUnderwood.me <http://zachunderwood.me/>
>
> advance-networking.com
>
>
>
> On Sep 19, 2016 12:47 PM, "Josh Luthman" <j...@imaginenetworksllc.com>
> wrote:
>
> Cable/Telco probably.
>
> WISP?  I dunno...
>
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Mon, Sep 19, 2016 at 12:47 PM, Sean Heskett <af...@zirkel.us> wrote:
>
> I think everyone has been blocking those ports since 1998-ish (or at least
> you should be)
>
> -sean
>
>
> On Mon, Sep 19, 2016 at 10:22 AM, Zach Underwood <zunder1..

Re: [AFMUG] everyone should be blocking SMB ports

2016-09-20 Thread Justin Wilson
Butch Evans has an awesome firewalling script.   It’s worth it to buy it and 
see what is going on.


Justin Wilson
j...@mtin.net

---
http://www.mtin.net Owner/CEO
xISP Solutions- Consulting – Data Centers - Bandwidth

http://www.midwest-ix.com  COO/Chairman
Internet Exchange - Peering - Distributed Fabric

> On Sep 20, 2016, at 11:20 AM, Ken Hohhof <af...@kwisp.com> wrote:
> 
> I agree with what Lewis said.  Ports 135-139 and 445 are well known ports 
> assigned to Windows networking and have no business being on the open 
> Internet.
>  
> There should be a strong presumption that outbound traffic on these ports is 
> malicious traffic from a worm like Blaster trying to propagate over the 
> Internet.  Best case, a customer has misconfigured something to send LAN 
> traffic over a WAN connection.
>  
> There are many pros and zero cons to blocking this traffic.  Do not get hung 
> up on the word “blocked”.  This is not a Net Neutrality issue.  NetBIOS/SMB 
> is LAN traffic, not WAN traffic; if someone needs it to go site-to-site, then 
> it should be inside something like a VPN.
>  
>  
> From: Stefan Englhardt <mailto:s...@genias.net>
> Sent: Tuesday, September 20, 2016 9:26 AM
> To: af@afmug.com <mailto:af@afmug.com>
> Subject: Re: [AFMUG] everyone should be blocking SMB ports
>  
> We tell our customers: you get free, unblocked access. So we don't block.
> If we see a problem, we block and notify the customer.
>  
>  
> From: Af [mailto:af-boun...@afmug.com <mailto:af-boun...@afmug.com>] On 
> Behalf Of Dave
> Sent: Tuesday, 20 September 2016 16:21
> To: af@afmug.com <mailto:af@afmug.com>
> Subject: Re: [AFMUG] everyone should be blocking SMB ports
>  
> +1
> 
>  
> On 09/20/2016 09:12 AM, Jon Bruce wrote:
>> +1
>> 
>> On 9/20/2016 10:01 AM, Lewis Bergman wrote:
>>> I am a firm believer in the stance that as your ISP, I am not your mommy. 
>>> We did no filtering or firewalling for our customers. The only exception 
>>> being the blocking of certain traffic that had no business being on the 
>>> open Internet. This is one of those things.
>>> 
>>>  
>>> On Tue, Sep 20, 2016, 7:21 AM Richard Strittmatter <rich...@mesh.net 
>>> <mailto:rich...@mesh.net>> wrote:
>>>> We block, and have for years and years.
>>>>  
>>>> Richard Strittmatter
>>>>  
>>>> From: Af [mailto:af-boun...@afmug.com <mailto:af-boun...@afmug.com>] On 
>>>> Behalf Of Mike Hammett
>>>> Sent: Monday, September 19, 2016 11:59 AM
>>>> 
>>>> To: af@afmug.com <mailto:af@afmug.com>
>>>> Subject: Re: [AFMUG] everyone should be blocking SMB ports
>>>>  
>>>> Yes, block.
>>>> 
>>>> 
>>>> 
>>>> -
>>>> Mike Hammett
>>>> Intelligent Computing Solutions <http://www.ics-il.com/>
>>>> Midwest Internet Exchange <http://www.midwest-ix.com/>
>>>> The Brothers WISP <http://www.thebrotherswisp.com/>
>>>> 
>>>> From: "That One Guy /sarcasm" <thatoneguyst...@gmail.com 
>>>> <mailto:thatoneguyst...@gmail.com>>
>>>> To: af@afmug.com <mailto:af@afmug.com>
>>>> Sent: Monday, September 19, 2016 11:57:44 AM
>>>> 
>>>> 
>>>> Subject: Re: [AFMUG] everyone should be blocking SMB ports
>>>> 
>>>> What's the WISP consensus on blocking those ports at the edge? Also, what's 
>>>> the best religion? Is Ford or Chevy better? What's the greatest sports team?
>>>>  
>>>> On Mon, Sep 19, 2016 at 11:50 AM, Zach Underwood <zunder1...@gmail.com 
>>>> <mailto:zunder1...@gmail.com>> wrote:
>>>>> My work has its own IP address and gets upstream from AT&T and Charter. 
>>>>> The SMB ports are not blocked.
>>>>> 
>>>>> Zach Underwood (RHCE,RHCSA,RHCT,UACA)

Re: [AFMUG] everyone should be blocking SMB ports

2016-09-20 Thread Ken Hohhof
I agree with what Lewis said.  Ports 135-139 and 445 are well known ports 
assigned to Windows networking and have no business being on the open Internet.

There should be a strong presumption that outbound traffic on these ports is 
malicious traffic from a worm like Blaster trying to propagate over the 
Internet.  Best case, a customer has misconfigured something to send LAN 
traffic over a WAN connection.

There are many pros and zero cons to blocking this traffic.  Do not get hung up 
on the word “blocked”.  This is not a Net Neutrality issue.  NetBIOS/SMB is LAN 
traffic, not WAN traffic; if someone needs it to go site-to-site, then it should 
be inside something like a VPN.


From: Stefan Englhardt 
Sent: Tuesday, September 20, 2016 9:26 AM
To: af@afmug.com 
Subject: Re: [AFMUG] everyone should be blocking SMB ports

We tell our customers: you get free, unblocked access. So we don't block.

If we see a problem, we block and notify the customer.


From: Af [mailto:af-boun...@afmug.com] On Behalf Of Dave
Sent: Tuesday, 20 September 2016 16:21
To: af@afmug.com
Subject: Re: [AFMUG] everyone should be blocking SMB ports

 

+1

 

On 09/20/2016 09:12 AM, Jon Bruce wrote:

  +1

  On 9/20/2016 10:01 AM, Lewis Bergman wrote:

I am a firm believer in the stance that as your ISP, I am not your mommy. 
We did no filtering or firewalling for our customers. The only exception being 
the blocking of certain traffic that had no business being on the open 
Internet. This is one of those things.

 

On Tue, Sep 20, 2016, 7:21 AM Richard Strittmatter <rich...@mesh.net> wrote:

  We block, and have for years and years.

   

  Richard Strittmatter

   

  From: Af [mailto:af-boun...@afmug.com] On Behalf Of Mike Hammett
  Sent: Monday, September 19, 2016 11:59 AM


  To: af@afmug.com
  Subject: Re: [AFMUG] everyone should be blocking SMB ports

   

  Yes, block.



  -
  Mike Hammett
  Intelligent Computing Solutions

  Midwest Internet Exchange

  The Brothers WISP






--

  From: "That One Guy /sarcasm" <thatoneguyst...@gmail.com>
  To: af@afmug.com
  Sent: Monday, September 19, 2016 11:57:44 AM


      Subject: Re: [AFMUG] everyone should be blocking SMB ports

  What's the WISP consensus on blocking those ports at the edge? Also, what's 
the best religion? Is Ford or Chevy better? What's the greatest sports team?

   

  On Mon, Sep 19, 2016 at 11:50 AM, Zach Underwood <zunder1...@gmail.com> 
wrote:

My work has its own IP address and gets upstream from AT&T and Charter. 
The SMB ports are not blocked.

Zach Underwood (RHCE,RHCSA,RHCT,UACA)

http://ZachUnderwood.me

advance-networking.com



 

On Sep 19, 2016 12:47 PM, "Josh Luthman" <j...@imaginenetworksllc.com> 
wrote:

  Cable/Telco probably.


  WISP?  I dunno...




   

  Josh Luthman
  Office: 937-552-2340
  Direct: 937-552-2343
  1100 Wayne St
  Suite 1337
  Troy, OH 45373

   

  On Mon, Sep 19, 2016 at 12:47 PM, Sean Heskett <af...@zirkel.us> 
wrote:

I think everyone has been blocking those ports since 1998-ish (or 
at least you should be)

 

-sean

 

 

On Mon, Sep 19, 2016 at 10:22 AM, Zach Underwood 
<zunder1...@gmail.com> wrote:

  This was written from the viewpoint of a Windows AD setup, but it can 
affect home users too, since MS makes people use MS Live accounts to log in to 
Windows.

  Problem:

  Outside servers can get the username/domain/password hash. Once a 
remote server has the login info, they could connect to VPN, Office365 or any 
other service that uses AD domain user info.

  See attachment for an example. I got the example from a VM with a 
test account on it.

  Details:

  Microsoft-based browsers like IE and Edge can be induced to make 
an outbound SMB connection to a remote server. In this connection Microsoft will 
send over the username, domain, and password hash. The remote server can then do a 
decryption of the password hash using brute force, password dictionaries, and 
rainbow tables.

  Fix:

  The fastest way to stop this is to block all of the SMB network 
ports on the edge firewall for incoming and outgoing. The ports are 137-138 UDP, 
137 TCP, 139 TCP, 445 TCP.

   

  Sources:

  
http://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/

  Testing site:

  https://msleak.perfect-privacy.com/

   

  -- 

  Zach Un
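
As an added example (not code from any post in this thread), the following Python sketches the "see a problem, then block and notify" approach Stefan describes, applied to the port list from Zach's original post and to Ken's distinction between worm-like outbound traffic and leaked LAN traffic. The customer prefix, the flow-log format and the sample flows are constructed assumptions.

```python
"""Flag customer traffic on the NetBIOS/SMB ports named in the thread.

Added example, not code from any post above. It reads constructed flow-log
lines in a made-up "ts proto src:sport > dst:dport" format and reports, per
customer address, which flows hit the port set the original post says to
block at the edge (137-138/udp, 137/tcp, 139/tcp, 445/tcp) and in which
direction, so an operator can block and notify rather than guess.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
import re

# Port list from the original post: 137-138 udp, 137 tcp, 139 tcp, 445 tcp.
SMB_PORTS = {("udp", 137), ("udp", 138), ("tcp", 137), ("tcp", 139), ("tcp", 445)}

# Hypothetical customer-facing prefix (TEST-NET-2); substitute your own.
CUSTOMER_NETS = [ip_network("198.51.100.0/24")]

# RFC 1918 space: a destination here means LAN traffic that escaped onto the WAN.
RFC1918_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]

# Constructed flow-log layout for this example, not a real export format.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_flow(line):
    """Return one flow as a dict, or None when the line does not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    flow["sport"] = int(flow["sport"])
    flow["dport"] = int(flow["dport"])
    return flow


def is_customer(ip):
    return any(ip_address(ip) in net for net in CUSTOMER_NETS)


def is_lan_address(ip):
    return any(ip_address(ip) in net for net in RFC1918_NETS)


def classify(flow):
    """Label a flow, or return None when it is not on an SMB/NetBIOS port.

    outbound-smb-misconfig: customer -> RFC 1918 destination, i.e. LAN traffic
                            leaking over the WAN (Ken's "best case")
    outbound-smb          : customer -> public destination; presume a worm or
                            a forced SMB connection carrying credentials
    inbound-smb           : Internet -> customer on one of the ports
    """
    if (flow["proto"], flow["dport"]) not in SMB_PORTS:
        return None
    src_cust, dst_cust = is_customer(flow["src"]), is_customer(flow["dst"])
    if src_cust and not dst_cust:
        return "outbound-smb-misconfig" if is_lan_address(flow["dst"]) else "outbound-smb"
    if dst_cust and not src_cust:
        return "inbound-smb"
    return None  # customer-to-customer or pure transit; out of scope here


def summarize(lines):
    """Map each customer IP to the labels seen for it, in log order."""
    report = defaultdict(list)
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        label = classify(flow)
        if label is None:
            continue
        customer = flow["src"] if label.startswith("outbound") else flow["dst"]
        report[customer].append(label)
    return dict(report)


# Constructed sample flows using TEST-NET addresses, not captured traffic.
SAMPLE_FLOWS = [
    "2016-09-20T10:22:01 tcp 198.51.100.23:51234 > 203.0.113.7:445",
    "2016-09-20T10:22:02 udp 198.51.100.23:137 > 192.168.1.255:137",
    "2016-09-20T10:22:03 tcp 203.0.113.9:40000 > 198.51.100.40:139",
    "2016-09-20T10:22:04 tcp 198.51.100.23:51240 > 203.0.113.7:443",
    "this line is deliberately unparseable",
]

if __name__ == "__main__":
    for customer, labels in sorted(summarize(SAMPLE_FLOWS).items()):
        print(customer, labels)
```

The per-customer report is what an operator would act on: a single misconfig entry suggests a notify, while repeated outbound-smb entries to public addresses are the worm-like pattern Ken describes.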

Re: [AFMUG] everyone should be blocking SMB ports

2016-09-20 Thread Stefan Englhardt
We tell our customers: you get free, unblocked access. So we don't block.

If we see a problem, we block and notify the customer.


From: Af [mailto:af-boun...@afmug.com] On Behalf Of Dave
Sent: Tuesday, 20 September 2016 16:21
To: af@afmug.com
Subject: Re: [AFMUG] everyone should be blocking SMB ports



+1



On 09/20/2016 09:12 AM, Jon Bruce wrote:

+1

On 9/20/2016 10:01 AM, Lewis Bergman wrote:

I am a firm believer in the stance that as your ISP, I am not your mommy. We 
did no filtering or firewalling for our customers. The only exception being the 
blocking of certain traffic that had no business being on the open Internet. 
This is one of those things.



On Tue, Sep 20, 2016, 7:21 AM Richard Strittmatter <rich...@mesh.net 
<mailto:rich...@mesh.net> > wrote:

We block, and have for years and years.



Richard Strittmatter



From: Af [mailto:af-boun...@afmug.com <mailto:af-boun...@afmug.com> ] On Behalf 
Of Mike Hammett
Sent: Monday, September 19, 2016 11:59 AM


To: af@afmug.com <mailto:af@afmug.com>
Subject: Re: [AFMUG] everyone should be blocking SMB ports



Yes, block.



-
Mike Hammett
Intelligent Computing Solutions <http://www.ics-il.com/>
Midwest Internet Exchange <http://www.midwest-ix.com/>
The Brothers WISP <http://www.thebrotherswisp.com/>



From: "That One Guy /sarcasm" <thatoneguyst...@gmail.com 
<mailto:thatoneguyst...@gmail.com> >
To: af@afmug.com <mailto:af@afmug.com>
Sent: Monday, September 19, 2016 11:57:44 AM


Subject: Re: [AFMUG] everyone should be blocking SMB ports

What's the WISP consensus on blocking those ports at the edge? Also, what's the 
best religion? Is Ford or Chevy better? What's the greatest sports team?



On Mon, Sep 19, 2016 at 11:50 AM, Zach Underwood <zunder1...@gmail.com 
<mailto:zunder1...@gmail.com> > wrote:

My work has its own IP address and gets upstream from AT&T and Charter. The SMB 
ports are not blocked.

Zach Underwood (RHCE,RHCSA,RHCT,UACA)

http://ZachUnderwood.me

advance-networking.com <http://advance-networking.com>





On Sep 19, 2016 12:47 PM, "Josh Luthman" <j...@imaginenetworksllc.com 
<mailto:j...@imaginenetworksllc.com> > wrote:

Cable/Telco probably.


WISP?  I dunno...






Josh Luthman
Office: 937-552-2340 
Direct: 937-552-2343 
1100 Wayne St
Suite 1337
Troy, OH 45373



On Mon, Sep 19, 2016 at 12:47 PM, Sean Heskett <af...@zirkel.us 
<mailto:af...@zirkel.us> > wrote:

I think everyone has been blocking those ports since 1998-ish (or at least you 
should be)



-sean





On Mon, Sep 19, 2016 at 10:22 AM, Zach Underwood <zunder1...@gmail.com 
<mailto:zunder1...@gmail.com> > wrote:

This was written from the viewpoint of a Windows AD setup, but it can affect home 
users too, since MS makes people use MS Live accounts to log in to Windows.

Problem:

Outside servers can get the username/domain/password hash. Once a remote server 
has the login info, they could connect to VPN, Office365 or any other service 
that uses AD domain user info.

See attachment for an example. I got the example from a VM with a test account 
on it.

Details:

Microsoft-based browsers like IE and Edge can be induced to make an outbound SMB 
connection to a remote server. In this connection Microsoft will send over the 
username, domain, and password hash. The remote server can then do a decryption 
of the password hash using brute force, password dictionaries, and rainbow tables.

Fix:

The fastest way to stop this is to block all of the SMB network ports on the 
edge firewall for incoming and outgoing. The ports are 137-138 UDP, 
137 TCP, 139 TCP, 445 TCP.



Sources:

http://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/

Testing site:

https://msleak.perfect-privacy.com/



--

Zach Underwood (RHCE,RHCSA,RHCT,UACA)

My website <http://zachunderwood.me>

advance-networking.com <http://advance-networking.com>

--

If you only see yourself as part of the team but you don't see your team as 
part of yourself you have already failed as part of the team.





--

Re: [AFMUG] everyone should be blocking SMB ports

2016-09-20 Thread Dave

+1


On 09/20/2016 09:12 AM, Jon Bruce wrote:

+1

On 9/20/2016 10:01 AM, Lewis Bergman wrote:


I am a firm believer in the stance that as your ISP, I am not your 
mommy. We did no filtering or firewalling for our customers. The only 
exception being the blocking of certain traffic that had no business 
being on the open Internet. This is one of those things.



On Tue, Sep 20, 2016, 7:21 AM Richard Strittmatter <rich...@mesh.net 
<mailto:rich...@mesh.net>> wrote:


We block, and have for years and years.

Richard Strittmatter

*From:*Af [mailto:af-boun...@afmug.com
<mailto:af-boun...@afmug.com>] *On Behalf Of *Mike Hammett
*Sent:* Monday, September 19, 2016 11:59 AM


*To:* af@afmug.com <mailto:af@afmug.com>
    *Subject:* Re: [AFMUG] everyone should be blocking SMB ports

Yes, block.



-
Mike Hammett
Intelligent Computing Solutions <http://www.ics-il.com/>
Midwest Internet Exchange <http://www.midwest-ix.com/>
The Brothers WISP <http://www.thebrotherswisp.com/>



*From: *"That One Guy /sarcasm" <thatoneguyst...@gmail.com
<mailto:thatoneguyst...@gmail.com>>
*To: *af@afmug.com <mailto:af@afmug.com>
*Sent: *Monday, September 19, 2016 11:57:44 AM


*Subject: *Re: [AFMUG] everyone should be blocking SMB ports

What's the WISP consensus on blocking those ports at the edge?
Also, what's the best religion? Is Ford or Chevy better? What's the
greatest sports team?

On Mon, Sep 19, 2016 at 11:50 AM, Zach Underwood
<zunder1...@gmail.com <mailto:zunder1...@gmail.com>> wrote:

My work has its own IP address and gets upstream from AT&T and
Charter. The SMB ports are not blocked.

Zach Underwood (RHCE,RHCSA,RHCT,UACA)

http://ZachUnderwood.me

advance-networking.com <http://advance-networking.com>

On Sep 19, 2016 12:47 PM, "Josh Luthman"
<j...@imaginenetworksllc.com
<mailto:j...@imaginenetworksllc.com>> wrote:

Cable/Telco probably.


WISP?  I dunno...


Josh Luthman
Office: 937-552-2340 
Direct: 937-552-2343 
1100 Wayne St
Suite 1337
Troy, OH 45373

On Mon, Sep 19, 2016 at 12:47 PM, Sean Heskett
<af...@zirkel.us <mailto:af...@zirkel.us>> wrote:

I think everyone has been blocking those ports since
1998-ish (or at least you should be)

-sean

On Mon, Sep 19, 2016 at 10:22 AM, Zach Underwood
<zunder1...@gmail.com <mailto:zunder1...@gmail.com>>
wrote:

This was written from the viewpoint of a Windows
AD setup, but it can affect home users too, since MS
makes people use MS Live accounts to log in to
Windows.

*Problem:*

Outside servers can get the username/domain/password
hash. Once a remote server has the login info,
they could connect to VPN, Office365 or any other
service that uses AD domain user info.

See attachment for an example. I got the example
from a VM with a test account on it.

*Details:*

Microsoft-based browsers like IE and Edge can be
induced to make an outbound SMB connection to a
remote server. In this connection Microsoft will
send over the username, domain, and password hash.
The remote server can then do a decryption of the
password hash using brute force, password
dictionaries, and rainbow tables.

*Fix:*

The fastest way to stop this is to block all of
the SMB network ports on the edge firewall for
incoming and outgoing. The ports are 137-138 UDP,
137 TCP, 139 TCP, 445 TCP.

*Sources:*

http://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/

*Testing site*:


Re: [AFMUG] everyone should be blocking SMB ports

2016-09-20 Thread Jon Bruce

+1

On 9/20/2016 10:01 AM, Lewis Bergman wrote:


I am a firm believer in the stance that as your ISP, I am not your 
mommy. We did no filtering or firewalling for our customers. The only 
exception being the blocking of certain traffic that had no business 
being on the open Internet. This is one of those things.



On Tue, Sep 20, 2016, 7:21 AM Richard Strittmatter <rich...@mesh.net 
<mailto:rich...@mesh.net>> wrote:


We block, and have for years and years.

Richard Strittmatter

*From:*Af [mailto:af-boun...@afmug.com
<mailto:af-boun...@afmug.com>] *On Behalf Of *Mike Hammett
*Sent:* Monday, September 19, 2016 11:59 AM


*To:* af@afmug.com <mailto:af@afmug.com>
    *Subject:* Re: [AFMUG] everyone should be blocking SMB ports

Yes, block.



-
Mike Hammett
Intelligent Computing Solutions <http://www.ics-il.com/>
Midwest Internet Exchange <http://www.midwest-ix.com/>
The Brothers WISP <http://www.thebrotherswisp.com/>



*From: *"That One Guy /sarcasm" <thatoneguyst...@gmail.com
<mailto:thatoneguyst...@gmail.com>>
*To: *af@afmug.com <mailto:af@afmug.com>
*Sent: *Monday, September 19, 2016 11:57:44 AM


*Subject: *Re: [AFMUG] everyone should be blocking SMB ports

What's the WISP consensus on blocking those ports at the edge?
Also, what's the best religion? Is Ford or Chevy better? What's the
greatest sports team?

On Mon, Sep 19, 2016 at 11:50 AM, Zach Underwood
<zunder1...@gmail.com <mailto:zunder1...@gmail.com>> wrote:

My work has its own IP address and gets upstream from AT&T and
Charter. The SMB ports are not blocked.

Zach Underwood (RHCE,RHCSA,RHCT,UACA)

http://ZachUnderwood.me

advance-networking.com <http://advance-networking.com>

On Sep 19, 2016 12:47 PM, "Josh Luthman"
<j...@imaginenetworksllc.com
<mailto:j...@imaginenetworksllc.com>> wrote:

Cable/Telco probably.


WISP?  I dunno...


Josh Luthman
Office: 937-552-2340 
Direct: 937-552-2343 
1100 Wayne St
Suite 1337
Troy, OH 45373

On Mon, Sep 19, 2016 at 12:47 PM, Sean Heskett
<af...@zirkel.us <mailto:af...@zirkel.us>> wrote:

I think everyone has been blocking those ports since
1998-ish (or at least you should be)

-sean

On Mon, Sep 19, 2016 at 10:22 AM, Zach Underwood
<zunder1...@gmail.com <mailto:zunder1...@gmail.com>>
wrote:

This was written from the viewpoint of a Windows AD
setup but it can affect home users too since MS makes
people use MS Live accounts to log in to Windows.

*Problem:*

Outside servers can get username/domain/password
hash. Once a remote server has the login info they
could connect to VPN, Office365 or another
service that uses AD domain user info.

See attachment for example. I got the example from
a VM with a test account on it.


*Details:*

Microsoft based browsers like IE and Edge can be
induced to make an outbound SMB connection to a
remote server. In this connection Microsoft will
send over username, domain, and password hash. The
remote server can then attempt decryption of the
password hash using brute force, password
dictionaries and rainbow tables.

*Fix:*

The fastest way to stop this is to block all of
the SMB network ports on the edge firewall for
incoming and outgoing. The ports are 137-138/udp,
137/tcp, 139/tcp, 445/tcp.

*Sources:*


http://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/

*Testing site*:

https://msleak.perfect-privacy.com/

-- 


  

Re: [AFMUG] everyone should be blocking SMB ports

2016-09-20 Thread Lewis Bergman
I am a firm believer in the stance that as your ISP, I am not your mommy.
We did no filtering or firewalling for our customers. The only exception
being the blocking of certain traffic that had no business being on the
open Internet. This is one of those things.

On Tue, Sep 20, 2016, 7:21 AM Richard Strittmatter <rich...@mesh.net> wrote:

> We block, have for years and years..
>
>
>
> Richard Strittmatter
>
>
>
> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Mike Hammett
> *Sent:* Monday, September 19, 2016 11:59 AM
>
>
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] everyone should be blocking SMB ports
>
>
>
> Yes, block.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> ------
>
> *From: *"That One Guy /sarcasm" <thatoneguyst...@gmail.com>
> *To: *af@afmug.com
> *Sent: *Monday, September 19, 2016 11:57:44 AM
>
>
> *Subject: *Re: [AFMUG] everyone should be blocking SMB ports
>
> What's the WISP consensus on blocking those ports at the edge? Also, what's
> the best religion? Is Ford or Chevy better? What's the greatest sports team?
>
>
>
> On Mon, Sep 19, 2016 at 11:50 AM, Zach Underwood <zunder1...@gmail.com>
> wrote:
>
> My work has its own IP address and gets upstream from AT&T and Charter. The
> SMB ports are not blocked.
>
> Zach Underwood (RHCE,RHCSA,RHCT,UACA)
>
> http://ZachUnderwood.me
>
> advance-networking.com
>
>
>
>
>
> On Sep 19, 2016 12:47 PM, "Josh Luthman" <j...@imaginenetworksllc.com>
> wrote:
>
> Cable/Telco probably.
>
>
> WISP?  I dunno...
>
>
>
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
>
>
> On Mon, Sep 19, 2016 at 12:47 PM, Sean Heskett <af...@zirkel.us> wrote:
>
> I think everyone has been blocking those ports since 1998-ish (or at least
> you should be)
>
>
>
> -sean
>
>
>
>
>
> On Mon, Sep 19, 2016 at 10:22 AM, Zach Underwood <zunder1...@gmail.com>
> wrote:
>
> This was written from the viewpoint of a Windows AD setup but it can affect home
> users too since MS makes people use MS Live accounts to log in to Windows.
>
>
>
> *Problem:*
>
> Outside servers can get username/domain/password hash. Once a remote
> server has the login info they could connect to VPN, Office365 or another
> service that uses AD domain user info.
>
> See attachment for example. I got the example from a VM with a test
> account on it.
>
>
> *Details:*
>
> Microsoft based browsers like IE and Edge can be induced to make an
> outbound SMB connection to a remote server. In this connection Microsoft
> will send over username, domain, and password hash. The remote server can
> then attempt decryption of the password hash using brute force, password
> dictionaries and rainbow tables.
>
>
>
> *Fix:*
>
> The fastest way to stop this is to block all of the SMB network ports on
> the edge firewall for incoming and outgoing. The ports are 137-138/udp,
> 137/tcp, 139/tcp, 445/tcp.
>
>
>
> *Sources:*
>
>
> http://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/
>
> *Testing site*:
>
> https://msleak.perfect-privacy.com/
>
>
>
> --
>
> Zach Underwood (RHCE,RHCSA,RHCT,UACA)
>
> My website <http://zachunderwood.me>
>
> advance-networking.com
>
>
>
>
>
>
>
>
>
> --
>
> If you only see yourself as part of the team but you don't see your team
> as part of yourself you have already failed as part of the team.
>


Re: [AFMUG] everyone should be blocking SMB ports

2016-09-20 Thread Richard Strittmatter
We block, have for years and years..

Richard Strittmatter

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Mike Hammett
Sent: Monday, September 19, 2016 11:59 AM
To: af@afmug.com
Subject: Re: [AFMUG] everyone should be blocking SMB ports

Yes, block.


-
Mike Hammett
Intelligent Computing Solutions<http://www.ics-il.com/>
Midwest Internet Exchange<http://www.midwest-ix.com/>
The Brothers WISP<http://www.thebrotherswisp.com/>

From: "That One Guy /sarcasm" 
<thatoneguyst...@gmail.com<mailto:thatoneguyst...@gmail.com>>
To: af@afmug.com<mailto:af@afmug.com>
Sent: Monday, September 19, 2016 11:57:44 AM
Subject: Re: [AFMUG] everyone should be blocking SMB ports
What's the WISP consensus on blocking those ports at the edge? Also, what's the
best religion? Is Ford or Chevy better? What's the greatest sports team?

On Mon, Sep 19, 2016 at 11:50 AM, Zach Underwood
<zunder1...@gmail.com<mailto:zunder1...@gmail.com>> wrote:

My work has its own IP address and gets upstream from AT&T and Charter. The SMB
ports are not blocked.

Zach Underwood (RHCE,RHCSA,RHCT,UACA)

http://ZachUnderwood.me

advance-networking.com<http://advance-networking.com>



On Sep 19, 2016 12:47 PM, "Josh Luthman" 
<j...@imaginenetworksllc.com<mailto:j...@imaginenetworksllc.com>> wrote:
Cable/Telco probably.

WISP?  I dunno...


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Mon, Sep 19, 2016 at 12:47 PM, Sean Heskett 
<af...@zirkel.us<mailto:af...@zirkel.us>> wrote:
I think everyone has been blocking those ports since 1998-ish (or at least you
should be)

-sean


On Mon, Sep 19, 2016 at 10:22 AM, Zach Underwood 
<zunder1...@gmail.com<mailto:zunder1...@gmail.com>> wrote:
This was written from the viewpoint of a Windows AD setup but it can affect home
users too since MS makes people use MS Live accounts to log in to Windows.

Problem:
Outside servers can get username/domain/password hash. Once a remote server has
the login info they could connect to VPN, Office365 or another service that
uses AD domain user info.
See attachment for example. I got the example from a VM with a test account on
it.

Details:
Microsoft based browsers like IE and Edge can be induced to make an outbound SMB
connection to a remote server. In this connection Microsoft will send over
username, domain, and password hash. The remote server can then attempt decryption
of the password hash using brute force, password dictionaries and rainbow tables.

Fix:
The fastest way to stop this is to block all of the SMB network ports on the
edge firewall for incoming and outgoing. The ports are 137-138/udp,
137/tcp, 139/tcp, 445/tcp.

Sources:
http://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/
Testing site:
https://msleak.perfect-privacy.com/

--
Zach Underwood (RHCE,RHCSA,RHCT,UACA)
My website<http://zachunderwood.me>
advance-networking.com<http://advance-networking.com>





--
If you only see yourself as part of the team but you don't see your team as 
part of yourself you have already failed as part of the team.



Re: [AFMUG] everyone should be blocking SMB ports

2016-09-19 Thread Ken Hohhof
It is an unfortunate legacy of Microsoft thinking TCP/IP was for linking 
Windows computers together.  A public global Internet?  What a silly idea.

These big companies still have not gotten over the idea that the Internet was 
built for them.  Like for delivering Windows 10 updates, Xbox updates, storing 
all your data in the OneDrive or Azure cloud.  And of course you will have a 
Windows or Google or Facebook account and use that to log into everything.  And 
if you’re a 23 year old engineer at one of these companies and it’s the only 
place you’ve ever worked, you probably drink the kool aid.


From: Josh Luthman 
Sent: Monday, September 19, 2016 12:01 PM
To: af@afmug.com 
Subject: Re: [AFMUG] everyone should be blocking SMB ports

There is *NO* reason to not block and countless reasons to block them at your 
edge.

If the customer wants to access these ports they should tunnel in.


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Mon, Sep 19, 2016 at 12:57 PM, That One Guy /sarcasm 
<thatoneguyst...@gmail.com> wrote:

  What's the WISP consensus on blocking those ports at the edge? Also, what's the
best religion? Is Ford or Chevy better? What's the greatest sports team?

  On Mon, Sep 19, 2016 at 11:50 AM, Zach Underwood <zunder1...@gmail.com> wrote:

My work has its own IP address and gets upstream from AT&T and Charter. The
SMB ports are not blocked.

Zach Underwood (RHCE,RHCSA,RHCT,UACA)

http://ZachUnderwood.me

advance-networking.com




On Sep 19, 2016 12:47 PM, "Josh Luthman" <j...@imaginenetworksllc.com> 
wrote:

  Cable/Telco probably. 

  WISP?  I dunno...



  Josh Luthman
  Office: 937-552-2340
  Direct: 937-552-2343
  1100 Wayne St
  Suite 1337
  Troy, OH 45373


  On Mon, Sep 19, 2016 at 12:47 PM, Sean Heskett <af...@zirkel.us> wrote:

I think everyone has been blocking those ports since 1998-ish (or at 
least you should be) 

-sean


On Mon, Sep 19, 2016 at 10:22 AM, Zach Underwood <zunder1...@gmail.com> 
wrote:

  This was written from the viewpoint of a Windows AD setup but it can affect
home users too since MS makes people use MS Live accounts to log in to Windows.


  Problem:
  Outside servers can get username/domain/password hash. Once a remote
server has the login info they could connect to VPN, Office365 or another
service that uses AD domain user info.
  See attachment for example. I got the example from a VM with a test
account on it.

  Details:
  Microsoft based browsers like IE and Edge can be induced to make an
outbound SMB connection to a remote server. In this connection Microsoft will
send over username, domain, and password hash. The remote server can then attempt
decryption of the password hash using brute force, password dictionaries and
rainbow tables.

  Fix:
  The fastest way to stop this is to block all of the SMB network
ports on the edge firewall for incoming and outgoing. The ports are 137-138/udp,
137/tcp, 139/tcp, 445/tcp.

  Sources:
  
http://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/

  Testing site:
  https://msleak.perfect-privacy.com/

  -- 

  Zach Underwood (RHCE,RHCSA,RHCT,UACA) 
  My website

  advance-networking.com







  -- 

  If you only see yourself as part of the team but you don't see your team as 
part of yourself you have already failed as part of the team.


Re: [AFMUG] everyone should be blocking SMB ports

2016-09-19 Thread George Skorup

We've used the SMB filter on Canopy since day one.

On 9/19/2016 12:01 PM, Josh Luthman wrote:
There is *NO* reason to not block and countless reasons to block them 
at your edge.


If the customer wants to access these ports they should tunnel in.


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Mon, Sep 19, 2016 at 12:57 PM, That One Guy /sarcasm wrote:


What's the WISP consensus on blocking those ports at the edge?
Also, what's the best religion? Is Ford or Chevy better? What's the
greatest sports team?

On Mon, Sep 19, 2016 at 11:50 AM, Zach Underwood wrote:

My work has its own IP address and gets upstream from AT&T and
Charter. The SMB ports are not blocked.

Zach Underwood (RHCE,RHCSA,RHCT,UACA)

http://ZachUnderwood.me

advance-networking.com 


On Sep 19, 2016 12:47 PM, "Josh Luthman" wrote:

Cable/Telco probably.

WISP?  I dunno...


Josh Luthman
Office: 937-552-2340 
Direct: 937-552-2343 
1100 Wayne St
Suite 1337
Troy, OH 45373

On Mon, Sep 19, 2016 at 12:47 PM, Sean Heskett wrote:

I think everyone has been blocking those ports since
1998-ish (or at least you should be)

-sean


On Mon, Sep 19, 2016 at 10:22 AM, Zach Underwood wrote:

This was written from the viewpoint of a Windows AD
setup but it can affect home users too since MS makes
people use MS Live accounts to log in to Windows.

*Problem:*
Outside servers can get username/domain/password
hash. Once a remote server has the login info they
could connect to VPN, Office365 or another
service that uses AD domain user info.
See attachment for example. I got the example from
a VM with a test account on it.

*Details:*
Microsoft based browsers like IE and Edge can be
induced to make an outbound SMB connection to a
remote server. In this connection Microsoft will
send over username, domain, and password hash. The
remote server can then attempt decryption of the
password hash using brute force, password
dictionaries and rainbow tables.

*Fix:*
The fastest way to stop this is to block all of
the SMB network ports on the edge firewall for
incoming and outgoing. The ports are 137-138/udp,
137/tcp, 139/tcp, 445/tcp.

*Sources:*

http://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/


*Testing site*:
https://msleak.perfect-privacy.com/


-- 
Zach Underwood (RHCE,RHCSA,RHCT,UACA)

My website 
advance-networking.com 






-- 
If you only see yourself as part of the team but you don't see

your team as part of yourself you have already failed as part of
the team.






Re: [AFMUG] everyone should be blocking SMB ports

2016-09-19 Thread Ken Hohhof
That’s pretty amazing.  They should be blocked inbound and outbound.

Blaster worm was like 13 years ago?  At that time, if you connected a brand new 
Windows computer to a non firewalled Internet connection, it would be infected 
within seconds, before you could run Windows Update.

I also remember people would get these little system notification windows 
popping up on their screen.

I think we used to block port 1434 due to the MS SQL Slammer worm, I forget how 
long ago we stopped that.


From: Zach Underwood 
Sent: Monday, September 19, 2016 11:50 AM
To: af@afmug.com 
Subject: Re: [AFMUG] everyone should be blocking SMB ports

My work has its own IP address and gets upstream from AT&T and Charter. The SMB
ports are not blocked.

Zach Underwood (RHCE,RHCSA,RHCT,UACA)

http://ZachUnderwood.me

advance-networking.com




On Sep 19, 2016 12:47 PM, "Josh Luthman" <j...@imaginenetworksllc.com> wrote:

  Cable/Telco probably. 

  WISP?  I dunno...


  Josh Luthman
  Office: 937-552-2340
  Direct: 937-552-2343
  1100 Wayne St
  Suite 1337
  Troy, OH 45373

  On Mon, Sep 19, 2016 at 12:47 PM, Sean Heskett <af...@zirkel.us> wrote:

I think everyone has been blocking those ports since 1998-ish (or at least 
you should be) 

-sean


On Mon, Sep 19, 2016 at 10:22 AM, Zach Underwood <zunder1...@gmail.com> 
wrote:

  This was written from the viewpoint of a Windows AD setup but it can affect home
users too since MS makes people use MS Live accounts to log in to Windows.


  Problem:
  Outside servers can get username/domain/password hash. Once a remote
server has the login info they could connect to VPN, Office365 or another
service that uses AD domain user info.
  See attachment for example. I got the example from a VM with a test
account on it.

  Details:
  Microsoft based browsers like IE and Edge can be induced to make an
outbound SMB connection to a remote server. In this connection Microsoft will
send over username, domain, and password hash. The remote server can then attempt
decryption of the password hash using brute force, password dictionaries and
rainbow tables.

  Fix:
  The fastest way to stop this is to block all of the SMB network ports on
the edge firewall for incoming and outgoing. The ports are 137-138/udp,
137/tcp, 139/tcp, 445/tcp.

  Sources:
  
http://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/

  Testing site:
  https://msleak.perfect-privacy.com/

  -- 

  Zach Underwood (RHCE,RHCSA,RHCT,UACA) 
  My website

  advance-networking.com




Re: [AFMUG] everyone should be blocking SMB ports

2016-09-19 Thread Josh Luthman
There is *NO* reason to not block and countless reasons to block them at
your edge.

If the customer wants to access these ports they should tunnel in.


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Mon, Sep 19, 2016 at 12:57 PM, That One Guy /sarcasm <
thatoneguyst...@gmail.com> wrote:

> What's the WISP consensus on blocking those ports at the edge? Also, what's
> the best religion? Is Ford or Chevy better? What's the greatest sports team?
>
> On Mon, Sep 19, 2016 at 11:50 AM, Zach Underwood 
> wrote:
>
>> My work has its own IP address and gets upstream from AT&T and Charter.
>> The SMB ports are not blocked.
>>
>> Zach Underwood (RHCE,RHCSA,RHCT,UACA)
>>
>> http://ZachUnderwood.me
>>
>> advance-networking.com
>>
>>
>>
>> On Sep 19, 2016 12:47 PM, "Josh Luthman" 
>> wrote:
>>
>>> Cable/Telco probably.
>>>
>>> WISP?  I dunno...
>>>
>>>
>>> Josh Luthman
>>> Office: 937-552-2340
>>> Direct: 937-552-2343
>>> 1100 Wayne St
>>> Suite 1337
>>> Troy, OH 45373
>>>
>>> On Mon, Sep 19, 2016 at 12:47 PM, Sean Heskett  wrote:
>>>
 I think everyone has been blocking those ports since 1998-ish (or at
 least you should be)

 -sean


 On Mon, Sep 19, 2016 at 10:22 AM, Zach Underwood 
 wrote:

> This was written from the viewpoint of a Windows AD setup but it can affect
> home users too since MS makes people use MS Live accounts to log in to
> Windows.
>
> *Problem:*
> Outside servers can get username/domain/password hash. Once a remote
> server has the login info they could connect to VPN, Office365 or another
> service that uses AD domain user info.
> See attachment for example. I got the example from a VM with a test
> account on it.
>
> *Details:*
> Microsoft based browsers like IE and Edge can be induced to make an
> outbound SMB connection to a remote server. In this connection Microsoft
> will send over username, domain, and password hash. The remote server can
> then attempt decryption of the password hash using brute force, password
> dictionaries and rainbow tables.
>
> *Fix:*
> The fastest way to stop this is to block all of the SMB network ports
> on the edge firewall for incoming and outgoing. The ports are 137-138/udp,
> 137/tcp, 139/tcp, 445/tcp.
>
> *Sources:*
> http://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/
> *Testing site*:
> https://msleak.perfect-privacy.com/
>
> --
> Zach Underwood (RHCE,RHCSA,RHCT,UACA)
> My website 
> advance-networking.com
>


>>>
>
>
> --
> If you only see yourself as part of the team but you don't see your team
> as part of yourself you have already failed as part of the team.
>


Re: [AFMUG] everyone should be blocking SMB ports

2016-09-19 Thread Mike Hammett
https://customer.xfinity.com/help-and-support/internet/list-of-blocked-ports/ 

That's a good list to start with. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 




- Original Message -

From: "That One Guy /sarcasm" <thatoneguyst...@gmail.com> 
To: af@afmug.com 
Sent: Monday, September 19, 2016 11:57:44 AM 
Subject: Re: [AFMUG] everyone should be blocking SMB ports 


What's the WISP consensus on blocking those ports at the edge? Also, what's the
best religion? Is Ford or Chevy better? What's the greatest sports team?


On Mon, Sep 19, 2016 at 11:50 AM, Zach Underwood < zunder1...@gmail.com >
wrote:



My work has its own IP address and gets upstream from AT&T and Charter. The SMB
ports are not blocked.
Zach Underwood (RHCE,RHCSA,RHCT,UACA) 
http://ZachUnderwood.me 
advance-networking.com 





On Sep 19, 2016 12:47 PM, "Josh Luthman" < j...@imaginenetworksllc.com > wrote: 



Cable/Telco probably. 

WISP? I dunno... 






Josh Luthman 
Office: 937-552-2340 
Direct: 937-552-2343 
1100 Wayne St 
Suite 1337 
Troy, OH 45373 

On Mon, Sep 19, 2016 at 12:47 PM, Sean Heskett < af...@zirkel.us > wrote: 



I think everyone has been blocking those ports since 1998-ish (or at least you 
should be) 


-sean 






On Mon, Sep 19, 2016 at 10:22 AM, Zach Underwood < zunder1...@gmail.com > 
wrote: 




This was written from the viewpoint of a Windows AD setup but it can affect home users
too since MS makes people use MS Live accounts to log in to Windows.

Problem:
Outside servers can get username/domain/password hash. Once a remote server has
the login info they could connect to VPN, Office365 or another service that
uses AD domain user info.
See attachment for example. I got the example from a VM with a test account on
it.


Details:
Microsoft based browsers like IE and Edge can be induced to make an outbound SMB
connection to a remote server. In this connection Microsoft will send over
username, domain, and password hash. The remote server can then attempt decryption
of the password hash using brute force, password dictionaries and rainbow
tables.


Fix:
The fastest way to stop this is to block all of the SMB network ports on the
edge firewall for incoming and outgoing. The ports are 137-138/udp,
137/tcp, 139/tcp, 445/tcp.


Sources: 
http://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/
 

Testing site : 
https://msleak.perfect-privacy.com/ 

-- 






Zach Underwood (RHCE,RHCSA,RHCT, UACA ) 


My website 

advance-networking.com 

-- 




If you only see yourself as part of the team but you don't see your team as 
part of yourself you have already failed as part of the team. 


Re: [AFMUG] everyone should be blocking SMB ports

2016-09-19 Thread Mike Hammett
Yes, block. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 




- Original Message -

From: "That One Guy /sarcasm" <thatoneguyst...@gmail.com> 
To: af@afmug.com 
Sent: Monday, September 19, 2016 11:57:44 AM 
Subject: Re: [AFMUG] everyone should be blocking SMB ports 


What's the WISP consensus on blocking those ports at the edge? Also, what's the
best religion? Is Ford or Chevy better? What's the greatest sports team?


On Mon, Sep 19, 2016 at 11:50 AM, Zach Underwood < zunder1...@gmail.com >
wrote:



My work has its own IP address and gets upstream from AT&T and Charter. The SMB
ports are not blocked.
Zach Underwood (RHCE,RHCSA,RHCT,UACA) 
http://ZachUnderwood.me 
advance-networking.com 





On Sep 19, 2016 12:47 PM, "Josh Luthman" < j...@imaginenetworksllc.com > wrote: 



Cable/Telco probably. 

WISP? I dunno... 






Josh Luthman 
Office: 937-552-2340 
Direct: 937-552-2343 
1100 Wayne St 
Suite 1337 
Troy, OH 45373 

On Mon, Sep 19, 2016 at 12:47 PM, Sean Heskett < af...@zirkel.us > wrote: 



I think everyone has been blocking those ports since 1998-ish (or at least you 
should be) 


-sean 






On Mon, Sep 19, 2016 at 10:22 AM, Zach Underwood < zunder1...@gmail.com > 
wrote: 




This was written from the viewpoint of a Windows AD setup but it can affect home users
too since MS makes people use MS Live accounts to log in to Windows.

Problem:
Outside servers can get username/domain/password hash. Once a remote server has
the login info they could connect to VPN, Office365 or another service that
uses AD domain user info.
See attachment for example. I got the example from a VM with a test account on
it.


Details:
Microsoft based browsers like IE and Edge can be induced to make an outbound SMB
connection to a remote server. In this connection Microsoft will send over
username, domain, and password hash. The remote server can then attempt decryption
of the password hash using brute force, password dictionaries and rainbow
tables.


Fix:
The fastest way to stop this is to block all of the SMB network ports on the
edge firewall for incoming and outgoing. The ports are 137-138/udp,
137/tcp, 139/tcp, 445/tcp.


Sources: 
http://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/
 

Testing site : 
https://msleak.perfect-privacy.com/ 

-- 






Zach Underwood (RHCE,RHCSA,RHCT, UACA ) 


My website 

advance-networking.com 

-- 




If you only see yourself as part of the team but you don't see your team as 
part of yourself you have already failed as part of the team. 


Re: [AFMUG] everyone should be blocking SMB ports

2016-09-19 Thread That One Guy /sarcasm
What's the WISP consensus on blocking those ports at the edge? Also, what's
the best religion? Is Ford or Chevy better? What's the greatest sports team?

On Mon, Sep 19, 2016 at 11:50 AM, Zach Underwood wrote:

> My work has its own IP address and gets upstream from AT&T and Charter. The
> SMB ports are not blocked.
>
> Zach Underwood (RHCE,RHCSA,RHCT,UACA)
>
> http://ZachUnderwood.me
>
> advance-networking.com
>
>
>
> On Sep 19, 2016 12:47 PM, "Josh Luthman" 
> wrote:
>
>> Cable/Telco probably.
>>
>> WISP?  I dunno...
>>
>>
>> Josh Luthman
>> Office: 937-552-2340
>> Direct: 937-552-2343
>> 1100 Wayne St
>> Suite 1337
>> Troy, OH 45373
>>
>> On Mon, Sep 19, 2016 at 12:47 PM, Sean Heskett  wrote:
>>
>>> I think everyone has been blocking those ports since 1998-ish (or at
>>> least you should be)
>>>
>>> -sean
>>>
>>>
>>> On Mon, Sep 19, 2016 at 10:22 AM, Zach Underwood 
>>> wrote:
>>>
 This was written from the viewpoint of a Windows AD setup but it can affect
 home users too since MS makes people use MS Live accounts to log in to
 Windows.

 *Problem:*
 Outside servers can get username/domain/password hash. Once a remote
 server has the login info they could connect to VPN, Office365 or another
 service that uses AD domain user info.
 See attachment for example. I got the example from a VM with a test
 account on it.

 *Details:*
 Microsoft based browsers like IE and Edge can be induced to make an
 outbound SMB connection to a remote server. In this connection Microsoft
 will send over username, domain, and password hash. The remote server can
 then attempt decryption of the password hash using brute force, password
 dictionaries and rainbow tables.

 *Fix:*
 The fastest way to stop this is to block all of the SMB network ports
 on the edge firewall for incoming and outgoing. The ports are 137-138/udp,
 137/tcp, 139/tcp, 445/tcp.

 *Sources:*
 http://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/
 *Testing site*:
 https://msleak.perfect-privacy.com/

 --
 Zach Underwood (RHCE,RHCSA,RHCT,UACA)
 My website 
 advance-networking.com

>>>
>>>
>>


-- 
If you only see yourself as part of the team but you don't see your team as
part of yourself you have already failed as part of the team.
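Zach's fix (block 137-138/udp and 137/139/445/tcp at the edge, inbound and outbound) and the follow-up question of whether anyone's upstream actually does it both come down to the same port set. What follows is an added example, not code from this thread or from any of the posters: it turns that port set into an nftables ruleset for the forward path of an edge router, and audits flow records for SMB/NetBIOS traffic that crossed the customer/Internet boundary, which is exactly the traffic the filter should have dropped. The flow-line format, the customer prefixes in CUSTOMER_NETS and the records in SAMPLE_FLOWS are all constructed for the example.

```python
"""Edge filter helper for the NetBIOS/SMB port set from the thread.

Added example, not code from the mailing-list post. nft_ruleset() turns
the port set into an nftables ruleset that drops the ports in both
directions on a forwarding router; audit_flows() flags flow records where
SMB/NetBIOS crossed the customer/Internet boundary. The flow-line format,
CUSTOMER_NETS and SAMPLE_FLOWS are constructed for the example.
"""
import ipaddress

# Port set exactly as given in the post: 137-138/udp, 137/tcp, 139/tcp, 445/tcp.
SMB_PORTS = {
    "tcp": frozenset({137, 139, 445}),
    "udp": frozenset({137, 138}),
}

# Prefixes on the customer side of the edge (constructed for the example).
CUSTOMER_NETS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def nft_ruleset(table="edge_smb"):
    """Return an nftables ruleset dropping the SMB/NetBIOS ports in the forward hook.

    Routed traffic in both directions passes the forward hook, so one chain
    covers "incoming and outgoing" at the edge.
    """
    tcp = ", ".join(str(p) for p in sorted(SMB_PORTS["tcp"]))
    udp = ", ".join(str(p) for p in sorted(SMB_PORTS["udp"]))
    return (
        f"table inet {table} {{\n"
        f"    set smb_tcp {{ type inet_service; elements = {{ {tcp} }} }}\n"
        f"    set smb_udp {{ type inet_service; elements = {{ {udp} }} }}\n"
        "    chain forward {\n"
        "        type filter hook forward priority 0; policy accept;\n"
        "        tcp dport @smb_tcp counter drop\n"
        "        udp dport @smb_udp counter drop\n"
        "    }\n"
        "}\n"
    )


def is_customer(ip):
    """True if the address falls inside one of the customer prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CUSTOMER_NETS)


def parse_flow(line):
    """Parse a constructed IPv4 flow line: '<proto> <src>:<sport> > <dst>:<dport>'."""
    proto, src, _, dst = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return proto.lower(), src_ip, int(sport), dst_ip, int(dport)


def classify_flow(line):
    """Return None for flows the edge may pass, else why the filter should drop it."""
    proto, src_ip, _sport, dst_ip, dport = parse_flow(line)
    ports = SMB_PORTS.get(proto)
    if not ports or dport not in ports:
        return None  # not an SMB/NetBIOS service port
    src_in, dst_in = is_customer(src_ip), is_customer(dst_ip)
    if src_in and not dst_in:
        return "outbound"  # customer host talking SMB to the Internet: the credential-leak case
    if dst_in and not src_in:
        return "inbound"   # Internet host reaching a customer's SMB port: the worm case
    if not src_in and not dst_in:
        return "transit"   # neither side is ours; still has no business crossing our edge
    return None            # customer-to-customer NetBIOS/SMB, left to the LAN rules


def audit_flows(lines):
    """Return [(line, reason)] for every flow the edge filter should have dropped."""
    hits = []
    for line in lines:
        line = line.strip()
        if line:
            reason = classify_flow(line)
            if reason:
                hits.append((line, reason))
    return hits


# Constructed sample flow records; none of these come from the post.
SAMPLE_FLOWS = [
    "tcp 192.168.1.20:49152 > 203.0.113.10:445",  # IE/Edge induced SMB to a remote server
    "tcp 203.0.113.77:40000 > 198.51.100.7:445",  # inbound probe of a customer host
    "udp 192.168.1.20:137 > 192.168.1.255:137",   # LAN NetBIOS name broadcast, fine
    "tcp 192.168.1.20:50000 > 203.0.113.10:443",  # ordinary HTTPS, fine
    "udp 198.51.100.7:138 > 203.0.113.10:138",    # NetBIOS datagram leaking to the WAN
    "tcp 203.0.113.5:1234 > 203.0.113.10:139",    # neither side is a customer
]

if __name__ == "__main__":
    print(nft_ruleset())
    for flow, reason in audit_flows(SAMPLE_FLOWS):
        print(f"{reason:9} {flow}")
```

Run as a script it prints the ruleset and the four flagged flows. The audit is the part worth pointing at a real NetFlow or firewall-log export once parse_flow is adapted to that record format; matching on destination port alone is enough here because the SMB/NetBIOS service side always sits on one of the listed ports, and anything hitting those ports across the customer boundary is exactly what the forward-chain drop rules are meant to count.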


Re: [AFMUG] everyone should be blocking SMB ports

2016-09-19 Thread Zach Underwood
My work has its own IP address and gets upstream from AT&T and Charter. The
SMB ports are not blocked.

Zach Underwood (RHCE,RHCSA,RHCT,UACA)

http://ZachUnderwood.me

advance-networking.com



On Sep 19, 2016 12:47 PM, "Josh Luthman" 
wrote:

> Cable/Telco probably.
>
> WISP?  I dunno...
>
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Mon, Sep 19, 2016 at 12:47 PM, Sean Heskett  wrote:
>
>> I think everyone has been blocking those ports since 1998-ish (or at
>> least you should be)
>>
>> -sean
>>
>>
>> On Mon, Sep 19, 2016 at 10:22 AM, Zach Underwood 
>> wrote:
>>
>>> This was written from the viewpoint of a Windows AD setup but it can affect home
>>> users too since MS makes people use MS Live accounts to log in to Windows.
>>>
>>> *Problem:*
>>> Outside servers can get username/domain/password hash. Once a remote
>>> server has the login info they could connect to VPN, Office365 or another
>>> service that uses AD domain user info.
>>> See attachment for example. I got the example from a VM with a test
>>> account on it.
>>>
>>> *Details:*
>>> Microsoft based browsers like IE and Edge can be induced to make an
>>> outbound SMB connection to a remote server. In this connection Microsoft
>>> will send over username, domain, and password hash. The remote server can
>>> then attempt decryption of the password hash using brute force, password
>>> dictionaries and rainbow tables.
>>>
>>> *Fix:*
>>> The fastest way to stop this is to block all of the SMB network ports
>>> on the edge firewall for incoming and outgoing. The ports are 137-138/udp,
>>> 137/tcp, 139/tcp, 445/tcp.
>>>
>>> *Sources:*
>>> http://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/
>>> *Testing site*:
>>> https://msleak.perfect-privacy.com/
>>>
>>> --
>>> Zach Underwood (RHCE,RHCSA,RHCT,UACA)
>>> My website 
>>> advance-networking.com
>>>
>>
>>
>


Re: [AFMUG] everyone should be blocking SMB ports

2016-09-19 Thread Josh Luthman
Cable/Telco probably.

WISP?  I dunno...


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Mon, Sep 19, 2016 at 12:47 PM, Sean Heskett  wrote:

> I think everyone has been blocking those ports since 1998-ish (or at least
> you should be)
>
> -sean
>
>
> On Mon, Sep 19, 2016 at 10:22 AM, Zach Underwood 
> wrote:
>
>> This was written from the viewpoint of a Windows AD setup but it can affect home
>> users too since MS makes people use MS Live accounts to log in to Windows.
>>
>> *Problem:*
>> Outside servers can get username/domain/password hash. Once a remote
>> server has the login info they could connect to VPN, Office365 or another
>> service that uses AD domain user info.
>> See attachment for example. I got the example from a VM with a test
>> account on it.
>>
>> *Details:*
>> Microsoft based browsers like IE and Edge can be induced to make an
>> outbound SMB connection to a remote server. In this connection Microsoft
>> will send over username, domain, and password hash. The remote server can
>> then attempt decryption of the password hash using brute force, password
>> dictionaries and rainbow tables.
>>
>> *Fix:*
>> The fastest way to stop this is to block all of the SMB network ports on
>> the edge firewall for incoming and outgoing. The ports are 137-138/udp,
>> 137/tcp, 139/tcp, 445/tcp.
>>
>> *Sources:*
>> http://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/
>> *Testing site*:
>> https://msleak.perfect-privacy.com/
>>
>> --
>> Zach Underwood (RHCE,RHCSA,RHCT,UACA)
>> My website 
>> advance-networking.com
>>
>
>


Re: [AFMUG] everyone should be blocking SMB ports

2016-09-19 Thread Sean Heskett
I think everyone has been blocking those ports since 1998-ish (or at least
you should be)

-sean


On Mon, Sep 19, 2016 at 10:22 AM, Zach Underwood 
wrote:

> This was written from the viewpoint of a Windows AD setup, but it can affect
> home users too, since MS makes people use MS Live accounts to log in to Windows.
>
> *Problem:*
> Outside servers can get the username/domain/password hash. Once a remote
> server has the login info, it could connect to VPN, Office365 or another
> service that uses AD domain user info.
> See attachment for an example. I got the example from a VM with a test
> account on it.
>
> *Details:*
> Microsoft-based browsers like IE and Edge can be induced to make an
> outbound SMB connection to a remote server. In this connection Microsoft
> will send over the username, domain, and password hash. The remote server then
> can do a decryption of the password hash using brute force, password
> dictionary and rainbow tables.
>
> *Fix:*
> The fastest way to stop this is to block all of the SMB network ports on
> the edge firewall for incoming and outgoing. The ports are 137-138 UDP,
> 137 TCP, 139 TCP, 445 TCP.
>
> *Sources:*
> http://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/
> *Testing site*:
> https://msleak.perfect-privacy.com/
>
> --
> Zach Underwood (RHCE,RHCSA,RHCT,UACA)
> My website 
> advance-networking.com
>
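The fix Zach lists (block 137-138/udp and 137/139/445 tcp at the edge, both directions) as a small defender-side helper. This is an added example, not code from anyone in the thread: it classifies constructed flow records into the outbound credential-leak case and the inbound probe case, and renders the same port list as nftables drop rules. The customer address range (100.64.0.0/10) and the nftables table and chain names (`inet edge`, `forward`) are assumptions.

```python
"""Flag NetBIOS/SMB flows crossing an ISP edge and render matching nftables drop rules."""
import ipaddress
from typing import List, Optional, Tuple

SMB_PORTS = {"udp": {137, 138}, "tcp": {137, 139, 445}}  # the ports listed in the thread
CUSTOMER_NETS = [ipaddress.ip_network("100.64.0.0/10")]  # assumed customer space, placeholder

# Constructed flow records: "<proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_FLOWS = [
    "tcp 100.64.12.7:49213 -> 203.0.113.9:445",   # browser-induced outbound SMB
    "udp 100.64.12.7:137 -> 203.0.113.9:137",     # NetBIOS name traffic leaving the network
    "tcp 198.51.100.4:55120 -> 100.64.12.7:445",  # Internet host probing a customer
    "tcp 100.64.12.7:51000 -> 203.0.113.9:443",   # ordinary HTTPS, ignored
    "tcp 100.64.12.7:50002 -> 100.64.12.8:445",   # stays inside customer space, ignored
]

def is_customer(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CUSTOMER_NETS)

def parse_flow(line: str) -> dict:
    proto, src, _, dst = line.split()
    sip, _sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"proto": proto.lower(), "src": sip, "dst": dip, "dport": int(dport)}

def classify(flow: dict) -> Optional[str]:
    """Return 'outbound' or 'inbound' when SMB/NetBIOS crosses the edge, else None."""
    if flow["dport"] not in SMB_PORTS.get(flow["proto"], set()):
        return None
    src_cust, dst_cust = is_customer(flow["src"]), is_customer(flow["dst"])
    if src_cust and not dst_cust:
        return "outbound"  # the credential-leak / worm case the thread describes
    if dst_cust and not src_cust:
        return "inbound"   # a remote host reaching a customer's NetBIOS/SMB
    return None            # customer-to-customer or unrelated traffic

def find_crossings(lines: List[str]) -> List[Tuple[str, str]]:
    return [(ln, v) for ln in lines if (v := classify(parse_flow(ln)))]

def nft_rules(table: str = "inet edge", chain: str = "forward") -> List[str]:
    """Render the port list as nftables drop rules; table and chain names are assumed."""
    rules = []
    for proto, ports in sorted(SMB_PORTS.items()):
        plist = ", ".join(str(p) for p in sorted(ports))
        rules.append(f"add rule {table} {chain} {proto} dport {{ {plist} }} counter drop")
    return rules
```

Matching on destination port in a forward chain covers both directions on an edge router, since customer-originated and Internet-originated packets both traverse it.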