On Wed, 2003-12-17 at 06:57, Jonas Carlsson wrote:
I run samba 2.2.8a on my openbsd 3.4 box, installed from a package.
All i need is the ability to mount disks form winxp boxes so i only run
smbd, at 139/tcp.
I tried scanning the box with nessus, and it came up with some results
that got me curious.
Since i dont know very much about the smb protocol I thought i should
ask here.
The nessus text is a little alarming - given that none of the
information disclosed to your internal LAN is really that interesting...
Have searched the archives but found only old posts, concering older
versions.
Whats a NULL session? what are domain and host SID?
Nessus also suggests i'd limit the access to the $IPC share.
The 'securing samba' section of the howto collection includes
information on the IPC$ share.
How can i limit this info disclosure?
You should only be running samba onto trusted networks that often need
this information, but you can restrict it a little, in some situations.
127.0.0.1|netbios-ssn (139/tcp)|10397|INFO|Here is the browse list of
the remote host :
HOSTNAME -
This is potentially dangerous as this may help the attack of a potential
hacker by giving him extra targets to check for
Solution : filter incoming traffic to this port
Risk factor : Low
127.0.0.1|netbios-ssn (139/tcp)|10395|INFO|Here is the list of the SMB
shares of this host :
myshare -
IPC$ -
ADMIN$ -
This is potentially dangerous as this may help the attack of a potential
hacker. Solution : filter incoming traffic to this port
Risk factor : Medium
127.0.0.1|netbios-ssn (139/tcp)|10400|INFO|
The remote registry can be accessed remotely using the login / password
combination used
for the SMB tests. Having the registry accessible to the world is not a
good thing as it gives
extra knowledge to a hacker.
Solution : Apply service pack 3 if not done already,
and set the key
HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg
to restrict what can be browsed by non administrators.
In addition to this, you should consider filtering incoming packets to
this port.
Risk factor : Low
We don't actually expose a remote registry - we expose something that
looks like it for the purpose of running various services. If you were
to follow the advise on an MS box, you would probably break things.
127.0.0.1|netbios-ssn (139/tcp)|10859|INFO|The host SID can be obtained
remotely. Its value is :
HOSTNAME : 4-55-654367899-87557843444-56789446
An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low
127.0.0.1|netbios-ssn (139/tcp)|10398|INFO|The domain SID can be
obtained remotely. Its value is :
WORKGROUP : 45-0-0-0-0
An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low
127.0.0.1|netbios-ssn (139/tcp)|10394|REPORT|
. It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user the 'guest' access
To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will prevent
them from
connecting to IPC$.
This is matched by 'restrict anonymous' parameter in Samba 3.0.
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html.
All the smb tests will be done as ''/'whatever' in domain
Andrew Bartlett
--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
signature.asc
Description: This is a digitally signed message part
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
