What is it?

Network Basic Input/Output System (NetBIOS) is the mechanism that Microsoft Windows systems use to share resources, particularly file and printer shares. NetBIOS uses ports 137, 138 and 139.

Why is it a risk?

Using a command called NBSTAT (link below), an attacker can discover computer names, IP addresses, NetBIOS names, Windows Internet Name Service (WINS) names, session information and user IDs. This information can be used to mount focussed attacks on administrative accounts. When combined with “null sessions” the attacker can obtain a list of available shares.

How can you mitigate the risk?

The most effective mitigation is to not use NetBIOS (Windows file and printer shares) at all, but many organizations rely on these services.

The next best approach is to block NetBIOS traffic to/from the Internet, or limit its use to specific IP addresses, using firewall rules.

The TechRepublic link below provides tips for hardening NetBIOS services that must be exposed to the Internet (not recommended).
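To check whether the "limit to specific IP addresses" rule is actually holding, firewall logs can be audited for NetBIOS flows whose peer is neither internal nor on the allow-list. The following is an added example, not code from the original article: the iptables-like log format and the sample lines are constructed, and the RFC 1918 ranges are assumed to be the organization's internal address space.

```python
import ipaddress
import re

# Added example (not from the article): flag NetBIOS flows that cross the Internet boundary.
NETBIOS_PORTS = {137, 138, 139}  # name service, datagram service, session service

# Assumption: internal address space is the RFC 1918 ranges, so the TEST-NET
# addresses used in the sample below count as Internet hosts.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) SPT=(\d+) DPT=(\d+)")

# Constructed sample log lines in an iptables-like format.
SAMPLE_LOG = [
    "SRC=203.0.113.5 DST=10.0.0.20 PROTO=UDP SPT=51000 DPT=137",   # Internet -> name service
    "SRC=10.0.0.20 DST=10.0.0.30 PROTO=TCP SPT=49152 DPT=139",     # internal share traffic, fine
    "SRC=10.0.0.20 DST=198.51.100.7 PROTO=TCP SPT=49153 DPT=139",  # internal host -> Internet share
    "SRC=10.0.0.20 DST=10.0.0.30 PROTO=TCP SPT=49154 DPT=443",     # not NetBIOS, ignored
    "SRC=192.0.2.9 DST=10.0.0.20 PROTO=UDP SPT=138 DPT=138",       # Internet -> datagram service
]

def is_internal(addr):
    """True when addr falls inside one of the assumed internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line):
    """Extract the 5-tuple from one log line; None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, proto, spt, dpt = m.groups()
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "spt": int(spt), "dpt": int(dpt)}

def audit(lines, allowed_remotes=()):
    """Return NetBIOS flows whose non-internal peer is not on the allow-list."""
    allowed = {ipaddress.ip_address(a) for a in allowed_remotes}
    findings = []
    for line in lines:
        flow = parse_line(line)
        if flow is None:
            continue
        port = flow["dpt"] if flow["dpt"] in NETBIOS_PORTS else flow["spt"]
        if port not in NETBIOS_PORTS:
            continue  # not NetBIOS traffic
        for peer in (flow["src"], flow["dst"]):
            if not is_internal(peer) and peer not in allowed:
                findings.append({"remote": str(peer), "port": port,
                                 "proto": flow["proto"], "line": line})
                break
    return findings
```

Running `audit(SAMPLE_LOG)` reports the three flows that touch an Internet address; passing `allowed_remotes=("198.51.100.7",)` models a deliberately permitted partner and drops that finding.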

Resources:

TechRepublic
https://www.techrepublic.com/blog/it-security/the-problem-with-netbios/

NBStat
http://www.windowscommandline.com/nbstat-command-windows-command-line/
