Port 137: NetBIOS Name Service — The Name Shouted Into the Void

Port 137 carries the NetBIOS Name Service (NBNS), the protocol that lets computers find each other by name on a local network. When a machine needs to reach \\FILESERVER, port 137 is the voice that calls out into the network asking "Who is FILESERVER? Please respond."

This is the original naming system for Windows networking. It predates the World Wide Web. It predates modern DNS. It was built in 1983 for networks of fewer than 80 computers, and somehow, forty years later, it is still running on millions of machines.

What Port 137 Actually Does

The NetBIOS Name Service handles three fundamental operations¹:

1. Name Registration: When a computer boots up, it broadcasts its name to the network. "I am WORKSTATION-7. Does anyone object?" If no one responds, the name is claimed.

2. Name Resolution: When a computer needs to contact another machine by name, it broadcasts a query. "Who is FILESERVER? What is your IP address?" The machine with that name responds.

3. Name Release: When a computer shuts down gracefully, it releases its name back to the network.

The mechanism is elegant in its simplicity: broadcast a question, trust whoever answers.

How NetBIOS Names Work

NetBIOS names are exactly 16 bytes long². The first 15 characters are the human-readable name (like FILESERVER padded with spaces). The 16th character is a suffix byte that identifies what service is running:

• 00 = Workstation Service (the computer itself)
• 20 = File Server Service (shares files)
• 03 = Messenger Service (receives messages)
• 1B = Domain Master Browser
• 1C = Domain Controllers

A single machine registers multiple names with different suffixes. Your Windows computer might appear as MYPC<00> (workstation), MYPC<20> (file server), and MYPC<03> (messenger) all at once³.

Run nbtstat -n on any Windows machine and you will see this in action, each service announcing itself to the network under the same name with different suffixes.

The History: Sytek, IBM, and the 80-Computer Limit

In 1983, IBM needed networking software for their new PC Network hardware. They contracted with Sytek Inc., a Silicon Valley company, to create the software interface⁴. What Sytek built was NetBIOS: Network Basic Input/Output System.

The design reflected its era. PC Network supported a maximum of 80 devices in baseband mode⁵. At that scale, broadcasting every name query to every machine was fine. The network was a single room, maybe a single floor of an office building. Everyone could hear everyone.

NetBIOS was just an API at first, a way for programs to access networking functions. The actual wire protocol was Sytek's proprietary format. But the API caught on. Software developers wrote applications targeting NetBIOS, and those applications needed to keep working.

In 1985, IBM moved to Token Ring networks. They needed NetBIOS applications to work on the new hardware, so they created NetBEUI (NetBIOS Extended User Interface), an emulator that implemented the NetBIOS API over Token Ring⁶.

Then came TCP/IP. By 1987, TCP/IP was becoming the lingua franca of networking. The Internet was growing. And thousands of NetBIOS applications existed that couldn't speak TCP/IP.

RFC 1001 and RFC 1002: The Translation Layer

In March 1987, RFC 1001 and RFC 1002 were published⁷. They defined NetBIOS over TCP/IP (NBT), a way to carry NetBIOS traffic over standard Internet protocols. The goal was explicit: "allow NetBIOS interoperation in the Internet"⁸.

The design was a collaboration. Special acknowledgment went to CMC/Syros, Excelan, Sytek (the original creators), and Ungermann-Bass for sharing knowledge from their existing implementations⁹.

RFC 1001 defined three services running on three ports:

• Port 137 (UDP): Name Service, for resolving names to addresses
• Port 138 (UDP): Datagram Service, for connectionless messaging
• Port 139 (TCP): Session Service, for connection-oriented data transfer

Port 137's packet format was deliberately based on DNS¹⁰. The key additions were dynamic registration, conflict detection, and the "Node Status" query that could enumerate all names registered on a remote machine.

Node Types: How Name Resolution Actually Works

RFC 1001 defined several modes for name resolution, acknowledging that pure broadcast wouldn't scale¹¹:

B-Node (Broadcast): The original model. Every query is broadcast to every machine on the network segment. Simple, but generates traffic and cannot cross routers.

P-Node (Point-to-Point): Queries go to a central name server (NBNS). No broadcasts. Requires infrastructure.

M-Node (Mixed): Try broadcast first, then fall back to the name server.

H-Node (Hybrid): Try the name server first, then fall back to broadcast.

Modern Windows systems default to H-Node when a WINS server is available¹². They check the local cache, query WINS, broadcast if that fails, then check LMHOSTS, HOSTS, and finally DNS.

WINS: Microsoft's Answer to Scaling NetBIOS

In 1994, Microsoft introduced Windows Internet Name Service (WINS) with Windows NT 3.5¹³. WINS was Microsoft's implementation of the NetBIOS Name Server described in the RFCs.

Instead of broadcasting to find names, clients would register with a central WINS server and query it for resolutions. This allowed NetBIOS to work across routed networks, across subnets, across the entire enterprise.

