What is NetBIOS? Does Windows need its ports 137 and 138 open?
From hackerthreads.org:
NetBIOS stands for Network basic input output system and is used in Windows for its file and printer sharing.
From Wikipedia:
It provides services related to the session layer of the OSI model allowing applications on separate computers to communicate over a local area network.
From TechNet:
A Session layer programming interface. NetBIOS is a standard application programming interface (API) at the Session layer of the Open Systems Interconnect (OSI) reference model so that user applications can utilize the services of installed network protocol stacks. An application that uses the NetBIOS interface API for network communication can be run on any protocol stack that supports a NetBIOS interface.
A session management and data transport protocol. NetBIOS is also a protocol that functions at the Session and Transport layers and that provides commands and support for the following services:
- Network name registration and verification.
- Session establishment and termination.
- Reliable connection-oriented session data transfer.
- Unreliable connectionless datagram data transfer.
- Protocol and adapter monitoring and management.
NetBIOS over TCP/IP (NetBT) sends the NetBIOS protocol over the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP).
From another TechNet article, NetBIOS implementation over TCP/IP?:
The Windows 2000 implementation of NetBIOS over TCP/IP is referred to as NetBT. NetBT uses the following TCP and UDP ports:
- UDP port 137 (name services)
- UDP port 138 (datagram services)
- TCP port 139 (session services)
NetBIOS over TCP/IP is specified by RFC 1001 and RFC 1002. The Netbt.sys driver is a kernel-mode component that supports the TDI interface. Services such as workstation and server use the TDI interface directly, while traditional NetBIOS applications have their calls mapped to TDI calls through the Netbios.sys driver. Using TDI to make calls to NetBT is a more difficult programming task, but can provide higher performance and freedom from historical NetBIOS limitations.
The architecture would be like this:
You can try a hack on NetBIOS over SSN – NetBIOS usage in Linux:
```
C:\>nbtstat.exe -a morpheus
<Local Adapter Name>:
Node IpAddress: [<local IP address>] Scope Id: []

    NetBIOS Remote Machine Name Table

    Name       Type    Status
    MORPHEUS   <00>    UNIQUE    Registered
    MATRIX     <00>    GROUP     Registered
    MORPHEUS   <20>    UNIQUE    Registered

    MAC Address = <Remote MAC address>

C:\>nbtstat.exe -c
<Local Adapter Name>:
Node IpAddress: [<local IP address>] Scope Id: []
```
How does NetBT behave over DNS/internet enhancements:
I just wanted to add that for versions of Windows from Windows 2000 and onward, all of the legacy NetBIOS functionality from ports 137, 138 and 139 is by default handled by SMB (Server Message Block) over port 445. If the computers on both ends of the network connection are Windows 2000 or later, you can safely block ports 137, 138 and 139 as long as port 445 is open.
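Added example, not part of the answers or the sources quoted above: Python code that decodes the question section of a NetBT name service packet (UDP port 137, RFC 1001/1002), which is what you need when reading this traffic in a packet capture before deciding whether the ports can be blocked. The function names and the sample packet are constructed for illustration, and names with a scope ID are assumed not to occur.

```python
import struct

# Question types used by the NetBIOS name service (RFC 1002)
QTYPES = {0x0020: "NB", 0x0021: "NBSTAT"}


def encode_name(name: str, suffix: int) -> bytes:
    """First-level encoding (RFC 1001, section 14.1): pad to 15 bytes, append
    the suffix byte, then map every nibble to a letter 'A'..'P'."""
    raw = name.upper().encode("ascii").ljust(15, b" ")[:15] + bytes([suffix])
    return bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))


def decode_name(encoded: bytes) -> tuple[str, int]:
    """Reverse the encoding; returns (name, suffix). Rejects malformed labels."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(" "), raw[15]


def parse_nbns_question(payload: bytes) -> dict:
    """Parse the 12-byte header and the first question of a UDP/137 payload."""
    if len(payload) < 12 + 34 + 4:
        raise ValueError("truncated NBNS packet")
    txid, flags, qdcount = struct.unpack_from(">HHH", payload, 0)
    # Byte 12 is the label length (0x20); byte 45 is the terminator when no scope is used.
    if qdcount < 1 or payload[12] != 0x20 or payload[45] != 0x00:
        raise ValueError("unexpected question layout (scoped names not handled)")
    name, suffix = decode_name(payload[13:45])
    qtype, _qclass = struct.unpack_from(">HH", payload, 46)
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "broadcast": bool(flags & 0x0010), "name": name,
            "suffix": suffix, "qtype": QTYPES.get(qtype, hex(qtype))}


# Constructed sample: broadcast name query for MORPHEUS<20>, matching the <20>
# entry shown in the nbtstat output on this page.
SAMPLE = (struct.pack(">HHHHHH", 0x1234, 0x0110, 1, 0, 0, 0)
          + b"\x20" + encode_name("MORPHEUS", 0x20) + b"\x00"
          + struct.pack(">HH", 0x0020, 0x0001))

if __name__ == "__main__":
    print(parse_nbns_question(SAMPLE))
```

If a capture on a segment shows no such queries and no traffic on UDP 138 or TCP 139, nothing there still depends on NetBT.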