How To: Enumerate NetBIOS Shares with NBTScan & Nmap Scripting Engine

NetBIOS is a service that allows for communication over a network and is often used to join a domain and legacy applications. It is an older technology but still used in some environments today. Since it is an unsecured protocol, it can often be a good starting point when attacking a network. Scanning for NetBIOS shares with NBTScan and the Nmap Scripting Engine is a good way to begin.

To run through this technique, we'll be using Metasploitable 2, an intentionally vulnerable virtual machine, as our target machine. We will be attacking it with Kali Linux, the go-to distro for hackers and pentesters alike.

Overview of NetBIOS

NetBIOS, which stands for network basic input/output system, is a service that allows computers to communicate over a network. However, NetBIOS is not a networking protocol, it is an API. It runs over TCP/IP via the NBT protocol, allowing it to function on modern networks.

NetBIOS provides two primary communication methods. The datagram service allows for connectionless communication over a network, ideal for situations where fast transmission is preferred, such as error generation. The session service, on the other hand, allows two computers to establish a connection for reliable communication. NetBIOS also provides name services which allow for name resolution and registration over the network.

The primary way attackers exploit NetBIOS is through poisoning attacks, which occur when the attacker is on the network and spoofs another machine in order to control and misdirect traffic. An attacker can also obtain the hashed credentials of a user at this point to crack later on.

Scanning with NBTScan

NBTScan is a command line tool used for scanning networks to obtain NetBIOS shares and name information. It can run on both Unix and Windows and ships with Kali Linux by default.

The first thing we can do is print the help, which will give us all the usage options and some examples for scanning networks. Simply type nbtscan at the prompt.

nbtscan

NBTscan version 1.5.1. Copyright (C) 1999-2003 Alla Bezroutchko.
This is a free software and it comes with absolutely no warranty.
You can use, distribute and modify it under terms of GNU GPL.

Usage:
nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename)|(<scan_range>)
	-v		verbose output. Print all names received
			from each host
	-d		dump packets. Print whole packet contents.
	-e		Format output in /etc/hosts format.
	-l		Format output in lmhosts format.
			Cannot be used with -v, -s or -h options.
	-t timeout	wait timeout milliseconds for response.
			Default 1000.
	-b bandwidth	Output throttling. Slow down output
			so that it uses no more that bandwidth bps.
			Useful on slow links, so that ougoing queries
			don't get dropped.
	-r		use local port 137 for scans. Win95 boxes
			respond to this only.
			You need to be root to use this option on Unix.
	-q		Suppress banners and error messages,
	-s separator	Script-friendly output. Don't print
			column and record headers, separate fields with separator.
	-h		Print human-readable names for services.
			Can only be used with -v option.
	-m retransmits	Number of retransmits. Default 0.
	-f filename	Take IP addresses to scan from file filename.
			-f - makes nbtscan take IP addresses from stdin.
	<scan_range>	what to scan. Can either be single IP
			like 192.168.1.1 or
			range of addresses in one of two forms:
			xxx.xxx.xxx.xxx/xx or xxx.xxx.xxx.xxx-xxx.
Examples:
	nbtscan -r 192.168.1.0/24
		Scans the whole C-class network.
	nbtscan 192.168.1.25-137
		Scans a range from 192.168.1.25 to 192.168.1.137
	nbtscan -v -s : 192.168.1.0/24
		Scans C-class network. Prints results in script-friendly
		format using colon as field separator.
		Produces output like that:
		192.168.0.1:NT_SERVER:00U
		192.168.0.1:MY_DOMAIN:00G
		192.168.0.1:ADMINISTRATOR:03U
		192.168.0.2:OTHER_BOX:00U
		...
	nbtscan -f iplist
		Scans IP addresses specified in file iplist.

The most basic way to run this tool is to give it a range of IP addresses. In this case, there is only one machine on the network so I will give its IP address as an example.

nbtscan 172.16.1.102

Doing NBT name scan for addresses from 172.16.1.102

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
172.16.1.102     METASPLOITABLE   <server>  METASPLOITABLE   00:00:00:00:00:00

Here, we can see the IP address, the NetBIOS display name, the server if applicable, the user, and the MAC address of the target. Please note that machines running Samba will sometimes return all zeros as the MAC address in response to the query.

We can get a little more information by setting verbose output with the -v flag.

nbtscan 172.16.1.102 -v

Doing NBT name scan for addresses from 172.16.1.102

NetBIOS Name Table for Host 172.16.1.102:

Incomplete packet, 335 bytes long.
Name             Service          Type
----------------------------------------
METASPLOITABLE   <00>             UNIQUE
METASPLOITABLE   <03>             UNIQUE
METASPLOITABLE   <20>             UNIQUE
METASPLOITABLE   <00>             UNIQUE
METASPLOITABLE   <03>             UNIQUE
METASPLOITABLE   <20>             UNIQUE
__MSBROWSE__  <01>              GROUP
WORKGROUP        <00>              GROUP
WORKGROUP        <1d>             UNIQUE
WORKGROUP        <1e>              GROUP
WORKGROUP        <00>              GROUP
WORKGROUP        <1d>             UNIQUE
WORKGROUP        <1e>              GROUP

Adapter address: 00:00:00:00:00:00
----------------------------------------

We can see some services and their types. This is sort of jumbled, which brings us to the next option, which will print the services in human-readable form. Use the -h flag along with the -v option.

nbtscan 172.16.1.102 -vh

Doing NBT name scan for addresses from 172.16.1.102

NetBIOS Name Table for Host 172.16.1.102:

