NetBIOS is a transport protocol that Microsoft Windows systems use to share resources. For example, when a PC running Windows connects to and accesses a share on a file server, it probably does so over NetBIOS. More recently, however, this connection can be made without it: SMB, the protocol used to access file and printer shares, can also run independently of NetBIOS over TCP ports 139 and 445. Both of these approaches, however, tend to increase the attack surface of a network.
The ports that are open to the Internet are UDP/137, UDP/138, and TCP/139. Unfortunately, NetBIOS on these ports is the most popular target for attackers.
Once an attacker discovers an active port 139 on a device, he can run nbtstat to begin the very important first step of an attack, footprinting. With the nbtstat command, he can obtain some or all of the following information:
With this information, the attacker knows the OS, services, and major applications running on the system. He also has the private IP addresses that the LAN/WAN and security engineers have tried hard to hide behind NAT. And that's not all: the lists produced by nbtstat also include user IDs.
If null sessions are allowed against IPC$, it isn't difficult to take the next step and connect to the target device. That connection yields a list of all available shares.
These services can be abused by criminals for amplification in denial-of-service attacks. In addition, exposing them opens your system to 0-day attacks or worm/virus infections that exploit a vulnerability in Windows to gain access to your system.
Use either the Windows Firewall or, even better, an external firewall to prevent access to NetBIOS (and other Windows ports). The Windows Firewall has a nasty habit of thinking for itself: for example, it automatically opens ports when you install something that uses NetBIOS, and in every such case the administrator is left unaware of these open ports.
If you really need NetBIOS open to the entire world, then ensure that the exposed system(s) are hardened by:
In an elevated (administrator) command prompt, run the following commands:
netsh advfirewall firewall add rule name="NetBIOS UDP Port 137" dir=in action=deny protocol=UDP localport=137
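As an added example (not part of the original page), the same inbound block extended to all three NetBIOS ports named above, written with the Windows NetSecurity PowerShell cmdlets instead of netsh; it then verifies that the rules are in place and lists which processes still listen on those ports. The rule names are my own choice.

```powershell
# Added example: block inbound NetBIOS (UDP/137, UDP/138, TCP/139) on the
# Windows Firewall and verify the result. Run from an elevated PowerShell.
#Requires -RunAsAdministrator

$netbiosPorts = @(
    @{ Name = 'NetBIOS UDP Port 137'; Protocol = 'UDP'; Port = 137 },  # name service
    @{ Name = 'NetBIOS UDP Port 138'; Protocol = 'UDP'; Port = 138 },  # datagram service
    @{ Name = 'NetBIOS TCP Port 139'; Protocol = 'TCP'; Port = 139 }   # session service
)

foreach ($p in $netbiosPorts) {
    # Drop any stale rule with the same display name so the script can be re-run safely.
    if (Get-NetFirewallRule -DisplayName $p.Name -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -DisplayName $p.Name
    }
    # Inbound block rule on all firewall profiles (Domain, Private, Public).
    New-NetFirewallRule -DisplayName $p.Name -Direction Inbound -Action Block `
        -Protocol $p.Protocol -LocalPort $p.Port -Profile Any | Out-Null
}

# Verify: each rule must exist, be enabled, and have Action = Block.
$missing = foreach ($p in $netbiosPorts) {
    $r = Get-NetFirewallRule -DisplayName $p.Name -ErrorAction SilentlyContinue
    if (-not $r -or $r.Enabled -ne 'True' -or $r.Action -ne 'Block') { $p.Name }
}
if ($missing) {
    Write-Warning "Rules not in place: $($missing -join ', ')"
} else {
    Write-Output 'All three NetBIOS inbound block rules are present and enabled.'
}

# Show what is still bound to these ports, so you know whether the services
# themselves (not only the firewall) need attention on an exposed host.
Get-NetUDPEndpoint | Where-Object { $_.LocalPort -in 137, 138 } |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -eq 139 } |
    Select-Object LocalAddress, LocalPort, OwningProcess
```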