What is NetBIOS Enumeration in Ethical Hacking? Tools, Commands, and Security Measures Explained
NetBIOS enumeration is a critical ethical hacking technique used to identify shared folders, usernames, and system information in Windows networks. Learn how to perform NetBIOS enumeration using tools like nbtstat, net view, enum4linux, and Metasploit, along with examples, commands, and defense strategies.
Table of Contents
- What is NetBIOS Enumeration?
- Why Is NetBIOS Enumeration Important?
- How NetBIOS Works
- Commonly Used Tools for NetBIOS Enumeration
- Important NetBIOS Enumeration Commands
- Null Session Attacks via NetBIOS
- Real-World Scenario: Enumeration on an Internal Network
- How to Prevent NetBIOS Enumeration Attacks
- Summary Table: Tools vs. Capabilities
- Conclusion
- Frequently Asked Questions (FAQs)
What is NetBIOS Enumeration?
NetBIOS (Network Basic Input/Output System) enumeration is a crucial technique in ethical hacking used to gather information from Windows-based networks. Through NetBIOS, hackers or penetration testers can discover:
-
Shared drives or folders
-
Active user accounts
-
System names
-
Workgroup or domain names
-
MAC addresses
This enumeration process is active and usually targets TCP ports 137, 138, and 139, which are responsible for file and printer sharing services.
Why Is NetBIOS Enumeration Important?
In the context of cybersecurity and penetration testing, NetBIOS enumeration helps professionals identify vulnerable systems and misconfigurations. Here's why it's valuable:
-
Helps map out network topology.
-
Identifies resources that are shared without proper access control.
-
Reveals potential entry points for lateral movement or privilege escalation.
-
Can be used to gather credentials through null sessions or brute force attacks.
How NetBIOS Works
NetBIOS provides services related to the name resolution and session layer of the OSI model:
-
Name service (port 137): Resolves names to IP addresses.
-
Datagram service (port 138): Supports connectionless communication.
-
Session service (port 139): Establishes and manages sessions for sharing resources.
Commonly Used Tools for NetBIOS Enumeration
| Tool Name | Description | Platform |
|---|---|---|
| nbtstat | Built-in Windows tool for NetBIOS name tables and statistics | Windows |
| Net View | Displays shared resources on a network | Windows |
| Enum | Extracts user, group, and share info via null sessions | Windows |
| Nmap | Can perform NetBIOS script scans | Cross-platform |
| SMBClient | Queries shared resources via SMB | Linux |
| Metasploit | Includes modules for SMB and NetBIOS enumeration | Cross-platform |
| NBTScan | Scans NetBIOS names and MAC addresses on a subnet | Linux/Windows |
| Enum4linux | Tool for SMB enumeration on Linux | Linux |
Important NetBIOS Enumeration Commands
nbtstat Commands (Windows)
nbtstat -A
-
Lists NetBIOS name table and MAC address of the target.
nbtstat -n
-
Displays local NetBIOS name table.
nbtstat -r
-
Shows names resolved by broadcast and via WINS.
net view Commands
net view \\
-
Lists shared resources of a remote host.
net view /domain
-
Lists computers in the domain or workgroup.
enum Tool Usage
enum -U # Enumerates user accounts
enum -S # Lists network shares
enum -P # Gets password policy
nmap Scripting Engine for NetBIOS
nmap -p 139 --script nbstat.nse
-
Performs NetBIOS name table scan.
nmap --script smb-enum-shares.nse -p 139
-
Enumerates SMB shares using Nmap.
nbtscan Example
nbtscan 192.168.1.0/24
-
Lists NetBIOS names and MAC addresses for each IP in the subnet.
Null Session Attacks via NetBIOS
NetBIOS services (specifically over SMB) can allow null sessions—unauthenticated connections that can be used to extract sensitive info. Null sessions are possible on systems that do not enforce SMB signing or have guest access enabled.
Real-World Scenario: Enumeration on an Internal Network
Objective:
To gather user and share info from a Windows machine in the same subnet.
Steps:
-
Identify live hosts with
pingornmap. -
Use
nbtstat -Ato get NetBIOS table. -
Run
net view \\to list shared folders. -
Use
enumorMetasploitfor deeper enumeration.
Outcome:
Information on shares like C$, Admin$, or public folders is gathered. If weak permissions are found, this could lead to unauthorized access.
