Friday, 22 March 2013

nbtstat usage

Putting together a resource on nbtstat.

Nbtstat is a NetBIOS diagnostic tool that Microsoft ships with several versions of Windows. The information it returns can be a useful source for a penetration tester.

Understanding NetBIOS and the output of the nbtstat tool can help identify machines and servers within a network.


From Wikipedia

NetBIOS is an acronym for Network Basic Input/Output System. It provides services related to the session layer of the OSI model allowing applications on separate computers to communicate over a local area network. NetBIOS normally runs over TCP/IP via the NetBIOS over TCP/IP (NBT) protocol. This results in each computer in the network having both an IP address and a NetBIOS name corresponding to a (possibly different) host name.


NetBIOS runs over TCP/IP and is the network component that performs name resolution, mapping computer names to IP addresses. It provides three distinct services:


  • Name service for name registration and resolution.
  • Datagram distribution service for connectionless communication.
  • Session service for connection-oriented communication.


These operate over the following network ports:


  • the name service operates on UDP port 137 (TCP port 137 can also be used, but rarely is);
  • the datagram service runs on UDP port 138;
  • the session service runs on TCP port 139.


Computer names

Windows computers are identified by names. There is the DNS host name, which is out of scope for this article, and the NetBIOS host name, which has the following limitations.


Minimum name length: 1 character.
Maximum name length: 15 characters.

You may have expected the maximum length to be 16 characters; however, the last character is reserved to identify the functionality that is installed on the registered network device.


From Wikipedia

The NetBIOS name is 16 ASCII characters; however, Microsoft limits the host name to 15 characters and reserves the 16th character as a NetBIOS Suffix. This suffix describes the service or name record type such as host record, master browser record, or domain controller record. The host name (or short host name) is specified when Windows networking is installed/configured; the suffixes registered are determined by the individual services supplied by the host.

I have collated from a number of sources some of the unique identifiers and these are listed below.

Unique Identifiers

Unique user names

  Hex  Usage                                                  Name
  03   Name of the user currently logged on (WINS database)   <username>

Unique computer names

  Hex  Usage                                        Name
  00   Workstation, Domain Name                     <computername>
  01   Messenger (Workstation)                      <computername>
  03   Messenger (User)                             <computername>
  06   Remote Access Server                         <computername>
  1F   NetDDE                                       <computername>
  20   File Server                                  <computername>
  21   Remote Access Server Client                  <computername>
  22   Microsoft Exchange Interchange               <computername>
  23   Microsoft Exchange Store                     <computername>
  24   Microsoft Exchange Directory                 <computername>
  30   Modem Sharing Server Service                 <computername>
  31   Modem Sharing Client Service                 <computername>
  42   McAfee anti-virus                            <computername>
  43   SMS Clients Remote Control                   <computername>
  44   SMS Administrators Remote Control Tool       <computername>
  45   SMS Clients Remote Chat                      <computername>
  46   SMS Clients Remote Transfer                  <computername>
  4C   DEC Pathworks TCP/IP service on Windows NT   <computername>
  52   DEC Pathworks TCP/IP service on Windows NT   <computername>
  53   Domain Name Service (DNS)??                  <computername>
  87   Microsoft Exchange MTA                       <computername>
  6A   Microsoft Exchange IMC                       <computername>
  1B   Domain Master Browser                        <computername>
  1F   NetDDE Service ID                            <computername>
  BE   Network Monitor Agent                        <computername>
  BF   Network Monitor Utility ID                   <computername>

Group names

  Hex  Usage                        Name
  00   Domain Name                  <domain>
  01   Master Browser               <\\--__MSBROWSE__>
  20   Internet Group Name ID       <domain>
  1C   Domain Controller            <domain>
  1D   Master Browser Name          <domain>
  1E   Browser Service Elections    <domain>

Group names (IIS)

  Hex  Usage                 Name
  00   IS~computer name      <INet~Services>
  01   INet~Services         <computername>

nbtstat tool


Running nbtstat against Windows computers requires no authentication, whether the target is in the same or a different domain or workgroup.

NBTSTAT [ [-a RemoteName] [-A IP address] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [interval] ]


-a   (adapter status)
     Lists the remote machine's name table given its name
-A   (Adapter status)
     Lists the remote machine's name table given its IP address.
-c   (cache)
     Lists NBT's cache of remote [machine] names and their IP addresses
-n   (names)
     Lists local NetBIOS names.
-r   (resolved)
     Lists names resolved by broadcast and via WINS
-R   (Reload)
     Purges and reloads the remote cache name table
-S   (Sessions)
     Lists sessions table with the destination IP addresses
-s   (sessions)
     Lists sessions table converting destination IP addresses to computer NETBIOS names.
-RR  (ReleaseRefresh)
     Sends Name Release packets to WINS and then, starts Refresh


where


RemoteName - Remote host machine name.
IP address - Dotted decimal representation of the IP address.
interval - Redisplays selected statistics, pausing interval seconds between each display. Press Ctrl+C to stop redisplaying statistics.

The most useful options are -a and -A, which query a remote machine by name or by IP address respectively; -n returns the local host's own name table.

From a security point of view, analysing the NetBIOS information registered by a computer makes it possible to identify the machine's NetBIOS name, the domain it belongs to and its domain controller, along with the function of the machine. All of this comes from understanding NetBIOS and the suffix (16th character) identifier. To gather this information we use the nbtstat tool or an equivalent.

Other tools


The same output is also collected by a number of standard penetration-testing tools; below is an example of the output from Nmap's nbstat script when run against a target machine.


| nbstat:
|   NetBIOS name: INSECURE-62400A, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:fc:55:b3 (Cadmus Computer Systems)
|   Names
|     INSECURE-62400A<00>  Flags: <unique><active>
|     WORKGROUP<00>        Flags: <group><active>
|     INSECURE-62400A<20>  Flags: <unique><active>
|     WORKGROUP<1e>        Flags: <group><active>
|     WORKGROUP<1d>        Flags: <unique><active>
|_    \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>


This clearly shows the machine is a workstation in a workgroup; had it been part of a domain we could have identified the domain and the domain controller from the same output.
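As an added example (it is not part of the original post and not code from Microsoft or the Nmap project), the script below applies the suffix table above to a NetBIOS name table, whether copied from nbtstat -A output or from Nmap's nbstat script, and extracts exactly the facts the nbtstat section and the Nmap output describe: the host name, the domain or workgroup, whether the host is a domain controller, master browser or file server, and any logged-on user. The Nmap sample is the one printed above; the nbtstat -A sample for a domain controller (host DC01, domain CORP, user JSMITH, address 192.0.2.10) is constructed for illustration only.

```python
import re
from typing import Dict, List, Optional, Tuple

# Suffix meanings keyed by (hex suffix, "unique" or "group"), taken from the
# identifier table in the post.  Pairs not listed are reported as unknown.
SUFFIX_ROLES: Dict[Tuple[str, str], str] = {
    ("00", "unique"): "Workstation (computer name)",
    ("00", "group"): "Domain or workgroup name",
    ("03", "unique"): "Messenger (computer or logged-on user)",
    ("20", "unique"): "File Server",
    ("1B", "unique"): "Domain Master Browser",
    ("1C", "group"): "Domain Controller",
    ("1D", "unique"): "Master Browser",
    ("1E", "group"): "Browser Service Elections",
    ("01", "group"): "Master Browser (__MSBROWSE__)",
}

# One pattern covers both layouts:
#   "    DC01           <00>  UNIQUE      Registered"   (nbtstat -A)
#   "|     DC01<00>  Flags: <unique><active>"           (Nmap nbstat script)
NAME_LINE = re.compile(
    r"^(?:\|_?)?\s*(?P<name>\S.*?)\s*<(?P<suffix>[0-9A-Fa-f]{2})>\s+"
    r"(?:Flags:\s*<)?(?P<kind>unique|group)",
    re.IGNORECASE,
)


def parse_name_table(text: str) -> List[Tuple[str, str, str]]:
    """Return (name, suffix, kind) for every registered-name line in text."""
    entries = []
    for line in text.splitlines():
        m = NAME_LINE.match(line)
        if m:
            entries.append((m.group("name"), m.group("suffix").upper(), m.group("kind").lower()))
    return entries


def summarize(text: str) -> Dict[str, object]:
    """Reduce a raw name table to the facts the post says NetBIOS reveals."""
    entries = parse_name_table(text)

    def first(suffix: str, kind: str) -> Optional[str]:
        return next((n for n, s, k in entries if s == suffix and k == kind), None)

    host = first("00", "unique")
    return {
        "host": host,
        "domain_or_workgroup": first("00", "group"),
        # Only domain controllers register the <1C> group name for their domain.
        "domain_controller_for": first("1C", "group"),
        "domain_master_browser": first("1B", "unique") is not None,
        "master_browser": first("1D", "unique") is not None,
        "file_server": first("20", "unique") is not None,
        # A unique <03> name other than the computer's own is a logged-on user.
        "logged_on_users": sorted(n for n, s, k in entries if s == "03" and k == "unique" and n != host),
        "roles": [f"{n}<{s}> {SUFFIX_ROLES.get((s, k), 'unknown suffix')}" for n, s, k in entries],
    }


# Nmap nbstat output as printed in the post (raw string keeps the \x escapes literal).
NMAP_SAMPLE = r"""
| nbstat:
|   NetBIOS name: INSECURE-62400A, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:fc:55:b3 (Cadmus Computer Systems)
|   Names
|     INSECURE-62400A<00>  Flags: <unique><active>
|     WORKGROUP<00>        Flags: <group><active>
|     INSECURE-62400A<20>  Flags: <unique><active>
|     WORKGROUP<1e>        Flags: <group><active>
|     WORKGROUP<1d>        Flags: <unique><active>
|_    \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
"""

# Constructed nbtstat -A output for a hypothetical domain controller DC01 in domain CORP.
NBTSTAT_DC_SAMPLE = """
Node IpAddress: [192.0.2.10] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    DC01           <00>  UNIQUE      Registered
    CORP           <00>  GROUP       Registered
    CORP           <1C>  GROUP       Registered
    DC01           <20>  UNIQUE      Registered
    CORP           <1B>  UNIQUE      Registered
    CORP           <1E>  GROUP       Registered
    CORP           <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    JSMITH         <03>  UNIQUE      Registered

    MAC Address = 00-00-5E-00-53-01
"""

if __name__ == "__main__":
    for label, sample in (("Nmap nbstat", NMAP_SAMPLE), ("nbtstat -A", NBTSTAT_DC_SAMPLE)):
        print(f"== {label} ==")
        for key, value in summarize(sample).items():
            print(f"  {key}: {value}")
```

Run as-is to see both summaries; for a real capture, paste the nbtstat -A or Nmap output into a string and pass it to summarize(). The workgroup host from the post comes back with no domain controller, while the constructed DC01 table yields the domain, the controller and the logged-on user, which is the distinction the paragraph above draws.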

Useful Nmap scripts


broadcast-netbios-master-browser - Attempts to discover master browsers and the domains they manage.
nbstat - Attempts to retrieve the target's NetBIOS names and MAC address.
