Understanding Network Basic Input/Output System (NetBIOS)

Updated on August 4, 2025

Network Basic Input/Output System (NetBIOS) is a key part of networking history that still impacts modern IT environments. Developed by IBM in the early 1980s, NetBIOS is a legacy API and session layer service that allows applications on different computers in a LAN to communicate. 

While most networks have moved beyond NetBIOS, it remains important for IT professionals. Many organizations still use legacy systems that rely on it, and security analysts often encounter NetBIOS during penetration tests. Network administrators managing mixed environments must understand how NetBIOS can introduce security risks. 

NetBIOS remains present in Windows systems—including Windows 11—for backward compatibility. Its integration with SMB file sharing and role in network enumeration attacks ensures that NetBIOS knowledge is still relevant today.

Definition and Core Concepts

NetBIOS functions as both an API and a session layer (Layer 5 in the OSI model) service. The protocol provides three essential services: name resolution, datagram communication, and session management. These services facilitate resource sharing within local area networks.

Key Technical Components

• API Structure: NetBIOS operates as an interface rather than a complete network protocol. Applications use NetBIOS calls to establish network communications without needing to understand underlying transport mechanisms.
• Session Layer Operation: NetBIOS manages communication sessions between networked devices. It handles connection establishment, data transfer, and session termination at OSI Layer 5.
• LAN Focus: The protocol was designed specifically for local area network environments. Its broadcast-based discovery mechanisms work best in small, unrouted networks.

Essential NetBIOS Elements

• NetBIOS Names: Each device or service uses a unique 16-character identifier. The first 15 characters are user-defined, while the 16th character serves as a suffix indicating the service type. These names enable human-readable device identification across the network.
• NetBIOS over TCP/IP (NBT): Modern implementations encapsulate NetBIOS services within TCP/IP packets. This approach, defined in RFCs 1001 and 1002, allows NetBIOS to function over routed networks.
• NetBEUI Protocol: NetBIOS Extended User Interface served as the original non-routable transport protocol for NetBIOS. NetBEUI provided an improved NetBIOS implementation but remained limited to single network segments.
• WINS Service: Windows Internet Name Service provides centralized NetBIOS name resolution for routed environments. WINS servers maintain databases of NetBIOS name-to-IP address mappings.

How It Works

NetBIOS delivers network functionality through three distinct services. Each service operates on specific TCP or UDP ports and serves unique communication purposes.

Name Service (NetBIOS-NS)

The Name Service handles NetBIOS name registration, release, and resolution functions. When a computer starts, it registers its unique NetBIOS name on the network through broadcast announcements. Other devices query the name service to resolve NetBIOS names to corresponding IP addresses.

Port Usage: NetBIOS Name Service primarily operates on UDP Port 137.

Resolution Methods: The service supports multiple name resolution approaches. Broadcast queries work within single network segments. LMHOSTS files provide static name-to-IP mappings. WINS servers enable name resolution across routed networks.

Registration Process: Devices broadcast name registration requests to claim specific NetBIOS names. If no conflicts exist, the device successfully registers the name. Duplicate name conflicts generate error messages and prevent registration.

Datagram Service (NetBIOS-DGM)

The Datagram Service provides connectionless, unreliable communication for small message transmission. Applications can send datagrams up to 512 bytes to specific NetBIOS names or broadcast messages to groups.

Port Usage: NetBIOS Datagram Service operates on UDP Port 138.

Communication Model: Senders transmit datagrams without establishing connections. No acknowledgment confirms message receipt. This approach works well for status updates and simple notifications.

Broadcast Capability: The service supports both unicast and broadcast datagram transmission. Broadcast messages reach all devices listening for specific NetBIOS group names.

Session Service (NetBIOS-SSN)

The Session Service facilitates connection-oriented, reliable communication between devices. Applications establish virtual circuits between NetBIOS names for exchanging larger amounts of data.

Port Usage: NetBIOS Session Service operates on TCP Port 139.

Connection Management: The service establishes reliable connections between NetBIOS endpoints. Data transfer occurs over these established sessions with guaranteed delivery.

SMB Integration: Server Message Block file sharing traditionally runs over NetBIOS Session Service. SMB clients and servers expect NetBIOS as the underlying transport mechanism.

Key Features and Components

NetBIOS provides several distinctive capabilities that made it popular in early network implementations.

