The NetBIOS name service is accessible through UDP port 137. In particular, the service can process NetBIOS Name Table (NBT) requests, commonly found in environments where Windows is used along with workgroups, domains, or Active Directory components.
You can easily enumerate the following system details by querying the name service:
- NetBIOS hostname
- The domain of which the system is a member
- Authenticated users currently using the system
- Accessible network interface MAC addresses
The inbuilt Windows nbtstat command can enumerate these details remotely. Example 9-13 shows how it can be run against 192.168.189.1.
```
C:\> nbtstat -A 192.168.189.1

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    WEBSERV        <00>  UNIQUE      Registered
    WEBSERV        <20>  UNIQUE      Registered
    OSG-WHQ        <00>  GROUP       Registered
    OSG-WHQ        <1E>  GROUP       Registered
    OSG-WHQ        <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    WEBSERV        <03>  UNIQUE      Registered
    __VMWARE_USER__<03>  UNIQUE      Registered
    ADMINISTRATOR  <03>  UNIQUE      Registered

    MAC Address = 00-50-56-C0-A2-09
```
Example 9-13 shows that the hostname is WEBSERV, the domain is OSG-WHQ, and the two current users are __vmware_user__ and Administrator. Table 9-3 lists common NetBIOS name codes and their descriptions.
NetBIOS code | Type | Information obtained
---|---|---
<00> | UNIQUE | Hostname
<00> | GROUP | Domain name
<host name><03> | UNIQUE | Messenger service running for that computer
<username><03> | UNIQUE | Messenger service running for that individual logged-in user
<20> | UNIQUE | Server service running
<1D> | GROUP | Master browser name for the subnet
<1B> | UNIQUE | Domain master browser name, identifies the PDC for that domain
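The node status exchange that nbtstat performs in Example 9-13, and the name-code interpretation in Table 9-3, are easier to follow at the packet level. The following is an added example, not code from the book: it builds the NBSTAT request that nbtstat -A sends, decodes a node status response according to RFC 1002 (name table entries of 15-byte name, suffix and NAME_FLAGS, followed by the UNIT_ID holding the MAC address), and applies the table's reading to pick out hostname, domain and logged-in users. The response bytes are constructed here to mirror the Example 9-13 output; the NAME_FLAGS values and zeroed statistics are assumed, and the <1E> and <01> descriptions are standard browser-service meanings rather than rows of Table 9-3. Function names are the example's own.

```python
"""Build a NetBIOS node-status (NBSTAT) request and decode the response.

Layout follows RFC 1002 sections 4.2.17/4.2.18, which is what `nbtstat -A`
exchanges over UDP/137. The sample response is constructed, not captured.
"""
import struct

NBSTAT = 0x0021  # RR type for node status request/response
# First five suffixes follow Table 9-3; <1E> and <01> are standard browser
# meanings and are not taken from the page's table.
SUFFIX_INFO = {
    0x00: "hostname (UNIQUE) or domain name (GROUP)",
    0x03: "Messenger service for the computer or a logged-in user",
    0x20: "Server service running",
    0x1D: "Master browser name for the subnet",
    0x1B: "Domain master browser name (PDC for the domain)",
    0x1E: "Browser service elections",
    0x01: "Master browser group (__MSBROWSE__)",
}
WILDCARD = b"*" + b"\x00" * 15  # the "*" name a node status request asks for


def encode_nb_name(raw16: bytes) -> bytes:
    """First-level encoding (RFC 1001 s14.1): each byte becomes two letters,
    one per nibble, offset from 'A'."""
    if len(raw16) != 16:
        raise ValueError("NetBIOS names are exactly 16 bytes before encoding")
    return bytes(0x41 + n for b in raw16 for n in (b >> 4, b & 0x0F))


def build_node_status_request(txid: int = 0x1234) -> bytes:
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # one question
    qname = bytes([32]) + encode_nb_name(WILDCARD) + b"\x00"
    return header + qname + struct.pack(">HH", NBSTAT, 0x0001)  # type, class IN


def parse_node_status_response(pkt: bytes) -> dict:
    """Decode the name table and UNIT_ID (MAC), rejecting malformed packets."""
    if len(pkt) < 12:
        raise ValueError("short header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack_from(">HHHHHH", pkt, 0)
    if not flags & 0x8000 or ancount != 1:
        raise ValueError("not a single-answer response")
    off = 12
    while True:  # skip the length-prefixed RR name labels
        if off >= len(pkt):
            raise ValueError("truncated name")
        label_len = pkt[off]
        off += 1 + label_len
        if label_len == 0:
            break
    if off + 10 > len(pkt):
        raise ValueError("truncated RR header")
    rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", pkt, off)
    off += 10
    if rtype != NBSTAT:
        raise ValueError("answer is not an NBSTAT record")
    rdata = pkt[off:off + rdlen]
    if len(rdata) != rdlen or rdlen < 1:
        raise ValueError("truncated RDATA")
    num_names = rdata[0]
    if 1 + 18 * num_names + 6 > rdlen:
        raise ValueError("name table and UNIT_ID do not fit in RDATA")
    names, pos = [], 1
    for _ in range(num_names):
        raw, suffix = rdata[pos:pos + 15], rdata[pos + 15]
        nflags = struct.unpack_from(">H", rdata, pos + 16)[0]
        pos += 18
        # Render non-printable bytes as '.', the way nbtstat displays them
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw).rstrip()
        names.append({
            "name": text, "suffix": suffix,
            "type": "GROUP" if nflags & 0x8000 else "UNIQUE",   # G bit
            "status": "Conflict" if nflags & 0x0800 else        # CNF bit
                      "Registered" if nflags & 0x0400 else "Inactive",  # ACT bit
            "info": SUFFIX_INFO.get(suffix, "unknown suffix"),
        })
    mac = "-".join(f"{b:02X}" for b in rdata[pos:pos + 6])
    return {"txid": txid, "names": names, "mac": mac}


def summarize(parsed: dict) -> dict:
    """Table 9-3 reading: UNIQUE<00> is the hostname, GROUP<00> the domain,
    and UNIQUE<03> names other than the host are logged-in users."""
    names = parsed["names"]
    host = next((n["name"] for n in names if n["suffix"] == 0 and n["type"] == "UNIQUE"), None)
    domain = next((n["name"] for n in names if n["suffix"] == 0 and n["type"] == "GROUP"), None)
    users = [n["name"] for n in names
             if n["suffix"] == 0x03 and n["type"] == "UNIQUE" and n["name"] != host]
    return {"hostname": host, "domain": domain, "users": users, "mac": parsed["mac"]}


def build_sample_response(txid: int = 0x1234) -> bytes:
    """Constructed response carrying the entries shown in Example 9-13."""
    entries = [  # (name, suffix, NAME_FLAGS: bit 15 = group, bit 10 = active)
        (b"WEBSERV", 0x00, 0x4400), (b"WEBSERV", 0x20, 0x4400),
        (b"OSG-WHQ", 0x00, 0xC400), (b"OSG-WHQ", 0x1E, 0xC400),
        (b"OSG-WHQ", 0x1D, 0x4400), (b"\x01\x02__MSBROWSE__\x02", 0x01, 0xC400),
        (b"WEBSERV", 0x03, 0x4400), (b"__VMWARE_USER__", 0x03, 0x4400),
        (b"ADMINISTRATOR", 0x03, 0x4400),
    ]
    rdata = bytes([len(entries)])
    for name, suffix, nflags in entries:
        rdata += name.ljust(15) + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += bytes.fromhex("005056C0A209") + b"\x00" * 40  # UNIT_ID + zeroed stats
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)  # response, 1 answer
    rrname = bytes([32]) + encode_nb_name(WILDCARD) + b"\x00"
    return header + rrname + struct.pack(">HHIH", NBSTAT, 0x0001, 0, len(rdata)) + rdata


if __name__ == "__main__":
    parsed = parse_node_status_response(build_sample_response())
    for n in parsed["names"]:
        print(f'{n["name"]:<16}<{n["suffix"]:02X}>  {n["type"]:<7} {n["status"]:<11} {n["info"]}')
    print("MAC Address =", parsed["mac"])
    print(summarize(parsed))
```

The parser checks every length before indexing, so a truncated or oversized RDATA raises instead of silently returning partial data; that matters for anything that ingests name-service replies from arbitrary hosts. Feeding the request bytes to a UDP socket on port 137 of a host you administer gives the same table that nbtstat prints.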
The NetBIOS name service is vulnerable to a number of attacks if UDP port 137 is accessible from the Internet or an untrusted network. MITRE CVE lists these issues, shown in Table 9-4.
CVE name | Date | Notes
---|---|---
CVE-1999-0288 | 25/09/1999 | Malformed NBNS traffic results in WINS crash.
CVE-2000-0673 | 27/07/2000 | NBNS doesn't perform authentication, which allows remote attackers to cause a denial of service by sending a spoofed Name Conflict or Name Release datagram.
CAN-2003-0661 | 03/09/2003 | NBNS in Windows NT 4.0, 2000, XP, and Server 2003 may include random memory in a response to a NBNS query, which can allow remote attackers to obtain sensitive information.