NetBIOS in Windows Environment
Introduction
NetBIOS (Network Basic Input/Output System) is an application programming interface (API) that defines how applications on a PC communicate with each other over a Local Area Network (LAN). It was developed for IBM's PC Network in 1983 and later adopted by Microsoft, and it grew from a single IBM product into the de facto standard networking API for PCs. In simpler words, it offers session-layer communication services on local networks: it lets a PC find other machines by name, open a connection to them and exchange data across the network. The original NetBIOS frames carried no network-layer address, so they could not be routed between network segments. The API was therefore separated from its transport so that NetBIOS applications could run over routable protocols such as TCP/IP and IPX/SPX; the name NetBIOS stayed with the API, while the original frame-level transport became known as NetBEUI (NetBIOS Extended User Interface), also called NetBIOS Frames (NBF). NetBIOS behaves like a session-layer protocol and supports two modes, session and datagram. In session mode a connection is established first and delivery of each message is confirmed; datagram mode is connectionless and does not guarantee delivery.
Purpose of Penetration Testing:
- Penetration testing aims to identify vulnerabilities in computer systems, networks, or web applications, providing proactive defence against potential cyber threats.
Evolution of Cyber Threats:
- The cyber threat landscape is rapidly evolving, witnessing a surge in sophisticated attacks, especially targeting endpoints like computers, smartphones, and IoT devices.
Critical Role in Cyber Defence:
- Penetration testing is a critical component in cybersecurity defence, offering insights to address vulnerabilities before they can be exploited by sophisticated threats.
Economic Threat of Cybercrime:
- The economic threat from cybercrime is significant, with the average global data breach costing millions, emphasising the need for robust defence mechanisms.
Cost-Benefit Analysis:
- Despite upfront costs, penetration testing is economically prudent compared to potential losses from breaches, ensuring compliance, protecting reputation, and maintaining trust.
Case Study – Norsk Hydro:
- Norsk Hydro’s experience demonstrates the value of penetration testing in saving millions by identifying and addressing security gaps exploited during a ransomware attack.
Financial Impact:
- Upfront investment in penetration testing pays dividends by preventing potential disasters, safeguarding against exorbitant costs, and improving overall cybersecurity posture.
How NetBIOS works
NetBIOS provides the session-layer services (in OSI terms) that let computers on a network find each other and communicate. Early implementations ran directly over IEEE 802.2 as NetBIOS Frames (NBF) or over IPX/SPX; modern networks carry it over TCP/IP as NetBIOS over TCP/IP (NBT, specified in RFC 1001 and RFC 1002). NBT uses three well-known ports: the name service on UDP 137, the datagram service on UDP 138 and the session service on TCP 139. Running over TCP/IP means every computer has both a NetBIOS name (up to 15 characters plus a one-byte suffix identifying the service) and an IP address that corresponds to it. The process of translating a NetBIOS name into an IP address is known as NetBIOS name resolution, and it is what lets NetBIOS hosts talk to each other over TCP/IP: a host checks its local name cache, then broadcasts a name query on the subnet or asks a WINS server, and may finally fall back to an LMHOSTS file or DNS; the first positive answer is accepted. Once the name has been resolved to an IP address, the Address Resolution Protocol (ARP) maps that IP address to a MAC address, and once the physical address of the host is known, frames can be delivered to it.
Using NetBIOS, an application can locate the resources it needs, establish a connection and send or receive data.
Modes of communication in NetBIOS
NetBIOS allows communication in two ways: session and datagram. In session mode the two computers first establish a connection, after which messages are delivered in order with error detection and recovery, so delivery is reliable. Datagram mode is connectionless: a message is sent to a named host, to a group name or to every NetBIOS host on the local network, with no acknowledgement and no guarantee of delivery.
Each mode supports its own set of primitives. Session mode supports the following:
- Call: initiates a session with a remote computer identified by its NetBIOS name
- Listen: waits for an incoming session request, optionally only from a specified calling name
- Hang Up: closes the session once communication between the two devices is over
- Send: transmits data over an established session from one computer to the other
- Send No ACK: the same as Send, except that it does not wait for an acknowledgement from the receiver
- Receive: waits for incoming data on the session
Primitives in Datagram Mode
The following primitives are supported in NetBIOS datagram mode:
- Send Datagram: sends a datagram to a specific NetBIOS name (a unique name or a group name)
- Send Broadcast Datagram: sends a datagram to every NetBIOS host on the local network, whatever names they have registered
- Receive Datagram: waits for a datagram addressed to one of the local names and accepts it when it arrives
- Receive Broadcast Datagram: waits for and accepts broadcast datagrams
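To make the name resolution described under "How NetBIOS works" and the Call/Listen primitives above concrete, here is what the messages look like on the wire. This is an added illustration written for this article, not code from the original page; the layouts follow RFC 1001/1002, and the host names and addresses in it are made up. It encodes a NetBIOS name the way NBT does, builds the 50-byte broadcast name query a client sends to UDP 137, builds and parses the positive response, and then builds the TCP 139 session request that the Call primitive turns into, together with the server's positive or negative reply.

```python
"""NetBIOS over TCP/IP (NBT) on the wire: name service and session service.

Added example for this article (not the page's own code). Layouts per RFC 1001/1002;
all names and addresses used here are constructed.
"""
from __future__ import annotations

import struct

NBNS_PORT = 137  # name service (UDP)
NBDS_PORT = 138  # datagram service (UDP)
NBSS_PORT = 139  # session service (TCP)
WORKSTATION, FILE_SERVER = 0x00, 0x20  # common values of the 16th (suffix) byte


def encode_netbios_name(name: str, suffix: int = FILE_SERVER) -> bytes:
    """34-byte NBT name field: length 0x20, 32 letters, 0x00 (empty scope).

    The name is upper-cased and space-padded to 15 bytes, the suffix appended, and
    every byte split into two nibbles with 'A' (0x41) added to each nibble
    ("first-level encoding", RFC 1001 section 14.1).
    """
    if not 1 <= len(name) <= 15:
        raise ValueError("NetBIOS names are 1..15 characters")
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    letters = bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))
    return b"\x20" + letters + b"\x00"


def decode_netbios_name(field: bytes) -> tuple[str, int]:
    """Inverse of encode_netbios_name -> (name, suffix)."""
    if len(field) < 34 or field[0] != 0x20 or field[33] != 0x00:
        raise ValueError("malformed NBT name field")
    letters = field[1:33]
    raw = bytes(((letters[i] - 0x41) << 4) | (letters[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_name_query(name: str, trn_id: int, suffix: int = FILE_SERVER) -> bytes:
    """NAME QUERY REQUEST as a B-node broadcasts it to UDP/137 (RFC 1002 4.2.12).

    Header: TRN_ID, flags 0x0110 (OPCODE=0 query, RD=1, B=1 broadcast), QDCOUNT=1.
    Question: encoded name, QTYPE 0x0020 (NB), QCLASS 0x0001 (IN). 12+34+4 = 50 bytes.
    """
    header = struct.pack(">HHHHHH", trn_id, 0x0110, 1, 0, 0, 0)
    return header + encode_netbios_name(name, suffix) + struct.pack(">HH", 0x0020, 0x0001)


def build_positive_name_response(trn_id: int, name: str, ip: str, ttl: int = 300000,
                                 suffix: int = FILE_SERVER) -> bytes:
    """POSITIVE NAME QUERY RESPONSE (RFC 1002 4.2.13) for a unique B-node name.

    Flags 0x8580 = R, AA, RD, RA set, RCODE 0. One answer RR whose RDATA is NB_FLAGS
    (G=0 unique, ONT=00 B-node) plus the 4-byte NB_ADDRESS. Nothing here is
    authenticated: any host on the segment can emit this for any name.
    """
    header = struct.pack(">HHHHHH", trn_id, 0x8580, 0, 1, 0, 0)
    rr = encode_netbios_name(name, suffix) + struct.pack(">HHIH", 0x0020, 0x0001, ttl, 6)
    return header + rr + struct.pack(">H", 0x0000) + bytes(int(o) for o in ip.split("."))


def parse_name_response(pkt: bytes) -> dict:
    """Decode a name query response into the answered name, suffix and addresses."""
    trn_id, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (R bit clear)")
    if flags & 0x000F:
        raise ValueError(f"negative response, RCODE={flags & 0xF:#x}")
    if an != 1:
        raise ValueError("expected exactly one answer RR")
    name, suffix = decode_netbios_name(pkt[12:46])
    rr_type, _rr_class, ttl, rdlen = struct.unpack(">HHIH", pkt[46:56])
    if rr_type != 0x0020:
        raise ValueError("answer is not an NB record")
    addrs = []
    for off in range(56, 56 + rdlen, 6):  # one NB_FLAGS + NB_ADDRESS pair per 6 bytes
        nb_flags, addr = struct.unpack(">H4s", pkt[off:off + 6])
        addrs.append({"ip": ".".join(map(str, addr)), "group": bool(nb_flags & 0x8000)})
    return {"trn_id": trn_id, "name": name, "suffix": suffix, "ttl": ttl, "addresses": addrs}


def build_session_request(called: str, calling: str) -> bytes:
    """NBSS SESSION REQUEST, the wire form of the Call primitive (RFC 1002 4.3.2).

    Sent over TCP/139 after the called name has been resolved: TYPE 0x81, FLAGS 0,
    16-bit LENGTH, then the encoded CALLED NAME (server, 0x20) and CALLING NAME
    (client, 0x00).
    """
    body = encode_netbios_name(called, FILE_SERVER) + encode_netbios_name(calling, WORKSTATION)
    return struct.pack(">BBH", 0x81, 0x00, len(body)) + body


SESSION_ERRORS = {0x80: "not listening on called name", 0x81: "not listening for calling name",
                  0x82: "called name not present", 0x83: "insufficient resources",
                  0x8F: "unspecified error"}


def parse_session_response(pkt: bytes) -> tuple[bool, str]:
    """Server reply to a SESSION REQUEST: 0x82 positive, or 0x83 negative + 1-byte error."""
    ptype, _flags, length = struct.unpack(">BBH", pkt[:4])
    if ptype == 0x82 and length == 0:
        return True, "session established"
    if ptype == 0x83 and length == 1:
        return False, SESSION_ERRORS.get(pkt[4], f"error {pkt[4]:#x}")
    raise ValueError(f"unexpected session packet type {ptype:#x}")
```

The `build_positive_name_response` function is the point to keep in mind for the next section: the response carries only a transaction ID copied from the query, a name and an address, so a client cannot tell a genuine owner of the name from any other machine on the segment that answers first.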
Security and Weaknesses
Windows still uses NetBIOS name resolution as a fallback when DNS cannot resolve a name, and this gives resiliency and easy access to resources on the local segment. The price is security: NetBIOS name registration and resolution are unauthenticated and broadcast-based, so leaving it enabled widens the attack surface. It is therefore advisable to disable NetBIOS on the network and on devices wherever it is not required; doing so removes a well-known avenue for attackers to intercept traffic and harvest confidential information. It is worth noting that in modern networks NetBIOS runs over TCP/IP as NBT, so even a fully IP-based network still carries this legacy functionality unless it is explicitly switched off.
NetBIOS is an API rather than a network protocol, and NBT, the protocol that carries it, performs no authentication: any host on the segment can answer a broadcast name query, and the requester accepts the first response it receives. An attacker on the local network can therefore impersonate another resource, or claim a name that does not exist at all (a mistyped server name in a UNC path is enough), and redirect the victim's traffic to a machine under the attacker's control. Because the redirected requests are ones the victim legitimately wanted to make, the client will typically go on to authenticate to the attacker's host, for example when connecting to a file share, exposing NTLM authentication material that can be cracked offline. The name service also answers node status requests from anyone, so an unauthenticated attacker can enumerate a host's registered names, workgroup and logged-on user with a tool such as nbtstat. Network administrators should determine whether NetBIOS is actually used in their network, learn how to disable it, and understand the implications for any legacy systems that depend on it.
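The impersonation described above leaves a recognisable pattern in name-service traffic, and the following added example (written for this article, not taken from the page) shows the detection logic a defender can run over captured UDP 137 queries and responses. It works on already-decoded records rather than raw packets; the hosts, names and transaction IDs are constructed sample data in which 10.0.0.66 is answering names it does not own. The `wins_servers` allow-list is an assumption about the reader's environment: a WINS server legitimately answers with addresses other than its own, which would otherwise trip the third-party rule.

```python
"""Detecting NBNS spoofing from observed name-service traffic.

Added example for this article, not code from the original page. Input records are
decoded NBNS queries/responses (e.g. from a capture of UDP/137); the sample traffic
at the bottom is constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class NbnsQuery:
    trn_id: int    # NAME_TRN_ID chosen by the requester
    src_ip: str    # the requesting host
    name: str      # queried NetBIOS name


@dataclass(frozen=True)
class NbnsResponse:
    trn_id: int
    src_ip: str    # host that sent the response
    name: str      # name in the answer RR
    answer_ip: str # NB_ADDRESS carried in RDATA


def detect_nbns_spoofing(queries, responses, wins_servers=(), many_names=3):
    """Return findings as (rule, subject, detail) tuples.

    Rules:
      unsolicited - a response whose (trn_id, name) matches no observed query
      third_party - a responder claims a name lives at an address other than its own
                    (normal for WINS servers, hence the allow-list)
      conflict    - the same name was answered with different addresses
      many_names  - one host answered `many_names` or more distinct names; a poisoner
                    that replies to every query looks exactly like this
    """
    findings = []
    outstanding = {(q.trn_id, q.name) for q in queries}
    answers_by_name = defaultdict(set)
    names_by_responder = defaultdict(set)
    for r in responses:
        if (r.trn_id, r.name) not in outstanding:
            findings.append(("unsolicited", r.src_ip, f"answered {r.name} without a matching query"))
        if r.answer_ip != r.src_ip and r.src_ip not in wins_servers:
            findings.append(("third_party", r.src_ip, f"says {r.name} is at {r.answer_ip}"))
        answers_by_name[r.name].add(r.answer_ip)
        names_by_responder[r.src_ip].add(r.name)
    for name, ips in sorted(answers_by_name.items()):
        if len(ips) > 1:
            findings.append(("conflict", name, f"answered with {sorted(ips)}"))
    for ip, names in sorted(names_by_responder.items()):
        if len(names) >= many_names:
            findings.append(("many_names", ip, f"claims {len(names)} names: {sorted(names)}"))
    return findings


def sample_traffic():
    """Constructed capture: 10.0.0.66 is poisoning the segment."""
    queries = [
        NbnsQuery(0x0001, "10.0.0.31", "FILESRV01"),
        NbnsQuery(0x0002, "10.0.0.31", "FLIESRV01"),  # typo in a UNC path; nobody owns it
        NbnsQuery(0x0003, "10.0.0.42", "WPAD"),
        NbnsQuery(0x0004, "10.0.0.42", "DC01"),
    ]
    responses = [
        NbnsResponse(0x0001, "10.0.0.20", "FILESRV01", "10.0.0.20"),  # legitimate owner
        NbnsResponse(0x0002, "10.0.0.66", "FLIESRV01", "10.0.0.66"),  # claims the typo
        NbnsResponse(0x0003, "10.0.0.66", "WPAD", "10.0.0.66"),       # claims WPAD
        NbnsResponse(0x0004, "10.0.0.5", "DC01", "10.0.0.5"),         # the real DC
        NbnsResponse(0x0004, "10.0.0.66", "DC01", "10.0.0.66"),       # raced the real DC
        NbnsResponse(0x0099, "10.0.0.66", "PRINTSRV", "10.0.0.66"),   # no query was seen
    ]
    return queries, responses


if __name__ == "__main__":
    for rule, subject, detail in detect_nbns_spoofing(*sample_traffic()):
        print(f"[{rule}] {subject}: {detail}")
```

The conflict rule is the one that catches a poisoner racing a real server for a name that does exist; the many-names rule catches the more common case where it answers for names that exist nowhere, which a legitimate host never does.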
Strengthening Security in NetBIOS
NetBIOS is a legacy API and is only needed where old applications, or old versions of the Windows operating system that depend on it, are still in use. After establishing whether anything on the network actually requires it, the recommended course is to disable NetBIOS over TCP/IP altogether and make sure every computer can rely on DNS, the modern alternative, for name resolution. On Windows the setting is per network adapter: it can be changed on the WINS tab of the adapter's advanced TCP/IP properties, through the NetbiosOptions value under HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{adapter GUID} (0 = follow the DHCP server's setting, 1 = enabled, 2 = disabled), or centrally through the Microsoft vendor-specific DHCP option that disables NetBIOS, which only applies to adapters left at the default value of 0. Where NetBIOS cannot be disabled, do not run it on default settings: restrict UDP 137/138 and TCP 139 to the hosts that genuinely need them and block those ports at the network perimeter to keep attackers at bay.
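Checking that the setting really is off on every adapter is easy to get wrong by hand, because each adapter has its own Tcpip_{GUID} key and a missing NetbiosOptions value silently means "follow DHCP". The following added example (written for this article, not code from the page) audits the text that `reg export HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces netbt.reg` produces, once decoded from the UTF-16 the tool writes, and emits the `reg add` commands that would fix any adapter not explicitly disabled. The export embedded below is constructed sample data with one compliant and two non-compliant adapters; the GUIDs are made up.

```python
r"""Audit NetBIOS over TCP/IP per adapter from a registry export.

Added example for this article, not code from the original page. Parses the output of
  reg export HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces netbt.reg
(read as text after UTF-16 decoding) and reports adapters where NetBIOS is not disabled.
"""
from __future__ import annotations

import re

DISABLED = 2
MEANING = {0: "default (follows DHCP; enabled unless the DHCP server disables it)",
           1: "enabled", 2: "disabled"}

# Interface subkeys are named Tcpip_{GUID}; the parent Interfaces key itself is ignored.
KEY_RE = re.compile(r"^\[.*\\NetBT\\Parameters\\Interfaces\\(Tcpip_\{[0-9A-Fa-f-]+\})\]$")
VALUE_RE = re.compile(r'^"NetbiosOptions"=dword:([0-9A-Fa-f]{8})$')


def parse_netbt_export(text: str) -> dict[str, int]:
    """Map each Tcpip_{GUID} key to its NetbiosOptions value; absent value counts as 0."""
    settings: dict[str, int] = {}
    current = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            settings.setdefault(current, 0)
            continue
        value = VALUE_RE.match(line)
        if value and current:
            settings[current] = int(value.group(1), 16)
    return settings


def noncompliant_interfaces(settings: dict[str, int]) -> list[tuple[str, str]]:
    """(interface, human-readable state) for every adapter not explicitly set to 2."""
    return [(iface, MEANING.get(v, f"unknown value {v}"))
            for iface, v in sorted(settings.items()) if v != DISABLED]


def remediation_commands(bad: list[tuple[str, str]]) -> list[str]:
    """One `reg add` per non-compliant adapter, forcing NetbiosOptions to 2."""
    base = r"HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"
    return [f'reg add "{base}\\{iface}" /v NetbiosOptions /t REG_DWORD /d 2 /f'
            for iface, _ in bad]


# Constructed sample export: one adapter disabled, one at default, one explicitly enabled.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{11111111-2222-3333-4444-555555555555}]
"NetbiosOptions"=dword:00000002
"NameServerList"=hex(7):00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{66666666-7777-8888-9999-000000000000}]
"NameServerList"=hex(7):00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
"NetbiosOptions"=dword:00000001
"""

if __name__ == "__main__":
    bad = noncompliant_interfaces(parse_netbt_export(SAMPLE_EXPORT))
    for iface, state in bad:
        print(f"{iface}: NetBIOS {state}")
    print("\n".join(remediation_commands(bad)))
```

The same state can be set without touching the registry directly through WMI, by calling the SetTcpipNetbios method of Win32_NetworkAdapterConfiguration with argument 2 for each adapter; either way, re-run the audit afterwards rather than trusting the change was applied everywhere.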