Security Incidents mailing list archives

Re: NetBIOS info


From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Mon, 27 Mar 2000 13:06:26 -0800


-----Original Message-----
From: Bill Pennington
Sent: Wednesday, March 22, 2000 3:37 PM
Subject: Re: NetBIOS info

Great stuff. Thanks Robert! A few comments... Maybe more along the line
of a rant but...

It just seems a little silly to me that in order to prevent this stuff
from landing on my link I need to set up PTR records for all my boxes.
What if I do not want PTR records (for whatever sick and twisted reason)?
Now I have to put up with all this cruft getting shoved down my pipe.

I think we can agree that not everyone is going to have PTR records
set up or even configured correctly to stop this stuff. It looks like a
big bandwidth hog to me. If gethostbyaddr fails then let it fail; no need
to send out more packets. Also someone sent me an e-mail wondering if
you could use this as an attack method. It would seem like an easy way
to guess the OS without ever sending a probe packet to the host. If you
had some NetBIOS bomb or auto Windows hack tool you could set up a site,
wait to get some NetBIOS request, then attack. I am sure there is a
better way to handle it but that is a topic for Vuln-dev, not here.

Ok, off the soapbox... :-)

Don't get mad; get even. I've written a little utility that simply
reflects NetBIOS queries back at the sender, and saves their
responses to a file. It is at:

http://www.robertgraham.com/src/soibten.c

Of course, this is likely to do you more harm than good (to you),
but at least you get to scan all those pesky Windows users.
The cool part is that it seems to penetrate NATs, stateful
firewalls, and legal barriers. (i.e. this isn't code,
but a philosophical statement).

Robert Graham
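
To measure how much of this traffic actually lands on a link, the following added example (not part of the original messages, and not the soibten.c utility) classifies UDP/137 payloads and counts node status queries per source. It assumes the unsolicited packets are NetBIOS node status (NBSTAT) queries in the RFC 1002 layout; the sample datagrams and addresses are constructed.

```python
import struct
from collections import Counter

NBSTAT, NB, CLASS_IN = 0x0021, 0x0020, 0x0001
WILDCARD = b"*" + b"\x00" * 15          # name carried by node status queries

def encode_nb_name(name16: bytes) -> bytes:
    # RFC 1001 first-level encoding: split each byte into nibbles, add 'A' to each
    return bytes(c for b in name16 for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))

def decode_nb_name(enc: bytes) -> bytes:
    if len(enc) != 32 or any(not 0x41 <= b <= 0x50 for b in enc):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))

def classify_nbns(payload: bytes) -> str:
    """Return 'nbstat-query', 'other-nbns' or 'malformed' for one UDP/137 payload."""
    if len(payload) < 12:
        return "malformed"
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000 or qdcount != 1:   # responses and multi-question packets
        return "other-nbns"
    q = payload[12:]
    # Question: length byte 0x20, 32 encoded bytes, root label 0x00, QTYPE, QCLASS
    if len(q) < 38 or q[0] != 0x20 or q[33] != 0x00:
        return "malformed"
    try:
        name = decode_nb_name(q[1:33])
    except ValueError:
        return "malformed"
    qtype, qclass = struct.unpack("!2H", q[34:38])
    if qtype == NBSTAT and qclass == CLASS_IN and name == WILDCARD:
        return "nbstat-query"
    return "other-nbns"

def tally_nbstat_sources(datagrams):
    # datagrams: iterable of (src_ip, payload) pairs taken from UDP/137 traffic
    return Counter(src for src, p in datagrams if classify_nbns(p) == "nbstat-query")

def _sample(txid, name16, qtype):        # builds a constructed test datagram
    return (struct.pack("!6H", txid, 0, 1, 0, 0, 0) + b"\x20" + encode_nb_name(name16)
            + b"\x00" + struct.pack("!2H", qtype, CLASS_IN))

SAMPLES = [                              # constructed; RFC 5737 documentation addresses
    ("192.0.2.10", _sample(0x1001, WILDCARD, NBSTAT)),
    ("192.0.2.10", _sample(0x1002, WILDCARD, NBSTAT)),
    ("198.51.100.7", _sample(0x2001, b"FILESRV".ljust(15) + b"\x20", NB)),
    ("203.0.113.5", b"\x00\x01\x02"),    # truncated header
]
```

Feed `tally_nbstat_sources` the (source, payload) pairs from a border capture to see which remote hosts generate the queries and how often.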

