Microsoft windows 2000; NetBIOS

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

       Microsoft windows 2000, "the most secure operating system we have ever shipped", by Keith White [1] (Director of Windows marketing at Microsoft). One of the important features named NetBIOS which is used to allow an application which is running on a separate computer to communicate over a local area network (LAN) dragged the statement by Keith White to dilemma. It gave a chance to an intruder to crack in to a windows system.

As windows is the popular operating system used by most of the people. This vulnerability makes these many number of windows operating system users to be a victim.

      In this paper I'm going to present mainly about four important consequences. Those consequences are description about NetBIOS and its functionality, Enumeration process of a domain using NetBIOS, Vulnerabilities associated with NetBIOS and way to exploit them and finally about the way to mitigate the security problems associated with it.


NetBIOS stand for Network Basic Input Output system. It is a program which allows different applications on different computers to communicate with each other. IBM takes the pride of its creation for its early PC communication which was adopted by Microsoft. The vendor independent interface for the IBM personal computers and compatible systems made it dominant mechanism for personal computer networking [RFC 1001].

NetBIOS designed for sharing a broadcast medium between groups of PC's provides both connection and connectionless services (i.e. session and datagram services).Session mode allows establishing connection between two computers. It is connection oriented service so it allows conversations with large messages that are been handled, also provides error detection and recovery. Datagram, as it is connectionless each message is send independently and small messages must be send.

In order that NetBIOS allows computer to communicate it depends on different types of ports.

PORT                        DESCRIPTION

135                            MS NetBIOS

137                            MS NetBIOS - NS (Name Service)

138                            MS NetBIOS - DGM (Datagram Service)

139                            MS NetBIOS - SSN (Session Service)


Enumeration, dictionary meaning of it is "to count off or name one by one". It can be explained in many ways coming to the present situation enumeration represents as extraction of user names, machine names, network resources, shared resources and different services.

During the enumeration process first step of intrusion an intruder mainly tries to gather information like

§ Network resources and shares

§ Users and groups

§ Applications and banners

Let us consider the Windows NT/ 2000 to explain the enumeration process using NetBIOS. During its lifetime WINDOWS NT has achieved a well deserved reputation for giving away free information to remote pilferers. This is due to common internet file system and NetBIOS data transport protocols upon which network services are heavily dependent. [2]


Initial but crucial thing any intruder concentrate on well secured WIN NT/2000 network is what exists on it. He tries to gather the at most information he can from the target system. As we all know information gathered is directly proportional to performance of the hack (i.e. the more information we gather easier the hack will be).

The tools and techniques that are used for peering along the NetBIOS are readily available in most of the operating systems as they are built into the OS itself. Let's have a overview of these in built tools.

Net view:

Among the built in enumeration tools net view is very important tool. This command line tool will give a list of all the domains available on the network and then bare all the machines in those domains. It also gives the list of shared resources of that system. 

The figure above represents the use of this net view command.

In that I used three commands

First one is

C:\ net view /domain

This gives the list of domains on the network. In this case there is only one i.e. teaching

C:\ net view /domain:teaching

This gives the list of computers in that particular domain

In the third command it scans the entire IP and gives a list of all the shared resources.


This command line tool, scans for open NETBIOS name servers on a local or remote TCP/IP network.             

nbtscan[-v] [-d] [-e] [-l] [-ttimeout] [-bbandwidth] [-r] [-q] [-sseparator] [-h] [-mretransmits] [-filename|scan_range]

This sends a status query to each address which is been supplied

(i.e. scan_range specified in the above syntax) and obtain information listing IP address, NetBIOS Name, Server, User, MAC address.

The figure bellow represents the use of this nbtscan command.


In the figure above with the command "nbtscan -h" we can have a list of the syntax or structure of the command to gain the advantage of the nbtscan command and number of options to narrow the process and obtained the desired options depending on the request(by selecting command(s))


In the above figure I try to explain how the response of a nbtscan command will be with two examples circled with red above

First one is a general scan which gives IP address, NetBIOS Name, Server, User and MAC address of the give IP address( in this case) and the second example is with an option -v (Verbose output) which Prints all names received from each host.



