
NetBIOS Disabled

ID: netbios-disabled

Severity: medium

Author: princechaddha

Tags: windows,netbios,network,security,code,windows-audit

Determine if NetBIOS over TCP/IP is disabled on all network adapters.

id: netbios-disabled

info:
  name: NetBIOS Disabled
  author: princechaddha
  severity: medium
  description: Determine if NetBIOS over TCP/IP is disabled on all network adapters.
  impact: |
    Enabling NetBIOS can expose systems to network-related attacks such as traffic interception and spoofing.
  remediation: |
    Disable NetBIOS on all network adapters to mitigate potential security risks.
  tags: windows,netbios,network,security,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      # The WMI property is TcpipNetbiosOptions: 0 = default (DHCP), 1 = enabled, 2 = disabled.
      # Adapters not bound to IP return $null for it, so only IP-enabled adapters are checked.
      $netbiosStatus = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" | Where-Object { $_.TcpipNetbiosOptions -ne 2 }
      if ($netbiosStatus) {"NetBIOS is misconfigured or enabled"} else {"NetBIOS is correctly disabled"}

    matchers:
      - type: word
        words:
          - "NetBIOS is misconfigured or enabled"
# digest: 4b0a00483046022100e85ea6c57f3fa56e4736caaaf47eb109b51ee0978b66cc95ba1ab671560af6cc022100ffcdeb9d0c8013bea7ebdb1cd2a83b1f0224854dfa78c19017a6c5270b12f646:922c64590222798bb761d5b6d8e72950

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "code/windows/audit/netbios-disabled.yaml"
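
The check above reports only pass or fail for the whole host. The following standalone script is an added example, not part of the template or of the nuclei-templates project: it lists the setting per IP-enabled adapter and can apply the remediation the template describes. The `-Remediate` switch name is hypothetical, chosen for this example; disabling requires an elevated session.

```powershell
# Added example: per-adapter NetBIOS over TCP/IP audit with optional remediation.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate   # hypothetical switch name used only in this example
)

# Meaning of TcpipNetbiosOptions on Win32_NetworkAdapterConfiguration
$optionNames = @{
    0 = 'Default (use DHCP-supplied setting)'
    1 = 'Enabled'
    2 = 'Disabled'
}

# Adapters not bound to IP return $null for the property, so they are excluded.
$adapters = @(Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')

$report = foreach ($a in $adapters) {
    [pscustomobject]@{
        Index       = $a.Index
        Description = $a.Description
        Setting     = $optionNames[[int]$a.TcpipNetbiosOptions]
        Compliant   = ($a.TcpipNetbiosOptions -eq 2)
    }
}
$report | Format-Table -AutoSize | Out-String

# Anything other than 2 (Disabled) fails, including 0, which defers to DHCP.
$failing = @($adapters | Where-Object { $_.TcpipNetbiosOptions -ne 2 })
if ($failing.Count -eq 0) {
    'NetBIOS is correctly disabled'
    return
}
'NetBIOS is misconfigured or enabled'

if ($Remediate) {
    foreach ($a in $failing) {
        if ($PSCmdlet.ShouldProcess($a.Description, 'Disable NetBIOS over TCP/IP')) {
            $r = Invoke-CimMethod -InputObject $a -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
            # ReturnValue 0 = success, 1 = success but a reboot is required
            '{0}: SetTcpipNetbios returned {1}' -f $a.Description, $r.ReturnValue
        }
    }
}
```

Running it with `-Remediate -WhatIf` shows which adapters would be changed without modifying them.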
