hacking contest

hacking exploits security forum
hacking
compliance articles
upgrade backup exec
information security consultant
Help - Search - Member List - Calendar
Full Version: Nbtstat Work Around ?
GovernmentSecurity.org > System Security > Beginners Section
FLW
Oct 21 2003, 04:26 PM
Is there a way to deny someone from running "nbtstat -a ip" and picking off the logon name? I have a local whois that I run to see what is up and want to know if there is any way a local user can disable his machine from returning the usr name?

I have some users that can/have change machine names as easily as underware so I won't bother with that but they can't change there logon (their own or one borrowed). This includes if they are only logged on on locally and not to any server. (i.e. WinXP Home )

I've tested a linux box which will still show the machine name but it's not the local usr name. XP Home which shows machine and local usr name. XP Pro which is authenticated to servers show both as well.

Right now I run a script that does a nbtstat -a ip to any machine that accesses the gateway out as well as tracking all pages hit and time on line. Got this script from squint.

Any idea's on what the usr's may try to hide local usr name via nbtstat? I'm trying to stay one step ahead.
snail
Oct 22 2003, 08:48 AM

the <03> "username" comes from the Messenger service. Disable it.


This will also stop the "net send" spam you get on the internet while de-firewalled
FLW
Oct 22 2003, 05:28 PM
QUOTE
the <03> "username" comes from the Messenger service. Disable it.


I don't believe Win98 or win2k came with Messenger. At least its not on any of our machines by default.

But what I did discover is if one (or more mad.gif ) of my users turned on the built in XP firewall, nbtstat will not work at all. I assume the same would be true for other firewall products that can be added on as well, like ZoneAlarm. All for no cost and have just defeated the tracking script.

I guess hunt down a firewall detection script from the net and give it a try. Since all usr's are internal there is no good reason to install software without authorization.

Thanks to anyone who read and gave my post some thought.
Grinler
Oct 22 2003, 06:13 PM
Blocking ports UDP 137,138 I believe should be sufficient.

I think you can also stop this by disabling Netbios over IP.


fuzzard
Oct 22 2003, 11:44 PM
QUOTE
I don't believe Win98 or win2k came with Messenger. At least its not on any of our machines by default.


he wasnt talkin about msn messenger. he was talking about the messenger service. Ther is a big difference in teh 2 and on win2k it is installed and running by default
FLW
Oct 23 2003, 02:18 AM
QUOTE
Ther is a big difference in teh 2 and on win2k it is installed and running by default


Still can't be the messenger since nbtstat picks off win98 and 95 boxes info no problem. Also 98% of the machines had no file or printer shares on.

But again a basic firewall will stop nbtstat from working or use advanced tcp/ip filter in win2k/xp. The simplest work around of being ID'd, I've already figured out.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
 
Invision Power Board © 2001-2005 Invision Power Services, Inc.