Windows Name Resolution and SMB
NetBIOS Name Service and LLMNR
NetBIOS (Network Basic Input/Output System) and LLMNR (Link-Local Multicast Name Resolution) are used primarily by Windows for host identification. LLMNR is based on the DNS protocol format, and allows hosts on the same local link to perform name resolution for other hosts.
NetBIOS provides three different services:
NetBIOS Name Service (NetBIOS-NS) for name registration and resolution.
Datagram Service (NetBIOS-DGM) for connectionless communication.
Session Service (NetBIOS-SSN) for connection-oriented communication.
NetBIOS uses the following ports and protocols:
TCP 135: MS-RPC (Microsoft Remote Procedure Call) endpoint mapper.
TCP 139: NetBIOS Session Service.
TCP 445: SMB Protocol for sharing files.
UDP 137: NetBIOS Name Service.
UDP 139: NetBIOS Datagram Service.
Traditionally, a NetBIOS name was a 16-character name assigned to a computer in a workgroup, used to resolve an IP address to a NetBIOS name. This role has since been taken over by DNS.
A workgroup is a LAN peer-to-peer network supporting ten hosts in the same subnet. There is no central administration; each user controls the resources and security on their own system. A domain-based implementation is a client-server network supporting thousands of hosts across many subnets. A user with a domain account can log on to any computer in the domain by authenticating with a domain controller.
A common attack on LLMNR and NBT-NS has an attacker pose as an authoritative source for name resolution on a victim system by answering LLMNR traffic on UDP 5355 and NBT-NS traffic on UDP 137. Several tools implement this, such as NBNSSpoof, Metasploit, and Responder.
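The spoofing described above can be spotted from the defender's side by watching for replies to a name that no real host on the link carries: a legitimate LLMNR responder never answers for a name it does not own. The following is an added example, not part of these notes or of any of the tools named: a minimal parser for the LLMNR wire format (the DNS layout the notes mention) plus a check run over constructed sample datagrams. The decoy name, the transaction ID and the hosts 10.0.0.5 and 10.0.0.99 are made-up values.

```python
import socket
import struct

def _read_name(buf, off):
    """Decode a DNS-style label sequence at off; returns (name, offset after it)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0 == 0xC0:  # compression pointer into an earlier name
            return '.'.join(labels + [_read_name(buf, ((n & 0x3F) << 8) | buf[off])[0]]), off + 1
        labels.append(buf[off:off + n].decode('ascii'))
        off += n
    return '.'.join(labels), off

def parse_llmnr(buf):
    """Parse one LLMNR datagram; LLMNR reuses the DNS header, question and RR layout."""
    tid, flags, qd, an, _ns, _ar = struct.unpack('!HHHHHH', buf[:12])
    off = 12
    msg = {'id': tid, 'is_response': bool(flags & 0x8000), 'questions': [], 'answers': []}
    for _ in range(qd):
        name, off = _read_name(buf, off)
        msg['questions'].append(name)
        off += 4  # skip QTYPE and QCLASS
    for _ in range(an):
        name, off = _read_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack('!HHIH', buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record: render the IPv4 address
            rdata = socket.inet_ntoa(rdata)
        msg['answers'].append((name, rtype, rdata))
    return msg

def find_spoofed_responses(datagrams, decoy_names):
    """A response resolving a decoy name (one no real host carries) is a spoofed authority."""
    parsed = [(src, parse_llmnr(raw)) for src, raw in datagrams]
    return [(src, name, ip) for src, m in parsed if m['is_response']
            for name, rtype, ip in m['answers'] if rtype == 1 and name.lower() in decoy_names]

# Constructed sample (not a capture): a query for a decoy name, then a poisoned reply from 10.0.0.99
_Q = b'\x0bnosuch-host\x00' + struct.pack('!HH', 1, 1)  # QNAME, QTYPE=A, QCLASS=IN
QUERY = struct.pack('!HHHHHH', 0x1234, 0, 1, 0, 0, 0) + _Q
RESPONSE = (struct.pack('!HHHHHH', 0x1234, 0x8000, 1, 1, 0, 0) + _Q + b'\xc0\x0c'
            + struct.pack('!HHIH', 1, 1, 30, 4) + socket.inet_aton('10.0.0.99'))
SAMPLE = [('10.0.0.5', QUERY), ('10.0.0.99', RESPONSE)]
```

Run `find_spoofed_responses(SAMPLE, {'nosuch-host'})` to get the offending source host, the name it answered and the address it claimed.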
Some basic terms to understand when working with SMB:
Relative Identifier (RID): uniquely identifies a user, group, system, or domain.
Security Identifier (SID): uniquely identifies users and groups within a local domain.
Domain Controller (DC): server managing network and identity security requests.
Lightweight Directory Access Protocol (LDAP): directory access protocol enabling services and clients using LDAP naming services to communicate. LDAP typically operates over TCP 389.
Workgroup: group of standalone computers being independently administered.