Online neighbor's insider - article about NetBios and clear concepts
Regarding the problem of online neighbors, people have always been more, and the misunderstandings in understanding are generally severe. Given that Microsoft's NetBIOS document is not very meticulous, I have collected some relevant information, and I have written this series, I hope to help everyone. I originally wanted to increase readability, write this series of question and answer, but there were so many problems in my head, or the Punxious browsing service was roughly introduced in the same way, and then in-depth analysis NetBIOS's specific work mechanism, if there is any problem, you can ask us to discuss it. *** Microsoft network browsing process introduction *** In the "Windows NT System Management Technology insider", it is very representative. The problem, I took it out: Q: Under what circumstances will lead to computer in the network neighbors but can not access or can be visited? Please select the best answer: A. Your network has physical problems, such as the network cable B. The browsing service of the Windows NTServer as the domain master browser is broken C. Windows NTServer network card has problems D. Your network is not problematic, the user description It is normal Microsoft browsing phenomenon correct answer D book explanation: Microsoft's network browsing may appear "interrupt" in use, and actually they have no interruption, this misunderstanding is because the user's processing process of Microsoft Network browsing is unfamiliar Caused. Just like the students often complain "why others are available online, but not?" "Why can I browse, sometimes I can't browse the network?" Let's take a bell, let us go together How is Microsoft's web browsing is achieved. In view of everyone may not know about NT's "domain" concept, there will be a machine that browsing the fault is 98, I will explain it with 98 "Working Mode". 1. What is browsing list (Browsing List) In Microsoft Network, users can see the entire network in the browse list (What finger? Subnet or broadcast domain? Everyone can consider considerations) all the computers. When you open the entire network through the online neighbor window, you will see a list of workgroups, open a working group, you will see the list of computers inside (you can also use NET View / Domain: WorkgroupName command in DOS mode) Get it), this is what we said browsing list. The Working Group is essentially a group of computers sharing a browsing list, all of which are right, no provisions, not allowing all computers to be in a working group. 2. The browsing list has seen a debate on the wooden cotton, some people say: The computer list in the online neighbor is the broadcast query. Some people raised an alphabet saying: My classmates are shut down, but I can still see it in the online neighbors, which should be obtained from the cache of a more fixed device such as Hub or switches. In fact, they only say that one of them, combining them is the correct answer --- Browse the list is to browse the master server via the broadcast query, provided by the browsing master server. 3. Browse the master server is what browsing the master server is a most important computer in the working group. It is responsible for maintaining the browsing list in this working group and the list of master server for other working groups, for this working group. Other computers and other computers that come to this Working Group provide browsing services, each working group selects a browsing master server for each transfer protocol, and most of the incorrectly encountered unable to browse the network is mostly because you are The working group did not browse the master server. You can use the nbtstat -a computername command in a working group to find out the browsing the master server using the NBT protocol, and its identity is containing // msbrowse_name field.
4. Browse the master server how to specify the default, the browsing master server in the Win98 Working Group is the first computer that enables file and printer sharing features in the working group, and also allows hand to manually configure a Win computer configuration. In order to browse the master server (method will be specified later, it is specified in the network configuration, but because the main control server needs to maintain the dynamic browsing list, performance will be affected), if there are multiple computers in a working group to configure this option, or It is the current browsing master server to turn off the system, without other computers to enable the master settings, the election of the master browser is required. 5. How to generate the browser election to generate the election packet for the browser, don't be very good, I have to tell the things in the book. In fact, the process is simple, first send one by a computer. Election of critical packets, the message contains information from sending a computer (operating system, version and NET name, etc.), the election packets broadcast to the network, each computer in the working group will use itself and the election message The priority is mainly, mainly the main role of the operating system, remember to be NT Server> NT Workstation> Win98> WFWG, anyway to the end is the best way to make a new browsing master server. 6. Whole network browsing How is the process when a Win98 enters the network, if it comes with server services (enabled files and printer sharing), will broadcast our existence, and browse the master server will get this declaration and put it in yourself. Maintenance browsing list; without binding files and printer sharing on the corresponding protocol, it will not declare, and thus will not appear in the network neighbors. When the customer's computer wants to get a list of network resources required, first broadcast browsing requests, browse the master server After receiving the request, if the request is the list of browsing this group, the customer needs to be returned directly; If the request is a browsing list of other working groups, browse the master server will find the master browser of the corresponding working group to return to the user according to the record of the Browsing List, and the user can get the list of browsing it wants. As for how to share exchange resources with another computer, it is not the problem we have to discuss here. Understand the principle of online browsing, let me tell you a useful application, now many students don't welcome strangers to visit their own machines through online neighbors, and sometimes the lower movie needs to share the students. Come out, so you can't delete files and printer sharing services. How to do? Some people add $ with a shared name to achieve hidden results, which can be seen in DOS's NET Share; some people give a password, which is also a way to crack, and very It is easy to arise from the "hacker comrades". Is there a way to hide your own machine in a network neighbor? And students who have known can be accessed with // ip. If you want to be right, the key is to prevent your machine from declaring yourself to the network, and I know some of us have become reality, as for the method, don't ask me. Note: Because there are few information about Win98 browsing services, the books involved are also introduced in NT's "domain" model, so I can only test according to my understanding, and I will have a wrong way, welcome. Everyone finances. 7. Why can't I have access to the online neighbors in my online neighbors, I believe that people who complain about it will not be like now, and everyone is already in front of the browsing service. I know this is impossible, because the gain of the browsing list is not obtained by accessing each machine, many times the computer does not correctly update the browsing list.
