06 Apr, 2023

Network Basic Input/Output System (NETBIOS)

Penetration Testing as a service (PTaaS)

Tests security measures and simulates attacks to identify weaknesses.

NetBIOS (Network Basic Input/Output System) is an early network protocol originally developed by IBM and later adopted by Microsoft for use in Windows operating systems. NetBIOS provides a means for communication between computers on a local area network (LAN).

Port

TCP port 139: This port is used for NetBIOS session service and is used for file and printer sharing. It is also used by the Server Message Block (SMB) protocol, which is used for sharing files and resources over a network.

UDP port 137: This port is used for NetBIOS name service, which is used to resolve NetBIOS names to IP addresses. This service is often used in conjunction with the Windows Internet Name Service (WINS) to provide name resolution on a network.

UDP port 138: This port is used for NetBIOS datagram service, which is used for sending and receiving small messages between devices on a network.

Standard commands from unauthorized

NBTSTAT – This command allows you to obtain information about network connections, NetBIOS names and IP addresses, and the status of connections with other computers.

NETSTAT – This command allows you to obtain information about current connections and listening ports.

NET VIEW – This command allows you to view a list of available computers on the network.

NET USE – This command allows you to establish a network connection with another computer using a NetBIOS name or IP address.

NBTSTAT -RR – This command is used to refresh the NetBIOS name tables and cache.

Tools for using protocol NetBIOS

Manual Tools:

  • Nbtstat: A command-line tool that allows you to display NetBIOS name cache, resolve NetBIOS name to IP addresses, and other NetBIOS related information.

  • Netstat: A command-line tool that allows you to display network connections, routing tables, and other network-related information.

  • Net View: A command-line tool that displays a list of shared resources on a network.

  • Net Use: A command-line tool that allows you to connect to shared network resources.

  • Wireshark: A network protocol analyzer that allows you to capture and analyze network traffic, including NetBIOS packets.

Automated Tools:

  • Nessus: A vulnerability scanner that can scan for NetBIOS vulnerabilities, misconfigurations, and other security issues.

  • OpenVAS: Another vulnerability scanner that can scan for NetBIOS-related vulnerabilities and misconfigurations.

  • Nmap: A port scanner that can scan for open NetBIOS-related ports and services.

  • Metasploit: A penetration testing framework that can be used to exploit NetBIOS vulnerabilities and weaknesses.

  • Responder: A tool that can be used to poison NetBIOS name cache and steal authentication credentials.

Browser Plugins:

  • NetBIOS Enumerator: A browser plugin that can be used to enumerate NetBIOS information, including hostnames and IP addresses.

  • NetBIOS Auditing Tool: Another browser plugin that can be used to audit NetBIOS information, including shares, services, and users.

Last five known CVE for NetBIOS

CVE-2020-16897 – An informtion disclosure vulnerability exists when NetBIOS over TCP (NBT) Extensions (NetBT) improperly handle objects in memory, aka ‘NetBT Information Disclosure Vulnerability’.

CVE-2020-13159 – Artica Proxy before 4.30.000000 Community Edition allows OS command injection via the Netbios name, Server domain name, dhclient_mac, Hostname, or Alias field. NOTE: this may overlap CVE-2020-10818.

CVE-2020-10745 – A flaw was found in all Samba versions before 4.10.17, before 4.11.11 and before 4.12.4 in the way it processed NetBios over TCP/IP. This flaw allows a remote attacker could to cause the Samba server to consume excessive CPU use, resulting in a denial of service. This highest threat from this vulnerability is to system availability.

CVE-2018-7445 – A buffer overflow was found in the MikroTik RouterOS SMB service when processing NetBIOS session request messages. Remote attackers with access to the service can exploit this vulnerability and gain code execution on the system. The overflow occurs before authentication takes place, so it is possible for an unauthenticated remote attacker to exploit it. All architectures and all devices running RouterOS before versions 6.41.3/6.42rc27 are vulnerable.

CVE-2017-17083 – In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the NetBIOS dissector could crash. This was addressed in epan/dissectors/packet-netbios.c by ensuring that write operations are bounded by the beginning of a buffer.

Useful information

NetBIOS stands for “Network Basic Input/Output System.” It is a protocol that was originally developed by IBM in the 1980s to allow different computers on a network to communicate with each other. NetBIOS provides a way for applications running on different computers to find and connect to each other using a common naming convention.

NetBIOS is commonly used in Windows-based networks, although it is considered an older protocol that has largely been replaced by newer protocols like TCP/IP.

NetBIOS uses UDP ports 137 and 138, as well as TCP port 139, for communication. These ports can be used for both inbound and outbound traffic.

NetBIOS over TCP/IP (NBT) is a variant of NetBIOS that allows NetBIOS packets to be carried over TCP/IP networks. This allows NetBIOS applications to communicate over the internet and other TCP/IP networks.

