9.3 The NetBIOS Name Service

The NetBIOS name service is accessible through UDP port 137. In particular, the service can process NetBIOS Name Table (NBT) requests, commonly found in environments where Windows is used along with workgroups, domains, or Active Directory components.

9.3.1 Enumerating System Details

You can easily enumerate the following system details by querying the name service:

  • NetBIOS hostname
  • The domain of which the system is a member
  • Authenticated users currently using the system
  • Accessible network interface MAC addresses

The inbuilt Windows nbtstat command can enumerate these details remotely. Example 9-13 shows how it can be run against

Example 9-13. Using nbtstat to dump the NetBIOS name table
C:\> nbtstat -A

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    WEBSERV        <00>  UNIQUE      Registered
    WEBSERV        <20>  UNIQUE      Registered
    OSG-WHQ        <00>  GROUP       Registered
    OSG-WHQ        <1E>  GROUP       Registered
    OSG-WHQ        <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    WEBSERV        <03>  UNIQUE      Registered
    __VMWARE_USER__<03>  UNIQUE      Registered
    ADMINISTRATOR  <03>  UNIQUE      Registered

    MAC Address = 00-50-56-C0-A2-09

Example 9-13 shows that the hostname is WEBSERV, the domain is OSG-WHQ, and two current users are __vmware_user__ and Administrator. Table 9-3 lists common NetBIOS name codes and descriptions.

Table 9-3. Common NetBIOS Name Table (NBT) names and descriptions

NetBIOS code        Information obtained
                    Domain name
<host name><03>     Messenger service running for that computer
<user name><03>     Messenger service running for that individual logged-in user
                    Server service running
                    Master browser name for the subnet
                    Domain master browser name, identifies the PDC for that domain

9.3.2 Attacking the NetBIOS Name Service

The NetBIOS name service is vulnerable to a number of attacks if UDP port 137 is accessible from the Internet or a nontrusted network. MITRE CVE lists these issues, shown in Table 9-4.

Table 9-4. NetBIOS name service vulnerabilities

CVE name
                Malformed NBNS traffic results in WINS crash.
                NBNS doesn't perform authentication, which allows remote attackers to cause a denial of service by sending a spoofed Name Conflict or Name Release datagram.
                NBNS in Windows NT 4.0, 2000, XP, and Server 2003 may include random memory in a response to a NBNS query, which can allow remote attackers to obtain sensitive information.