nbtscan
Scan networks for NetBIOS name information
TLDR
Scan a network for NetBIOS names
Scan a single IP address
Display verbose output
Display output in /etc/hosts format
Read IP addresses/networks to scan from a file
SYNOPSIS
nbtscan [options] <ip_range | hostname | file>
Examples:
nbtscan 192.168.1.0/24
nbtscan 192.168.1.1-254
nbtscan -f ip_list.txt
PARAMETERS
-r
Scan local network using ARP. Requires root privileges for ARP scans.
-s
Save output to the specified file.
-h
Print host names retrieved by reverse lookups if possible.
-v
Enable verbose output, showing more details during the scan process.
-f
Read IP addresses or ranges from the specified file, one per line.
-P
Disable pinging hosts before scanning, potentially speeding up scans on unresponsive networks.
-T
Set the initial timeout for NetBIOS queries in milliseconds. Default is 200 ms.
-W
Filter results to only show hosts belonging to the specified workgroup.
-m
Include MAC addresses in the output.
-n
Disable name resolution; display IP addresses only.
-d
Enable debug mode, showing internal program messages.
-L
List local NetBIOS names.
-t
Set the number of retries for each query. Default is 2 retries.
-A
Perform an ARP scan instead of a NetBIOS scan. Requires root privileges.
-B
Attempt to grab banner information from discovered hosts (e.g., SMB banner).
-p
Use a specific UDP port for NetBIOS queries (default is 137).
-R
Perform reverse DNS lookups on discovered IP addresses.
-V
Print program version and exit.
-l
List all local IP addresses that can be used for scanning.
-i
Specify the network interface to use for scanning (e.g., eth0).
-q
Suppress banner information during startup.
DESCRIPTION
nbtscan is a powerful command-line tool designed for network reconnaissance. It efficiently scans a range of IP addresses for NetBIOS name service information, which is primarily used by Windows-based systems. By sending UDP queries to port 137 (NetBIOS Name Service), nbtscan can discover hosts, their NetBIOS names, workgroup/domain names, user names, and even MAC addresses. This makes it invaluable for network administrators and security professionals looking to quickly map out Windows machines on a network, identify potential targets, or assess network configurations. Its output provides a concise overview of active NetBIOS services, aiding in tasks such as inventory management, vulnerability assessment, and troubleshooting.
CAVEATS
nbtscan relies on the NetBIOS over TCP/IP (NBT) protocol, specifically querying UDP port 137. Many modern Windows operating systems might have NetBIOS disabled, filtered by a firewall, or use different discovery mechanisms (e.g., WS-Discovery). Consequently, nbtscan might not provide a comprehensive view of all Windows machines on a highly secured or modern network. It can also be quite 'noisy' on the network, making its activity noticeable.
COMMON OUTPUT COLUMNS
When nbtscan successfully identifies a host, its default output typically includes columns such as: IP address, NetBIOS Name, User Name, Server (a marker showing whether the host advertises the NetBIOS file-server service), and MAC Address (if requested with -m). This structured output provides immediate insight into the nature of the discovered device.
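To make the DESCRIPTION and the output columns concrete, the following script is an added example (not nbtscan's own code): it builds the UDP/137 NBSTAT "node status" query that tools like nbtscan send, and decodes a response into the same columns nbtscan prints. The packet layout follows RFC 1001/1002; the mapping of name suffixes to columns (unique 0x00 = computer name, group 0x00 = workgroup, unique 0x20 = file server, unique 0x03 other than the computer name = logged-on user) is the conventional reading of NetBIOS name types and is an assumption about how the columns are derived. The response bytes are constructed inline, so the script runs offline; nothing is sent on the network. The hex of the query is also what a defender would match on when writing a detection rule for NBSTAT sweeps.

```python
"""Build an NBSTAT query and decode a reply into nbtscan-style columns.

Added example, not part of nbtscan. Packet format per RFC 1002; the
suffix-to-column mapping below is an assumption about nbtscan's output.
"""
import struct

NBNS_PORT = 137                      # NetBIOS Name Service
NBSTAT_TYPE = 0x0021                 # "node status" resource record type
WILDCARD_NAME = b"*" + b"\x00" * 15  # "*" padded to the 16-byte NetBIOS name


def encode_netbios_name(name16: bytes) -> bytes:
    """First-level encoding (RFC 1001 14.1): each nibble becomes 'A' + nibble."""
    out = bytearray()
    for b in name16:
        out.append(ord("A") + (b >> 4))
        out.append(ord("A") + (b & 0x0F))
    return bytes(out)


def build_nbstat_query(trn_id: int = 0x1234) -> bytes:
    """The 50-byte datagram sent to UDP/137 of every address in the range."""
    header = struct.pack(">HHHHHH", trn_id, 0x0000, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"\x20" + encode_netbios_name(WILDCARD_NAME) + b"\x00"
    return header + qname + struct.pack(">HH", NBSTAT_TYPE, 0x0001)


def parse_nbstat_response(data: bytes) -> dict:
    """Decode an NBSTAT answer into name, workgroup, user, server flag and MAC."""
    if len(data) < 12:
        raise ValueError("short NBNS header")
    _trn, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not an NBNS answer")
    off = 12
    off += 1 + data[off] + 1                     # RR_NAME: one label + terminator
    rr_type, _cls, _ttl, rdlength = struct.unpack(">HHIH", data[off:off + 10])
    off += 10
    if rr_type != NBSTAT_TYPE:
        raise ValueError("not an NBSTAT record")
    rdata = data[off:off + rdlength]
    num_names = rdata[0]
    if len(rdata) < 1 + 18 * num_names + 6:      # entries + UNIT_ID (MAC)
        raise ValueError("truncated NBSTAT RDATA")
    names = []
    pos = 1
    for _ in range(num_names):
        raw, suffix, name_flags = struct.unpack(">15sBH", rdata[pos:pos + 18])
        pos += 18
        is_group = bool(name_flags & 0x8000)     # G bit: group vs unique name
        names.append((raw.rstrip(b"\x00 ").decode("ascii", "replace"), suffix, is_group))
    mac = ":".join(f"{b:02x}" for b in rdata[pos:pos + 6])

    # Assumed column mapping (conventional NetBIOS name suffixes).
    computer = workgroup = user = None
    server = False
    for name, suffix, is_group in names:
        if is_group and suffix == 0x00:
            workgroup = workgroup or name
        elif not is_group and suffix == 0x00:
            computer = computer or name
        elif not is_group and suffix == 0x20:
            server = True
    for name, suffix, is_group in names:
        if not is_group and suffix == 0x03 and name != computer:
            user = user or name
    return {"name": computer, "workgroup": workgroup, "user": user,
            "server": server, "mac": mac, "names": names}


def format_row(ip: str, info: dict) -> str:
    """Approximate nbtscan's default one-line-per-host layout."""
    return (f"{ip:<16}{info['name'] or '':<16}{'<server>' if info['server'] else '':<10}"
            f"{info['user'] or '<unknown>':<16}{info['mac']}")


def sample_response() -> bytes:
    """Constructed reply from host WKS01 in WORKGROUP with user ALICE logged on."""
    entries = [(b"WKS01", 0x00, 0x0400), (b"WORKGROUP", 0x00, 0x8400),
               (b"WKS01", 0x20, 0x0400), (b"WKS01", 0x03, 0x0400),
               (b"ALICE", 0x03, 0x0400)]
    rdata = bytes([len(entries)])
    for name, suffix, nflags in entries:
        rdata += name.ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += bytes.fromhex("00112233aabb") + b"\x00" * 40   # UNIT_ID + statistics
    header = struct.pack(">HHHHHH", 0x1234, 0x8400, 0, 1, 0, 0)
    rr_name = b"\x20" + encode_netbios_name(WILDCARD_NAME) + b"\x00"
    return header + rr_name + struct.pack(">HHIH", NBSTAT_TYPE, 0x0001, 0, len(rdata)) + rdata


if __name__ == "__main__":
    print("NBSTAT query:", build_nbstat_query().hex())
    print(format_row("192.168.1.10", parse_nbstat_response(sample_response())))
```

The encoded wildcard label in the query is the fixed string `CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA`; a burst of UDP/137 datagrams carrying that label across many destination addresses is the network-level signature of the kind of sweep this page describes, which is why the CAVEATS section calls the tool noisy.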
USAGE CONSIDERATIONS
For best results, nbtscan is often used with an IP address range (e.g., CIDR notation like 192.168.1.0/24 or a dash-separated range like 192.168.1.1-254). Running nbtscan on a broad range or across slow networks might require adjusting the -T (timeout) and -t (retries) parameters for optimal performance.
HISTORY
nbtscan is an open-source utility that was originally developed by Stephen Schmidt. It gained popularity as a quick and effective tool for network reconnaissance, particularly in environments with a significant presence of Windows machines. Its straightforward usage and clear output made it a staple in many network administration and security toolkits. While newer discovery methods exist, nbtscan remains relevant for legacy systems and specific network auditing tasks.