KFSensor Windows networking emulation

KFSensor supports the four Windows networking services using four Sim Standard Servers:

Service                        Port      Sim Std Server
NetBIOS Name Service (NBNS)    UDP 137   NBT Name Service
NetBIOS Datagram               UDP 138   NBT Datagram Service
NetBIOS Session Service        TCP 139   NBT Session Service
SMB Direct                     TCP 445   NBT SMB

Emulation Type

Currently there is only one type of emulation, called "Anything Goes". This emulation does not enforce any rules or restrictions on a visitor, such as insisting that a session is set up before a file is opened. It always returns a positive response to any request it receives.

The "Anything Goes" emulation is designed to catch the maximum number of tricks used by hackers. The emulation will appear to be Windows 98 if accessed on port 139 and Windows NT based if accessed on port 445.

There are dozens of SMB commands, and even more in the different sub-protocols such as RAP.
KFSensor correctly processes only a subset of these, the ones known to be used by attackers.
For examples of the functionality KFSensor supports, see the next section of the manual: Testing KFSensor Windows networking emulation.

The NetBIOS Name Service emulation deliberately does not take part in browser elections or broadcast its presence. This makes it invisible to a user on the same LAN who examines their "My Network Places" in Windows. Instead it responds directly to requests made to its IP address. Such requests are very likely to be malicious.

Configuring KFSensor

The four Windows networking services are added as part of the NetBIOS/NBT/SMB and RPC option in the Components of the Setup Wizard.

The most important things to configure are the NBT names that KFSensor should return in response to a name service query and the NBT Shares that are returned in response to a RAP RNetShareEnum request.

You can change these using the NBT Settings dialog box.
The default names are GIMLI for the computer and MORIA for the workgroup.
Change all occurrences of these names to ones appropriate to your network.

File Transfers

The main purpose of NBT is to transfer files between two computers. Hackers and worms use this to read system files from the target system and to upload malware onto the target system.

As part of the emulation KFSensor allows real files to be transferred, in a safe manner. The files that can be transferred are limited to two specified directories.

If file downloads are disabled, or the requested file is not found, then KFSensor generates an in-memory file of random size containing random data, which is then transferred to the visitor.

How the download works

If a visitor requests that a file be opened for reading, KFSensor looks in the Download Path to see whether the requested file exists in that directory. Any sub-directory specified in the request is always ignored.
If the file is found, it is transferred to the visitor through subsequent read requests.

KFSensor includes two example system files in the default download path as part of the installation.
The WIN.INI and SYSTEM.INI files come from a typical Windows 98 machine and are common points of attack for a worm.

How the upload works

If a visitor requests that a file be opened for writing, KFSensor accepts the data into memory.
When the file is closed, KFSensor creates a file in the Upload Path using the following name format:

<visitor's ip address><visitor's port><requested file name>.bin

All non-standard characters and periods in the file name are converted to underscores.
The files are always given the extension .bin instead of the requested file name's extension.

The files uploaded are likely to be either trojans or worms. Treat them with care.

Anti-Virus software is extremely useful in identifying the type of malware that has been uploaded.
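As an added illustration, and not KFSensor's own code, the Python below models the download and upload rules described above: the sub-directory is dropped from the request, a missing file (or disabled downloads) is answered with random filler, and an upload is held in memory and written on close as <ip><port><name>.bin. It assumes that "standard" characters are ASCII letters, digits, '-' and '_', and that the underscore conversion applies to the whole generated name, so the periods in the visitor's IP address are replaced too.

```python
from __future__ import annotations
import os
import re
import secrets

# Constructed model of the file-transfer rules described on this page; not KFSensor code.

def requested_basename(requested: str) -> str:
    """Keep only the final path component: any sub-directory in the request is ignored."""
    return requested.replace("\\", "/").rsplit("/", 1)[-1]

def serve_download(requested: str, download_path: str, downloads_enabled: bool = True,
                   max_random_size: int = 65536) -> tuple[bytes, bool]:
    """Return (data, is_real_file). A missing file, or disabled downloads, yields
    an in-memory file of random size filled with random data instead."""
    name = requested_basename(requested)
    candidate = os.path.join(download_path, name)
    if downloads_enabled and name and os.path.isfile(candidate):
        with open(candidate, "rb") as f:
            return f.read(), True
    size = 1 + secrets.randbelow(max_random_size)  # random size, at least one byte
    return secrets.token_bytes(size), False

# Assumption: "standard" characters are ASCII letters, digits, '-' and '_'; everything
# else, including every period, becomes an underscore.
_NON_STANDARD = re.compile(r"[^A-Za-z0-9_-]")

def upload_filename(visitor_ip: str, visitor_port: int, requested: str) -> str:
    """<ip><port><requested name> with the conversion applied, then a fixed .bin extension.
    Assumption: the conversion covers the whole generated name, so the dots in the
    IP address are replaced too and the requested extension is never preserved."""
    raw = f"{visitor_ip}{visitor_port}{requested_basename(requested)}"
    return _NON_STANDARD.sub("_", raw) + ".bin"

class UploadSession:
    """Data written by the visitor is held in memory and only hits disk on close."""
    def __init__(self, visitor_ip: str, visitor_port: int, requested: str) -> None:
        self.filename = upload_filename(visitor_ip, visitor_port, requested)
        self._chunks = []

    def write(self, data: bytes) -> int:
        self._chunks.append(bytes(data))
        return len(data)

    def close(self, upload_path: str) -> str:
        path = os.path.join(upload_path, self.filename)
        with open(path, "wb") as f:
            f.write(b"".join(self._chunks))
        return path
```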

Filtering events

NBT generates more events than any other server, both legitimate and illegitimate.
If you are on a large LAN then you may find the DOS limits are exceeded quite quickly.

In order to reduce the number of events received and logged by these services, use the Visitor Rules to ignore connections from machines on the local subnet.

It is also possible to disable the NBT Name Service, since it receives a lot of traffic and is rarely attacked.
