· Security · 3 min read
NetBIOS Enumeration Cheatsheet: Essential Commands for Pentesters
Table of Contents
- 1.What is NetBIOS?
- 2.Quick NetBIOS Enumeration Commands
- 3.Purpose of Ports 137 and 138 in NetBIOS
- 3.1Port 137 (NetBIOS Name Service – NBNS)
- 3.2Port 138 (NetBIOS Datagram Service – NBDS)
- 4.Tools and Commands for NetBIOS Enumeration
- 4.1nbtstat (Windows Built-in Tool)
- 4.2nbtscan
- 5.Interpreting NetBIOS Enumeration Results
- 6.Securing Ports 137 and 138
- 7.Conclusion
What is NetBIOS?
NetBIOS (Network Basic Input/Output System) is a legacy networking protocol that allows computers on a local area network (LAN) to communicate and share resources. Here’s a simple breakdown of its main functions and features:
- Name Resolution: NetBIOS provides hostname-to-IP resolution, helping systems find the correct IP address for devices like “FileServer”
- File and Printer Sharing: It enables file and printer sharing across the network, allowing access to shared files or printers on other machines
- Session Management: NetBIOS manages sessions, enabling reliable data exchange between two computers
- Broadcasting: It uses broadcast messages for network discovery, allowing devices to find and share resources
- Common Usage: NetBIOS is commonly found in older Windows networking environments or mixed OS networks where Windows and non-Windows machines communicate
Quick NetBIOS Enumeration Commands
Here are some essential commands for quick NetBIOS enumeration:
nmblookup -A 10.10.10.10nbtscan 10.10.10.10sudo nmap -sU -sV -T4 --script nbstat.nse -p137 -Pn -n 10.10.10.10Purpose of Ports 137 and 138 in NetBIOS
Port 137 (NetBIOS Name Service – NBNS)
- Resolves NetBIOS names to IP addresses
- Identifies computer names, workgroup or domain names, and network shares
Port 138 (NetBIOS Datagram Service – NBDS)
- Sends datagrams like browser elections and announcements
- Enables hosts to find each other and broadcast name info in a LAN
Tools and Commands for NetBIOS Enumeration
nbtstat (Windows Built-in Tool)
Query remote NetBIOS Name Table (port 137):
nbtstat -A 192.168.1.10This command returns the NetBIOS name table of the target system, showing hostnames, sessions, and shared resources.
View local NetBIOS name table:
nbtstat -nView active NetBIOS connections (port 138):
nbtstat -Snbtscan
A dedicated tool for NetBIOS name service enumeration over port 137:
Scan an IP or subnet for NetBIOS names:
nbtscan 192.168.1.0/24This lists NetBIOS names and corresponding IP addresses for network mapping and asset identification.
Interpreting NetBIOS Enumeration Results
When scanning NetBIOS over ports 137 and 138, look for these common flags:
| Flag | Meaning |
|---|---|
<00> | Indicates the hostname or domain name |
<20> | Indicates the system is running file-sharing services |
<03> | Indicates the Messenger service is active on the machine |
These flags help identify the roles of systems on the network (e.g., file servers or domain controllers).
Securing Ports 137 and 138
To protect against NetBIOS enumeration vulnerabilities:
- Disable NetBIOS over TCP/IP if not required
- This can be done in the network adapter settings (Windows)
- Block ports 137 and 138 using a firewall
- Especially important on public-facing systems
- Prevents external enumeration
- Enforce strong authentication and access controls
- Implement for all shared network resources
Conclusion
By using NetBIOS enumeration tools like nbtstat, nbtscan, and Nmap, pentesters can uncover valuable information about networked systems, including their names, services, and shared resources. This information helps map the attack surface and discover potential vulnerabilities. However, it’s crucial to use these tools ethically and only on systems you have permission to test.
