Incident: 03-01-02 07:41am

Two examples of udp:137 NetBIOS name table probes

Pretty common stuff, actually..

..I used to think it was just a misconfigured Window$ box, but after doing a little research, I'm not so sure. Read on...

Here's what /etc/services has to say:

netbios-ns      137/tcp         #NETBIOS Name Service
netbios-ns      137/udp         #NETBIOS Name Service

See: http://support.baynetworks.com/library/tpubs/html/router/soft1200/117358AA/B_39.HTM

"The Network Basic Input/Output System (NetBIOS) is a session layer communications service used by client and server applications in IBM token ring and PC LAN networks.

"There are three categories of NetBIOS services: the name service, the session service, and the datagram service.

"The NetBIOS name service allows an application to:

And see: http://www.microsoft.com/ntserver/techresources/commnet/WINS/WINSwp98/WINS01-12.asp

"NetBIOS Names:

"In order to understand the architecture of WINS, it is first necessary to understand the history behind it: that is, NetBIOS. NetBIOS started as a high-level programming language interface for PC-DOS applications to IBM PC-Network broadband LANs..."


This is interesting, from SANS:

http://www.sans.org/y2k/061500.htm

Handler on Duty: Stephen Northcutt:
(Judy Novak, my co-author on the new version of the intrusion book 
checks in with the scoop on CKAAAA.. You know, I can't look at that 
and not think of a bunch of crows! )

Stephen, Don't remember seeing a discussion of the significance 
of the "CKAAA...." in the Snort 137 traffic posted on GIAC.

Here's what I've discovered in doing some research. See you...

In doing research for the Windows section of the TCP/IP course, I discovered 
the correlation between the ASCII characters "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 
that are seen in the Snort output and the meaning of the Snort alert "SMB Name
Wildcard". Perhaps the GIAC users might want to understand the connection. When
NetBIOS names are sent over the network, they are "mangled"..."


The "..intrusion book.." is "Network Intrusion Detection" by Stephen Northcutt and Judy Novak, New Riders, pub..

Also see: "Intrusion Signatures and Analysis" by Northcutt, Mark Cooper, Matt Fearnow and Karen Frederick, also New Riders, pub..

Both books are highly recommended!

From "Intrusion Signatures.." see pp. 156-159 "NetBIOS Wildcard Scan"

The packet examples in that book are almost identical to those I received, below.


And this is interesting:

See: http://archives.neohapsis.com/archives/snort/2000-01/0222.html

IDSKEY IDS177
EVENT NAME netbios-name-query
EVENT DESCRIPTION:
This is a standard netbios name table retrieval query.
Windows machines often exchange these queries as a part of the filesharing
protocol to determine NetBIOS names when only IP addresses are known. An
attacker could use this same query to extract useful information such as
workstation name, domain, and users currently logged in.

SIGNATURE alert UDP $EXTERNAL any -> $INTERNAL 137 (msg:
"IDS177/netbios-name-query"; content: "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|00
00|";)

PROTOCOL UDP
SOURCE IP $EXTERNAL
SOURCE PORT any
DIRECTION ->
DESTINATION IP $INTERNAL
DESTINATION PORT 137
CONTENTS "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|00 00|"

CATAGORIES Pre-Attack_Probe

BACKGROUND: Windows machines typically send these types of queries in normal
operation, particularly when filesharing is active, to determine NetBIOS
names when only IP addresses are known. 

This type of query, when originating from an external network, is usually 
a pre-attack probe to gather netbios name table information such as 
workstation name, domain, and a list of currently logged in users. 

This signature was created and can be reproduced by using the unix 
samba command "nmblookup -A ". 

By accessing system name table information, individuals can obtain information 
which can be used to launch an attack. Information available includes: 
1. The NetBIOS name of the server. 
2. The Windows NT workgroup domain name. 
3. Login names of users who are logged into the server. 
4. The name of the administrator account if they are logged into the server. 

It is considered best practice to ensure that users outside of your network 
are not permitted to access the NetBIOS name service. This is usually 
accomplished by configuring packet filters to drop UDP traffic to port 137.

PACKET TRACES 

12/30-02:28:32.282973 source:1057 -> target:137
UDP TTL:64 TOS:0x0 ID:62089
Len: 58
24 C0 00 00 00 01 00 00 00 00 00 00 20 43 4B 41  $........... CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  AAAAAAAAAAAAA..!
00 01

Looks a lot like what I've got, below:


snort packet dumps:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/01-07:46:20.430267 209.85.219.50:53128 -> 12.82.128.101:137
UDP TTL:115 TOS:0x0 ID:25339 IpLen:20 DgmLen:78
Len: 58
E9 DE 00 10 00 01 00 00 00 00 00 00 20 43 4B 41  ............ CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  AAAAAAAAAAAAA..!
00 01                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/01-07:46:21.930436 209.85.219.50:53128 -> 12.82.128.101:137
UDP TTL:115 TOS:0x0 ID:50939 IpLen:20 DgmLen:78
Len: 58
EA 62 00 10 00 01 00 00 00 00 00 00 20 43 4B 41  .b.......... CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  AAAAAAAAAAAAA..!
00 01                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/01-07:46:23.430536 209.85.219.50:53128 -> 12.82.128.101:137
UDP TTL:115 TOS:0x0 ID:3836 IpLen:20 DgmLen:78
Len: 58
EA EE 00 10 00 01 00 00 00 00 00 00 20 43 4B 41  ............ CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  AAAAAAAAAAAAA..!
00 01                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
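The SANS note above says NetBIOS names are "mangled" on the wire, and the IDS177 signature matches the mangled form of the wildcard name. The following is an added example, not code from this page, from Snort or from the arachNIDS database: it implements the RFC 1001 first-level encoding that turns "*" into CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA, parses the NBNS header and question out of the dumps above (the hex bytes are copied from the first dump on this page), and reports whether the packet is the NBSTAT wildcard query the signature describes. Function names and the `classify` labels are my own.

```python
"""Decode NetBIOS Name Service (udp/137) queries such as the CKAAAA... probes.

Added example (not from the page, Snort or arachNIDS); standard library only.
"""
import struct

# Hex dump copied from the first Snort trace on the page (50-byte UDP payload;
# Snort's "Len: 58" includes the 8-byte UDP header).
SAMPLE_HEX = (
    "E9 DE 00 10 00 01 00 00 00 00 00 00 20 43 4B 41 "
    "41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 "
    "41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 "
    "00 01"
)

QTYPE_NB = 0x0020      # NB: resolve a name to an IP address
QTYPE_NBSTAT = 0x0021  # NBSTAT: node status request, i.e. dump the name table
WILDCARD = "*"         # the "any name" that nmblookup -A / nbtstat -A send

# Content string from the IDS177 rule quoted on the page: the encoded wildcard
# name, its 0x00 label terminator and the high byte of the NBSTAT type.
IDS177_CONTENT = b"CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x00\x00"


def encode_netbios_name(name: str, suffix: int = 0x00, pad: bytes = b" ") -> str:
    """RFC 1001 first-level encoding: pad the name to 15 bytes, append the
    one-byte suffix (service type), then write each byte as two characters,
    high nibble first, each nibble added to 'A' (0x41).  The wildcard query
    pads with NUL, so '*' (0x2A) + 15 x 0x00 becomes CK followed by 30 A's."""
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_netbios_name(encoded: str) -> tuple:
    """Inverse of encode_netbios_name: returns (name, suffix)."""
    if len(encoded) != 32 or any(not "A" <= c <= "P" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    name = raw[:15].rstrip(b" \x00").decode("ascii", errors="replace")
    return name, raw[15]


def parse_nbns_query(payload: bytes) -> dict:
    """Parse the 12-byte header and the single question of an NBNS packet
    (RFC 1002 section 4.2): NAME_TRN_ID, flags, QD/AN/NS/ARCOUNT, then one
    32-byte label, a 0x00 terminator, QUESTION_TYPE and QUESTION_CLASS."""
    if len(payload) < 12:
        raise ValueError("payload shorter than NBNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question, got %d" % qdcount)
    pos = 12
    if len(payload) < pos + 1 + 32 + 1 + 4 or payload[pos] != 32:
        raise ValueError("question does not start with a 32-byte label")
    encoded = payload[pos + 1:pos + 33].decode("latin-1")
    pos += 33
    if payload[pos] != 0:
        raise ValueError("scope IDs are not handled by this example")
    qtype, qclass = struct.unpack("!HH", payload[pos + 1:pos + 5])
    name, suffix = decode_netbios_name(encoded)
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,       # 0 = query
        "broadcast": bool(flags & 0x0010),   # B bit; set in the first three dumps
        "name": name,
        "suffix": suffix,
        "qtype": qtype,
        "qclass": qclass,
    }


def classify(payload: bytes) -> str:
    """Label the packet the way an analyst reading the dumps would."""
    q = parse_nbns_query(payload)
    if q["is_response"] or q["opcode"] != 0:
        return "not a name-service query"
    if q["qtype"] == QTYPE_NBSTAT and q["name"] == WILDCARD:
        return "NBSTAT wildcard query (remote name table dump)"
    if q["qtype"] == QTYPE_NBSTAT:
        return "NBSTAT query for %s<%02X>" % (q["name"], q["suffix"])
    if q["qtype"] == QTYPE_NB:
        return "NB name query for %s<%02X>" % (q["name"], q["suffix"])
    return "NBNS query type 0x%04X" % q["qtype"]


def matches_ids177(payload: bytes) -> bool:
    """The same test the quoted Snort rule makes: a raw content match."""
    return IDS177_CONTENT in payload


if __name__ == "__main__":
    pkt = bytes.fromhex(SAMPLE_HEX)
    print(parse_nbns_query(pkt))
    print(classify(pkt), "| IDS177 content match:", matches_ids177(pkt))
```

Two things the decoder makes visible that the raw dump does not: the type field after the name is 0x0021 (NBSTAT, a name table request) rather than 0x0020 (an ordinary name lookup), which is what separates this probe from routine name resolution, and the flags word differs between the two incidents (0x0010 has the broadcast bit set, 0x0000 does not), so the two sources were sending slightly different queries.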


ipchains:

Mar  1 07:46:20 greatwall kernel: Packet log: input DENY ppp0 PROTO=17
 209.85.219.50:53128+12.82.128.101:137
 L=78 S=0x00 I=25339 F=0x0000 T=115 (#27)

Mar  1 07:46:21 greatwall kernel: Packet log: input DENY ppp0 PROTO=17
 209.85.219.50:53128+12.82.128.101:137
 L=78 S=0x00 I=50939 F=0x0000 T=115 (#27)

Mar  1 07:46:23 greatwall kernel: Packet log: input DENY ppp0 PROTO=17
 209.85.219.50:53128+12.82.128.101:137
 L=78 S=0x00 I=3836 F=0x0000 T=115 (#27)
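The ipchains lines and the Snort dumps describe the same three datagrams, and the IP ID field (I=25339 in the firewall log, ID:25339 in Snort) is what ties each pair together. The following is an added example, not part of this page: it parses both log formats, pairs firewall drops with sensor captures by source, destination, IP ID and length, and counts denied udp/137 datagrams per source, which is the check the IDS177 text recommends making sure the packet filter is actually performing. The sample lines are copied from the first incident above, with each wrapped ipchains record joined back onto one line as the kernel writes it; the regex also accepts the "+" separator shown on this page. Function names are my own.

```python
"""Correlate ipchains DENY log lines with Snort packet headers by IP ID.

Added example (not from the page); sample lines are copied from the page's
first incident, each ipchains record joined onto one line.
"""
import re
from collections import Counter

IPCHAINS_LOG = """\
Mar  1 07:46:20 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 209.85.219.50:53128 12.82.128.101:137 L=78 S=0x00 I=25339 F=0x0000 T=115 (#27)
Mar  1 07:46:21 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 209.85.219.50:53128 12.82.128.101:137 L=78 S=0x00 I=50939 F=0x0000 T=115 (#27)
Mar  1 07:46:23 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 209.85.219.50:53128 12.82.128.101:137 L=78 S=0x00 I=3836 F=0x0000 T=115 (#27)
"""

SNORT_LOG = """\
03/01-07:46:20.430267 209.85.219.50:53128 -> 12.82.128.101:137
UDP TTL:115 TOS:0x0 ID:25339 IpLen:20 DgmLen:78
03/01-07:46:21.930436 209.85.219.50:53128 -> 12.82.128.101:137
UDP TTL:115 TOS:0x0 ID:50939 IpLen:20 DgmLen:78
03/01-07:46:23.430536 209.85.219.50:53128 -> 12.82.128.101:137
UDP TTL:115 TOS:0x0 ID:3836 IpLen:20 DgmLen:78
"""

# ipchains: "... PROTO=17 SRC:SPT DST:DPT L=len S=tos I=ipid F=frag T=ttl (#rule)".
# "[ +]" accepts both the kernel's space and the "+" seen on the page.
IPCHAINS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+)[ +](?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x[0-9a-fA-F]+ I=(?P<ipid>\d+) F=0x[0-9a-fA-F]+ "
    r"T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)$"
)
# Snort -v style header: a timestamp/address line followed by an IP line.
SNORT_HDR_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (?P<src>[\d.]+):(?P<sport>\d+)"
    r" -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
SNORT_IP_RE = re.compile(
    r"^(?P<proto>\w+) TTL:(?P<ttl>\d+) TOS:0x[0-9a-fA-F]+ ID:(?P<ipid>\d+)"
    r" IpLen:\d+ DgmLen:(?P<len>\d+)$"
)


def parse_ipchains(text: str) -> list:
    """One dict per DENY/ACCEPT record; lines that do not match are skipped."""
    recs = []
    for line in text.splitlines():
        m = IPCHAINS_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("proto", "sport", "dport", "len", "ipid", "ttl", "rule"):
                d[k] = int(d[k])
            recs.append(d)
    return recs


def parse_snort(text: str) -> list:
    """One dict per packet, built from each header line and the IP line after it."""
    recs = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for i in range(len(lines) - 1):
        h, ip = SNORT_HDR_RE.match(lines[i]), SNORT_IP_RE.match(lines[i + 1])
        if h and ip:
            d = {**h.groupdict(), **ip.groupdict()}
            for k in ("sport", "dport", "ttl", "ipid", "len"):
                d[k] = int(d[k])
            recs.append(d)
    return recs


def correlate(fw: list, ids: list) -> list:
    """Pair firewall drops with sensor captures of the same datagram.  Source,
    destination, IP ID and total length together identify one packet; a match
    confirms the sensor saw a packet that the filter then dropped."""
    by_key = {(r["src"], r["dst"], r["ipid"], r["len"]): r for r in ids}
    pairs = []
    for f in fw:
        key = (f["src"], f["dst"], f["ipid"], f["len"])
        if key in by_key:
            pairs.append((f, by_key[key]))
    return pairs


def probe_sources(fw: list, dport: int = 137, proto: int = 17, min_hits: int = 1) -> dict:
    """Denied udp/137 datagrams per source address: the evidence that the
    'drop UDP to port 137 from outside' filter is doing its job."""
    hits = Counter(r["src"] for r in fw
                   if r["action"] == "DENY" and r["proto"] == proto and r["dport"] == dport)
    return {src: n for src, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    fw, ids = parse_ipchains(IPCHAINS_LOG), parse_snort(SNORT_LOG)
    for f, s in correlate(fw, ids):
        print("%s drop of IP ID %d matches Snort capture at %s" % (f["ts"], f["ipid"], s["ts"]))
    print("denied udp/137 probes by source:", probe_sources(fw))
```

The same functions apply unchanged to the second incident's lines, where the source port is also 137 and the TTL is 112; with both incidents fed in, `probe_sources` reports three drops from each of the two addresses.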



BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman 

SoftAware, Inc. (NETBLK-SOFTAWARE-BLK3)SOFTAWARE-BLK3
   209.85.0.0 - 209.85.255.255

JoeKaplanArchitecturalLighting (NETBLK-JOEKAPLAN-209-85-219) JOEKAPLAN-209-85-219
   209.85.219.48 - 209.85.219.63

JoeKaplanArchitecturalLighting (NETBLK-JOEKAPLAN-209-85-219)
   1901 Avenue of the Stars
   Los Angeles, CA 90067
   US    

Netname: JOEKAPLAN-209-85-219
   Netblock: 209.85.219.48 - 209.85.219.63    

Coordinator:
      SoftAware, Inc.  (SH47-ORG-ARIN)  hostmaster@softaware.com
      (310) 305-7352    

   Record last updated on 08-Jan-2000.
   Database last updated on  1-Mar-2002 19:57:27 EDT.

The second incident:


snort packet dump:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/01-13:22:46.952675 64.78.224.29:137 -> 12.82.128.101:137
UDP TTL:112 TOS:0x0 ID:49758 IpLen:20 DgmLen:78
Len: 58
B7 C4 00 00 00 01 00 00 00 00 00 00 20 43 4B 41  ............ CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  AAAAAAAAAAAAA..!
00 01                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/01-13:22:48.452751 64.78.224.29:137 -> 12.82.128.101:137
UDP TTL:112 TOS:0x0 ID:49772 IpLen:20 DgmLen:78
Len: 58
B7 E0 00 00 00 01 00 00 00 00 00 00 20 43 4B 41  ............ CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  AAAAAAAAAAAAA..!
00 01                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/01-13:22:49.952952 64.78.224.29:137 -> 12.82.128.101:137
UDP TTL:112 TOS:0x0 ID:49786 IpLen:20 DgmLen:78
Len: 58
B7 FC 00 00 00 01 00 00 00 00 00 00 20 43 4B 41  ............ CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  AAAAAAAAAAAAA..!
00 01                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


ipchains:

Mar  1 13:22:46 greatwall kernel: Packet log: input DENY ppp0 PROTO=17
 64.78.224.29:137 12.82.128.101:137
 L=78 S=0x00 I=49758 F=0x0000 T=112 (#26)

Mar  1 13:22:48 greatwall kernel: Packet log: input DENY ppp0 PROTO=17
 64.78.224.29:137 12.82.128.101:137
 L=78 S=0x00 I=49772 F=0x0000 T=112 (#26)

Mar  1 13:22:49 greatwall kernel: Packet log: input DENY ppp0 PROTO=17
 64.78.224.29:137 12.82.128.101:137
 L=78 S=0x00 I=49786 F=0x0000 T=112 (#26)



BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman 

Request: 64.78.224.29
connecting to whois.arin.net [192.149.252.34:43] ...

Verado, Inc. (Denver DC) (NET-VERADO-DENVERDC2)
   8390 E Crescent Parkway, Suite 300
   Greenwood Village, CO 80111
   US    

Netname: VERADO-DENVERDC2
   Netblock: 64.78.224.0 - 64.78.239.255
   Maintainer: VRDN    

Coordinator:
      Verado, Inc.  (IV35-ARIN)  ARIN-POC@Verado.com
      303-874-8010    

Domain System inverse mapping provided by: 
   NS1.FWIDCSERVICES.NET   64.78.224.58
   NS2.FWIDCSERVICES.NET   216.23.160.51

   Record last updated on 16-May-2001.
   Database last updated on  1-Mar-2002 19:57:27 EDT.




jsage@finchhaven.com
Last modified: Sat Mar 2 20:50:13 2002