References

Port 137(UDP)/138(UDP)/139(TCP)

139, netbios-ssn, connections made to support file sharing activities usually with Windows machines but also with other systems running Samba (SMB).

NULL sessions (NetBIOS NULL sessions are enabled by default in Windows NT and 2000. Windows XP and 2003 will allow anonymous enumeration of shares, but not SAM accounts.)

For the NETBIOS suffix code, please refer to: http://www.pyeung.com/pages/microsoft/winnt/netbioscodes.html

root@kali:~/scripts# nbtscan 192.168.130.132 -v
Doing NBT name scan for addresses from 192.168.130.132

NetBIOS Name Table for Host 192.168.130.132:

Incomplete packet, 227 bytes long.
Name             Service          Type             
----------------------------------------
KIOPTRIX         <00>             UNIQUE
KIOPTRIX         <03>             UNIQUE
KIOPTRIX         <20>             UNIQUE
__MSBROWSE__  <01>              GROUP
MYGROUP          <00>              GROUP
MYGROUP          <1d>             UNIQUE
MYGROUP          <1e>              GROUP

Or we can use nmblookup

root@kali:~/scripts# nmblookup -A 192.168.130.132
Looking up status of 192.168.130.132
	KIOPTRIX        <00> -         B  
	KIOPTRIX        <03> -         B  
	KIOPTRIX        <20> -         B  
	..__MSBROWSE__. <01> -  B  
	MYGROUP         <00> -  B  
	MYGROUP         <1d> -         B  
	MYGROUP         <1e> -  B  

In this case, we can perform a -L to obtain the services available. -N will bypass the password prompt

oot@kali:~/scripts# smbclient -L \\KIOPTRIX -I 192.168.130.132 -N
WARNING: The "syslog" option is deprecated
Server does not support EXTENDED_SECURITY  but 'client use spnego = yes' and 'client ntlmv2 auth = yes' is set
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]

	Sharename       Type      Comment
	---------       ----      -------
	IPC$            IPC       IPC Service (Samba Server)
	ADMIN$          IPC       IPC Service (Samba Server)
Server does not support EXTENDED_SECURITY  but 'client use spnego = yes' and 'client ntlmv2 auth = yes' is set
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]

	Server               Comment
	---------            -------
	KIOPTRIX             Samba Server

	Workgroup            Master
	---------            -------
	MYGROUP              KIOPTRIX

The IPC$ share is also known as a null session connection. By using this session, Windows lets anonymous users perform certain activities, such as enumerating the names of domain accounts and network shares.

root@kali:~/scripts# smbclient //KIOPTRIX/IPC$ -I 192.168.130.132 -N
WARNING: The "syslog" option is deprecated
Server does not support EXTENDED_SECURITY  but 'client use spnego = yes' and 'client ntlmv2 auth = yes' is set
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
smb: \> ?
?              allinfo        altname        archive        backup         
blocksize      cancel         case_sensitive cd             chmod          
chown          close          del            dir            du             
echo           exit           get            getfacl        geteas         
hardlink       help           history        iosize         lcd            
link           lock           lowercase      ls             l              
mask           md             mget           mkdir          more           
mput           newer          notify         open           posix          
posix_encrypt  posix_open     posix_mkdir    posix_rmdir    posix_unlink   
posix_whoami   print          prompt         put            pwd            
q              queue          quit           readlink       rd             
recurse        reget          rename         reput          rm             
rmdir          showacls       setea          setmode        scopy          
stat           symlink        tar            tarmode        timeout        
translate      unlock         volume         vuid           wdel           
logon          listconnect    showconnect    tcon           tdis           
tid            logoff         ..             !              
smb: \> 

https://support.microsoft.com/en-us/help/832017/service-overview-and-network-port-requirements-for-windows

References
Share this