What is NetBIOS (Network Basic Input\/Output System)?<\/p>\n\n\n\n
Programs running on Microsoft Windows-based systems communicate with one another across a local area network using the API (Application Programming Interface) known as NetBIOS (LAN)<\/p>\n\n\n\n
NetBIOS was developed as a part of the IBM PC Network operating system in the 1980s. NetBIOS was ultimately adopted by Microsoft for use in MS-DOS and Windows.<\/p>\n\n\n\n
Applications can execute fundamental network functions including name resolution, session establishment, and data transmission using the standardized interface provided by NetBIOS. Network resources including computers, printers, and file sharing are identified by their NetBIOS names, which can be up to 15 characters long. All computers with the same name that receives the broadcast from the asking machine will respond. NetBIOS names are resolved in this manner.<\/p>\n\n\n\n
The NetBIOS operating system was updated to use the NetBIOS over TCP\/IP (NBT) protocol to allow communication across existing TCP\/IP networks. To function at first, NetBIOS relied on the NetBIOS over IPX\/SPX protocol. NBT is susceptible to enumeration, spoofing, and other forms of attacks, hence it can present security problems if improperly set up.<\/p>\n\n\n\n
And that’s why we will look closer at how can Hackers use NetBIOS to misuse your network.<\/p>\n\n\n\n
<\/p>\n\n\n\n
What is NetBIOS enumeration?<\/mark><\/strong><\/p>\n\n\n\n NetBIOS enumeration is the procedure for learning about the resources on a target network. Applications on several computers can connect with one another via a local area network thanks to the NetBIOS protocol (LAN). Using NetBIOS protocols, a target system’s resources are enumerated in the NetBIOS enumeration process. Enumeration can disclose information such as user account names and security policies, as well as the names of computers, printers, and file shares on the network. Attackers can utilize this information to map out a network, find possible targets for exploitation, and compile intelligence for additional attacks.<\/p>\n\n\n\n The attacker may perform connections to remote systems without the need for authentication known as null sessions. The NetBIOS service can be accessed by null sessions by default in Windows, which an attacker might use to acquire sensitive data about the target network. Administrators can stop the NetBIOS service or limit access to it by setting the Windows firewall to deny inbound connections to NetBIOS ports in order to prevent null session NetBIOS enumeration (139 and 445). Also, it’s crucial to make sure that all user accounts have secure passwords and that no superfluous network shares are made accessible to the public network. For null session can be performed commands such as: The ‘nbtstat’ command, the ‘net use’ command, and\/or the ‘Nmap’ network scanner are just a few examples of the tools and methods that can be used to do NetBIOS enumeration. To learn more about a target system’s setup, resources, and users, these programs can query NetBIOS services on the system. We receive a list of all the NetBIOS names and IP addresses related to the target system by using the nbtstat command to query the NetBIOS name database on that system.<\/p>\n\n\n\n <\/p>\n\n\n\n There are several methods for performing NetBIOS enumeration, including:<\/mark><\/strong><\/p>\n\n\n\n <\/p>\n\n\n\n Nbtstat command:<\/strong> This Windows default command shows NetBIOS details about a target computer. An attacker can use the nbtstat command to query the NetBIOS name table on a target system to obtain a list of its NetBIOS names and IP addresses. For example, the command example of what the output of <\/p>\n\n\n\n net user command:<\/strong> You can use the Net user command with the “\/domain” argument together with the IP address or hostname of the remote machine to find out information about user accounts on that system. For instance:<\/p>\n\n\n\n <\/p>\n\n\n\n net use command:<\/strong> Using the example of what the output of <\/p>\n\n\n\n <\/p>\n\n\n\n Net view command:<\/strong> a Windows command-line tool that lists the network’s accessible resources, such as computers, file shares, and printers. By default, the net view command presents a list of all computers on the network, together with their NetBIOS names and descriptions. For instance, the command net view will list every network computer that is accessible to the local system. <\/p>\n\n\n\n To enumerate resources on a specific computer use the syntax Remember that the net view command depends on the Server Message Block (SMB) protocol, which is frequently misused by attackers to reconnaissance and take advantage of weaknesses. In order to prevent unauthorized access and exploitation, it is crucial to adequately secure SMB services and adopt network security best practices.