hacktricks/network-services-pentesting/137-138-139-pentesting-netbios.md
2024-02-10 17:52:19 +00:00

8.1 KiB

137,138,139 - Pentesting NetBios


NetBIOS Name Service

NetBIOS is made up of three services, each bound to its own port: name registration and resolution, datagram distribution, and connection-oriented sessions.

From Wikipedia:

  • Name service for name registration and resolution (ports: 137/udp and 137/tcp).
  • Datagram distribution service for connectionless communication (port: 138/udp).
  • Session service for connection-oriented communication (port: 139/tcp).

Name Service

For a device to participate in a NetBIOS network, it must have a unique name. This is achieved through a broadcast process where a "Name Query" packet is sent. If no objections are received, the name is considered available. Alternatively, a Name Service server can be queried directly to check for name availability or to resolve a name to an IP address. Tools like nmblookup, nbtscan, and nmap are used to enumerate NetBIOS services, revealing the names a server has registered and its MAC address.

PORT    STATE SERVICE    VERSION
137/udp open  netbios-ns Samba nmbd netbios-ns (workgroup: WORKGROUP)

137/138/139 - Pentesting NetBIOS

Enumerating a NetBIOS service you can obtain the names the server is using and the MAC address of the server.

NetBIOS is a protocol used for communication between computers on a local area network (LAN). It provides services such as name resolution, file sharing, and printer sharing.

When pentesting a NetBIOS service, one of the key objectives is to enumerate the names the server is using and obtain the MAC address of the server. This information can be valuable for further exploitation or reconnaissance.

To achieve this, you can use various tools and techniques:

1. Nbtscan

Nbtscan is a command-line tool that scans for NetBIOS name information. It sends NetBIOS status query requests to a specified range of IP addresses and displays the responses received. The tool can be used to enumerate NetBIOS names and gather information about the target server.

nbtscan <target IP range>

2. Nmap

Nmap is a versatile network scanning tool that can also be used for NetBIOS enumeration. Ports 137 and 138 are UDP, so a UDP scan (-sU) is needed alongside the TCP scan of 139 to cover all three NetBIOS ports.

sudo nmap -sU -sT -p U:137,138,T:139 <target IP>

3. Wireshark

Wireshark is a powerful network protocol analyzer that can capture and analyze network traffic. By capturing packets related to NetBIOS communication, you can extract information such as server names and MAC addresses.

4. NetBIOS-NS and NetBIOS-SSN

NetBIOS-NS (NetBIOS Name Service) and NetBIOS-SSN (NetBIOS Session Service) are two NetBIOS services that can be queried to obtain information about the server. Tools like nbtstat and nmblookup can be used to interact with these services and gather relevant information.

Remember to always obtain proper authorization before performing any network service pentesting activities. Unauthorized access to systems is illegal and unethical.

nmblookup -A <IP>
nbtscan <IP>/30
sudo nmap -sU -sV -T4 --script nbstat.nse -p137 -Pn -n <IP>
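As an added example (not part of the HackTricks page), the following Python builds the node status request that nmblookup -A, nbtscan and nbstat.nse send to UDP/137 and parses the reply into the registered names and the MAC address, so the exchange can be recognised and decoded in packet captures. The reply bytes are constructed here, not captured from a real host.

```python
import struct

NBSTAT, IN_CLASS = 0x0021, 0x0001        # RR type / class of a node status query (RFC 1002)
WILDCARD = b"*" + b"\x00" * 15           # the 16-byte "*" name a status request asks about

def encode_netbios_name(name16: bytes) -> bytes:
    """First-level encoding: each nibble of the 16-byte name becomes a letter 'A'..'P'."""
    nibbles = bytes(0x41 + n for b in name16 for n in (b >> 4, b & 0x0F))
    return bytes([32]) + nibbles + b"\x00"   # length byte, 32 letters, root label

def build_node_status_request(trn_id: int = 0x1337) -> bytes:
    """The 50-byte UDP/137 datagram behind nmblookup -A / nbtscan: header + one NBSTAT question."""
    header = struct.pack(">HHHHHH", trn_id, 0x0000, 1, 0, 0, 0)   # QDCOUNT=1, unicast query
    return header + encode_netbios_name(WILDCARD) + struct.pack(">HH", NBSTAT, IN_CLASS)

def parse_node_status_response(pkt: bytes) -> dict:
    """Pull the registered names and the MAC (UNIT_ID) out of a node status response."""
    flags, qdcount, ancount = struct.unpack(">HHH", pkt[2:8])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not a node status response")
    off = 12 + qdcount * 38 + 34             # skip any echoed question, then the 34-byte RR_NAME
    rr_type, _cls, _ttl, _rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
    if rr_type != NBSTAT:
        raise ValueError("unexpected RR type")
    off += 10
    num_names, off = pkt[off], off + 1
    names = []
    for _ in range(num_names):               # 18 bytes per entry: 15-char name, suffix, flags
        raw, nflags = pkt[off:off + 16], struct.unpack(">H", pkt[off + 16:off + 18])[0]
        names.append({"name": raw[:15].rstrip(b" ").decode("ascii", "replace"),
                      "suffix": raw[15],                 # 0x00 workstation, 0x20 file server
                      "group": bool(nflags & 0x8000),    # G bit: group name vs unique name
                      "active": bool(nflags & 0x0400)})  # ACT bit
        off += 18
    mac = pkt[off:off + 6]                   # UNIT_ID is the first STATISTICS field
    return {"names": names, "mac": ":".join(f"{b:02x}" for b in mac)}

def sample_response() -> bytes:
    """Constructed reply (not captured from a real host): three names, MAC 00:0c:29:aa:bb:cc."""
    def entry(name: bytes, suffix: int, nflags: int) -> bytes:
        return name.ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", nflags)
    rdata = (bytes([3]) + entry(b"WIN-SRV01", 0x00, 0x0400) + entry(b"WORKGROUP", 0x00, 0x8400)
             + entry(b"WIN-SRV01", 0x20, 0x0400) + bytes.fromhex("000c29aabbcc") + b"\x00" * 40)
    header = struct.pack(">HHHHHH", 0x1337, 0x8400, 0, 1, 0, 0)   # response, authoritative, ANCOUNT=1
    rr = encode_netbios_name(WILDCARD) + struct.pack(">HHIH", NBSTAT, IN_CLASS, 0, len(rdata))
    return header + rr + rdata
```

Feeding parse_node_status_response() the UDP payload of a real reply from a capture gives the same table nbtscan prints.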

Datagram Distribution Service

NetBIOS datagrams allow for connectionless communication via UDP, supporting direct messaging or broadcasting to all network names. This service uses port 138/udp.


PORT    STATE         SERVICE     VERSION
138/udp open|filtered netbios-dgm

Session Service

For connection-oriented interactions, the Session Service facilitates a conversation between two devices, leveraging TCP connections through port 139/tcp. A session begins with a "Session Request" packet and can be established based on the response. The service supports larger messages, error detection, and recovery, with TCP handling flow control and packet retransmission.

Data transmission within a session involves Session Message packets, with sessions being terminated by closing the TCP connection.

These services are integral to NetBIOS functionality, enabling efficient communication and resource sharing across a network. For more information on the underlying transports, refer to the Wikipedia pages on TCP and IP.

PORT      STATE SERVICE      VERSION
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
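As an added example (not part of the page), the following Python builds and parses RFC 1002 session service packets as they appear on TCP/139: the Session Request carrying the called and calling names, the positive and negative responses, and the 17-bit length that larger Session Message packets use. All names and values are constructed.

```python
import struct

SESSION_MESSAGE, SESSION_REQUEST = 0x00, 0x81          # packet TYPE values (RFC 1002 4.3.1)
POSITIVE_RESPONSE, NEGATIVE_RESPONSE = 0x82, 0x83
NEGATIVE_CODES = {0x80: "not listening on called name", 0x81: "not listening for calling name",
                  0x82: "called name not present", 0x83: "insufficient resources",
                  0x8F: "unspecified error"}

def encode_netbios_name(name: str, suffix: int) -> bytes:
    """First-level encoding of a space-padded 15-char name plus its 1-byte service suffix."""
    raw = name.encode("ascii").ljust(15, b" ") + bytes([suffix])
    return bytes([32]) + bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F)) + b"\x00"

def decode_netbios_name(enc: bytes) -> str:
    """Reverse the encoding back to NAME<suffix> form."""
    letters = enc[1:33]
    raw = bytes(((a - 0x41) << 4) | (b - 0x41) for a, b in zip(letters[::2], letters[1::2]))
    return f"{raw[:15].rstrip(b' ').decode('ascii', 'replace')}<{raw[15]:02x}>"

def session_packet(ptype: int, payload: bytes) -> bytes:
    """4-byte header: TYPE, FLAGS (bit 0 = 17th length bit), 16-bit LENGTH, then payload."""
    length = len(payload)
    if length > 0x1FFFF:
        raise ValueError("payload exceeds the 17-bit session length")
    return bytes([ptype, (length >> 16) & 1]) + struct.pack(">H", length & 0xFFFF) + payload

def session_request(called: str, calling: str) -> bytes:
    """SESSION REQUEST: the client names the server service (suffix 0x20) and itself (0x00)."""
    names = encode_netbios_name(called, 0x20) + encode_netbios_name(calling, 0x00)
    return session_packet(SESSION_REQUEST, names)

def parse_session_packet(data: bytes) -> dict:
    """Split one session service packet off a TCP/139 byte stream and describe it."""
    ptype, flags, low = struct.unpack(">BBH", data[:4])
    length = ((flags & 1) << 16) | low
    payload = data[4:4 + length]
    if len(payload) < length:
        raise ValueError("truncated session packet")
    info = {"type": ptype, "length": length, "rest": data[4 + length:]}
    if ptype == SESSION_REQUEST and length == 68:      # two 34-byte encoded names
        info["called"] = decode_netbios_name(payload[:34])
        info["calling"] = decode_netbios_name(payload[34:])
    elif ptype == NEGATIVE_RESPONSE and length >= 1:   # 1-byte ERROR_CODE
        info["error"] = NEGATIVE_CODES.get(payload[0], f"unknown 0x{payload[0]:02x}")
    return info
```

The "rest" field lets a reassembled TCP stream be walked packet by packet, which is how the Session Request, its response and the following Session Messages are separated when reviewing a capture.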



HackTricks Automatic Commands

Protocol_Name: Netbios    #Protocol Abbreviation if there is one.
Port_Number:  137,138,139     #Comma separated if there is more than one.
Protocol_Description: Netbios         #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for NetBios
Note: |
Name service for name registration and resolution (ports: 137/udp and 137/tcp).
Datagram distribution service for connectionless communication (port: 138/udp).
Session service for connection-oriented communication (port: 139/tcp).

For a device to participate in a NetBIOS network, it must have a unique name. This is achieved through a broadcast process where a "Name Query" packet is sent. If no objections are received, the name is considered available. Alternatively, a Name Service server can be queried directly to check for name availability or to resolve a name to an IP address.

https://book.hacktricks.xyz/pentesting/137-138-139-pentesting-netbios

Entry_2:
Name: Find Names
Description: Three scans to find the names of the server
Command: nmblookup -A {IP} &&&& nbtscan {IP}/30 &&&& nmap -sU -sV -T4 --script nbstat.nse -p 137 -Pn -n {IP}