NetBIOS (Network Basic Input/Output System) is a legacy Windows networking API from the 1980s that helps computers communicate on local networks. It handles name resolution, sessions, and messaging. NetBIOS operates at the session layer of the OSI model, managing conversations between computers.

NetBIOS Ports and Services

NetBIOS uses three ports, each for a different purpose:

• UDP 137 - NetBIOS Name Service (NBNS): Resolves computer names to IP addresses. Windows Internet Name Service (WINS) uses this port. Think of it as a phone book lookup for the network.

• UDP 138 - NetBIOS Datagram Service: Handles connectionless broadcasts for quick one-way messages to multiple computers. Like shouting to everyone in a room.

• TCP 139 - NetBIOS Session Service: Provides connection-oriented file and printer sharing by establishing sessions between computers. Like a phone call with a direct connection.

Modern Evolution: Port 445

TCP Port 445 - SMB Direct over TCP/IP: Introduced in Windows 2000, this allows SMB (Server Message Block, the actual file-sharing protocol) to run directly on TCP/IP without needing the NetBIOS layer. This is faster and more secure than port 139. Both ports exist today for backward compatibility with older systems.

Key difference: Port 139 requires NetBIOS as a transport layer, while port 445 eliminates that dependency entirely.

NetBIOS Names and Resource Codes

Every computer registers multiple NetBIOS names with hexadecimal codes identifying different services:

• <00> - Workstation Service: Basic computer or workgroup name registration. This says "I exist on the network."

• <20> - File Server Service: Indicates that file and printer sharing is enabled. If you see this code, the computer has shared resources available.

• <1D> - Master Browser: The computer maintaining the browse list for the workgroup.

• <1E> - Browser Elections: Used during the Master Browser election process.

When you run nbtstat -n, you'll see your computer name listed multiple times with different hex codes, each representing a different service or capability.

Master Browser System

• The Master Browser is the computer that maintains the network's browse list - a directory of all computers and shared resources on that network segment.

• Browser Election happens automatically when the Master Browser goes offline or a better-qualified computer joins. Computers compete based on operating system type (Server beats Desktop), Windows version (newer beats older), and uptime (longer beats shorter). The winner becomes the new Master Browser and takes over maintaining the browse list.

This system is why Network Neighborhood or Network in File Explorer sometimes takes time to update or shows incomplete information.

NetBIOS Components

• Local Name Table: The list of NetBIOS names registered on your computer, showing what services you're running.

• Remote Name Table: A cached list of NetBIOS names for other computers on the network that you've communicated with or discovered.

• NetBIOS Name Cache: Temporary storage of recently resolved NetBIOS name-to-IP address mappings. Similar to DNS cache, this speeds up repeat connections by avoiding the need to query the network again. Cache entries typically expire after about 10 minutes.

• NetBT Statistics: Performance metrics tracking NetBIOS communications, including packets sent and received, connections established, errors, and timeouts. Used for monitoring network health and troubleshooting.

Essential Commands

• nbtstat -n: Shows your local NetBIOS name table with all the names and services registered on your computer.

• nbtstat -c: Displays your NetBIOS name cache, showing recently resolved names and their IP addresses.

• nbtstat -a COMPUTERNAME: Queries a remote computer by name to see its NetBIOS name table.

• nbtstat -A <IP Address>: Same as -a but uses an IP address instead of a computer name.

• nbtstat -r: Shows NetBIOS name resolution statistics, including how many names were resolved via broadcast versus WINS.

• nbtstat -s: Displays the NetBIOS session table showing active connections.

• net view: Lists computers in your workgroup that the Master Browser knows about.

• net view \COMPUTER: Shows available shares on a specific computer.

• net view \COMPUTER /all: Includes hidden administrative shares in the listing.

• ping -4 COMPUTERNAME: Forces IPv4 resolution to get the IP address of a computer.

Accessing Shared Files

To access files on another computer, you need the computer name or IP address. Use ping -4 or nbtstat -a to find the IP address.

Access files through File Explorer. Press Win + R and type two backslashes followed by the computer name or IP address: \COMPUTERNAME or \192.168.1.100

You can also access specific shares directly: \192.168.1.100\ShareName

Workgroups

Workgroups are logical groupings of computers for organization and discovery purposes. Some key information about workgroups:

• Workgroups are for browsing and organization only, not security. Computers in the same workgroup appear together in Network Neighborhood, making them easier to find. However, computers in different workgroups can still communicate if you know the computer name or IP address.

• A computer can only belong to one workgroup at a time, though you can change workgroups anytime. Being in a different workgroup doesn't prevent network access - it just means computers won't automatically appear in each other's browse lists.

• Modern corporate networks use Domains with Active Directory instead of workgroups because domains provide actual security, centralized management, and authentication.

Security Issues

NetBIOS has serious security vulnerabilities that make it dangerous on modern networks.

• Information Disclosure: Port 137 can reveal computer names, usernames, workgroup information, and MAC addresses through simple unauthenticated queries. This gives attackers valuable reconnaissance information.

• Null Session Attacks: Attackers can establish anonymous connections to enumerate shares, users, groups, and other sensitive information without providing credentials.

• Man-in-the-Middle: NetBIOS name resolution is vulnerable to spoofing attacks where an attacker can intercept traffic by responding to name queries with false IP addresses.

• Known Exploits: The EternalBlue exploit, which was used by the WannaCry ransomware in 2017, targeted vulnerabilities in SMBv1 over ports 139 and 445, causing massive worldwide damage.

Best Practices: Disable NetBIOS on any internet-facing network connections. Block ports 137, 138, 139, and 445 at your firewall for external traffic. Use modern protocols like DNS instead of WINS for name resolution. Completely disable SMBv1, which has known vulnerabilities. Implement network segmentation to limit the spread of attacks.

NetBIOS should be minimized or eliminated entirely on modern networks due to these security risks.