NetBIOS Enumeration

Objectives: NetBIOS Enumeration

NetBIOS Enumeration - Full Notes

NetBIOS Enumeration – Full Notes

1. Introduction

NetBIOS Enumeration is the process of gathering preliminary information (reconnaissance) about Windows computers on a local network (LAN) without using any usernames or passwords. It leverages the NetBIOS over TCP/IP (NetBT) service, which allows Windows devices to communicate, share files, and identify their names on the network.

In cybersecurity, NetBIOS Enumeration is commonly used by:

  • Penetration Testers: To identify potential network vulnerabilities.
  • Attackers: To plan attacks.
  • Network Administrators: To identify and fix security risks.

2. What is NetBIOS?

NetBIOS (Network Basic Input/Output System) is an old technology used in Windows systems that allows devices to:

  • Identify computer names on the network
  • Share files and printers
  • Communicate via SMB services

NetBIOS uses the following ports:

  • UDP 137 – Name Service
  • UDP 138 – Datagram Service
  • TCP 139 – Session Service

NetBIOS works best on a single LAN because it relies on broadcast communication.

3. Main Goal of NetBIOS Enumeration

The primary goal of NetBIOS Enumeration is:

Discovering and gathering critical preliminary information about Windows computers on a LAN to understand the network structure and identify potential security weaknesses.

4. Information Gathered and Its Importance

4.1 Computer Name (NetBIOS Name)

Description: This is the name of the Windows machine on the network. Examples:

  • FINANCE-PC
  • HR-SERVER
  • DESKTOP-HP

Security Importance:

  • Shows the role of the machine (server or user PC)
  • Helps attackers know which machine is more valuable
Real-Life Example: Seeing office doors labeled "Finance Department" or "HR Department" – you know where sensitive information is located.

4.2 IP Address

Description: A unique number that identifies a device on the network. Example: 192.168.56.106

Security Importance:

  • Needed for direct communication with the target
  • Required for scanning or attacks
Real-Life Example: Like knowing the house address – you cannot visit it without knowing its location.

4.3 Workgroup or Domain

Description: Shows whether a computer belongs to a:

  • Workgroup (small network)
  • Domain (corporate network)

Security Importance:

  • Domains indicate Active Directory presence
  • Targets in domains are often more valuable for attacks
Real-Life Example: Workgroup = a small village, Domain = a large city with multiple institutions.

4.4 File Sharing Services (NetBIOS <20>)

Description: Indicates if the device allows file sharing via SMB.

Security Importance:

  • Files may be read or corrupted
  • Used to spread malware or ransomware
Real-Life Example: Like an unlocked door at a house – anyone can enter.

4.5 Shared Folders (net view)

Description: Folders shared with other users. Examples:

  • C$
  • SharedDocs
  • FinanceReports

Security Importance:

  • May contain sensitive information
  • Poor permissions increase risk
Real-Life Example: An office cabinet labeled "Open for Everyone".

4.6 User Information (Indirect)

Description: By analyzing computer names and domain information, attackers can guess usernames.

Security Importance:

  • Used in brute force or password spraying attacks
Real-Life Example: Knowing employee names before attempting to trick them into giving access.

4.7 Network Structure

Description: IP range indicates the network size and layout.

Security Importance:

  • Helps in planning attack steps
Real-Life Example: Like a building blueprint before entering inside.

4.8 Information Gathering Without Login

Description: NetBIOS allows information gathering without authentication.

Security Importance:

  • This is a major security risk
Real-Life Example: Reading company internal information without entering the building.

5. Tools Used in Lab

5.1 nbtstat

Windows command to query NetBIOS names and statistics.

nbtstat -a <IP>     // Shows NetBIOS name table of the target
nbtstat -c             // Shows NetBIOS cache
nbtstat -n             // Shows local NetBIOS names
nbtstat -r             // Shows NetBIOS name resolution statistics

5.2 net view

Lists Windows computers and their shared resources.

net view <IP>        // Displays shared folders on the target machine
net view /domain           // Lists computers in the domain

5.3 net use

Shows SMB connections.

net use \\<IP>\<ShareName>   // Connects to a shared folder
net use /delete                     // Disconnects a mapped network drive

6. Importance of This Lab in Cybersecurity

  • Builds foundation for penetration testing
  • Helps understand how attackers gather information
  • Helps administrators disable unsafe services

7. Conclusion

NetBIOS Enumeration is an essential preliminary step in network security. It demonstrates how sensitive information can be accessed easily if NetBIOS services and file sharing are not properly configured. Understanding this lab helps students, IT professionals, and penetration testers identify risks early and take actions to secure the network.

Reference Book: N/A

Author name: SIR H.A.Mwala Work email: biasharaboraofficials@gmail.com
#MWALA_LEARN Powered by MwalaJS #https://mwalajs.biasharabora.com
#https://educenter.biasharabora.com

:: 1::