NBNS

Link: a very detailed write-up on NetBIOS and NBNS: https://zer1t0.gitlab.io/posts/attacking_ad/#netbios

About

NetBIOS Name Service is an obsolete protocol, but it is still running in some places

Runs over UDP (usually)

src/dst port 137

ΠŸΠΎΡΠΌΠΎΡ‚Ρ€Π΅Ρ‚ΡŒ записи Π½Π° локальной машинС:

C:\> nbtstat -n

Ethernet 2:
Node IpAddress: [192.168.100.10] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    WS01-10        <20>  UNIQUE      Registered
    WS01-10        <00>  UNIQUE      Registered
    CONTOSO        <00>  GROUP       Registered

It must be noted that, in the case of a broadcast request, any computer on the segment can respond to the query, so this allows an attacker to impersonate the real computer. This is one of the tactics used by responder.py and Inveigh to collect NTLM hashes.

Also, it must be taken into account that NBNS is only used if no other protocol can resolve the name request. The order of preference is the following:

  1. DNS

  2. mDNS

  3. LLMNR

  4. NBNS

Furthermore, it is possible to use this capability to perform a NetBIOS scan in a network and discover machines and services. This can be accomplished with nbtscan or nmap script nbtstat.nse, from both Windows or Linux.

root@debian10:~# nbtscan 192.168.100.0/24
192.168.100.2   CONTOSO\DC01                    SHARING DC
192.168.100.7   CONTOSO\WS02-7                  SHARING
*timeout (normal end of scan)
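To make the broadcast-query weakness above concrete, here is an added example (not code from the linked write-up or from nbtscan) that builds an NBNS NAME QUERY REQUEST and a POSITIVE NAME QUERY RESPONSE as defined in RFC 1002, parses the response, and performs the only validation a client has available: matching the transaction id and the queried name. The sample packets are constructed in memory for the WS01-10 host from the nbtstat output; nothing is sent on the network. The name encoding, flag values and record layout follow RFC 1001/1002; the host name, suffix and address are taken from the page.

```python
import socket
import struct

NBNS_PORT = 137          # NBNS uses UDP/137 for both source and destination
QTYPE_NB = 0x0020        # NetBIOS general name service resource record
QCLASS_IN = 0x0001
FLAGS_BROADCAST_QUERY = 0x0110   # opcode QUERY, RD=1, B=1 (broadcast)
FLAGS_POSITIVE_REPLY = 0x8580    # R=1, AA=1, RD=1, RA=1, RCODE=0


def encode_name(name, suffix=0x00):
    """First-level encoding (RFC 1001/1002): pad the name to 15 bytes with
    spaces, append the one-byte suffix (0x20 = file server service, 0x00 =
    workstation), then write each nibble as a letter 'A'..'P'.  The result
    is a 32-character label preceded by its length and followed by the
    root label, 34 bytes in total."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append((b >> 4) + 0x41)
        out.append((b & 0x0F) + 0x41)
    return b"\x20" + bytes(out) + b"\x00"


def decode_name(buf):
    """Inverse of encode_name(); returns (name, suffix) from a 34-byte label."""
    if buf[0] != 0x20 or buf[33] != 0x00:
        raise ValueError("not a 32-character NetBIOS label")
    body = buf[1:33]
    raw = bytes(((body[i] - 0x41) << 4) | (body[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_name_query(txid, name, suffix=0x20):
    """NAME QUERY REQUEST as a client broadcasts it once DNS, mDNS and LLMNR
    have failed: 12-byte header, one question, no other sections."""
    header = struct.pack(">HHHHHH", txid, FLAGS_BROADCAST_QUERY, 1, 0, 0, 0)
    question = encode_name(name, suffix) + struct.pack(">HH", QTYPE_NB, QCLASS_IN)
    return header + question


def build_name_response(txid, name, suffix, ip, group=False, ttl=300000):
    """POSITIVE NAME QUERY RESPONSE: one answer RR whose RDATA is a list of
    (NB_FLAGS, IPv4) pairs.  Nothing in this packet authenticates the sender,
    which is why any host on the segment can answer a broadcast query."""
    header = struct.pack(">HHHHHH", txid, FLAGS_POSITIVE_REPLY, 0, 1, 0, 0)
    nb_flags = 0x8000 if group else 0x0000          # G bit; ONT=00 (B-node)
    rdata = struct.pack(">H", nb_flags) + socket.inet_aton(ip)
    rr = (encode_name(name, suffix)
          + struct.pack(">HHIH", QTYPE_NB, QCLASS_IN, ttl, len(rdata))
          + rdata)
    return header + rr


def parse_name_response(pkt):
    """Parse a positive name query response into a dict."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F or an == 0:
        raise ValueError("negative response or no answer section")
    off = 12 + qd * (34 + 4)                # skip any echoed question entries
    name, suffix = decode_name(pkt[off:off + 34])
    off += 34
    rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
    off += 10
    addrs = []
    for i in range(0, rdlen, 6):
        nb_flags, = struct.unpack(">H", pkt[off + i:off + i + 2])
        addrs.append({"group": bool(nb_flags & 0x8000),
                      "ip": socket.inet_ntoa(pkt[off + i + 2:off + i + 6])})
    return {"txid": txid, "name": name, "suffix": suffix, "ttl": ttl,
            "addrs": addrs}


def validate_response(query, response):
    """The only checks a client can make: the transaction id and the name must
    match what was asked.  Returns a list of problems (empty means it passes).
    A spoofed answer from another host on the segment passes these checks."""
    problems = []
    q_txid = struct.unpack(">H", query[:2])[0]
    q_name, q_suffix = decode_name(query[12:46])
    r = parse_name_response(response)
    if r["txid"] != q_txid:
        problems.append("transaction id mismatch")
    if (r["name"], r["suffix"]) != (q_name, q_suffix):
        problems.append("answer is for a different name")
    return problems


if __name__ == "__main__":
    # Constructed sample: the workstation from the nbtstat output above answers
    # for its own <20> name.  No packets leave the host.
    query = build_name_query(0x1234, "WS01-10", 0x20)
    reply = build_name_response(0x1234, "WS01-10", 0x20, "192.168.100.10")
    print(parse_name_response(reply))
    print("problems:", validate_response(query, reply))
```

The point to take from validate_response() is that the 16-bit transaction id and the name are all a B-node client compares before trusting an answer, and an attacker on the same broadcast domain sees both in the request. Mitigation is therefore not better client-side checking but disabling NetBIOS over TCP/IP (and LLMNR) where nothing depends on it, and alerting on UDP/137 responses from hosts that are not expected to own those names.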
