NetBIOS (Network Basic Input/Output System) is a protocol used for file sharing, printer sharing, and other network services in older versions of Windows operating systems. Over the years, several vulnerabilities and security issues have been identified in the NetBIOS protocol. Some notable NetBIOS vulnerabilities include:
NetBIOS Name Service (NBNS) Spoofing: Attackers can spoof NetBIOS Name Service (NBNS) responses to redirect network traffic to malicious systems. This can lead to various attacks, such as Man-in-the-Middle (MITM) attacks and session hijacking.
Here's how a typical NBNS spoofing or NBSCAN attack unfolds:
The impact and consequences of an NBNS spoofing attack can be significant. By redirecting network traffic, the attacker can gain unauthorized access to sensitive data, conduct eavesdropping or data interception, impersonate legitimate servers or services, manipulate network communications, and potentially compromise the overall security and integrity of the network.
Null Session Attacks: Null sessions allow unauthenticated access to NetBIOS services. Attackers can exploit this vulnerability to enumerate user and group information, browse file shares, and gain unauthorized access to sensitive data.
Remote Code Execution: In some cases, vulnerabilities in NetBIOS implementations have allowed remote code execution, where an attacker can execute arbitrary code on a target system. This can lead to complete system compromise and control.
NetBIOS requests are typically crafted at a lower-level network protocol level, such as using raw sockets or network programming libraries. The specific programming language or tools used may vary, but the general steps involved in crafting NetBIOS requests for null session attacks are as follows:
Password Cracking: Due to the way NetBIOS authentication works, weak passwords can be vulnerable to password cracking attacks. Attackers can attempt to guess or crack passwords to gain unauthorized access to systems. The most vulnerable are the BUILTIN\guest and BUILTIN\Administrator accounts.
Example of a NetBIOS attack
Here I do a NetBIOS scan with no Domain credentials involved, scrape host and session information, find a Domain Controller and a File Server, scrape session info and then surveil available shares, who they are available to, read/write permissions for Everyone and even Domain Kerberos certificate information.
I initially perform an nbtscan to find hosts on the network where NetBIOS is enabled
I can identify the domain name, the file server and the domain controller just from the NetBIOS scan information available through the listener.
From here, I can request the host broadcasting on NetBIOS for information on other hosts in its NetBIOS name table
What’s the big deal? Well, the big deal is that I am not using any Windows Domain credentials to get this information. I am purely running nbtscan on Linux.
Next I can use an Nmap utility to scan the IPs I know about and scrape authentication and connection encryption information, the available shares, and the permissions required to access them.
Scrape connection info
Scrape SMB info
I can find at least 1 share that I can get into with any account – EVERYONE read/write which includes Guest
available shares to determine which one I can use to deliver a payload or steal data from. All I need is any compromised domain account, which I will likely harvest in many available ways.
It's important to note that NetBIOS vulnerabilities primarily affect older versions of Windows (such as Windows XP, Windows Server 2003) that still have NetBIOS enabled by default. More recent Windows versions have deprecated or disabled NetBIOS by default due to its security concerns.
How to disable NetBIOS and eliminate this vulnerability
To mitigate these vulnerabilities, it is recommended to disable or block NetBIOS services if they are not required, regularly patch and update Windows systems, use strong and unique passwords, and implement network segmentation and access controls to limit the exposure of NetBIOS services to the internet or untrusted networks.
To disable NetBIOS via Group Policy, you can follow these steps:
Press the Windows key + R on your keyboard to open the Run dialog box.
Type "gpedit.msc" in the Run dialog box and press Enter. This will open the Local Group Policy Editor.
In the Local Group Policy Editor, navigate to the following path:
Computer Configuration -> Administrative Templates -> Network -> DNS Client
On the right-hand side, locate the policy named "Turn off multicast name resolution."
Double-click on the policy to open its properties.
Select the "Enabled" option.
Click on the "Apply" button and then click "OK" to save the changes.
Close the Local Group Policy Editor.
The policy "Turn off multicast name resolution" disables the NetBIOS over TCP/IP (NetBT) service, which is used for multicast name resolution. Disabling this service effectively disables NetBIOS.
NetBIOS can also be enabled to listen on individual NICs; in this case it should be disabled via the registry.
The key location to check is HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_xxxx, where Tcpip_xxxx identifies the NIC.
To check if your computer is exposed to NetBIOS attacks, you can perform the following steps:
Open a command prompt by pressing the Windows key + R, typing "cmd," and pressing Enter.
In the command prompt, type the following command and press Enter:
netstat -a -n
Look for port numbers 137, 138, and 139 in the output. These are the default ports used by NetBIOS. If you see these ports listed as "Listening" or "Established," it indicates that NetBIOS is active and potentially exposed to attacks.
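The check above can be scripted so it is repeatable across many hosts. The following is an added example (not code from the original article): it parses the text of `netstat -a -n` as Windows prints it and reports every socket bound to 137, 138 or 139. The sample output is constructed here, not captured from a real host. One caveat worth building in: ports 137 and 138 are UDP, and Windows prints no State column for UDP sockets, so a bound UDP socket never shows "LISTENING"; the parser treats any UDP socket on those ports as active, and only applies the LISTENING/ESTABLISHED test to TCP 139.

```python
"""Check `netstat -a -n` output for NetBIOS sockets (TCP/UDP 137, 138, 139)."""
from typing import Dict, List, Optional, Tuple

# Constructed sample of Windows `netstat -a -n` output (not captured from a real host).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       192.168.1.20:50321     ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
  UDP    0.0.0.0:5355           *:*
"""

# Default NetBIOS over TCP/IP ports and the service behind each.
NETBIOS_PORTS = {
    137: "NBNS name service (UDP)",
    138: "NBDS datagram service (UDP)",
    139: "NBSS session service (TCP)",
}


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """Split 'addr:port' into (addr, port); handles '*:*' and bracketed IPv6 like '[::]:445'."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Dict]:
    """Return one record per TCP/UDP socket line; UDP lines carry no State column."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # blank lines, the banner and the column header
        local_addr, local_port = split_endpoint(parts[1])
        state = parts[3] if parts[0] == "TCP" and len(parts) > 3 else "BOUND"
        sockets.append({"proto": parts[0], "addr": local_addr, "port": local_port, "state": state})
    return sockets


def netbios_exposure(text: str) -> List[Dict]:
    """Sockets on 137/138/139 that are active; flags whether they are bound beyond loopback."""
    findings = []
    for s in parse_netstat(text):
        if s["port"] not in NETBIOS_PORTS:
            continue
        if s["proto"] == "TCP" and s["state"] not in ("LISTENING", "ESTABLISHED"):
            continue  # e.g. TIME_WAIT leftovers are not an exposed listener
        reachable = s["addr"] not in ("127.0.0.1", "::1")
        findings.append({**s, "service": NETBIOS_PORTS[s["port"]], "network_reachable": reachable})
    return findings


if __name__ == "__main__":
    for f in netbios_exposure(NETSTAT_SAMPLE):
        where = "network-reachable" if f["network_reachable"] else "loopback only"
        print(f'{f["proto"]} {f["addr"]}:{f["port"]} {f["state"]:<12} {f["service"]} ({where})')
```

Run it against a file captured with `netstat -a -n > netstat.txt` on the host being checked by reading that file into `netbios_exposure()`; any finding marked network-reachable is a NetBIOS service exposed to the adjacent network and is a candidate for the disable steps above.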
Perform a vulnerability scan:
Use a network vulnerability scanning tool, such as Nessus, OpenVAS, or Qualys, to scan your computer or network for NetBIOS-related vulnerabilities. These tools can identify if your system is exposed to known NetBIOS vulnerabilities.
Monitor network traffic:
You can use network monitoring tools, such as Wireshark, to capture and analyze network traffic. Look for any suspicious NetBIOS-related activity or unexpected connections.
Here I am using Microsoft Network Monitor to check for NetBIOS ports 137, 138 and 139.
You will need to install Microsoft Network Monitor and configure the filter for those specific ports:
tcp.port == 137
OR
Payloadheader.LowerProtocol.port == 137
OR
tcp.port == 138
OR
Payloadheader.LowerProtocol.port == 138
OR
tcp.port == 139
OR
Payloadheader.LowerProtocol.port == 139
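A port filter shows that NetBIOS traffic exists; deciding whether a given NBNS packet is legitimate takes a little decoding. The following added example (my own code, not from the article or from Microsoft Network Monitor) parses NBNS (UDP/137) name queries and responses, including the first-level name encoding, and applies two generic checks that catch the NBNS spoofing described earlier in the article: a response arriving with no matching outstanding query, and two responders giving different answers for the same query. It goes beyond the article by also building the packets it parses, so it runs offline; all packets and addresses are constructed here, not captured from a real network.

```python
"""Parse NetBIOS Name Service (NBNS, UDP/137) messages and flag responses that look spoofed."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


def encode_nb_name(name: str, suffix: int) -> bytes:
    """First-level encoding: 15-char space-padded name + 1 suffix byte, each byte split
    into two nibbles, each nibble added to 'A' (0x41), giving 32 letters A..P."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    return bytes(b for byte in raw for b in (0x41 + (byte >> 4), 0x41 + (byte & 0x0F)))


def decode_nb_name(encoded: bytes) -> Tuple[str, int]:
    """Reverse of encode_nb_name: returns (name without padding, suffix byte)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be exactly 32 bytes")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


@dataclass
class NbnsMessage:
    txid: int
    is_response: bool
    is_broadcast: bool
    name: str
    suffix: int
    answer_ip: Optional[str]  # only set on a positive name query response


def build_query(txid: int, name: str, suffix: int = 0x20) -> bytes:
    """Broadcast name query: flags 0x0110 = RD + B, one question of type NB (0x0020)."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + b"\x20" + encode_nb_name(name, suffix) + b"\x00" + struct.pack(">HH", 0x0020, 1)


def build_response(txid: int, name: str, ip: str, suffix: int = 0x20) -> bytes:
    """Positive name query response: flags 0x8500 = R + AA + RD, one NB answer carrying the IP."""
    header = struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0)
    rdata = struct.pack(">H", 0x0000) + bytes(int(o) for o in ip.split("."))  # NB_FLAGS + address
    answer = (b"\x20" + encode_nb_name(name, suffix) + b"\x00"
              + struct.pack(">HHIH", 0x0020, 1, 300000, len(rdata)) + rdata)
    return header + answer


def parse_nbns(payload: bytes) -> NbnsMessage:
    """Decode the 12-byte header and the first (question or answer) name; extract the answer IP."""
    txid, flags, _qdcount, ancount, _nscount, _arcount = struct.unpack(">HHHHHH", payload[:12])
    if payload[12] != 0x20 or payload[45] != 0x00:
        raise ValueError("unsupported or malformed NetBIOS name field")
    name, suffix = decode_nb_name(payload[13:45])
    is_response = bool(flags & 0x8000)   # R bit
    is_broadcast = bool(flags & 0x0010)  # B bit in NM_FLAGS
    answer_ip = None
    if is_response and ancount >= 1:
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", payload[46:56])
        rdata = payload[56:56 + rdlen]
        if rtype == 0x0020 and rdlen >= 6:
            answer_ip = ".".join(str(b) for b in rdata[2:6])
    return NbnsMessage(txid, is_response, is_broadcast, name, suffix, answer_ip)


def detect_spoofed_responses(events: List[Tuple[str, bytes]]) -> List[str]:
    """events: (source IP, UDP/137 payload) in capture order. Alerts on a response with no
    matching outstanding query, and on a second answer that disagrees with the first one."""
    pending: Set[Tuple[int, str, int]] = set()
    answered: Dict[Tuple[int, str, int], Tuple[str, Optional[str]]] = {}
    alerts: List[str] = []
    for src, payload in events:
        msg = parse_nbns(payload)
        key = (msg.txid, msg.name, msg.suffix)
        if not msg.is_response:
            pending.add(key)
            continue
        if key not in pending:
            alerts.append(f"unsolicited NBNS response from {src} for {msg.name}<{msg.suffix:02X}>")
        elif key in answered and answered[key][1] != msg.answer_ip:
            first_src, first_ip = answered[key]
            alerts.append(f"conflicting NBNS answers for {msg.name}<{msg.suffix:02X}>: "
                          f"{first_src} said {first_ip}, {src} says {msg.answer_ip}")
        else:
            answered[key] = (src, msg.answer_ip)
    return alerts


# Constructed capture: one legitimate query/answer, then a racing answer and an unsolicited one.
SAMPLE_EVENTS = [
    ("192.168.1.20", build_query(0x0001, "FILESERVER")),
    ("192.168.1.5", build_response(0x0001, "FILESERVER", "192.168.1.5")),
    ("192.168.1.66", build_response(0x0001, "FILESERVER", "192.168.1.66")),
    ("192.168.1.66", build_response(0x0002, "DC01", "192.168.1.66")),
]

if __name__ == "__main__":
    for alert in detect_spoofed_responses(SAMPLE_EVENTS):
        print(alert)
```

To use it on real traffic, feed `detect_spoofed_responses()` the UDP payloads of port 137 packets from a capture in arrival order with their source IPs; both alert types are the shape an NBNS spoofer leaves behind, and the conflicting-answer case in particular is worth reviewing even when one of the two answers is the genuine host.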
If you find that NetBIOS is enabled and open to the internet or untrusted networks, it is recommended to disable or block NetBIOS services if they are not required. Additionally, keep your operating system and security software up to date, use strong passwords, and follow security best practices to protect your system from potential NetBIOS attacks.