
Intrusion Detection FAQ: What is an NBT (NetBIOS) Name?

Dirk Lehmann, Siemens CERT
Updated by Jim McMillan
November 2009

A NetBIOS Name is a unique identifier, up to 15 characters long with a 16th character type identifier, that NetBIOS services use to identify resources on a network running NetBIOS over TCP/IP (NetBT). Due to security issues with NetBIOS, mainly information leaks, it is often disabled on corporate networks. However, it can still be found in use to support legacy systems and applications. So, if you happen to come across a NetBIOS name in your logs, how do you determine the IP address of the host using that NetBIOS Name?

NetBIOS Name Resolution

The method used to resolve NetBIOS names depends on how the network is configured and what NetBIOS node type is being used. The following table from Microsoft explains the various node types available.

| Node Type | Description |
|---|---|
| B-node (broadcast) | B-node uses broadcast NetBIOS name queries for name registration and resolution. B-node has two major problems: (1) Broadcasts disturb every node on the network, and (2) Routers typically do not forward broadcasts, so only NetBIOS names on the local network can be resolved. |
| P-node (peer-peer) | P-node uses a NetBIOS name server (NBNS), such as a WINS server, to resolve NetBIOS names. P-node does not use broadcasts; instead, it queries the name server directly. |
| M-node (mixed) | M-node is a combination of B-node and P-node. By default, an M-node functions as a B-node. If an M-node is unable to resolve a name by broadcast, it queries a NBNS using P-node. |
| H-node (hybrid) | H-node is a combination of P-node and B-node. By default, an H-node functions as a P-node. If an H-node is unable to resolve a name through the NBNS, it uses a broadcast to resolve the name. |

(Table 11.4 from http://technet.microsoft.com/en-us/library/bb727013.aspx)

As you can see, there is a mixture of NBNS queries and broadcasts used to resolve a NetBIOS Name. To perform a NetBIOS Name lookup, we can use a Microsoft command line tool called NBTStat.

NBTStat can be used to display NetBT protocol statistics, local and remote NetBIOS name tables, and the NetBIOS Name Cache. To display all options available for NBTStat, just run "nbtstat.exe" at the command prompt with no command line options.

To find the IP address of the NetBIOS Name (NBT_NAME) we found in our log, run "nbtstat.exe -a NBT_NAME" from a command prompt to establish a connection to the remote system. Then run "nbtstat.exe -c" to display the NetBIOS Name Cache, where you will be able to identify the IP address belonging to NBT_NAME. The following is sample output for an investigation of the NetBIOS Name "MORPHEUS":

C:\>nbtstat.exe -a morpheus

<Local Adapter Name>:
Node IpAddress: [<local IP address>] Scope Id: []

NetBIOS Remote Machine Name Table
Name        Type                 Status
MORPHEUS    <00>       UNIQUE        Registered
MATRIX      <00>       GROUP         Registered
MORPHEUS    <20>       UNIQUE        Registered

MAC Address = <Remote MAC address>

C:\>nbtstat.exe -c

<Local Adapter Name>:
Node IpAddress: [<local IP address>] Scope Id: []

NetBIOS Remote Cache Name Table
Name        Type                 Host Address            Life [sec]
MORPHEUS    <00>       UNIQUE        <remote IP address>     340
MORPHEUS    <20>       UNIQUE        <remote IP address>     337

Be aware that for NBTStat to work, the host you are looking up must be active on your network and NetBT must be enabled on both hosts.

If NetBT is not enabled on the local host where you run the nbtstat command, you will get the following result:

Failed to access NetBT driver -- NetBT may not be loaded.

If NetBT is not enabled on the remote host you are trying to get the IP address of, or the host is no longer online, you will get the following result:

Host not found.

We can easily find the IP address for NBT names by utilizing the NBTStat command.
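When the same lookup has to be repeated for many names pulled from logs, the "nbtstat.exe -c" output can be parsed instead of read by eye. The following Python code is an added example, not part of the original FAQ or of any Microsoft tool; the function names, the sample text and the 192.0.2.x addresses are constructed for illustration.

```python
import re

# Constructed sample in the layout of the "nbtstat.exe -c" output above.
# 192.0.2.x are documentation addresses standing in for the real ones.
SAMPLE_CACHE = """\
Local Area Connection:
Node IpAddress: [192.0.2.10] Scope Id: []

NetBIOS Remote Cache Name Table
Name        Type                 Host Address    Life [sec]
MORPHEUS    <00>       UNIQUE        192.0.2.45     340
MORPHEUS    <20>       UNIQUE        192.0.2.45     337
MATRIX      <1E>       GROUP         192.0.2.77     120
"""

# The two failure messages quoted in this FAQ and what each one means.
ERRORS = {
    "Failed to access NetBT driver": "NetBT is not enabled on the local host",
    "Host not found": "remote host is offline or has NetBT disabled",
}

# One cache row: name (up to 15 chars), <hex type byte>, UNIQUE/GROUP, IPv4, life.
ROW = re.compile(
    r"^\s*(?P<name>.{1,15}?)\s*<(?P<suffix>[0-9A-Fa-f]{2})>\s+"
    r"(?P<type>UNIQUE|GROUP)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<life>-?\d+)\s*$"
)

def parse_cache(text):
    """Return the cache rows as dicts; raise RuntimeError on a known nbtstat failure."""
    for marker, meaning in ERRORS.items():
        if marker in text:
            raise RuntimeError(f"{marker}: {meaning}")
    rows = []
    for line in text.splitlines():  # banner, header and blank lines do not match
        m = ROW.match(line)
        if m:
            rows.append({"name": m["name"].upper(), "suffix": m["suffix"].upper(),
                         "type": m["type"], "ip": m["ip"], "life": int(m["life"])})
    return rows

def resolve(text, nbt_name):
    """IPs cached for nbt_name. GROUP rows are skipped: a group name is shared
    by several hosts, so it does not identify the machine seen in the log."""
    wanted = nbt_name.strip().upper()[:15]
    return sorted({r["ip"] for r in parse_cache(text)
                   if r["name"] == wanted and r["type"] == "UNIQUE"})

if __name__ == "__main__":
    print(resolve(SAMPLE_CACHE, "morpheus"))
```

On a live system, feed `resolve()` the text captured from "nbtstat.exe -c" immediately after "nbtstat.exe -a NBT_NAME", since cache entries expire after the Life value shown.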

Resources

Tech FAQ (n.d.). What are NetBIOS Names? Retrieved from http://www.tech-faq.com/netbios-names.shtml

Microsoft Technet (2005, January 21). NetBIOS name resolution. Retrieved from http://technet.microsoft.com/en-us/library/cc738412(WS.10).aspx

Microsoft Technet (2005, June 27). Chapter 11 - NetBIOS over TCP/IP. Retrieved from http://technet.microsoft.com/en-us/library/bb727013.aspx

Microsoft (n.d.). Nbtstat. Retrieved from http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/nbtstat.mspx?mfr=true

Microsoft Technet (n.d.). Appendix G - NetBIOS Names. Retrieved from http://technet.microsoft.com/en-us/library/cc751193.aspx
