3. NetBIOS Enumeration

NetBIOS (Network Basic Input/Output System) was developed as an API (Application Programming Interface) that allows applications on devices in a LAN, such as a printer or another computer, to communicate.

This service uses a unique string of 16 ASCII characters to identify network devices over TCP/IP.
First 15 characters - identify the device
16th character - identifies the service

Workgroup: It is a peer-to-peer network for a maximum of 10 computers in the same LAN or subnet. It has no centralized administration, which means no computer has control over another computer. Each user controls the resources and security locally on their system.

Domain: It is a client/server network for up to 2000 computers anywhere in the world. The administrator manages the domain and its users and resources. A user with an account on the domain can log on to any computer system without having an account on that computer.


Enumeration

  1. The nbtstat command displays NetBIOS information such as NetBIOS name tables and the name cache.
    It is for Windows only. On Linux, nmblookup can be used.

nbtstat -A [TARGET]
Displays the NetBIOS name table and MAC address information.

  2. net view - This utility enumerates shared resources and displays a list of domains, computers, or resources that are being shared by the specified computer.
    It also works on Windows only.

net view [\\ComputerName or IP [/CACHE] | [/ALL] | /DOMAIN[:DomainName]]


Enumerating NetBIOS in Metasploitable2

  1. Nmap Scripts

T - TCP Connect scan
U - UDP scan
V - Version Detection

NetBIOS Suffixes
NetBIOS end character (endchar) = the 16th character of a NetBIOS name.

For unique names:
00: Workstation Service (workstation name)
03: Windows Messenger service
06: Remote Access Service
20: File Service (also called Host Record)
1D: Master Browser

For group names:
00: Workstation Service (workgroup/domain name)
1E: Browser Service Elections
01: Master Browser (represented with MSBROWSE)
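
The 15+1 name layout and the suffix lists above, as an added Python example (not from the original page): it splits a NetBIOS name table into names and suffixes and labels each entry with the service from those lists. The 18-byte entry layout and the group flag are taken from RFC 1002, not from this page; LABHOST and the sample table are constructed.

```python
import struct

# Suffix meanings from the lists above, keyed by (suffix, is_group).
SUFFIXES = {
    (0x00, False): "Workstation Service (workstation name)",
    (0x03, False): "Windows Messenger service",
    (0x06, False): "Remote Access Service",
    (0x20, False): "File Service (Host Record)",
    (0x1D, False): "Master Browser",
    (0x00, True): "Workstation Service (workgroup/domain name)",
    (0x1E, True): "Browser Service Elections",
    (0x01, True): "Master Browser (MSBROWSE)",
}
GROUP_FLAG = 0x8000  # G bit of the 2-byte NAME_FLAGS field (RFC 1002)

def make_entry(name, suffix, group=False):
    """Build one constructed 18-byte entry: 15-char padded name, suffix, flags."""
    raw = name.encode("ascii").ljust(15, b" ")[:15] + bytes([suffix])
    return raw + struct.pack(">H", GROUP_FLAG if group else 0)

def parse_name_table(blob):
    """Split a name table into (name, suffix, is_group, service) tuples."""
    if len(blob) % 18:
        raise ValueError("name table must be a multiple of 18 bytes")
    rows = []
    for off in range(0, len(blob), 18):
        raw, flags = struct.unpack_from(">16sH", blob, off)
        name = raw[:15].decode("ascii", "replace").rstrip(" \x00")
        is_group = bool(flags & GROUP_FLAG)  # same suffix means different things
        service = SUFFIXES.get((raw[15], is_group), "unknown")
        rows.append((name, raw[15], is_group, service))
    return rows

# Constructed sample table, not captured from a real host.
SAMPLE = b"".join([
    make_entry("LABHOST", 0x00),
    make_entry("LABHOST", 0x20),
    make_entry("WORKGROUP", 0x00, group=True),
    make_entry("WORKGROUP", 0x1E, group=True),
    make_entry("\x01\x02__MSBROWSE__\x02", 0x01, group=True),
])

if __name__ == "__main__":
    for name, suffix, is_group, service in parse_name_table(SAMPLE):
        kind = "GROUP " if is_group else "UNIQUE"
        print(f"{name!r:<24} <{suffix:02X}> {kind} {service}")
```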

The Computer Browser Service is a Microsoft Windows feature that lets users easily browse and locate shared resources on neighboring computers. It does this by aggregating the information on a single computer, the "Browse Master".

A server's browser role is defined dynamically through periodic elections.
All the computers on a LAN hold an "election": depending on a number of factors, they vote on which one will be the Master Browser on the LAN.
Once a computer is elected, it keeps track of which machines are connected to the LAN.

  2. Metasploit modules

Note:

Using nmblookup on Metasploitable2

As you can see, we already got some of this information in our enumeration.