
Resolving Rapid7 NetBIOS NBSTAT Amplification Vulnerability Findings on macOS

Site Owner: Michael Baggett

Role: Project Developer

Joined: May 2023

Overview

Security scanners such as Rapid7, Nessus, Qualys, and similar vulnerability management platforms may report a finding related to NetBIOS Name Service (NBNS) on macOS systems.

Typical findings include:

  • UDP port 137 open
  • Running CIFS Name Service
  • NetBIOS NBSTAT query responses enabled
  • Configuration item advertised-name-count set to ‘1’
  • Potential UDP amplification vulnerability
  • Potential DRDoS participation risk

Example finding text:

A NetBIOS NBSTAT query will obtain the status from a NetBIOS-speaking endpoint, which will include any names that the endpoint is known to respond to as well as the device’s MAC address for that endpoint. A NBSTAT response is roughly 3x the size of the request, and because NetBIOS utilizes UDP, this can be used to conduct traffic amplification attacks against other assets, typically in the form of distributed reflected denial of service (DRDoS) attacks.

This document explains:

  • What the issue means
  • Why it occurs on macOS
  • Security implications
  • How to verify exposure
  • How to remediate the issue
  • Enterprise hardening recommendations
  • Validation procedures

Understanding the Vulnerability

What Is NetBIOS?

NetBIOS (Network Basic Input/Output System) is a legacy networking API and protocol suite originally developed for IBM PC networking in the 1980s and later adopted by Microsoft for Windows networking and file sharing.

NetBIOS services commonly use:

Service                        Protocol   Port
NetBIOS Name Service (NBNS)    UDP        137
NetBIOS Datagram Service       UDP        138
NetBIOS Session Service        TCP        139

Modern environments generally rely on:

  • DNS
  • mDNS/Bonjour
  • Active Directory DNS integration
  • SMB2/SMB3 over TCP/445

As a result, NetBIOS is largely considered legacy functionality.


Why Rapid7 Flags This

UDP Reflection and Amplification Risk

NBSTAT (node status) queries sent to UDP/137 generate responses significantly larger than the request. The wildcard query a scanner sends is 50 bytes; the reply carries the host's entire NetBIOS name table (18 bytes per advertised name) plus a 46-byte statistics block that begins with the adapter's MAC address, so a typical host returns roughly three times what it received, and the ratio grows with every name it advertises.

Attackers may abuse this behavior by:

  1. Spoofing the victim’s IP address
  2. Sending many NBSTAT requests to exposed devices
  3. Causing devices to send amplified responses to the victim

This creates:

  • Distributed Reflected Denial of Service (DRDoS)
  • Amplification attacks
  • Information disclosure risks

Even if the Mac itself is not vulnerable to compromise, it may still participate in amplification attacks against other systems.


Why This Happens on macOS

On macOS the UDP/137 listener is netbiosd, Apple's NetBIOS name-service daemon. It runs alongside smbd whenever SMB File Sharing is on, registering the host's NetBIOS name, answering NBNS and NBSTAT queries, and providing legacy Windows/CIFS interoperability (workgroup browsing and NetBIOS name resolution).

Common associated services include:

  • smbd (SMB file service, TCP/445)
  • netbiosd (NetBIOS name service, UDP/137 and UDP/138)

In most environments, enabling:

  • File Sharing
  • SMB sharing

…automatically starts both daemons, so the NBSTAT finding appears as a side effect of turning on File Sharing.


Security Impact

Risks

Risk                       Description
DRDoS participation        The device may be abused as a reflector in amplification attacks against third parties
Information disclosure     NBSTAT responses expose the host's NetBIOS name table and MAC address
Legacy protocol exposure   Unnecessary attack surface
Security audit findings    Fails vulnerability scans and compliance checks

Determining Whether NetBIOS Is Needed

Before disabling services, determine whether the Mac requires:

  • Windows SMB file sharing
  • Legacy Windows workgroup support
  • NetBIOS discovery
  • Old NAS/printer compatibility
  • Legacy CIFS interoperability

Most modern enterprise environments using:

  • Active Directory
  • DNS
  • SMB2/SMB3 over TCP/445

…do not require NetBIOS. SMB2/SMB3 is direct-hosted over TCP/445 and resolves names through DNS, so the NetBIOS name service is needed only for legacy NetBIOS name resolution and workgroup browsing, not for SMB file sharing itself.


Verifying the Vulnerability

Check Whether UDP/137 Is Listening

Run:

sudo lsof -nP -iUDP:137

or:

sudo netstat -anv | grep '\.137 '

If the port is exposed, the listener will be netbiosd. smbd usually runs alongside it (serving SMB on TCP/445), but it is netbiosd that holds UDP/137.

Example:

netbiosd   412 root   10u  IPv4 0x... UDP *:137

Identify Running NetBIOS Services

Check launchd services:

sudo launchctl list | grep -Ei 'smb|netbios'

Check SMB Sharing Status

Run:

sharing -l

or:

sudo defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server

Primary Remediation Options

If SMB sharing is not required, disable it entirely.

