[ipv6hackers] Scanning for IPv6 addresses embedding TCP/UDP service ports

Jim Small jim.small at cdw.com
Sun Mar 17 21:44:02 CET 2013 

Hi Fabian,

> On 17.03.2013 18:53, Jim Small wrote:
> > One more goof I made:
> >> In regards to port 137, I'm pretty sure it only runs on UDP for name service
> >> resolution.  But of course there may be exceptions.  Here is my
> recollection
> >> of the legacy NetBIOS ports/services:
> >> UDP/137 - WINS or NetBIOS Name Server
> >> UDP/138 - NetBIOS datagram service
> >> TCP/139 - NetBIOS session service
> >
> > Looking at this in context it doesn't make any sense to look
> > for NetBIOS services in IPv6.  NetBIOS is an IPv4-only
> > protocol that Microsoft has been trying to phase out for
> > years.  There are no plans to extend it to IPv6 - IPv4 is the
> > end of the road.  So scanning for it with v6 tools doesn't
> > make sense.
> 
> Interesting, my Samba 3.6.12 installation on FreeBSD is also
> listening on IPv6 for TCP/139 and TCP/145:
> 
> fabian at superman:~ $ netstat -an | egrep "139|445"
> tcp4       0      0 *.139            *.*               LISTEN
> tcp4       0      0 *.445            *.*               LISTEN
> tcp6       0      0 *.139            *.*               LISTEN
> tcp6       0      0 *.445            *.*               LISTEN
> fabian at superman:~ $
> 
> But for the UDP/137 and UDP/138 ports it is only listening on IPv4.

No kidding.  OK - you got me curious.  So NetBIOS was created to work over IBM networks.  IBM, Novell, and Microsoft extended it to work over various networking types (See Wikipedia articles).  The big limitation with NetBIOS is it was designed for a small flat network.  Its name space is limited to 16 characters plus a scope identifier and that's it.  With the massive hierarchical networks of today you can see why Microsoft wants to get away from it.  So it looks like it was defined in RFCs 1001/1002.  In RFC 1002 it is clearly an IPv4 only protocol.  The name records are only designed for 32bit IPv4 addresses and are not compatible with IPv6 without redesign.  This means the NetBIOS Name Server (UDP/137) is not capable of working with IPv6.  I don't see an immediate death sentence for the NetBIOS Datagram Service (UDP/138) or the NetBIOS Session Service (TCP/139) in the RFCs.  However, from reading the definitive Microsoft book on IPv6 (Understanding IPv6, 3e), Microsoft considers NetBIOS dead with the release of IPv6.  I hope Mr. Davies doesn't mind if I quote from his book:

"You might still be using NetBIOS applications and WINS, which provides enterprise-wide NetBIOS name registration and resolution. NetBIOS over TCP/IP (NetBT) is defined only for IPv4, not IPv6. Therefore, as you plan for IPv6 predominance on your intranet, you should also plan to deprecate the use of NetBIOS applications and WINS. For example, update or replace your NetBIOS applications to use WinSock or the .NET Framework Class Library.  WINS is also used to contain static records that provide single-label, unqualified name resolution. To replace this functionality for IPv6, use the GlobalNames zone and functionality in the DNS Server service of Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008."

NetBIOS depends on broadcast resolution (which doesn't exist in IPv6) or a NetBIOS Name Server (which doesn't exist in IPv6), so getting it to work would not be easy.  It may be possible to use a static lmhosts file (NetBIOS equivalent of /etc/hosts) but I would be surprised it supports IPv6.  For NetBIOS queries you have to include the target NetBIOS name, so if you can't specify it in the lmhosts file how would it work?  I guess you'd have to try it.  Also, UNC paths can't use IPv6 addresses.  Microsoft had to create a new name space for these to work with IPv6 addresses - the ipv-literal.net space:
\\2001-db8-28-3-f8a-5b31-67b7-6ef.ipv6-literal.net\docs
>From a quick look it appears there may be issues with support for this with Linux/Samba.  Finally according to several presentations on Microsoft's TechNet site, NetBIOS doesn't work over IPv6.  If Microsoft doesn't support it (and I can't believe IBM/Novell are still pushing it), one question would be why try to make it work in IPv6?

So the real question is, just because Samba binds the NetBIOS Session Service to an IPv6 socket, does it actually work?  A really good test would be, does it work on an IPv6 only network?  And if I put on my attacker hat I would suspect that enabling something like the NetBIOS Session Service over IPv6 on a dual stack network is probably opening up some interesting security issues for the person patient enough to figure out how to exploit it.  So maybe it is worth adding to the scan tools after all...

--Jim

More information about the Ipv6hackers mailing list