Windows Architecture: NETBIOS
NETBIOS is one of those protocols that I've been aware of and used for years, but never really took the time to understand it. So, heres me understanding it.
Technically, NETBIOS is an API. Its used by developers to allow applications to communicate across a network. With that said, there are 3 types of NETBIOS.
NETBIOS over NETBEUI stands for NETBIOS Enhanced User Interface and is also known as NETBIOS FRAMES (NBF). This is none-routable and was discontinued in Windows XP. The latest version of NETBIOS is NETBIOS over TCP (NBT).
NBT is the latest iteration of NETBIOS and it has three services:
The NETBIOS Name Service, often known as NBNS, is a part of the NBT protocol suite. Its use is to translate a human-readable name, into an IP address. Example: google.com --> 220.127.116.11.
Because of SMB-over-TCP, it is not required to have a hosts NETBIOS name in order for the machine to make connections to an SMB server or in for SMB connections to be made to that host. Furthermore,due to "dynamic DNS", a host can register its name and IP address(s) with a DNS server when it boots.
Newer Windows systems, starting with Windows 2000, can use DNS for all the purposes in which NBNS was used. NBNS is still widely used especially within Windows environments because of legacy systems.
PS: This runs on tcp/137.
Every NETBIOS datagram has a named source and destination (NBDS). To transmit a NETBIOS datagram, the datagram service must perform a name query operation to learn the IP address and the attributes of the destination NETBIOS name. (This information may be cached to avoid the overhead of name query on subsequent NETBIOS datagrams.)
NETBIOS datagrams are carried within UDP packets. If a NETBIOS datagram is larger than a single UDP packet, it may be fragmented into several UDP packets. End-nodes may receive NETBIOS datagrams addressed to names not held by the receiving node. Such datagrams should be discarded. If the name is unique then a DATAGRAM ERROR packet is sent to the source ofthat NETBIOS datagram. The general usage for this service is error detection and recovery.
The NetBIOS session service, NBSS, begins after one or more IP addresses have been found for the target name. These addresses may have been acquired using the name query transactions or by other means, such as a local name table or cache.
NetBIOS session service transactions, packets, and protocols are identical for all end-node types. They involve only directed (point-to-point).
NBSS has three phases:
- 1. Session Establishment - during this phase, the IP address and TCP port of the called name are determined, and then a TCP connection is established with this party.
- 2. Steady State - this phase is where the NETBIOS data messages are exchanged over the session.
- 3. Session Close - a session is closed whenever either party closes the session or it is determined that one of the parties has died.
Each of these phases are covered in terrible depth within the RFC.
The TL;DR is that this is the service that creates the connection and it does so with the following primitives:
- Call – opens a session to a remote NetBIOS name.
- Listen – listen for attempts to open a session to a NetBIOS name.
- Hang Up – close a session.
- Send – sends a packet to the computer on the other end of a session.
- Send No Ack – like Send, but doesn't require an acknowledgment.
- Receive – wait for a packet to arrive from a Send on the other end of a session.
Thats the general gist of it, the next post in this Windows architectural series will be SMB.