SMB unicast - SMB



Thread: SMB unicast

  1. SMB unicast

    Hi everybody!

    I need some help from a SMB/NetBIOS over TCP guru. I have a firewall
    that is logging ALL traffic from one network (192.168.100.0/24) of
    windows workstations (Windows XP and Vista) to a network
    (192.168.1.0/24) of Windows servers.

    I see a repetitive pattern of entries in the firewall such as this:
    192.168.100.123:1765 -> 192.168.1.1:138 UDP allowed
    192.168.100.123:1766 -> 192.168.1.2:138 UDP allowed
    192.168.100.123:1767 -> 192.168.1.10:138 UDP allowed
    192.168.100.123:1768 -> 192.168.1.11:138 UDP allowed
    192.168.100.123:1769 -> 192.168.1.26:138 UDP allowed
    192.168.100.123:1770 -> 192.168.1.25:138 UDP allowed
    But I cannot see the contents of those packets.

    Some additional data:
    - 192.168.1.1 and 192.168.1.2 are the DCs.
    - 192.168.1.26 is an SQL server.
    - 192.168.1.{10,11,25} have been removed from the network long
    ago. They used to be an Exchange server, OWA and an SQL application.
    - 192.168.100.123 is obtained through DHCP, and the computer is not
    logged on to the DC.

    I would like to know:
    - What can those packets be? Which type of NetBIOS datagrams? (Keep in
    mind that they are unicast)
    - What application/configuration of windows can cause those packets to
    be sent?

    Thank you in advance.

    Regards,

    Jorge

  2. Re: SMB unicast

    Jorge D Ortiz wrote:
    > Hi everybody!
    >
    > I need some help from a SMB/NetBIOS over TCP guru. I have a firewall
    > that is logging ALL traffic from one network (192.168.100.0/24) of
    > windows workstations (Windows XP and Vista) to a network
    > (192.168.1.0/24) of Windows servers.
    >
    > I see a repetitive pattern of entries in the firewall such as this:
    > 192.168.100.123:1765 -> 192.168.1.1:138 UDP allowed
    > 192.168.100.123:1766 -> 192.168.1.2:138 UDP allowed
    > 192.168.100.123:1767 -> 192.168.1.10:138 UDP allowed
    > 192.168.100.123:1768 -> 192.168.1.11:138 UDP allowed
    > 192.168.100.123:1769 -> 192.168.1.26:138 UDP allowed
    > 192.168.100.123:1770 -> 192.168.1.25:138 UDP allowed
    > But I cannot see the contents of those packets.
    >
    > Some additional data:
    > - 192.168.1.1 and 192.168.1.2 are the DCs.
    > - 192.168.1.26 is an SQL server.
    > - 192.168.1.{10,11,25} have been removed from the network long
    > ago. They used to be an Exchange server, OWA and an SQL application.
    > - 192.168.100.123 is obtained through DHCP, and the computer is not
    > logged on to the DC.
    >
    > I would like to know:
    > - What can those packets be? Which type of NetBIOS datagrams? (Keep in
    > mind that they are unicast)
    > - What application/configuration of windows can cause those packets to
    > be sent?
    >
    > Thank you in advance.
    >
    > Regards,
    >
    > Jorge


    Try downloading a packet sniffer such as Wireshark -
    http://www.wireshark.org/

    At first glance of this output, I would have thought nothing of it, but
    on closer inspection, it looks more like the output of a port scan.

    Since the destination ports are all the same - 138 - then it is clearly
    gathering NetBIOS information.

    Also, looking at the source ports (1765, 1766, 1767, 1768, 1769 and
    1770), we can see that each packet was sent consecutively.

    Most suspect, though, is that packets were sent *mostly* in order of
    lowest IP address (192.168.1.1) to the highest (192.168.1.25).

    There is nothing built in to Windows that would cause this sort of
    packet sending.

    P.S. The fact that the packet-sending PC is not logged in to the DC is
    irrelevant.

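    As an added example (not code from either poster), the script below
    applies the reply's three heuristics to firewall lines in the format
    Jorge posted: a single destination port, consecutive source ports, and
    destinations mostly in ascending address order. It also flags
    destinations that are known to be decommissioned, since traffic to
    addresses that no longer exist is a strong sign of a scripted sweep or
    a stale host list rather than a normal client session. The log line
    format, the `min_hosts` threshold and the decommissioned-host set are
    assumptions taken from the thread, not properties of any particular
    firewall.

```python
import re
from collections import defaultdict

# Constructed sample: the six firewall entries quoted in the thread, in the
# assumed format "src:sport -> dst:dport PROTO verdict".
SAMPLE_LOG = """\
192.168.100.123:1765 -> 192.168.1.1:138 UDP allowed
192.168.100.123:1766 -> 192.168.1.2:138 UDP allowed
192.168.100.123:1767 -> 192.168.1.10:138 UDP allowed
192.168.100.123:1768 -> 192.168.1.11:138 UDP allowed
192.168.100.123:1769 -> 192.168.1.26:138 UDP allowed
192.168.100.123:1770 -> 192.168.1.25:138 UDP allowed
"""

# Constructed contrast sample: one client talking to the two DCs only, with
# non-consecutive source ports, which should not be reported as a sweep.
NORMAL_LOG = """\
192.168.100.50:1033 -> 192.168.1.1:138 UDP allowed
192.168.100.50:1041 -> 192.168.1.2:138 UDP allowed
"""

# Hosts the original poster says were removed from the network long ago.
DECOMMISSIONED = {"192.168.1.10", "192.168.1.11", "192.168.1.25"}

LINE_RE = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s+(?P<proto>\w+)\s+(?P<verdict>\w+)$"
)


def parse_log(text):
    """Parse firewall lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "proto": m["proto"].upper(), "verdict": m["verdict"],
        })
    return entries


def ip_key(ip):
    """Sort key so that 192.168.1.2 orders before 192.168.1.10."""
    return tuple(int(octet) for octet in ip.split("."))


def find_sweeps(entries, decommissioned=frozenset(), min_hosts=3):
    """Group by (src, proto, dport) in log order and score each group.

    A group is reported when one source hits at least `min_hosts` distinct
    destinations on the same port. The report records whether the source
    ports were strictly consecutive, whether at least three quarters of the
    destination transitions were in ascending address order, and which
    destinations are on the decommissioned list.
    """
    groups = defaultdict(list)
    for e in entries:
        groups[(e["src"], e["proto"], e["dport"])].append(e)

    findings = []
    for (src, proto, dport), es in groups.items():
        dsts = [e["dst"] for e in es]
        if len(set(dsts)) < min_hosts:
            continue
        sports = [e["sport"] for e in es]
        consecutive = all(b - a == 1 for a, b in zip(sports, sports[1:]))
        keys = [ip_key(d) for d in dsts]
        ascending = sum(1 for a, b in zip(keys, keys[1:]) if b > a)
        mostly_ascending = ascending >= 0.75 * (len(keys) - 1)
        dead = sorted(set(dsts) & set(decommissioned), key=ip_key)
        findings.append({
            "src": src, "proto": proto, "dport": dport,
            "hosts": len(set(dsts)),
            "consecutive_source_ports": consecutive,
            "mostly_ascending": mostly_ascending,
            "dead_targets": dead,
        })
    return findings


if __name__ == "__main__":
    for f in find_sweeps(parse_log(SAMPLE_LOG), DECOMMISSIONED):
        print(f)
    print("normal traffic findings:", find_sweeps(parse_log(NORMAL_LOG), DECOMMISSIONED))
```

    The heuristics are only a triage signal: a positive result says "look at
    this source", and the next step is exactly what the reply suggests, a
    packet capture on the client or a span port so the datagram contents can
    be read.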