What is NetBIOS (Network Basic Input/Output System)?

Programs running on Microsoft Windows-based systems communicate with one another across a local area network (LAN) using the API (Application Programming Interface) known as NetBIOS.

NetBIOS was developed as a part of the IBM PC Network operating system in the 1980s. NetBIOS was ultimately adopted by Microsoft for use in MS-DOS and Windows.

Applications use the standardized interface provided by NetBIOS to perform fundamental network functions, including name resolution, session establishment, and data transmission. Network resources such as computers, printers, and file shares are identified by their NetBIOS names, which can be up to 15 characters long. Names are resolved by broadcast: the asking machine broadcasts the name it is looking for, and every computer holding that name that receives the broadcast responds.

NetBIOS was later updated to run over the NetBIOS over TCP/IP (NBT) protocol so that it could communicate across existing TCP/IP networks; originally it relied on the NetBIOS over IPX/SPX protocol. NBT is susceptible to enumeration, spoofing, and other forms of attack, so it can present security problems if it is improperly configured.

That is why we will look more closely at how attackers can use NetBIOS to misuse your network.

What is NetBIOS enumeration?

NetBIOS enumeration is the procedure for learning about the resources on a target network. The NetBIOS protocol lets applications on several computers communicate with one another over a local area network (LAN). In the NetBIOS enumeration process, a target system’s resources are enumerated using NetBIOS protocols. Enumeration can disclose information such as user account names and security policies, as well as the names of computers, printers, and file shares on the network. Attackers can use this information to map out a network, find possible targets for exploitation, and compile intelligence for further attacks.

An attacker may connect to remote systems without authenticating, using what are known as null sessions. By default in Windows, the NetBIOS service can be accessed over a null session, which an attacker might use to acquire sensitive data about the target network. To prevent null-session NetBIOS enumeration, administrators can stop the NetBIOS service or limit access to it by configuring the Windows firewall to deny inbound connections to the NetBIOS ports (139 and 445). It is also crucial to make sure that all user accounts have strong passwords and that no superfluous network shares are exposed to the public network. Over a null session, commands such as the following can be run: nbtstat -A <IP address>, net view \\<IP address>, or net user /domain \\<IP address>.

The ‘nbtstat’ command, the ‘net use’ command, and the ‘Nmap’ network scanner are just a few of the tools and methods that can be used for NetBIOS enumeration. These programs query the NetBIOS services on a target system to learn about its configuration, resources, and users. For example, using the nbtstat command to query the NetBIOS name table on a target system returns a list of the NetBIOS names and IP addresses associated with that system.

There are several methods for performing NetBIOS enumeration, including:

Nbtstat command: This default Windows command shows NetBIOS details about a target computer. An attacker can use the nbtstat command to query the NetBIOS name table on a target system and obtain a list of its NetBIOS names and IP addresses. For example, the command nbtstat -A <IP address> can be used to obtain the list of NetBIOS names associated with a target system, and the command nbtstat -a <hostname> can be used to obtain the same information for a specific NetBIOS name.

Example of what the output of nbtstat -A <IP address> might look like:

C:\>nbtstat -A 192.168.0.10

Local Area Connection:
Node IpAddress: [192.168.0.1] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status

    MYCOMPUTER     <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    MYCOMPUTER     <20>  UNIQUE      Registered
    WORKGROUP      <1E>  GROUP       Registered
    WORKGROUP      <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered

    MAC Address = 11-22-33-44-55-66
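The name table above is carried by the NetBIOS Name Service on UDP/137, the protocol that nbtstat -A speaks. The following added example (not code from the original post) builds the node-status request nbtstat sends, decodes a response into the name table with the meaning of each suffix, and flags hosts that register the File Server service; the response bytes are constructed inline to mirror the sample output above and are not a real capture.

```python
import struct
# Meaning of the NetBIOS name suffixes that appear in the nbtstat table above
SUFFIX = {0x00: "workstation/domain", 0x01: "master browser (__MSBROWSE__)",
          0x1D: "master browser", 0x1E: "browser elections", 0x20: "file server (SMB)"}

def encode_name(name: str, suffix: int, pad: bytes = b" ") -> bytes:
    """RFC 1001 first-level encoding: 15-byte name + suffix, each nibble -> 'A'..'P'."""
    raw = name.encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    return b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)

def build_nbstat_query(txid: int) -> bytes:
    """Node status request for the wildcard name '*', as nbtstat -A sends to UDP/137."""
    header = struct.pack(">6H", txid, 0x0000, 1, 0, 0, 0)            # QDCOUNT = 1
    qname = b"\x20" + encode_name("*", 0x00, pad=b"\x00") + b"\x00"  # 32-char label
    return header + qname + struct.pack(">HH", 0x0021, 0x0001)       # NBSTAT, IN

def parse_nbstat_response(data: bytes) -> dict:
    """Decode the name table and MAC address from a node status response."""
    txid, flags, _qd, an = struct.unpack(">4H", data[:8])
    if not flags & 0x8000 or an != 1:
        raise ValueError("not a single-answer response")
    pos = 12
    while data[pos]:                          # skip the length-prefixed answer name
        pos += 1 + data[pos]
    rtype, _rclass, _ttl, _rdlen = struct.unpack(">HHIH", data[pos + 1:pos + 11])
    if rtype != 0x0021:
        raise ValueError("answer is not an NBSTAT record")
    num, pos = data[pos + 11], pos + 12
    names = []
    for _ in range(num):                      # 18 bytes each: name(15) suffix(1) flags(2)
        e, pos = data[pos:pos + 18], pos + 18
        shown = "".join(c if c.isprintable() else "." for c in e[:15].decode("latin-1"))
        names.append({"name": shown.rstrip(), "suffix": e[15], "group": bool(e[16] & 0x80),
                      "service": SUFFIX.get(e[15], "unknown")})
    return {"txid": txid, "names": names, "mac": "-".join(f"{b:02X}" for b in data[pos:pos + 6])}

def exposes_smb_server(info: dict) -> bool:   # unique <20> name = File Server service registered
    return any(n["suffix"] == 0x20 and not n["group"] for n in info["names"])

def build_sample_response(txid: int) -> bytes:
    """Constructed reply mirroring the nbtstat table above (sample data, not a capture)."""
    entries = [(b"MYCOMPUTER", 0x00, 0x0400), (b"WORKGROUP", 0x00, 0x8400),
               (b"MYCOMPUTER", 0x20, 0x0400), (b"WORKGROUP", 0x1E, 0x8400),
               (b"\x01\x02__MSBROWSE__\x02", 0x01, 0x8400)]
    rdata = bytes([len(entries)]) + b"".join(
        n.ljust(15, b" ") + bytes([s, f >> 8, f & 0xFF]) for n, s, f in entries)
    rdata += bytes.fromhex("112233445566") + bytes(46)          # MAC + zeroed statistics
    header = struct.pack(">6H", txid, 0x8400, 0, 1, 0, 0)        # response, ANCOUNT = 1
    rr = b"\x20" + encode_name("*", 0x00, pad=b"\x00") + b"\x00"
    return header + rr + struct.pack(">HHIH", 0x0021, 0x0001, 0, len(rdata)) + rdata
```

Running parse_nbstat_response(build_sample_response(0x1234)) yields the same five entries as the nbtstat table, including the "..__MSBROWSE__." rendering of the non-printable browser name, and exposes_smb_server reports True because MYCOMPUTER registers the unique <20> name.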

net user command: You can use the net user command with the “/domain” argument together with the IP address or hostname of the remote machine to find out information about user accounts on that system. For instance:

C:\>net user /domain \\192.168.0.10
User accounts for \\192.168.0.10

Administrator            Guest                    HelpAssistant
support_388945a0         TheUser
The command completed successfully.

net use command: Using the net use command an attacker can enumerate file shares on a target system by attempting to connect to the IPC$ share. For example, the command net use \\<IP address>\IPC$ "" /u:"" can be used to attempt to connect to the IPC$ share on a target system, which may reveal information about file shares and user accounts on the system.

Example of what the output of net use \\<IP address> /user:"" might look like:

C:\>net use \\192.168.0.10 /user:""

Status       Local     Remote                      Network

             \\192.168.0.10\ADMIN$       Microsoft Windows Network
             \\192.168.0.10\C$           Microsoft Windows Network
             \\192.168.0.10\IPC$         Microsoft Windows Network

The command completed successfully.

Net view command: a Windows command-line tool that lists the network’s accessible resources, such as computers, file shares, and printers. By default, the net view command presents a list of all computers on the network, together with their NetBIOS names and descriptions. For instance, the command net view will list every network computer that is accessible to the local system.

To enumerate resources on a specific computer use the syntax net view \\[computername] . For example, the command net view \\192.168.1.100 will display a list of resources, including file shares and printers, that are available on the system with the IP address 192.168.1.100.

Remember that the net view command depends on the Server Message Block (SMB) protocol, which attackers frequently misuse for reconnaissance and to take advantage of weaknesses. To prevent unauthorized access and exploitation, it is crucial to secure SMB services adequately and adopt network security best practices.

Example of what the output of net view \\<IP address> might look like:

C:\>net view \\192.168.0.10
Shared resources at \\192.168.0.10

Share name   Type   Used as   Comment

ADMIN$       Disk             Remote Admin
C$           Disk             Default Share
IPC$         IPC              Remote IPC

Using Nmap: An attacker can use the Nmap network scanner to perform a variety of NetBIOS enumeration techniques, such as port scanning or running the nbtscan script to scan for NetBIOS names and IP addresses on a target network. For example, the command nmap -sU -p 137 --script nbtscan <IP range> can be used to scan for NetBIOS names and IP addresses with that script.

By port scanning: NetBIOS uses a number of ports, including 139 and 445, which can be checked to see whether NetBIOS is active on a target computer. Port scanning is a NetBIOS enumeration method that locates the open NetBIOS ports on a remote system. For its NetBIOS functions, including name resolution, file and printer sharing, and browsing services, NetBIOS relies on UDP 137 and 138 and on TCP 139.

Example:

nmap -sU -sT -p 137,138,139 192.168.0.10

This command will perform a scan of the UDP and TCP NetBIOS ports (137, 138, and 139) on the IP address 192.168.0.10. The ‘-sU’ option specifies to scan using UDP, while the ‘-sT’ option specifies to scan using TCP.

Starting Nmap 7.80 ( https://nmap.org ) at 2023-03-10 09:00 Pacific Standard Time
Nmap scan report for 192.168.0.10
Host is up (0.016s latency).

PORT     STATE  SERVICE
137/tcp  open   netbios-ns
138/tcp  open   netbios-dgm
139/tcp  open   netbios-ssn

In this sample, the Nmap command scanned ports 137, 138, and 139 on the IP address 192.168.0.10. The output shows that all three ports are open and lists the NetBIOS service associated with each one: netbios-ns for port 137, netbios-dgm for port 138, and netbios-ssn for port 139. This information is a useful starting point for further NetBIOS enumeration with other tools to learn the remote system’s name, domain, users, and shared resources.

Using Metasploit: An attacker can enumerate NetBIOS devices using the Metasploit Framework and take advantage of known NetBIOS service flaws. A target system’s file shares and user accounts can be enumerated via the SMB protocol by using the smb_enumshares and smb_enumusers modules, respectively.

For example, the enum_nbdomain module can be used to enumerate NetBIOS information from a remote system. This module uses null sessions to connect to the remote system and gather information about its NetBIOS domain name, computer name, logged-on users, and available shares. Here is an example of how to use the enum_nbdomain module in Metasploit:

msf6 > use auxiliary/scanner/smb/enum_nbdomain
msf6 auxiliary(scanner/smb/enum_nbdomain) > set RHOSTS 192.168.0.10
msf6 auxiliary(scanner/smb/enum_nbdomain) > set SMBDomain WORKGROUP
msf6 auxiliary(scanner/smb/enum_nbdomain) > run

In this example, the enum_nbdomain module is used to scan the IP address 192.168.0.10 for NetBIOS information. The SMBDomain option is set to WORKGROUP to specify the NetBIOS domain name to use for the scan. The output of the scan will include information about the NetBIOS domain name, computer name, logged-on users, and available shares.

System administrators and security experts may find NetBIOS enumeration to be a helpful approach for evaluating the security of their networks and locating potential flaws. It’s crucial to employ NetBIOS enumeration techniques responsibly, ethically, and only with correct authorisation because attackers may also use them to obtain information for illegal purposes.
