COMMAND

    netbios (feature using nbtstat)

SYSTEMS AFFECTED

    Win95, NT

PROBLEM

    Chris Williams posted the following.  It seems someone on a Win95
    machine can remotely get access to shared directories on Win95/NT
    machines.  This bug/process was posted in thtj #14.  The attacker
    uses nbtstat to list the current machines running a NetBIOS
    session, adds that machine to his lmhosts file, refreshes his own
    NetBIOS session and then searches for the computer name.  If the
    machine shows up, he/she now has access to un-passworded
    directories on that machine.

    Here's the attack sequence to go through to test your machine:

        nbtstat -A ipaddy#

    If there is a NetBIOS session running it returns the computers on
    it and the groups.  Write down the first name you see that has
    UNIQUE next to it.  Now open up c:\windows\lmhosts (or your
    equivalent) and add

        ipaddy machinename

    Save it, and purge your NetBIOS session:

        nbtstat -R

    It should say purge successful.  If it doesn't, you have a
    networking error.  Now go to Find Computer and search for the
    computer name; if found, double click on it and you have their
    shared dirs right there for you.  It's not even really logged.

SOLUTION

    This is a rather large security flaw in the way NetBIOS trust
    works.  The quick fix is easy, just password your dirs.... but
    this seems to be a hole out of lousy networking authentication.
    It is just the normal way of using the NBTSTAT command.
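
    To check your own machine's exposure, the sketch below (an added
    example, not part of the original post) parses the name table that
    nbtstat -A prints and reports whether a UNIQUE name is registered
    with the <20> suffix, which is the file server service that
    publishes shared directories.  The sample output and host names
    are constructed.

```python
import re

# Constructed sample of `nbtstat -A <address>` output (not from the original post).
SAMPLE = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
FRONTDESK      <00>  UNIQUE      Registered
WORKGROUP      <00>  GROUP       Registered
FRONTDESK      <03>  UNIQUE      Registered
FRONTDESK      <20>  UNIQUE      Registered
WORKGROUP      <1E>  GROUP       Registered

MAC Address = 00-00-00-00-00-00
"""

# One table row: name, <hex suffix>, UNIQUE or GROUP, status.
ROW = re.compile(r"^\s*(?P<name>.+?)\s*<(?P<suffix>[0-9A-Fa-f]{2})>\s+(?P<type>UNIQUE|GROUP)\s+(?P<status>\S+)")

def parse_name_table(text):
    """Return (name, suffix, type, status) tuples from nbtstat -A output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m["name"], m["suffix"].upper(), m["type"], m["status"]))
    return rows

def file_sharing_names(text):
    """Names that register the <20> (file server service) suffix as UNIQUE."""
    return [name for name, suffix, kind, status in parse_name_table(text)
            if suffix == "20" and kind == "UNIQUE" and status == "Registered"]

def audit(text):
    """Turn one nbtstat -A capture into a one-line finding."""
    if not parse_name_table(text):
        return "no NetBIOS name table returned"
    names = file_sharing_names(text)
    if not names:
        return "name table present, file server service not registered"
    return "file sharing reachable as %s: password every share" % ", ".join(names)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

    Save the output of nbtstat -A for each of your own hosts and pass
    the text to audit(); any host reported as reachable needs its
    shares passworded as described above.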