Everhart,Glenn From: Espinola, Micheal [MEspinola@Rational.Com] Sent: Wednesday, April 22, 1998 8:59 AM To: 'nagy_l@vaxst2.tii.matav.hu' Cc: 'ntsecurity@iss.net' Subject: RE: [NTSEC] NetBIOS codes TO UNSUBSCRIBE: email "unsubscribe ntsecurity" to majordomo@iss.net Contact ntsecurity-owner@iss.net for help with any problems! --------------------------------------------------------------------------- Appendix D from my Hardening document: [D] NetBIOS Names Microsoft networking services running on a Windows NT-based computer are identified by using NetBIOS names. NetBIOS names can be used to identify a unique computer or a special group of computers. NetBIOS names are 16 characters in length and the 16th character is a special character used by most Microsoft networking services. Various networking service and group names are registered with a WINS server by direct name registration from WINS-enabled computers or by broadcast on the local subnet by non-WINS enabled computers. The nbtstat command is a utility that you can use to obtain information about NetBIOS names. In the following example, the nbtstat -n command produced this list of registered NetBIOS names for user "MESPINOLA" logged on to a computer configured as a primary domain controller and running under Windows NT Server with Internet Information Server. Names Name 16TH Type Description MESPINOLA1 <00> UNIQUE workstation service name MESPINOLA1 <20> GROUP server service name MESPINOLAD <00> GROUP domain name MESPINOLAD <1C> UNIQUE domain controller name MESPINOLAD <1B> UNIQUE master browser name MESPINOLA1 <03> UNIQUE messenger name INet~Services <1C> GROUP Internet Information Server group name IS~MESPINOLA1.. <00> UNIQUE Internet Information Server unique name MESPINOLA1+++++ UNIQUE network monitor name Unique-Type Names 16TH Byte Description <00> Workstation service name. In general, this is the name that is referred to as the NetBIOS computer name. <03> Messenger service name used when receiving and sending messages. This is the name that is registered with the WINS server as the messenger service on the WINS client and is usually appended to the computer name and to the name of the user currently logged on to the computer. <1B> Domain master browser name. This name identifies the primary domain controller and indicates which clients and other browsers to use to contact the domain master browser. <06> RAS server service <1F> NetDDE service <20> Server service name used to provide share-points for file sharing. <21> RAS client Network Monitor agent Network Monitor utility Group-Type Names 16TH Byte Description <1C> A domain group name, which contains a list of the specific addresses of computers that have registered the domain name. The domain controller registers this name. WINS treats this as a domain group, where each member of the group must renew its name individually or be released. The domain group is limited to 25 names. When a static 1C name is replicated that clashes with a dynamic 1C name on another WINS server, a union of the members is added, and the record is marked as static. If the record is static, members of the group do not have to renew their IP addresses. <1D> The master browser name that is used by clients to access the master browser. There is one master browser on a subnet. WINS servers return a positive response to domain name registrations but do not store the domain name in their databases. If a computer sends a domain name query to the WINS server, the WINS server returns a negative response. If the computer that sent the domain name query is configured as h-node or m-node, it will then broadcast the name query to resolve the name. <1E> A Normal group name. Browsers can broadcast to this name and listen on it to elect a master browser. These broadcasts are for the local subnet and should not cross routers. <20> A special group name called the Internet group that is registered with WINS servers to identify groups of computers for administrative purposes. For example, "printersg" could be a registered group name used to identify an administrative group of print servers. _MSBROWSE_, Instead of a single appended 16th character, "_MSBROWSE_," is appended to a domain name and broadcast on the local subnet to announce the domain to other master browsers. This can all be found in the Resource Kit documentation as well. Run a search for "NetBIOS". ---------------------------------------- MICHEAL ESPINOLA JR NT Network Administrator mailto:micheale@ix.netcom.com : (private email) http://www.netcom.com/~honeyluv/ : (Hardening NT w3 site) -----Original Message----- From: nagy_l@vaxst2.tii.matav.hu [mailto:nagy_l@vaxst2.tii.matav.hu] Sent: Tuesday, April 21, 1998 2:53 PM To: ntsecurity@iss.net Subject: [NTSEC] netbios codes TO UNSUBSCRIBE: email "unsubscribe ntsecurity" to majordomo@iss.net Contact ntsecurity-owner@iss.net for help with any problems! ------------------------------------------------------------------------ --- Hi! One questions : Where a documentation of codes ? $ nmblookup -A 145.236.48.80 Sending queries to 145.236.49.255 Looking up status of 145.236.48.80 received 9 names HTCBDCBPTAVIRO1 <20> - M HTCBDCBPTAVIRO1 <00> - M HTC_CENTRAL <00> - M HTC_CENTRAL <1c> - M HTC_CENTRAL <1e> - M HTCBDCBPTAVIRO1 <03> - M HTCBDCBPTAVIRO1 - M HTC_CENTRAL <1d> - M ..__MSBROWSE__. <01> - M num_good_sends=0 num_good_receives=0 <06> = RAS server. Ant the other codes ? Thanks in advance! ps: I have Resource kit and Technet, but I'm not found the info... Bye!Lajos