# 137,138,139 - Pentesting NetBios
{% hint style="success" %}
Learn & practice AWS Hacking:
[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: 
[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
## NetBios Name Service
**NetBIOS Name Service** plays a crucial role, involving various services such as **name registration and resolution**, **datagram distribution**, and **session services**, utilizing specific ports for each service.
[From Wikidepia](https://en.wikipedia.org/wiki/NetBIOS_over_TCP/IP):
* Name service for name registration and resolution (ports: 137/udp and 137/tcp).
* Datagram distribution service for connectionless communication (port: 138/udp).
* Session service for connection-oriented communication (port: 139/tcp).
### Name Service
For a device to participate in a NetBIOS network, it must have a unique name. This is achieved through a **broadcast process** where a "Name Query" packet is sent. If no objections are received, the name is considered available. Alternatively, a **Name Service server** can be queried directly to check for name availability or to resolve a name to an IP address. Tools like `nmblookup`, `nbtscan`, and `nmap` are utilized for enumerating NetBIOS services, revealing server names and MAC addresses.
```bash
PORT STATE SERVICE VERSION
137/udp open netbios-ns Samba nmbd netbios-ns (workgroup: WORKGROUP)
```
Enumerating a NetBIOS service you can obtain the names the server is using and the MAC address of the server.
```bash
nmblookup -A
nbtscan /30
sudo nmap -sU -sV -T4 --script nbstat.nse -p137 -Pn -n
```
### Datagram Distribution Service
NetBIOS datagrams allow for connectionless communication via UDP, supporting direct messaging or broadcasting to all network names. This service uses port **138/udp**.
```bash
PORT STATE SERVICE VERSION
138/udp open|filtered netbios-dgm
```
### Session Service
For connection-oriented interactions, the **Session Service** facilitates a conversation between two devices, leveraging **TCP** connections through port **139/tcp**. A session begins with a "Session Request" packet and can be established based on the response. The service supports larger messages, error detection, and recovery, with TCP handling flow control and packet retransmission.
Data transmission within a session involves **Session Message packets**, with sessions being terminated by closing the TCP connection.
These services are integral to **NetBIOS** functionality, enabling efficient communication and resource sharing across a network. For more information on TCP and IP protocols, refer to their respective [TCP Wikipedia](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) and [IP Wikipedia](https://en.wikipedia.org/wiki/Internet_Protocol) pages.
```bash
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
```
**Read the next page to learn how to enumerate this service:**
{% content-ref url="137-138-139-pentesting-netbios.md" %}
[137-138-139-pentesting-netbios.md](137-138-139-pentesting-netbios.md)
{% endcontent-ref %}
## HackTricks Automatic Commands
```
Protocol_Name: Netbios #Protocol Abbreviation if there is one.
Port_Number: 137,138,139 #Comma separated if there is more than one.
Protocol_Description: Netbios #Protocol Abbreviation Spelled out
Entry_1:
Name: Notes
Description: Notes for NetBios
Note: |
Name service for name registration and resolution (ports: 137/udp and 137/tcp).
Datagram distribution service for connectionless communication (port: 138/udp).
Session service for connection-oriented communication (port: 139/tcp).
For a device to participate in a NetBIOS network, it must have a unique name. This is achieved through a broadcast process where a "Name Query" packet is sent. If no objections are received, the name is considered available. Alternatively, a Name Service server can be queried directly to check for name availability or to resolve a name to an IP address.
https://book.hacktricks.xyz/pentesting/137-138-139-pentesting-netbios
Entry_2:
Name: Find Names
Description: Three scans to find the names of the server
Command: nmblookup -A {IP} &&&& nbtscan {IP}/30 &&&& nmap -sU -sV -T4 --script nbstat.nse -p 137 -Pn -n {IP}
```
{% hint style="success" %}
Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}