A Discussion of NetBIOS and Network Neighborhood

xiaoxiao2021-03-06  28

2003-01-17 Author (source): this site forum

Questions about Network Neighborhood come up all the time, and misunderstandings about how it works are widespread and often serious. Because Microsoft's NetBIOS documentation is not very detailed, I collected some relevant material, added my own hands-on experience, and wrote this series in the hope that it helps everyone.

I originally wanted to write the series in question-and-answer form to make it more readable, but I could not come up with that many questions. So I will start with a general introduction to Microsoft's browsing service and then analyze the specific working mechanism of NetBIOS in depth. If you have any questions, raise them and we can discuss them together.

*** Introduction to the Microsoft Network Browsing Process ***

The book "Windows NT System Management Technology" discusses a very representative question, which I have excerpted here:

Q: Under what circumstances will a computer be visible in Network Neighborhood but not accessible, or accessible but not visible? Choose the best answer:

A. Your network has a physical problem, such as the network cable
B. The browsing service on the Windows NT Server acting as domain master browser is broken
C. The Windows NT Server network card has a problem
D. Your network has no problem; what the users describe is normal Microsoft browsing behavior

correct answer

The book's explanation: Microsoft network browsing may appear to be "interrupted" in use when in fact it has not been interrupted at all. This misunderstanding comes from users' unfamiliarity with how Microsoft network browsing works.

It is just like the complaints students often make: "Why does Network Neighborhood work for other people but not for me?" "Why can I browse the network sometimes and not at other times?" To untie the bell you need the one who tied it, so let us look at how Microsoft network browsing is actually implemented. Since many readers may not be familiar with the NT "domain" concept, and most of the machines doing the browsing run Win98, I will explain it using the Win98 "workgroup" model.

1. What is the browse list (Browsing List)?

In a Microsoft network, users can see all the computers on the entire network in the browse list (what does "entire network" mean here, a subnet or a broadcast domain? Something to think about). When you open Entire Network from Network Neighborhood, you see a list of workgroups; open a workgroup and you see the list of computers in it (you can also get it in DOS mode with the command NET VIEW /DOMAIN:workgroupname). This is what we call the browse list. A workgroup is essentially a set of computers that share one browse list. All workgroups are peers, and nothing prevents you from putting all computers in a single workgroup.

2. Where does the browse list come from?

I once saw a debate about this. Some people said the list of computers in Network Neighborhood is obtained by broadcast query. Others objected: my classmate's machine is shut down, yet I can still see it in Network Neighborhood, so the list must come from some relatively fixed cache in the hub or switch. In fact each side is right about one aspect, and combining the two statements gives the correct answer: the browse list is obtained by broadcasting a query to the master browser, and it is the master browser that provides it.

3. What is the master browser?

The master browser (browse master server) is the most important computer in a workgroup. It maintains the browse list of its own workgroup and a list of the master browsers of other workgroups, and it provides the browsing service to the other computers in its workgroup and to computers from other workgroups that contact it. Each workgroup selects one master browser for each transport protocol. The "unable to browse the network" error we often run into occurs because your workgroup has no master browser. Within a workgroup you can use the command nbtstat -a computername to find the master browser over the NBT protocol; it is the machine whose name table contains the __MSBROWSE__ name entry.

4. How is the master browser designated?

By default, the master browser in a Win98 workgroup is the first computer in the group that enables File and Printer Sharing. A Windows computer can also be configured manually as the master browser (the method is described later, in the part on network configuration), but because the master browser has to maintain a dynamic browse list, its performance will be affected. If several computers in a workgroup have this option configured, or the current master browser shuts down and no other computer has the master setting enabled, a master browser election takes place.

5. How does a master browser election take place?

Browser election packets are not easy to capture, so I can only pass on what the book says. The process is actually very simple. First, one computer sends out an election message. The message contains information about the sending computer (operating system, version, NET name and so on). The election packet is broadcast, and every computer in the workgroup compares its own information with the election packet. The operating system plays the main role; as I remember it, the order is NT Server > NT Workstation > Win98 > WFWG. In any case, in the end the best-qualified computer becomes the new master browser.

6. What does the whole network browsing process look like?

When a Win98 machine joins the network, if it runs the server service (File and Printer Sharing is enabled), it broadcasts an announcement of its existence to the network. The master browser receives this announcement and adds the machine to the browse list it maintains. A computer that does not have File and Printer Sharing bound to the corresponding protocol makes no announcement and therefore does not appear in Network Neighborhood.

When a client wants a list of network resources, it first broadcasts a browse request. When the master browser receives the request, if the request is for the browse list of its own workgroup, it sends the requested list directly to the client. If the request is for the browse list of another workgroup, the master browser looks up the master browser of that workgroup in the records of its own browse list and returns it to the user, who can then obtain the browse list it wants from there. How shared resources are then exchanged with another computer is not the question we are discussing here.

Now that you understand the principle of network browsing, let me describe a useful application. Many students are security-conscious and do not welcome strangers accessing their machines through Network Neighborhood. But sometimes they need to share with classmates they know in order to download movies, so they cannot simply remove the File and Printer Sharing service. What to do? Some people append $ to the share name to hide it, but this can still be seen with NET SHARE under DOS. Some people put a password on the share, but reportedly this can also be cracked, and it easily arouses the curiosity of "hacker comrades". Is there a way to hide your machine from Network Neighborhood, while classmates who know about it can still reach it with \\ip?

If you want that, the key is to prevent your machine from announcing itself to the network. I know that some people among us have already made this a reality; as for the method, don't ask me.

Note: Because there is very little information about the Win98 browsing service, and the books on the subject mostly describe the NT "domain" model, I could only test in practice with NetXRay according to my own understanding. Mistakes in the details are hard to avoid, and corrections are welcome.

7. Why can't I access a computer that I can see in my Network Neighborhood?

After the introduction to the browsing service above, I believe there will be fewer people complaining about this. You already know why it happens: the browse list is not obtained by contacting each machine in it, and very often the computers on the network do not update the browse list correctly. When a computer shuts down normally, it broadcasts an announcement to the network so that the master browser removes it from the browse list. When it does not shut down normally, its entry stays in the browse list for a long time (45 minutes under NT), and that is why we can still see it in Network Neighborhood. And the stability of 98 is well known: it has usually crashed before it ever gets the chance to shut down ^-^
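The behaviour described in items 6 and 7, as a simplified model added here (not code from the original article or from Microsoft): a master browser that records announcements, drops a host on a clean-shutdown broadcast, and ages out silent entries after the 45 minutes the text gives for NT. The class, the host names and the re-announcement by CAROL-NT are assumptions of this model.

```python
# Simplified model of a workgroup master browser's browse list (added example).
# ENTRY_TTL is the 45-minute figure the text gives for NT; host names are constructed.
ENTRY_TTL = 45 * 60  # seconds an entry survives without a fresh announcement


class MasterBrowser:
    def __init__(self):
        self._last_seen = {}  # host name -> time of its last announcement

    def announce(self, host, now):
        """A host with File and Printer Sharing broadcasts its presence."""
        self._last_seen[host] = now

    def shutdown_announce(self, host):
        """Clean shutdown: the host broadcasts that it is leaving."""
        self._last_seen.pop(host, None)

    def browse_list(self, now):
        """Answer a client's browse request; expired entries are dropped first."""
        self._last_seen = {h: t for h, t in self._last_seen.items()
                           if now - t < ENTRY_TTL}
        return sorted(self._last_seen)


def visible_but_unreachable(browser, powered_on, now):
    """Hosts a client still sees in the list although they are actually off."""
    return [h for h in browser.browse_list(now) if h not in powered_on]


def demo():
    mb = MasterBrowser()
    powered_on = set()
    for host in ("ALICE98", "BOB98", "CAROL-NT"):
        mb.announce(host, now=0)
        powered_on.add(host)
    # ALICE98 shuts down cleanly; BOB98 crashes, so no broadcast is sent.
    mb.shutdown_announce("ALICE98")
    powered_on.discard("ALICE98")
    powered_on.discard("BOB98")
    early = visible_but_unreachable(mb, powered_on, now=10 * 60)
    # CAROL-NT stays up and announces again (interval is an assumption).
    mb.announce("CAROL-NT", now=30 * 60)
    late = visible_but_unreachable(mb, powered_on, now=46 * 60)
    return early, late


if __name__ == "__main__":
    print(demo())
```

Ten minutes after the crash BOB98 is still listed although it cannot be reached; once the 45 minutes have passed, the stale entry is gone.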

NT/2000 use the SMB (Server Message Block) protocol for file sharing. In NT, SMB runs on top of NBT (NetBIOS over TCP/IP) and uses ports 137, 139 (UDP) and 139 (TCP). In 2000, SMB can run directly over TCP/IP without the extra NBT layer, using TCP port 445. The situation in 2000 is therefore somewhat more varied than in NT.

NBT (NetBIOS over TCP/IP) can be enabled or disabled under "Network Connections / Properties / TCP/IP Protocol / Properties / Advanced / WINS".

When 2000 uses network sharing, it has to choose between port 139 and port 445. The following cases determine which port the session uses:

1. If the client has NBT enabled, it connects to ports 139 and 445 at the same time. If it gets a response from port 445, the client sends an RST to port 139 to terminate that connection and carries on the SMB session over port 445. If it gets no response from port 445 but does get one from port 139, the session runs over port 139. If it gets no response at all, the SMB session fails.

2. If the client has NBT disabled, it connects only to port 445. Of course, if the server (the end offering the share) has no port 445 available for the SMB session, access fails; so after port 445 is disabled, access to shares on NT machines will fail.

3. If the server has NBT enabled, it listens on UDP ports 137 and 138 and on TCP ports 139 and 445 at the same time. If NBT is disabled, it listens only on port 445.

Therefore, for 2000, sharing is not only a matter of port 139; port 445 can do the job as well.
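The three rules above as a small decision model, added here as an illustration (not Microsoft code). It goes slightly beyond the text by also applying a packet filter, to show which client/server pairs still share files when only port 139 is blocked. The function names and the "NT4" row (listening on 139 only, as the text describes NT) are this example's own.

```python
# Added example: model of the port-selection rules listed above.
NBT_TCP, DIRECT_TCP = 139, 445


def server_tcp_listeners(server_nbt):
    """Rule 3: TCP ports a Windows 2000 server listens on for SMB."""
    return {NBT_TCP, DIRECT_TCP} if server_nbt else {DIRECT_TCP}


def client_attempts(client_nbt):
    """Rules 1 and 2: TCP ports a Windows 2000 client tries."""
    return {NBT_TCP, DIRECT_TCP} if client_nbt else {DIRECT_TCP}


def smb_session_port(client_nbt, listening, filtered=frozenset()):
    """Return the port the SMB session ends up on, or None if it fails.

    listening: TCP ports the server answers on.
    filtered:  TCP ports dropped by a firewall between client and server.
    """
    reachable = (client_attempts(client_nbt) & set(listening)) - set(filtered)
    if DIRECT_TCP in reachable:
        return DIRECT_TCP   # 445 answered: the client resets 139 and uses 445
    if NBT_TCP in reachable:
        return NBT_TCP      # only 139 answered
    return None             # no response at all: the session fails


def audit_filter(filtered):
    """Session port for every server type / client setting under one filter."""
    servers = (("NT4", {NBT_TCP}),
               ("2000 NBT on", server_tcp_listeners(True)),
               ("2000 NBT off", server_tcp_listeners(False)))
    results = {}
    for name, listening in servers:
        for client_nbt in (True, False):
            results[(name, client_nbt)] = smb_session_port(
                client_nbt, listening, filtered)
    return results


if __name__ == "__main__":
    for pair, port in audit_filter({NBT_TCP}).items():
        print(pair, "->", port)
```

Filtering port 139 alone stops sessions to the NT server but leaves both Windows 2000 configurations reachable on 445, which is the point of the paragraph above.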

III. The NULL Session

A NULL session (empty session) uses ports according to the rules above. A NULL session is a session established with the server without trust support. A session normally contains the user's authentication information, whereas a NULL session carries no user authentication information; it is like an anonymous session.

Without authentication it is impossible to establish a secure channel for the system. Establishing a secure channel takes two steps: the first is to establish an identity token, and the second is to establish a temporary session key that both sides can use to encrypt the data they exchange (for example, the PKT_PRIVACY authentication level of RPC and COM). Whether the authentication goes through NTLM or Kerberos, in the end a token containing the user's information is created for the session. (This passage is from Joe Finamore.)

According to the Win2000 access control model, a token is also required for a null session. But a null session is established without authentication, so the token contains no user information and the session has no key to exchange; this means encrypted information cannot be sent between the systems. It does not mean that the token of a null session contains no SID. For a null session, the SID in the token provided by the LSA is S-1-5-7, which is the SID of the null session, and the username is Anonymous Logon. This username can be seen in the user list, but it cannot be found in the SAM database; it is a built-in system account.

(For this part of the analysis of the NULL session, see "NULL sessions in NT/2000", http://rr.sans.org/win/null.php)

The NULL session is almost a backdoor that Microsoft placed itself, but why would Microsoft set up such a "backdoor"? I kept thinking about this question: if the NULL session had no important purpose, Microsoft would not have set up such a thing. With some difficulty I found this on Microsoft's site:

In a multi-domain environment, trust relationships have to be established between the domains. First the PDC of the domain must be found in order to pass the password verification of the secure channel, and using a null session makes it very easy to find the PDC. There are also some issues concerning system services. In addition, LMHOSTS #INCLUDE requires null session support; see these articles:

http://support.microsoft.com/defaul...b;n-us;q121281

and http://support.microsoft.com/defaul...b;n-us;q124184

In fact, the conditions for establishing a null session are quite strict. First, the requirement above must be met, that is, TCP ports 139 and 445 must be open. We can see this by closing these two ports: with ports 445 and 139 closed on the server, we attempt a null session connection. The client first tries to connect to port 445 and then tries port 139. Of course, it fails in the end.

Having these two ports open is not enough; the server must also have the IPC$ share open. If there is no IPC$ share, then even if a file share exists and Anonymous Logon has permission on it, a session cannot be established; even if the permission is set to Full Control, a connection error still appears. This is different from other accounts. If you want a file share to accept null sessions the way IPC$ does (IPC$ being a named pipe rather than a share), you need to modify the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\

In the NullSessionShares value, add the new share name; a null session to that share can then be established, and it no longer depends on the existence of IPC$.

(Even so, such a null session is of little use for later breakthroughs, because without the IPC$ named pipe RPC is not available; anyone who knows the specific implementation of the IPC named pipe will understand this. Ha ha)

Although the requirements for a null session are strict, they are all met by default. Since that is the default, null sessions are still useful against servers running Win2K. Most obviously, a null session makes it very convenient to connect to other domains and to enumerate users, machines and so on. This is the principle on which scanning software relies for its detection.
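One way to audit the registry value described above, as an added example (not from the original article): it parses the text printed by reg query for the LanmanServer\Parameters key and reports shares listed in NullSessionShares that are not on an approved baseline. The sample output, the share names in it and the baseline are constructed.

```python
import re

KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"

# Constructed sample of `reg query` output for the key above (not from a real host).
# Items of a multi-string value are separated by a literal \0 in this output.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    autodisconnect    REG_DWORD    0xf
    NullSessionShares    REG_MULTI_SZ    COMCFG\0DFS$\0MOVIES
"""

VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s*(.*)$")


def parse_reg_query(text):
    """Return {KEY PATH: {value name lowercased: (type, data)}} from reg query text."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip().upper(), {})
        elif current is not None and (m := VALUE_LINE.match(line)):
            current[m.group(1).lower()] = (m.group(2), m.group(3).strip())
    return keys


def null_session_shares(text):
    """Share names listed in NullSessionShares (reachable by a null session)."""
    values = parse_reg_query(text).get(KEY.upper(), {})
    kind, data = values.get("nullsessionshares", ("REG_MULTI_SZ", ""))
    if kind != "REG_MULTI_SZ":
        raise ValueError(f"unexpected type {kind} for NullSessionShares")
    return [s for s in data.split("\\0") if s]


def unexpected_null_session_shares(text, approved=()):
    """Shares that accept null sessions but are not on the approved baseline."""
    allowed = {a.lower() for a in approved}
    return [s for s in null_session_shares(text) if s.lower() not in allowed]


if __name__ == "__main__":
    # Baseline is an assumption of this example; set it to your own policy.
    print(unexpected_null_session_shares(SAMPLE, approved=("COMCFG", "DFS$")))
```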
