hacktricks/network-services-pentesting/137-138-139-pentesting-netbios.md
2024-12-12 11:39:29 +01:00

6.2 KiB

137,138,139 - Pentesting NetBios

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

NetBios Name Service

NetBIOS Name Service plays a crucial role, involving various services such as name registration and resolution, datagram distribution, and session services, utilizing specific ports for each service.

From Wikidepia:

  • Name service for name registration and resolution (ports: 137/udp and 137/tcp).
  • Datagram distribution service for connectionless communication (port: 138/udp).
  • Session service for connection-oriented communication (port: 139/tcp).

Name Service

For a device to participate in a NetBIOS network, it must have a unique name. This is achieved through a broadcast process where a "Name Query" packet is sent. If no objections are received, the name is considered available. Alternatively, a Name Service server can be queried directly to check for name availability or to resolve a name to an IP address. Tools like nmblookup, nbtscan, and nmap are utilized for enumerating NetBIOS services, revealing server names and MAC addresses.

PORT    STATE SERVICE    VERSION
137/udp open  netbios-ns Samba nmbd netbios-ns (workgroup: WORKGROUP)

Enumerating a NetBIOS service you can obtain the names the server is using and the MAC address of the server.

nmblookup -A <IP>
nbtscan <IP>/30
sudo nmap -sU -sV -T4 --script nbstat.nse -p137 -Pn -n <IP>

Datagram Distribution Service

NetBIOS datagrams allow for connectionless communication via UDP, supporting direct messaging or broadcasting to all network names. This service uses port 138/udp.

PORT    STATE         SERVICE     VERSION
138/udp open|filtered netbios-dgm

Session Service

For connection-oriented interactions, the Session Service facilitates a conversation between two devices, leveraging TCP connections through port 139/tcp. A session begins with a "Session Request" packet and can be established based on the response. The service supports larger messages, error detection, and recovery, with TCP handling flow control and packet retransmission.

Data transmission within a session involves Session Message packets, with sessions being terminated by closing the TCP connection.

These services are integral to NetBIOS functionality, enabling efficient communication and resource sharing across a network. For more information on TCP and IP protocols, refer to their respective TCP Wikipedia and IP Wikipedia pages.

PORT      STATE SERVICE      VERSION
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn

Read the next page to learn how to enumerate this service:

{% content-ref url="137-138-139-pentesting-netbios.md" %} 137-138-139-pentesting-netbios.md {% endcontent-ref %}

HackTricks Automatic Commands

Protocol_Name: Netbios    #Protocol Abbreviation if there is one.
Port_Number:  137,138,139     #Comma separated if there is more than one.
Protocol_Description: Netbios         #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for NetBios
  Note: |
    Name service for name registration and resolution (ports: 137/udp and 137/tcp).
    Datagram distribution service for connectionless communication (port: 138/udp).
    Session service for connection-oriented communication (port: 139/tcp).

    For a device to participate in a NetBIOS network, it must have a unique name. This is achieved through a broadcast process where a "Name Query" packet is sent. If no objections are received, the name is considered available. Alternatively, a Name Service server can be queried directly to check for name availability or to resolve a name to an IP address.

    https://book.hacktricks.xyz/pentesting/137-138-139-pentesting-netbios

Entry_2:
  Name: Find Names
  Description: Three scans to find the names of the server
  Command: nmblookup -A {IP} &&&& nbtscan {IP}/30 &&&& nmap -sU -sV -T4 --script nbstat.nse -p 137 -Pn -n {IP}

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}