Description

Microsoft Directory Services is the newer version of the NetBIOS Session Service; it allows two hosts to exchange data using the SMB protocol.

Port 139 was used by NetBIOS before Windows 2000; since TCP wasn’t invented yet, it used its own protocol.

Nowadays, NetBIOS uses port 445 over TCP to exchange data with the SMB protocol.

netbios-ssn (NetBIOS Session Service)

Enumeration

A good first step is to enumerate the available shares with smbmap, which lists every share together with its read/write permissions:

smbmap -u "" -p "" -H $IP

nmap also has a great set of SMB scripts which you can launch with:

nmap -p 445 --script=smb* -oX ./nmap/smb.xml $IP

If you find some shares that you can read and/or write, smbclient can be used to browse the share and retrieve files from it.

smbclient "//$IP/$SHARE" "$PASSWORD" -U "$USERNAME"
smbclient "//$IP/$SHARE" -N

ls, cd and get will allow you to list the current directory, move to another directory and download a file respectively. help will display the available commands.

Exploitation

Capturing LM/NTLM Hashes

Both LLMNR and NBT-NS are used in Windows environments as a fallback for when resolving a hostname via DNS fails.

After a machine resolves a host this way, it sends NTLMv1/v2 hashes, which can be captured by pretending to be the host the machine was looking for.
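From the defender's side, the useful question is which hosts still fall back to LLMNR/NBT-NS at all, because those are the ones that would hand over NTLM authentication to whoever answers. The following added example (not code from the original page) decodes the queried name from captured LLMNR (UDP 5355) and NBT-NS (UDP 137) query payloads and groups them by source IP; the packets and the IP address are constructed for illustration, and the host name "fileshare01" is assumed.

```python
import struct

LLMNR_PORT = 5355   # LLMNR queries are multicast to UDP 5355
NBTNS_PORT = 137    # NBT-NS queries are broadcast to UDP 137

def decode_dns_name(payload, offset):
    """Decode the standard DNS label sequence LLMNR uses; returns (name, next_offset)."""
    labels = []
    while True:
        length = payload[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length

def decode_netbios_name(encoded):
    """Reverse NBT-NS first-level encoding: every nibble was stored as 'A' + nibble."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]   # 16th byte is the service suffix

def parse_name_query(dst_port, payload):
    """Return (protocol, queried name) for a single-question LLMNR/NBT-NS query, else None."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount != 1:      # skip responses and multi-question packets
        return None
    if dst_port == LLMNR_PORT:
        return "LLMNR", decode_dns_name(payload, 12)[0]
    if dst_port == NBTNS_PORT and len(payload) >= 46 and payload[12] == 32:
        name, suffix = decode_netbios_name(payload[13:45])
        return "NBT-NS", f"{name}<{suffix:02X}>"
    return None

def hosts_using_fallback(packets):
    """Map each source IP to the set of (protocol, name) lookups it attempted."""
    seen = {}
    for src_ip, dst_port, payload in packets:
        hit = parse_name_query(dst_port, payload)
        if hit:
            seen.setdefault(src_ip, set()).add(hit)
    return seen

# Constructed sample UDP payloads (not captured traffic): a host whose DNS lookup of
# "fileshare01" failed falls back to LLMNR, then to NBT-NS (suffix <20> = file server).
DNS_HEADER = b"\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"
LLMNR_QUERY = DNS_HEADER + b"\x0bfileshare01\x00" + b"\x00\x01\x00\x01"
NBTNS_QUERY = (b"\x80\x01\x01\x10\x00\x01\x00\x00\x00\x00\x00\x00"
               + b"\x20" + b"EGEJEMEFFDEIEBFCEFDADBCACACACACA" + b"\x00" + b"\x00\x20\x00\x01")
SAMPLE_PACKETS = [("10.0.0.5", LLMNR_PORT, LLMNR_QUERY), ("10.0.0.5", NBTNS_PORT, NBTNS_QUERY)]
```

Any source IP that shows up in the result still has LLMNR or NBT-NS enabled; those protocols are normally disabled by group policy once DNS is reliable, which removes the fallback the capture technique above depends on.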