Exploitable NetBIOS Vulnerability


Re: Exploitable NetBIOS Vulnerability

Great suggestions, which I will try. Thank you!


Re: Exploitable NetBIOS Vulnerability

I'll be exploring this most of tomorrow I think and I'll update if I find some sort of solution.

Re: Exploitable NetBIOS Vulnerability

The problem @stu593 is, we as customers, have no way to tell what we are doing works until we get another email from Rogers. What one tech told me today was, when you call in, you have to ask for the timestamp of the scan that generated the email -- because the scan could have happened before we apply these "possible" solutions.

 

Rogers needs to give the customers more specific information if we are to resolve the issue -- especially if we scan the ports and see that they are closed. So, what is Rogers complaining about then?


Re: Exploitable NetBIOS Vulnerability

I THINK THAT I HAVE A SOLUTION … MAYBE 

 

CAVEAT: I will know if this actually worked or not within the next couple of weeks - assuming that "not hearing" anything from Rogers by that time means that I "passed" their network security test.

 

My process is basically a system of elimination, with testing of all my devices (16) individually for port problems. There were several surprises in this voyage of discovery. Here is my process, which I have replicated here for those of you interested. Note: Some of you are quite advanced and will likely find this too detailed, but several people are not that familiar with some of these processes and I wanted to provide a bit of helpful guidance. I certainly found several problems which I managed to correct along the way and which have given me complete stealth (at least on the ShieldsUP site) on the most common ports of 1 to 1055 (ShieldsUP explains why they add some extra ports to come up with this number).

 

  1. Secure one of your computers for testing without a router (in my case a MacBook Pro with firewall activated, all Apple updates installed etc. - this was my “test” computer). If you are using Windows, please don’t use Win7 to do this - use a more current version. I use Sophos Home Premium as my security suite (I am not recommending this package - there are problems with it from my perspective - but it is what I am using currently). Why do I suggest this step? Because you will need to test your router to see if it is the problem, or if it is something else. For what it’s worth, I plan on replicating this process using Windows 10 on a desktop PC at a later time. In the interim, maybe someone could provide feedback on section 6.4 below?
  2. Disconnect your home network from the internet. Turn off the wifi on your test computer and plug in a network cable between your Rogers modem/router and your test computer. Remove any additional network cables connected to your Rogers modem/router - you only want your "test computer" linked to the Rogers modem/router.
  3. Put your Rogers modem/router into bridge mode, if it is not already (see here on how to do this: https://www.rogers.com/customer/support/article/bridgemode-coda4582). This disables the router component in the Rogers modem/router, and allows you now to directly access the internet, without a router. If you have not secured your test computer ahead of time, you will likely regret this - just saying. You want to have all the Windows or Apple updates in place; a security suite running (not just AV, but also malware etc.); and the goal is to access a small number of web pages (i.e. “safe” router test sites, not some random dude’s site that may not be legit). The main site I used, that is considered by most as reputable, is ShieldsUp (it does have its detractors) here: https://www.grc.com/x/ne.dll?bh0bkyd2 . You don’t want to start surfing the internet at this point in time, with this suggested setup. Another site that I found useful, as it had gathered a plethora of links for testing in one page is here: https://routersecurity.org/testrouter.php. The author even has your current IP address linked into various test sites on his site.
  4. If you do not know your IP address or how to find it, do a Google search for "what is my ip" and Google will list your current IP address at the very top of the page, in a nice box that says "Your public IP address". You'll need to know this as many test sites will prompt you to enter your IP address. ShieldsUP will also tell you your IP address, note it on a piece of paper for future reference (I collected all my results and added the IP to each test result so that I would not get mixed up in my results). 
  5. Go to the ShieldsUp website. The first thing that you will notice is that your IP address has changed since you disconnected our router - this is normal, as Rogers sees your test computer as a new connection point into their network and assigns you a dynamic IP address. If you are actually paying Rogers for a static IP address, then the rest of these instructions may not apply (can anyone confirm this who has a static IP address?)
  6. At the ShieldsUp website do the following:
    1. Do the UPnP test (big orange button) - you should come back with a pass (all green), since you are not using a router  (do this test as some routers apparently still come with UPNP “on” by default - you can read all about the test results on the test page)
  7. Still on the ShieldsUP website, run the various file and port tests etc, but make sure to do this test: "All Service Ports" - depending on your OS, some ports will come back open. For me, here are the results that I got:
      1. Port 88 is open (Kerberos - Ticket System – part of Apple OS)
      2. Port 548 is open (AFPOVERTCP – part of Apple's AFP network protocol, is OK)
      3. Interesting discovery : ports 135 and 445 are “stealthed” by Rogers directly (no surprise really, both are major security holes for which an ISP would want to protect its customers from). So, in a way, you probably don’t need to block both those 2 specific ports within a Windows firewall for example, but I would go ahead and block ports 135-139 and 445 within all your Windows PCs, as those ports are very problematic when it comes to securing your devices.
      4. Q. What ports show up on Windows 8 and 10 PCs? Anyone care to test? I’ll check on my end eventually, but in the interim, if someone could provide this?
  8. Via ShieldsUP, test specifically the port(s) that Rogers has identified as problematic - for me, the email from them identified my problem port as 137 - my results using the test computer came back as all stealthed, perfect! Note: I was not however getting the same results when testing earlier with the Synology router in place (that is, prior to starting this suggested process) - port 137 was listed as "closed" (blue on the nice graphical interface of your test results from ShieldsUP) and not "stealthed" (green). I thought that being "closed" was OK, until I got a second warning from Rogers for that very port which was listed as "closed" by ShieldsUP. By deduction, it looks like all your results from ShieldsUP need to come back as "stealthed", or you will get another warning from Rogers eventually. 
  9. I then tested my test computer via a second test site that I discovered - one that seems to give similar results to what Rogers reports to you in your warning letter. Maybe it's even the site that Rogers uses for its testing (this is an educated guess, deduced from looking at the various results that came back from about a dozen different sites that test for port status - however, I could be totally wrong! ... but I got consistent results throughout this process)? I'll be reaching out to some of the Rogers resident experts for their opinions before I say anything else about this site. At any rate, I got a message that my IP address was not found - perfect! BUT … The problem with the second test site results is that I seem to be getting the results from someone else's IP before it was assigned to me, as the test results are dated from about 6 days ago. Is this why Rogers techs cannot confirm that a customer who worked on their issue has effectively "passed" the Rogers security test? Maybe … but I could be very wrong also - maybe Rogers developed its own in-house test.
  10. So, now I know what the Mac notebook ShieldsUP results are, and the test results from that second site (when I went back and tested the next day, I got results that were only about 15 minutes old - and those are the results that I have relied upon since they are very likely mine, given that the IP address was still the same) - and I can now proceed to the next step (I made sure to take lots of notes on the results and printed these out - I found this helpful and it avoided me getting confused with the many test results that I generated).
  11. I then re-connected the Synology router to the Rogers modem/router (still in bridge mode), and as expected, Rogers assigns a new IP address… and …  ShieldsUp reports port 137 closed, but not stealthed. Uh oh, not good!  As noted a bit earlier, this is a problem as I already got a second notice from Rogers identical to the first, a bit earlier this week. So, either something isn’t setup right with the router, or the router cannot actually stealth its closed ports (this was confirmed in later research).
  12. I then removed the cable connecting to the Synology modem since it is a problem (and to avoid a possible 3rd negative test and warning email by Rogers since I don't have a clue when the next test will be done - could be that very day) and proceeded with further testing of my other devices by adding them individually to my home network (which I am glad I did BTW, as you will read a bit later).
  13. Based on those results for the Synology router, I took the Rogers modem/router out of bridge mode (by doing a factory reset) and set up a wifi network. Of course, the original reason why I put the Synology router into place was because the Coda router has lousy Wifi signal in my residence (and I now had the very same issue again). I tested the Rogers modem/router via ShieldsUP and everything came back stealthed. Perfect! I then tested with that second site (that I suspect Rogers uses possibly for testing) and the site reported that my IP address couldn't be found. Perfect (For that 2nd testing site: I can only assume that if a site or IP address cannot be read, then it sends back a "not found" message which suggests that the IP is likely stealthed. If however a site can be read, this 2nd testing site appears to offer up the most recent report it has on file, and not the immediate test result, as some of those tests came back with dates from 2 to 6 days ago and some were from earlier today - this is just speculation on my part though, but the information offered on this 2nd site seems to corroborate this).
  14. I then set up the Synology router behind the Coda router to give access to the internet to my other devices. As expected, as the Synology is now behind the Rogers router, all my tests came back as stealthed or no IP detected.
  15. Added back to the home network an Apple AirPort Extreme (an old router I keep to extend the range of the Synology) and … what … port 135 is no longer reported as stealthed by ShieldsUP! How is this possible given that Rogers appears to already stealth this port for its customers? And that anything behind a main router (the Rogers Coda) is supposed to be opaque to outside probes? I test using the second test site and no IP address can be found. This is weird, so I retest with ShieldsUP and the test results have changed - ShieldsUP reports that all ports are stealthed. What???
  16. I then tested an Airport Express hooked into my home theatre and sound system - and I get exactly the same results as with the Apple Extreme - port 135 is closed, but not stealthed. How is this possible? I redo the test and the results now show all ports are now stealthed and IP address not found by that second site. A wild guess here, somehow Rogers manages to stealth that port on the second try? I shouldn't be concerned I guess, as the Rogers warning was for port 137 and not port 135 (at least, I hope not).
  17. I then added in the remaining PCs and an older Mac to the home network (all with firewalls activated, ports 135-139 + 445 blocked) - all ports stealthed and IP address still hidden, except for those connected to the Apple Extreme router (same results as in item 15).
  18. Added tablet and smartphone devices -  all ports remain stealthed and IP address still hidden. Ran Fing (app for smartphone - I really like this app) to check for open ports on all devices. All good.
  19. I don’t have time to figure out what is happening with those older Apple Routers - so I pulled them and replaced these with the Synology router and an extra switch box (ran out of ports on the Synology router) - I am assuming that all ports will remain stealthed and IP address still hidden. Confirmed by the test results.
  20. I decided NOT to test my NAS on the network, which is still being setup and well, because it is a Synology NAS and now I am quite leery of it - given my experience with the Synology router that is supposed to be locked down, but actually isn't (it's pretty buggy and many of the bugs I found were confirmed by others in 2 different Synology forums). What a waste of time, money and effort it feels like. 
  21. I decide to purchase a new router, which I expect to arrive in the next couple of days. I’ll put the Rogers modem/router at that time back into bridge mode and test that new router.
  22. I then wait and, if I hear nothing from Rogers in the next couple of weeks, I will assume then that I am in the clear. I will continue to monitor my network with that second site that I think Rogers may be using to test its network, and will update this page should my test results change. If I do not hear back from Rogers (I sure wish someone at Rogers could confirm at least, instead of waiting on pins and needles), in other words I have "passed", then even if that second site is not the correct one (maybe Rogers built its own test), that 2nd site would logically still serve as a secondary reference point for your own testing.

 Notes:

  1. Remember - You want the rest of your home network totally isolated from your test computer during this suggested process of elimination (For my home network, I left those old Apple routers in place as extenders for my home network. I left these running, so that I could do some printing on a report that I was working on, but the entire network was separated from the internet.). Since they were sitting behind my Synology router, and the Synology router was disconnected from the Rogers modem/router, I could continue running a local network, but without internet access. Wifi was not running at this point.
  2. Synology router fail: I have to say that having spent many hours reading and fine-tuning the Synology router, I have not been able to secure it. I thought that I had done a decent job when I first got it and I relied on some very well done YouTube sites that had a series of lessons set up to walk you through the various functions and security settings. I spent hours watching and learning from those videos. What I can conclude is that Synology simply has some weird ways of doing things (based on their unique SRM), especially the process for blocking ports - and even when you dig in and change settings, the built-in security advisor wizard tells you that you are still not secure, despite following the advisor's instructions to the letter. So, you repeat the instructions, reboot (just in case) and … you get the same error messages. For me, this is a fail, as it tells me that I cannot trust this router. There are a lot of glowing statements about the security of the Synology router, but in my many hours spent trying to secure it, I found that many setup default settings were simply wrong or not activated (yikes) or really hard to find - if you trusted the defaults, then you would be living with a very insecure router (firewall on is not a default setting, for example - this is another fail IMHO). With respect to port 137, checking with support and with other users, I discovered that all that router can do is block incoming and outbound port connects for ports 135-139 for example (those are problematic ports for security) but you cannot actually hide the port (i.e. when it is blocked via the Synology firewall, it still responds to outside probes and does not go silent like I expected). I would never have expected this, but both test sites I used clearly showed that I was wrong.
  3. Rogers: Silence is golden they say, but I will have to live with the stress of not knowing immediately if my IP address is secured. I sort of resent this, as I really need my internet connection to gain a living and I really feel on my own here. I generally appreciate Rogers but I think that Rogers could do a better job by offering some better resources (things to try besides running your AV software) to its customers. There should at least be some sort of FAQ page that would answer some of the basic questions that we need information on in order to figure out how to manage these cryptic emails. Maybe I should start a FAQ? Maybe this is the start of one?

 

CONCLUDING REMARKS:

 

I basically spent 3 days full-time this week researching, learning and applying some of the stuff I learnt. There are a lot of opinions out there and I quickly learnt that just because someone had a strong and well-articulated opinion that it didn’t mean that they really knew what they were talking about - they might know some things very well but it was too narrow in scope, or they were too techie and couldn’t be bothered to better explain their expert advice. I can understand the latter point of view (“RTFM you lazy person”) but they weren’t nearly as helpful as they assumed they would be, IMHO.

 

The home consumer router business is a mess IMHO - while searching for a new router, I was quite interested in security this time around, as opposed to speed and other interesting functions. I narrowed down my choices to about 4-5 routers but while reading reviews, and now being a bit more knowledgeable about routers and security, I realized that consumers really do trust the router providers to offer users at least a minimally safe setup. To the contrary, this is not the case and I was disheartened to see so many routers with default settings that were wrong, or had not been activated by default, or lacked security features that were essential in this online environment which so much now resembles a "digital war age". In other words, some routers were being sold to trusting consumers who, if they weren't so inclined (and that would include me normally) to learn a bit more about their devices, would expect their routers to be safe. So, in a strange way, Rogers is responsible with its cryptic warnings for pushing me to figure this out on my own and I don't think that what I learnt will be wasted. I certainly am very far from being an expert, but I now know enough to ask better questions and to watch for certain minimal functions within a router that are essential to online safety.

 

Lastly, there are some very kind and helpful people out there and to them, even though we have never met, I say thank you for sharing your time, expertise and suggestions.
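Step 17 of the post above says every Windows PC had ports 135-139 and 445 blocked in its firewall. The PowerShell below is an added example of how to do that on Windows 10, not something from the poster's write-up: it creates inbound block rules for the NetBIOS/SMB ports, then reads the rules back so you can confirm they exist. The rule names are my own choice, and the final registry step (disabling NetBIOS over TCP/IP on every adapter) is an extra hardening option beyond what the post describes. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the forum post): block inbound NetBIOS/SMB ports on a Windows PC.
# Rule names are assumptions; pick your own. Requires an elevated (Administrator) session.
$rules = @(
    @{ Name = 'Block NetBIOS-SMB TCP inbound'; Protocol = 'TCP'; Ports = @(135, 139, 445) },
    @{ Name = 'Block NetBIOS UDP inbound';     Protocol = 'UDP'; Ports = @(137, 138) }
)

foreach ($r in $rules) {
    # Only create the rule if one with the same display name is not already present
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol $r.Protocol `
            -LocalPort $r.Ports -Action Block -Profile Any -Enabled True | Out-Null
    }
}

# Verify: read each rule back together with the port filter attached to it
foreach ($r in $rules) {
    $rule   = Get-NetFirewallRule -DisplayName $r.Name
    $filter = $rule | Get-NetFirewallPortFilter
    '{0}: {1} {2} -> {3} (enabled: {4})' -f $rule.DisplayName, $filter.Protocol,
        ($filter.LocalPort -join ','), $rule.Action, $rule.Enabled
}

# Optional extra hardening (beyond the post): disable NetBIOS over TCP/IP on every adapter.
# NetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
    ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 }
```

A block rule drops the probe silently, which is what ShieldsUP reports as "stealthed"; a port that replies with a reset shows up as "closed" instead, which is the distinction the post ran into with the Synology router. The registry change takes effect for new connections without a reboot, but re-running the ShieldsUP "All Service Ports" test from behind the router is still the only way to confirm what the outside world sees.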