Incomplete packet, 335 bytes long.
Name             Service          Type
----------------------------------------
METASPLOITABLE   Workstation Service
METASPLOITABLE   Messenger Service
METASPLOITABLE   File Server Service
METASPLOITABLE   Workstation Service
METASPLOITABLE   Messenger Service
METASPLOITABLE   File Server Service
__MSBROWSE__  Master Browser
WORKGROUP        Domain Name
WORKGROUP        Master Browser
WORKGROUP        Browser Service Elections
WORKGROUP        Domain Name
WORKGROUP        Master Browser
WORKGROUP        Browser Service Elections

Adapter address: 00:00:00:00:00:00
----------------------------------------

Now we can see a bit more information that might prove to be useful. We can also set the -d flag to dump the contents of the entire packet.

nbtscan 172.16.1.102 -d

Doing NBT name scan for addresses from 172.16.1.102

Packet dump for Host 172.16.1.102:

Incomplete packet, 335 bytes long.
Transaction ID: 0x00a0 (160)
Flags: 0x8400 (33792)
Question count: 0x0000 (0)
Answer count: 0x0001 (1)
Name service count: 0x0000 (0)
Additional record count: 0x0000 (0)
Question name:  CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Question type: 0x0021 (33)
Question class: 0x0001 (1)
Time to live: 0x00000000 (0)
Rdata length: 0x0119 (281)
Number of names: 0x0d (13)
Names received:
METASPLOITABLE    Service: 0x00 Flags: 0x0004
METASPLOITABLE    Service: 0x03 Flags: 0x0004
METASPLOITABLE    Service: 0x20 Flags: 0x0004
METASPLOITABLE    Service: 0x00 Flags: 0x0004
METASPLOITABLE    Service: 0x03 Flags: 0x0004
METASPLOITABLE    Service: 0x20 Flags: 0x0004
__MSBROWSE__   Service: 0x01 Flags: 0x0084
WORKGROUP         Service: 0x00 Flags: 0x0084
WORKGROUP         Service: 0x1d Flags: 0x0004
WORKGROUP         Service: 0x1e Flags: 0x0084
WORKGROUP         Service: 0x00 Flags: 0x0084
WORKGROUP         Service: 0x1d Flags: 0x0004
WORKGROUP         Service: 0x1e Flags: 0x0084

...

This provides packet data used in the query. Note that this cannot be used with the -v or -h options.

If you have a list of IP addresses you wish to scan stored in a file, the -f flag can be used to specify the input file to read from. Again, in this case, there is only one machine on the network so only that one shows up during our scan.

nbtscan -f addresses.txt

Doing NBT name scan for addresses from addresses.txt

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
172.16.1.102     METASPLOITABLE   <server>  METASPLOITABLE   00:00:00:00:00:00

Conversely, if we wanted to store the output of any scan, simply append the name of the file we want to write to.

nbtscan 172.16.1.102 > scan.txt

Scanning with Nmap Scripting Engine

Nmap contains a handy little script as part of the Nmap Scripting Engine that we can also use to discover NetBIOS shares. This has the advantage that it can be ran with other NSE scripts, ultimately saving time when enumerating many different things on a network.

We will run Nmap in the usual way, and the nbstat script will complete at the end. Here, I am using the -sV option to probe ports for running services and their version, along with the -v flag for verbose output. Specify the script to use and we are good to go.

nmap -sV 172.16.1.102 --script nbstat.nse -v

Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-14 14:12 CST
NSE: Loaded 44 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:12
Completed NSE at 14:12, 0.00s elapsed
Initiating NSE at 14:12
Completed NSE at 14:12, 0.00s elapsed
Initiating ARP Ping Scan at 14:12
Scanning 172.16.1.102 [1 port]
Completed ARP Ping Scan at 14:12, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:12
Completed Parallel DNS resolution of 1 host. at 14:12, 13.00s elapsed
Initiating SYN Stealth Scan at 14:12
Scanning 172.16.1.102 [1000 ports]

...

Host script results:
| nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   METASPLOITABLE<00>   Flags: <unique><active>
|   METASPLOITABLE<03>   Flags: <unique><active>
|   METASPLOITABLE<20>   Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|_  WORKGROUP<1e>        Flags: <group><active>

Nmap starts and runs the usual scanning, and then near the end, we can finally see the host script results. This appears similar to one of the scans we ran earlier, but it never hurts to be knowledgeable of different ways to accomplish the same task.

How to Prevent NetBIOS Enumeration

Fortunately for all the administrators out there, there is a pretty easy solution to protect against unauthorized scanning of NetBIOS shares, and that is to simply disable NetBIOS. There are some scenarios where disabling this could break things, such as when certain legacy applications completely depend on it, but more often than not there will be better solutions available and it will be fine to disable it.

If you absolutely need to have NetBIOS enabled, be aware of common default naming conventions. On certain versions of Windows C$ or ADMIN$ are common names and should be avoided if possible. The good news for all you hackers out there is you can be aware and look for these.

Wrapping Up

In this tutorial, we learned about the NetBIOS service and how it could be leveraged into an attack. We performed scanning to enumerate open shares with NBTScan, a simple command line tool, and then learned how to use an Nmap script to do the same. NetBIOS may be an older technology, but it is still found in corporate environments today. It can often be a good jumping off point after recon, so it's good to know how to identify it.

• Follow Null Byte on Twitter, Flipboard, and YouTube
• Sign up for Null Byte's weekly newsletter
• Follow WonderHowTo on Facebook, Twitter, Pinterest, and Flipboard