# 137-139 - NetBIOS

### Overview

`Network Basic Input/Output System (NetBIOS)` is a Windows API providing services related to the session layer (layer 5) of the OSI model, mostly for systems on the same link-local subnetwork. `NetBIOS` runs over `TCP/IP` via the `NetBIOS over TCP/IP (NBT)` protocol.

`NetBIOS` provides notably a name registration and resolution service: the `NetBIOS Name Service (NBNS)`, which operates on `UDP` port 137 (and may operate on `TCP` 137). `NetBIOS` names are 16 ASCII characters in length (with out "\ / : \* ? " < > |"), with the 16th character reserved for the resource `NetBIOS Suffix`. The `NetBIOS-NS` protocol is used, along (and before) the `Link-Local Multicast Name Resolution (LLMNR)` protocol, by Windows systems to perform name resolution operation if the `Domain Name System (DNS)` resolution fails. The name resolution is made through a `NBNS` `Name query NB` broadcast request on the link-local broadcast address and can thus only be used to resolve `NetBIOS` names for hosts on the same subnetwork.

A `NetBIOS` name table stores the `NetBIOS` records registered on the Windows system. A record consists of a `NetBIOS` name, a status, and can be of two type: `Unique` or `Group`. `Unique` record are unique among all systems on the link-local subnetwork and a verification is made by the system registering the `NetBIOS` name with the `Windows Internet Name Service (WINS)` server or through a broadcast `Registration NB` request to ensure that the newly registered name would effectively be unique. For example, such request is made by a Windows system at boot time to register the system `NetBIOS` hostname in the local-link subnetwork. On the contrary, `Group` records may take for value a `NetBIOS` name shared by others systems.

The 16th character of a record `NetBIOS` name is reserved and corresponds to the `NetBIOS Suffix`, which indicates the service type associated with the `NetBIOS` record.

| Type     | Suffix | Value                              | Description                                                                                                                                                                                                                                                                                                                                          |
| -------- | ------ | ---------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `UNIQUE` | `00`   | `NetBIOS` system hostname          | Registered by the Windows `Workstation` service. Yields for value the system registered `NetBIOS` hostname.                                                                                                                                                                                                                                          |
| `UNIQUE` | `20`   | `NetBIOS` system hostname          | Registered by the Windows `Server` service. The `Server` service supports the sharing of shares and named-pipe over the network.                                                                                                                                                                                                                     |
| `UNIQUE` | `1B`   | `NetBIOS` domain name              | `Domain Master Browser`, part of the `Browser Service`, replaced by Windows Active Directory since `Windows XP` and only provided for backward compatibility reasons. Registered on the `Primary Domain Controller` Emulator of the Active Directory domain (only one server acts as the `Domain Master Browser` across an Active Directory domain). |
| `UNIQUE` | `1D`   | `NetBIOS` domain or workgroup name | `Master Browser`, part of the `Browser Service`, replaced by Windows Active Directory since `Windows XP` and only provided for backward compatibility reasons. Only one server acts as the `Master Browser` in a link-local subnetwork.                                                                                                              |
| `GROUP`  | `00`   | `NetBIOS` domain or workgroup name | Windows `Workstation` service. Registers the system in a workgroup or Active Directory domain and yields for value the Active Directory domain or workgroup the system is integrated to.                                                                                                                                                             |
| `GROUP`  | `1C`   | `NetBIOS` domain name              | Registered on systems that are `Domain Controller` in an Active Directory domain.                                                                                                                                                                                                                                                                    |

Additionally, while `NetBIOS` is completely independent from the `Server Message Block (SMB)` protocol, `SMB` does rely on `NetBIOS` (`SMB` over `NBT`, `TCP` port 139) for communication with systems that do not support direct hosting of `SMB` over `TCP/IP`.

### Network scan

`nmap` can be used to scan the network for exposed `NetBIOS` services:

```
nmap -v -sS -sU -sV -sC -p U:137,T:137,138,139 -oA nmap_netbios <RANGE | CIDR>
```

### NetBIOS name resolution and name table enumeration

The Windows `nbtstat` and the Linux `nmblookup` utilities can be used to resolve `NetBIOS` name and retrieve the remote system `NetBIOS` name table information:

```
# Linux
# Performs NetBIOS name resolution
nmblookup <NETBIOS_NAME>
# Lists the remote machine's name table given its NetBIOS name / IP address
nmblookup -A <NETBIOS_NAME | IP>

# Windows
# Lists the remote machine's name table given its NetBIOS name / IP address
nbtstat -a <NETBIOS_NAME>
nbtstat -A <IP>
```

### SMB over NetBIOS

If the `NetBIOS` `session service` is accessible on the remote system, on `TCP` port 139, but not the `SMB` service, `SMB` over `NBT` can be used to access remote network shares or execute commands through `PsExec`-like utilities.

```
# If no username provided, null session assumed
smbmap -P 139 [-d <DOMAIN>] [-u <USERNAME>] [-p <PASSWORD | HASH>] (-H <HOSTNAME | IP> | --host-file <FILE>)  

# TARGETS can be IP(s), range(s), CIDR(s), hostname(s), FQDN(s) or file(s) containing a list of targets
crackmapexec <TARGETS> --port 139 [-M <MODULE> [-o <MODULE_OPTION>]] (-d <DOMAIN> | --local-auth) -u <USERNAME | USERNAMES_FILE> (-p <PASSWORD | PASSWORDS_FILE> | -H <HASH>) [--sam] [-x <COMMAND> | -X <PS_COMMAND>]
```

For more information, refer to the `[L7] 445 - SMB` and `[Windows] Lateral movements` notes.

### NBT-NS poisoning

Responses to the broadcasted `NBNS` name resolution requests can be spoofed, in order to intercept local network traffic. The interception can, notably, be used to capture, and eventually relay, local network `SMB` authentication requests.

For more information, refer to the `[ActiveDirectory] NTLM Relaying` note.

***

### References

<https://www.itprotoday.com/compute-engines/knowing-angles-netbios-suffixes> <https://www.itprotoday.com/compute-engines/what-are-netbios-suffixes-16th-character> Network Security Assessment: Know Your Network Windows NT TCP/IP Network Administration


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://notes.qazeer.io/l7/methodology-7.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.