Commonly Exploited Services: The Windows OS is popular with both users and attackers for various reasons, but for now let’s focus on attackers and what they exploit.
Windows has long been known for running numerous services by default, each of which opens up a can of worms for a defender and a target of opportunity for an attacker.
Each service on a system is designed to provide extra features and capabilities to the system such as file sharing, name resolution, and network management, among others.
Windows can have 30 or so services running by default, not including the ones that individual applications may install.
One step in gaining a foothold in a Windows system is exploiting the NetBIOS API.
This service was originally intended to assist in the access to resources on a local area network only.
The service was designed to use 16-character names, with the first 15 characters identifying the machine and the last character representing a service or item on the machine itself.
NetBIOS has proven to be a blessing to some and a curse to others. Let’s look at why.
NOTE: NetBIOS was developed by Sytek and IBM many years ago for the LANs that were available at the time. Due to the design of the protocol and the evolution of networks, the service is no longer preferred.
An attacker who is using certain tools and techniques (more on this in a moment) can extract quite a bit of information from NetBIOS.
Using scanning techniques, an attacker can sweep a system, find port 139, and know that this port is commonly associated with NetBIOS.
Once the port has been identified, they can attempt to view or access information such as file shares, printer sharing, usernames, group information, or other goodies that may prove helpful.
One of the many tools that can be used to work with NetBIOS is a common command-line utility called nbtstat.
This utility can display information, including name tables and protocol statistics, for local or remote systems.
Included with every version of the Windows operating system, nbtstat can assist in network troubleshooting and maintenance.
It is specifically designed to troubleshoot name-resolution issues that are a result of the NetBIOS service.
During normal operation, a service in Windows known as NetBIOS over TCP/IP will resolve NetBIOS names to IP addresses. Nbtstat is designed to locate problems with this service.
In addition, the utility has the ability to return names (if any) registered with the Windows Internet Naming Service (WINS).
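To make the 16-character name format and the nbtstat name table concrete, here is an added Python example (not code from the original text) that parses the "NetBIOS Remote Machine Name Table" rows printed by nbtstat -A, maps the 16th-byte suffix to its service using a subset of the well-known Microsoft suffix values, builds the 16-byte wire name, and applies the RFC 1001 first-level encoding. The nbtstat output it parses is constructed sample text, not a real capture.

```python
import re
from dataclasses import dataclass

# Well-known 16th-byte suffixes (subset); suffix plus UNIQUE/GROUP names the service
SUFFIXES = {
    (0x00, "UNIQUE"): "Workstation Service",
    (0x00, "GROUP"): "Domain or Workgroup Name",
    (0x03, "UNIQUE"): "Messenger Service",
    (0x1B, "UNIQUE"): "Domain Master Browser",
    (0x1D, "UNIQUE"): "Master Browser",
    (0x1E, "GROUP"): "Browser Service Elections",
    (0x20, "UNIQUE"): "File Server Service",
}

@dataclass
class NbEntry:
    name: str    # the up-to-15-character machine or group name
    suffix: int  # the 16th byte
    kind: str    # "UNIQUE" or "GROUP"
    def role(self) -> str:
        return SUFFIXES.get((self.suffix, self.kind), "Unknown")

    def wire_name(self) -> bytes:
        # The 16-byte NetBIOS name: 15 characters, space-padded, plus the suffix byte
        return self.name.ljust(15).encode("ascii") + bytes([self.suffix])

    def encoded(self) -> str:
        # RFC 1001 first-level encoding: each nibble becomes a letter in A..P, giving
        # the 32-character form carried in NetBIOS name-service packets on UDP 137
        return "".join(chr(65 + (b >> 4)) + chr(65 + (b & 0x0F)) for b in self.wire_name())

# Matches the rows of the "NetBIOS Remote Machine Name Table" printed by nbtstat -A
ROW_RE = re.compile(r"^\s*(\S{1,15})\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+Registered", re.M)

def parse_nbtstat(text: str) -> list:
    return [NbEntry(m[1], int(m[2], 16), m[3]) for m in ROW_RE.finditer(text)]

def file_sharing_hosts(entries: list) -> list:
    # A <20>/UNIQUE registration announces the file server service (the SMB shares
    # reachable over port 139), which is what a defender reviewing exposure wants flagged
    return sorted({e.name for e in entries if e.suffix == 0x20 and e.kind == "UNIQUE"})

# Constructed sample of nbtstat -A output (not a real capture)
SAMPLE = """   Name               Type         Status
---------------------------------------------
WORKSTATION01  <00>  UNIQUE      Registered
WORKSTATION01  <20>  UNIQUE      Registered
WORKGROUP      <00>  GROUP       Registered
WORKGROUP      <1E>  GROUP       Registered
"""
```

Running parse_nbtstat(SAMPLE) yields four entries; the <20> row is the one file_sharing_hosts reports, and encoded() of any entry is the 32-letter string seen in a name-service query for that name.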