
Windows Security – SMB – Server Message Block – Ports and Enumeration of Domain Users and Trust Relationships within the Domain


Why are these such deadly attack vectors?

– Enabled by DEFAULT on every Windows machine, so no extra software needs to be installed on the target.

– Provide a powerful way to enumerate domain controllers, hosts, users and groups, often without any credentials at all.


NetBIOS over TCP/IP uses three ports, and legacy SMB rides on the first of them:

TCP Port 139 = SESSION service (SMB over NetBIOS)

UDP Port 137 = NAME service (the port nbtstat queries)

UDP Port 138 = DATAGRAM service (browser announcements)

Windows 2000/XP/2003 and every later version also run SMB directly over TCP port 445, with no NetBIOS layer at all.



Try it on your own computer

1. Open a cmd prompt (right click – Run as administrator).

2. List every domain and workgroup the browser service can see:

net view /domain

3. List the hosts in a particular workgroup or domain (WORKGROUP is the default name on a standalone machine):

net view /domain:WORKGROUP


net view shows you hosts and shares. Now imagine the same class of unauthenticated query against a domain: the built-in tools below will hand you every domain controller, every host, and the trust relationships between domains, and a null session over SMB extends that to the user accounts themselves.


If you are working within a domain, you can list all the domain controllers in that domain:

nltest /dclist:DomainName

On a workgroup machine this returns an error, because there is no domain. Against a real domain it lists every DC by name, so you can see how it works: it gives you the layout of the domain.

nltest /whowill:DomainName UserName

This tells you which domain controller will authenticate UserName. On a workgroup machine it fails, but against a domain the same syntax (for example nltest /whowill:DomainName Administrator, then again for Guest) tells you which DC answers for each of those accounts, and confirms that the account exists.


nltest /trusted_domains

This maps out the trusted domains for you. The tool was designed so administrators could verify that trusts are working; we are repurposing it to enumerate the forest from a single foothold.

How to dump the NetBIOS name table of a system (a domain controller, a workstation, or even a router running SMB). The table includes the machine name, its domain or workgroup, and the name of the currently logged-on user.

nbtstat -A <ip address> (capital A = query by IP address)

nbtstat -a <computer name> (lowercase a = query by NetBIOS name)

What do the codes mean? Each entry is a 15-character name plus a one-byte suffix, flagged either UNIQUE or GROUP:

<00> UNIQUE = Workstation service (the machine name); <00> GROUP = the domain or workgroup name

<20> UNIQUE = File server service (sharing is enabled)

<1B> UNIQUE = Domain master browser (normally the PDC emulator)

<1C> GROUP = Domain controllers (when the name is INet~Services, it means IIS is running)

<03> UNIQUE = Messenger service; the machine name appears once, and a second <03> entry is the user logged on to the machine
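The suffix codes above and the UDP/137 name service from the ports section are the same protocol seen from two sides. As an added example (not code from the original post), the Python below builds the exact 50-byte NODE STATUS request that nbtstat -A sends, parses the name table that comes back, decodes the UNIQUE/GROUP flag and suffix, and applies the logged-on-user trick: a UNIQUE <03> name that is not the machine's own name. The response it parses is constructed in the script (host WS01, domain CORP, user JSMITH are invented names); query_node_status is the live version and assumes UDP/137 is reachable.

```python
"""NetBIOS Name Service (UDP/137) node-status query, as sent by `nbtstat -A <ip>`,
plus a parser for the returned name table.  Added example; the sample response
below is constructed here, not captured from a real host."""
import random
import socket
import struct

NBNS_PORT = 137
QTYPE_NBSTAT = 0x0021          # NODE STATUS request/response (RFC 1002 4.2.17)
QCLASS_IN = 0x0001
FLAG_RESPONSE = 0x8000         # header R bit
NAME_FLAG_GROUP = 0x8000       # NAME_FLAGS G bit: 1 = group name, 0 = unique name

# Suffix meanings as Windows uses them, keyed on (suffix, is_group).
SUFFIX_MEANING = {
    (0x00, False): "Workstation service (machine name)",
    (0x00, True):  "Domain / workgroup name",
    (0x03, False): "Messenger service (machine name or logged-on user)",
    (0x1B, False): "Domain master browser",
    (0x1C, True):  "Domain controllers group (INet~Services<1C> means IIS)",
    (0x1D, False): "Subnet master browser",
    (0x1E, True):  "Browser election",
    (0x20, False): "File server service (sharing enabled)",
}

def encode_name(name16: bytes) -> bytes:
    """RFC 1001 first-level encoding: each byte becomes two 'A'..'P' characters."""
    assert len(name16) == 16
    return bytes(c for b in name16 for c in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))

def build_node_status_request(txid: int) -> bytes:
    """The 50-byte packet nbtstat -A emits: one NBSTAT question for the wildcard name '*'."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"\x20" + encode_name(b"*" + b"\x00" * 15) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_NBSTAT, QCLASS_IN)

def build_node_status_response(txid, entries, mac=b"\x00\x0c\x29\x11\x22\x33"):
    """Constructed responder for offline use.  entries: (name, suffix, is_group)."""
    rdata = bytes([len(entries)])
    for name, suffix, is_group in entries:
        flags = 0x0400 | (NAME_FLAG_GROUP if is_group else 0)   # ACT bit, B-node
        rdata += name.encode("ascii").ljust(15, b" ") + bytes([suffix]) + struct.pack("!H", flags)
    rdata += mac + b"\x00" * 40                                   # STATISTICS block
    header = struct.pack("!HHHHHH", txid, FLAG_RESPONSE | 0x0400, 0, 1, 0, 0)
    rr_name = b"\x20" + encode_name(b"*" + b"\x00" * 15) + b"\x00"
    return header + rr_name + struct.pack("!HHIH", QTYPE_NBSTAT, QCLASS_IN, 0, len(rdata)) + rdata

def _skip_name(data: bytes, off: int) -> int:
    """Advance past a DNS-style label sequence (or a 2-byte compression pointer)."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_node_status_response(data: bytes, expect_txid=None):
    """Return [(name, suffix, is_group, meaning), ...] from a NODE STATUS response."""
    txid, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", data, 0)
    if expect_txid is not None and txid != expect_txid:
        raise ValueError("transaction id mismatch: stray or spoofed reply")
    if not flags & FLAG_RESPONSE or an < 1:
        raise ValueError("not a node status response")
    off = 12
    for _ in range(qd):                       # skip any echoed question section
        off = _skip_name(data, off) + 4
    off = _skip_name(data, off)
    rtype, _, _, rdlength = struct.unpack_from("!HHIH", data, off)
    off += 10
    if rtype != QTYPE_NBSTAT:
        raise ValueError(f"unexpected RR type 0x{rtype:04x}")
    num_names = data[off]
    off += 1
    if 1 + 18 * num_names > rdlength or off + 18 * num_names > len(data):
        raise ValueError("truncated name table")
    table = []
    for _ in range(num_names):
        raw, suffix, nflags = struct.unpack_from("!15sBH", data, off)
        off += 18
        is_group = bool(nflags & NAME_FLAG_GROUP)
        name = raw.rstrip(b" \x00").decode("latin-1")
        table.append((name, suffix, is_group, SUFFIX_MEANING.get((suffix, is_group), "unknown suffix")))
    return table

def logged_on_users(table):
    """nbtstat's user trick: a UNIQUE <03> name that is not the machine's own <00> name."""
    machine = {n for n, s, g, _ in table if s == 0x00 and not g}
    return [n for n, s, g, _ in table if s == 0x03 and not g and n not in machine]

def query_node_status(ip: str, timeout: float = 2.0):
    """Live equivalent of `nbtstat -A ip` (needs UDP/137 reachable; not used offline)."""
    txid = random.getrandbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(txid), (ip, NBNS_PORT))
        data, _ = s.recvfrom(4096)
    return parse_node_status_response(data, expect_txid=txid)

# Constructed sample: workstation WS01 in domain CORP with user JSMITH logged on.
SAMPLE = build_node_status_response(0x1234, [
    ("WS01", 0x00, False), ("CORP", 0x00, True), ("WS01", 0x20, False),
    ("WS01", 0x03, False), ("JSMITH", 0x03, False), ("CORP", 0x1E, True),
])

if __name__ == "__main__":
    table = parse_node_status_response(SAMPLE, expect_txid=0x1234)
    for name, suffix, group, meaning in table:
        print(f"{name:<15} <{suffix:02X}>  {'GROUP ' if group else 'UNIQUE'}  {meaning}")
    print("logged-on users:", logged_on_users(table))
```

The transaction-ID check matters in the live path: UDP/137 replies are unauthenticated, so anything on the segment can answer a node-status query, and a parser that accepts any reply will happily record an attacker's name table as the target's.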


TCP Port 445 or TCP Port 139 (SMB – the most dangerous ports on the internet) let an attacker:

– Gain a NULL session (an anonymous IPC$ connection)

– Enumerate local administrators

– Enumerate domain administrators

– Enumerate shares

– Enumerate hidden (admin$-style) shares and stage a password dump

– Enumerate account and password policies (for example the lockout threshold, i.e. how many failed attempts before an account is locked out, which tells you how hard you can brute-force)


UDP Port 137 (NetBIOS name service) is the attack vector that lets you:

– Enumerate domains and workgroups

– Enumerate the hosts on the domain

– Enumerate domain controllers (nltest.exe)

– Enumerate trust relationships within the domain (netdom.exe, nltest.exe)

– Enumerate NetBIOS name tables (nbtstat.exe)


Hopefully this demonstrates the security issues with default Windows installations. The default ports allow some of the most devastating attacks, and most of them come back to SMB and NetBIOS on ports 137, 139 and 445, so blocking those ports at the perimeter and disabling null sessions internally is the first control to check.
