NetBIOS attack simulation and prevention (2024)

NetBIOS (Network Basic Input/Output System) is a protocol used for file sharing, printer sharing, and other network services in older versions of Windows operating systems. Over the years, several vulnerabilities and security issues have been identified in the NetBIOS protocol. Some notable NetBIOS vulnerabilities include:

NetBIOS Name Service (NBNS) Spoofing: Attackers can spoof NetBIOS Name Service (NBNS) responses to redirect network traffic to malicious systems. This can lead to various attacks, such as Man-in-the-Middle (MITM) attacks and session hijacking.

Here's how a typical NBNS spoofing or NBSCAN attack unfolds:

  1. NBNS Request: A legitimate device on the network sends an NBNS query to resolve the IP address associated with a NetBIOS name. The query is usually sent as a broadcast to the local subnet.
  2. Spoofed Response: The attacker, who has positioned themselves strategically on the network, intercepts the NBNS query and quickly responds with a spoofed NBNS response. The spoofed response contains false information, typically with the attacker's IP address associated with the requested NetBIOS name.
  3. Redirected Traffic: The requesting device receives the spoofed NBNS response and believes it has obtained the correct IP address for the desired NetBIOS name. Consequently, all subsequent network traffic intended for that NetBIOS name will be sent to the attacker's IP address. Instead of redirecting traffic, an attacker can also flood the listening NetBIOS ports with requests. This can cause the system to become unresponsive or crash.
  4. Exploitation or Eavesdropping: With the network traffic redirected, the attacker can exploit the situation in various ways. They may perform a Man-in-the-Middle (MITM) attack, intercepting and manipulating the network traffic for malicious purposes. This can include capturing sensitive information, injecting malware, modifying or redirecting traffic, or even launching further attacks on the compromised devices.

The impact and consequences of an NBNS spoofing attack can be significant. By redirecting network traffic, the attacker can gain unauthorized access to sensitive data, conduct eavesdropping or data interception, impersonate legitimate servers or services, manipulate network communications, and potentially compromise the overall security and integrity of the network.
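From the defender's side, the spoofed-response step above leaves a visible trace on UDP/137: two hosts answering for the same name, or one host answering for many unrelated names. The following detection sketch is an added example, not code from the original article; it assumes the UDP/137 payloads have already been captured, that names are uncompressed, and all hosts, names and addresses in the sample are constructed.

```python
import struct
from collections import defaultdict

def decode_name(raw):  # RFC 1001 first-level encoding: each nibble travels as 'A' + nibble
    out = bytes((((raw[i] - 65) & 15) << 4) | ((raw[i + 1] - 65) & 15) for i in range(0, 32, 2))
    return out[:15].decode("ascii", "replace").rstrip()  # byte 16 is the service suffix

def parse_response(payload):
    """Return (name, [claimed IPs]) for a positive NBNS name query response, else None."""
    if len(payload) < 62 or payload[12] != 0x20:
        return None  # too short, or name not in the plain 32-byte form
    flags, _qd, ancount = struct.unpack("!HHH", payload[2:8])
    rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", payload[46:56])
    if (flags & 0xF80F) != 0x8000 or not ancount or rtype != 0x0020:
        return None  # need R=1, opcode=query, rcode=0 and an NB record
    rdata = payload[56:56 + rdlen]  # 6 bytes per entry: 2 flag bytes + IPv4 address
    ips = [".".join(map(str, rdata[i + 2:i + 6])) for i in range(0, len(rdata) - 5, 6)]
    return decode_name(payload[13:45]), ips

def find_suspects(packets, expected=None, fanout=3):
    """packets: (source IP, UDP/137 payload) pairs; expected: optional name -> IP inventory."""
    by_name, by_src, findings = defaultdict(set), defaultdict(set), []
    for src, payload in packets:
        name, ips = parse_response(payload) or (None, [])
        for ip in ips:
            by_name[name].add((src, ip))
            by_src[src].add(name)
    for name, claims in sorted(by_name.items()):
        if len({s for s, _ in claims}) > 1:  # two hosts answered for one name
            findings.append(("conflicting-answers", name, sorted({s for s, _ in claims})))
        bad = sorted(ip for _, ip in claims if expected and ip != expected.get(name, ip))
        if bad:  # answer disagrees with the asset inventory
            findings.append(("inventory-mismatch", name, bad))
    for src, names in sorted(by_src.items()):
        if len(names) >= fanout:  # one host claiming many unrelated names
            findings.append(("answers-for-many-names", src, sorted(names)))
    return findings

def fixture(name, ip):  # constructed test input: a positive response for `name` claiming `ip`
    enc = bytes(b for c in name.ljust(15).encode() + b"\x00" for b in (65 + (c >> 4), 65 + (c & 15)))
    rdata = b"\x00\x00" + bytes(map(int, ip.split(".")))
    head = struct.pack("!HHHHHH", 1, 0x8500, 0, 1, 0, 0) + b"\x20" + enc + b"\x00"
    return head + struct.pack("!HHIH", 0x20, 1, 300, len(rdata)) + rdata

NBNS_SAMPLE = [(s, fixture(n, i)) for s, n, i in [  # constructed capture: .66 answers every name
    ("10.0.0.20", "FILESRV", "10.0.0.20"), ("10.0.0.66", "FILESRV", "10.0.0.66"),
    ("10.0.0.66", "WPAD", "10.0.0.66"), ("10.0.0.66", "PRINTSRV", "10.0.0.66")]]

if __name__ == "__main__":
    print(*find_suspects(NBNS_SAMPLE, {"FILESRV": "10.0.0.20"}), sep="\n")
```

The `fanout` threshold is a tuning assumption: a legitimate host normally answers only for its own name and its workgroup or domain name.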

Null Session Attacks: Null sessions allow unauthenticated access to NetBIOS services. Attackers can exploit this vulnerability to enumerate user and group information, browse file shares, and gain unauthorized access to sensitive data.

Remote Code Execution: In some cases, vulnerabilities in NetBIOS implementations have allowed remote code execution, where an attacker can execute arbitrary code on a target system. This can lead to complete system compromise and control.

NetBIOS requests are typically crafted at a lower-level network protocol level, such as using raw sockets or network programming libraries. The specific programming language or tools used may vary, but the general steps involved in crafting NetBIOS requests for null session attacks are as follows:

  1. Network Socket Creation: The attacker creates a network socket or establishes a connection to the target system's NetBIOS service. This allows them to send and receive data at the NetBIOS protocol level.
  2. NetBIOS Request Format: The attacker constructs the NetBIOS request packets according to the NetBIOS protocol specifications. This involves populating various fields and parameters within the packet to achieve the desired functionality.
  3. Null Session Identification: To initiate a null session, the attacker typically sets specific fields within the NetBIOS request packet to indicate that no authentication credentials are being provided. This may involve setting the username and password fields to null or empty values.
  4. Sending the Request: Once the NetBIOS request packet is constructed, the attacker sends it to the target system's NetBIOS service using the established network connection or socket.
  5. Parsing the Response: The attacker receives the response from the target system and extracts the relevant information. This could include details about usernames, group memberships, shared resources, or other data of interest.

Password Cracking: Due to the way NetBIOS authentication works, weak passwords can be vulnerable to password cracking attacks. Attackers can attempt to guess or crack passwords to gain unauthorized access to systems. The most vulnerable are the BUILTIN\guest and BUILTIN\Administrator accounts.

Example of a NetBIOS attack

Here I do a NetBIOS scan with no Domain credentials involved, scrape host and session information, find a Domain Controller and a File Server, scrape session info and then surveil available shares, who they are available to, read/write permissions for everyone and even Domain Kerberos certificate information.

I initially perform an nbtscan to find hosts on the network where NetBIOS is enabled.

I can identify the domain name, the file server and the domain controller just from the NetBIOS scan information available through the listener.

From here, I can request the host broadcasting on NetBIOS for information on other hosts in its NetBIOS name table.

What’s the big deal? Well, the big deal is that I am not using any Windows Domain credentials to get this information. I am purely running nbtscan on Linux.

Next I can use an NMAP utility to scan the IPs I know about to scrape for authentication and connection encryption information and available shares, and list the permissions required for access.

Scrape connection info

Scrape SMB info

I can find at least 1 share that I can get into with any account – EVERYONE read/write, which includes Guest.

available shares to determine which one I can use to deliver a payload or steal data from. All I need is any domain compromised account which I will likely harvest in many available ways.

It's important to note that NetBIOS vulnerabilities primarily affect older versions of Windows (such as Windows XP, Windows Server 2003) that still have NetBIOS enabled by default. More recent Windows versions have deprecated or disabled NetBIOS by default due to its security concerns.

How to disable NetBIOS and eliminate this vulnerability

To mitigate these vulnerabilities, it is recommended to disable or block NetBIOS services if they are not required, regularly patch and update Windows systems, use strong and unique passwords, and implement network segmentation and access controls to limit the exposure of NetBIOS services to the internet or untrusted networks.

To disable NetBIOS via Group Policy, you can follow these steps:

Press the Windows key + R on your keyboard to open the Run dialog box.

Type "gpedit.msc" in the Run dialog box and press Enter. This will open the Local Group Policy Editor.

In the Local Group Policy Editor, navigate to the following path:

Computer Configuration -> Administrative Templates -> Network -> DNS Client

On the right-hand side, locate the policy named "Turn off multicast name resolution."

Double-click on the policy to open its properties.

Select the "Enabled" option.

Click on the "Apply" button and then click "OK" to save the changes.

Close the Local Group Policy Editor.

The policy "Turn off multicast name resolution" disables the NetBIOS over TCP/IP (NetBT) service, which is used for multicast name resolution. Disabling this service effectively disables NetBIOS.

NetBIOS can also be enabled to listen on individual NICs. In this case it should be disabled via the registry.

The key location to check is: HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_xxxx, where xxxx identifies the NIC.
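To audit every NIC under that key at once, the per-interface `NetbiosOptions` DWORD can be read from saved `reg query "HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces" /s` output (0 = take the setting from DHCP, 1 = enabled, 2 = disabled). This is an added example, not part of the original article; the interface GUIDs in the sample are constructed.

```python
import re

KEY = re.compile(r"\\NetBT\\Parameters\\Interfaces\\(Tcpip_\{[^}]+\})\s*$", re.I)
VALUE = re.compile(r"\s+NetbiosOptions\s+REG_DWORD\s+0x([0-9a-f]+)", re.I)
# NetbiosOptions: 0 = follow DHCP (default, NetBIOS stays on unless DHCP turns it off),
# 1 = enabled, 2 = disabled.
STATE = {0: "dhcp-default", 1: "enabled", 2: "disabled", None: "value-missing"}

def netbt_interfaces(reg_text):
    """Map each Tcpip_{GUID} key in the reg query output to its NetbiosOptions state."""
    found, current = {}, None
    for line in reg_text.splitlines():
        key = KEY.search(line)
        if key:
            current = key.group(1)
            found[current] = None          # value not seen yet for this interface
        elif current and (m := VALUE.match(line)):
            found[current] = int(m.group(1), 16)
    return {nic: STATE.get(opt, "unknown") for nic, opt in found.items()}

def needs_fix(reg_text):
    """Interfaces where NetBIOS over TCP/IP is not explicitly disabled."""
    return sorted(n for n, s in netbt_interfaces(reg_text).items() if s != "disabled")

# Constructed sample output; the GUIDs are placeholders, not real interface IDs.
REG_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{11111111-1111-1111-1111-111111111111}
    NameServerList    REG_MULTI_SZ
    NetbiosOptions    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{22222222-2222-2222-2222-222222222222}
    NameServerList    REG_MULTI_SZ
    NetbiosOptions    REG_DWORD    0x0
"""

if __name__ == "__main__":
    for nic in needs_fix(REG_SAMPLE):
        print("NetBIOS over TCP/IP still active on", nic)
```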

To check if your computer is exposed to NetBIOS attacks, you can perform the following steps:

Open a command prompt by pressing the Windows key + R, typing "cmd," and pressing Enter.

In the command prompt, type the following command and press Enter:

netstat -a -n

Look for port numbers 137, 138, and 139 in the output. These are the default ports used by NetBIOS. If you see these ports listed as "Listening" or "Established," it indicates that NetBIOS is active and potentially exposed to attacks.
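The check above can be scripted so that only local NetBIOS sockets are reported. Note that Windows prints no State column for UDP rows, so 137 and 138 never appear as "Listening", and that a plain text search for "139" also matches remote ports and ports such as 1390. This parser is an added example, not from the original article, and the sample output and addresses are constructed.

```python
# NetBIOS over TCP/IP services: name (UDP/137), datagram (UDP/138), session (TCP/139).
NETBIOS = {("UDP", "137"): "name service", ("UDP", "138"): "datagram service",
           ("TCP", "139"): "session service"}

def netbios_exposure(netstat_text):
    """Return (proto, local scope, service, state) for each local NetBIOS socket."""
    findings = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 3 or cols[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        addr, _, port = cols[1].rpartition(":")  # rpartition copes with [::]:139
        service = NETBIOS.get((cols[0], port))
        if service is None:
            continue  # also skips rows where 139 is only the remote port
        # UDP is connectionless, so netstat shows no State for it.
        state = cols[3] if len(cols) > 3 else "BOUND"
        scope = "all interfaces" if addr in ("0.0.0.0", "[::]") else addr
        findings.append((cols[0], scope, service, state))
    return findings

# Constructed `netstat -a -n` output for illustration.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.56.10:139      0.0.0.0:0              LISTENING
  TCP    192.168.56.10:139      192.168.56.77:50211    ESTABLISHED
  TCP    192.168.56.10:49731    192.168.56.20:139      ESTABLISHED
  TCP    192.168.56.10:1390     192.168.56.20:443      ESTABLISHED
  UDP    192.168.56.10:137      *:*
  UDP    192.168.56.10:138      *:*
"""

if __name__ == "__main__":
    for row in netbios_exposure(NETSTAT_SAMPLE):
        print(*row, sep="  ")
```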

Perform a vulnerability scan:

Use a network vulnerability scanning tool, such as Nessus, OpenVAS, or Qualys, to scan your computer or network for NetBIOS-related vulnerabilities. These tools can identify if your system is exposed to known NetBIOS vulnerabilities.

Monitor network traffic:

You can use network monitoring tools, such as Wireshark, to capture and analyze network traffic. Look for any suspicious NetBIOS-related activity or unexpected connections.

Here I am using Microsoft Network Monitor to check for NetBIOS ports 137, 138 and 139.

You will need to install Microsoft Network Monitor and configure the filter for those specific ports:

tcp.port == 137 OR Payloadheader.LowerProtocol.port == 137
OR tcp.port == 138 OR Payloadheader.LowerProtocol.port == 138
OR tcp.port == 139 OR Payloadheader.LowerProtocol.port == 139

If you find that NetBIOS is enabled and open to the internet or untrusted networks, it is recommended to disable or block NetBIOS services if they are not required. Additionally, keep your operating system and security software up to date, use strong passwords, and follow security best practices to protect your system from potential NetBIOS attacks.

Article information

Author: Lidia Grady
