# NetBios - Port 137,138,139

{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}
Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁**

* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. 📚
  {% endtab %}
  {% endtabs %}

## **Basic Information**

NetBIOS (Network Basic Input/Output System) is an API that allows applications on different computers to communicate over a local area network (LAN). It provides services related to the session layer (Layer 5) of the OSI model, including name resolution, data transmission, and session management.

NetBIOS uses several ports, but the most relevant ones are:

* **Port 137 (UDP)** - NetBIOS Name Service (NBNS), used for name resolution.
* **Port 138 (UDP)** - NetBIOS Datagram Service (NDS), used for sending broadcast messages.
* **Port 139 (TCP)** - NetBIOS Session Service (NSS), used for file and printer sharing over TCP/IP.

### **How does NetBIOS work?**

* **Port 137 (UDP)**: Used for NetBIOS Name Service (NBNS), responsible for the registration and resolution of NetBIOS names to IP addresses within a network.
* **Port 138 (UDP)**: Handles NetBIOS Datagram Service (NDS), which sends broadcast messages to all machines within a network (e.g., network status notifications or alerts).
* **Port 139 (TCP)**: Used for NetBIOS Session Service (NSS), which allows file and printer sharing between computers.

## **Identifying Exposed NetBIOS Services**

Exposed NetBIOS services are a potential weakness because they disclose information about the system and its resources. These ports are often misconfigured or left open by default, especially on Windows machines, which makes them valuable to attackers.

You can identify open NetBIOS services by running network scans or using specialized tools.

**Nmap:**

```bash
# 137/138 are UDP and 139 is TCP, so scan both protocols (-sU needs root)
sudo nmap -sU -sT -p U:137,138,T:139 <target_ip>
```

Alternatively, using **rpcclient** (from the **Samba** suite) or **nbtscan** can help gather more information about NetBIOS services and identify vulnerabilities.

For example, to open an anonymous (null) session with `rpcclient`, from which available shares can be listed:

```bash
rpcclient -U "" -N <target_ip>
```

`nbtscan`:

```bash
nbtscan <target_ip_range>
```

***

## **Common NetBIOS Attacks**

1. **Name Resolution Poisoning (NBNS Poisoning)**: By sending specially crafted NetBIOS Name Service requests (using tools like **nbtscan** or **Responder**), attackers can poison the local NetBIOS name resolution cache, directing clients to malicious machines.

   **Example:** Tools like **Responder** can be used to listen to NetBIOS name requests and redirect them to an attacker-controlled machine.

   ```bash
   responder -I eth0
   ```
2. **NetBIOS Enumeration**: This involves enumerating shared files, services, and other resources on the target machine. Tools such as **enum4linux**, **nmap**, and **smbclient** can be used to list available shares, user accounts, and other valuable information.

   ```bash
   enum4linux -a <target_ip>
   ```

   This will return information such as the list of users, groups, shares, and more.
3. **SMB Relay Attacks**: NetBIOS over TCP/IP (NBT) can be abused in SMB relay attacks, where an attacker can intercept and relay SMB authentication to a server. This is often done by capturing valid credentials and relaying them to an SMB service on a different machine, potentially granting unauthorized access.

   Using **impacket**'s `smbrelayx.py` to relay SMB authentication:

   ```bash
   smbrelayx.py -t <target_ip> -s <attacker_ip>
   ```
4. **Brute-forcing SMB Passwords**: SMB shares on port 139 can be attacked by brute-forcing weak passwords to gain unauthorized access. Tools like **Hydra** or **Medusa** can be used to perform password guessing attacks against SMB services.

   ```bash
   hydra -l <username> -P /path/to/password_list.txt smb://<target_ip>
   ```
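
A defender-side check for the NBNS poisoning described in item 1, added here as an example and not part of the original page: it parses NetBIOS Name Service responses seen on UDP 137 and flags any source that answers positively for many unrelated names. The function names, the `threshold` value and the sample packets are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

def nb_encode(name, suffix=0x00):
    """RFC 1001 first-level encoding: pad to 15 chars, append suffix, split nibbles."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    return bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))

def nb_decode(enc):
    """Inverse of nb_encode: returns (name, suffix) from 32 encoded bytes."""
    raw = bytes((((enc[i] - 0x41) & 0x0F) << 4) | ((enc[i + 1] - 0x41) & 0x0F)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]

def parse_positive_response(payload):
    """Return (name, claimed_ip) for a positive name query response, else None."""
    if len(payload) < 62 or payload[12] != 0x20 or payload[45] != 0x00:
        return None
    _tid, flags, _qd, ancount = struct.unpack("!HHHH", payload[:8])
    # Require: response bit set, opcode 0 (query), rcode 0, at least one answer.
    if not flags & 0x8000 or flags & 0x780F or ancount == 0:
        return None
    rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", payload[46:56])
    if rtype != 0x0020 or rdlen < 6:  # NB record carrying flags + IPv4 address
        return None
    return nb_decode(payload[13:45])[0], ".".join(str(b) for b in payload[58:62])

def find_poisoners(packets, threshold=3):
    """packets: (src_ip, udp_payload) pairs; flag sources answering for many names."""
    answered = defaultdict(set)
    for src, payload in packets:
        parsed = parse_positive_response(payload)
        if parsed:
            answered[src].add(parsed[0])
    return {s: sorted(n) for s, n in answered.items() if len(n) >= threshold}

def build_response(name, ip, suffix=0x00, tid=0x1234):
    """Constructed test data: one positive name query response for `name`."""
    header = struct.pack("!HHHHHH", tid, 0x8500, 0, 1, 0, 0)
    rr = b"\x20" + nb_encode(name, suffix) + b"\x00" + struct.pack("!HHIH", 0x20, 1, 165, 6)
    return header + rr + b"\x00\x00" + bytes(int(o) for o in ip.split("."))

SAMPLE = [  # constructed capture, not real traffic
    ("10.0.0.5", build_response("FILESRV01", "10.0.0.5", 0x00)),
    ("10.0.0.5", build_response("FILESRV01", "10.0.0.5", 0x20)),
    ("10.0.0.66", build_response("WPAD", "10.0.0.66")),
    ("10.0.0.66", build_response("FILESRV1", "10.0.0.66", 0x20)),
    ("10.0.0.66", build_response("PRNTSRV", "10.0.0.66", 0x20)),
]
```

`find_poisoners(SAMPLE)` reports only `10.0.0.66`, which answered for three different names. Tune `threshold` to the environment, since WINS servers and multi-homed hosts can legitimately answer for several names.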

