UDP
Dangerous
Other
Port 137 (NetBIOS Name)
Learn about port 137 (NetBIOS Name) - security risks, vulnerabilities, and common uses. Find devices with port 137 open.
## Quick Info
| Field | Value |
|---|---|
| Port Number | 137 |
| Protocol | UDP |
| Service | NetBIOS Name |
| IANA Name | NetBIOS Name |
## Service Description
UDP port 137 is primarily used for NetBIOS Name Service (NBNS), a crucial component of the NetBIOS over TCP/IP (NBT) protocol suite. NBNS allows computers on a local network to resolve NetBIOS names to IP addresses, similar to how DNS resolves domain names to IP addresses on the internet. This facilitates communication between machines using NetBIOS names, which are 16-byte names used to identify network resources such as computers, services, and shares.

The protocol functions via broadcasts and point-to-point communication. When a machine needs to resolve a NetBIOS name, it typically sends a broadcast name query to the local network. The machine owning the requested name responds directly to the querying machine with its IP address. This enables the querying machine to then establish a connection to the desired resource.

Historically, NetBIOS was developed by Sytek in the early 1980s and later adopted by IBM. NBT was introduced to allow NetBIOS applications to operate over TCP/IP networks, providing a more scalable and routable alternative to NetBEUI.
## Firewall Recommendations
UDP port 137 should be blocked at the firewall, especially for traffic originating from the internet. It should only be allowed within trusted internal networks where NetBIOS is absolutely necessary. If NetBIOS is required, consider using NetBIOS over TCP/IP only within a segmented and closely monitored network. Disable NetBIOS over TCP/IP on network adapters exposed to untrusted networks. Modern Windows environments should prioritize using DNS for name resolution and SMB Direct over TCP, which are more secure alternatives to NetBIOS. Implement network intrusion detection systems (NIDS) and intrusion prevention systems (IPS) to monitor for suspicious NetBIOS traffic and potential attacks. Regularly audit and patch systems to address any known vulnerabilities in NetBIOS implementations.
## Security Information
Exposing UDP port 137 to the internet or untrusted networks presents significant security risks. The NetBIOS Name Service is inherently vulnerable to attacks due to its reliance on broadcasts and lack of strong authentication. Attackers can exploit this by spoofing NetBIOS name responses, redirecting traffic to malicious servers. This can be used for man-in-the-middle attacks, allowing attackers to intercept or modify data transmitted between machines. Furthermore, attackers can use NetBIOS name resolution to enumerate hosts and services on a network, gathering valuable information for reconnaissance purposes. The lack of built-in encryption means that sensitive data transmitted via NetBIOS can be easily intercepted. The older nature of the protocol also means that its implementations are often riddled with exploitable vulnerabilities. Due to the prevalence of more secure alternatives, relying on NetBIOS is generally discouraged.
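The following detection sketch is an added example, not code from this page or from any product it mentions. It decodes NBNS payloads (RFC 1001/1002 first-level name encoding) and flags any source that sends positive name responses for several distinct names, which a normal workstation does not do. The threshold of 3, the function names and the sample events are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

def decode_name(field):
    """Decode an RFC 1001 first-level encoded name; returns (name, suffix byte)."""
    if len(field) < 34 or field[0] != 0x20 or field[33] != 0:
        raise ValueError("not a first-level encoded NetBIOS name")
    if any(not 0x41 <= b <= 0x50 for b in field[1:33]):
        raise ValueError("encoded byte outside 'A'..'P'")
    raw = bytes(((field[i] - 0x41) << 4) | (field[i + 1] - 0x41) for i in range(1, 33, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]

def parse_nbns(payload):
    """Parse the header and first name of a UDP/137 payload."""
    if len(payload) < 50:
        raise ValueError("truncated NBNS packet")
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", payload[:12])
    name, suffix = decode_name(payload[12:46])
    msg = {"response": bool(flags & 0x8000), "rcode": flags & 0x0F,
           "name": name, "suffix": suffix, "ip": None}
    if msg["response"] and an and len(payload) >= 62:
        msg["ip"] = ".".join(map(str, payload[58:62]))  # after type, class, ttl, rdlength, nb_flags
    return msg

def build_response(name, ip):
    """Constructed positive name query response, used only for the sample data."""
    raw = name.upper().ljust(15).encode("ascii")[:15] + b"\x00"
    enc = b"\x20" + bytes(0x41 + n for c in raw for n in (c >> 4, c & 0x0F)) + b"\x00"
    rr = struct.pack("!HHIHH", 0x20, 1, 300, 6, 0) + bytes(map(int, ip.split(".")))
    return struct.pack("!6H", 1, 0x8500, 0, 1, 0, 0) + enc + rr

def suspicious_responders(events, threshold=3):
    """Flag sources answering positively for >= threshold distinct names (assumed heuristic)."""
    seen = defaultdict(set)
    for src, payload in events:
        try:
            msg = parse_nbns(payload)
        except ValueError:
            continue  # not NBNS or malformed: skip
        if msg["response"] and msg["rcode"] == 0 and msg["ip"]:
            seen[src].add(msg["name"])
    return {src: sorted(names) for src, names in seen.items() if len(names) >= threshold}

SAMPLE = [  # constructed events: (source IP, UDP payload)
    ("10.0.0.5", build_response("FILESRV", "10.0.0.5")),
    ("10.0.0.66", build_response("INTRANET", "10.0.0.66")),
    ("10.0.0.66", build_response("FILESRV", "10.0.0.66")),
    ("10.0.0.66", build_response("PRINTER1", "10.0.0.66")),
    ("10.0.0.7", b"\x00\x01"),  # malformed payload
]
```

A WINS server legitimately answers for many names, so any known name servers should be excluded before alerting on the result of `suspicious_responders(SAMPLE)`.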
## Known Vulnerabilities
| CVE | Name | Severity | Description |
|---|---|---|---|
| CVE-2017-0143 | MS17-010: Security Update for Windows SMB Server | Critical | This vulnerability, exploited by WannaCry and other ransomware, allows remote code execution due to how SMBv1 handles specially crafted packets. While not directly a NetBIOS vulnerability, it often relies on NetBIOS for initial network discovery and propagation. |
| CVE-2000-1201 | NetBIOS Name Service Spoofing Vulnerability | Medium | Allows a remote attacker to spoof NBNS responses and redirect traffic. |
| CVE-2003-0533 | Windows NetBIOS Name Server Memory Corruption Vulnerability | High | A memory corruption vulnerability in the NetBIOS Name Server could allow a remote attacker to execute arbitrary code. |
## Malware Associations
- WannaCry
- Petya/NotPetya
- Conficker
## Common Software
- Windows File Sharing
- Samba
- Older versions of Microsoft Office
- Older versions of SQL Server
- Older versions of Exchange Server
- Various legacy network applications reliant on NetBIOS