On the subject of Network Neighborhood there have always been many misunderstandings, and generally serious ones. Since Microsoft's NetBIOS documentation is not very thorough, I have collected some related material and written this series, in the hope that it helps everyone.
I originally wanted to write the series in question-and-answer form for readability, but there were too many questions in my head. So instead I first give a rough introduction to the browsing service and then analyze the concrete working mechanism of NetBIOS in depth. If you have questions, raise them and we can discuss them together.
*** Microsoft Network Browsing Process Introduction ***
The book "Windows NT System Management Technology" discusses a very representative problem, which I have copied out:
Q: Under what circumstances can a computer appear in Network Neighborhood yet not be accessible, or be accessible yet not appear?
Please select the best answer:
A. Your network has a physical problem, such as the network cable
B. The browser service on the Windows NT Server acting as domain master browser has failed
C. The Windows NT Server's network card has a problem
D. Your network has no problem; the user is describing normal Microsoft browsing behavior
Correct answer: D
The book's explanation: Microsoft network browsing may appear to "break" during use when in fact nothing has broken; the misunderstanding comes from unfamiliarity with how Microsoft network browsing works.
Fellow students often complain, "Why can others see the network but I can't?" or "Why can I browse the network sometimes but not at other times?" Let's look together at how Microsoft network browsing is actually implemented. Since not everyone knows NT's "domain" concept, and the machines with browsing faults are mostly Windows 98, I will explain using the 98 "workgroup" mode.
1. What is a browse list?
In a Microsoft network, users can see all the computers on the entire network in the browse list (what does "network" mean here? a subnet? a broadcast domain? think about it). When you open Entire Network through the Network Neighborhood window, you see a list of workgroups; open a workgroup and you see the list of computers inside it (you can also get this with the NET VIEW /DOMAIN:WorkgroupName command in DOS mode). This is the browse list we are talking about. A workgroup is essentially a group of computers that share one browse list; any computer can join, there are no rules, and there is no requirement that all computers be in one workgroup.
2. Where does the browse list come from?
I once saw a debate on the Mumian BBS. Some people said: the computer list in Network Neighborhood comes from broadcast queries. Others objected: my classmate's computer is shut down but I can still see it in Network Neighborhood, so it must come from a cache on some more permanent device such as a hub or switch. In fact each side was only half right; put them together and you get the correct answer: the browse list is obtained by a broadcast query for the browse master server, and it is the browse master server that provides it.
3. What is the browse master server?
The browse master server (master browser) is the most important computer in a workgroup. It is responsible for maintaining this workgroup's browse list and the list of master browsers of other workgroups, and it provides browsing service to the other computers in this workgroup and to computers from other workgroups that visit it. Each workgroup elects one master browser per transport protocol. Most cases of being unable to browse the network are because the workgroup you are in has no master browser. You can use the nbtstat -a computername command on a computer in the workgroup to find out which machine is the master browser on the NBT protocol: it is the one whose name table contains the __MSBROWSE__ entry.
4. How is the master browser designated?
By default, the master browser in a Win98 workgroup is the first computer in the workgroup that enabled file and printer sharing. A Win98 computer can also be configured manually to be the master browser (the method is described later, in the details of network configuration; but because the master browser has to maintain a dynamic browse list, its performance will be affected). If several computers in a workgroup have this option configured, or if the current master browser shuts down and no other computer has the master browser setting enabled, then one is produced by a browser election.
5. How is the master browser produced by a browser election?
As for the browser election packets, I have not captured many, so I can only repeat what the books say. The process is actually very simple: first one computer sends an election message, which contains information about the sending computer (operating system, version, NetBIOS name, etc.). The election packet is broadcast to the network, and each computer in the workgroup compares its own information with the election packet; the operating system plays the main role, and I remember the order being NT Server > NT Workstation > Win98 > WFWG. In the end, whichever wins becomes the new master browser.
6. What is the overall browsing process?
When a Win98 machine comes onto the network, if it has the Server service (file and printer sharing enabled) it broadcasts an announcement of its existence; the master browser receives this announcement and puts it into the browse list it maintains. A computer that does not have file and printer sharing bound on the corresponding protocol does not announce, and so does not appear in Network Neighborhood.
When a client computer wants a list of network resources, it first broadcasts a browse request. After the master browser receives the request, if it is for this workgroup's browse list it returns the list directly to the client; if it is for another workgroup's browse list, the master browser finds the master browser of that workgroup according to its own records and gets the list for the user, so the user obtains the browse list it wants. How resources are then exchanged with another computer is not the problem we are discussing here.
Now that you understand how browsing works, let me mention a useful application. Many students do not welcome strangers visiting their machines through Network Neighborhood, yet sometimes they need to share downloaded movies with classmates, so they cannot remove file and printer sharing. What to do? Some people append $ to the share name to hide it, but it can still be seen with NET SHARE in DOS; some people put a password on the share, but that can be cracked, and it very easily attracts the "hacker comrades". Is there a way to hide your own machine from Network Neighborhood, while classmates who already know it can still access it via //ip?
If you want to do it right, the key is to stop your machine from announcing itself to the network. I know some of us have already made this a reality; as for the method, don't ask me.
Note: because there is little material on the Win98 browsing service, and the books involved all describe NT's "domain" model, I could only test according to my own understanding, and there are bound to be errors; corrections from everyone are welcome.
7. Why can't I access a machine that I see in Network Neighborhood?
If Microsoft's Network Neighborhood could do everything you expect of it, I believe there would not be as many complainers as there are now. From the introduction to the browsing service you already know that this is impossible, because the browse list is not obtained by visiting each machine, and many times the computers on the network do not update the browse list correctly. When a computer shuts down normally, it sends a broadcast announcement so that the master browser removes it from the browse list; after an abnormal shutdown it stays in the list for a long time (45 minutes on NT), which is why we can still see it in Network Neighborhood. The stability of 98 is well known: it has already crashed before you get around to shutting it down, ^-^
The SMB (Server Message Block) protocol is what NT/2000 use for file sharing. On NT, SMB runs over NBT (NetBIOS over TCP/IP), using ports 137, 139 (UDP) and 139 (TCP).
On 2000, SMB can run directly over TCP/IP without the extra NBT layer, using TCP port 445, so on 2000 things are a little more varied than on NT. NBT (NetBIOS over TCP/IP) is enabled or disabled under Network Connection / Properties / TCP/IP Protocol / Properties / Advanced / WINS.
When 2000 uses network sharing it faces the choice between port 139 and port 445. The port used by a session is determined as follows:
1. If the client has NBT enabled, it tries ports 139 and 445 at the same time. If it gets a response from port 445, the client sends an RST to port 139 to terminate that connection and continues the SMB session on port 445; if it gets no response from port 445, it continues the session on port 139; if it gets no response from either, the SMB session fails.
2. If the client has NBT disabled, it connects only via port 445. Of course, if the server (the end offering the share) has no port 445 for SMB sessions, the access fails; so with port 445 disabled, access to shares on an NT machine will fail.
3. If the server has NBT enabled, it listens on UDP 137 and 138 and on TCP 139 and 445 simultaneously. If NBT is disabled, it listens only on port 445.
So on 2000 the sharing problem is not only port 139; port 445 can do it as well.
About null sessions
NULL sessions (empty sessions) use ports according to the rules above. A NULL session is a session established with the server without any trust being established. A session normally carries the user's authentication information; a NULL session has no user authentication information, which is like an anonymous logon.
A system that is not authenticated cannot establish a secure channel, and establishing a secure channel has two parts: first establishing an identity, and second establishing a temporary session key, which both sides can use to encrypt the data they exchange (for example at the RPC and COM authentication level pkt_privacy). Whether with NTLM or a Kerberos ticket, once authenticated a token containing user information is created for the session. (This section is from Joe Finamore.)
According to the Win2000 access control model, a null session also needs a token. But since a null session is not authenticated, the token contains no user information, so establishing the session involves no key exchange, which means the system cannot send encrypted information. This does not mean the null session's token contains no SID. For a null session, the SID that LSA assigns is S-1-5-7, the SID created for the null session, and the user name is ANONYMOUS LOGON. This user name can be seen in the user list, but the account cannot be found as a built-in account in the SAM database. (For this part of the null session analysis see "Null sessions in NT/2000", http://rr.sans.org/win/null.php)
A NULL session is almost a back door placed by Microsoft itself, but why did Microsoft set up this "back door"? I have thought about this for a while. If the null session served no important purpose, Microsoft should not have set up such a thing. With some difficulty I found this at Microsoft:
In a multi-domain environment, trust relationships must be established between the domains. First the PDC in the domain must be found in order to verify the password through the secure channel; finding the PDC is very easy with a null session, and without it some system services have problems. Also, lmhosts #INCLUDE requires null session support. You can refer to these articles:
http://support.microsoft.com/default.aspx?...b;n-us;q121281
and also
http://support.microsoft.com/default.aspx?scid=kb;n-us;q124184
In fact the conditions for establishing a null session are quite strict. First, the above must be satisfied, that is, TCP 139 and TCP 445 must be open. We can see this by closing those two ports: with the server's ports 445 and 139 closed, we try a null session connection; first the client tries to connect to port 445, then it tries port 139, and of course it finally fails.
Having only these two ports open is not enough; the server must also have the IPC$ share. Without the IPC$ share, even if a file share grants permissions to Anonymous Logon, you cannot establish a session; even with the permission set to Full Control, the connection still errors out with insufficient permissions. This is different from other accounts. If you want a folder share to be usable by a null session the way IPC$ is (IPC$ being a named pipe rather than a share), you need to modify the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Add the new share name to the NullSessionShares value there, and you can then establish a null session to that share; at that point it no longer depends on the existence of IPC$. (Although such a null session is of no use for further attacks, because without the IPC$ named pipe RPC is not available; from this you can see what the IPC$ named pipe actually does. Haha)
Although the requirements for a null session are strict, they are all met by default. Since it is the default, it is still useful against servers running Win2K. The most obvious thing is that a null session can easily connect to other domains and enumerate users, machines, etc. This is the principle scanning software uses for detection.
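Point 3 above says that the master browser can be picked out with nbtstat -a by looking for the __MSBROWSE__ entry in a host's NetBIOS name table. The following is an added example, not code from this post: it parses the NBT Node Status response (RFC 1002, the packet nbtstat -a receives on UDP 137) and applies that test. The packet is constructed by hand; the host name WORKSTN, the workgroup name WORKGROUP and the MAC address are made up for the demo.

```python
"""Parse an NBT Node Status (NBSTAT) response, the packet behind `nbtstat -a`,
and decide whether the answering host is a workgroup's master browser.

Added example, not code from the original post.  SAMPLE_RESPONSE is built by
hand for the demo; it was not captured from a real host."""
import struct
from dataclasses import dataclass

# The master-browser group name: 0x01 0x02 "__MSBROWSE__" 0x02, suffix 0x01.
MSBROWSE = b"\x01\x02__MSBROWSE__\x02"

# Well-known NetBIOS name suffixes (the 16th byte of a NetBIOS name).
SUFFIXES = {
    0x00: "Workstation / Workgroup",
    0x1B: "Domain Master Browser",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
    0x20: "File Server",
}

# RR_NAME of a node status query/response: "*" + 15 NULs, first-level encoded
# (each nibble becomes a letter A..P), as a 32-byte label plus terminator.
WILDCARD_RR_NAME = b"\x20CK" + b"AA" * 15 + b"\x00"


@dataclass
class NbtName:
    name: bytes      # up to 15 bytes, trailing space padding removed
    suffix: int
    group: bool      # NAME_FLAGS bit 15: group (vs. unique) name
    active: bool     # NAME_FLAGS bit 10: name is in use


def build_node_status_response(trn_id: int, names, mac: bytes) -> bytes:
    """Build an NBSTAT response (RFC 1002 4.2.18) for a constructed sample."""
    rdata = bytes([len(names)])
    for name, suffix, flags in names:
        rdata += name.ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", flags)
    rdata += mac + bytes(40)                                 # STATISTICS: unit ID + zeroed counters
    header = struct.pack(">6H", trn_id, 0x8400, 0, 1, 0, 0)  # response, authoritative, 1 answer
    rr = struct.pack(">HHIH", 0x0021, 0x0001, 0, len(rdata)) # NBSTAT, IN, TTL 0, RDLENGTH
    return header + WILDCARD_RR_NAME + rr + rdata


def parse_node_status_response(pkt: bytes):
    """Return (list of NbtName, MAC address bytes) from an NBSTAT response."""
    _trn_id, flags, _qd, an, _ns, _ar = struct.unpack(">6H", pkt[:12])
    if not flags & 0x8000 or an != 1:
        raise ValueError("not a node status response")
    off = 12
    while pkt[off]:                          # skip the encoded RR_NAME labels
        off += 1 + pkt[off]
    off += 1
    rr_type, _rr_class, _ttl, _rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
    off += 10
    if rr_type != 0x0021:
        raise ValueError("RR_TYPE is not NBSTAT")
    count = pkt[off]
    off += 1
    names = []
    for _ in range(count):
        raw = pkt[off:off + 16]
        (name_flags,) = struct.unpack(">H", pkt[off + 16:off + 18])
        off += 18
        names.append(NbtName(raw[:15].rstrip(b" "), raw[15],
                             bool(name_flags & 0x8000), bool(name_flags & 0x0400)))
    return names, pkt[off:off + 6]


def master_browser_workgroup(names):
    """Workgroup name if this host is a master browser (it holds the active
    __MSBROWSE__<01> group name and a unique <1D> name), otherwise None."""
    if not any(n.name == MSBROWSE and n.suffix == 0x01 and n.active for n in names):
        return None
    for n in names:
        if n.suffix == 0x1D and not n.group:
            return n.name
    return None


# Constructed sample: a host "WORKSTN" that is the master browser of "WORKGROUP".
# NAME_FLAGS 0x0400 = unique, active (B-node); 0x8400 = group, active.
SAMPLE_NAMES = [
    (b"WORKSTN", 0x00, 0x0400),
    (b"WORKGROUP", 0x00, 0x8400),
    (b"WORKSTN", 0x20, 0x0400),
    (b"WORKGROUP", 0x1E, 0x8400),
    (b"WORKGROUP", 0x1D, 0x0400),
    (MSBROWSE, 0x01, 0x8400),
]
SAMPLE_RESPONSE = build_node_status_response(0x1234, SAMPLE_NAMES, bytes.fromhex("00105a112233"))

if __name__ == "__main__":
    names, mac = parse_node_status_response(SAMPLE_RESPONSE)
    for n in names:
        kind = "GROUP " if n.group else "UNIQUE"
        print(f"{n.name!r:30} <{n.suffix:02X}> {kind} {SUFFIXES.get(n.suffix, '')}")
    print("MAC:", mac.hex(":"), " master browser of:", master_browser_workgroup(names))
```

A host that has not won the election shows the workstation, workgroup and file-server names but no __MSBROWSE__ or <1D> entry, and master_browser_workgroup returns None for it. The <1B> suffix (domain master browser) is listed for completeness; it only appears in the NT domain model the post says it does not cover.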
1. Some people append $ to the share name to hide it, which can still be seen with NET SHARE under DOS;
This hiding is only a restriction in Microsoft's standard Windows client, NET VIEW; it is not a server-side restriction, and the network traffic is exactly the same either way. So directly patching the client to remove this restriction, or using third-party client software, lets you see the so-called hidden shares; SMBCLIENT is the typical example. The approach of patching the Windows client directly was posted by Yuan Ge in '99; I reposted it on the Security board at Huazhong, and the essence is still there.
2. Some people put a password on the share, which I hear can also be cracked;
How far this cracking goes depends on the level; pure brute force goes without saying, it is always possible. 95/98 had another vulnerability, discovered by Yuan Ge, his famous Vredir.vxd bug: the length used when the server verifies the password is actually supplied by the client, which means at most 256 attempts (in fact far fewer, considering the range of printable characters). At first many people used this to illegally browse other people's machines. Microsoft has now fixed it in 2000.
http://security.nsfocus.net/index.php?act=...o=view&adv_id=6
By the way, this vulnerability can also be used to quickly recover the original password, although that is unnecessary in an attack. I could only test according to my own understanding, using NetXray, and the details are bound to have errors.
I recommend Ethereal from www.ethereal.com, the best free software I have ever seen; there are UNIX and Windows versions, with source code provided.
3. On 2000, SMB can run directly over TCP/IP without the extra NBT layer, using TCP port 445, so on 2000 things are a little more varied than on NT.
In fact, when the CAPABILITIES field in the response indicates that "extended security" is not in use, the original authentication mechanism is used; just drop the NBT-layer session request and change 139/TCP to 445/TCP, and the null session is established successfully, and "//
As for RPC over SMB at the higher layer, nothing needs to change at all. In other words, going from 139/TCP to 445/TCP removes one NBT session request/response pair from the whole exchange, which is otherwise completely identical on both ports.
The so-called NBT layer is always present, even in 445 communication; the only difference is the one described in the previous paragraph.
4. If the client has NBT enabled, it tries ports 139 and 445 at the same time,
Microsoft does not let 139/TCP and 445/TCP compete fairly. The SYN packets that initiate the two connections go out at the same time, macroscopically speaking; sometimes the connection request to 139/TCP goes first, sometimes the one to 445/TCP, with a bit of randomness.
When it sends the last ACK of the three-way handshake to 139/TCP, Windows carries data in it: an NBT session request with a deliberately wrong NetBIOS name (*SMBSERV<00...(8)>). 445/TCP does not need an NBT-layer session.
Because of the deliberately wrong NetBIOS name, 139/TCP has a hard time competing with 445/TCP: the server returns a NEGATIVE NBT SESSION RESPONSE and performs close(). This forces the 139/TCP connection (the transport-layer TCP connection) to be re-established.
So the deliberately wrong NetBIOS name is only there to give 445/TCP a chance. Unfortunately 445/TCP is not competitive: the tasks on that port are heavy and the load is high, and even in this unfair competition 139/TCP can still grab the NBT session (note: not the TCP connection) before 445/TCP does. Then port 445 gets the RST, and the subsequent SMB session is set up on the 139/TCP connection. Microsoft's own operating systems do not recognize "*SMBSERV<00...(8)>", but Samba Server 2.2.5 does, and actually returns a POSITIVE SESSION RESPONSE. This is one way to accurately identify a Samba server.
Microsoft does not mention any of this in "Direct Hosting of SMB over TCP/IP"; it only says that 139/TCP and 445/TCP compete fairly and the first response received is preferred. Don't believe that nonsense.
Coming back to the point: if you are not demanding, you need not care about this difference. When you are demanding, this difference is fatal.
5. The most obvious thing is that a null session can easily connect to other domains and enumerate users, machines, etc. This is the principle scanning software uses for detection.
XP and 2003 by default prohibit the POLICY_ACCOUNT_DOMAIN_INFORMATION query over a null session; you can see LsarOpenPolicy2 (44) fail with access denied. If a valid account and password are specified in advance so that the SMB session is not a null session, LsarOpenPolicy2 (44) returns successfully.
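Both the first post's point on 139 versus 445 and the reply's points 3 and 4 turn on one detail: on 139/TCP the client must first send an NBT Session Request carrying a called name, and the server answers with a positive or negative Session Response, whereas 445/TCP skips that exchange and only keeps the 4-byte framing in front of each SMB. The following is an added example, not code from either post: it builds and parses the RFC 1002 Session Request and Session Response messages, models a server that either owns or rejects the called name, and frames the same SMB for both ports. The "*SMBSERVER"<20> placeholder (the form Samba uses; the reply renders the Windows one as *SMBSERV<00...(8)>), the calling name CLIENT and the server name FILESRV are assumptions for the demo.

```python
"""NBT session setup on 139/TCP versus direct-hosted SMB on 445/TCP.

Added example, not code from the original posts.  Builds and parses the
RFC 1002 Session Request (0x81) and Session Response (0x82 / 0x83), and
shows the 4-byte framing both ports put in front of every SMB.  The names
used below are assumptions for the demo; nothing was captured from a host."""
import struct

SESSION_MESSAGE = 0x00
SESSION_REQUEST = 0x81
POSITIVE_RESPONSE = 0x82
NEGATIVE_RESPONSE = 0x83

# RFC 1002 4.3.3 negative session response error codes
NEGATIVE_ERRORS = {
    0x80: "not listening on called name",
    0x81: "not listening for calling name",
    0x82: "called name not present",
    0x83: "called name present, but insufficient resources",
    0x8F: "unspecified error",
}


def encode_netbios_name(name: bytes, suffix: int) -> bytes:
    """Pad to 15 bytes + suffix byte, then first-level encode: each nibble
    becomes a letter A..P, giving a 32-byte label plus a 0x00 terminator."""
    if len(name) > 15:
        raise ValueError("NetBIOS name longer than 15 bytes")
    raw = name.upper().ljust(15, b" ") + bytes([suffix])
    enc = b"".join(bytes((0x41 + (b >> 4), 0x41 + (b & 0x0F))) for b in raw)
    return b"\x20" + enc + b"\x00"


def decode_netbios_name(buf: bytes):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    if len(buf) < 34 or buf[0] != 0x20 or buf[33] != 0:
        raise ValueError("malformed encoded NetBIOS name")
    raw = bytes(((buf[1 + 2 * i] - 0x41) << 4) | (buf[2 + 2 * i] - 0x41) for i in range(16))
    return raw[:15].rstrip(b" "), raw[15]


def build_session_request(called: bytes, called_suffix: int,
                          calling: bytes, calling_suffix: int) -> bytes:
    """Session Request: type 0x81, flags 0, 16-bit length, called + calling name."""
    body = encode_netbios_name(called, called_suffix) + encode_netbios_name(calling, calling_suffix)
    return bytes([SESSION_REQUEST, 0]) + struct.pack(">H", len(body)) + body


def parse_session_request(pkt: bytes):
    if pkt[0] != SESSION_REQUEST or struct.unpack(">H", pkt[2:4])[0] != len(pkt) - 4:
        raise ValueError("not a well-formed session request")
    return decode_netbios_name(pkt[4:38]), decode_netbios_name(pkt[38:72])


def answer_session_request(pkt: bytes, server_names) -> bytes:
    """What a 139/TCP listener sends back: positive if it owns the called name,
    otherwise negative with 'called name not present' (and it then closes)."""
    called, _calling = parse_session_request(pkt)
    if called in server_names:
        return bytes([POSITIVE_RESPONSE, 0, 0, 0])
    return bytes([NEGATIVE_RESPONSE, 0, 0, 1, 0x82])


def describe_session_response(resp: bytes) -> str:
    if resp[0] == POSITIVE_RESPONSE:
        return "positive"
    if resp[0] == NEGATIVE_RESPONSE:
        return "negative: " + NEGATIVE_ERRORS.get(resp[4], f"code 0x{resp[4]:02x}")
    raise ValueError("unexpected session packet type")


def frame_smb(smb: bytes, direct: bool) -> bytes:
    """4-byte header in front of every SMB.  On 139/TCP it is the NBT Session
    Message: type 0, flags byte (bit 0 = length bit 16), 16-bit length.  On
    445/TCP it is type 0 plus a 24-bit length.  The bytes on the wire coincide;
    only the maximum length differs."""
    limit = 1 << 24 if direct else 1 << 17
    if len(smb) >= limit:
        raise ValueError("SMB too long for this transport")
    return bytes([SESSION_MESSAGE]) + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    # Client placeholder called name for the 139/TCP attempt (assumption:
    # Samba-style "*SMBSERVER"<20>); calling name "CLIENT"<00> (assumption).
    req = build_session_request(b"*SMBSERVER", 0x20, b"CLIENT", 0x00)
    print("session request:", req.hex())
    # A server that only answers to its real name rejects the placeholder ...
    print(describe_session_response(answer_session_request(req, {(b"FILESRV", 0x20)})))
    # ... one that also accepts *SMBSERVER answers positively.
    print(describe_session_response(
        answer_session_request(req, {(b"FILESRV", 0x20), (b"*SMBSERVER", 0x20)})))
    # The same SMB framed for 139/TCP and for 445/TCP is byte-identical.
    print(frame_smb(b"\xffSMB", direct=False) == frame_smb(b"\xffSMB", direct=True))
```

After a negative response the 139/TCP connection is closed by the server and a fresh TCP connection (with the real called name) is needed, which is the re-establishment the reply describes. frame_smb makes the reply's last point concrete: the direct-hosted 445/TCP header is the NBT Session Message header with the flag bit folded into a wider length field, so what 445 removes is only the request/response pair, not the 4-byte framing.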