NetBIOS - Network Basic Input/Output System
Some protocols cross the globe.
NetBIOS talks to its neighbors.
It is not about the internet.
It is about discovering and speaking with devices on a single local network.
What this page covers
- What NetBIOS is and what it does
- How it fits into the TCP/IP stack
- Where its data comes from
- How it is structured and used
- How it can be abused or defended
- Tools I use to explore it
This page is my reference for understanding NetBIOS as a legacy API, a local discovery service, and a treasure trove for reconnaissance.
What NetBIOS Actually Is
NetBIOS is an API that provides services allowing applications on separate computers to communicate over a local area network (LAN). It is not a networking protocol itself, but a framework for how applications can identify and connect to each other.
It is heavily associated with early Windows networking and was the foundation for file and printer sharing. It provides three key services:
- Name Service: For name registration and resolution.
- Session Service: For reliable, connection-oriented communication.
- Datagram Service: For unreliable, connectionless communication.
How NetBIOS Lives in the TCP/IP Stack
- OSI Layer: Session Layer (Layer 5)
- Transport: In modern networks, NetBIOS runs over TCP/IP. This is known as NBT or NetBIOS over TCP/IP.
- Ports:
  - 137/udp: NetBIOS Name Service (NBNS)
  - 138/udp: NetBIOS Datagram Service (NBDGM)
  - 139/tcp: NetBIOS Session Service (NBSSN)
Historically, NetBIOS ran on its own protocol (NBF), but its integration with TCP/IP is what kept it relevant in modern networks, often alongside SMB.
Where NetBIOS Data Comes From
NetBIOS traffic is generated by operating system services, especially in Windows environments, that need to interact with other devices on the LAN. This is triggered by:
- A computer starting up and announcing its name.
- Windows Explorer browsing the "Network" neighborhood.
- Applications attempting to access file shares or network printers by name.
- Legacy applications that rely on NetBIOS for session management.
How NetBIOS Works
NetBIOS provides its three services through distinct mechanisms:
- Name Service (Port 137): Allows a device to "claim" a unique 15-character name on the network. When one computer wants to find another, it broadcasts a query, asking "Who has this name?" The owner of the name then replies with its IP address.
- Datagram Service (Port 138): Provides a fast but unreliable way to send small messages to a single name or broadcast them to a group. There is no acknowledgment of receipt.
- Session Service (Port 139): Creates a reliable, connection-oriented link between two NetBIOS names, allowing for a stable conversation and larger data transfers. It handles error detection and recovery, much like a TCP connection.
NetBIOS and Security
NetBIOS is notoriously insecure and is a primary target during the internal reconnaissance phase of a penetration test.
- Information Leakage: It is a very "chatty" protocol. Through simple queries, an attacker can discover computer names, workgroups/domains, and logged-in usernames.
- Spoofing: Because name resolution is often done via unauthenticated broadcasts, it's possible for an attacker to impersonate a legitimate host.
- Null Sessions: Older systems allowed attackers to connect to the Session Service without credentials (a "null session"), which could be used to enumerate even more sensitive information.
Defenses include:
- Disable it: If not strictly required for a legacy application, NetBIOS over TCP/IP should be disabled. Modern networks can use DNS for all name resolution.
- Firewalls: Block ports 137, 138, and 139 at the network perimeter and between internal network segments where it's not needed.
- Host-based Firewalls: Configure personal firewalls on endpoints to restrict inbound NetBIOS traffic.
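Where NetBIOS cannot be switched off yet, the spoofing risk described above can at least be watched for. The following is an added example, not part of the original page: it parses positive name query responses captured on 137/udp (packet layout per RFC 1002) and reports unique names claimed by more than one responder, plus responders that answer for many names. The function names, the `many_names` threshold and the sample traffic are assumptions made for illustration.

```python
import struct
from collections import defaultdict

def encode_name(name, suffix=0x00):
    """RFC 1002 first-level encoding: 15 chars space-padded + 1 suffix byte -> 32 bytes."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    half = bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))
    return b"\x20" + half + b"\x00"

def parse_positive_response(pkt):
    """Return (name, suffix, is_group, [ipv4]) for a positive name query response, else None."""
    if len(pkt) < 62 or pkt[12] != 0x20:  # header + name + one NB record; no name pointers
        return None
    flags, _qd, ancount = struct.unpack("!HHH", pkt[2:8])
    rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[46:56])
    half, rdata = pkt[13:45], pkt[56:56 + rdlen]
    # need R=1 (response), OPCODE=0, RCODE=0, an answer, type NB, and valid A..P encoding
    if (not flags & 0x8000 or flags & 0x780F or ancount < 1 or rtype != 0x0020
            or len(rdata) < 6 or any(not 0x41 <= b <= 0x50 for b in half)):
        return None
    raw = bytes(((half[i] - 0x41) << 4) | (half[i + 1] - 0x41) for i in range(0, 32, 2))
    addrs = [".".join(map(str, rdata[i + 2:i + 6])) for i in range(0, len(rdata) - 5, 6)]
    return raw[:15].decode("latin-1").rstrip(), raw[15], bool(rdata[0] & 0x80), addrs

def find_suspects(observations, many_names=3):
    """observations: (source_ip, udp_payload) pairs seen on 137/udp."""
    owners, answered = defaultdict(set), defaultdict(set)
    for src, pkt in observations:
        parsed = parse_positive_response(pkt)
        if parsed and not parsed[2]:  # group names legitimately have several owners
            owners[parsed[:2]].add(src)
            answered[src].add(parsed[:2])
    contested = {n: sorted(s) for n, s in owners.items() if len(s) > 1}
    greedy = {s: len(n) for s, n in answered.items() if len(n) >= many_names}
    return contested, greedy

def make_response(name, ip, suffix=0x00, tid=1):  # builds constructed sample packets
    rdata = b"\x00\x00" + bytes(map(int, ip.split(".")))
    return (struct.pack("!HHHHHH", tid, 0x8500, 0, 1, 0, 0) + encode_name(name, suffix)
            + struct.pack("!HHIH", 0x0020, 1, 300, len(rdata)) + rdata)

SAMPLE = [  # constructed traffic: 192.168.1.66 also answers for FILESRV01 and two other names
    ("192.168.1.100", make_response("FILESRV01", "192.168.1.100", 0x20)),
    ("192.168.1.66", make_response("FILESRV01", "192.168.1.66", 0x20)),
    ("192.168.1.66", make_response("INTRANET", "192.168.1.66")),
    ("192.168.1.66", make_response("PRINTSRV", "192.168.1.66")),
]
```

Calling `find_suspects(SAMPLE)` returns the contested name with both responder addresses and the one host that answered for three names. Multi-homed hosts and name handovers can produce benign hits, so treat the output as a lead to verify, not a verdict.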
Tools I Use to Explore NetBIOS
nbtstat (Windows)
- A built-in Windows utility to display the NetBIOS name table and cache.
- Example:
nbtstat -A 192.168.1.100
nmap
- The Nmap scripting engine has powerful scripts for NetBIOS enumeration.
- Example:
nmap -sU -p 137 --script nbstat.nse 192.168.1.0/24
enum4linux
- A tool designed to enumerate information from Windows and Samba systems, which heavily leverages NetBIOS queries.
- Example:
enum4linux -a 192.168.1.100
These tools help me quickly map out the Windows systems on a local network and identify potentially valuable information.
Final Thought
NetBIOS is the town crier of a local network.
It loudly announces the name of every resident to anyone who will listen.
Useful in a trusted village, but a dangerous liability in a modern city full of strangers.
This page is my study of that voice.
Not just how NetBIOS works, but the secrets it tells and why it should usually be silenced.