Simple Security Tests

14th June 2019

Some Simple Security Tests to get Small Businesses started

Thycotic Weak Password Finder: tests for LanMan, weak hashes etc. and shows which of those accounts have Administrator privilege.
https://thycotic.com/solutions/free-it-tools/weak-password-finder/

Wireshark
LLMNR
udp.port == 5355 (display filter)
udp port 5355 (capture filter)
Leave running for 1 hour +
Clients that send requests have “NetBIOS over TCP” enabled
Multiple random requests = DNS pre-fetching in Chrome
https://osqa-ask.wireshark.org/questions/12840/weird-nbns-queries
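
Added example, not part of the original post: Python that tallies the LLMNR queries from a capture like the one above per client and separates the random-looking names. The (source IP, UDP payload) input shape, the sample addresses and names, and the "7-15 lowercase letters, asked once" rule for Chrome-like probes are assumptions.

```python
import re
import struct
from collections import defaultdict

# Assumption: Chrome's probes are a single label of 7-15 lowercase letters.
CHROME_LIKE = re.compile(r"^[a-z]{7,15}$")

def build_query(name, txid=0x1234):
    """Build a constructed LLMNR query payload (DNS wire format, RFC 4795)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_llmnr_query(payload):
    """Return the queried name, or None for responses and malformed data."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:  # QR bit set = response
        return None
    labels, pos = [], 12
    while pos < len(payload):
        length = payload[pos]
        if length == 0:
            return ".".join(labels) or None
        if length > 63 or pos + 1 + length > len(payload):
            return None  # compression pointer or truncated name
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return None

def summarise(packets):
    """packets: (source_ip, udp_payload) pairs -> per-client name report."""
    seen = defaultdict(lambda: defaultdict(int))
    for src, payload in packets:
        name = parse_llmnr_query(payload)
        if name:
            seen[src][name] += 1
    report = {}
    for src, names in seen.items():
        probes = sorted(n for n, c in names.items() if c == 1 and CHROME_LIKE.match(n))
        report[src] = {"names": sorted(set(names) - set(probes)), "chrome_like": probes}
    return report

# Constructed sample: (source IP, UDP payload) as seen on port 5355.
SAMPLE = [("10.0.0.21", build_query(n)) for n in ("FILESRV01", "FILESRV01", "wpad")]
SAMPLE += [("10.0.0.34", build_query(n)) for n in ("qzkvbnwtrhy", "mxplzcdwq", "hgtrwqkzpls")]

if __name__ == "__main__":
    print(summarise(SAMPLE))
```

Clients with entries under "names" are resolving real hostnames over LLMNR and are the ones to fix first; a client with only "chrome_like" entries is most likely just the browser probing.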

Disable NetBIOS & LLMNR
http://woshub.com/how-to-disable-netbios-over-tcpip-and-llmnr-using-gpo/

NetBIOS test
start, run, cmd, nbtstat -n
should return "Failed to access NetBT driver -- NetBT may not be loaded"
else NetBIOS is enabled

How to turn NetBIOS off (single computer)

net stop "TCP/IP NetBIOS Helper"
net stop netbt
sc config netbt start= disabled

NetBIOS is only used when trying to share files locally on a HOME network. It is not used for anything on the Internet, and it is not used by DropBox, OneDrive, Google Drive etc.

Just for reference, this is the order that Windows uses to turn a name into an IP address (name resolution):

DNS (i.e. server.domain.tld, used by the internet)
WINS (Windows Internal Name Service, can span multiple subnets if set up properly)
LLMNR (Link Local Multicast Name Resolution, can span multiple switches if set up properly)
NetBIOS (local Subnet only)
Broadcast (local Subnet only)

Microsoft PortQryUI https://www.microsoft.com/en-ca/download/details.aspx?id=24009
There is also a PortQry command-line version without the UI.