[ipv6hackers] Scanning for IPv6 addresses embedding TCP/UDP service ports

Fabian Wenk fabian at wenks.ch
Tue Mar 26 13:59:23 CET 2013

Hello Jim

On 17.03.2013 23:34, Jim Small wrote:
>> On 17.03.2013 21:44, Jim Small wrote:

> Sorry, I should have been more specific.  Assuming Samba is
> emulating Windows (which was the original idea), I can confirm
> that TCP/445 is direct hosting of SMB/CIFS over TCP.  It
> doesn't use NetBIOS.  To use NetBIOS you use the session
> service which runs over TCP/139.

> So I'm curious if it's possible to do an SMB connection via
> TCP/139 over IPv6.  If it doesn't work you could see if you
> could get it to work with a static entry in an lmhosts files.
> In Windows this is %windir%\system32\drivers\etc\lmhosts where
> %windir% is often C:\Windows.  For Samba lmhosts is in the
> config directory - depends on the setup.  See lmhosts(5) man
> page.

According to the lmhosts(5) manpage it requires "IP Address - in 
dotted decimal format.", and also the examples are only with 
IPv4. I did test anyway, but it failed:

fabian at superman:~ $ cat /usr/local/etc/samba/lmhosts
2001:8a8:1005:1::3	SIXTEST
fabian at superman:~ $ smbclient //SIXTEST/download -U fabian
Enter fabian's password:
Connection to SIXTEST failed (Error NT_STATUS_BAD_NETWORK_NAME)
fabian at superman:~ $

I do not have any useful Windows system available, so I can not 
do any further testing against Samba.

> However, the fact that Samba listens on both v4/v6 for TCP/139
> could be a vulnerability since NetBIOS is not designed to work
> over IPv6.  That said, what are the odds of someone making an
> address with the NetBIOS session service (TCP/139) embedded in
> the address?

It would probably be the best, to just firewall the TCP/139 on 
IPv6. Even the smb.conf(5) manpage is quite low on information 
regarding IPv6, I see only this two parts, all other examples an 
options just mention IPv4 addresses:

        the IP address of the client machine.

        Before 3.6.0 it could contain IPv4 mapped IPv6 addresses,
        now it only contains IPv4 or IPv6 addresses.

        the local IP address to which a client connected.

        Before 3.6.0 it could contain IPv4 mapped IPv6 addresses,
        now it only contains IPv4 or IPv6 addresses.


More information about the Ipv6hackers mailing list