How an Intruder Using ONLY the TCP/138 Port Can Break into a Windows 2000 Advanced Server That is Functioning


In order to protect sensitive information, it is essential for any system administrator to be fully apprised of the various threats and exploits that might undermine a system's security and efficacy (Moore, 2006). This text examines a particular exploit available on port 138 of a Windows 2000 server machine acting as a domain controller.

Introduction

Microsoft used the successful Windows NT (New Technology) platform to build a new wave of operating systems, most of which were centred on business needs. Windows 2000 emerged as the only successor to Windows NT 4.0 and is the last OS to be branded with the NT designation (Microsoft, 1998). Four editions of Windows 2000 were released: Professional, Server, Advanced Server and Datacentre Server. Windows 2000 was also sold as Advanced Server Limited Edition and Datacentre Server Limited Edition (Microsoft, 2000). Each edition was built to target particular applications in industry, but all editions shared common features, including new innovations such as the Microsoft Management Console and the system administration applications that ship with the OS by default (Miles, 2000). Although the security features of Windows 2000 were upgraded, certain vulnerabilities remained.

Vulnerabilities in Networks

Some IT analysts have compared the security offered by Windows 2000 to an egg. The outside of the egg presents a fortified shell that appears impossible to breach; the inside, however, is fluid and susceptible to breakdown and separation as soon as the outer layer is broken. In this sense, Windows 2000 is somewhat tough to beat from the outside but extremely easy to exploit once the network's DMZ or other perimeter security is breached (Ethical Hacker Network, 2011). The most common way to intrude into networked machines is to scan ports and exploit the vulnerabilities found on them. Often the entire network range is scanned for open as well as closed ports; open ports are the easiest to access. Nearly all contemporary operating systems use the same distribution of ports, although their exact designations may differ, and Windows follows a common port architecture across its various OS releases. Many ports are vulnerable, but the NetBIOS ports are particularly so. They are listed below and discussed further on to delineate their weaknesses (Ethical Hacker Network, 2011).

Port   NetBIOS application
135    NetBIOS
137    NetBIOS – Name Service (NS)
138    NetBIOS – Datagram distribution service (DGM)
139    NetBIOS – Session Service (SSN)

Two major services are typically the first points of impact in an attack: the SMB (Server Message Block) protocol and NetBIOS over TCP/IP. Both services can reveal large amounts of information about the machine and the network in question, so there is a dire need to shield these ports during use, especially on server machines with unpatched OS installations. NetBIOS in particular is highly relevant for network mapping (Boyce, 2006). This investigation is concerned with port 138, which is used for the datagram service, and so it will be looked into in more detail.

Delineating NetBIOS, Datagram and Port 138

NetBIOS is the abbreviation for Network Basic Input and Output System. It is an API (Application Program Interface) that aids the DOS (Disk Operating System) BIOS, adding special functions for LANs (Local Area Networks). NetBIOS was created by IBM
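Every packet on the port 138 datagram service carries the sender's and receiver's NetBIOS names, which is why the text above singles it out for network mapping; the parser below is an added example, not code from the original essay, and decodes the RFC 1002 datagram header and the first-level encoded names from a constructed sample (a workstation sending a group datagram to the domain's <1C> domain-controller group). It assumes a null NetBIOS scope and unfragmented datagrams, and the host names, addresses and payload in build_sample are made up for the demonstration.

```python
import struct

# Datagram service message types (RFC 1002, section 4.4.1)
MSG_TYPES = {0x10: "DIRECT_UNIQUE", 0x11: "DIRECT_GROUP", 0x12: "BROADCAST",
             0x13: "ERROR", 0x14: "QUERY_REQUEST",
             0x15: "POSITIVE_QUERY_RESPONSE", 0x16: "NEGATIVE_QUERY_RESPONSE"}
# Common 16th-byte name suffixes; <1C> is the group name a domain controller registers
SUFFIXES = {0x00: "workstation", 0x03: "messenger", 0x1B: "domain master browser",
            0x1C: "domain controllers", 0x20: "file server"}

def encode_name(name, suffix):
    """First-level encode a null-scope NetBIOS name: pad to 15 chars, add suffix, map nibbles to 'A'..'P'."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    enc = b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)
    return b"\x20" + enc + b"\x00"          # 32-byte label, then the root label

def decode_name(buf, off):
    """Reverse encode_name at buf[off:]; returns (name, suffix, offset after the name)."""
    if buf[off] != 32 or buf[off + 33] != 0:
        raise ValueError("not a null-scope first-level encoded NetBIOS name")
    enc = buf[off + 1:off + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15], off + 34

def parse_datagram(pkt):
    """Parse the 14-byte header plus both names of an unfragmented DIRECT/BROADCAST datagram."""
    msg_type, flags, dgm_id, src_ip, src_port, dgm_len, pkt_off = struct.unpack("!BBH4sHHH", pkt[:14])
    if msg_type not in (0x10, 0x11, 0x12):
        raise ValueError("message type 0x%02x carries no names" % msg_type)
    src_name, src_sfx, off = decode_name(pkt, 14)
    dst_name, dst_sfx, off = decode_name(pkt, off)
    return {
        "msg_type": MSG_TYPES[msg_type],
        "first_fragment": bool(flags & 0x02), "more_fragments": bool(flags & 0x01),
        "dgm_id": dgm_id, "source_ip": ".".join(str(b) for b in src_ip),
        "source_port": src_port, "source_name": src_name,
        "source_suffix": SUFFIXES.get(src_sfx, "0x%02x" % src_sfx),
        "destination_name": dst_name,
        "destination_suffix": SUFFIXES.get(dst_sfx, "0x%02x" % dst_sfx),
        "user_data": pkt[off:14 + dgm_len],   # DGM_LENGTH counts names + user data
    }

def build_sample():
    """Constructed sample (hypothetical names/addresses): workstation -> domain <1C> group."""
    names = encode_name("WORKSTN01", 0x00) + encode_name("CORPDOMAIN", 0x1C)
    data = b"constructed payload"
    hdr = struct.pack("!BBH4sHHH", 0x11, 0x02, 0x1234, bytes([192, 0, 2, 10]),
                      138, len(names) + len(data), 0)
    return hdr + names + data
```

Run over captured port-138 traffic instead of build_sample(), the same decoder shows a defender which machine names and service suffixes hosts advertise on the segment.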