137-138-139 - Netbios

💡 学习提示: 本文档介绍 137-138-139 - NetBIOS 的渗透测试方法,适合信息安全初学者和从业人员参考。

⚠️ 法律声明: 本文档仅供学习和授权测试使用。未经授权的系统测试可能违反法律法规。

⚠️ 法律声明: 本文档仅供学习和授权测试使用。未经授权的系统测试可能违反法律法规。

137,138,139 - 渗透测试 NetBios

NetBios Name 服务

NetBIOS Name 服务 plays a crucial role, involving various services such as name registration and resolution, datagram distribution, and session services, utilizing specific ports for each service.

From Wikidepia:

  • Name service for name registration and resolution (ports: 137/udp and 137/tcp).
  • Datagram distribution service for connectionless communication (port: 138/udp).
  • Session service for connection-oriented communication (port: 139/tcp).

Name 服务

For a device to participate in a NetBIOS network, it must have a unique name. This is achieved through a broadcast process where a “Name Query” packet is sent. If no objections are received, the name is considered available. Alternatively, a Name 服务 server can be queried directly to check for name availability or to resolve a name to an IP address. Tools like nmblookup, nbtscan, and nmap are utilized for enumerating NetBIOS services, revealing server names and MAC addresses.

PORT    STATE SERVICE    VERSION
137/udp open  netbios-ns Samba nmbd netbios-ns (workgroup: WORKGROUP)

Enumerating a NetBIOS service you can obtain the names the server is using and the MAC address of the server.

nmblookup -A <IP>
nbtscan <IP>/30
sudo nmap -sU -sV -T4 --script nbstat.nse -p137 -Pn -n <IP>

Datagram Distribution 服务

NetBIOS datagrams allow for connectionless communication via UDP, supporting direct messaging or broadcasting to all network names. This service uses port 138/udp.

PORT    STATE         SERVICE     VERSION
138/udp open|filtered netbios-dgm

Session 服务

For connection-oriented interactions, the Session 服务 facilitates a conversation between two devices, leveraging TCP connections through port 139/tcp. A session begins with a “Session Request” packet and can be established based on the response. The service supports larger messages, error detection, and recovery, with TCP handling flow control and packet retransmission.

Data transmission within a session involves Session Message packets, with sessions being terminated by closing the TCP connection.

These services are integral to NetBIOS functionality, enabling efficient communication and resource sharing across a network. For more information on TCP and IP protocols, refer to their respective TCP Wikipedia and IP Wikipedia pages.

PORT      STATE SERVICE      VERSION
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn

Read the next page to learn how to enumerate this service:

137-138-139-pentesting-netbios.md

HackTricks Automatic Commands

Protocol_Name: Netbios    #Protocol Abbreviation if there is one.
Port_Number:  137,138,139     #Comma separated if there is more than one.
Protocol_Description: Netbios         #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for NetBios
  Note: |
    Name service for name registration and resolution (ports: 137/udp and 137/tcp).
    Datagram distribution service for connectionless communication (port: 138/udp).
    Session service for connection-oriented communication (port: 139/tcp).

    For a device to participate in a NetBIOS network, it must have a unique name. This is achieved through a broadcast process where a "Name Query" packet is sent. If no objections are received, the name is considered available. Alternatively, a Name Service server can be queried directly to check for name availability or to resolve a name to an IP address.

    https://book.hacktricks.wiki/en/network-services-pentesting/137-138-139-pentesting-netbios.html

Entry_2:
  Name: Find Names
  Description: Three scans to find the names of the server
  Command: nmblookup -A {IP} &&&& nbtscan {IP}/30 &&&& nmap -sU -sV -T4 --script nbstat.nse -p 137 -Pn -n {IP}

搜索引擎语法

FOFA

# FOFA 搜索语法
port="137-138-139"

Shodan

# Shodan 搜索语法
port:137-138-139

ZoomEye

# ZoomEye 搜索语法
port:137-138-139

📖 参考资料