February 22nd, 2018
Saying Goodbye to NetBIOS
NetBIOS (Network Basic Input/Output System) was created in the early 1980s, but it is surprisingly still alive and well on many networks today. Microsoft Windows still uses it for name resolution (often by default) when DNS is not available. Network resiliency and access to resources are good things, but keeping NetBIOS enabled for that reason is not. There are many security concerns with NetBIOS, and disabling its support on your network and devices is strongly recommended. Disabling the use and support of NetBIOS can help mitigate an attacker's ability to poison and spoof responses, obtain a user's hashed credentials, inspect web traffic, and so on.
Understanding NetBIOS
It's important to point out that NetBIOS itself is an API, not a networking protocol. However, in modern networks, NetBIOS runs over TCP/IP via the NBT protocol. Therefore, the legacy functions are still supported on today's networks. So, what is NetBIOS used for? NetBIOS is used for name resolution and communication on a local network.
NetBIOS provides three distinct services:
- Name Services (utilizing UDP or TCP port 137) allows for name registration and resolution.
- Datagram Services (utilizing UDP port 138) is for connectionless communication over a network, such as error reporting. It allows for message broadcasts to all computers on a network.
- Session Services (utilizing TCP port 139) lets two computers establish a connection for conversation.
The most common use for NetBIOS over TCP/IP (NBT) is for name resolution, if DNS is not supported or is not working on the local network. On modern networks, instances of an application or device not supporting DNS are rare. Additionally, DNS setup and redundancy configuration are well within the abilities of a network administrator. There are multiple ways to disable NBT, described later in this article.
Security Concerns with NetBIOS
Since NBT is an unauthenticated protocol, it's susceptible to poisoning attacks. This is when an attacker on the network impersonates, or 'spoofs,' another resource's identity and misdirects the victim's traffic. This can happen with legitimate requests or with mistyped names of resources the victim intends to access. At the same time the spoof occurs, the attacker also grabs the NTLM hash of the user's credentials presented by the victim's computer. This hash can be taken and run through a hash cracking mechanism to obtain the victim's plain-text password. This type of attack can occur on a compromised local network, a public wireless network, or a rogue access point set up to mimic a legitimate wireless network.
A similar attack leverages NBT to spoof the Web Proxy Auto-Discovery Protocol (WPAD). Web browsers use WPAD to configure the proxy settings through which they access web-based resources. An attacker can spoof the WPAD IP address, serve up an altered wpad.dat file, and then view all browser traffic of a victim's computer.
Disabling NetBIOS
CAUTION!!! DANGER!!!
It's important for an administrator to determine whether NBT is in use on the network, and to understand how to disable it and the implications of doing so. For example, disabling NetBIOS can break functionality for some processes if fully qualified domain names are not being used.
A good defense strategy for protecting your network from an attacker is to learn what the attacker knows, and use what the attacker uses. Many tools, such as Wireshark as well as various Metasploit modules, are available that allow an attacker to discover and take advantage of NBT on a network in order to compromise its resources. It is strongly recommended that an administrator learn how these tools work in order to better secure their network from such attacks.
Determining if you have NetBIOS on your network can be accomplished in multiple ways. Review your DHCP server settings and computer network configurations and disable if enabled (recommended steps are later in this article). Once you have NetBIOS disabled, you still need to ensure NetBIOS traffic is not present on your network. One method is to sniff the network for NetBIOS traffic. Wireshark is a commonly used software tool to analyze network traffic. A Wireshark capture listening on UDP port 137 will show NetBIOS Name Query packets. This capture will help you verify if NetBIOS traffic is still present on your network, and identify the source of the queries.
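The same check can be run offline over UDP port 137 payloads exported from a capture. The following is an added example, not code from the original article: it decodes the encoded name in each NetBIOS Name Query and counts queries per source, so remaining NetBIOS clients (and WPAD lookups in particular) stand out. Function names, addresses and host names are constructed for illustration.

```python
import struct
from collections import Counter

def encode_name(name, suffix=0x00):
    """RFC 1001 first-level encoding: 15 padded chars + suffix byte -> 32 bytes 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))

def decode_name(enc):
    """Reverse the encoding; returns (name, suffix) or raises ValueError."""
    if len(enc) != 32 or any(not 0x41 <= b <= 0x50 for b in enc):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(" \x00"), raw[15]

def parse_query(payload):
    """Parse one UDP/137 payload; return a dict for a name query, else None."""
    if len(payload) < 50:                 # 12 header + 34 name field + 4 type/class
        return None
    txid, flags, qdcount = struct.unpack("!3H", payload[:6])
    is_query = not (flags & 0x8000) and ((flags >> 11) & 0xF) == 0 and qdcount >= 1
    if not is_query or payload[12] != 0x20 or payload[45] != 0x00:
        return None                       # response, other opcode, or scoped name
    try:
        name, suffix = decode_name(payload[13:45])
    except ValueError:
        return None
    return {"txid": txid, "name": name, "suffix": suffix, "broadcast": bool(flags & 0x10)}

def build_query(name, suffix=0x00, txid=0x1234):
    """Constructed test input: broadcast name query (flags 0x0110, type NB, class IN)."""
    return (struct.pack("!6H", txid, 0x0110, 1, 0, 0, 0) + b"\x20" +
            encode_name(name, suffix) + b"\x00" + struct.pack("!HH", 0x0020, 0x0001))

def summarize(packets):
    """Count name queries per (source IP, queried name) from (src, payload) pairs."""
    parsed = ((src, parse_query(p)) for src, p in packets)
    return Counter((src, q["name"]) for src, q in parsed if q)

# Constructed sample capture: addresses and names are made up for illustration.
_resp = build_query("FILESRV01", 0x20)
SAMPLE = [("10.0.0.23", build_query("WPAD")), ("10.0.0.41", build_query("WPAD")),
          ("10.0.0.41", build_query("WPAD")), ("10.0.0.23", build_query("FILESRV01", 0x20)),
          ("10.0.0.5", _resp[:2] + b"\x85\x00" + _resp[4:]),  # response: ignored
          ("10.0.0.9", b"\x00" * 20)]                         # truncated: ignored

if __name__ == "__main__":
    for (src, name), n in summarize(SAMPLE).most_common():
        print(f"{src:<12} {name:<16} {n}")
```

Any source that still appears in the summary after NetBIOS has been disabled is a device that did not pick up the DHCP or registry setting.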
Disabling NetBIOS can (and should) be accomplished from both sides of the client/server model. You should disable it via DHCP server settings, as well as on the client via registry settings. Disabling from the DHCP server will ensure new devices obtaining a DHCP address will receive the appropriate setting. Disabling it via the registry will ensure these devices retain the setting when they are not connected to the controlled network, such as a traveling laptop.
Disabling the NetBIOS support from a (Windows) DHCP server can be accomplished by the following steps:
- Open Administrative Tools, then click DHCP.
- Expand the DHCP server name, expand the scope, right-click Scope Options, then click Configure Options.
- Click the Advanced tab, then 'Microsoft Windows 2000 Options' in the Vendor Class list.
- Make sure 'Default User Class' is selected in the User Class list.
- Select the checkbox for '001 Microsoft Disable NetBIOS Option' under Available Options.
- In the Data Entry area, type '0x2' in the Long box, then click OK.
Disabling the NetBIOS support on a client computer can be accomplished by the following steps:
Manually via Network Adapter settings:
- Open Network Connection Properties.
- Select TCP/IP v4.
- Click Advanced, then select the WINS tab.
- Select 'Disable NetBIOS over TCP/IP'.
- Click OK and reboot the computer.
Via registry settings:
It is worth noting that these settings are for each network adapter; scripts are available to configure these settings for all adapters in a computer. Evaluate the use of a script in your environment, and consider the implications if deployed en masse.
- Open registry editor.
- Edit the data for 'NetbiosOptions' and set the parameter to 2 (it will be 0 by default).
- Perform the above steps for each adapter in the computer.
- Close the registry editor and reboot the computer.
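A per-adapter audit of this setting can be scripted. The following is an added example, not a script from the original article: it reports 'NetbiosOptions' for every adapter and only writes the value 2 when run with `--apply` from an elevated prompt. It assumes the standard Windows location for per-adapter NetBT settings, which the article does not spell out; the function names are illustrative.

```python
import sys

# Assumption: standard Windows key holding one Tcpip_{GUID} subkey per adapter.
NETBT_INTERFACES = r"SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"
VALUE_NAME = "NetbiosOptions"
MEANING = {None: "not set", 0: "default (follow DHCP)", 1: "enabled", 2: "disabled"}
DISABLED = 2

def adapters_to_fix(current):
    """Given {interface_subkey: NetbiosOptions or None}, return those not set to 2."""
    return sorted(name for name, value in current.items() if value != DISABLED)

def read_all():
    """Read NetbiosOptions for every adapter subkey (Windows only)."""
    import winreg
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NETBT_INTERFACES) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):      # [0] = number of subkeys
            name = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, name) as sub:
                try:
                    result[name] = winreg.QueryValueEx(sub, VALUE_NAME)[0]
                except FileNotFoundError:                  # value absent on this adapter
                    result[name] = None
    return result

def disable(names):
    """Write NetbiosOptions=2 for the given adapter subkeys (needs admin rights)."""
    import winreg
    for name in names:
        path = NETBT_INTERFACES + "\\" + name
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0, winreg.KEY_SET_VALUE) as sub:
            winreg.SetValueEx(sub, VALUE_NAME, 0, winreg.REG_DWORD, DISABLED)

if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("This script reads the Windows registry and only runs on Windows.")
    current = read_all()
    for name, value in sorted(current.items()):
        print(f"{name}: {MEANING.get(value, value)}")
    todo = adapters_to_fix(current)
    if "--apply" in sys.argv[1:]:
        disable(todo)
        print(f"Set {VALUE_NAME}=2 on {len(todo)} adapter(s); reboot to take effect.")
    else:
        print(f"{len(todo)} adapter(s) would be changed; re-run with --apply to write.")
```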
As with any setting, it is imperative to test the settings on a subset of computers and evaluate its effect in your environment before deploying to a larger subset of computers.
The following links were used in the compilation of this article and provide reference for the technologies and settings discussed.
Background on NetBIOS and NBT:
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc940063(v=technet.10)?redirectedfrom=MSDN
https://en.wikipedia.org/wiki/NetBIOS_over_TCP/IP
Security Concerns:
https://isc.sans.edu/diary/Is+it+time+to+get+rid+of+NetBIOS/12454
Securing against attacks:
https://blog.westmonroepartners.com/secure-nbt-ns-poisoning-attacks/
Disabling NetBIOS:
https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/disable-netbios-tcp-ip-using-dhcp
https://woshub.com/how-to-disable-netbios-over-tcpip-and-llmnr-using-gpo/
Authored By: Dave Kelly, CEH