NetBIOS is a service that allows applications on different devices, such as printers or other computers, to communicate over an Ethernet or Token Ring network using NetBIOS names.
A NetBIOS name is a 16-character name assigned to a computer in a workgroup by WINS, which is used for name resolution of an IP address into a NetBIOS name.
Workgroup vs. Domain
Workgroup: It is a peer-to-peer network for a maximum of 10 computers in the same LAN or subnet. It has no centralized administration, which means no computer has control over another computer. Each user controls the resources and security locally on their system.
Domain: It is a client/server network for up to 2000 computers anywhere in the world. The administrator manages the domain and its users and resources. A user with an account on the domain can log onto any computer system, without having the account on that computer.
NetBIOS provides three distinct services:
- Name service (NetBIOS-NS) for name registration and resolution via port 137.
- Datagram distribution service (NetBIOS-DGM) for connectionless communication via port 138.
- Session service (NetBIOS-SSN) for connection-oriented communication via port 139.
- 135 TCP: MS-RPC endpoint mapper
- 137 UDP: NetBIOS Name Service
- 138 UDP: NetBIOS Datagram Service
- 139 TCP: NetBIOS Session Service
- 445 TCP: SMB Protocol
Port 135: used for Microsoft Remote Procedure Call (MS-RPC) between client and server, where the service listens for client queries. It is used for client-to-client and server-to-client communication when sending messages.
Port 137: the name service operates on UDP port 137. The name service primitives offered by NetBIOS are:
- Add name – registers a NetBIOS name.
- Add group name – registers a NetBIOS “group” name.
- Delete name – un-registers a NetBIOS name or group name.
- Find name – looks up a NetBIOS name on the network.
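On the wire, the name service carries each 16-byte NetBIOS name (15 characters plus a one-byte suffix) in an encoded form, so reviewing captured UDP 137 traffic means decoding it first. The following is an added example, not code from the original page: it parses the header and question name of a port 137 payload following RFC 1002 and maps the opcode to the primitives listed above. The host name FILESRV01 and the sample packet are constructed for illustration.

```python
import struct

# NBNS header opcodes (RFC 1002) mapped to the name-service primitives above.
OPCODES = {0: "find name (query)", 5: "add name (registration)",
           6: "delete name (release)", 8: "refresh"}


def encode_name(name, suffix=0x00):
    """First-level encode: pad to 15 chars, append suffix byte, split nibbles."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    enc = bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))
    return bytes([len(enc)]) + enc + b"\x00"   # length byte + name + root label


def decode_name(label):
    """Reverse the encoding of a 32-byte label; returns (name, suffix byte)."""
    if len(label) != 32 or any(not 0x41 <= b <= 0x50 for b in label):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]


def parse_nbns(packet):
    """Parse the 12-byte header and first question of a UDP/137 payload."""
    if len(packet) < 12 + 34 + 4:
        raise ValueError("truncated NBNS packet")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount < 1 or packet[12] != 32:
        raise ValueError("no NetBIOS question name")
    name, suffix = decode_name(packet[13:45])
    qtype, _qclass = struct.unpack("!HH", packet[46:50])
    return {"txid": txid, "response": bool(flags & 0x8000),
            "operation": OPCODES.get((flags >> 11) & 0xF, "other"),
            "broadcast": bool(flags & 0x0010),
            "name": name, "suffix": suffix, "qtype": qtype}


# Constructed sample: broadcast name query for the hypothetical host FILESRV01,
# suffix 0x20 (file server service), question type NB (0x0020), class IN.
SAMPLE = (struct.pack("!HHHHHH", 0x1234, 0x0110, 1, 0, 0, 0)
          + encode_name("FILESRV01", 0x20) + struct.pack("!HH", 0x0020, 0x0001))

if __name__ == "__main__":
    print(parse_nbns(SAMPLE))
```

The suffix byte identifies the service behind the name, so logging it alongside the operation shows which hosts are registering or being queried for which service.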
Port 138: Datagram mode is connectionless; the application is responsible for error detection and recovery. In NBT, the datagram service runs on UDP port 138. The datagram service primitives offered by NetBIOS are:
- Send Datagram – send a datagram to a remote NetBIOS name.
- Send Broadcast Datagram – send a datagram to all NetBIOS names on the network.
- Receive Datagram – wait for a packet to arrive from a Send Datagram operation.
- Receive Broadcast Datagram – wait for a packet to arrive from a Send Broadcast Datagram operation.
Port 139: Session mode lets two computers establish a connection, allows messages to span multiple packets, and provides error detection and recovery. In NBT, the session service runs on TCP port 139.
The session service primitives offered by NetBIOS are:
- Call – opens a session to a remote NetBIOS name.
- Listen – listen for attempts to open a session to a NetBIOS name.
- Hang Up – close a session.
- Send – sends a packet to the computer on the other end of a session.
- Send No Ack – like Send, but doesn’t require an acknowledgment.
- Receive – wait for a packet to arrive from a Send on the other end of a session.
Nbtstat is a Windows utility that helps troubleshoot NetBIOS name resolution problems.
There are a number of tools that can be employed to enumerate NetBIOS. The most often used are
Hyena is a tool for day-to-day administration of Windows and Active Directory systems.
Hyena brings together all of the administrative tools from Windows and many of the MMC components in Windows 200x into a single, easy-to-use, centralized program. Hyena arranges all system objects, such as users, servers, and groups, in a hierarchical tree for easy and logical system administration. Here’s a sample of just a few of Hyena’s functions:
The Windows NT and Windows 2000 Resource Kits come with a number of command-line tools that help you administer your Windows NT/2K systems. Over time, I’ve grown a collection of similar tools, including some not included in the Resource Kits. What sets these tools apart is that they all allow you to manage remote systems as well as the local one.
The tools included in the PsTools suite, which are downloadable as a package, are:
- PsExec – execute processes remotely
- PsFile – shows files opened remotely
- PsGetSid – display the SID of a computer or a user
- PsInfo – list information about a system
- PsPing – measure network performance
- PsKill – kill processes by name or process ID
- PsList – list detailed information about processes
- PsLoggedOn – see who’s logged on locally and via resource sharing (full source is included)
- PsLogList – dump event log records
- PsPasswd – changes account passwords
- PsService – view and control services
- PsShutdown – shuts down and optionally reboots a computer
- PsSuspend – suspends processes
- PsUptime – shows you how long a system has been running since its last reboot (PsUptime’s functionality has been incorporated into PsInfo)