Option 1 — Disable File Sharing (GUI Method)

Navigate to:

System Settings → General → Sharing

Disable:

  • File Sharing

Reboot the system afterward, or at least confirm that netbiosd has exited and UDP/137 is no longer bound.

This resolves the issue in most cases.


Option 2 — Disable NetBIOS Services Directly

If SMB sharing must remain enabled, stop only the NetBIOS name service; SMB2/SMB3 clients connect over TCP/445 and do not depend on it.

Temporarily Stop NetBIOS (does not survive a reboot)

sudo launchctl bootout system/com.apple.netbiosd

On older releases the legacy form of the same command is:

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.netbiosd.plist

Verify:

sudo lsof -nP -iUDP:137

Expected result:

  • no output

Because launchd manages netbiosd on demand while SMB sharing is active, the daemon may be started again; re-check the listener after a few minutes and after a reboot, and use Option 3 when the change has to persist.

Option 3 — Disable SMB and NetBIOS via launchctl

Disable SMB Service

sudo launchctl disable system/com.apple.smbd

Disable NetBIOS Daemon

sudo launchctl disable system/com.apple.netbiosd

Reboot afterward. launchctl disable records the override in launchd's persistent disabled-services database, so it survives reboots; reverse it with launchctl enable on the same service target.


Verifying Remediation

After reboot:

sudo lsof -nP -iUDP:137

Expected:

  • no listening services

You may also test locally:

nc -zvu localhost 137

Expected:

  • nc does not report the port as open

Note that nc's UDP check is only meaningful where the kernel answers a closed port with ICMP port unreachable, which loopback does; across the network a filtered port looks the same as an open one. The authoritative check is an actual wildcard NBSTAT query from another host (for example nmap's nbstat NSE script or Samba's nmblookup -A, neither of which ships with macOS): an exposed host answers with its name table and MAC address, a remediated host stays silent.

Firewall Hardening (Optional Additional Protection)

Disabling the service is preferred.

However, additional protection may include firewall rules.


Using PF Firewall

Edit:

/etc/pf.conf

Add, after the com.apple anchors Apple ships in that file, a rule that drops inbound NBNS queries before any later pass rule can match them:

block in quick proto udp from any to any port 137

Reload PF:

sudo pfctl -f /etc/pf.conf
sudo pfctl -e

Caveats: pfctl -e enables PF only until the next reboot, so a managed system needs a LaunchDaemon or an MDM configuration profile to re-enable it at boot; check the syntax with pfctl's -n (parse only) flag before loading, because a bad pf.conf leaves the host without the rule; and a host firewall only hides the listener rather than removing it, so disabling netbiosd remains the primary fix.

Enterprise Hardening Recommendations

For enterprise-managed macOS systems:

Recommendation                               Status
Disable File Sharing unless required         Recommended
Disable NetBIOS services                     Recommended
Block UDP/137 inbound                        Recommended
Use SMB2/SMB3 only                           Recommended
Use DNS instead of NetBIOS discovery         Recommended
Disable legacy workgroup support             Recommended

Validation Checklist

After remediation:

Check                 Expected Result
lsof -iUDP:137        No output
netstat               No UDP/137 listener
Rapid7 rescan         Finding resolved
NBSTAT query          No response
SMB functionality     Still operational if required

Potential Side Effects

Disabling NetBIOS may affect:

  • Legacy Windows browsing
  • Old SMB discovery methods
  • Older NAS appliances
  • Some multifunction printers
  • Legacy CIFS environments

Modern Active Directory and SMB2/SMB3 environments are typically unaffected.


If SMB Sharing Is Not Required

Disable:

  • File Sharing
  • SMB services
  • NetBIOS services

This is the cleanest and safest solution.


If SMB Sharing Is Required

Recommended approach:

  1. Keep SMB enabled
  2. Disable NetBIOS if possible
  3. Restrict UDP/137 via firewall
  4. Use DNS/AD-based discovery only

Example End-to-End Remediation Procedure

Step 1

Disable File Sharing:

System Settings → General → Sharing → File Sharing OFF

Step 2

Disable services (omit the smbd line if SMB sharing must stay on; netbiosd alone is what answers NBSTAT):

sudo launchctl disable system/com.apple.smbd
sudo launchctl disable system/com.apple.netbiosd

Step 3

Reboot:

sudo reboot

Step 4

Verify:

sudo lsof -nP -iUDP:137

Expected:

  • no output

Conclusion

Rapid7 NBSTAT findings on macOS are typically caused by legacy SMB/NetBIOS compatibility services exposing UDP/137.

While the issue does not necessarily indicate system compromise, it:

  • increases attack surface
  • allows participation in reflection/amplification attacks
  • exposes legacy network information
  • creates compliance and audit findings

For most modern enterprise environments, disabling NetBIOS services and UDP/137 exposure is safe and recommended.

The preferred remediation is:

  1. Disable File Sharing if unused
  2. Disable netbiosd
  3. Verify UDP/137 is closed
  4. Rescan with Rapid7

This eliminates the exposure while maintaining a more secure modern networking posture.
