NetBios - Port 137,138,139

Basic Information

NetBIOS (Network Basic Input/Output System) is an API that allows applications on different computers to communicate over a local area network (LAN). It provides services related to the session layer (Layer 5) of the OSI model, including name resolution, data transmission, and session management.

NetBIOS uses several ports, but the most relevant ones are:

• Port 137 (UDP) - NetBIOS Name Service (NBNS), used for name resolution.

• Port 138 (UDP) - NetBIOS Datagram Service (NDS), used for sending broadcast messages.

• Port 139 (TCP) - NetBIOS Session Service (NSS), used for file and printer sharing over TCP/IP.

How does NetBIOS work?

• Port 137 (UDP): Used for NetBIOS Name Service (NBNS), responsible for the registration and resolution of NetBIOS names to IP addresses within a network.

• Port 138 (UDP): Handles NetBIOS Datagram Service (NDS), which is used to send broadcast messages, like sending messages to all machines within a network (e.g., sending network status notifications or alerts).

• Port 139 (TCP): Used for NetBIOS Session Service (NSS), which allows file and printer sharing between computers.

Identifying Exposed NetBIOS Services

Exposed NetBIOS services can be a potential vulnerability for attackers, as they provide information about the system and its resources. These ports are often misconfigured or left open by default, especially on Windows machines, making them valuable for attackers.

You can identify open NetBIOS services by running network scans or using specialized tools.

Nmap:

nmap -p 137,138,139 <target_ip>

Alternatively, using rpcclient (from the Samba suite) or nbtscan can help gather more information about NetBIOS services and identify vulnerabilities.

For example, to identify available shares:

rpcclient -U "" -N <target_ip>

nbtscan:

nbtscan <target_ip_range>

Common NetBIOS Attacks

1. Name Resolution Poisoning (NBNS Poisoning): By sending specially crafted NetBIOS Name Service requests (using tools like nbtscan or Responder), attackers can poison the local NetBIOS name resolution cache, directing clients to malicious machines.

   Example: Tools like Responder can be used to listen to NetBIOS name requests and redirect them to an attacker-controlled machine.

   Copy

   responder -I eth0

2. NetBIOS Enumeration: This involves enumerating shared files, services, and other resources on the target machine. Tools such as enum4linux, nmap, and Smbclient can be used to list available shares, user accounts, and other valuable information.

   Copy

   enum4linux -a <target_ip>

   This will return information such as the list of users, groups, shares, and more.

3. SMB Relay Attacks: NetBIOS over TCP/IP (NBT) can be abused in SMB relay attacks, where an attacker can intercept and relay SMB authentication to a server. This is often done by capturing valid credentials and relaying them to an SMB service on a different machine, potentially granting unauthorized access.

   Using impacket's smbrelayx.py to relay SMB authentication:

   Copy

   smbrelayx.py -t <target_ip> -s <attacker_ip>

4. Brute-forcing SMB Passwords: SMB shares on port 139 can be attacked by brute-forcing weak passwords to gain unauthorized access. Tools like Hydra or Medusa can be used to perform password guessing attacks against SMB services.

   Copy

   hydra -l <username> -P /path/to/password_list.txt smb://<target_ip>