NetBIOS (Network Basic Input/Output System) Service Enumeration

NetBIOS (Network Basic Input/Output System) #

At a Glance #

Default Port/s:

  • NetBIOS Name Service: UDP/137
  • NetBIOS Datagram Service: UDP/138
  • NetBIOS Session Service: TCP/139

NetBIOS is a non-routable service that allows applications and computers to communicate over a local area network (LAN).

As an API, NetBIOS relies on network protocols to communicate. In modern networks, NetBIOS runs over TCP/IP via the NetBIOS over TCP/IP protocol or NBT.1

NetBIOS provides three distinct services:

  • Name Service (NetBIOS-NS) for name registration and resolution.
  • Datagram Distribution Service (NetBIOS-DGM) for connectionless communication.
  • Session Service (NetBIOS-SSN) for connection-oriented communication.

Note: SMB runs on top of the Session Service and Datagram Service. It is not an integral part of NetBIOS.

Name Service #

On a NetBIOS network, applications locate and identify each other through their NetBIOS names. NetBIOS Name Service serves much the same purpose as DNS does: translate human-readable names to IP addresses.

NetBIOS names are 16 octets long, however, Microsoft limits the hostname to 15 characters and reserves the 16th character as a NetBIOS Suffix. This suffix, aka NetBIOS End Character (endchar), describes the service or name record type.2 See NetBIOS Suffixes.

In NBT, NetBIOS-NS runs on UDP port 137.

Datagram Distribution Service #

The Datagram service is an unreliable, non-sequenced, connectionless service.

Datagrams may be sent to a specific name or explicitly broadcast. Usually used to broadcast names and register services.3

In NBT, NetBIOS-DGM runs on UDP port 138.

Session Service #

The Session service offers a reliable message exchange, conducted between a pair of NetBIOS applications. Sessions are full-duplex, sequenced, and reliable.3

The service facilitates authentication and provides access to shared resources, such as files and printers. It is where NULL Sessions are established.

In NBT, NetBIOS-DGM runs on UDP port 139.

Enumeration #

nmblookup 4 #

nmblookup -A
  • <name>: NetBIOS Name
  • -A <ip>: Interpret name as an IP Address and do a node status query on this address.

nbtscan 5 #


Note: Continue NetBIOS enumeration with SMB.

Refer to Exploits Search

NetBIOS Suffixes 6 #

<\\−−__MSBROWSE__>01GMaster Browser
<computername>06URAS Server
<computername>20UFile Server
<computername>21URAS Client
<computername>22UMicrosoft Exchange Interchange
<computername>23UMicrosoft Exchange Store
<computername>24UMicrosoft Exchange Directory
<computername>30UModem Sharing Server
<computername>31UModem Sharing Client
<computername>43USMS Clients Remote Control
<computername>44USMS Administrators Remote Control Tool
<computername>45USMS Clients Remote Chat
<computername>46USMS Clients Remote Transfer
<computername>4CUDEC Pathworks TCPIP
<computername>42UMcAfee Antivirus
<computername>52UDEC Pathworks TCPIP
<computername>87UMicrosoft Exchange MTA
<computername>6AUMicrosoft Exchange IMC
<computername>BEUNetwork Monitor Agent
<username>BFUNetwork Monitor Application
<domain>00GDomain Name
<domain>1BUDomain Master Browser
<domain>1CGDomain Controllers
<domain>1DUMaster Browser
<domain>1EGBrowser Service Elections
<computername>[2B]UIBM Lotus Notes Server
Forte_$ND800ZA[20]UDCA IrmaLan Gateway Server Service

Further Reading #

  1. Contributors to Wikimedia projects. “NetBIOS - Wikipedia.” Wikipedia, the Free Encyclopedia, Wikimedia Foundation, Inc., 2 Feb. 2003,↩︎

  2. Deland-Han. “Name Computers, Domains, Sites, and OUs - Windows Server | Microsoft Docs.” Technical Documentation, API, and Code Examples | Microsoft Docs,↩︎

  3. “RFC 1001 - Protocol Standard for a NetBIOS Service on a TCP/UDP Transport: Concepts and Methods.” IETF Tools,↩︎

  4. “Nmblookup.” Samba - Opening Windows to a Wider World,↩︎

  5. “Nbtscan - NETBIOS Nameserver Scanner.” Steve Friedl’s Home Page, Accessed 28 Sept. ↩︎

  6. McNab, Chris. Network Security Assessment. “O’Reilly Media, Inc.,” 2007, p. 195. ↩︎