NetBIOS Enumeration (135, 137-139, 445) Cheat Sheet: Essential Commands, Tools for Pentesters

What is NetBIOS?

NetBIOS (Network Basic Input/Output System) is a legacy networking protocol that allows computers on a local area network (LAN) to communicate and share resources. Here’s a simple breakdown of its main functions and features:

• Name Resolution: NetBIOS provides hostname-to-IP resolution, helping systems find the correct IP address for devices like “FileServer.”
• File and Printer Sharing: It enables file and printer sharing across the network, allowing access to shared files or printers on other machines.
• Session Management: NetBIOS manages sessions, enabling reliable data exchange between two computers.
• Broadcasting: It uses broadcast messages for network discovery, allowing devices to find and share resources.
• Common Usage: NetBIOS is commonly found in older Windows networking environments or mixed OS networks where Windows and non-Windows machines communicate.

For more detailed NetBIOS enumeration techniques, check out this guide from HackTricks.

---

Quick NetBIOS Enumeration Commands

• nmblookup -A 10.10.10.10
• nbtscan 10.10.10.10
• sudo nmap -sU -sV -T4 –script nbstat.nse -p137 -Pn -n 10.10.10.10

---

Purpose of Ports 137 and 138 in NetBIOS:

• Port 137 (NetBIOS Name Service – NBNS):
  • Resolves NetBIOS names to IP addresses.
  • Identifies computer names, workgroup or domain names, and network shares.
• Port 138 (NetBIOS Datagram Service – NBDS):
  • Sends datagrams like browser elections and announcements.
  • Enables hosts to find each other and broadcast name info in a LAN.

---

Tools and Commands for NetBIOS Enumeration on Ports 137 and 138:

• nbtstat (Windows Built-in Tool):
  • Query remote NetBIOS Name Table (port 137):
    nbtstat -A 192.168.1.10
    Returns the NetBIOS name table of the target system, showing hostnames, sessions, and shared resources.
  • View local NetBIOS name table:
    nbtstat -n
  • View active NetBIOS connections (port 138):
    nbtstat -S
• nbtscan:
  • A dedicated tool for NetBIOS name service enumeration over port 137.
  • Scan an IP or subnet for NetBIOS names (port 137):
    nbtscan 192.168.1.0/24
    Lists NetBIOS names and corresponding IP addresses for network mapping and asset identification.

---

Interpreting NetBIOS Enumeration Results

When scanning NetBIOS over ports 137 and 138, common flags include:

• <00>: Indicates the hostname or domain name.
• <20>: Indicates the system is running file-sharing services.
• <03>: Indicates the Messenger service is active on the machine.

These flags help identify the roles of systems on the network (e.g., file servers or domain controllers).

---

Securing Ports 137 and 138

To protect against NetBIOS enumeration vulnerabilities:

• Disable NetBIOS over TCP/IP if not required. This can be done in the network adapter settings (Windows).
• Block ports 137 and 138 using a firewall, especially on public-facing systems, to prevent external enumeration.
• Enforce strong authentication and access controls for shared network resources.

---

By using NetBIOS enumeration tools like nbtstat, nbtscan, and Nmap, pentesters can uncover valuable information about networked systems, including their names, services, and shared resources, helping to map the attack surface and discover potential vulnerabilities.