9.3 The NetBIOS Name Service

The NetBIOS name service is accessible through UDP port 137. In particular, the service processes NetBIOS Name Table (NBT) requests, which are common in environments where Windows is used with workgroups, domains, or Active Directory components.

9.3.1 Enumerating System Details

You can easily enumerate the following system details by querying the name service:

  • NetBIOS hostname
  • The domain of which the system is a member
  • Authenticated users currently using the system
  • Accessible network interface MAC addresses

The inbuilt Windows nbtstat command can enumerate these details remotely. Example 9-13 shows how it can be run against 192.168.189.1.

Example 9-13. Using nbtstat to dump the NetBIOS name table
C:\> nbtstat -A 192.168.189.1

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    WEBSERV        <00>  UNIQUE      Registered
    WEBSERV        <20>  UNIQUE      Registered
    OSG-WHQ        <00>  GROUP       Registered
    OSG-WHQ        <1E>  GROUP       Registered
    OSG-WHQ        <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    WEBSERV        <03>  UNIQUE      Registered
    __VMWARE_USER__<03>  UNIQUE      Registered
    ADMINISTRATOR  <03>  UNIQUE      Registered

    MAC Address = 00-50-56-C0-A2-09

Example 9-13 shows that the hostname is WEBSERV, the domain is OSG-WHQ, and two current users are __vmware_user__ and Administrator. Table 9-3 lists common NetBIOS name codes and descriptions.

Table 9-3. Common NetBIOS Name Table (NBT) names and descriptions

NetBIOS code      Type     Information obtained
----------------  -------  --------------------------------------------------------------
<00>              UNIQUE   Hostname
<00>              GROUP    Domain name
<host name><03>   UNIQUE   Messenger service running for that computer
<username><03>    UNIQUE   Messenger service running for that individual logged-in user
<20>              UNIQUE   Server service running
<1D>              GROUP    Master browser name for the subnet
<1B>              UNIQUE   Domain master browser name, identifies the PDC for that domain
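
The following Python script is an added example, not part of the original text. It parses nbtstat -A output saved from a host you administer and applies the Table 9-3 mapping to report what the name service discloses. The function name summarize is hypothetical and the embedded sample is constructed from Example 9-13.

```python
import re

# Constructed sample: the name table from Example 9-13, as nbtstat -A prints it.
SAMPLE = """\
       Name               Type         Status
    ---------------------------------------------
    WEBSERV        <00>  UNIQUE      Registered
    WEBSERV        <20>  UNIQUE      Registered
    OSG-WHQ        <00>  GROUP       Registered
    OSG-WHQ        <1E>  GROUP       Registered
    OSG-WHQ        <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    WEBSERV        <03>  UNIQUE      Registered
    __VMWARE_USER__<03>  UNIQUE      Registered
    ADMINISTRATOR  <03>  UNIQUE      Registered

    MAC Address = 00-50-56-C0-A2-09
"""

# One table row: name, two-digit hex suffix code, then UNIQUE or GROUP.
ROW = re.compile(r"^[ \t]*(\S.*?)[ \t]*<([0-9A-Fa-f]{2})>[ \t]+(UNIQUE|GROUP)\b", re.M)
MAC = re.compile(r"MAC Address = ((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})")

def summarize(text):
    """Apply the Table 9-3 mapping to nbtstat output (hypothetical helper)."""
    rows = [(name, code.upper(), kind) for name, code, kind in ROW.findall(text)]
    info = {"hostname": None, "domain": None, "users": [], "mac": None,
            "server_service": False, "master_browser": False, "pdc": False}
    for name, code, kind in rows:
        if code == "00" and kind == "UNIQUE":
            info["hostname"] = name
        elif code == "00" and kind == "GROUP":
            info["domain"] = name
        elif code == "20" and kind == "UNIQUE":
            info["server_service"] = True
        elif code == "1D":
            # Table 9-3 lists <1D> as GROUP, Example 9-13 shows UNIQUE: match the code only.
            info["master_browser"] = True
        elif code == "1B" and kind == "UNIQUE":
            info["pdc"] = True
    # <03> UNIQUE is either the computer's own messenger name or a logged-in user.
    info["users"] = [n for n, c, k in rows if c == "03" and k == "UNIQUE" and n != info["hostname"]]
    mac = MAC.search(text)
    info["mac"] = mac.group(1) if mac else None
    return info

if __name__ == "__main__":
    print(summarize(SAMPLE))
```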

9.3.2 Attacking the NetBIOS Name Service

The NetBIOS name service is vulnerable to a number of attacks if UDP port 137 is accessible from the Internet or a nontrusted network. MITRE CVE lists these issues, shown in Table 9-4.

Table 9-4. NetBIOS name service vulnerabilities

CVE name       Date        Notes
-------------  ----------  -----
CVE-1999-0288  25/09/1999  Malformed NBNS traffic results in WINS crash.
CVE-2000-0673  27/07/2000  NBNS doesn't perform authentication, which allows remote attackers to cause a denial of service by sending a spoofed Name Conflict or Name Release datagram.
CAN-2003-0661  03/09/2003  NBNS in Windows NT 4.0, 2000, XP, and Server 2003 may include random memory in a response to an NBNS query, which can allow remote attackers to obtain sensitive information.