Re: Port 445 increase?

From: Daniel Polombo (polombo@cartel-securite.fr)
Date: Thu Jun 06 2002 - 13:41:01 PDT


    Eric Monti wrote:
    > TCP 445 is the Windows 2000 equivalent for what used to be port 139 in Windows NT. It is the new NetBIOS over TCP port or "nbsession". 
    
    Huh, no. Win2k introduced the possibility to run SMB directly over 
    TCP/IP, removing the need for the NetBIOS layer. So while tcp/445 is 
    ultimately used by the same services as the well-known NetBT ports 
    (usually tcp/137, udp/137, udp/138 and tcp/139), namely file and printer 
    sharing, there is no NetBIOS layer to decode.
    
    > The fact that the scan (if that's what it is) also does an nbname lookup further reinforces the likelihood that either someone is looking for open shares or other holes via NBT, or that someone is actually accessing your Windows 2000 shares (warez repository?). 
    
    Probably the former, given that the scan uses different methods to try 
    to access shared resources. One would expect an established connection 
    to use one or the other, but not both.
    
    > If that's a Win2k system, turn on some auditing and see what is actually going on (to an extent... Win2k/NT logging leaves a lot to be desired) or throw up a sniffer that can decode NetBIOS over TCP.
    
    Not NetBIOS. Just SMB. Ethereal (among others) should be able to isolate 
    the traffic you want to watch.
    
    --
    Daniel
    
    
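The distinction drawn above, as an added example that is not part of the original thread: a small decoder that classifies the first bytes of a TCP stream as either a NetBT Session Request on tcp/139 (type 0x81, carrying first-level-encoded called/calling names per RFC 1001/1002) or an SMB message behind the bare 4-byte length header used on tcp/445, where there is no NetBIOS session layer to decode. The sample payloads and the names FILESRV and CLIENT1 are constructed for the example.

```python
NBT_SESSION_MESSAGE = 0x00   # NetBIOS session service: Session Message (carries SMB)
NBT_SESSION_REQUEST = 0x81   # NetBIOS session service: Session Request (tcp/139 only)

def encode_nbt_name(name: str, suffix: int = 0x20) -> bytes:
    """First-level encode a NetBIOS name: 15 chars padded with spaces + suffix byte,
    each byte split into two nibbles and written as 'A' + nibble (32 bytes total)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(b for c in raw for b in (ord("A") + (c >> 4), ord("A") + (c & 0x0F)))

def decode_nbt_name(encoded: bytes) -> str:
    """Reverse encode_nbt_name, dropping the suffix byte and padding."""
    out = bytearray()
    for i in range(0, 32, 2):
        out.append(((encoded[i] - ord("A")) << 4) | (encoded[i + 1] - ord("A")))
    return out[:15].decode("ascii").rstrip()

def classify_session_start(payload: bytes, dst_port: int) -> dict:
    """Classify the first bytes of a TCP payload sent to tcp/139 or tcp/445.
    On 139 the stream opens with a Session Request naming both hosts; SMB only
    follows later inside type-0x00 Session Messages. On 445 every SMB message is
    simply prefixed by a zero byte and a 24-bit length, so SMB appears at once."""
    if len(payload) < 4:
        raise ValueError("need at least the 4-byte session header")
    msg_type = payload[0]
    length = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + length]
    if msg_type == NBT_SESSION_REQUEST and dst_port == 139:
        # body: 0x20 len byte, 32-byte called name, 0x00, 0x20 len byte, 32-byte calling name, 0x00
        return {"transport": "NetBT", "layer": "session request",
                "called": decode_nbt_name(body[1:33]), "calling": decode_nbt_name(body[35:67])}
    if msg_type == NBT_SESSION_MESSAGE and body[:4] in (b"\xffSMB", b"\xfeSMB"):
        return {"transport": "direct" if dst_port == 445 else "NetBT", "layer": "smb",
                "dialect": "SMB1" if body[0] == 0xFF else "SMB2", "length": length}
    return {"transport": "unknown"}

# Constructed samples (not captured traffic): a tcp/139 Session Request from CLIENT1 to
# FILESRV, and a tcp/445 stream that starts straight away with a 64-byte SMB2 header.
SAMPLE_139 = (bytes([NBT_SESSION_REQUEST]) + (68).to_bytes(3, "big")
              + b"\x20" + encode_nbt_name("FILESRV") + b"\x00"
              + b"\x20" + encode_nbt_name("CLIENT1", 0x00) + b"\x00")
SMB2_HEADER = b"\xfeSMB" + bytes(60)
SAMPLE_445 = bytes([NBT_SESSION_MESSAGE]) + len(SMB2_HEADER).to_bytes(3, "big") + SMB2_HEADER

if __name__ == "__main__":
    print(classify_session_start(SAMPLE_139, 139))
    print(classify_session_start(SAMPLE_445, 445))
```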
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Thu Jun 06 2002 - 14:08:14 PDT