
Intrusion Detection FAQ: Port 137 Scan

Bryce Alexander
May 10, 2000


Summary:

There has been an increase in scanning for port 137 (Netbios SMB service). This has two sources: an increase in awareness among script kiddies of the ability to discover information about a target host using NBTSTAT, and the spread of an Internet worm known as network.vbs.

Background:

Beginning around the first of April, 2000, there has been an increase in the number of port 137 scans reported by contributors to GIAC. At first there was concern that this was the signature of the "911" bat-chode virus/worm; fortunately, that worm was written to scan a small number of network subnets and was contained rapidly.

The increases in port 137 scans were noticed in large numbers on IP segments not included in the subnets targeted by the 911 worm. All use standard Netbios "nbstat" frames, which elicit a node status response from Netbios and SAMBA clients. This response contains a listing of any Netbios names known to that node. A typical trace of this request looks like the following packets, as captured by SNORT.

[**] SMB Name Wildcard [**]
05/10-18:08:05.359797 badguy.com:137 -> goodguy.com:137
UDP TTL:119 TOS:0x0 ID:45361
Len: 58
00 D4 00 00 00 01 00 00 00 00 00 00 20 43 4B 41 ............ CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 AAAAAAAAAAAAA..!
00 01 ..

[**] SMB Name Wildcard [**]
05/10-18:08:06.848941 badguy.com:137 -> goodguy.com:137
UDP TTL:119 TOS:0x0 ID:45617
Len: 58
00 D8 00 00 00 01 00 00 00 00 00 00 20 43 4B 41 ............ CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 AAAAAAAAAAAAA..!
00 01 ..

[**] SMB Name Wildcard [**]
05/10-18:08:08.348991 badguy.com:137 -> goodguy.com:137
UDP TTL:119 TOS:0x0 ID:45873
Len: 58
00 DA 00 00 00 01 00 00 00 00 00 00 20 43 4B 41 ............ CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 AAAAAAAAAAAAA..!
00 01 ..


A decode of the Netbios data in the first packet reveals the following:
  • Bytes 0 & 1: Xid. Value: 00 D4 (this value increments with each new query).
  • Bytes 2 & 3: Opcode, NMflags & Rcode. Value: 00 10 = request, query, broadcast/multicast.
  • Bytes 4 & 5: QDcount (number of name queries in the packet). Value: 00 01 = 1 name query.
  • Bytes 6 to 11: ANcount, NScount, ARcount. Value: 00 00 00 00 00 00 = not used in this frame.
  • Byte 12: Size of the name field. Value: 0x20 = decimal 32 (the next 32 bytes are used for the name).
  • Bytes 13 to 45: Name field. Value: 43 4B 41 41 41... (etc.). This is the ASCII string CKAAAAA... in the packet. It is a mangled name, produced by splitting the hex value of each character into two parts (nibbles) and then adding 0x41 to each nibble. In this packet the name is an asterisk "*" followed by nulls. The hex value of * is 2A; splitting it and adding 0x41 to each half gives (2+41=43) and (A+41=4B), and the ASCII values of these two results are "CK". The remaining nulls, with 41 added, stay 41, or "A".
  • Byte 46: Null field delimiter.
  • Bytes 47 & 48: Question_type. Value: 00 21 = Node Status request (nbstat).
  • Bytes 49 & 50: Question Class. Value: 00 01 = Internet Class.
This particular trace was crafted by using the Windows command: NBTSTAT -A (Target IP Address)
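The decode above can be checked mechanically. The following Python is an added example written for this FAQ entry, not code from the original article or from SNORT: it rebuilds the 50-byte UDP payload of the first packet in the trace (the SNORT "Len: 58" includes the 8-byte UDP header), parses the Netbios name service header, reverses the nibble-plus-0x41 name mangling, and flags the condition behind the "SMB Name Wildcard" alert, namely a node status (0x21) question for the wildcard name "*". The field layout follows RFC 1002; the sample bytes are constructed from the hex dump shown above, and the function names are this example's own.

```python
import struct

NBSTAT_QTYPE = 0x0021   # question type "NBSTAT" (node status) in RFC 1002
QCLASS_IN = 0x0001      # Internet class

# Constructed sample: the 50-byte payload of the first "SMB Name Wildcard" packet above.
ENCODED_WILDCARD = b"CK" + b"A" * 30   # first-level encoding of "*" followed by 15 NUL bytes
SAMPLE_NBSTAT_REQUEST = (
    bytes.fromhex("00d4 0000 0001 0000 0000 0000")  # xid 0x00D4, flags 0, QDCOUNT 1, rest 0
    + bytes([0x20]) + ENCODED_WILDCARD + b"\x00"    # length 32, encoded name, label terminator
    + bytes.fromhex("0021 0001")                    # QTYPE NBSTAT, QCLASS IN
)


def first_level_encode(name: str, suffix: int = 0x00) -> bytes:
    """Mangle a 15-character NetBIOS name plus one suffix byte the way the trace
    shows: split every byte into two nibbles and add 0x41 ('A') to each nibble.
    The wildcard request in the trace pads with NULs, so NUL padding is used here."""
    raw = name.encode("ascii").ljust(15, b"\x00")[:15] + bytes([suffix & 0xFF])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))      # high nibble -> 'A'..'P'
        out.append(0x41 + (b & 0x0F))    # low nibble  -> 'A'..'P'
    return bytes(out)


def first_level_decode(encoded: bytes) -> bytes:
    """Reverse first_level_encode: 32 bytes in the range 'A'..'P' -> 16 raw bytes."""
    if len(encoded) != 32:
        raise ValueError("first-level encoded name must be exactly 32 bytes")
    out = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        hi, lo = hi - 0x41, lo - 0x41
        if not (0 <= hi <= 0x0F and 0 <= lo <= 0x0F):
            raise ValueError("encoded name bytes must be in the range 'A'..'P'")
        out.append((hi << 4) | lo)
    return bytes(out)


def parse_nbns_query(payload: bytes) -> dict:
    """Parse the 12-byte NBNS header and the single question that follows it."""
    if len(payload) < 12:
        raise ValueError("payload shorter than the 12-byte NBNS header")
    xid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", payload[:12])
    name_len = payload[12]
    # A first-level encoded name is always 32 bytes; then NUL, QTYPE (2), QCLASS (2).
    if name_len != 32 or len(payload) < 13 + name_len + 5:
        raise ValueError("malformed question section")
    encoded = payload[13:13 + name_len]
    if payload[13 + name_len] != 0:
        raise ValueError("missing label terminator after the encoded name")
    qtype, qclass = struct.unpack("!HH", payload[14 + name_len:18 + name_len])
    raw = first_level_decode(encoded)
    return {
        "xid": xid,
        "is_response": bool(flags & 0x8000),   # R bit
        "opcode": (flags >> 11) & 0x0F,        # 0 = query
        "broadcast": bool(flags & 0x0010),     # B bit of NM_FLAGS
        "rcode": flags & 0x000F,
        "qdcount": qdcount, "ancount": ancount, "nscount": nscount, "arcount": arcount,
        "name": raw[:15].rstrip(b"\x00 ").decode("ascii", errors="replace"),
        "suffix": raw[15],                     # 16th byte: NetBIOS name type/suffix
        "qtype": qtype,
        "qclass": qclass,
    }


def is_wildcard_node_status_probe(query: dict) -> bool:
    """The condition behind the SNORT 'SMB Name Wildcard' alert shown above:
    a node status (NBSTAT) request for the wildcard name '*' rather than a host."""
    return (not query["is_response"]) and query["qtype"] == NBSTAT_QTYPE and query["name"] == "*"


if __name__ == "__main__":
    q = parse_nbns_query(SAMPLE_NBSTAT_REQUEST)
    print(q)
    print("wildcard node status probe:", is_wildcard_node_status_probe(q))
```

Feeding the payload of any of the three packets above to parse_nbns_query gives the same result apart from the incrementing xid (00 D4, 00 D8, 00 DA), which is what makes the three alerts one scan rather than three unrelated queries.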

Conclusions:

So why the sudden upsurge in scans across the entire network? Certainly the script kiddies have known of this command for some time and have used it for network enumeration.

The answer appears to be twofold. First, there has been recent discussion on the newsgroup alt.hackers.malicious about Netbios over IP. One regular in particular (LocoHost) has posted the applicable RFC (RFC1002) and commentary on possible exploits of Netbios. Some of these posts discussed using the NBTSTAT command to learn any names associated with a target. This tends to popularize the technique, as people who follow the group try it on their own and discuss their discoveries on IRC channels. The second reason appears to be a recent Internet worm known as network.vbs and its derivatives (see: http://www.cert.org/incident_notes/IN-2000-02.html ).

A network trace of the network.vbs worm can be found at: http://www.sans.org/y2k/honeypot_catch.htm

The infection process begins with an nbstat request frame that is indistinguishable from the frames described above. When the nbstat is answered, the worm follows it with a TCP session on port 139 that attempts to connect to a share named "C" that has no password. If successful, the worm then loads itself and other payload files into various subdirectories of the victim, including the startup directory. In most cases this worm is minimally damaging, as its primary purpose has been to replicate itself. Some of the variants have been known to carry other payload files, which may not be as innocent.

A search of newsgroups on Dejanews using the string "network.vbs" elicited over 11,000 matches. A random sampling of these messages indicates that people are discovering this worm on their PCs and are primarily experiencing slow response time, as the PC is busy scanning for other systems to replicate itself to. This is an indication that the worm has been successful in replicating itself to a large number of systems.

An interesting side effect of this worm has been a rather strange pattern that periodically shows up in the scans for port 137. This pattern shows simultaneous scanning from two addresses, one a legitimate address and one a private (RFC1918) address. It is my speculation that this is caused by systems that are providing proxy services on cable modems in order to share a single IP address on a cable modem. The internal (private) address is leaking out onto the network, most likely due to sharing a single ethernet hub for both internal and external interfaces.

Apr 21 00:17:29 myhost snort: SMB Name Wildcard: 192.168.0.1:137 -> my.ip.addr:137
Apr 21 00:17:29 myhost snort: SMB Name Wildcard: 24.28.135.131:137 -> my.ip.addr:137
Apr 21 00:17:31 myhost snort: SMB Name Wildcard: 24.28.135.131:137 -> my.ip.addr:137
Apr 21 00:17:31 myhost snort: SMB Name Wildcard: 192.168.0.1:137 -> my.ip.addr:137

Examination of the packets shows identical TTL values, and the ID fields are close in value, indicating a very high likelihood that both originate from the same host. This is further evidence of a script driving the scanning.
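The paired-source pattern is easy to pull out of the syslog stream automatically. The Python below is an added example for this FAQ entry, not code from the original article or from SNORT: it parses SNORT syslog alerts in the format quoted above, pairs each alert from an RFC1918 source with an alert from a public source that hit the same destination within a two-second window, and counts how often each (private, public) pair recurs. The sample log is constructed from the four lines above plus one unpaired public-source line added here to show a non-match; the function names and the two-second window are this example's own choices (the TTL and IP ID comparison needs packet headers, which the syslog summary does not carry, so it is not attempted here).

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the four SNORT syslog lines quoted above plus one extra,
# made-up public-source line at 00:25:02 that has no private-source partner.
SAMPLE_SYSLOG = """\
Apr 21 00:17:29 myhost snort: SMB Name Wildcard: 192.168.0.1:137 -> my.ip.addr:137
Apr 21 00:17:29 myhost snort: SMB Name Wildcard: 24.28.135.131:137 -> my.ip.addr:137
Apr 21 00:17:31 myhost snort: SMB Name Wildcard: 24.28.135.131:137 -> my.ip.addr:137
Apr 21 00:17:31 myhost snort: SMB Name Wildcard: 192.168.0.1:137 -> my.ip.addr:137
Apr 21 00:25:02 myhost snort: SMB Name Wildcard: 24.28.135.131:137 -> my.ip.addr:137
"""

# syslog timestamp, host, "snort:", alert name, src:port -> dst:port
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ snort: "
    r"SMB Name Wildcard: (?P<src>[\d.]+):\d+ -> (?P<dst>\S+):\d+$"
)


def parse_alert(line: str):
    """Return (timestamp, source address, destination string) or None if the line
    is not an SMB Name Wildcard alert in the quoted format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults it to 1900, which is
    # fine for computing differences between lines of one log
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, ipaddress.ip_address(m["src"]), m["dst"]


def find_leaked_private_sources(log_text: str, window_seconds: int = 2) -> Counter:
    """Pair each alert from an RFC1918 source with the nearest alert from a public
    source that targeted the same destination within window_seconds. The result
    counts (private_src, public_src) pairs; a pair that recurs is the leaking
    internal address of a shared-connection host described above."""
    events = [e for e in map(parse_alert, log_text.splitlines()) if e is not None]
    public = [e for e in events if not e[1].is_private]
    pairs = Counter()
    for ts, src, dst in events:
        if not src.is_private:
            continue
        best = None  # (seconds apart, public source)
        for pts, psrc, pdst in public:
            if pdst != dst:
                continue
            delta = abs((pts - ts).total_seconds())
            if delta <= window_seconds and (best is None or delta < best[0]):
                best = (delta, psrc)
        if best is not None:
            pairs[(str(src), str(best[1]))] += 1
    return pairs


if __name__ == "__main__":
    for (private_src, public_src), n in find_leaked_private_sources(SAMPLE_SYSLOG).items():
        print(f"{private_src} appears alongside {public_src} in {n} alert(s)")
```

On the sample above this reports 192.168.0.1 alongside 24.28.135.131 twice, and the lone 00:25:02 alert contributes nothing; on a real log, the same recurring pair across many scans is what distinguishes a leaking proxy host from two unrelated scanners that happened to coincide.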

Sources:

Detects are from my own network.
Newsgroup discussions from Dejanews search engine www.deja.com .
http://www.cert.org/incident_notes/IN-2000-02.html
http://www.sans.org/y2k/honeypot_catch.htm
RFC1002