NetBIOS is vulnerable to a number of security issues, including buffer overflow attacks, denial-of-service attacks, and man-in-the-middle attacks. As a result, it is important to keep NetBIOS implementations up-to-date and to apply any relevant security patches in a timely manner.

Some common tools for working with NetBIOS include nbtstat, which is a command-line tool that allows you to troubleshoot NetBIOS name resolution issues, and Wireshark, which is a network protocol analyzer that can be used to capture and analyze NetBIOS traffic.

Overall, while NetBIOS is an older protocol that is less commonly used today, it can still be found in many legacy systems and environments. As a result, it is important to have a basic understanding of NetBIOS and its associated risks and vulnerabilities.

Known banners

NetBIOS does not have specific banners, but the underlying protocol that NetBIOS uses, SMB (Server Message Block), has banners that can provide information about the server or system being accessed.

Here are some examples of SMB banners:

  • Windows 10: “Windows 10 Pro <version>”

  • Windows Server 2019: “Windows Server 2019 Standard <version>”

  • Samba: “Samba <version>”

  • NAS devices: “Netgear ReadyNAS” or “Synology DiskStation”

These banners can provide useful information for attackers trying to identify vulnerable systems or targets for further attacks. However, it is worth noting that some systems may be configured to obscure or hide their banners in order to make it more difficult for attackers to identify them

Books for studies NetBIOS

NetBIOS and NetBEUI: A Developer’s Guide by Alan R. Miller – This book provides a comprehensive guide to NetBIOS and NetBEUI, including their history, design, and practical uses. It also includes code examples and troubleshooting tips for developers working with these protocols.

Mastering NetBIOS by Peter Dyson – This book provides an in-depth look at NetBIOS and its uses, including network naming, authentication, and sharing resources. It also covers troubleshooting and security considerations for NetBIOS-enabled networks.

Microsoft Windows NetBIOS: Implementation and Integration Guide by Rajeev Nagar – This book is a comprehensive guide to implementing and integrating NetBIOS in Microsoft Windows environments. It covers NetBIOS naming, sharing resources, troubleshooting, and security considerations specific to Windows.

NetBIOS, SMB, CIFS and RPC Protocols Explained by Thomas Schulz – This book provides an overview of NetBIOS, SMB, CIFS, and RPC protocols, including their design, functionality, and security considerations. It also includes practical examples and troubleshooting tips.

Understanding NetBIOS by David Solomon – This book provides a detailed overview of NetBIOS and its uses, including network naming, file sharing, and printer sharing. It also covers security considerations and troubleshooting tips for NetBIOS-enabled networks.

List of Payload for NetBIOS

  • NetBIOS name service (NBNS) spoofing: This payload can be used to spoof the NBNS service to intercept traffic and potentially launch a man-in-the-middle attack.

  • NetBIOS session hijacking: This payload can be used to hijack an established NetBIOS session and gain access to network resources.

  • NetBIOS enumeration: This payload can be used to scan for NetBIOS-enabled systems and services, as well as gather information about system names, shares, and other network resources.

  • NetBIOS-based denial of service (DoS): This payload can be used to launch a DoS attack against NetBIOS-enabled systems by flooding them with traffic or otherwise overwhelming their resources.

  • NetBIOS password cracking: This payload can be used to test the strength of NetBIOS passwords by attempting to crack them using brute force methods.

Mitigation

  1. Disable NetBIOS over TCP/IP (NBT): Unless NetBIOS is essential to your network’s operation, it is recommended to disable NBT, which is used by NetBIOS to communicate over TCP/IP. This can help prevent certain types of attacks, such as NBNS spoofing and NetBIOS enumeration.

  2. Implement firewalls: Implementing firewalls can help block unauthorized access to NetBIOS-enabled resources by limiting the traffic that can pass through to only those that are explicitly allowed.

  3. Limit access to NetBIOS-enabled resources: Limit access to NetBIOS-enabled resources to only those users who need it, and ensure that permissions are properly configured to prevent unauthorized access.

  4. Implement strong passwords and authentication protocols: Use strong passwords and authentication protocols to protect NetBIOS-enabled resources from unauthorized access. Consider using multi-factor authentication for an extra layer of security.

  5. Regularly update and patch systems: Keep NetBIOS-enabled systems up-to-date with the latest security updates and patches to help prevent exploitation of known vulnerabilities.

  6. Monitor network traffic: Regularly monitor network traffic to detect any suspicious or unusual activity, and investigate any anomalies promptly.

Conclusion

NetBIOS is an older networking protocol that was widely used in the past but has largely been replaced by newer, more secure protocols. While it is still in use in some legacy systems, it is generally not recommended to use NetBIOS in modern networks due to its potential security risks and vulnerabilities.

Other Services

Ready to secure?

Let's get in touch