Profiling an Operating System (Part 4)

If you would like to read the other parts in this article series please go to:

Profiling an operating system Part IV

A Microsoft Windows computer network is a very busy one. There is all kinds of traffic flying around the various computers. You may have heard that the NetBIOS protocols are quite chatty, and indeed they are. What we will be looking at in this article is the NetBIOS protocols and what they in turn will tell you about a computers role on a network. How we shall go about detecting this NebBIOS supplied information is via the NBTSTAT command available to you courtesy of a DOS prompt. Being able to gather this type of hard information is useful to you as a system administrator, for it will allow you to see your network as an attacker would.

In almost every corporate network ports 137, 138, 139, and 445 would be blocked at the border gateway. However they are unfiltered on almost every computer within the corporate intranet. This is needed so that computers can do what Microsoft Windows is very good at: sharing information. Well that sharing of information can come at a cost. There have been many statistics claimed about the amount of attacks that originate from a trusted insider ie: someone working at a company, who in turn attacks the network from within. While I won’t hazard a guess as to how high that percentage is, what we will look at is what type of information an internal attacker could gather to help further their aims.

NetBIOS and NBTSTAT

What we shall do now is use the NBTSTAT command to gather host information in an effort to profile it, and perhaps further a possible exploitation of computers on that network. On that note let’s get to it. We can see in the screenshot below that I am issuing the NBSTAT command.


Figure 1

The information of interest to us is contained within the table that contains the “Name”, “Type” and “Status”. The Name table is simple enough to understand as that is what the computer itself is named. We can see that “W2KLAB” is the computer’s NetBIOS name, and that its function is <00>. This table also tells us that the name of “W2KLAB” is also unique on that network. What does it all mean? Well for that let’s take a look at this link. We are now able to correlate our findings via NBTSTAT and break out the rather cryptic <00> numbers. In the case of <00> we now know that this denotes the computer “W2KLAB” as being a simple workstation. That, in and of itself, does not necessarily make it a high profile target from an internal attacker’s perspective.

Following that we have the “INet~Services <1C>  GROUP UNIQUE Registered” entry. What information can we pull from this which might help us were we an internal attacker? First off this computer is also called “INet~Services” and we know it has a NebBIOS suffix of <1C>. The NetBIOS suffix is the numerical designator assigned to the computer by the computers operating system itself. It is a means of identifying it and its role on the network. Via this information is also how an attacker can profile what computer is offering what services, if any. While “INet~Services” may sound a bit cryptic we can still use the NetBIOS suffix of <1C> to determine its role via the hyperlink I provided in the above paragraph. After having consulted the list, we now know that there is an Internet Information Services (IIS) server running on this computer. The “GROUP” entry tells us that it belongs to the “INet~Services” group, and the “UNIQUE” that the name is unique on that network. Lastly, this information has been registered on that network with the Primary Domain Controller (PDC), or Active Directory (AD) server.

We can see that there is a lot of information contained within the NBTSTAT response. The fields that are of most interest to a possible internal attacker, or internal pen-tester for that matter, are the “Name” and the NetBIOS suffix. I won’t go through the remainder of the NBTSTAT entries as it is fairly simple to do once you get the hang of it. Now what I shall do is use the NBTSTAT command against another Windows computer to see what it gives back, and also compare its output against the one we have up top. Please see the screenshot below for the output from another Windows computer.


Figure 2

In the NBTSTAT output seen above we note that the computers NetBIOS name is “WIN2K2” and that it is also a simple workstation as evidenced by the NetBIOS suffix of <00>. Also noted is that it is unique on the network, and lastly that it is registered. To further expand on the last sentence, you cannot have two computers with the same name on the network. As mentioned earlier, is that the NBTSTAT information is also registered with the domain controller for that network. Now moving onto the next entry we can see the NetBIOS suffix of <20>. Upon consulting the list at the hyperlink above we note that the “file server service” is running. What the heck is that? This is due to the fact that the computer is sharing files and has its TCP port 139 open. It is not because the computer is a file server. It can be confusing if you are not very familiar with Windows.

What else can we pull out of this NBTSTAT output? We can see that the computer belongs to a workgroup called “WORKGROUP” as a workstation, and that “WORKGROUP” is a “GROUP” as it is listed under the “Type” table. It is also registered as are all the entries. Another item of interest is that this computer is the “MSBROWSE” or master browser. This is the computer that then holds all of the information for that particular segment that it is on. What that means is that it knows what all the other computers are sharing in terms of files, as well as their NetBIOS names. In other words a treasure trove of information, for it is this that populates the “network neighborhood” on your Windows computer.

Wrap Up

While we only covered some of the entries on the second computers NBTSTAT output, it was enough to realize that there is indeed a great deal of information to be had by using such a command. This is why, as mentioned earlier, a corporate network would have the NetBIOS ports blocked at the gateway router, though opened internally. This would be no different for you as a home user. You would want to have a firewall installed and blocking external access to these ports of 137, 138, 139, and 445. They are however needed on your internal network if you want to successfully share files amongst your various computers. The NetBIOS protocols provide a core function on your Windows network. All you need to do is understand the risk of having them unprotected, and take appropriate measures to harden access to them. That would also include limiting access to them internally. This article has hopefully shed some light on the use and possible abuse of the NetBIOS protocols on your network. As always, I welcome your feedback and/or future article ideas. Till next time.

If you would like to read the other parts in this article series please go to:

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top