mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-22 11:03:24 +00:00
112 lines
6.2 KiB
Markdown
112 lines
6.2 KiB
Markdown
|
# 137,138,139 - Pentesting NetBios
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|
||
|
|
||
|
## NetBios Name Service
|
||
|
|
||
|
**NetBIOS Name Service** plays a crucial role, involving various services such as **name registration and resolution**, **datagram distribution**, and **session services**, utilizing specific ports for each service.
|
||
|
|
||
|
[From Wikidepia](https://en.wikipedia.org/wiki/NetBIOS_over_TCP/IP):
|
||
|
|
||
|
* Name service for name registration and resolution (ports: 137/udp and 137/tcp).
|
||
|
* Datagram distribution service for connectionless communication (port: 138/udp).
|
||
|
* Session service for connection-oriented communication (port: 139/tcp).
|
||
|
|
||
|
### Name Service
|
||
|
|
||
|
For a device to participate in a NetBIOS network, it must have a unique name. This is achieved through a **broadcast process** where a "Name Query" packet is sent. If no objections are received, the name is considered available. Alternatively, a **Name Service server** can be queried directly to check for name availability or to resolve a name to an IP address. Tools like `nmblookup`, `nbtscan`, and `nmap` are utilized for enumerating NetBIOS services, revealing server names and MAC addresses.
|
||
|
|
||
|
```bash
|
||
|
PORT STATE SERVICE VERSION
|
||
|
137/udp open netbios-ns Samba nmbd netbios-ns (workgroup: WORKGROUP)
|
||
|
```
|
||
|
|
||
|
Enumerating a NetBIOS service you can obtain the names the server is using and the MAC address of the server.
|
||
|
|
||
|
```bash
|
||
|
nmblookup -A <IP>
|
||
|
nbtscan <IP>/30
|
||
|
sudo nmap -sU -sV -T4 --script nbstat.nse -p137 -Pn -n <IP>
|
||
|
```
|
||
|
|
||
|
### Datagram Distribution Service
|
||
|
|
||
|
NetBIOS datagrams allow for connectionless communication via UDP, supporting direct messaging or broadcasting to all network names. This service uses port **138/udp**.
|
||
|
|
||
|
```bash
|
||
|
PORT STATE SERVICE VERSION
|
||
|
138/udp open|filtered netbios-dgm
|
||
|
```
|
||
|
|
||
|
### Session Service
|
||
|
|
||
|
For connection-oriented interactions, the **Session Service** facilitates a conversation between two devices, leveraging **TCP** connections through port **139/tcp**. A session begins with a "Session Request" packet and can be established based on the response. The service supports larger messages, error detection, and recovery, with TCP handling flow control and packet retransmission.
|
||
|
|
||
|
Data transmission within a session involves **Session Message packets**, with sessions being terminated by closing the TCP connection.
|
||
|
|
||
|
These services are integral to **NetBIOS** functionality, enabling efficient communication and resource sharing across a network. For more information on TCP and IP protocols, refer to their respective [TCP Wikipedia](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) and [IP Wikipedia](https://en.wikipedia.org/wiki/Internet_Protocol) pages.
|
||
|
|
||
|
```bash
|
||
|
PORT STATE SERVICE VERSION
|
||
|
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
|
||
|
```
|
||
|
|
||
|
**Read the next page to learn how to enumerate this service:**
|
||
|
|
||
|
{% content-ref url="137-138-139-pentesting-netbios.md" %}
|
||
|
[137-138-139-pentesting-netbios.md](137-138-139-pentesting-netbios.md)
|
||
|
{% endcontent-ref %}
|
||
|
|
||
|
## HackTricks Automatic Commands
|
||
|
|
||
|
```
|
||
|
Protocol_Name: Netbios #Protocol Abbreviation if there is one.
|
||
|
Port_Number: 137,138,139 #Comma separated if there is more than one.
|
||
|
Protocol_Description: Netbios #Protocol Abbreviation Spelled out
|
||
|
|
||
|
Entry_1:
|
||
|
Name: Notes
|
||
|
Description: Notes for NetBios
|
||
|
Note: |
|
||
|
Name service for name registration and resolution (ports: 137/udp and 137/tcp).
|
||
|
Datagram distribution service for connectionless communication (port: 138/udp).
|
||
|
Session service for connection-oriented communication (port: 139/tcp).
|
||
|
|
||
|
For a device to participate in a NetBIOS network, it must have a unique name. This is achieved through a broadcast process where a "Name Query" packet is sent. If no objections are received, the name is considered available. Alternatively, a Name Service server can be queried directly to check for name availability or to resolve a name to an IP address.
|
||
|
|
||
|
https://book.hacktricks.xyz/pentesting/137-138-139-pentesting-netbios
|
||
|
|
||
|
Entry_2:
|
||
|
Name: Find Names
|
||
|
Description: Three scans to find the names of the server
|
||
|
Command: nmblookup -A {IP} &&&& nbtscan {IP}/30 &&&& nmap -sU -sV -T4 --script nbstat.nse -p 137 -Pn -n {IP}
|
||
|
```
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|