This is another built in tool which gives great results. It "calls up the NetBIOS Name table from a remote system" [2].


In the above figure an nbtstat command is been used which results a list of remote machine's name table when it's IP is been given. In the result the value within < > along with the name can be used to identify the type of resource it is. The table below gives a list of resources depending on the combinations of different values. [2][5]


With all those built in command line tools for enumeration process. But there is another command line tool known as enum which plays a major role in enumeration of a system. But it is not a built in command and can be obtained online.


There also exits a command line tool known as enum which on successful execution results with users in that system, different groups and share names.


There are many vulnerabilities associated with NetBIOS, among those NetBIOS Null Session Vulnerability is more popular. CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2005-3595 [6] [7] are the associated CVE identifiers related to this null session recorded by CVE MITRE.


Null session is establishing a session with user name " ", password " " on domain " ". Null session is known as "Holy Grail" of enumeration. Using null session administrator account can be extracted. An attacker use null session command an attacker can talk to port 139 and launch an attack against the target system. Before attacking a system the initial step is to gathering information about the target system. As we know the more we know about the target system the easier hack will be. Now I'm going to explain about how this attack is performed

The following shows stepwise procedure of the enumeration process and how an intruder can gain access to a system by using null session.


To perform a hack the main thing which an intruder looks for is a vulnerable system which can be identified by finding the system with an open 139 port. For this identification process there are many port scanning command line and GUI tools which help to identify. Nmap, Superscan, Yaps, Angry IP Scanner, Newt are some of the examples. Let us consider Nmap for our case

Nmap is a fast and simple tool to perform port scanning. It provides the intruder with the information about the port 139(state of the port and service running on it).

C:\nmap [scan type(s)] [option] {target specification}

The above statement is the structure of the command used to retrieve the data

After identifying the vulnerable system, by running the nbtstat command. As mentioned above it returns with a NetBIOS Remote Machine Name table. This is used to analyse the machine.

Note: There are many other GUI tools which can be used to gain entire information about the system. A simple example of it is Winfingerprint.


Creating a null session

Now we have scanned the system and identified the vulnerable system. We then try to create a null session between the machines. Using the net command a session can be created and checked.

C:>\net use\\\ipc$ "" /u:"

net use command is used followed by the IP address of the system to set up an IPC null session. In the above command ipc$ is inter process communication which is mainly used for server to server communication. After performing this command it returns with the following

C:>\net use\\\ipc$ "" /u:"

The command completed successfully.

This indicates the session is created and a connection is been established.

Now we can go more technical after establishing a connection we can identify all the services that are running, obtain the list of valid users, groups and software packages that are installed on the system. Using commands like "net view" all the network share information is also been gathered.


This is the final step of intrusion. Now we manage to get almost very important data about the target system. A connection is also been established to the target system using null session. So we can directly contact with the target system. It's time to launch a password cracking attack on the target system.

There are many types of attacks that can be performed. Brute force and Dictionary attack is a efficient tool kit that can be used to crack the system. The only requirement now is a superior password file to obtain fortunate results.

In Windows there exits two simple utilities user2sid and sid2user command line tools.

The first one will retrieve the SID (security identifier) from SAM which is located at C:\WINDOWS\SYSTEM32\config.

C:\>User2sid [\\computer_name] account_name

Second utility will retrieve the name of all the accounts in the computer.

C:\>Sid2user [\\computer_name] authority subauthority1

These user accounts which are retrieved from the two utilities specified above can be used as user names in brute force attack and find out the password.



  • [1] in introduction

    Online ref:

    6th paragraph


    Text book reference:

    Hacking Exposed - Network Security Secrets & Solutions, 2nd Edition (2001) page 72-

    [3] NBTSCAN

    [4] nbtscan

    [5] Nbtstat


    program about null session.