Checking for Windows NetBIOS risks

Here's a final test. On a home system running Windows, if a port scan finds port 139 open, file sharing (NetBIOS) is open on your computer.

You can use the Windows nbtstat utility to see if your system is making files available. Nbtstat is a utility that shows information about current TCP/IP connections using NetBIOS. For this you'll need the IP address that's assigned to your computer. This applies to any kind of connection, whether it is a dialup connection, a cable modem, DSL, or anything else.

On dialup connections and on some cable modem, DSL, or other broadband connections at home, you don't have an assigned IP address. Your IP address is dynamically assigned by your ISP. If you don't know your IP address, you can find it on a Windows computer by opening a DOS window and entering the command ipconfig /all. The results will look something like this (the numbers here aren't real):

C:\>ipconfig /all
Windows NT IP Configuration
        Host Name . . . . . . . . . : gary 
        DNS Servers . . . . . . . . : 192.168.1.1
        Node Type . . . . . . . . . : Hybrid
        NetBIOS Scope ID. . . . . . :
        IP Routing Enabled. . . . . : No
        WINS Proxy Enabled. . . . . : No
        NetBIOS Resolution Uses DNS : Yes
Ethernet adapter SMCISA1:
        Description . . . . . . . . : Intel EtherExpress
        Physical Address. . . . . . : 00-AA-80-CF-42-C0
        DHCP Enabled. . . . . . . . : No
        IP Address. . . . . . . . . : 192.168.1.3
        Subnet Mask . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . : 192.168.1.1

Now you have your IP address. Next, use nbtstat to see a table of current TCP/IP connections. Enter the command nbtstat -A your_IP_address. (Be sure to put in your IP address and to use a capital A.)

The table nbtstat produces will look something like this (if you don't have a network card on your computer, but only have a modem, the MAC Address will be all 0s):

NetBIOS Remote Machine Name Table
        Name               Type         Status
        GARY           <03>  UNIQUE
        GARY           <03>  UNIQUE
        GARY           <00>  UNIQUE
        WORKGROUP      <00>  GROUP
        GARY           <20>  UNIQUE
        MAC Address = 00-00-00-00-00-00

What you (and any attacker) are looking for here is the code <20>. This means that your system is advertising that it has shares available. These shares (your hard drive and files) are potentially available on the Internet.

If you don't see the <20> code, then it means that no one can use a simple Windows connection to get to your files. It does not mean that there aren't other vulnerabilities on your system.
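The check described above can be run over saved nbtstat -A output. The following Python is an added example, not part of the original article: the sample table is constructed and modelled on the one shown earlier, and the function names and the descriptions given for the <00> and <03> codes are this example's own additions.

```python
import re

# Constructed sample in the shape of the article's nbtstat -A table.
SAMPLE = """\
NetBIOS Remote Machine Name Table
Name Type Status
GARY <03> UNIQUE
GARY <00> UNIQUE
WORKGROUP <00> GROUP
GARY <20> UNIQUE
MAC Address = 00-00-00-00-00-00
"""

# Standard NetBIOS suffix meanings for the codes that appear in the sample.
SUFFIXES = {
    (0x00, "UNIQUE"): "Workstation service",
    (0x00, "GROUP"): "Workgroup or domain name",
    (0x03, "UNIQUE"): "Messenger service",
    (0x20, "UNIQUE"): "File server service (shares advertised)",
}

# Name, <hex suffix>, UNIQUE or GROUP; a trailing status word is ignored.
ROW = re.compile(r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\b", re.I)
MAC = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f-]{17})")

def parse_nbtstat(text):
    """Return (rows, mac); rows is a list of (name, suffix, type) tuples."""
    rows, mac = [], None
    for line in text.splitlines():
        row, hw = ROW.match(line), MAC.search(line)
        if row:
            rows.append((row.group(1), int(row.group(2), 16), row.group(3).upper()))
        elif hw:
            mac = hw.group(1).upper()
    return rows, mac


def sharing_names(text):
    """Names registered with suffix <20>, i.e. advertising file sharing."""
    return sorted({n for n, suffix, _ in parse_nbtstat(text)[0] if suffix == 0x20})


if __name__ == "__main__":
    rows, mac = parse_nbtstat(SAMPLE)
    for name, suffix, kind in rows:
        meaning = SUFFIXES.get((suffix, kind), "other")
        print(f"{name:<16}<{suffix:02X}> {kind:<7}{meaning}")
    print("MAC:", mac)
    print("File sharing advertised by:", sharing_names(SAMPLE) or "none")
```

An empty result from sharing_names means only that no <20> name is registered; as the article says, it does not rule out other vulnerabilities.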

If you do see the <20> code and you haven't yet set up a firewall, you should either disable file sharing on your system or be sure to add a Scope ID password. Computers using Scope ID are invisible to other computers that do not have the same Scope ID. For more information on Scope ID see Microsoft's Using and Troubleshooting the TCP/IP Scope ID.

To set up Scope ID on either a Windows 98 or Windows 95 computer, see Microsoft's Windows 95 NetBIOS Scope ID Configuration.

On Windows NT, use these steps to set up Scope ID:

  1. Go to Network Protocols in the Control Panel.

  2. Select the TCP/IP Protocol.

  3. In Properties go to WINS Address.

  4. Find the box for Scope ID.

  5. Enter an ID—a secure password.

This has tested only one potential vulnerability on your home computer.

If you are ready to set up a firewall for your home system in order to make sure it is secure, then you are ready to go to Part 2: Hardware and networking ... what you'll need to build a Linux firewall. (coming soon!)