<\/p>\n\n\n\n example of what the output of <\/p>\n\n\n\n Using Nmap:<\/strong> An attacker can use the Nmap network scanner to perform a variety of NetBIOS enumeration techniques, such as port scanning or using the example:<\/p>\n\n\n\n This command will perform a scan of the UDP and TCP NetBIOS ports (137, 138, and 139) on the IP address 192.168.0.10. The ‘-sU’ option specifies to scan using UDP, while the ‘-sT’ option specifies to scan using TCP.<\/p>\n\n\n\n The ports 137, 138, and 139 on the IP address 192.168.0.10 have been scanned in this sample using the Nmap command. The output demonstrates the openness of all three ports and lists the associated NetBIOS services for each one: netbios-ns for port 137, netbios-dgm for port 138, and netbios-ssn for port 139. Further NetBIOS enumeration using other tools to learn the name, domain, users, and shared resources of the distant system can benefit from this information.<\/p>\n\n\n\n <\/p>\n\n\n\n Using Metasploit:<\/strong> An attacker can enumerate NetBIOS devices using the Metasploit Framework and take advantage of known NetBIOS service flaws. A target system’s file shares and user accounts can be enumerated via the SMB protocol by using the For example, the In this example, the <\/p>\n\n\n\n System administrators and security experts may find NetBIOS enumeration to be a helpful approach for evaluating the security of their networks and locating potential flaws. It’s crucial to employ NetBIOS enumeration techniques responsibly, ethically, and only with correct authorisation because attackers may also use them to obtain information for illegal purposes.<\/p>\n\n\n\n <\/p>\n","protected":false},"excerpt":{"rendered":" What is NetBIOS (Network Basic Input\/Output System)? Programs running on Microsoft Windows-based systems communicate with one another across a local area network using the API (Application Programming Interface) known as NetBIOS (LAN) NetBIOS was developed as a part of the<\/p>\n","protected":false},"author":1,"featured_media":475,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-474","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-enumeration"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/kybersec.me\/index.php?rest_route=\/wp\/v2\/posts\/474","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kybersec.me\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kybersec.me\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kybersec.me\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kybersec.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=474"}],"version-history":[{"count":6,"href":"https:\/\/kybersec.me\/index.php?rest_route=\/wp\/v2\/posts\/474\/revisions"}],"predecessor-version":[{"id":485,"href":"https:\/\/kybersec.me\/index.php?rest_route=\/wp\/v2\/posts\/474\/revisions\/485"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kybersec.me\/index.php?rest_route=\/wp\/v2\/media\/475"}],"wp:attachment":[{"href":"https:\/\/kybersec.me\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=474"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kybersec.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=474"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kybersec.me\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=474"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}} nbtstat -A <IP address><\/code><\/mark> , net view \\\\IP address <\/mark><\/code> , or net user \/domain \\\\IP address<\/mark><\/p>\n\n\n\nnbtstat -A <IP address><\/mark> <\/mark><\/code> can be used to obtain a list of NetBIOS names associated with a target system, and the command nbtstat -a <IP hostname><\/mark> <\/mark> can be used to obtain information about a specific NetBIOS name.<\/p>\n\n\n\nnbtstat -A <IP address><\/code> might look like:<\/p>\n\n\n\nC:>nbtstat -A 192.168.0.10<\/code><\/p>\n\n\n\nLocal Area Connection:
