NetBIOS over TCP/IP

nbtstat
Developer(s)	Microsoft
Operating system	Microsoft Windows
Type	Command
License	Proprietary commercial software
Website	nbtstat

NetBIOS over TCP/IP (NBT, or sometimes NetBT) is a networking protocol that allows legacy computer applications relying on the NetBIOS API to be used on modern TCP/IP networks.

NetBIOS was developed in the early 1980s, targeting very small networks (about a dozen computers). Some applications still use NetBIOS, and do not scale well in today's networks of hundreds of computers when NetBIOS is run over NBF. When properly configured, NBT allows those applications to be run on large TCP/IP networks (including the whole Internet, although that is likely to be subject to security problems) without change.

NBT is defined by the RFC 1001 and RFC 1002 standard documents.

Services[edit]

NetBIOS provides three distinct services:

Name service for name registration and resolution (ports: 137/udp and 137/tcp)
Datagram distribution service for connectionless communication (port: 138/udp)
Session service for connection-oriented communication (port: 139/tcp)

NBT implements all of those services.

Name service[edit]

In NetBIOS, each participant must register on the network using a unique name of at most 15 characters. In legacy networks, when a new application wanted to register a name, it had to broadcast a message saying "Is anyone currently using that name?" and wait for an answer. If no answer came back, it was safe to assume that the name was not in use. However, the wait timeout was a few seconds, making the name registration a very lengthy process, as the only way of knowing that a name was not registered was to not receive any answer.

NBT can implement a central repository, or Name Service, that records all name registrations. An application wanting to register a name would therefore contact the name server (which has a known network address) and ask whether the name is already registered, using a "Name Query" packet. This is much faster, as the name server returns a negative response immediately if the name is not already in the database, meaning it is available. The Name Service, according to RFCs 1001 and 1002, is called NetBIOS Naming Service or NBNS. Microsoft WINS is an implementation of NBNS. It is worth saying that due to constant development of the way in which the Name Service handles conflict or merges, "group names" varies from vendor to vendor and can even be different by version e.g. with the introduction of a service pack.

The packet formats of the Name Service are identical to DNS. The key differences are the addition of NetBIOS "Node Status" query, dynamic registration and conflict marking packets. They are encapsulated in UDP. Later implementation includes an optional Scope part of the name, making NetBIOS name hierarchical like DNS, but this is seldom used.

In addition, to start a session or to send a datagram to a particular host rather than to broadcast the datagram, NBT will have to determine the IP address of the host with a given NetBIOS name; this is done by broadcasting a "Name Query" packet, and/or sending it to the NetBIOS name server. The response will have the IP address of the host with that name.

NBNS is one of the first proper dynamic peer-to-peer distributed name registration services. The NBNS protocol was brought into disrepute by Microsoft: it earned a bad name for being 'chatty', swamping networks with dynamic registration traffic on multiple protocols (IPX/SPX, NBF and TCP/IP) as people badly misconfigured their machines and their networks^{[citation needed]}. The principles implemented in NBNS have been reimplemented many times, including in such systems as zeroconf and MobileIP.

Datagram distribution service[edit]

Datagram mode is "connectionless"; NetBIOS datagrams are sent over UDP. A datagram is sent with a "Direct Unique" or "Direct Group" packet if it's being sent to a particular NetBIOS name, or a "Broadcast" packet if it's being sent to all NetBIOS names on the network.

Session service[edit]

Session mode lets two computers establish a connection for a "conversation", allows larger messages to be handled, and provides error detection and recovery.

Sessions are established by exchanging packets. The computer establishing the session attempts to make a TCP connection to port 139 on the computer with which the session is to be established. If the connection is made, the computer establishing the session then sends over the connection a "Session Request" packet with the NetBIOS names of the application establishing the session and the NetBIOS name to which the session is to be established. The computer with which the session is to be established will respond with a "Positive Session Response" indicating that a session can be established or a "Negative Session Response" indicating that no session can be established (either because that computer isn't listening for sessions being established to that name or because no resources are available to establish a session to that name).

Data is transmitted during an established session by Session Message packets.

TCP handles flow control and retransmission of all session service packets, and the dividing of the data stream over which the packets are transmitted into IP datagrams small enough to fit in link-layer packets.

Sessions are closed by closing the TCP connection.

Security vulnerabilities[edit]

NBT exposes information and interfaces that are often appropriate for a LAN under an organization's administrative control, but which are not appropriate for a less trusted network such as the Internet. For example, the NetBIOS Name Service (NBNS), running over UDP or TCP port 137, allows any computer to register its hostname with other computers. An attacker could contact any host and claim that they are a particular service the host regularly contacts, such as a file server. This could result in a middleperson attack against listening hosts, and ultimately in the compromise of credentials used by the listening hosts to access network services over NBT. Tools such as NBNSpoof can be used to perform this attack.^[1]^[2]

Exposure of NBT to the Internet also discloses, as a practical matter, that the host answering on NBT ports is running Windows. This can be used to better target malicious activity that might be specific to one operating system.

