CEH


134 Chapter 6 ■ Enumeration of Services


One step in gaining a foothold on a Windows system is exploiting the NetBIOS API.
This service was originally intended to assist in accessing resources on a local area
network (LAN) only. The service was designed to use 16-character names, with the first
15 characters identifying the machine and the last character representing a service or item
on the machine itself. NetBIOS has proven to be a blessing to some and a curse to others.
Let's look at why.

NetBIOS was originally developed by Sytek and IBM many years ago for
the LANs that were available at the time. Due to the design of the protocol
and the evolution of networks, the service is no longer preferred.

An attacker who is using certain tools and techniques (more on this in a moment) can
extract quite a bit of information from NetBIOS. Using scanning techniques, an attacker
can sweep a system, find port 139 open, and know that this port is commonly associated
with NetBIOS. Once the port has been identified, they can attempt to view or access
information such as file shares, printer sharing, usernames, group information, or other
goodies that may prove helpful.
One of the many tools that can be used to work with NetBIOS is the command-line utility
nbtstat. This utility can display information, including name tables and protocol statistics,
for local or remote systems. Included with every version of the Windows operating system,
nbtstat can assist in network troubleshooting and maintenance. It is specifically designed to
troubleshoot name resolution issues that are a result of the NetBIOS service. During normal
operation, a service in Windows known as NetBIOS over TCP/IP will resolve NetBIOS
names to IP addresses. nbtstat is designed to locate problems with this service.
In addition, the utility has the ability to return names (if any) registered with the Windows
Internet Naming Service (WINS).

Tasks You Can Do with nbtstat
Run the nbtstat command as follows to return the name table on a remote system:
nbtstat.exe -a <netbios name of remote system>

The -A switch can be used to return the same list of addresses and NetBIOS names when
you know the target's IP address rather than its name. The command line that uses this
option would look like the following if the targeted system had an IP address of 192.168.1.10:
nbtstat -A 192.168.1.10

The nbtstat command can do much more than these two functions. The following is a
partial listing of the options available with the nbtstat command:
■ -a Returns the NetBIOS name table and media access control (MAC) address of
the network adapter for the computer name specified
■ -A Lists the same information as -a when given the target's IP address
■ -c Lists the contents of the NetBIOS name cache
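The name table that nbtstat -a and -A print is where the 16-character name layout described earlier becomes visible: the same machine name appears several times, each row differing only in the suffix byte shown in angle brackets, and that suffix is what tells you which service registered the name. The following Python example, added here and not part of the book or of nbtstat itself, parses a constructed copy of that output into structured records, decodes the common suffixes, builds the raw 16-byte name, and summarizes what the host is advertising (file sharing, domain-controller role, browser role) the way a defender would during an inventory. The table layout and MAC-address line follow the format Windows nbtstat prints; the sample text is constructed, not captured from a real host, and the set of suffix meanings is limited to well-documented values.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Well-documented meanings of the 16th byte (service suffix) of a NetBIOS name.
# A 16-byte name is 15 bytes of machine/group name plus this one suffix byte.
SUFFIX_MEANINGS: Dict[Tuple[int, str], str] = {
    (0x00, "UNIQUE"): "Workstation service (computer name)",
    (0x00, "GROUP"): "Domain or workgroup name",
    (0x03, "UNIQUE"): "Messenger service",
    (0x1B, "UNIQUE"): "Domain master browser",
    (0x1C, "GROUP"): "Domain controllers",
    (0x1D, "UNIQUE"): "Master browser",
    (0x1E, "GROUP"): "Browser service elections",
    (0x20, "UNIQUE"): "Server service (file and printer sharing)",
}

# One row of the "NetBIOS Remote Machine Name Table", e.g.
#     FILESRV01      <20>  UNIQUE      Registered
NAME_LINE = re.compile(
    r"^\s*(?P<name>\S+)\s+<(?P<suffix>[0-9A-Fa-f]{2})>\s+(?P<kind>UNIQUE|GROUP)\s+(?P<status>\w+)"
)
MAC_LINE = re.compile(r"MAC Address\s*=\s*(?P<mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})")


@dataclass
class NameEntry:
    name: str     # first 15 characters: the machine or group name
    suffix: int   # 16th byte: which service registered the name
    kind: str     # UNIQUE (one host) or GROUP (several hosts share it)
    status: str   # Registered, Conflict, ...
    meaning: str  # decoded from SUFFIX_MEANINGS, or "Unknown"


def to_16_byte_name(name: str, suffix: int) -> bytes:
    """Build the raw 16-byte NetBIOS name: the name space-padded to 15 bytes
    followed by the single service suffix byte."""
    if len(name) > 15:
        raise ValueError("NetBIOS names carry at most 15 characters")
    return name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])


def parse_nbtstat(text: str) -> Tuple[List[NameEntry], Optional[str]]:
    """Parse the text printed by 'nbtstat -A <ip>' (or -a <name>) into
    structured entries plus the reported MAC address, if present."""
    entries: List[NameEntry] = []
    mac: Optional[str] = None
    for line in text.splitlines():
        m = NAME_LINE.match(line)
        if m:
            suffix = int(m.group("suffix"), 16)
            kind = m.group("kind")
            entries.append(NameEntry(
                name=m.group("name"),
                suffix=suffix,
                kind=kind,
                status=m.group("status"),
                meaning=SUFFIX_MEANINGS.get((suffix, kind), "Unknown"),
            ))
            continue
        m = MAC_LINE.search(line)
        if m:
            mac = m.group("mac").upper()
    return entries, mac


def summarize(entries: List[NameEntry]) -> Dict[str, object]:
    """Turn the raw table into the facts a defender checks during an
    inventory: which names are hosts, which are groups, and which services
    the host is advertising over NetBIOS."""
    return {
        "hosts": {e.name for e in entries if e.kind == "UNIQUE" and e.suffix == 0x00},
        "groups": {e.name for e in entries if e.kind == "GROUP" and e.suffix == 0x00},
        "file_sharing": any(e.kind == "UNIQUE" and e.suffix == 0x20 for e in entries),
        "domain_controller": any(e.kind == "GROUP" and e.suffix == 0x1C for e in entries),
        "master_browser": any(e.suffix == 0x1D for e in entries),
    }


# Constructed sample in the layout nbtstat prints; not captured from a real host.
SAMPLE_OUTPUT = """
           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    FILESRV01      <00>  UNIQUE      Registered
    CORP           <00>  GROUP       Registered
    FILESRV01      <20>  UNIQUE      Registered
    CORP           <1E>  GROUP       Registered
    CORP           <1D>  UNIQUE      Registered

    MAC Address = 00-0c-29-ab-cd-ef
"""

if __name__ == "__main__":
    found, mac_addr = parse_nbtstat(SAMPLE_OUTPUT)
    for e in found:
        print(f"{e.name:<15} <{e.suffix:02X}> {e.kind:<6} {e.meaning}")
    print("MAC:", mac_addr)
    print(summarize(found))
```

Feeding the real output of nbtstat -A into parse_nbtstat gives the same structure, which makes it easy to diff what a host advertises over NetBIOS against what it is supposed to expose; a <20> entry on a workstation that should not be sharing files, or a stray <1C> group name, is the kind of finding this check surfaces.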