137-139 - NetBIOS
Last updated
Last updated
Network Basic Input/Output System (NetBIOS) is a Windows API providing services related to the session layer (layer 5) of the OSI model, mostly for systems on the same link-local subnetwork. NetBIOS runs over TCP/IP via the NetBIOS over TCP/IP (NBT) protocol.
NetBIOS provides notably a name registration and resolution service: the NetBIOS Name Service (NBNS), which operates on UDP port 137 (and may operate on TCP 137). NetBIOS names are 16 ASCII characters in length (with out "\ / : * ? " < > |"), with the 16th character reserved for the resource NetBIOS Suffix. The NetBIOS-NS protocol is used, along (and before) the Link-Local Multicast Name Resolution (LLMNR) protocol, by Windows systems to perform name resolution operation if the Domain Name System (DNS) resolution fails. The name resolution is made through a NBNS Name query NB broadcast request on the link-local broadcast address and can thus only be used to resolve NetBIOS names for hosts on the same subnetwork.
A NetBIOS name table stores the NetBIOS records registered on the Windows system. A record consists of a NetBIOS name, a status, and can be of two type: Unique or Group. Unique record are unique among all systems on the link-local subnetwork and a verification is made by the system registering the NetBIOS name with the Windows Internet Name Service (WINS) server or through a broadcast Registration NB request to ensure that the newly registered name would effectively be unique. For example, such request is made by a Windows system at boot time to register the system NetBIOS hostname in the local-link subnetwork. On the contrary, Group records may take for value a NetBIOS name shared by others systems.
The 16th character of a record NetBIOS name is reserved and corresponds to the NetBIOS Suffix, which indicates the service type associated with the NetBIOS record.
| Type | Suffix | Value | Description |
|---|---|---|---|
Additionally, while NetBIOS is completely independent from the Server Message Block (SMB) protocol, SMB does rely on NetBIOS (SMB over NBT, TCP port 139) for communication with systems that do not support direct hosting of SMB over TCP/IP.
nmap can be used to scan the network for exposed NetBIOS services:
The Windows nbtstat and the Linux nmblookup utilities can be used to resolve NetBIOS name and retrieve the remote system NetBIOS name table information:
If the NetBIOS session service is accessible on the remote system, on TCP port 139, but not the SMB service, SMB over NBT can be used to access remote network shares or execute commands through PsExec-like utilities.
For more information, refer to the [L7] 445 - SMB and [Windows] Lateral movements notes.
Responses to the broadcasted NBNS name resolution requests can be spoofed, in order to intercept local network traffic. The interception can, notably, be used to capture, and eventually relay, local network SMB authentication requests.
For more information, refer to the [ActiveDirectory] NTLM Relaying note.
https://www.itprotoday.com/compute-engines/knowing-angles-netbios-suffixes https://www.itprotoday.com/compute-engines/what-are-netbios-suffixes-16th-character Network Security Assessment: Know Your Network Windows NT TCP/IP Network Administration
UNIQUE
00
NetBIOS system hostname
Registered by the Windows Workstation service. Yields for value the system registered NetBIOS hostname.
UNIQUE
20
NetBIOS system hostname
Registered by the Windows Server service. The Server service supports the sharing of shares and named-pipe over the network.
UNIQUE
1B
NetBIOS domain name
Domain Master Browser, part of the Browser Service, replaced by Windows Active Directory since Windows XP and only provided for backward compatibility reasons. Registered on the Primary Domain Controller Emulator of the Active Directory domain (only one server acts as the Domain Master Browser across an Active Directory domain).
UNIQUE
1D
NetBIOS domain or workgroup name
Master Browser, part of the Browser Service, replaced by Windows Active Directory since Windows XP and only provided for backward compatibility reasons. Only one server acts as the Master Browser in a link-local subnetwork.
GROUP
00
NetBIOS domain or workgroup name
Windows Workstation service. Registers the system in a workgroup or Active Directory domain and yields for value the Active Directory domain or workgroup the system is integrated to.
GROUP
1C
NetBIOS domain name
Registered on systems that are Domain Controller in an Active Directory domain.