WINS worked. For a decade, it was the backbone of Windows name resolution. But it was also one more piece of infrastructure to maintain, one more database to replicate, one more service to secure.

The Security Problem: Trust Without Verification

Here is the fundamental flaw in NetBIOS name resolution: it trusts any response it receives¹⁴.

When a machine broadcasts "Who is FILESERVER?", it accepts the first answer. There is no authentication. No verification. No cryptographic proof that the responder is who they claim to be.

This was fine in 1983 when the network was 80 computers in the same office, all under the same administrator's control. It is catastrophic in 2025.

The Responder Attack

The attack is simple enough that it has its own widely-used tool called Responder¹⁵. Here is how it works:

1. An attacker sits on the local network running Responder.
2. A user mistypes a share name: \\FLIEESERVER instead of \\FILESERVER.
3. DNS doesn't know this name. It doesn't exist.
4. Windows falls back to LLMNR (port 5355) and NBT-NS (port 137), broadcasting the query.
5. Responder answers: "I'm FLIEESERVER! Connect to me!"
6. The victim's machine tries to authenticate to the attacker.
7. The attacker captures the NTLMv2 hash.
8. The hash can be cracked offline or relayed to other services¹⁶.

One typo. One broadcast. Credentials captured.

This technique is documented in MITRE ATT&CK as T1557.001: LLMNR/NBT-NS Poisoning and SMB Relay¹⁷. It is a standard part of penetration testing and red team operations. It has been used in real attacks for years.

Other Vulnerabilities

MS00-047 documented a name spoofing vulnerability where attackers could force machines to release their registered names or prevent them from registering new ones¹⁸.

MS03-034 documented a memory disclosure vulnerability where specially crafted queries to port 137 could leak random data from the target system's memory¹⁹.

These are old vulnerabilities, patched long ago. But they illustrate the fundamental problem: a protocol designed for trust in a hostile world.

The Long Goodbye: Deprecation

Microsoft has been slowly turning off NetBIOS for decades²⁰.

Windows 2000 (2000): DNS became the preferred name resolution method. NetBIOS was no longer required for core functionality.

Windows Vista (2006): LLMNR was introduced as a partial replacement, though it has its own security problems.

Windows Server 2022: WINS was formally deprecated.

Windows 11 Insider Builds (2022-present): NetBIOS name resolution has been placed in "learning mode," used only as a fallback after mDNS and LLMNR fail²¹.

Windows Server 2025: WINS will not be included in releases after this version. Microsoft has announced that "mDNS is the only multicast name resolution protocol on by default" is the goal²².

After 42 years, port 137 is finally being put to rest. The sunset date for remaining WINS components is November 14, 2034²³.

Related Ports

Port 137 does not work alone. It is part of a trio:

Port 445 is the modern alternative, carrying SMB directly over TCP without the NetBIOS layer. When you see only port 445 open and not 139, you're looking at a network that has moved beyond NetBIOS.

What Still Uses Port 137

Despite deprecation, port 137 traffic persists:

• Legacy Windows applications that hardcode NetBIOS
• Older network-attached storage devices
• Embedded systems and industrial equipment
• Virtual machine environments with legacy guests
• Any environment where "it's worked for 20 years, don't touch it"

On modern networks, security teams typically block ports 137-139 at the firewall perimeter and disable NetBIOS over TCP/IP on individual hosts²⁴.

Checking Your Exposure

On Windows, check what NetBIOS names your machine is broadcasting:

nbtstat -n

Query a remote machine's NetBIOS names:

nbtstat -A <ip-address>

To disable NetBIOS on a specific adapter:

1. Open Network Connections
2. Right-click the adapter → Properties
3. Select TCP/IPv4 → Properties → Advanced → WINS tab
4. Select "Disable NetBIOS over TCP/IP"

Or via PowerShell for all adapters²⁵:

Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\tcpip* -Name NetbiosOptions -Value 2

The Weight of What It Carries

Port 137 carries names. The names of every Windows computer that has ever needed to find another Windows computer on the local network.

For forty years, when someone typed \\ACCOUNTING or \\PRINTSERVER or \\JOHNS-PC, port 137 was the voice that went out asking for directions. It was the protocol that let secretaries print documents and executives access file shares and IT administrators manage servers.

The design was trusting. Perhaps naive by modern standards. It assumed that everyone on the network was who they claimed to be. It assumed that the network itself was a trusted place.

That trust was exploited. Attackers learned to answer questions they weren't asked, to claim names that weren't theirs, to harvest credentials from machines that believed them.

And so port 137 is being retired. Not because it stopped working, but because the world changed around it. The network is no longer 80 computers in a single office. The network is the entire Internet, and the Internet contains adversaries.

But before it goes, remember what it was: the first practical answer to "how do computers find each other by name?" It worked for four decades. It connected millions of machines. It was the reason you could type a friendly name instead of an IP address.

Port 137 asked the network "Who is there?" and trusted the answer. That was its gift, and its curse.