NBT-NS Poisoning
What is NBT-NS Poisoning?
An adversary-in-the-middle attack that abuses legacy NetBIOS Name Service traffic on UDP/137 to spoof name responses and harvest NTLM authentications.
NetBIOS Name Service (NBT-NS), specified in RFC 1001/1002 in 1987, is a legacy Windows name-resolution protocol: when DNS and LLMNR both fail to resolve a name, the client broadcasts a UDP/137 name query to its local subnet and accepts the first positive answer. NBT-NS poisoning, like LLMNR poisoning, lets any host on the segment answer with its own IP, redirecting the victim's SMB or HTTP client to attacker infrastructure, where its Net-NTLMv2 challenge-response can be captured for offline cracking or relayed to another service. NetBIOS names are 15 characters padded with spaces plus a 16th suffix byte that identifies the service (0x00 workstation, 0x20 file server), carried on the wire in RFC 1001 first-level encoding as 32 letters A to P; Responder decodes and answers them transparently. Disabling NetBIOS over TCP/IP on every interface removes the fallback entirely. This can be done per interface in the adapter's WINS settings, by setting the NetbiosOptions value to 2 under HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{GUID}, or centrally with the Microsoft vendor-specific DHCP option 001 (Microsoft Disable NetBIOS Option, value 0x2) in the Microsoft Windows 2000 Options vendor class; note that standard DHCP option 1 is the subnet mask, not this setting. Because some legacy applications and older Windows clients still rely on NetBIOS, defenders must inventory dependencies and migrate them before disabling it.
● Examples
- 01
Capturing the Net-NTLMv2 challenge-response of a domain admin who mistypes a server name while NetBIOS over TCP/IP is still enabled, then cracking it offline.
- 02
Spoofing the name WPAD over NBT-NS to inject a malicious proxy configuration on legacy hosts.
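To make the protocol details concrete, the following Python is an added, constructed example (not code from this page or from Responder). It builds the NBT-NS query a client broadcasts after mistyping a server name, encodes and decodes the 16-byte padded name with its suffix using RFC 1001 first-level encoding (the WPAD name from the second example included), produces the positive response a poisoner sends back, and implements a simple defensive check: broadcast queries for canary names that exist nowhere on the network, and treat any host that answers one as a poisoner. Host names, transaction IDs and the 10.0.0.0/24 addresses are constructed; the flag words 0x0110 and 0x8500 and the 165-second TTL are typical wire values, not figures taken from the page.

```python
import ipaddress
import struct

NB_QTYPE = 0x0020            # NB resource record type (RFC 1002)
NB_QCLASS = 0x0001           # IN
SUFFIX_WORKSTATION = 0x00    # 16th name byte: workstation service
SUFFIX_FILE_SERVER = 0x20    # 16th name byte: file server service (what an SMB client asks for)
QUESTION_LEN = 34 + 4        # encoded name + QTYPE + QCLASS


def encode_netbios_name(name: str, suffix: int = SUFFIX_FILE_SERVER) -> bytes:
    """Uppercase, pad to 15 bytes with spaces, append the suffix byte, then apply RFC 1001
    first-level encoding (each nibble becomes a letter A..P). Returns the 34-byte wire form."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix & 0xFF])
    half_ascii = bytearray()
    for b in raw:
        half_ascii.append((b >> 4) + ord("A"))
        half_ascii.append((b & 0x0F) + ord("A"))
    return b"\x20" + bytes(half_ascii) + b"\x00"   # length byte, 32 letters, terminator


def decode_netbios_name(wire: bytes) -> tuple[str, int]:
    """Inverse of encode_netbios_name: returns (name with padding stripped, suffix byte)."""
    if len(wire) < 34 or wire[0] != 0x20 or wire[33] != 0x00:
        raise ValueError("not a 34-byte first-level-encoded NetBIOS name")
    letters = wire[1:33]
    raw = bytes(((letters[i] - ord("A")) << 4) | (letters[i + 1] - ord("A"))
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def build_name_query(name: str, txid: int, suffix: int = SUFFIX_FILE_SERVER) -> bytes:
    """The broadcast a Windows client sends after DNS and LLMNR fail.
    Flags 0x0110: not a response, opcode QUERY, RD=1, B(roadcast)=1; one question."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + encode_netbios_name(name, suffix) + struct.pack(">HH", NB_QTYPE, NB_QCLASS)


def parse_name_query(pkt: bytes) -> tuple[int, str, int]:
    """Returns (transaction id, queried name, suffix); raises if this is not a name query."""
    txid, flags, qdcount = struct.unpack(">HHH", pkt[:6])
    if flags & 0x8000 or qdcount != 1 or len(pkt) < 12 + QUESTION_LEN:
        raise ValueError("not an NBT-NS name query")
    name, suffix = decode_netbios_name(pkt[12:46])
    return txid, name, suffix


def build_name_response(query: bytes, answer_ip: str) -> bytes:
    """Positive name query response. The legitimate owner and a poisoner send the same bytes;
    the poison is answering for a name you do not own and pointing it at yourself.
    Flags 0x8500: response, AA=1, RD=1, RCODE=0. TTL 165 s and NB_FLAGS 0x0000
    (unique name, B-node) are constructed typical values."""
    txid, name, suffix = parse_name_query(query)
    header = struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0)
    rdata = struct.pack(">H", 0x0000) + ipaddress.IPv4Address(answer_ip).packed
    rr = (encode_netbios_name(name, suffix)
          + struct.pack(">HHIH", NB_QTYPE, NB_QCLASS, 165, len(rdata)) + rdata)
    return header + rr


def parse_name_response(pkt: bytes) -> tuple[int, str, int, str]:
    """Returns (transaction id, name, suffix, advertised IPv4) from a positive NB response."""
    txid, flags, qdcount, ancount = struct.unpack(">HHHH", pkt[:8])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not a name response carrying an answer")
    if flags & 0x000F:
        raise ValueError("negative response (RCODE != 0)")
    off = 12 + qdcount * QUESTION_LEN          # skip any echoed question section
    name, suffix = decode_netbios_name(pkt[off:off + 34])
    off += 34
    rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
    off += 10
    if rtype != NB_QTYPE or rdlen < 6:
        raise ValueError("answer is not an NB record")
    advertised = str(ipaddress.IPv4Address(pkt[off + 2:off + 6]))   # skip 2-byte NB_FLAGS
    return txid, name, suffix, advertised


def flag_canary_hits(responses: list[tuple[str, bytes]], canary_names: set[str]) -> list[dict]:
    """Detection: the defender broadcasts queries for names no host owns. Any positive
    answer for such a canary can only come from a poisoner; report who answered and the
    address it tried to redirect clients to. `responses` are (source IP, UDP payload) pairs."""
    hits = []
    for src_ip, pkt in responses:
        try:
            txid, name, suffix, advertised = parse_name_response(pkt)
        except ValueError:
            continue
        if name in canary_names:
            hits.append({"responder": src_ip, "name": name, "suffix": suffix,
                         "advertised_ip": advertised, "txid": txid})
    return hits


if __name__ == "__main__":
    # Constructed scenario: an admin types \\FILESVR01 instead of \\FILESRV01, DNS and LLMNR
    # fail, and the poisoner at 10.0.0.66 answers the resulting NBT-NS broadcast.
    query = build_name_query("FILESVR01", txid=0x1234)
    print("victim will connect to:", parse_name_response(build_name_response(query, "10.0.0.66")))
    # Constructed canary sweep: the real file server answers for its own name (benign) while
    # the poisoner also answers for a canary name that no host owns (flagged).
    sweep = [
        ("10.0.0.5", build_name_response(build_name_query("FILESRV01", 1), "10.0.0.5")),
        ("10.0.0.66", build_name_response(build_name_query("CANARY-7Q2X", 2), "10.0.0.66")),
    ]
    print("poisoners:", flag_canary_hits(sweep, {"CANARY-7Q2X"}))
```

Running the script prints the spoofed 10.0.0.66 answer the victim would follow and a single canary hit attributed to 10.0.0.66. In a real deployment the canary sweep would feed `flag_canary_hits` with UDP/137 payloads and source addresses captured from a listening socket; the encoding routines are also what you need to read NBT-NS names out of packet captures when investigating a suspected Responder session.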
● Frequently asked questions
What is NBT-NS Poisoning?
An adversary-in-the-middle attack that abuses legacy NetBIOS Name Service traffic on UDP/137 to spoof name responses and harvest NTLM authentications. It belongs to the Attacks & Threats category of cybersecurity.
What does NBT-NS Poisoning mean?
An adversary-in-the-middle attack that abuses legacy NetBIOS Name Service traffic on UDP/137 to spoof name responses and harvest NTLM authentications.
How does NBT-NS Poisoning work?
NetBIOS Name Service (NBT-NS), specified in RFC 1001/1002 in 1987, is a legacy Windows name-resolution protocol: when DNS and LLMNR both fail to resolve a name, the client broadcasts a UDP/137 name query to its local subnet and accepts the first positive answer. NBT-NS poisoning, like LLMNR poisoning, lets any host on the segment answer with its own IP, redirecting the victim's SMB or HTTP client to attacker infrastructure, where its Net-NTLMv2 challenge-response can be captured for offline cracking or relayed to another service. NetBIOS names are 15 characters padded with spaces plus a 16th suffix byte that identifies the service (0x00 workstation, 0x20 file server), carried on the wire in RFC 1001 first-level encoding as 32 letters A to P; Responder decodes and answers them transparently. Disabling NetBIOS over TCP/IP on every interface removes the fallback entirely, whether per interface in the adapter's WINS settings, by setting NetbiosOptions to 2 under HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{GUID}, or centrally with the Microsoft vendor-specific DHCP option 001 (Microsoft Disable NetBIOS Option, value 0x2). Because some legacy applications and older Windows clients still rely on NetBIOS, defenders must inventory dependencies and migrate them before disabling it.
How do you defend against NBT-NS Poisoning?
Remove the attack surface first: after inventorying legacy dependencies, disable NetBIOS over TCP/IP on every interface (per-interface WINS settings, the NetbiosOptions registry value, or the Microsoft vendor-specific DHCP option 001) and disable LLMNR at the same time, otherwise clients simply fall back to the other poisonable protocol. Where NTLM cannot yet be retired, require SMB signing and LDAP signing with channel binding so a captured authentication cannot be relayed, and enforce long passwords so a captured Net-NTLMv2 response resists offline cracking. For detection, alert on UDP/137 name responses from hosts that are not known name owners, and periodically broadcast queries for canary names that exist nowhere on the network; any host that answers one is poisoning.
What are other names for NBT-NS Poisoning?
Common alternative names include: NBNS poisoning, NetBIOS Name Service spoofing.
● Related terms
- attacks№ 620
LLMNR Poisoning
An adversary-in-the-middle technique (MITRE T1557.001) that abuses the Link-Local Multicast Name Resolution protocol on UDP/5355 to redirect victims to attacker-controlled hosts.
- attacks№ 924
Responder Attack
An attack that uses Laurent Gaffie's Responder tool to poison LLMNR, NBT-NS, and mDNS, run rogue authentication servers, and capture or relay NTLM credentials on a local network.
- attacks№ 746
NTLM Relay Attack
An adversary-in-the-middle attack (MITRE T1557.001) in which an attacker forwards a victim's NTLM authentication to another service to impersonate them without ever knowing the password.
- attacks№ 1057
SMB Relay Attack
A specific NTLM relay variant in which an attacker forwards a victim's SMB authentication to another SMB server to gain code execution or file access as the victim.
- attacks№ 790
Pass-the-Hash
A credential-reuse attack that authenticates to Windows systems using a stolen NTLM password hash instead of the cleartext password.