RE: TIS Gauntlet : WINS and Exchange

From: Garbrick, Randy (rgarb@data-io.com)
Date: Thu Apr 02 1998 - 09:51:23 PST


    This is true with one exception.  WINS maps each character of the
    NETBIOS name to TWO characters in a really weird way. I guess that they
    did this because the name field in DNS is twice as long as the NETBIOS
    names.  This only becomes a problem if you have to sniff the packets.  I
    have a conversion table that I made for this purpose if you need it.
    RFC1001 and RFC1002 should explain the whole thing. 
    
    > ----------
    > From: 	Bill_Roydsat_private[SMTP:Bill_Roydsat_private]
    > Reply To: 	Bill_Roydsat_private
    > Sent: 	Wednesday, April 01, 1998 1:23 PM
    > To: 	firewall-wizardsat_private
    > Subject: 	Re: TIS Gauntlet : WINS and Exchange
    > 
    > WINS is really DNS on another port down to format of the replies. So
    > anything you could do with DNS (cache poisoning, exploits) can be done
    > on WINS.
    > The port used is 137/UDP which is one part of the netbios suite (from
    > 137-139). Since all your machines advertise themselves as being
    > exploitable MS OS machines with broadcasts on this port, it is
    > inherently very dangerous to do this over the Internet. The smbclient
    > (or simple NT stuff) would certainly allow them to break passwords
    > unless they use NT challenge response password checking (this would
    > slow things down but not eliminate it).
    > 
    > Why don't they use a VPN tunnel (even MS pptp would be better than
    > nothing) to connect the 2 WINS servers and not allow any netbios over
    > the Internet?
    > 
    > Hey folks,
    > So I am currently on a project that involves
    > a number of m$ products; <sigh>
    > "Know thy enemy" is what I always say
    > though.
    > Check this: the company has 2 WINS servers; the primary
    > one is in their uptown location. Their secondary is
    > at their downtown location, where I am.
    > So they do WINS resolution _over the Internet_.
    > (no inter-office connectivity
    > except through the net). Are WINS and the port 137-139
    > netbios services the same thing? How the fsck does WINS
    > work anyway? More importantly, how will I pass
    > it through the Gauntlet firewall (plug-gw?) (is there not
    > the fear that somebody can just use smbclient and
    > a cracked password to access the drives?) Not only
    > that, but they do the Exchange database replication
    > also _over the internet_. Needless to say, their
    > setup is fubar. But I have to know: how does the m$ sexchange
    > db replication work anyway? (which ports or anything)
    > More importantly, how do I pass it through gauntlet?
    > I believe I might have to just tcpdump
    > on the wire and figure out what's happening,
    > 'cause RFC1001 and RFC1002 ain't fun reading.
    > Suggestions, flames, comments welcome.
    > --Anindya
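Added example (editor's code, not posted by anyone in this thread): the two-characters-per-byte mapping Randy describes above is the "first-level encoding" of RFC 1001 section 14.1. Each of the 16 bytes of a NetBIOS name (15 characters, space-padded, plus a 16th "suffix" byte) is split into two nibbles and each nibble has 'A' (0x41) added, so the wire form is 32 letters in the range A..P that satisfy DNS label syntax. The code below implements that encoding and its inverse, and builds and parses the NBNS NAME QUERY REQUEST (RFC 1002 section 4.2.12) that travels on 137/UDP, which is what you would want to decode from a tcpdump capture of the traffic between the two WINS servers. "FRED" is the worked example RFC 1001 itself uses; the suffix table is the usual set of Microsoft service suffixes, the transaction ID and scope are arbitrary test values, and nothing here is a conversion table from the thread.

```python
import struct

# Common 16th-byte suffixes.  RFC 1001/1002 leave this byte to the
# application; these are the values Microsoft networking assigns.
SUFFIXES = {
    0x00: "workstation service",
    0x03: "messenger service",
    0x1B: "domain master browser",
    0x1C: "domain controllers",
    0x1D: "master browser",
    0x1E: "browser election",
    0x20: "file server service",
}

QTYPE_NB = 0x0020      # NAME QUERY REQUEST (RFC 1002 4.2.12)
QTYPE_NBSTAT = 0x0021  # NODE STATUS REQUEST, usually sent for the name "*"


def first_level_encode(name: str, suffix: int = 0x20) -> str:
    """RFC 1001 14.1: split each of the 16 name bytes into two nibbles and
    add 'A' (0x41) to each, giving 32 characters in the range A..P."""
    raw = name.upper().encode("ascii")
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 characters plus a suffix byte")
    pad = b"\x00" if raw == b"*" else b" "   # the wildcard name is NUL-padded
    raw = raw.ljust(15, pad) + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def first_level_decode(encoded: str) -> tuple[str, int]:
    """Inverse of first_level_encode: 32 chars A..P -> (name, suffix)."""
    if len(encoded) != 32 or any(not "A" <= c <= "P" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    nibbles = [ord(c) - 0x41 for c in encoded]
    raw = bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]


def build_name_query(name: str, suffix: int = 0x20, trn_id: int = 0x1234,
                     broadcast: bool = False, scope: str = "",
                     qtype: int = QTYPE_NB) -> bytes:
    """Build an NBNS NAME QUERY REQUEST.  The 16-bit header flags are laid
    out R|OPCODE(4)|AA|TC|RD|RA|0|0|B|RCODE(4), so RD=0x0100 and B=0x0010;
    a broadcast query therefore carries 0x0110, a unicast query to a WINS
    server 0x0100."""
    flags = 0x0100 | (0x0010 if broadcast else 0)
    header = struct.pack("!HHHHHH", trn_id, flags, 1, 0, 0, 0)  # QDCOUNT=1
    encoded = first_level_encode(name, suffix).encode("ascii")
    qname = bytes([len(encoded)]) + encoded           # one 32-byte label
    for label in filter(None, scope.split(".")):      # optional NetBIOS scope
        qname += bytes([len(label)]) + label.encode("ascii")
    qname += b"\x00"                                  # end of name
    return header + qname + struct.pack("!HH", qtype, 0x0001)  # CLASS IN


def parse_name_query(pkt: bytes) -> dict:
    """Decode the header and question of a captured 137/UDP query so the
    human-readable name, suffix and scope can be read off a sniffer trace."""
    trn_id, flags, qdcount, _an, _ns, _ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    labels = []
    while True:                       # walk the DNS-style label sequence
        length = pkt[off]
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    name, suffix = first_level_decode(labels[0])
    qtype, qclass = struct.unpack_from("!HH", pkt, off)
    return {
        "trn_id": trn_id,
        "opcode": (flags >> 11) & 0x0F,
        "recursion_desired": bool(flags & 0x0100),
        "broadcast": bool(flags & 0x0010),
        "qdcount": qdcount,
        "name": name,
        "suffix": suffix,
        "suffix_desc": SUFFIXES.get(suffix, "unknown"),
        "scope": ".".join(labels[1:]),
        "qtype": qtype,
        "qclass": qclass,
    }


if __name__ == "__main__":
    # The RFC 1001 example: "FRED" with a space suffix encodes to
    # EGFCEFEE followed by twelve "CA" pairs.
    print(first_level_encode("FRED"))
    pkt = build_name_query("FRED", broadcast=True)
    print(pkt.hex())
    print(parse_name_query(pkt))
```

The decoder only handles the question section, which is enough to identify what is being looked up; WINS registration and refresh packets use the same name encoding and header layout with a different OPCODE, so the same routines apply to them once you extend the parser past the question.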
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:54:02 PDT