Thoughts on netbios exploitation


Plumbing, network-style

Recently, Slashdot covered a story about how netbios host discovery can be hijacked. While this has many obvious and grave security concerns, this defeat also an opportunity for enhancing the netbios protocol.

From the turning-a-flaw-into-a-feature department, I’d like to suggest that a new netbios service could be designed to masquerade or proxy netbios hosts that would not otherwise be available on a given netbios network. Let’s look at each one of these activities in turn.

NetBIOS Masquerading

Imagine a medium sized company with a file server that hosts read-only only material. This is a fairly common configuration. The netbios protocol requires each machine to have a unique name on the network. That means that everyone in the company who desires access to the network share must connect to this one file server. But what if you had a service that allowed many file server to respond to same netbios name? That would allow the file server load to be spread across multiple machines in a somewhat random manner akin to DNS round-robin load balancing.

NetBIOS Proxying

NetBIOS does not allow routing. When a host is sought by workstation, that host must be on the same network segment as the seeker. However, if you built a netbios proxy service, a host that has access to a desirable resouce on non-routable network could proxy requests for it on another network. Although proxying has overhead, it might be a great solution for admins trying to merge two companies’ networks.

It is possible, I think, with existing tools on Linux to do these kinds of services with a little hacking. The idea of exploiting this exploit for something useful appealed to me.