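Windows networking is a set of protocols and services for communication between Windows machines, providing print and file sharing within workgroups and domain browsers.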

Windows networking is complex and confusing because of its history.

In the DOS era, machines communicated with each other using the NetBIOS protocol. Compared with today's IP protocol, NetBIOS is quite primitive.

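Pure NetBIOS is almost never used on modern networks, but Microsoft did not abandon it completely, because so much software, including Microsoft's own, depends on it. Microsoft therefore developed NetBIOS over TCP/IP, also called NBT, which allows the NetBIOS API to run on IP networks.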

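Microsoft also developed another protocol, CIFS (Common Internet File System), to carry the core functions of Windows networking such as file and print sharing, and domains.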

The core of CIFS is a set of protocols called SMB (Server Message Block). SMB uses NBT as its transport layer, and SMB can also be implemented over protocols other than NBT.

Microsoft's long-term intention is to abandon NBT.

NBT is essentially a Microsoft protocol, but Linux also offers a module called Samba that allows Linux to provide services to Windows clients.

All of the abbreviations above are very confusing.

NetBIOS names identify machines and workgroups; they are the most basic part of the NBT system.

A NetBIOS name is at most 16 characters long, all upper case.

The 16-character NetBIOS name is also used to identify the service type.

As a result, a single Windows machine has many NetBIOS names.

NetBIOS names are usually encoded in a special 32-character format, which is hard to read unless it is decoded.
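The 32-character format is the first-level encoding defined in RFC 1001/1002: each of the 16 bytes is split into two 4-bit halves and each half is added to the letter 'A'. The following is an added example, not code from the original page, for decoding names seen in a packet capture; the function names and sample values are constructed for illustration, and it assumes the Microsoft convention that the 16th byte is the service-type suffix.

```python
NAME_LEN = 16  # 15 name bytes plus 1 suffix byte (assumed Microsoft convention)


def encode_netbios_name(name: str, suffix: int = 0x00) -> str:
    """Return the 32-character first-level encoding of a NetBIOS name."""
    raw = name.upper().encode("ascii")
    if len(raw) > NAME_LEN - 1:
        raise ValueError("name is longer than 15 bytes")
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must fit in one byte")
    # Pad with spaces to 15 bytes, then append the suffix byte.
    padded = raw.ljust(NAME_LEN - 1, b" ") + bytes([suffix])
    # Each byte becomes two letters in 'A'..'P': high nibble, then low nibble.
    return "".join(
        chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in padded
    )


def decode_netbios_name(encoded: str) -> tuple:
    """Return (name, suffix) for a 32-character encoded NetBIOS name."""
    if len(encoded) != 2 * NAME_LEN:
        raise ValueError("encoded name must be exactly 32 characters")
    out = bytearray()
    for i in range(0, len(encoded), 2):
        hi = ord(encoded[i]) - 0x41
        lo = ord(encoded[i + 1]) - 0x41
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("character outside 'A'..'P' at offset %d" % i)
        out.append((hi << 4) | lo)
    # Strip space padding (ordinary names) or NUL padding (the '*' wildcard).
    name = out[: NAME_LEN - 1].rstrip(b" \x00").decode("ascii", errors="replace")
    return name, out[NAME_LEN - 1]


if __name__ == "__main__":
    # Constructed sample values, not taken from a real capture.
    for sample in (encode_netbios_name("fred", 0x20),
                   "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"):
        name, suffix = decode_netbios_name(sample)
        print("%s -> %r suffix=0x%02X" % (sample, name, suffix))
```

Because the suffix byte differs per service, the same host name decodes to several distinct encoded strings, which is why one machine shows many names on the wire.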

Windows networking has four types of service in total.


| Service | Port | Description |
|---|---|---|
| NetBIOS Name Service (NBNS) | UDP 137 | NBNS is also known as Windows Internet Name Service (WINS). The job of NBNS is to match IP addresses with NetBIOS names and allow queries to be made of the matches. The name service is usually the first service that will be attacked. A visitor will need the information it can provide to begin a session on the other services. |
| NetBIOS Datagram | UDP 138 | The Datagram service is used to receive broadcasts of SMB packets via UDP. This service receives a lot of legitimate traffic from other Windows machines on the LAN as they broadcast their names and services. It is rare for an attacker to use this service, unless they are trying to add their machine to the Windows network. |
| NetBIOS Session Service | TCP 139 | The Session Service is used to handle NBT sessions. NBT sessions are a lightweight protocol used to contain an SMB session. The SMB protocol and sessions based on it are used to provide the complex functionality of the services supported by Windows networking, such as file and print sharing. This is the service that attackers will be most interested in. |
| SMB Direct | TCP 445 | In Windows 2000 Microsoft introduced an implementation of SMB that does not need NBT to communicate. This service is in practice the same as the NetBIOS Session Service, but without the additional NBT protocol around the SMB session. SMB Direct is not supported in older Windows versions. Older hacker tools do not target this service; instead they go for the NetBIOS Session Service. |