How to Prevent NetBIOS Enumeration Attacks
| Defense Strategy | Description |
|---|---|
| Disable NetBIOS | Turn off NetBIOS on systems where it’s not needed |
| Restrict Ports | Use firewalls to block ports 137–139 |
| Disable Null Sessions | Enforce SMB signing and restrict anonymous logins |
| Patch Systems | Apply latest security updates to SMB/NetBIOS services |
| Audit Shares | Remove unnecessary shared folders or limit access |
Summary Table: Tools vs. Capabilities
| Tool | User Info | Shared Folders | Null Session Support | OS Detection |
|---|---|---|---|---|
nbtstat |
✅ | ❌ | ❌ | ❌ |
net view |
❌ | ✅ | ❌ | ❌ |
enum |
✅ | ✅ | ✅ | ❌ |
nmap |
✅ | ✅ | ✅ | ✅ |
nbtscan |
✅ | ❌ | ❌ | ❌ |
Conclusion
NetBIOS enumeration is a powerful step in a penetration tester’s toolkit for Windows-based network reconnaissance. Whether you're targeting shared resources, user accounts, or system names, understanding NetBIOS can give attackers the visibility they need—and defenders the insights to tighten security. Disabling unnecessary services, monitoring SMB traffic, and regularly auditing permissions are essential defenses.
FAQs
What is NetBIOS enumeration in ethical hacking?
NetBIOS enumeration is a method used by ethical hackers to extract information such as shared folders, users, and system names from Windows-based networks using NetBIOS protocol.
Why is NetBIOS enumeration important in penetration testing?
It helps identify network shares, usernames, and misconfigurations that can be exploited for unauthorized access or lateral movement.
Which port does NetBIOS enumeration target?
It primarily targets ports 137, 138, and 139 which handle name resolution, datagrams, and session services.
What are the main tools used for NetBIOS enumeration?
Common tools include nbtstat, net view, enum4linux, nbtscan, Nmap, Metasploit, and SMBClient.
What is the use of the nbtstat -A command?
It displays the NetBIOS name table and MAC address of the remote system using an IP address.
What does the net view command do?
It lists all shared resources on a specific system or within a domain.
What is a null session attack?
A null session attack is when an attacker connects to a Windows system with no authentication to extract sensitive information.
How does enum4linux help in enumeration?
It gathers user names, group info, shares, and OS info from Windows machines over SMB.
What is SMB enumeration?
It is the process of collecting data from the Server Message Block protocol, including shares, printers, and users.
How can Metasploit be used for NetBIOS enumeration?
Metasploit has modules for SMB and NetBIOS enumeration that automate the information-gathering process.
What is nbtscan used for?
Nbtscan scans IP ranges to find NetBIOS name tables and MAC addresses of hosts.
What does nmap --script nbstat.nse do?
It uses Nmap's scripting engine to extract NetBIOS name tables from target machines.
Can NetBIOS be disabled for security?
Yes, disabling NetBIOS on interfaces where it's not needed can help reduce attack surfaces.
What information can be revealed via NetBIOS?
Usernames, machine names, workgroup/domain names, shared folders, and MAC addresses.
Is NetBIOS still used in modern networks?
Yes, especially in legacy Windows networks, but its use is decreasing due to security concerns.
How can organizations protect against NetBIOS enumeration?
Disable NetBIOS, enforce SMB signing, block ports 137–139, and monitor network activity.
What is the difference between NetBIOS and SMB?
NetBIOS is a naming protocol, while SMB is used for file and printer sharing; both often work together.
What are some signs of NetBIOS enumeration attacks?
Unusual access to port 139, repeated NetBIOS name queries, and null session attempts in logs.
What is the function of port 137?
Port 137 is used by the NetBIOS Name Service (NBNS) for name resolution.
Can NetBIOS enumeration be done remotely?
Yes, if ports are open and services are accessible from the attacker’s machine.
What is the impact of a successful NetBIOS enumeration?
It can lead to deeper network attacks such as brute-force login attempts or data theft via exposed shares.
What is the difference between NetBIOS and DNS?
NetBIOS is used for local network name resolution, while DNS is used for global internet name resolution.
Is NetBIOS enumeration detectable?
Yes, intrusion detection systems can flag abnormal NetBIOS traffic or scanning behavior.
What is the best tool for beginners to learn NetBIOS enumeration?
nbtstat and net view are good starting tools for Windows users.
What does enum -U do?
It retrieves a list of user accounts from the target machine using null session techniques.
Can Linux machines be targets of NetBIOS enumeration?
Rarely, since NetBIOS is a Windows protocol, but Samba shares on Linux can expose similar data.
What is an example of NetBIOS name format?
A typical NetBIOS name may look like WORKGROUP\COMPUTER1.
What is the role of firewalls in preventing NetBIOS enumeration?
Firewalls block unauthorized traffic on NetBIOS-related ports, reducing the chances of enumeration.
Are there alternatives to NetBIOS enumeration?
Yes, tools like LDAP enumeration or SNMP enumeration are alternatives in different environments.
What does NetBIOS stand for?
NetBIOS stands for Network Basic Input/Output System.
How is NetBIOS enumeration used in red teaming?
Red teamers use it to find weak access points, shared files, and user credentials in corporate networks.
![Top 10 Ethical Hackers in the World [2025]](https://www.webasha.com/blog/uploads/images/202408/image_100x75_66c2f983c207b.webp)
![[2025] Top 100+ VAPT Interview Questions and Answers](https://www.webasha.com/blog/uploads/images/image_100x75_6512b1e4b64f7.jpg)
