Originally Posted by crazycat
if you want more information go here http://www.phrack.org/issues.html?is...id=11&mode=txt
NETBIOS (for NETwork Basic Input and Output System) is widely used
on Microsoft networks. It is a software interface and a naming system.
Each computer has a NETBIOS name, which is 15 characters long, and a
sixteenth character is used to identify the type of computer
(Domain Name server, workstation...).
Value for the sixteenth character :
0x00 base computer, workstation.
0x20 resource sharing server.
There are other values but these are the most interesting for us. The
first (0x00) identifies a workstation and the second (0x20) the server.
On a SMB packet, the NETBIOS header corresponds to the NETBIOS
Session header, defined like this :
UCHAR Type; // Type of the packet
UCHAR Flags; // Flags
USHORT Length; // Count of data bytes (netbios header
For the "Flags" field, the value is always 0. (with SMB, not in general !)
For the "Type" field, several values are possible :
0x81 corresponds to a NETBIOS session request. This code
is used when the client sends its NETBIOS name to the server.
0x82 is a positive response to a NETBIOS session request.
This code is used by the server to authorize a NETBIOS session.
0x00 corresponds to a session message. This code is always
used in a SMB session, i.e. when the client has sent its NETBIOS name to
the server and has received a positive reply.
The "Length" field contains a count of data bytes (The netbios header
is not included), "data" means what is above the NETBIOS header (it
could be the SMB Base header + SMB Command header + DATA or NETBIOS
NETBIOS names and encoding
A NETBIOS encoded name is 32 bytes long.
A NETBIOS name is always given in upper case characters.
It's very easy to encode a NETBIOS name. For example the NETBIOS name
of my computer is "BILL" and it's a workstation so there is a "0x00"
for the sixteenth character.
Firstly, when a NETBIOS name is shorter than 15 bytes, it may be padded
on the right with spaces.
In hexadecimal 0x42 0x49 0x4c 0x4c 0x20 0x20 ......0x00
Each byte is split into 4-bit halves.
0x4 0x2 0x4 0x9 0x4 0xc 0x4 0xc 0x2 0x0 .......
And each 4-bit half is added to the ASCII value of the 'A' letter (0x41)
0x4 + 0x41 = 0x45 -> ASCII value = E
0x2 + 0x41 = 0x43 -> ASCII value = C
And you have the encoded NETBIOS name which is 32 bytes long.
SMB can run directly over TCP without NBT (it's supported on Win2k
and XP on port 445). NETBIOS names are then not limited to 15 characters.
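Added example, not from the quoted Phrack article or the poster: Python that performs the first-level name encoding walked through above (pad to 15 bytes, append the type byte, split into nibbles, add 0x41), decodes it back, and assembles a NETBIOS Session header from the Type/Flags/Length struct. The 0x20 length byte and 0x00 terminator wrapped around each encoded name in the 0x81 session request follow RFC 1002 and are not described in the post.

```python
import struct

SESSION_REQUEST = 0x81   # client sends its NETBIOS name
POSITIVE_RESPONSE = 0x82 # server accepts the session
SESSION_MESSAGE = 0x00   # carries SMB once the session is up

def encode_netbios_name(name, suffix=0x00):
    """First-level encode: returns the 32-byte form of name + type byte."""
    if len(name) > 15:
        raise ValueError("NETBIOS names are at most 15 characters")
    # Upper case, pad with spaces to 15 bytes, 16th byte is the type.
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))    # high nibble + 'A'
        out.append(0x41 + (b & 0x0F))  # low nibble + 'A'
    return bytes(out)

def decode_netbios_name(encoded):
    """Reverse the encoding; returns (name, suffix). Rejects bad input."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NETBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]

def netbios_session_header(msg_type, payload):
    """4-byte header: Type, Flags (always 0 with SMB), Length (big-endian).

    Length counts only the bytes after the header, as the post says.
    """
    if len(payload) > 0xFFFF:
        raise ValueError("payload too large for a 16-bit length field")
    return struct.pack(">BBH", msg_type, 0, len(payload)) + payload

def build_session_request(called, calling, called_suffix=0x20,
                          calling_suffix=0x00):
    """Session request (0x81): called name (server, 0x20) then calling
    name (workstation, 0x00). The 0x20 prefix is the 32-byte label
    length and 0x00 ends the name (RFC 1002 second-level form)."""
    def label(name, suffix):
        return b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
    payload = label(called, called_suffix) + label(calling, calling_suffix)
    return netbios_session_header(SESSION_REQUEST, payload)
```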