Decreasing relevance in post-NT Client-Server Networks[edit]

In relation to post-MS Windows 2000 / NT, client-server based networks, NetBIOS is effectively becoming a legacy protocol. NetBIOS was also developed for non-routable LANs. In most post year 2000 networks operating Windows 2000 or later, NetBIOS effectively offers backwards compatibility for network devices that predate compatibility with DNS. A central role of NetBIOS in Client-Server networks (and also those networks that have networked peripheral hardware that also predates DNS compatibility) is to provide name resolution to computers and networked peripherals. Further, it allows for such networked hardware to be accessed and shared and also enables the mapping and browsing of network folders, shares and shared printers, faxes, etc. In its primary capacity, it acts as a session-layer protocol transported over TCP/IP to provide name resolution to a computer and shared folders. To that end, Windows 2000-based, Client-Server networks - and later - do not require this insecure means of name resolving and addressing or navigating of network shares.^[3]

Troubleshooting NetBIOS[edit]

nbtstat[edit]

The nbtstat command is a diagnostic tool for NetBIOS over TCP/IP. Its primary design is to help troubleshoot NetBIOS name resolution problems.^[4] The command is included in several versions of Microsoft Windows. There are several commands involved with nbtstat that allows several options such as: local cache lookup, WINS Server query, broadcast, LMHOSTS lookup, and Hosts lookup. It is not for DNS server query.^[5]

When a network is functioning normally, NetBIOS over TCP/IP (NetBT) resolves NetBIOS names to IP addresses. It does this through several options for NetBIOS name resolution, including local cache lookup, WINS server query, broadcast, LMHOSTS lookup, Hosts lookup, and DNS server query. The command removes and corrects preloaded entries using a number of case-sensitive switches. The nbtstat -a < name > command performs a NetBIOS adapter status command on the computer name specified by < name >. The adapter status command returns the local NetBIOS name table for that computer as well as the MAC address of the adapter card. The nbtstat -A < IP address > command performs the same function using a target IP address rather than a name.

Syntax[edit]

nbtstat [-a RemoteName] [-A IPAddress] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [Interval]

The common parameters are:<^[5]

nbtstat -c: displays the contents of the NetBIOS name cache, the table of NetBIOS names and their resolved IP addresses.
nbtstat -n: displays the names that have been registered locally on the system.
nbtstat -r: displays the count of all NetBIOS names resolved by broadcast and querying a WINS server.
nbtstat -R: purges and reloads the remote cache name table.
nbtstat -RR: sends name release packets to WINs and then starts Refresh.
nbtstat -s: lists the current NetBIOS sessions and their status, including statistics.
nbtstat -S: lists sessions table with the destination IP addresses.

References[edit]

^ mubix (2012-09-01). "Old School On-target NBNS Spoofing". malicious.link. Retrieved 2022-02-02.
^ Lladro, David (2021-07-02), NBNSpoof - NetBIOS Name Service Spoofer, retrieved 2022-02-02
^ "NetBIOS over TCP/IP". Microsoft Docs. July 18, 2012.
^ "Nbtstat". Microsoft Docs. July 18, 2012.
^ ^a ^b "nbtstat". Windows XP Professional Product Documentation. Archived from the original on 2016-07-21. Retrieved 2016-04-13.

External links[edit]

KB204279 - KB article describing the more modern, direct hosting of SMB
nbtscan - open-source program to scan IP networks for NetBIOS name information

[1] ubix (2012-09-01). "Old School On-target NBNS Spoofing". malicious.link. Retrieved 2022-02-02.

[2] Lladro, David (2021-07-02), NBNSpoof - NetBIOS Name Service Spoofer, retrieved 2022-02-02

[3] "NetBIOS over TCP/IP". Microsoft Docs. July 18, 2012.

[4] "Nbtstat". Microsoft Docs. July 18, 2012.

[xp-nbtstat-documentation-5] "nbtstat". Windows XP Professional Product Documentation. Archived from the original on 2016-07-21. Retrieved 2016-04-13.

[1]

[2]

[3]

[4]

[5]

v t e Windows command-line programs and shell builtins
COMMAND.COM Command Prompt Windows PowerShell Recovery Console
File system navigation	cd (chdir) dir popd pushd tree
File management	attrib cacls cipher compact copy del (erase) deltree icacls mkdir (md) mklink move openfiles recover ren (rename) replace rmdir (rd) robocopy takeown xcopy
Archiving	expand extrac32 extract makecab pax tar
Disk management	chkdsk convert defrag diskcomp diskcopy diskpart diskraid diskshadow drvspace fdisk format fsutil label manage-bde refsutil subst scandisk sys vol vssadmin
Processes	at exit kill powercfg runas sc schtasks shutdown start taskkill tasklist
Registry	assoc ftype reg regini regsvr32
User environment	chcp cmdkey date graftabl mode path set setver setx time title ver where whoami
File contents	comp edit edlin fc find findstr print type
Scripting	choice clip cscript doskey echo for forfiles goto if more pause prompt rem timeout
Networking	arp bitsadmin curl getmac hostname ipconfig nbtstat net netsh netstat nslookup PathPing ping rpcping route scp setspn sftp ssh ssh-add ssh-agent ssh-keygen ssh-keyscan tracert winrm winrs
Maintenance and care	auditpol dispdiag driverquery eventcreate eventtriggers logman mofcomp msiexec ntbackup pnpunattend pnputil REAgentC relog sfc sxstrace systeminfo tracerpt typeperf w32tm WBAdmin wecutil wevtutil winmgmt winsat wmic
Boot management	bcdedit bootcfg bootsect fixboot fixmbr
Software development	debug exe2bin QBasic
Miscellaneous	break cls dism dpath gpresult gpupdate help MSCDEX pentnt tpmtool tpmvscmgr wsl
List of DOS commands Environment variables Windows Support Tools