On Wed, 2003-12-17 at 06:57, Jonas Carlsson wrote:
> I run samba 2.2.8a on my openbsd 3.4 box, installed from a package.
> All I need is the ability to mount disks from winxp boxes so I only run
> smbd, at 139/tcp.
> I tried scanning the box with nessus, and it came up with some results
> that got me curious.
> Since I don't know very much about the smb protocol I thought I should
> ask here.
The nessus text is a little alarming - given that none of the
information disclosed to your internal LAN is really that interesting...
> Have searched the archives but found only old posts, concerning older
> versions.
>
> What's a NULL session? What are domain and host SID?
> Nessus also suggests I'd limit the access to the IPC$ share.
The 'securing samba' section of the howto collection includes
information on the IPC$ share.
> How can i limit this info disclosure?
You should only be running samba on trusted networks that often need
this information, but you can restrict it a little, in some situations.
> 127.0.0.1|netbios-ssn (139/tcp)|10397|INFO|Here is the browse list of
> the remote host :
> HOSTNAME -
> This is potentially dangerous as this may help the attack of a potential
> hacker by giving him extra targets to check for
> Solution : filter incoming traffic to this port
> Risk factor : Low
>
> 127.0.0.1|netbios-ssn (139/tcp)|10395|INFO|Here is the list of the SMB
> shares of this host :
> myshare -
> IPC$ -
> ADMIN$ -
> This is potentially dangerous as this may help the attack of a potential
> hacker. Solution : filter incoming traffic to this port
> Risk factor : Medium
>
> 127.0.0.1|netbios-ssn (139/tcp)|10400|INFO|
> The remote registry can be accessed remotely using the login / password
> combination used
> for the SMB tests. Having the registry accessible to the world is not a
> good thing as it gives
> extra knowledge to a hacker.
> Solution : Apply service pack 3 if not done already,
> and set the key
> HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg
> to restrict what can be browsed by non administrators.
> In addition to this, you should consider filtering incoming packets to
> this port.
> Risk factor : Low
We don't actually expose a remote registry - we expose something that
looks like it for the purpose of running various services. If you were
to follow the advice on an MS box, you would probably break things.
> 127.0.0.1|netbios-ssn (139/tcp)|10859|INFO|The host SID can be obtained
> remotely. Its value is :
> HOSTNAME : 4-55-654367899-87557843444-56789446
> An attacker can use it to obtain the list of the local users of this host
> Solution : filter the ports 137 to 139 and 445
> Risk factor : Low
>
> 127.0.0.1|netbios-ssn (139/tcp)|10398|INFO|The domain SID can be
> obtained remotely. Its value is :
> WORKGROUP : 45-0-0-0-0
> An attacker can use it to obtain the list of the local users of this host
> Solution : filter the ports 137 to 139 and 445
> Risk factor : Low
>
> 127.0.0.1|netbios-ssn (139/tcp)|10394|REPORT|
> . It was possible to log into the remote host using a NULL session.
> The concept of a NULL session is to provide a null username and
> a null password, which grants the user the 'guest' access
> To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
> Q246261 (Windows 2000).
> Note that this won't completely disable null sessions, but will prevent
> them from connecting to IPC$.
This is matched by the 'restrict anonymous' parameter in Samba 3.0.
> Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html.
> All the smb tests will be done as ''/'whatever' in domain
Andrew Bartlett
--
Andrew Bartlett abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet@samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
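As an added illustration (not part of this thread and not the Samba project's own documentation), the two smb.conf fragments below put the open defaults that produce the Nessus findings above next to a restricted configuration built from the parameters mentioned in the reply: 'restrict anonymous' as in Samba 3.0, and an explicit [IPC$] section of the kind the 'securing samba' howto section describes, plus interface and host filtering. The share name, username, interface address and subnet are assumed values, and the two fragments are alternatives, not one file.

```ini
# --- Fragment 1: open configuration (assumed; roughly what the scanned box runs) ---
[global]
   workgroup = WORKGROUP
   security = user
   # No interface or host restrictions: smbd answers on every address.
   # No 'restrict anonymous': a NULL session can list shares and fetch SIDs.

[myshare]
   path = /srv/myshare
   read only = no

# --- Fragment 2: same server, limited to the trusted LAN ---
[global]
   workgroup = WORKGROUP
   security = user
   # Listen only on the LAN-facing address (assumed address/subnet).
   interfaces = 192.168.1.10/24
   bind interfaces only = yes
   # Only 139/tcp, matching the poster's setup.
   smb ports = 139
   # Refuse connections from anything outside the LAN.
   hosts allow = 192.168.1.0/24 127.0.0.1
   hosts deny = ALL
   # Samba 3.0: 0 = allow anonymous, 1 = no anonymous share enumeration,
   # 2 = no anonymous access to IPC$ at all.
   restrict anonymous = 1

[IPC$]
   # Explicit IPC$ section: same host filtering, everyone else is denied.
   hosts allow = 192.168.1.0/24 127.0.0.1
   hosts deny = ALL

[myshare]
   path = /srv/myshare
   read only = no
   # Only the named account (assumed) may connect, even from the LAN.
   valid users = jonas
```

Run testparm against the edited file before restarting smbd, then repeat the anonymous listing from a host outside the allowed subnet (for example smbclient -L server -N) to confirm it is now refused; the Samba manual warns that 'restrict anonymous = 2' can break some Windows client operations, so test 2 on the LAN before relying on it.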