NetBIOS Pentest

A basic primer on NetBIOS enumeration and exploitation

Attackers use NetBIOS enumeration to obtain:

  • The list of computers that belong to a domain

  • The list of shares on the individual hosts in the network

  • Policies and passwords

Enumeration

Using the nbtstat utility in Windows

The nbtstat utility in Windows displays NetBIOS over TCP/IP (NetBT) protocol statistics, NetBIOS name tables for both the local and remote computers, and the NetBIOS name cache.

Get the NetBIOS name table of a remote computer

Using the -a flag we can dump all the records in the NetBIOS name table of a remote computer, given the hostname or NetBIOS name of the target on the NetBIOS network.

nbtstat -a <Remote Name>

Using the -A flag we can dump all the records in the NetBIOS name table given the IP address of the target. The two flags are otherwise equivalent and differ only in whether a name or an IP address identifies the target.

nbtstat -A <IP Address>

The common NetBIOS Codes are:

Name          NetBIOS Code  Type    Information Obtained
<host name>   <00>          UNIQUE  Hostname
<domain>      <00>          GROUP   Domain name
<host name>   <03>          UNIQUE  Messenger service running for the computer
<user name>   <03>          UNIQUE  Messenger service running for the logged-in user
<host name>   <20>          UNIQUE  Server service running
<domain>      <1D>          GROUP   Master browser name for the subnet
<domain>      <1B>          UNIQUE  Domain master browser name, which identifies the primary domain controller (PDC) for the domain
<domain>      <1E>          GROUP   Browser service elections

Fetch the names held in the NetBIOS name cache

nbtstat -c

Display the names registered locally

The -n flag displays the names registered locally by NetBIOS applications such as the server and redirector.

nbtstat -n

Count of all names resolved by broadcast or by a WINS server

nbtstat -r

Purges the name cache and reloads all #PRE-tagged entries from the Lmhosts file

nbtstat -R 

Release and re-register all names with the name server

nbtstat -RR

List the NetBIOS sessions

List the current NetBIOS sessions and their status with the IP addresses

nbtstat -S

List the NetBIOS sessions table converting destination IP addresses to computer NetBIOS names

nbtstat -s

Re-display the selected statistics, pausing for the given number of seconds between each display. The interval is a positional argument placed after the option, for example:

nbtstat -S <interval>

Using nmap scripts

The nbstat.nse script can be used for NetBIOS enumeration over TCP (with service detection) or directly against the NetBIOS name service on UDP port 137:

nmap -sV -v --script nbstat.nse <target IP address>
Starting Nmap 7.92 ( https://nmap.org ) at 2023-12-03 06:43 EST
Stats: 0:00:07 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 17.65% done; ETC: 06:43 (0:00:28 remaining)
Nmap scan report for 10.10.1.22
Host is up (0.066s latency).
Not shown: 983 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-12-03 18:43:30Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: CEH.com0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: CEH)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
1801/tcp open  msmq?
2103/tcp open  msrpc         Microsoft Windows RPC
2105/tcp open  msrpc         Microsoft Windows RPC
2107/tcp open  msrpc         Microsoft Windows RPC
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: CEH.com0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
MAC Address: 08:62:75:78:00:6E (Unknown)
Service Info: Host: SERVER2022; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| nbstat: NetBIOS name: SERVER2022, NetBIOS user: <unknown>, NetBIOS MAC: 08:62:75:78:00:6e (unknown)
| Names:
|   SERVER2022<00>       Flags: <unique><active>
|   CEH<00>              Flags: <group><active>
|   CEH<1c>              Flags: <group><active>
|   SERVER2022<20>       Flags: <unique><active>
|   CEH<1e>              Flags: <group><active>
|   CEH<1b>              Flags: <unique><active>
|   CEH<1d>              Flags: <unique><active>
|_  \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.53 seconds

sudo nmap -sV -sU --script nbstat.nse 10.10.1.22 -p 137
Starting Nmap 7.92 ( https://nmap.org ) at 2023-12-03 07:05 EST
Nmap scan report for 10.10.1.22
Host is up (0.00082s latency).

PORT    STATE SERVICE    VERSION
137/udp open  netbios-ns Microsoft Windows netbios-ns (Domain controller: CEH)
MAC Address: 08:62:75:78:00:6E (Unknown)
Service Info: Host: SERVER2022; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| nbstat: NetBIOS name: SERVER2022, NetBIOS user: <unknown>, NetBIOS MAC: 08:62:75:78:00:6e (unknown)
| Names:
|   SERVER2022<00>       Flags: <unique><active>
|   CEH<00>              Flags: <group><active>
|   CEH<1c>              Flags: <group><active>
|   SERVER2022<20>       Flags: <unique><active>
|   CEH<1e>              Flags: <group><active>
|   CEH<1b>              Flags: <unique><active>
|   CEH<1d>              Flags: <unique><active>
|_  \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.58 seconds
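As an added example (not part of the original page), the following Python builds the NetBIOS Node Status request that nbtstat -A and nbstat.nse send to UDP/137 (RFC 1002 NBSTAT query) and decodes the reply into the same name table shown in the output above. The reply bytes are constructed inline to mirror the SERVER2022 output, so it runs offline; the suffix meanings follow the table in the nbtstat section, with <1C> (domain controllers) added since it appears in the output.

```python
import struct

SUFFIX = {  # suffix meanings from the table above; unique vs group comes from the flags
    0x00: "hostname (unique) / domain name (group)", 0x03: "Messenger service",
    0x20: "Server service", 0x1B: "domain master browser (PDC)",
    0x1C: "domain controllers", 0x1D: "subnet master browser", 0x1E: "browser elections",
}

def encode_name(raw16):
    # RFC 1001 first-level encoding: each byte becomes two letters 'A'..'P', one per nibble
    enc = bytes(b for c in raw16 for b in ((c >> 4) + 0x41, (c & 0x0F) + 0x41))
    return bytes([32]) + enc + b"\x00"          # length byte, 32 chars, empty scope

def node_status_request(txid=0x1234):
    # Wildcard query "*" padded with NULs, QTYPE NBSTAT (0x21), QCLASS IN (1)
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(b"*" + b"\x00" * 15) + struct.pack(">HH", 0x21, 1)

def parse_node_status(pkt):
    txid, _flags, qd, _an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    off = 12 + qd * 38 + 44     # skip any echoed question, then answer NAME/TYPE/CLASS/TTL/RDLENGTH
    num, off = pkt[off], off + 1
    names = []
    for _ in range(num):        # 18-byte NODE_NAME entries: 15-char name, suffix, 16-bit flags
        name = pkt[off:off + 15].rstrip(b" ").decode("ascii", "replace")
        suffix, nflags = pkt[off + 15], struct.unpack(">H", pkt[off + 16:off + 18])[0]
        names.append({"name": name, "suffix": suffix, "group": bool(nflags & 0x8000),
                      "active": bool(nflags & 0x0400), "meaning": SUFFIX.get(suffix, "?")})
        off += 18
    mac = ":".join(f"{b:02x}" for b in pkt[off:off + 6])   # STATISTICS block starts with the unit ID
    return {"txid": txid, "names": names, "mac": mac}

def domain_controllers(names):
    # Inventory check: a unique <1B> (PDC) or group <1C> entry marks a domain controller role
    return sorted({n["name"] for n in names if n["suffix"] in (0x1B, 0x1C)})

def sample_response(txid=0x1234):
    # Constructed reply mirroring the nbstat.nse output above; not a real packet capture
    entries = [(b"SERVER2022", 0x00, 0x0400), (b"CEH", 0x00, 0x8400), (b"CEH", 0x1C, 0x8400),
               (b"SERVER2022", 0x20, 0x0400), (b"CEH", 0x1B, 0x0400)]
    body = bytes([len(entries)])
    for n, s, f in entries:
        body += n.ljust(15, b" ") + bytes([s]) + struct.pack(">H", f)
    body += bytes.fromhex("08627578006e") + b"\x00" * 40    # unit ID (MAC) + zeroed statistics
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    rr = encode_name(b"*" + b"\x00" * 15) + struct.pack(">HHIH", 0x21, 1, 0, len(body))
    return header + rr + body

if __name__ == "__main__":
    reply = parse_node_status(sample_response())
    print(reply["mac"], domain_controllers(reply["names"]), reply["names"])
```

To query a real host, send node_status_request() to UDP port 137 and pass the datagram you receive to parse_node_status().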

Using the net tool on Windows

View all available shares

net view \\<computername> /ALL

In the above command, <computername> is the name or IP address of the computer whose shared resources are to be displayed.

To view all shares offered by the current host we can also use the net share command.

net share

Display all the shares in the domain

net view /domain

Display all the shares on the specified domain.

net view /domain:<domain name>

Listing Mapped Network Drives or available shares on the host:

The net use command, run without arguments, lists the shared folders and drives currently connected from this host.

net use

Mapping a network drive

net use [DriveLetter:] \\ComputerName\ShareName [/persistent:{yes | no}]

An example of this would be:

net use Z: \\Included\Share
net use Z: \\Included\Share /persistent:yes

Mapping with different credentials

net use Z: \\Server\SharedFolder /user:John secret123

Disconnect a mapped drive

net use Z: /delete

Using the NetBIOS enumerator GUI tool on Windows

NetBIOS enumerator is a GUI tool on Windows which can be used to enumerate NetBIOS names and

Exploitation
