Window networking / NetBIOS / SMB / CIFS

Windows networking is a set of protocols and services that allow Windows machines to communicate to provide facilities such as file and printer sharing and work group and domain browsing.

This section contains a brief overview of how Windows Networking works.

The next section Configuring Windows networking for KFSensor describes how to configure Windows to enable KFSensor to emulate Windows networking.

The following section KFSensor Windows networking emulation describes how KFSensor emulates Windows networking and how to configure it and interpret the events it generates.

Windows Networking

Windows Networking is extremely complex and confusing to understand given its long history of development.

Back in the old days of DOS machines could communicate with each other using a protocol called NetBIOS. This ancient protocol is inferior in almost every aspect to the IP protocol. Pure NetBIOS is hardly ever used a anymore on modern networks.
However Microsoft could not abandon it completely as so much software, including their own, relied upon it. Microsoft introduced NetBIOS over TCP/IP (NBT). NBT allows the NetBIOS API to run over an IP network.

Microsoft introduced another protocol called Common Internet File System (CIFS) which enables the core functionality of Windows Networking; file and printer sharing and domain. The core of CIFS is a protocol called the Server Message Block (SMB). The SMB sits on top of NBT as its transport layer. SMB can be implemented on other protocols other than NBT, as described later on. The long term intention of Microsoft is to abandon NBT.

While NBT is essentially a Windows protocol, there exists a module for Linux called Samba that allows Linux to provides services to Windows clients.

With all these abbreviations it can get very confusing. KFSensor just uses NBT to refer to its components that deal with Windows networking, even though strictly speaking some of these components, have nothing to do with NBT.

NetBIOS Names

NetBIOS names are used to identify machines and workgroups and form the key building blocks of the NBT system.
The names are limited to sixteen characters that are always in upper case.
The sixteenth character of a NetBIOS name is used to indicate the type of service the name refers to. A Windows machine will thus own several names that vary only by their sixteenth character.

NetBIOS names are usually encoded into a special 32 character format which makes them un-readable unless they are decoded.

There are four separate services that are used to implement Windows networking.
KFSensor emulates each one of these as described in the following sections.

Service Port Description
NetBIOS Name Service (NBNS) UDP 137 NBNS is also known as Windows Internet Name Service (WINS).
The job of NBNS is to match IP addresses with NetBIOS names and allow queries to be made of the matches. The name service is usually the first service that will be attacked. A visitor will need the information it can provide to begin a session on the other services.
NetBIOS Datagram UDP 138 The Datagram service is used receive broadcasts of SMB packets via UDP.
This service receives a lot of legitimate traffic from other Windows machines on the LAN as they broadcast their names and services. It is rare for an attacker to use this service, unless they are trying to add their machine to the windows network.
NetBIOS Session Service TCP 139 The Session Service is used to handle NBT sessions. NBT sessions are a light weight protocol used to contain an SMB session. The SMB protocol and sessions based on it are used to provide the complex functionality of the services supported by Window's networking; such as file and print sharing.
This is the service that attackers will be most interested in.
SMB Direct TCP 445 In Windows 2000 Microsoft introduced an implementation of SMB that does not need NBT to communicate.
This service is in practice the same as the NetBIOS Session Service, but without the additional NBT protocol around the SMB session. The SMB Direct is not supported in older Windows versions. The older hacker tools do not target this service, instead they go for the NetBIOS Session Service.

Further reading

The description given here is only very brief introduction and does not begin to describe the NBT or SMB protocols.

There are many articles and web sites that explain there issues in much greater detail. The following may be of interest:

Next: Configuring Windows networking for KFSensor

Related Topics


KF Sensor On-Line Manual Contents