Which of the following protocols does NetBIOS use to access a network resource?

Domino supports the NetBIOS interface on Microsoft™ Windows™ systems over the following transport protocols: TCP/IP (on systems running TCP/IP) and NetBEUI (supplied with all Microsoft network products).

Note: Although you can add some NetBIOS services to Linux™ and UNIX™ systems, NRPC communication does not use them.

Deciding whether to use NetBIOS services

Including NetBIOS in the Domino network has both benefits and risks. The benefits are as follows:

  • NetBIOS has low overhead relative to other protocol suites. NetBIOS over NetBEUI has the least overhead; and NetBIOS over TCP/IP has the most.
  • Because it is not directly routable, NetBIOS over NetBEUI can provide a secure means to access your server for administration within a flat network. To access the server over a routed IP network, you can create a data-link switching (DLSw) tunnel to limit the administration access with NetBIOS over NetBEUI.
  • Because NetBIOS name-to-address resolution services offer dynamic registration by name broadcasts, you can use NetBIOS to build a remote Domino network for temporary or emergency use.

The risks of using NetBIOS involve the security of the file system on Domino servers. Depending on the access permissions of the operating system and on the transport protocol being used, NetBIOS name and file services might allow users to see or access the server's file system. When a server provides NRPC services, mitigate this risk by disabling the NetBIOS name and file services (SMB/CIFS) on the system so that the system's name cannot be seen over the network. Other HCL Notes® and Domino systems can still find the Domino server because Domino has its own NetBIOS name service to propagate and register the Domino server's NetBIOS name, but access is secure because it is controlled by the authentication and certification features in NRPC.

If the system on which you run Domino requires NetBIOS name or authentication services, mitigate the security risk by isolating the NetBIOS services. Install an additional NIC on the system for NetBIOS over a private administration network, and disable NetBIOS on the NIC that the Domino server uses.

NetBIOS stands for Network Basic Input Output System. It allows computers to communicate over a LAN and to share files and printers.

NetBIOS names are used to identify network devices over TCP/IP (Windows). A NetBIOS name must be unique on a network and is limited to 16 characters: 15 characters are used for the device name, and the 16th character is reserved for identifying the type of service running or the name record type.
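The 15 + 1 name layout described above, as an added example that is not part of the original page. It goes one step beyond the text by also handling the RFC 1001 first-level encoding that NetBIOS over TCP/IP uses on the wire. The host name `DOMINO01`, the function names and the suffix table subset are assumptions chosen for illustration.

```python
# Added example (not from the original page). Host names below are constructed.

# Commonly documented 16th-byte suffixes for unique NetBIOS names (subset).
SUFFIXES = {
    0x00: "Workstation service",
    0x03: "Messenger service",
    0x1B: "Domain Master Browser",
    0x1D: "Master Browser",
    0x20: "File Server service",
}


def encode_wire_name(name: str, suffix: int) -> bytes:
    """Pad the name to 15 bytes, append the suffix, apply RFC 1001 encoding."""
    if not 1 <= len(name) <= 15:
        raise ValueError("device name must be 1-15 characters")
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    # Each byte becomes two letters: 'A' + high nibble, then 'A' + low nibble.
    return bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))


def decode_wire_name(encoded: bytes) -> tuple[str, int, str]:
    """Return (device name, suffix byte, service label) for a 32-byte wire name."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    nibbles = [c - 0x41 for c in encoded]
    if any(not 0 <= n <= 15 for n in nibbles):
        raise ValueError("encoded name may only contain the letters A-P")
    raw = bytes((hi << 4) | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))
    name = raw[:15].decode("ascii", errors="replace").rstrip(" ")
    return name, raw[15], SUFFIXES.get(raw[15], "unknown")


def advertises_file_service(encoded: bytes) -> bool:
    """True when the record is for the file server service (suffix 0x20)."""
    return decode_wire_name(encoded)[1] == 0x20


if __name__ == "__main__":
    for host, suffix in (("DOMINO01", 0x00), ("DOMINO01", 0x20)):
        wire = encode_wire_name(host, suffix)
        print(wire.decode(), decode_wire_name(wire), advertises_file_service(wire))
```

A record with suffix 0x20 is the one to look for when checking whether a server still announces its file service after the name and file services were meant to be disabled.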

Attackers use NetBIOS enumeration to obtain:

  • List of computers that belong to a domain
  • List of shares on the individual hosts on the network
  • Policies and passwords

Commands and tools used:

Nbtstat: utility used to find protocol statistics, NetBIOS name table and name cache details

Superscan: GUI tool used to enumerate Windows machines

Net view: command line tool to identify shared resources on a network

SNMP Enumeration

SNMP (Simple Network Management Protocol) is an application-layer protocol that uses UDP to maintain and manage routers, hubs, switches and other network devices on an IP network. SNMP is very common and is found enabled on a variety of operating systems, such as Windows Server, Linux and UNIX servers, as well as on network devices such as routers and switches.

SNMP enumeration is used to enumerate user accounts, passwords, groups, system names and devices on a target system.

SNMP consists of three major components:

  1. Managed Device: A managed device is a device or a host (technically known as a node) which has the SNMP service enabled. These devices could be routers, switches, hubs, bridges, computers etc.
  2. Agent: An agent can be thought of as a piece of software that runs on a managed device. Its primary job is to convert the information into SNMP compatible format for the smooth management of the network using SNMP protocol.
  3. Network Management System (NMS): These are the software systems that are used for monitoring of the network devices.

An agent running on every SNMP device provides access to a readable and writable database. This database, the management information base (MIB), is a hierarchically organized virtual database containing a formal description of all the network objects that can be managed using SNMP, each identified by a specific object identifier (OID). It is a giant repository of values and settings. A manager is also involved in the process and queries the agent for various details.

A community string is a text string used to authenticate communications between the management stations and the network devices on which SNMP agents are hosted. Community strings travel in clear text over the network and are therefore subject to network sniffing attacks. They are sent with every network packet exchanged between the node and the management station.

Two types of community strings:

  1. Read only: This mode permits querying the device and reading the information, but does not permit any kind of changes to the configuration. The default community string for this mode is “public.”
  2. Read Write: In this mode, changes to the device are permitted; anyone who connects with this community string can modify the remote device's configuration. The default community string for this mode is “private.”

When community strings are left at their default settings, attackers can take advantage of them.

Few tools:

  1. OpUtils Network Monitoring Toolset — http://www.manageengine.com
  2. SolarWinds (best SNMP enumeration tool) — www.solarwinds.com
  3. Command-line tools: snmpwalk, snmp-check

Countermeasures:

  1. Remove or disable SNMP agents on hosts
  2. Block port 161 at all perimeter network access devices
  3. Restrict access to specific IP addresses
  4. Use SNMPv3 (more secure)
  5. Implement the Group Policy security option called “Additional restrictions for anonymous connections”
  6. Access to null session pipes, null session shares, and IPsec filtering should also be restricted
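One way to check for the default community strings and the source-restriction countermeasure described above, as an added example that is not part of the original page. It assumes a net-snmp agent configured through `snmpd.conf` with the `rocommunity`, `rwcommunity` and `com2sec` directives; the sample configuration, function name and finding codes are constructed for illustration.

```python
# Added example: audit net-snmp snmpd.conf text for weak community settings.
# SAMPLE_CONF and the finding codes are constructed for illustration.

DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
OPEN_SOURCES = {"default", "0.0.0.0/0", "::/0"}  # no restriction on who may query

SAMPLE_CONF = """\
# constructed sample
rocommunity public
rwcommunity private 10.0.0.0/8
rocommunity n0c-Mon1tor 192.0.2.10
com2sec readonly default public
rouser nmsadmin priv
"""

def audit_snmpd_conf(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, finding code, community) for each weak setting."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = line.split("#", 1)[0].split()   # drop comments and blank lines
        if not tokens:
            continue
        directive, args = tokens[0].lower(), tokens[1:]
        if directive in COMMUNITY_DIRECTIVES and args:
            community = args[0]
            source = args[1] if len(args) > 1 else "default"
            writable = directive.startswith("rw")
        elif directive == "com2sec":
            if args[:1] == ["-Cn"]:              # optional context argument
                args = args[2:]
            if len(args) < 3:
                continue
            # com2sec only maps a community; write access is granted elsewhere.
            source, community, writable = args[1], args[2], False
        else:
            continue                             # e.g. rouser/rwuser are SNMPv3
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((lineno, "DEFAULT_COMMUNITY", community))
        if source in OPEN_SOURCES:
            findings.append((lineno, "UNRESTRICTED_SOURCE", community))
        if writable:
            findings.append((lineno, "READ_WRITE_COMMUNITY", community))
    return findings

if __name__ == "__main__":
    for finding in audit_snmpd_conf(SAMPLE_CONF):
        print(finding)
```

Any community directive that remains after the audit still sends its string in clear text, so a clean report is a step toward SNMPv3 rather than a replacement for it.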

LDAP Enumeration

The Lightweight Directory Access Protocol (LDAP) is a protocol used to access directory listings within Active Directory or other directory services. A directory is usually compiled in a hierarchical and logical format, rather like the levels of management and employees in a company. LDAP tends to be tied into the Domain Name System to allow integrated quick lookups and fast resolution of queries. LDAP generally runs on port 389 and, like other protocols, generally conforms to a distinct set of rules (RFCs). It is possible to query the LDAP service, sometimes anonymously, to obtain a great deal of information, such as valid usernames, addresses and departmental details, that could be used in a brute-force or social engineering attack.

What is the best method of preventing NetBIOS attacks?

In addition to turning off the NetBIOS service, you can prevent misuse of the NetBIOS service by closing TCP & UDP port 137 in your Windows firewall.

Which of the following is a Windows client-server technology designed to manage patching and updating system software from the network?

Windows Software Update Services (WSUS) is designed to manage patching and updating system software from the network.

What is an open source implementation of CIFS?

A. Samba is an open-source implementation of CIFS.