When a computer is turned off normally, it will send a broadcast declaration to the network so that the browsing the master server is deleted from the browsing list; not normal shutdown, the list will remain a long time for a long time ( Nt is 45 minutes), which is what we can still see it in the network neighbors. The stability of 98 is well known - there is already collapsed before you have already closed it, ^ - ^ SMB (Server The Message Block) protocol is used in NT / 2000 to make file sharing. In NT, SMB runs on NBT (NetBIOS over TCP / IP), using 137, 139 (UDP), 139 (TCP) port. In 2000, SMB can run directly on TCP / IP without additional NBT layers, using TCP 445 ports. Therefore, in 2000 should be more varied slightly more than NT. Enable or disable NBT (NetBIOS over TCP / IP) in "Network Connection / Properties / TCPIP Protocol / Properties / Advanced / WINS. When 2000 uses network shares, it faces the selection 139 or 445 port. The situation determines the ports used by the session: 1. If the client enabled NBT, then access the 139 and 445 ports at the same time, if the client gets a response from the 445 port, then the client will send RST to 139 port to terminate this port connection. Then, then the SMB session is performed from the 445 port; if there is no response from the 445 port, then the session is performed from the 139 port; if you do not get any response, the SMB session fails. 2, if the client is disabled NBT, he will only connect only from the 445 port. Of course, if the server (open shared end) does not have a 445 port for the SMB session, then the access failed, so after disabling the 445 port, the sharing of the access NT machine will fail. 3. If the server is enabled, the UDP 137, 138 port and TCP139, 445 are listened at the same time. If you disable NBT, only the 445 port is listened. So for 2000, the sharing problem is not just 139 port, 445 The port is also capable of completing. About empty sponsored NULL sessions (empty sponsored) Use ports to follow the above rules. Null session is a untrustful support with the server. A session contains user authentication information, and Null session is no user The authentication information is the same as an anonymous. It is impossible to establish a safety channel for the system, and the establishment of a security channel is also double. First, it is to establish an identity flag. The second is to establish a temporary session key, The two sides can use this session to encrypt data exchange (such as the RPC and COM's authentication level is pkt_privacy). Whether it is NTLM or the Kerberos certified ticket, one is created for a token for the session. (This from Joe FINAMORE) According to the WIN2000 access control model, it is also necessary to provide a token for empty space. But because there is no authenticated session, the token does not contain user information, so the establishment of the session has no key exchange, This does not allow the system to send encrypted information between the system. This does not represent the SID in the token of the empty session. For an empty box, the token of the LSA is S-1-5-7, which is an empty session established SID, the username is anonymous logon. This username is you can see in the user list.
