The NetBIOS name service is accessible through UDP port 137. In particular, the service can process NetBIOS Name Table (NBT) requests, commonly found in environments where Windows is being used along with workgroups, domains, or Active Directory components.

9.3.1 Enumerating System Details

You can easily enumerate the following system details by querying the name service:
The built-in Windows nbtstat command can enumerate these details remotely. Example 9-13 shows how it can be run against 192.168.189.1.

Example 9-13. Using nbtstat to dump the NetBIOS name table

    C:\> nbtstat -A 192.168.189.1

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    WEBSERV        <00>  UNIQUE      Registered
    WEBSERV        <20>  UNIQUE      Registered
    OSG-WHQ        <00>  GROUP       Registered
    OSG-WHQ        <1E>  GROUP       Registered
    OSG-WHQ        <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    WEBSERV        <03>  UNIQUE      Registered
    __VMWARE_USER__<03>  UNIQUE      Registered
    ADMINISTRATOR  <03>  UNIQUE      Registered

    MAC Address = 00-50-56-C0-A2-09

The output in Example 9-13 shows that the hostname is WEBSERV, the domain is OSG-WHQ, and two current users are __vmware_user__ and Administrator. Table 9-3 lists common NetBIOS name codes and descriptions.
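To audit what a host discloses to anyone who can reach UDP port 137, the name table from Example 9-13 can be classified by suffix code and type. The following is an added example, not code from the original text; the function name summarize is hypothetical, the sample rows are constructed from Example 9-13, and the suffix meanings used are the standard NetBIOS assignments (<00> workstation, <03> messenger, <20> file server, <1D> master browser).

```python
import re

# Constructed sample: the name table rows from Example 9-13.
SAMPLE = """\
WEBSERV        <00>  UNIQUE      Registered
WEBSERV        <20>  UNIQUE      Registered
OSG-WHQ        <00>  GROUP       Registered
OSG-WHQ        <1E>  GROUP       Registered
OSG-WHQ        <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered
WEBSERV        <03>  UNIQUE      Registered
__VMWARE_USER__<03>  UNIQUE      Registered
ADMINISTRATOR  <03>  UNIQUE      Registered
MAC Address = 00-50-56-C0-A2-09
"""

# name, two-digit hex suffix, registration type; the name may touch the "<".
ROW = re.compile(
    r"^\s*(?P<name>.+?)\s*<(?P<code>[0-9A-Fa-f]{2})>\s+(?P<type>UNIQUE|GROUP)\s+\S+")
MAC = re.compile(r"MAC Address = ([0-9A-Fa-f-]{17})")


def summarize(text):
    """Return what an unauthenticated NBT query reveals about one host."""
    rows = [(m["name"], m["code"].upper(), m["type"])
            for m in map(ROW.match, text.splitlines()) if m]

    def names(code, kind):
        return [n for n, c, t in rows if (c, t) == (code, kind)]

    hosts = names("00", "UNIQUE")      # workstation service: the hostname
    mac = MAC.search(text)
    return {
        "hostname": hosts[0] if hosts else None,
        # <00> GROUP is the domain or workgroup the host has joined.
        "domain": next(iter(names("00", "GROUP")), None),
        # <03> UNIQUE is registered for the host itself and for each
        # logged-on user, so drop the hostname to leave account names.
        "users": sorted(n for n in names("03", "UNIQUE") if n not in hosts),
        "file_sharing": bool(names("20", "UNIQUE")),    # server service
        "master_browser": bool(names("1D", "UNIQUE")),
        "mac": mac.group(1) if mac else None,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key:15} {value}")
```

Any non-empty result for a host reachable from a nontrusted network is a finding in itself, since none of these fields require authentication to read.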
9.3.2 Attacking the NetBIOS Name Service

The NetBIOS name service is vulnerable to a number of attacks if UDP port 137 is accessible from the Internet or a nontrusted network. MITRE CVE lists these issues, shown in Table 9-4.