This article gives a brief account of what NetBIOS can tell us, and what kind of information it can provide to a potential attacker or pentester.
The reconnaissance techniques demonstrated here refer to internal networks, i.e. networks isolated from and inaccessible from the outside. As a rule, everyone, even the tiniest company, has such a network.
NetBIOS itself is typically used to obtain a network name, and that alone is enough to do at least four things.
Because NetBIOS can use UDP as a transport, its speed allows hosts to be detected in very large networks. For example, the nbtscan tool, included in the package of the same name, can resolve the addresses of the 192.168.0.0/16 network in just 2 seconds (fast enough that it can also bring a network down), while traditional TCP scanning takes tens of minutes. This can be used as a host-sweep technique in very large networks about which nothing is known before running nmap. Although the result does not guarantee 100% detection, since mostly Windows hosts respond and not all of them, it still shows roughly in which ranges live hosts are located.
The results of resolving names from IP addresses:
You can see that, apart from the fact that the name reveals the owner of the workstation (although this is not always the case), one of the addresses clearly stands out from the others: the name KALI was received. This behaviour is typical of Unix SMB/NetBIOS implementations, i.e. the Samba software package, or of very old Windows 2000.
Obtaining the name KALI while other hosts return <unknown> indicates a so-called null session, to which SMB servers on Linux are prone with default settings. A null session allows a completely anonymous client (we entered no password, as the screenshot shows) to obtain quite a bit of additional information, such as the local password policy, the list of local users and groups, and the list of shared resources (shares):
Often Linux SMB servers have publicly accessible shares, not only for reading but even for writing. The presence of either carries a variety of threats that are beyond the scope of this article.
NetBIOS also provides the names of all types that a workstation stores:
In this case it lets you know that the host is also a domain controller for the ARRIVA domain.
Also worth noting is that NetBIOS lets you obtain the MAC address, and unlike ARP queries, NetBIOS queries can go beyond the subnet. This can be useful if, for example, you need to find a notebook or specific hardware on the network knowing its manufacturer: since the first three octets of a MAC address identify the manufacturer (http://standards-oui.ieee.org/oui.txt), such NetBIOS queries can be sent to all known subnets to try to find the right device.
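As an added illustration (not code from the original article or from nbtscan), the following Python decodes a NetBIOS node-status reply, the packet type behind the name table and MAC address shown above, so an administrator can check what a host advertises. The reply bytes are constructed here with an assumed host name DC01 and an assumed MAC; the ARRIVA domain name comes from the text.

```python
import struct

NBSTAT = 0x0021  # NBNS "node status" resource record type (RFC 1002)
# Well-known suffixes (16th byte of a NetBIOS name) and what they advertise
SUFFIXES = {0x00: "workstation/domain", 0x1B: "domain master browser",
            0x1C: "domain controllers", 0x1D: "master browser", 0x20: "file server"}

def parse_node_status(packet: bytes) -> dict:
    """Decode an NBSTAT reply into its name table and the adapter MAC (UNIT_ID)."""
    trn_id, flags, qd, an, ns, ar = struct.unpack("!6H", packet[:12])
    if not flags & 0x8000 or an < 1:
        raise ValueError("not an NBNS response carrying an answer")
    pos = 12
    pos += 1 + packet[pos] + 1              # skip RR_NAME: length, 32 chars, terminator
    rr_type, _cls, _ttl, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
    pos += 10
    if rr_type != NBSTAT:
        raise ValueError(f"unexpected RR type 0x{rr_type:04x}")
    num_names = packet[pos]
    pos += 1
    names = []
    for _ in range(num_names):              # NODE_NAME entries are 18 bytes each
        entry = packet[pos:pos + 18]
        pos += 18
        nflags = struct.unpack("!H", entry[16:18])[0]
        names.append({"name": entry[:15].rstrip(b" \x00").decode("ascii", "replace"),
                      "suffix": entry[15],
                      "service": SUFFIXES.get(entry[15], "other"),
                      "group": bool(nflags & 0x8000),    # G bit: group (domain/workgroup)
                      "active": bool(nflags & 0x0400)})  # ACT bit
    mac = ":".join(f"{b:02x}" for b in packet[pos:pos + 6])  # STATISTICS.UNIT_ID
    return {"names": names, "mac": mac}

def sample_reply() -> bytes:
    """Constructed NBSTAT reply (not a capture): assumed host DC01, a DC for ARRIVA."""
    def entry(label, suffix, flags):
        return label.ljust(15).encode() + bytes([suffix]) + struct.pack("!H", flags)
    rdata = (bytes([4]) + entry("DC01", 0x00, 0x0400) + entry("ARRIVA", 0x00, 0x8400)
             + entry("DC01", 0x20, 0x0400) + entry("ARRIVA", 0x1C, 0x8400)
             + bytes.fromhex("0a0027000102") + bytes(40))  # UNIT_ID (MAC) + statistics
    rr_name = b"\x20" + b"CK" + b"AA" * 15 + b"\x00"       # first-level encoded '*'
    return (struct.pack("!6H", 0x1234, 0x8400, 0, 1, 0, 0) + rr_name
            + struct.pack("!HHIH", NBSTAT, 1, 0, len(rdata)) + rdata)

def is_domain_controller(packet: bytes):
    """Return the domain name if the name table holds a <1C> group entry, else None."""
    for n in parse_node_status(packet)["names"]:
        if n["suffix"] == 0x1C and n["group"]:
            return n["name"]
    return None
```

The `<1C>` group entry is what marks a host as a domain controller in the table; the `<00>` group entry is the workgroup or domain name discussed later in the article.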
Often, when moving through internal corporate networks, it is necessary to attack a workstation that is a member of the domain (for example, to raise privileges to the level of domain administrator), or the other way round. Here NetBIOS can help again:
In this case, all names of all types were obtained with NetBIOS. Among them you can see, in addition to the PC name (which was already received before), the workgroup name. By default on Windows it is usually something like WORKGROUP or IVAN-PC, but if the workstation is in a domain, its workgroup is the domain name.
Thus, with NetBIOS it is possible to find out whether a workstation is in a domain and, if so, which one.
If you want a list of domain hosts within a subnet, one broadcast request with the name of the desired domain is enough:
and all hosts that are members of this domain will respond.
Detect multihomed hosts
Finally, another probably little-known technique, which is simply indispensable for finding paths into protected, perhaps even physically isolated, networks. These could be the shop-floor networks of enterprises, full of controllers. For an intruder, access to such a network means an opportunity to influence the technological process; for the enterprise it means the risk of huge losses.
The point is that even if the network is isolated from the corporate network, some administrators, out of laziness or otherwise, like to bring up another network card on their PC to reach that network. All of this, of course, happens bypassing all the rules of the corporate firewalls. Convenient, yes, but not very safe: if you are hacked, you become the bridge into that network and bear the responsibility.
However, an intruder has one problem here: finding the very administrator who joined the protected network in such an illegal way. It is not an easy problem for the network security staff either; in large enterprises it is a real challenge, like finding a needle in a haystack.
In this situation there are two obvious options for an attacker:
- try to use each PC in the corporate subnet as a gateway to the required network. This would be very convenient, but is rarely the case, since IP forwarding on Windows hosts is almost always disabled. Moreover, such a check is only possible within one's own subnet and also requires the attacker to know an exact target address in the isolated network.
- try to log in remotely to each host and run the trivial command ipconfig/ifconfig. That is not so smooth either. Even if the attacker has obtained domain administrator rights, nobody has cancelled the network and local firewalls. So this task is not 100% automatable; it remains a painful walk through every host, overcoming the firewalls (which often block port 445/tcp), hoping finally to see the desired network interface.
However, everything is much simpler. There is one extremely simple trick that yields the list of network interfaces of a particular host. Let's say we have some host:
This is the reverse resolution, IP address → network name. If we now try to resolve directly, network name → IP address:
then we learn that this host is also (apparently) a gateway to some other network. Note that in this case the request was a broadcast; in other words, only hosts in the intruder's subnet will hear it.
If the target host is outside the subnet, a directed request can be sent:
In this case you can see that the target is outside the intruder's subnet. The -B option specifies that the request is sent to a specific address rather than to a broadcast one.
Now all that remains is to quickly collect this information from the entire subnet of interest rather than from a single address. A small Python script can be used for this:
And in a few seconds:
In this improvised case, the host that stands out is the one that would have been an attacker's first target if he were after the 172.16.1/24 network.
Repeated names on different IPs indicate that the host has two network cards, but on the same subnet. Note that NetBIOS does not disclose aliases (which can easily be computed through ARP queries as IPs with the same MAC); in this case the IP addresses have different MACs.
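An added audit helper, not the article's script, that applies the reverse/forward comparison described above to constructed lookup results for an assumed 172.16.1.0/24 subnet: a name that also answers from an address outside the subnet is flagged as a bridge, and repeated names inside the subnet are split into two adapters (different MACs) or an alias (same MAC, which NetBIOS alone does not reveal). Host names, addresses and MACs are all assumed.

```python
import ipaddress
from collections import defaultdict

# Constructed lookup results (not real scan output): REVERSE is ip -> (name, mac) from
# node-status queries to each subnet address; FORWARD is name -> every address answered.
REVERSE = {
    "172.16.1.10": ("ADMIN-PC", "00:11:22:33:44:10"),
    "172.16.1.20": ("FILESRV", "00:11:22:33:44:20"),
    "172.16.1.21": ("FILESRV", "00:11:22:33:44:21"),
    "172.16.1.30": ("WS-30", "00:11:22:33:44:30"),
    "172.16.1.31": ("WS-30", "00:11:22:33:44:30"),
    "172.16.1.40": ("WS-40", "00:11:22:33:44:40"),
}
FORWARD = {
    "ADMIN-PC": ["172.16.1.10", "10.50.0.7"],   # second address lies in another network
    "FILESRV": ["172.16.1.20", "172.16.1.21"],
    "WS-30": ["172.16.1.30"],                   # alias address is not disclosed by NetBIOS
    "WS-40": ["172.16.1.40"],
}

def audit_multihomed(subnet, reverse, forward):
    """Classify every name seen in the subnet: 'bridge' (also answers from an
    address outside the subnet), 'dual-nic' (several in-subnet addresses with
    different MACs), 'alias' (several addresses, one MAC) or 'single'."""
    net = ipaddress.ip_network(subnet)
    by_name = defaultdict(list)
    for ip, (name, mac) in reverse.items():
        by_name[name].append((ip, mac))
    report = {}
    for name, seen in by_name.items():
        outside = sorted(ip for ip in forward.get(name, [])
                         if ipaddress.ip_address(ip) not in net)
        macs = {mac for _, mac in seen}
        if outside:
            kind = "bridge"      # candidate path into the other network
        elif len(seen) > 1 and len(macs) > 1:
            kind = "dual-nic"    # two adapters on the same subnet
        elif len(seen) > 1:
            kind = "alias"       # one adapter, several addresses
        else:
            kind = "single"
        report[name] = {"kind": kind, "inside": sorted(ip for ip, _ in seen),
                        "outside": outside, "macs": sorted(macs)}
    return report

def find_bridges(subnet, reverse=REVERSE, forward=FORWARD):
    """Names of hosts that expose an interface in another network, sorted."""
    report = audit_multihomed(subnet, reverse, forward)
    return sorted(n for n, r in report.items() if r["kind"] == "bridge")
```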
Another example of using this method is public Wi-Fi. Sometimes you may find that, among guest devices, staff working in a closed corporate segment connect to the public network. Then, with the help of this reconnaissance technique, an attacker can very quickly chart his way into the closed network:
In this case, among 65 clients of the public Wi-Fi, there were two workstations with an additional interface, probably belonging to the corporate network.
Even where traffic on port 445/tcp is filtered between network segments or directly on the workstations, which prevents remote login (remote code execution), resolving names via NetBIOS uses port 137/udp, and deliberate blocking of that port is almost never encountered, because it greatly affects the convenience of the network: for example, the network neighbourhood may disappear, and so on.
As they say, enumeration is the key.
Is there protection against this? There is none, because this is not a vulnerability at all; it is just standard behaviour that Windows exhibits by default (on Linux the behaviour is slightly different). And if you have, without approval, bypassed the network routing rules and are sitting on a closed segment, an attacker will find you, and do so very quickly.