• API Services: NetBIOS offers a comprehensive set of communication services for applications. Developers can use standardized function calls without understanding transport protocol details.
• Name Resolution: The protocol translates human-readable NetBIOS names to network addresses. This capability simplifies network resource identification and access.
• Dual Communication Models: NetBIOS supports both connectionless datagram and connection-oriented session communication. Applications can choose appropriate communication methods based on their requirements.
• Broadcast Discovery: Original NetBIOS implementations rely heavily on broadcast messages for device discovery and name resolution. This approach works effectively in small, flat networks.
• Transport Independence: NetBIOS can operate over various transport protocols including NetBEUI, IPX/SPX, and TCP/IP. This flexibility allowed deployment across different network architectures.

Use Cases and Applications

NetBIOS found extensive use in Microsoft-centric network environments and continues to support legacy applications.

Primary Applications

• File and Printer Sharing: Windows networks historically used SMB over NetBIOS for file and printer sharing. This combination provided the foundation for Windows network resource access.
• Legacy Windows Networks: Older Windows environments prior to Windows 2000 depended heavily on NetBIOS for network functionality. Many organizations maintain these systems for specific applications.
• Network Browsing: NetBIOS enables the Network Neighborhood and Network Places features in Windows Explorer. These tools populate lists of available computers and shared resources.
• WINS Implementation: Windows Internet Name Service extends NetBIOS name resolution to routed environments. WINS servers provide centralized name management for enterprise networks.
• Samba Integration: Linux and Unix systems use Samba to implement SMB and NetBIOS functionality. This enables interoperability with Windows-based networks.

Advantages and Trade-offs

Understanding NetBIOS requires recognizing both its historical benefits and significant modern limitations.

Historical Advantages

• Simplicity: NetBIOS provided straightforward setup and configuration for small LAN environments. Network administrators could implement file sharing with minimal technical complexity.
• Windows Integration: Microsoft Windows operating systems included native NetBIOS support. This deep integration simplified network resource access for users and applications.
• Resource Sharing: NetBIOS enabled easy file and printer sharing across network segments. Users could access resources using simple, memorable names rather than IP addresses.

Modern Limitations and Security Concerns

• Routing Limitations: Original NetBIOS over NetBEUI cannot cross router boundaries. This restriction severely limits network scalability and design flexibility.
• Broadcast Traffic: NetBIOS generates excessive broadcast traffic in larger networks. These broadcasts can cause network congestion and performance degradation.
• Security Vulnerabilities: NetBIOS presents multiple security risks that make it inappropriate for modern network designs.
• Reconnaissance Attacks: Attackers can easily query NetBIOS Name Service on UDP port 137 to enumerate computer names, user lists, and shared resources. This information gathering, known as NetBIOS enumeration, provides valuable intelligence for further attacks.
• Name Service Poisoning: NetBIOS name resolution is vulnerable to man-in-the-middle attacks. Attackers can intercept and manipulate name resolution requests, redirecting traffic to malicious systems. LLMNR and NBT-NS poisoning attacks exploit these weaknesses.
• Authentication Weaknesses: Native NetBIOS communications lack authentication and encryption. Messages transmitted over NetBIOS are susceptible to eavesdropping and spoofing attacks.
• Scalability Issues: The flat 15-character naming scheme cannot support large, hierarchical networks. Modern internet-scale networks require the hierarchical structure provided by DNS.
• Protocol Obsolescence: Modern networks use DNS for name resolution and SMB over TCP port 445 for file sharing. NetBIOS functionality has been largely superseded by more secure and scalable alternatives.

Key Terms Appendix

• NetBIOS (Network Basic Input/Output System): A legacy API and session layer service for communication on LANs.
• API (Application Programming Interface): A set of rules allowing software components to interact.
• Session Layer (OSI Layer 5): The OSI layer responsible for managing communication sessions.
• LAN (Local Area Network): A computer network in a limited geographical area.
• NetBIOS Name: A unique 16-character name identifying a computer or service in NetBIOS.
• NetBIOS over TCP/IP (NBT / NetBT): Encapsulation of NetBIOS services within TCP/IP.
• NetBEUI (NetBIOS Extended User Interface): A non-routable transport protocol historically used by NetBIOS.
• WINS (Windows Internet Name Service): Microsoft’s centralized NetBIOS name resolution server.
• UDP Port 137: Used for NetBIOS Name Service (NBNS).
• UDP Port 138: Used for NetBIOS Datagram Service (NBDGM).
• TCP Port 139: Used for NetBIOS Session Service (NBSS).
• SMB (Server Message Block): A network file-sharing protocol that historically ran over NetBIOS.
• DNS (Domain Name System): The modern hierarchical naming system for the Internet.
• NetBIOS Enumeration: A reconnaissance technique to gather NetBIOS network information.
• NetBIOS Poisoning: An attack that manipulates NetBIOS name resolution.
• Samba: A free software re-implementation of SMB/NetBIOS for Unix-like systems.