
@sudosuraj
Last active February 18, 2025 05:11
What is NetBIOS? How is it used in penetration testing? Here is all you need to know about NetBIOS as a penetration tester.

NetBIOS (Network Basic Input/Output System) is a legacy protocol that still plays a role in many Windows networks. It handles several functions:

  • Name Servicing:
    NetBIOS allows computers to register and resolve 16-character names. This makes it possible to identify and communicate with devices on a local network using human-readable names.

  • Connectionless Communication:
    It supports communication methods that don’t require a sustained connection. This means messages can be sent without establishing a persistent link.

  • Session Layer Functions:
    While primarily associated with lower-level operations, NetBIOS also provides some session layer capabilities to manage communication sessions.

Additionally, Windows networks use a Browser Service based on NetBIOS. This service maintains a list of all machines within the domain or TCP/IP network segment, which can then be browsed by users in the “Network Neighborhood” or “My Network Places.”

NetBIOS Names

  • A NetBIOS name is a 16-character ASCII string that uniquely identifies a device on a network. In practice the first 15 characters carry the name (padded with spaces) and the 16th byte is a suffix that identifies the service registering it, which is why tools such as nbtstat show entries like WORKSTATION01 <20>.
  • This name allows systems to be recognized by human-friendly identifiers rather than just IP addresses.

Using nbtstat on Windows

The nbtstat command is a useful tool for enumerating NetBIOS information:

  • nbtstat (no options):
    Displays your own machine’s NetBIOS information, including the registered names and their status.
    Example:

    nbtstat

  • nbtstat -n:
    Shows the local NetBIOS name table. This table lists all the names your machine has registered (both unique and group names).
    Example:

    nbtstat -n

  • nbtstat -A IPADDRESS:
    Retrieves the NetBIOS name table of a remote computer by its IP address. This is helpful for identifying which NetBIOS names a remote host has registered.
    Example:

    nbtstat -A 192.168.1.10

  • nbtstat -c:
    Displays the contents of the local NetBIOS name cache. This cache holds recently resolved NetBIOS names from the network.
    Example:

    nbtstat -c
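As an added example (not part of the original gist), the following Python decodes the two NetBIOS name forms the "NetBIOS Names" section and the nbtstat -A entry above rely on: the 32-byte first-level encoding that name-service packets on UDP/137 carry, and the plain 15-character-plus-suffix entries that a Node Status response (the reply nbtstat -A displays) lists for each registered name. The response is assembled inline from the RFC 1002 layout so the code runs offline; the host names, domain, MAC address and transaction id are constructed, not taken from any real network.

```python
"""Decode NetBIOS names and a Node Status (NBSTAT) response, the reply that
nbtstat -A parses. Added example; the packet is constructed from the RFC 1002
layout (section 4.2.18) rather than captured from a real host."""
import struct

# Common 16th-byte suffixes (RFC 1001/1002 and Microsoft documentation).
SUFFIXES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x20: "File Server Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
}


def encode_netbios_name(name, suffix=0x00):
    """First-level encoding (RFC 1001 section 14.1): pad the name to 15 bytes
    with spaces, append the suffix byte, then write each nibble as 'A' + nibble.
    The result is the 32-byte label seen in name-service packets."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def decode_netbios_name(encoded):
    """Reverse first-level encoding: 32 bytes -> (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


# Constructed sample: registrations a domain-joined workstation typically announces.
SAMPLE_ENTRIES = [
    ("WORKSTATION01", 0x00, False),  # unique: Workstation Service
    ("WORKSTATION01", 0x20, False),  # unique: File Server Service (shares)
    ("CORPDOMAIN", 0x00, True),      # group: domain membership
    ("CORPDOMAIN", 0x1E, True),      # group: browser elections
]
SAMPLE_MAC = bytes.fromhex("001122334455")  # constructed, not a real adapter


def build_sample_node_status_response(entries, mac, trn_id=0x1234):
    """Assemble an NBSTAT response (constructed test data, RFC 1002 layout)."""
    header = struct.pack(">6H", trn_id, 0x8400, 0, 1, 0, 0)  # response + AA, one answer RR
    rr_name = b"\x20" + b"CK" + b"AA" * 15 + b"\x00"          # encoded wildcard name "*"
    rdata = bytes([len(entries)])                              # NUM_NAMES
    for name, suffix, is_group in entries:
        flags = 0x0400 | (0x8000 if is_group else 0)           # ACT bit, G bit for groups
        rdata += name.encode("ascii").ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", flags)
    rdata += mac + b"\x00" * 40                                # STATISTICS: UNIT_ID, zeroed counters
    rr_fixed = struct.pack(">HHIH", 0x0021, 0x0001, 0, len(rdata))  # type NBSTAT, class IN, TTL, RDLENGTH
    return header + rr_name + rr_fixed + rdata


def parse_node_status_response(pkt):
    """Parse an NBSTAT response into the name table and MAC that nbtstat -A prints."""
    trn_id, flags, _qd, _an, _ns, _ar = struct.unpack(">6H", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("not a response packet")
    off = 12
    while pkt[off] != 0:            # skip RR_NAME labels up to the 0x00 terminator
        off += 1 + pkt[off]
    off += 1
    rr_type, _rr_class, _ttl, _rdlength = struct.unpack(">HHIH", pkt[off:off + 10])
    off += 10
    if rr_type != 0x0021:
        raise ValueError("answer is not an NBSTAT record")
    num_names = pkt[off]
    off += 1
    names = []
    for _ in range(num_names):      # each NODE_NAME entry: 15 name bytes, suffix, 2 flag bytes
        suffix = pkt[off + 15]
        name_flags = struct.unpack(">H", pkt[off + 16:off + 18])[0]
        names.append({
            "name": pkt[off:off + 15].decode("ascii", "replace").rstrip(" "),
            "suffix": suffix,
            "service": SUFFIXES.get(suffix, "unknown"),
            "group": bool(name_flags & 0x8000),
            "active": bool(name_flags & 0x0400),
        })
        off += 18
    mac = pkt[off:off + 6]          # UNIT_ID at the start of STATISTICS
    return {"trn_id": trn_id, "names": names, "mac": "-".join(f"{b:02X}" for b in mac)}


def format_like_nbtstat(parsed):
    """Render the table in the layout nbtstat -A uses (name, suffix, type, status)."""
    lines = []
    for n in parsed["names"]:
        kind = "GROUP" if n["group"] else "UNIQUE"
        status = "Registered" if n["active"] else "Inactive"
        lines.append(f"{n['name']:<15} <{n['suffix']:02X}>  {kind:<6}  {status}")
    lines.append(f"MAC Address = {parsed['mac']}")
    return lines


if __name__ == "__main__":
    pkt = build_sample_node_status_response(SAMPLE_ENTRIES, SAMPLE_MAC)
    print("\n".join(format_like_nbtstat(parse_node_status_response(pkt))))
```

Reading the table this way makes the <00>/<20>/<1E> suffixes in nbtstat output meaningful: <20> means the host is offering file shares, and a <1E> group entry marks domain membership. The same response only arrives when the remote host has NetBIOS over TCP/IP enabled and UDP/137 is reachable, which is exactly the setting defenders disable on hosts that do not need it.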

Practical Implications

  • Enumeration:
    Network administrators and even penetration testers can use these commands to gather information about active devices, their roles, and shared resources on the network.

  • Security Considerations:
    Because NetBIOS can reveal sensitive information like shared resources and network structure, it can be exploited by attackers to map out the network and plan further attacks.
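An added example, not from the original gist, of what the security consideration above looks like from the defender's side: running nbtstat -A across a subnet produces a burst of UDP/137 requests from one source to many hosts, and that pattern stands out in flow or firewall logs even though each individual request is legitimate traffic. The log format, field names and addresses below are constructed for this example and do not follow any specific product's schema.

```python
"""Flag sources that query NetBIOS name service (UDP/137) on many distinct
hosts within a short window. Added example with constructed log lines; the
'src=... dst=... proto=... dport=...' format is an assumption, not a real schema."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed flow records. 10.0.0.5 sweeps eight hosts in nine seconds;
# 10.0.0.9 does ordinary name resolution; 10.0.0.40 queries six hosts but spread
# over 25 minutes; 10.0.0.20 is SMB traffic and is ignored; one line is malformed.
SAMPLE_LOG = """\
2025-02-18T10:00:01Z src=10.0.0.5 dst=10.0.0.7 proto=udp dport=137
2025-02-18T10:00:02Z src=10.0.0.5 dst=10.0.0.8 proto=udp dport=137
2025-02-18T10:00:03Z src=10.0.0.5 dst=10.0.0.9 proto=udp dport=137
2025-02-18T10:00:04Z src=10.0.0.5 dst=10.0.0.10 proto=udp dport=137
2025-02-18T10:00:05Z src=10.0.0.5 dst=10.0.0.11 proto=udp dport=137
2025-02-18T10:00:06Z src=10.0.0.5 dst=10.0.0.12 proto=udp dport=137
2025-02-18T10:00:07Z src=10.0.0.5 dst=10.0.0.13 proto=udp dport=137
2025-02-18T10:00:08Z src=10.0.0.5 dst=10.0.0.14 proto=udp dport=137
2025-02-18T10:00:09Z src=10.0.0.5 dst=10.0.0.7 proto=udp dport=137
2025-02-18T10:00:03Z src=10.0.0.9 dst=10.0.0.1 proto=udp dport=137
2025-02-18T10:05:10Z src=10.0.0.9 dst=10.0.0.2 proto=udp dport=137
2025-02-18T10:00:00Z src=10.0.0.40 dst=10.0.0.50 proto=udp dport=137
2025-02-18T10:05:00Z src=10.0.0.40 dst=10.0.0.51 proto=udp dport=137
2025-02-18T10:10:00Z src=10.0.0.40 dst=10.0.0.52 proto=udp dport=137
2025-02-18T10:15:00Z src=10.0.0.40 dst=10.0.0.53 proto=udp dport=137
2025-02-18T10:20:00Z src=10.0.0.40 dst=10.0.0.54 proto=udp dport=137
2025-02-18T10:25:00Z src=10.0.0.40 dst=10.0.0.55 proto=udp dport=137
2025-02-18T10:00:04Z src=10.0.0.20 dst=10.0.0.30 proto=tcp dport=445
this line is malformed and is skipped
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_flow_line(line):
    """Parse one constructed flow line; return None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": d["src"],
        "dst": d["dst"],
        "proto": d["proto"].lower(),
        "dport": int(d["dport"]),
    }


def find_netbios_sweeps(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {src: set_of_dsts} for sources that reached at least `threshold`
    distinct hosts on UDP/137 inside any sliding window of length `window`."""
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_flow_line(line)
        if ev and ev["proto"] == "udp" and ev["dport"] == 137:
            per_src[ev["src"]].append(ev)

    hits = {}
    for src, events in per_src.items():
        events.sort(key=lambda e: e["ts"])
        recent = deque()             # events currently inside the window
        counts = defaultdict(int)    # distinct destination -> occurrences in window
        for ev in events:
            recent.append(ev)
            counts[ev["dst"]] += 1
            while ev["ts"] - recent[0]["ts"] > window:   # evict events that aged out
                old = recent.popleft()
                counts[old["dst"]] -= 1
                if counts[old["dst"]] == 0:
                    del counts[old["dst"]]
            if len(counts) >= threshold:
                hits.setdefault(src, set()).update(counts)
    return hits


if __name__ == "__main__":
    for src, dsts in find_netbios_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"{src} queried NetBIOS name service on {len(dsts)} hosts within 60s: {sorted(dsts)}")
```

The sliding window is what separates a sweep from normal use: 10.0.0.40 also reaches six hosts, but over 25 minutes, so it is never flagged, while 10.0.0.5 crosses the threshold within seconds. Alongside this kind of detection, disabling NetBIOS over TCP/IP on hosts that do not need it and filtering UDP/137 and UDP/138 at segment boundaries removes most of the exposure the section describes.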
