David Shackelford wrote:
>
> DMZ PDC to Internal PDC: TCP 139 NetBios Session
> DMZ PDC to Internal PDC: UDP 137 Name Service
> DMZ PDC to Internal PDC: UDP 138 Datagram Service
Ah, I stand corrected. I thought that NT domain-style
authentication (which is pretty much what happens in a
trust relationship, as far as I know) involved DCE
endpoint mapping. Hrm, wonder which part of the domain
controller processes I mixed _that_ up with.
Now, all that remains is all the fun stuff you can pull
across NetBIOS with its length validation errors, etc, no
matter how hard your machine is tightened.
(Let's not even begin with the Registry poking, etc etc
stunts you can pull if it is NOT sufficiently tightened.)
Just as a fun(?) example:
Quoting Luke Kenneth Carson Leighton <[EMAIL PROTECTED]> at
Mon, 5 Jun 2000 05:39:48 +1000:
>
> a new concept had to be invented for this one: "the BSOD". a problem
> that causes an nt5 server's screen to go black.
>
> [snip]
>
> in the SMB header, the data was indicated as
> being 2048 bytes, and as a 0xC write mode. the first two bytes in the SMB
> data section were 0x48 - the length of the DCE/RPC PDU, followed
> immediately by the DCE/RPC PDU.
>
> the consequences? a Black Screen Of Death. nt4 is, at least, a little
> friendlier [for once]. it brings up the familiar, comforting blue screen
> that can be found on screen-saver programs and nt boxes located in your
> office.
>
Mommy! My internal network PDC went belly up just five minutes
after my DMZ got r00ted! (Or should I perhaps say 4dm1n157r470red?)
:)
As you can see, I'm not a big fan of letting the DMZ talk NetBIOS
to any part of the internal network....
Hmmm let's see now, xxx.118.108.17 seems like an interesting address
to poke around on, given what you've just said...
Oh, yummy, an MS FTP server behind a PIX. Now, where did my
passive FTP data channel PIX exploits (that use the logon string
so that it works without anonymous access) go...
Nah, I wouldn't do that uninvited ;)
Be safe,
/Mikael Olsson
--
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00 Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
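As an added defensive example (not from this post or from anyone quoted in it): a Python check that flags the kind of length inconsistency Luke's excerpt describes, where the SMB header's declared data length, the two-byte PDU length prefix and the DCE/RPC frag_length disagree. The two-byte-prefix layout of the data section and the sample PDU are assumptions constructed here, following the excerpt's description.

```python
import struct

DCERPC_HDR_LEN = 16  # fixed part of the DCE/RPC connection-oriented PDU header


def build_dcerpc_request(body_len):
    """Constructed sample: a DCE/RPC v5 request PDU whose frag_length matches its size."""
    frag_length = DCERPC_HDR_LEN + body_len
    # version 5.0, ptype 0 (request), flags first|last, drep little-endian, auth_len 0, call_id 1
    hdr = struct.pack("<BBBBBBBBHHI", 5, 0, 0, 0x03, 0x10, 0, 0, 0, frag_length, 0, 1)
    return hdr + b"\x00" * body_len


def check_smb_write_payload(declared_len, data):
    """Length-consistency checks on the data section of an SMB write to a named pipe.

    Assumed layout (as described in the quoted post): a 2-byte little-endian length
    prefix naming the DCE/RPC PDU size, followed by the PDU itself.  Returns a list
    of findings; an empty list means every length agrees.
    """
    findings = []
    if declared_len != len(data):
        findings.append(f"smb_declared_len_mismatch: declared={declared_len} actual={len(data)}")
    if len(data) < 2:
        findings.append("data_too_short_for_length_prefix")
        return findings
    (prefix_len,) = struct.unpack_from("<H", data, 0)
    pdu = data[2:]
    if prefix_len != len(pdu):
        findings.append(f"pdu_prefix_len_mismatch: prefix={prefix_len} actual={len(pdu)}")
    if len(pdu) < DCERPC_HDR_LEN:
        findings.append("pdu_shorter_than_dcerpc_header")
        return findings
    if pdu[0] != 5:
        findings.append(f"unexpected_rpc_version: {pdu[0]}")
    # drep byte 0, high nibble: 0 = big-endian integers, 1 = little-endian
    endian = "<" if (pdu[4] & 0xF0) == 0x10 else ">"
    (frag_length,) = struct.unpack_from(endian + "H", pdu, 8)
    if frag_length != len(pdu):
        findings.append(f"frag_length_mismatch: frag_length={frag_length} actual={len(pdu)}")
    return findings


GOOD_PDU = build_dcerpc_request(56)                      # constructed: 0x48 bytes total
GOOD_DATA = struct.pack("<H", len(GOOD_PDU)) + GOOD_PDU  # prefix 0x48, then the PDU

if __name__ == "__main__":
    print(check_smb_write_payload(len(GOOD_DATA), GOOD_DATA))  # consistent: []
    print(check_smb_write_payload(2048, GOOD_DATA))            # header claims 2048 bytes
```

A filter or IDS sitting between the DMZ and the internal network could apply the same three comparisons to named-pipe writes before forwarding them.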