Quick Summary
NetBIOS Over TCP/IP Enabled is a network service misconfiguration where the legacy NetBIOS protocol is enabled over TCP/IP. This configuration may allow attackers to enumerate system information, shared resources, and user accounts, increasing reconnaissance capabilities and exposure to credential-based attacks.
Vulnerability Classification
| Field | Value |
|---|---|
| Vulnerability Type | Legacy Service Exposure |
| CWE ID | CWE-319 – Cleartext Transmission of Sensitive Information |
| CVE ID | N/A (Configuration Issue) |
| CVSS 4.0 Base Score | 7.3 (High) |
| CVSS Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N |
| OWASP Category | A05:2021 – Security Misconfiguration |
| Attack Surface | Internal Network |
Affected Asset / Environment
- Service: NetBIOS
- Common Ports: 137 (UDP), 138 (UDP), 139 (TCP)
- Platforms: Windows Systems, Legacy Network Environments
- Testing Method: Internal Network Assessment
- Tools Used: Nmap, nbtscan, smbclient
Description
The assessor observed that NetBIOS over TCP/IP is enabled on the target system. NetBIOS is a legacy protocol used for name resolution and session services in Windows environments.
When enabled, NetBIOS may expose system names, logged-in users, shared folders, and domain information. Attackers can leverage this information to identify potential targets and conduct further attacks such as SMB relay, password spraying, or lateral movement.
Modern environments using DNS and Active Directory typically do not require NetBIOS, making its presence unnecessary in many configurations.
Root Cause
The issue occurs due to default network configuration settings where NetBIOS over TCP/IP is enabled.
Common root causes include:
- Legacy compatibility requirements
- Default Windows network settings
- Lack of system hardening
- Absence of secure baseline enforcement
Business Impact
Exploitation of this vulnerability may allow attackers to enumerate internal systems and identify valid usernames and shared resources. This information may facilitate password attacks, targeted phishing campaigns, and lateral movement within the network.
In enterprise environments, unnecessary exposure of network metadata may increase the likelihood of broader compromise.
Technical Impact
An attacker can:
- Enumerate NetBIOS names
- Identify hostnames and domain membership
- Discover shared resources
- Map internal network structure
- Support SMB-based attack techniques
Although NetBIOS exposure alone may not result in immediate compromise, it significantly enhances reconnaissance capabilities.
Proof of Concept (PoC)
Step1: Identify NetBIOS Ports
nmap -sU -p 137,138 <target-ip>
nmap -p 139 <target-ip>
If ports 137, 138, or 139 are open, NetBIOS services may be enabled.
Step2: Enumerate NetBIOS Information
nbtscan <target-ip>
If hostname, MAC address, or domain information is returned, NetBIOS is active.
Step3: Enumerate Shares via NetBIOS
nmap --script smb-enum-shares -p 139 <target-ip>
If shared folders are listed, exposure is confirmed.
Step4: Attempt Null Session Enumeration (If Applicable)
smbclient -L //<target-ip>/ -N
If share information is returned without credentials, risk level increases.
Exploitation Prerequisites
- Internal network access
- NetBIOS over TCP/IP enabled
- Ports 137–139 accessible
- No firewall restrictions
Remediation
It is recommended that NetBIOS over TCP/IP be disabled where not required.
Recommended actions:
- Disable NetBIOS over TCP/IP in network adapter settings
- Use DNS for name resolution instead of NetBIOS
- Block ports 137–139 at firewall level
- Enforce secure system hardening baseline
- Conduct periodic network configuration audits
Detection and Monitoring
- Monitor for NetBIOS traffic on internal networks
- Restrict legacy protocol usage
- Alert on unexpected NetBIOS name queries
- Regularly scan for exposed NetBIOS services