
Woudja look at that? It’s time for another 2600 report. Since I’m writing this
at four in the afternoon before the first Friday of the month, I’m a little rushed to
get all of the content down on paper.
This month’s topic is yet another possibility for a Windows DNS (that’s Denial
of Service) attack. It is, as yet, theoretical (i.e. I have yet to write code to
back this up). It is based on the Browser Service (what you see when you double-click
on Network Neighborhood). Most of the text and references are pulled from the
Windows NT Server Resource Kit. It will only work in a LAN environment (although
I’m looking into using BrowseMasterAnnouncement directed datagrams and WINS to see if
a form of this is possible over a WAN or internet link).
So, what happens when you double-click on Network Neighborhood? This is a
question I asked myself a few weeks ago. A little research turned up the answer
and some potential "hacks."
Every computer running Windows (3.11, 95, or NT) also runs a service in the
background called the Browser Service. When your system wants to see what is out
on the network, it asks your Browser service, which then talks across the network to
another system’s Browser service. These services are what maintain a list of
which computers are currently connected to the network.
One of the computers running the Browser service declares itself to be
"Master Browser," who is responsible for maintaining the list. Every computer, when
it first connects to the network, looks for the Master Browser and says, "hey, I’m
here." The Master Browser takes note and adds the computer to its list. Once
the computer has established a presence on the network, it continues to say, "Hey,
I’m still here" every 1-12 minutes--that way the Master Browser knows if it was
unplugged, crashed, or otherwise shut down. If your computer wants a list of which
computers are on the network, it talks to the Master Browser, who returns a list
of computers. There are also 0-2 backup browsers on the network. The Master
Browser (incrementally) updates these every 15 minutes--just in case the Master
Browser computer dies unexpectedly.
All of this is done in the background. YOUR very computer may, without
your knowledge, be the Browse Master. It may be a backup browser. It may be just
another machine requesting lookups on the Browse Master. Typically, the Master
Browser happens to be an NT Server. Typically, it is the PDC (Primary Domain
Controller). But why and how? Who tells the machine "you’re going to be Master
Browser." There is no Control Panel option. There is no registry setting
(technically, there is an indirect registry setting).
It all works the same way our government is supposed to work--with elections.
Let us picture this scenario: lots of computers networked together, a few NT
Servers, a PDC, bunches of NT and 95 Workstations, even a few 3.11 machines.
(This scenario is a little simplified. Technically, when the PDC was turned on, it
would call for an election). Every computer is turned on at exactly the same time
and left to sit. You come along to one of them and double click the Network
Neighborhood. Your computer screams down the network cable to all of the systems "Hey,
which one of you is the Master Browser?!?!" Silence on the network. Repeated
scream. More silence. Your computer then screams to all others, "Let’s have a little
election. I’m a Win95 machine, my name is Copper, I have been running for 2 minutes.
Is anyone better than me?" The 3.11 machines remain quiet. The NT Workstations
and NT Servers WANT to jump in and say "Shut up. I’m better than you." Because
only one machine can talk on the network at a time, each machine waits between 100 and
3000ms before responding. NT Workstation: "I’m an NT Workstation. My name is Iron.
I’ve been on for 2 minutes. I’m better. Can anyone beat me?" NT Server: "I’m an
NT Server. Name’s Gold. On for 2 minutes. Who can beat that?" PDC: "I’m not just
a Server, but also the PDC! My name’s Platinum and I’ve been online for 2 minutes.
Anyone better?" After a few seconds there is no response, so Platinum declares
itself to be Master Browser.
This is exactly how a Master Browser comes to be. All the computers secretly
fight over the network to become Master. The Master then arbitrarily picks backups
(if required). All computers then talk to the Master to add themselves to the network
and to get a list of computers on the network.
Potential "modifications" and experiments (all are theory, none are tested...):
- Remove/Stop the Browser service on your machine. You will not appear on the
browse lists, but you will also not be able to use the browse lists--you will have
to already know the machine name or address that you wish to connect to.
- The NT Server Resource Kit comes with a program called browstat.exe that allows you
to retrieve and set browse information. It can force an election or tickle the Master
Browser into stopping. Put in a loop, this floods the network with election packets.
- Unfortunately, browstat.exe adds an event to your system log so that Mr. Administrator
knows that you have been a bad boy or girl--especially when the log becomes maxed
out with these entries. browstat can be patched to not log these requests.
- Since spoofing is so popular these days, and since these are broadcast packets, it
is entirely possible to write a little tool that inserts a steady stream of bogus
packets into the network. The other computers will choke on their own responses.
- Taking that a step further, a program can be written to listen for election
requests and send out a packet saying "I’m God. I’ve been online forever. I’m
better than an NT Server PDC." It would then summarily ignore browse requests.
The rankings for "which computer is more powerful" are as follows (the election
criteria is a 32-bit value, shown here as mask and values):

  Operating System Type Mask        0xFF000000
      Windows 3.11/95                   0x01000000
      NT Workstation                    0x10000000
      NT Server                         0x20000000
  Election Version Mask             0x00FFFF00
  Per Version Criteria Mask         0x000000FF
      PDC                               0x00000080
      WINS System                       0x00000020
      Preferred Master                  0x00000008
      Running Master                    0x00000004
      Maintain Server List=YES          0x00000002
      Running Backup Browser            0x00000001
What’s to prevent the first field from being FF, the middle field from being the
correct version number, and the final field from being FF?
A sample Election Request packet looks like this:
00000000 03 00 00 00 00 01 00 A0 24 43 DF 39 00 A6 F0 F0 ........$C.9....
00000010 03 2C 00 FF EF 08 00 00 00 00 00 00 00 53 55 42 .,...........SUB
00000020 53 50 41 43 45 20 20 20 20 20 20 20 1E 42 50 5F SPACE........BP_
00000030 50 31 36 36 20 20 20 20 20 20 20 20 20 FF 53 4D P166..........SM
00000040 42 25 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B%..............
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 11 00 00 ................
00000060 21 00 00 00 00 00 00 00 00 00 E8 03 00 00 00 00 !...............
00000070 00 00 00 00 21 00 56 00 03 00 01 00 00 00 02 00 ....!.V.........
00000080 32 00 5C 4D 41 49 4C 53 4C 4F 54 5C 42 52 4F 57 2.\MAILSLOT\BROW
00000090 53 45 00 0F 00 80 FC 0A 00 42 50 5F 50 31 36 36 SE.......BP_P166
000000A0 00 00 00 00 00 00 00 00 00 04 00 03 10 05 00 0F ................
000000B0 01 55 AA 00 .U..
RED denotes the Domain Name followed by <1E>
GREEN denotes the Machine Name
BLUE denotes the above-mentioned flag
Implementing this program is an exercise left to the reader... <<evil grin>>
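The following decoder is an added example written for this report, not code from the original article or from Microsoft. It covers the criteria table above and the hex dump: it splits a 32-bit election criteria value into the three masked fields, flags values that no real Windows host would send (an OS type byte other than 0x01/0x10/0x20, per-version bits outside the six defined ones, or the PDC bit claimed by a non-NT-Server type, which is exactly the "first field FF, last field FF" packet the report asks about), and parses the mailslot payload of a browser frame. The 33-byte payload embedded below is copied from offset 0x93 of the dump; decoded by the documented browser frame layout it begins with opcode 0x0F, which is a LocalMasterAnnouncement (the running master, BP_P166, re-announcing itself every 720000 ms) rather than a RequestElection (opcode 0x08), so the parser handles both opcodes. The three RequestElection payloads (COPPER, PLATINUM and the forged "GOD") are constructed for the example, as are the election-version values inside them; the winner-selection order (criteria, then uptime) follows the election narrative in the report and is an assumption of this example, as is the choice to drop flagged frames before ranking, which is what a defender would do when auditing a capture.

```python
import struct

# Election criteria layout as tabulated in the report (32-bit value).
OS_TYPE_MASK = 0xFF000000
ELECTION_VER_MASK = 0x00FFFF00
PER_VERSION_MASK = 0x000000FF

OS_TYPES = {0x01: "Windows 3.11/95", 0x10: "NT Workstation", 0x20: "NT Server"}
PER_VERSION_BITS = {
    0x80: "PDC", 0x20: "WINS System", 0x08: "Preferred Master",
    0x04: "Running Master", 0x02: "Maintain Server List=YES",
    0x01: "Running Backup Browser",
}
KNOWN_PER_VERSION = 0xAF  # union of the six defined per-version bits

OP_REQUEST_ELECTION = 0x08
OP_LOCAL_MASTER_ANNOUNCEMENT = 0x0F


def decode_criteria(criteria):
    """Split the 32-bit criteria into OS type, election version and flags."""
    os_byte = (criteria & OS_TYPE_MASK) >> 24
    return {
        "os_type": OS_TYPES.get(os_byte, "unknown (0x%02X)" % os_byte),
        "election_version": (criteria & ELECTION_VER_MASK) >> 8,
        "flags": [name for bit, name in PER_VERSION_BITS.items() if criteria & bit],
    }


def suspicious_reasons(criteria):
    """Return why a criteria value cannot come from a genuine Windows host (empty if plausible)."""
    reasons = []
    os_byte = (criteria & OS_TYPE_MASK) >> 24
    if os_byte not in OS_TYPES:
        reasons.append("OS type byte 0x%02X is not a known value" % os_byte)
    if criteria & PER_VERSION_MASK & ~KNOWN_PER_VERSION:
        reasons.append("undefined per-version criteria bits are set")
    if (criteria & 0x80) and os_byte != 0x20:
        reasons.append("PDC bit claimed by a non-NT-Server OS type")
    return reasons


def parse_browser_frame(payload):
    """Parse the data written to \\MAILSLOT\\BROWSE for the two opcodes this report discusses."""
    opcode = payload[0]
    if opcode == OP_REQUEST_ELECTION:
        # opcode, version, criteria, uptime (ms), reserved, then a null-terminated server name
        version, criteria, uptime, _reserved = struct.unpack_from("<BIII", payload, 1)
        name_end = payload.index(b"\x00", 14)
        return {"opcode": "RequestElection", "version": version, "criteria": criteria,
                "uptime_ms": uptime, "server_name": payload[14:name_end].decode("ascii"),
                "suspicious": suspicious_reasons(criteria)}
    if opcode == OP_LOCAL_MASTER_ANNOUNCEMENT:
        # opcode, update count, periodicity (ms), 16-byte name, OS major/minor,
        # server type bitmask, browser major/minor, signature 0xAA55, then a comment
        (update_count, periodicity, raw_name, os_major, os_minor, server_type,
         br_major, br_minor, signature) = struct.unpack_from("<BI16sBBIBBH", payload, 1)
        comment_end = payload.index(b"\x00", 32)
        return {"opcode": "LocalMasterAnnouncement", "update_count": update_count,
                "periodicity_ms": periodicity, "server_name": raw_name.rstrip(b"\x00").decode("ascii"),
                "os_version": (os_major, os_minor), "server_type": server_type,
                "browser_version": (br_major, br_minor), "signature_ok": signature == 0xAA55,
                "comment": payload[32:comment_end].decode("ascii")}
    return {"opcode": "unhandled (0x%02X)" % opcode}


def pick_winner(payloads):
    """Rank genuine RequestElection frames by criteria, then uptime; forged ones are reported, not ranked."""
    genuine, dropped = [], []
    for frame in (parse_browser_frame(p) for p in payloads):
        if frame["opcode"] != "RequestElection":
            continue
        (dropped if frame["suspicious"] else genuine).append(frame)
    winner = max(genuine, key=lambda f: (f["criteria"], f["uptime_ms"]), default=None)
    return winner, dropped


# Mailslot payload copied from offset 0x93 of the dump in the report.
SAMPLE_FROM_DUMP = bytes.fromhex(
    "0F 00 80 FC 0A 00 42 50 5F 50 31 36 36 00 00 00 00 00 00 00 00 00"
    "04 00 03 10 05 00 0F 01 55 AA 00")

# Constructed RequestElection payloads (not from the report); uptimes are 120000 ms = 2 minutes.
COPPER = bytes.fromhex("08 01 00 0F 01 01 C0 D4 01 00 00 00 00 00") + b"COPPER\x00"      # Win95
PLATINUM = bytes.fromhex("08 01 80 0F 01 20 C0 D4 01 00 00 00 00 00") + b"PLATINUM\x00"  # NT Server, PDC
FORGED = bytes.fromhex("08 01 FF FF FF FF FF FF FF FF 00 00 00 00") + b"GOD\x00"         # the "I'm God" frame

if __name__ == "__main__":
    print(parse_browser_frame(SAMPLE_FROM_DUMP))
    winner, dropped = pick_winner([COPPER, FORGED, PLATINUM])
    print("winner:", winner["server_name"], decode_criteria(winner["criteria"]))
    for frame in dropped:
        print("dropped:", frame["server_name"], frame["suspicious"])
```

Run stand-alone, the script decodes the dump's payload as a master announcement from BP_P166 and ranks PLATINUM (NT Server with the PDC bit) above COPPER, while the all-0xFF frame is set aside with three reasons. Applied to a capture from a real segment, the same checks give a defender an inexpensive way to spot the forged election frames the report describes: a genuine host never sets an undefined OS type byte, and only an NT Server can legitimately claim the PDC bit.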