I need some help from a SMB/NetBIOS over TCP guru. I have a firewall
that is logging ALL traffic from one network (192.168.100.0/24) of
Windows workstations (Windows XP and Vista) to a network
(192.168.1.0/24) of Windows servers.
I see a repetitive pattern of entries in the firewall such as this:
192.168.100.123:1765 -> 192.168.1.1:138 UDP allowed
192.168.100.123:1766 -> 192.168.1.2:138 UDP allowed
192.168.100.123:1767 -> 192.168.1.10:138 UDP allowed
192.168.100.123:1768 -> 192.168.1.11:138 UDP allowed
192.168.100.123:1769 -> 192.168.1.26:138 UDP allowed
192.168.100.123:1770 -> 192.168.1.25:138 UDP allowed
But I cannot see the contents of those packets.
Some additional data:
- 192.168.1.1 and 192.168.1.2 are the DCs.
- 192.168.1.26 is an SQL server.
- 192.168.1.{10,11,25} have been removed from the network long
ago. They used to be an Exchange server, OWA and an SQL application.
- 192.168.100.123 is obtained through DHCP, and the computer is not
logged on to the DC.
I would like to know:
- What can those packets be? Which type of NetBIOS datagrams? (Keep in
mind that they are unicast)
- What application/configuration of windows can cause those packets to
be sent?
Thank you in advance.
Regards,
Jorge
Try downloading a packet sniffer such as Wireshark -
http://www.wireshark.org/
At first glance of this output, I would have thought nothing of it, but
on closer inspection, it looks more like the output of a port scan.
Since the destination ports are all the same (138), it is clearly
gathering NetBIOS information.
Also, looking at the source ports (1765, 1766, 1767, 1768, 1769 and
1770), we can see that each packet was sent consecutively.
Most suspect, though, is that packets were sent *mostly* in order of
lowest IP address (192.168.1.1) to the highest (192.168.1.25).
There is nothing built into Windows that would cause this sort of
packet sending.
P.S. The fact that the packet-sending PC is not logged in to the DC is
irrelevant.
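The reply above reasons from three features of the log: every destination port is 138, the source ports increment by one, and the targets are visited in (mostly) ascending address order, several of them being hosts that no longer exist. The following is an added example, written by the editor and not posted by either participant, that turns that triage into a small script an analyst can run over firewall log lines in the format shown in the thread. The log format, the `min_hosts` threshold and the two extra TCP lines in the sample are assumptions constructed for the example; the six UDP lines are the ones from the original post, and the decommissioned-host list is the one Jorge gave.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Assumed log format: "<src>:<sport> -> <dst>:<dport> <PROTO> <action>", as in the post.
LINE_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+(?P<proto>\w+)\s+(?P<action>\w+)$"
)

# Constructed sample log: the six lines from the post plus two unrelated SMB/445 lines
# so the grouping step has something to ignore.
SAMPLE_LOG = """\
192.168.100.123:1765 -> 192.168.1.1:138 UDP allowed
192.168.100.123:1766 -> 192.168.1.2:138 UDP allowed
192.168.100.123:1767 -> 192.168.1.10:138 UDP allowed
192.168.100.123:1768 -> 192.168.1.11:138 UDP allowed
192.168.100.123:1769 -> 192.168.1.26:138 UDP allowed
192.168.100.123:1770 -> 192.168.1.25:138 UDP allowed
192.168.100.50:3401 -> 192.168.1.1:445 TCP allowed
192.168.100.50:3402 -> 192.168.1.1:445 TCP allowed
"""

# Hosts the poster says were removed from the network long ago.
DECOMMISSIONED = {"192.168.1.10", "192.168.1.11", "192.168.1.25"}


def parse_line(line):
    """Parse one firewall log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"src": d["src"], "sport": int(d["sport"]), "dst": d["dst"],
            "dport": int(d["dport"]), "proto": d["proto"].upper(), "action": d["action"]}


def find_sweeps(log_text, min_hosts=4, decommissioned=frozenset(DECOMMISSIONED)):
    """Flag (source, protocol, destination port) flows that touch many distinct hosts.

    For each flagged flow, report whether the source ports are strictly consecutive
    (one socket per target, sent back to back), what fraction of successive targets
    are in ascending address order, and which targets are decommissioned hosts.
    """
    flows = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            flows[(rec["src"], rec["proto"], rec["dport"])].append(rec)

    findings = []
    for (src, proto, dport), recs in flows.items():
        dsts = [r["dst"] for r in recs]
        distinct = len(set(dsts))
        if distinct < min_hosts:
            continue  # single-host chatter (e.g. repeated SMB to one server) is not a sweep
        sports = [r["sport"] for r in recs]
        consecutive = all(b - a == 1 for a, b in zip(sports, sports[1:]))
        keys = [int(ip_address(d)) for d in dsts]
        ascending_pairs = sum(1 for a, b in zip(keys, keys[1:]) if b > a)
        ascending_ratio = ascending_pairs / max(len(keys) - 1, 1)
        stale = [d for d in dict.fromkeys(dsts) if d in decommissioned]
        findings.append({
            "src": src, "proto": proto, "dport": dport,
            "distinct_hosts": distinct,
            "consecutive_source_ports": consecutive,
            "ascending_ratio": ascending_ratio,
            "stale_targets": stale,
        })
    return findings


if __name__ == "__main__":
    for f in find_sweeps(SAMPLE_LOG):
        print(f"{f['src']} -> {f['distinct_hosts']} hosts on {f['proto']}/{f['dport']}: "
              f"consecutive sports={f['consecutive_source_ports']}, "
              f"ascending={f['ascending_ratio']:.2f}, stale targets={f['stale_targets']}")
```

The script only ranks flows worth a closer look; it cannot say what is inside the datagrams, which is why the reply's advice to capture the flagged flow with a packet sniffer still applies. Traffic to decommissioned addresses is reported separately because it usually points at a stale configuration or cached name on the sending host rather than at a live service.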