Port reference
Port 137 (UDP) – NetBIOS Name Service
NetBIOS Name Service — legacy Windows name resolution over UDP, widely abused for spoofing.
Default state
Open on older or misconfigured Windows hosts where NetBIOS over TCP/IP is enabled. Often still on by default on workstations.
Common attacks
- Host and share enumeration via nbtstat
- NBT-NS spoofing/poisoning with Responder
- Forced NTLM authentication and relay
- Information disclosure (names, MAC, logged-on user)
Hardening
- Disable NetBIOS over TCP/IP where DNS suffices
- Disable LLMNR and mDNS alongside NBT-NS to stop poisoning
- Enforce SMB signing to break relayed authentication
- Block UDP 137 at network boundaries
- Segment legacy hosts that still require NetBIOS
nmap snippet
nmap -sU -p137 --script nbstat <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 137?
Port 137 carries the NetBIOS Name Service (NBT-NS), the legacy name-resolution component of NetBIOS over TCP/IP. Before DNS dominated Windows networking, hosts used NBT-NS broadcasts on UDP 137 to map NetBIOS names (like a computer or workgroup name) to IP addresses, register their own names, and answer queries. It remains enabled on many workstations and older servers for backward compatibility.
Why it matters for security
NBT-NS is a broadcast trust protocol with no authentication, which makes it a classic poisoning target. When DNS resolution fails, Windows falls back to broadcasting an NBT-NS query — and any machine on the segment can answer. An attacker simply replies "that's me," redirecting the victim's connection and capturing the NTLM authentication it offers. The service also leaks useful recon: hostnames, domain/workgroup, MAC address, and the logged-on user.
How it's attacked
Recon tools query NBT-NS to enumerate names, the logged-on user, and the MAC of every host. For credential theft, Responder listens for NBT-NS (and LLMNR) broadcasts and poisons them, forcing victims to authenticate to the attacker. Captured NTLMv2 hashes are cracked offline or relayed straight to SMB or LDAP for lateral movement.
Hardening checklist
Disable NetBIOS over TCP/IP wherever DNS provides resolution, and turn it off together with LLMNR and mDNS to close the whole broadcast-poisoning class. Enforce SMB signing so relayed authentication is rejected. Block UDP 137 at network boundaries and segment any legacy systems that still depend on NetBIOS. The nmap script above runs nbstat to show what a host discloses on networks you are authorized to test.
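A detection-side complement to the poisoning behaviour described above, as an added example that is not part of the original page: it parses UDP 137 payloads using the RFC 1002 layout and flags any source that positively answers name queries for more distinct names than a normal host would. The packets, addresses, host names and the `max_names` threshold are constructed assumptions for the demonstration.

```python
import struct
from collections import defaultdict

def encode_name(name, suffix=0x00):
    """RFC 1002 first-level encoding: 16 bytes become 32 letters 'A'..'P'."""
    raw = name.upper().ljust(15).encode("ascii")[:15] + bytes([suffix])
    enc = bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))
    return b"\x20" + enc + b"\x00"          # length byte, name, empty scope

def decode_name(field):
    """Inverse of encode_name: 34-byte field -> (name, suffix byte)."""
    enc = field[1:33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]

def parse_response(payload):
    """Return (name, answered_ip) for a positive name query response, else None."""
    if len(payload) < 62 or payload[12] != 0x20 or any(
            not 0x41 <= c <= 0x50 for c in payload[13:45]):
        return None                          # too short or not a validly encoded name
    _tid, flags, _qd, ancount = struct.unpack("!HHHH", payload[:8])
    if not flags >> 15 or (flags >> 11) & 0xF or flags & 0xF or ancount < 1:
        return None                          # query, non-query opcode, or error
    rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", payload[46:56])
    if rtype != 0x0020 or rdlen < 6:         # NB record: 2 flag bytes + IPv4
        return None
    return decode_name(payload[12:46])[0], ".".join(map(str, payload[58:62]))

def find_poisoners(packets, max_names=2):
    """Flag sources that positively answer for more than max_names distinct names."""
    answered = defaultdict(set)
    for src_ip, payload in packets:
        parsed = parse_response(payload)
        if parsed:
            answered[src_ip].add(parsed[0])
    return {ip: sorted(n) for ip, n in answered.items() if len(n) > max_names}

def build_response(name, ip, tid=1):
    """Build a constructed positive name query response for the sample below."""
    header = struct.pack("!HHHHHH", tid, 0x8500, 0, 1, 0, 0)
    rdata = b"\x00\x00" + bytes(map(int, ip.split(".")))
    return header + encode_name(name) + struct.pack("!HHIH", 0x20, 1, 300, 6) + rdata

# Constructed sample traffic as (source IP, UDP 137 payload) pairs.
SAMPLE = [("10.0.0.5", build_response("FILESRV01", "10.0.0.5"))]
SAMPLE += [("10.0.0.66", build_response(n, "10.0.0.66"))
           for n in ("FILESRV1", "PRINTSRVV", "WPAD", "INTRANETT")]
SAMPLE.append(("10.0.0.20", struct.pack("!HHHHHH", 2, 0x0110, 1, 0, 0, 0)
               + encode_name("WPAD") + b"\x00\x20\x00\x01"))  # a query, ignored
print(find_poisoners(SAMPLE))               # only 10.0.0.66 is flagged
```

Hosts that legitimately answer for several names (a computer name plus group names) can exceed a low threshold, so tune `max_names` against a baseline of the segment before alerting on it.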
Frequently asked questions
- What is port 137 used for?
  Port 137 is the NetBIOS Name Service, a legacy Windows protocol that resolves NetBIOS names to IP addresses on a local network — a precursor to DNS-based resolution.
- Why is NetBIOS Name Service dangerous?
  When a host can't resolve a name via DNS, it broadcasts an NBT-NS query. Attackers with Responder answer those broadcasts, capturing or relaying NTLM credentials.