NetBIOS (Network Basic Input/Output System) Service Enumeration

NetBIOS (Network Basic Input/Output System)

At a Glance

Default Port/s:

  • NetBIOS Name Service: UDP/137
  • NetBIOS Datagram Service: UDP/138
  • NetBIOS Session Service: TCP/139

NetBIOS is a non-routable service that allows applications and computers to communicate over a local area network (LAN).

As an API, NetBIOS relies on network protocols to communicate. In modern networks, NetBIOS runs over TCP/IP via the NetBIOS over TCP/IP protocol or NBT.1

NetBIOS provides three distinct services:

  • Name Service (NetBIOS-NS) for name registration and resolution.
  • Datagram Distribution Service (NetBIOS-DGM) for connectionless communication.
  • Session Service (NetBIOS-SSN) for connection-oriented communication.

Note: SMB runs on top of the Session Service and Datagram Service. It is not an integral part of NetBIOS.

Name Service

On a NetBIOS network, applications locate and identify each other through their NetBIOS names. NetBIOS Name Service serves much the same purpose as DNS does: translate human-readable names to IP addresses.

NetBIOS names are 16 octets long, however, Microsoft limits the hostname to 15 characters and reserves the 16th character as a NetBIOS Suffix. This suffix, aka NetBIOS End Character (endchar), describes the service or name record type.2 See NetBIOS Suffixes.

In NBT, NetBIOS-NS runs on UDP port 137.

Datagram Distribution Service

The Datagram service is an unreliable, non-sequenced, connectionless service.

Datagrams may be sent to a specific name or explicitly broadcast. Usually used to broadcast names and register services.3

In NBT, NetBIOS-DGM runs on UDP port 138.

Session Service

The Session service offers a reliable message exchange, conducted between a pair of NetBIOS applications. Sessions are full-duplex, sequenced, and reliable.3

The service facilitates authentication and provides access to shared resources, such as files and printers. It is where NULL Sessions are established.

In NBT, NetBIOS-DGM runs on UDP port 139.

Enumeration

nmblookup 4

nmblookup -A 10.0.0.3
Parameters
  • <name>: NetBIOS Name
  • -A <ip>: Interpret name as an IP Address and do a node status query on this address.

nbtscan 5

nbtscan 10.0.0.3

Note: Continue NetBIOS enumeration with SMB.

Refer to Exploits Search

NetBIOS Suffixes 6

NameSuffixTypeService
<computername>00UWorkstation
<computername>01UMessenger
<\\−−__MSBROWSE__>01GMaster Browser
<computername>03UMessenger
<computername>06URAS Server
<computername>1FUNetDDE
<computername>20UFile Server
<computername>21URAS Client
<computername>22UMicrosoft Exchange Interchange
<computername>23UMicrosoft Exchange Store
<computername>24UMicrosoft Exchange Directory
<computername>30UModem Sharing Server
<computername>31UModem Sharing Client
<computername>43USMS Clients Remote Control
<computername>44USMS Administrators Remote Control Tool
<computername>45USMS Clients Remote Chat
<computername>46USMS Clients Remote Transfer
<computername>4CUDEC Pathworks TCPIP
<computername>42UMcAfee Antivirus
<computername>52UDEC Pathworks TCPIP
<computername>87UMicrosoft Exchange MTA
<computername>6AUMicrosoft Exchange IMC
<computername>BEUNetwork Monitor Agent
<username>BFUNetwork Monitor Application
<domain>03UMessenger
<domain>00GDomain Name
<domain>1BUDomain Master Browser
<domain>1CGDomain Controllers
<domain>1DUMaster Browser
<domain>1EGBrowser Service Elections
<INet~Services>1CGIIS
<IS~computername>00UIIS
<computername>[2B]UIBM Lotus Notes Server
IRISMULTICAST[2F]GIBM Lotus Notes
IRISNAMESERVER[33]GIBM Lotus Notes
Forte_$ND800ZA[20]UDCA IrmaLan Gateway Server Service

Further Reading


  1. Contributors to Wikimedia projects. “NetBIOS - Wikipedia.” Wikipedia, the Free Encyclopedia, Wikimedia Foundation, Inc., 2 Feb. 2003, https://en.wikipedia.org/wiki/NetBIOS. ↩︎

  2. Deland-Han. “Name Computers, Domains, Sites, and OUs - Windows Server | Microsoft Docs.” Technical Documentation, API, and Code Examples | Microsoft Docs, https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/naming-conventions-for-computer-domain-site-ou. ↩︎

  3. “RFC 1001 - Protocol Standard for a NetBIOS Service on a TCP/UDP Transport: Concepts and Methods.” IETF Tools, https://tools.ietf.org/html/rfc1001. ↩︎

  4. “Nmblookup.” Samba - Opening Windows to a Wider World, https://www.samba.org/samba/docs/current/man-html/nmblookup.1.html. ↩︎

  5. “Nbtscan - NETBIOS Nameserver Scanner.” Steve Friedl’s Home Page, http://unixwiz.net/tools/nbtscan.html. Accessed 28 Sept. ↩︎

  6. McNab, Chris. Network Security Assessment. “O’Reilly Media, Inc.,” 2007, p. 195. ↩︎