But can't find the account that is built in the system in the SAM database. (About this partial analysis of Null Session, you can refer to: "Null sessions in nt / 2000" http://rr.sans.org/win/null.php) NULL session almost became the back door of Microsoft's own placement, but Microsoft Why come to set this "back door"? I have been thinking about this problem. If there is no important purpose if the null session, Microsoft should not set such a thing. It's hard to find this in Microsoft: When in a multi-domain environment, you must build a trust relationship in a multi-domain. First, you need to find the PDC in the domain to verify the password verification through the security channel, and use the empty session very easily to find PDC, There is also a problem with some system services. And lmhosts #include requires support for empty sessions, you can refer to article: http://support.microsoft.com/default.aspx?...b;n-us;q121281 is also http://support.microsoft. COM / DEFAULT.ASPX? SCID = KB; EN-US; Q124184 It is also very strict in the establishment of an empty session. First, you must meet the above, that is, open TCP 139 and TCP 445 ports. We can see it from one closure of these two ports. The server turns off 445 and 139 ports, then we come to the connection of empty sessions. First, the client intends to connect to the 445 port, then try to connect 139 port. Of course, I finally failed. Only open these two ports is not available, the server must also have to open IPC $ sharing. If there is no IPC share, even if a file is shared, there is permission to anonymous logon, and you cannot establish a session. Even if the permission is set to full control, the connection error that occurs is still not enough. This is not the same as other accounts. If you want to allow a folder sharing to be able to use an empty session like IPC $ (Name Pipe, not shared), you need to modify the registry: hkey_local_machine / system / currentcontrolset / service / lantserver / parameters / in: NullSessionShares, add new sharing Name, this can create a shared empty board. At this time, it will not rely on the existence of IPC. (Even if such a empty space is not enough for the later breakthrough, because there is no IPC $ naming pipe, RPC is not available, this knows the specific implementation of the IPC named pipe. Ha ha) Although empty session is established It is very strict, but it is all built by default. Since it is the default, it is still useful for servers using the Win2K system. The most obvious is that the empty boxes can be easily connected to other domains, enumerate users, machines, etc. This is the principle of scanning software for detection. 1. Some people add a $ $ with a shared name to achieve hidden effects, which can be seen in DOS's NET Share; this hidden is only the restriction of the Microsoft Windows standard client NET View, not the server limit During the network transmission process, it is dependent, so the direct modification of the client to release this restriction or use third-party client software to see so-called hidden sharing, such as SMBClient is a typical representative. Directly modify the WINDOWS client approach, 99 years of Yuan Ge post, I am reprinted in the Security version of Huazhong, the essence is still there.
2. Some people give the sharing plus password, which is also a way to crack; this crack should look at what level, pure violent cracking does not have to say, of course, it is always possible. The 95/98 has another vulnerability, Yuan Ge discovered, is his famous Vredir.vxd, the length used when the server verifies the password is actually provided by the client, which means that it is more than 256 times (in fact, there are so many , Consider printing the character range). At the beginning, many people used this way to illegally browse others' machines. In 2000, Microsoft is now repaired. http://security.nsfocus.net/index.php?act=. =view&adv_id=6 By the way, this vulnerability can quickly take rapid password, although this is unnecessary in the attack. Therefore, I can only test according to my understanding of my understanding, the details are inevitably wrong, I recommend Ethereal, which is available at www.ethereal.com, which is the most free software I have ever seen for SMB decoding, there is UNIX / Windows version, source code is available. 3. In 2000, the SMB can run directly on TCP / IP, without additional NBT layers, using TCP 445 ports. Therefore, in 2000 should be more varied slightly more than NT. In fact, in the opposite of the SSAXH_CAPABILITIES field, it indicates that "Extended Security Verification" is not used. At this time, use the original authentication mechanism, just remove the session request of the NBT layer, change 139 / TCP to 445 / TCP, which can be successfully established Empty sponsored, and successfully open "//
Microsoft's own operating system does not recognize "* SMBSERV <00 ... (8)>", but Samba Server 2.2.5 recognizes, actually returns Positive Session Response. This is one of the methods of accurately identifying Samba Server. Microsoft will not mention these in << Direct Hosting of Smb Over TCP / IP >>, just 139 / TCP, 445 / TCP fair competition, prioritize the first returned response message. Don't trust its ghost. If you come back, if you are not demanding, you don't have to care about this difference. This difference is fatal when there is a need. 5. The most obvious is that the empty boxes can be easily connected to other domains, enumerate users, machines, etc. This is the principle of scanning software for detection. XP, 2003 Default prohibited POLICYACCOUNTDOMAININFORMATION query on empty sessions, you can see that LsaropenPolicy2 (44) fails, permission is negative. If a valid account is specified in advance, the password establishes the SMB session, not the empty meeting, and LSAROpenPolicy2 (44) will successfully return. Author: Tall in the saddle Source: chinaitlab Digest
