Port 139 — NETBIOS / SMB (Legacy)

A guide to enumeration and exploitation of legacy NetBIOS / SMB over NetBIOS

0) What is NETBIOS / SMB over NetBIOS?

Port 139 historically carries SMB traffic encapsulated over NetBIOS (the NetBIOS Session Service). Older Windows networks use it for file/print sharing and name services (NetBIOS name resolution). Many modern systems use SMB directly on TCP/445, but 139 remains relevant in legacy or mixed environments. It exposes shares, NetBIOS names, and RPC interfaces — often revealing hosts, users, and share configurations.

1) Recon Phase
- Discover port 139 and related NetBIOS services (137/138 are UDP, so a UDP scan is needed): nmap -sS -sU -sV -p T:139,U:137,138 <target>
- NetBIOS name scan: nmap -sU --script nbstat.nse -p 137 <target>
- Enumerate available NetBIOS names and broadcasts
- Passive recon: check Windows/legacy device ranges and SMB/NetBIOS footprints
      

Start with combined scanning of UDP 137/138 (NetBIOS name/service) and TCP 139 to map legacy SMB endpoints and NetBIOS names that help target enumeration.

2) Enumeration Phase
- smbclient -L //<target> -U ""    # list shares via NetBIOS/SMB (anonymous)
- enum4linux -a <target>           # comprehensive SMB/NetBIOS enumeration
- nmblookup -A <target>            # query NetBIOS name table and MAC
- nbtscan <subnet>                 # scan NetBIOS names across a subnet
- rpcclient -U "" <target>         # RPC enumeration over SMB/NetBIOS
- smbmap -H <target>               # list shares and permissions (when SMB accessible)
      

Look for NetBIOS names, domain/workgroup info, open/writable shares, and user lists returned by RPC or SMB over NetBIOS. NetBIOS can reveal hostnames and mapped drives useful for follow-up.
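The two-digit suffix in the `nmblookup -A` name table is what tells you which service each name registers. The parser below is an added example, not part of the original guide: it turns that table into a host/domain/role summary for a legacy-host inventory. The sample output is constructed, and the suffix meanings are the commonly documented ones.

```python
import re

# Common NetBIOS suffix bytes, keyed by (suffix, is_group_name).
SUFFIXES = {
    (0x00, False): "workstation service (host name)",
    (0x00, True): "domain/workgroup name",
    (0x20, False): "file server service",
    (0x1B, False): "domain master browser",
    (0x1C, True): "domain controllers",
    (0x1D, False): "master browser",
    (0x1E, True): "browser service elections",
}

# Constructed sample of `nmblookup -A` output (not captured from a real host).
SAMPLE = """\
Looking up status of 192.0.2.10
\tFILESRV01       <00> -         B <ACTIVE>
\tCORP            <00> - <GROUP> B <ACTIVE>
\tFILESRV01       <20> -         B <ACTIVE>
\tCORP            <1c> - <GROUP> B <ACTIVE>
\tCORP            <1e> - <GROUP> B <ACTIVE>

\tMAC Address = 00-11-22-33-44-55
"""

ROW = re.compile(r"^\s+(\S.*?)\s+<([0-9a-fA-F]{2})>\s+-\s+(<GROUP>)?")
MAC = re.compile(r"MAC Address = ([0-9A-Fa-f-]{17})")

def parse_node_status(text):
    """Parse a NetBIOS name table into host, domain, MAC, roles and findings."""
    info = {"host": None, "domain": None, "mac": None, "roles": [], "findings": []}
    seen = set()
    for line in text.splitlines():
        if m := MAC.search(line):
            info["mac"] = m.group(1)
        elif m := ROW.match(line):
            name, key = m.group(1), (int(m.group(2), 16), bool(m.group(3)))
            seen.add(key)
            info["roles"].append((name, SUFFIXES.get(key, f"unknown <{key[0]:02x}>")))
            if key[0] == 0x00:  # <00> is the host name (unique) or domain (group)
                info["domain" if key[1] else "host"] = name
    if (0x20, False) in seen:
        info["findings"].append("file sharing advertised over NetBIOS")
    if (0x1C, True) in seen:
        info["findings"].append("host registers as a domain controller")
    return info

if __name__ == "__main__":
    print(parse_node_status(SAMPLE))
```
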

3) Exploitation Phase
- Connect to discovered shares:
    smbclient //<target>/<share> -U ""        # download readable files (authorized only)

- Test for null sessions (legacy systems may allow):
    smbclient -N -L //<target>

- Leverage MS08-067 / older NetBIOS-related exploits on unpatched systems (use exploit frameworks, only authorized)
- Use harvested credentials to access SMB on 445 or authenticate to other services
- Pivot: escalate to domain services using SYSVOL/NETLOGON artifacts if available
      

Prioritize data extraction from exposed shares and harvesting of credentials or scripts in SYSVOL/NETLOGON. Legacy services are more likely to be vulnerable to older exploits—only use those in authorized tests.

NETBIOS/SMB Info — What to Look For

Tools required

# nmblookup ships in samba-common-bin; rpcclient ships in smbclient
sudo apt install nmap smbclient samba-common-bin smbmap enum4linux nbtscan
# Optional / advanced:
# - Metasploit (for legacy exploit modules; authorized only)
# - smbclient/samba-utils (rpcclient, smbstatus)
# - Responder (LLMNR/NetBIOS poisoning in lab environments; authorized use only)
    

Quick copy-paste command cheatsheet

# discovery (NetBIOS + SMB)
nmap -sU -p 137,138 --script nbstat.nse <target>
nmap -sV -p 139,445 <target>

# NetBIOS name lookup
nmblookup -A <target>

# scan NetBIOS names across a subnet
nbtscan <subnet>

# SMB/NetBIOS enumeration
enum4linux -a <target>
smbclient -L //<target> -U ""
smbclient -N -L //<target>   # null session test

# list shares / permissions
smbmap -H <target>

# RPC user enumeration
rpcclient -U "" <target>
rpcclient> enumdomusers
    


Disclaimer: Use these techniques only on systems you own or are explicitly authorized to test. Testing NetBIOS/legacy SMB can impact older systems—exercise caution and get permission.