Node IpAddress: [192.168.0.1] Scope Id: []<\/code><\/p>\n\n\n\n NetBIOS Remote Machine Name Table<\/code><\/pre>\n\n\n\nName Type Status<\/code><\/h2>\n\n\n\nMYCOMPUTER <00> UNIQUE Registered
WORKGROUP <00> GROUP Registered
MYCOMPUTER <20> UNIQUE Registered
WORKGROUP <1E> GROUP Registered
WORKGROUP <1D> UNIQUE Registered
..MSBROWSE<\/strong>.<01> GROUP Registered<\/code><\/p>\n<\/div><\/div>\n\n\n\nMAC Address = 11-22-33-44-55-66<\/code><\/p>\n<\/div><\/div>\n<\/div><\/div>\n\n\n\nnet user \/domain \\192.168.0.10<\/mark><\/code><\/p>\n\n\n\nC:>net user \/domain \\192.168.0.10
User accounts for \\192.168.0.10<\/mark><\/code><\/p>\n\n\n\n
\n\n\n\nAdministrator Guest HelpAssistant
support_388945a0 TheUser
The command completed successfully.<\/mark><\/code><\/p>\n<\/div><\/div>\n<\/div>\n<\/div><\/div>\n<\/div><\/div>\n<\/div><\/div>\n\n\n\nnet use<\/code> command an attacker can enumerate file shares on a target system by attempting to connect to the IPC$ share. For example, the command net use \\\\<IP address>\\IPC$ \"\" \/u:\"\"<\/code> <\/mark> can be used to attempt to connect to the IPC$ share on a target system, which may reveal information about file shares and user accounts on the system.<\/p>\n\n\n\nnet use \\\\IP address \/user:\"\"<\/code> might look like:<\/p>\n\n\n\nC:>net use \\192.168.0.10 \/user:\"\"<\/code><\/p>\n\n\n\nStatus Local Remote Network<\/code><\/p>\n\n\n\n
\n\n\n\n \\\\192.168.0.10\\ADMIN$ Microsoft Windows Network\n \\\\192.168.0.10\\C$ Microsoft Windows Network\n \\\\192.168.0.10\\IPC$ Microsoft Windows Network<\/code><\/pre>\n\n\n\nThe command completed successfully.<\/code><\/p>\n<\/div><\/div>\n<\/div><\/div>\n\n\n\nnet view \\\\[computername]<\/code> <\/mark> . For example, the command net view \\\\192.168.1.100<\/code> <\/mark> will display a list of resources, including file shares and printers, that are available on the system with the IP address 192.168.1.100. <\/p>\n\n\n\nnet view \\\\IP address<\/code> might look like:<\/p>\n\n\n\nC:>net view \\192.168.0.10
Shared resources at \\192.168.0.10<\/code><\/p>\n\n\n\nShare name Type Used as Comment<\/code><\/h2>\n\n\n\nADMIN$ Disk Remote Admin
C$ Disk Default Share
IPC$ IPC Remote IPC<\/code><\/p>\n<\/div><\/div>\n<\/div><\/div>\n<\/div><\/div>\n\n\n\nnbtscan<\/code> script to scan for NetBIOS names and IP addresses on a target network. For example, the command nmap -sU -p 137 --script nbtscan <IP range><\/code><\/mark> can be used to scan for NetBIOS names and IP addresses using the nbtscan<\/code> script. By port scanning: NetBIOS uses a number of ports, including 139 and 445, which can be checked to see if NetBIOS is active on a target computer. By locating the open NetBIOS ports on a remote system, port scanning is a method for NetBIOS enumeration. For its numerous NetBIOS functions, including name resolution, file and printer sharing, and surfing services, NetBIOS relies on two main ports: UDP 137, 138, and TCP 139. <\/p>\n\n\n\nnmap -sU -sT -p 137,138,139 192.168.0.10<\/mark><\/code><\/p>\n\n\n\nStarting Nmap 7.80 ( https:\/\/nmap.org ) at 2023-03-10 09:00 Pacific Standard Time
Nmap scan report for 192.168.0.10
Host is up (0.016s latency).<\/code><\/p>\n\n\n\nPORT STATE SERVICE
137\/tcp open netbios-ns
138\/tcp open netbios-dgm
139\/tcp open netbios-ssn<\/code><\/p>\n<\/div><\/div>\n<\/div><\/div>\n\n\n\nsmb_enumshares<\/mark><\/code> and smb_enumusers <\/mark> modules, respectively.<\/p>\n\n\n\nenum_nbdomain<\/code> module can be used to enumerate NetBIOS information from a remote system. This module uses null sessions to connect to the remote system and gather information about its NetBIOS domain name, computer name, logged-on users, and available shares. Here is an example of how to use the enum_nbdomain<\/code> module in Metasploit:<\/p>\n\n\n\nmsf6 > use auxiliary\/scanner\/smb\/enum_nbdomain
msf6 auxiliary(scanner\/smb\/enum_nbdomain) > set RHOSTS 192.168.0.10
msf6 auxiliary(scanner\/smb\/enum_nbdomain) > set SMBDomain WORKGROUP
msf6 auxiliary(scanner\/smb\/enum_nbdomain) > run<\/mark><\/code><\/p>\n<\/div><\/div>\n\n\n\nenum_nbdomain<\/code> module is used to scan the IP address 192.168.0.10 for NetBIOS information. The SMBDomain<\/code> option is set to WORKGROUP<\/code> to specify the NetBIOS domain name to use for the scan. The output of the scan will include information about the NetBIOS domain name, computer name, logged-on users, and available shares.<\/p>\n\n\n\n