Nbtscan
Nbtscan queries NetBIOS names and resolves hostnames from IP addresses on Windows networks. Used for host discovery and OS fingerprinting.
Installation
# Debian/Ubuntu
sudo apt install nbtscan
# Kali Linux (pre-installed)
which nbtscan
# macOS
brew install nbtscan
# Build from source
git clone https://github.com/Konrad2221/nbtscan
cd nbtscan && make && sudo make install
Basic Scanning
| Command | Description |
|---|---|
| nbtscan target | Scan single IP |
| nbtscan 192.168.1.0/24 | Scan subnet |
| nbtscan 192.168.1.1-254 | Scan range (last-octet form; nbtscan takes a single target argument) |
| nbtscan -f hostfile.txt | Scan from file (-f - reads addresses from stdin) |
| nbtscan -h | Show help |
Single Host Queries
# Query single IP (default output: IP, NetBIOS name, server flag, logged-in user, MAC)
nbtscan 192.168.1.100
# Verbose output: full NetBIOS name table with service codes
nbtscan -v 192.168.1.100
# Show all names with human-readable service descriptions (-h requires -v)
nbtscan -v -h 192.168.1.100
Network Scanning
# Scan entire subnet
nbtscan 192.168.1.0/24
# Scan range of IPs (last-octet form)
nbtscan 192.168.1.1-254
# Scan with specific range
nbtscan 192.168.1.10-20
# Custom timeout (ms, default 1000)
nbtscan -t 100 192.168.1.0/24
# Increased timeout for slow networks
nbtscan -t 3000 192.168.1.0/24
Output Filtering
# Save results to file
nbtscan 192.168.1.0/24 > nbtscan_results.txt
# Only show hostnames (second column of the default output; skip the header lines)
nbtscan 192.168.1.0/24 | awk '/^[0-9]/{print $2}' | sort -u
# Extract IP and machine name pairs
nbtscan 192.168.1.0/24 | awk '/^[0-9]/{print $1, $2}' | sort -u
# Service codes such as <00> are only printed with -v; prefix each name-table entry with its host IP
nbtscan -v 192.168.1.0/24 | awk '/Name Table for Host/{ip=$NF; sub(/:$/,"",ip)} /<[0-9a-f][0-9a-f]>/{print ip, $0}' > names.txt
# Find workstations (<00> UNIQUE)
grep '<00>' names.txt | grep UNIQUE
# Find domain controllers
grep '<1c>' names.txt
# Find file servers
grep '<20>' names.txt
NetBIOS Name Service Codes
| Code | Type | Description |
|---|---|---|
| <00> | WORKSTATION | Workstation or server name |
| <01> | MESSENGER | Browser election service |
| <03> | MESSENGER | Messenger service |
| <06> | RAS | RAS server |
| <1B> | NETDDE | Domain master browser |
| <1C> | INTERNETGROUP | Domain controller group |
| <1D> | MASTER | Master browser |
| <1E> | BROWSER | Browser service elections |
| <20> | SERVER | File server service |
| <21> | RAS | RAS client service |
| <22> | EXCHANGE | Exchange message handling system |
| <23> | EXCHANGE | Exchange store |
| <24> | EXCHANGE | Exchange directory services |
| <30> | MODEM | Modem sharing server |
| <31> | MODEM | Modem sharing client |
| <43> | SNA | SNA gateway |
| <44> | SNA | SNA server |
| <45> | TCPIP | TCP/IP NetBIOS gateway |
| <46> | TCPIP | TCP/IP NetBIOS name server |
| <4B> | NETDDE | Distributed file system |
| <87> | PROXY | Proxy server |
| <BE> | NETLOGON | Network logon service |
| <BF> | NETLOGON | Logon server cluster |
| <C0> | SRVLOC | Server location service |
| <FB> | FILESERVER | File server service cluster |
| <FF> | DOMAIN | Domain name (master browsers) |
Advanced Scanning
# Maximum detail: dump the raw reply packets
nbtscan -d 192.168.1.0/24
# Suppress banners and error messages
nbtscan -q 192.168.1.0/24
# Send queries from local port 137 (needs root; some old hosts only answer queries from 137)
sudo nbtscan -r 192.168.1.0/24
# Show only active systems (non-responders are omitted; drop the column headers)
nbtscan -q 192.168.1.0/24 | awk '/^[0-9]/'
Host Discovery Workflow
# Step 1: Scan subnet for active hosts; keep the default summary and the verbose name tables
nbtscan 192.168.1.0/24 > hosts.txt
nbtscan -v 192.168.1.0/24 > names.txt
# Step 2: Extract unique hostnames
awk '/^[0-9]/{print $2}' hosts.txt | sort -u > hostnames.txt
# Step 3: Identify domain controllers
grep '<1c>' names.txt
# Step 4: Identify domain names (the <00> GROUP entries)
grep '<00>' names.txt | grep GROUP | awk '{print $1}' | sort -u
# Step 5: Identify master browsers
grep '<1d>' names.txt
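The Output Filtering pipelines and the workflow above each pull one fact out of the verbose name tables; the following added shell example (not part of the original cheat sheet) folds them into one awk pass that prints IP, hostname, domain and roles per host. It runs over a constructed, abbreviated sample of `nbtscan -v` output laid out as `NAME <code> UNIQUE|GROUP` under a `NetBIOS Name Table for Host` header, which is the format the cheat sheet's own greps assume.

```shell
#!/bin/sh
# Constructed, abbreviated sample of `nbtscan -v` output (not a real capture):
# one domain controller and one workstation, header and blank lines omitted.
SAMPLE='NetBIOS Name Table for Host 192.168.1.10:
DC01             <00>             UNIQUE
CORP             <00>              GROUP
DC01             <20>             UNIQUE
CORP             <1c>              GROUP
CORP             <1b>             UNIQUE
CORP             <1e>              GROUP
Adapter address: 00:0c:29:aa:bb:cc
NetBIOS Name Table for Host 192.168.1.42:
WS042            <00>             UNIQUE
CORP             <00>              GROUP
WS042            <20>             UNIQUE
CORP             <1e>              GROUP
Adapter address: 00:0c:29:dd:ee:ff
'

# summarize_nbt: reads nbtscan -v output on stdin and prints one line per host:
#   <ip> <hostname> <domain/workgroup> <roles>
# hostname = the <00> UNIQUE entry, domain = the <00> GROUP entry; roles come from
# the service codes in the table above (<1c> DC, <1b>/<1d> browsers, <20> file server).
summarize_nbt() {
    awk '
    BEGIN { role["<1c>"] = "dc"; role["<1b>"] = "domain-master-browser"
            role["<1d>"] = "master-browser"; role["<20>"] = "file-server" }
    # emit the host collected so far (if any) and reset the per-host state
    function flush() {
        if (ip != "") { sub(/,$/, "", roles); print ip, host, dom, (roles == "" ? "-" : roles) }
        ip = ""; host = "-"; dom = "-"; roles = ""
    }
    # each host block starts with this header; the IP is the last field (trailing colon)
    /Name Table for Host/ { flush(); ip = $NF; sub(/:$/, "", ip); next }
    # name-table entry: NAME <code> UNIQUE|GROUP
    /<[0-9a-f][0-9a-f]>/ {
        if ($2 == "<00>") { if ($3 == "UNIQUE") host = $1; else dom = $1 }
        else if ($2 in role) roles = roles role[$2] ","
    }
    END { flush() }'
}

printf '%s' "$SAMPLE" | summarize_nbt
```

Pipe a live scan in with `nbtscan -v 192.168.1.0/24 | summarize_nbt` to get the same one-line-per-host summary.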
Domain Enumeration
# Find all domain names (the <00> GROUP entries in the verbose name tables)
nbtscan -v 192.168.1.0/24 | grep '<00>' | grep GROUP | awk '{print $1}' | sort -u
# Find domain controllers
nbtscan -v 192.168.1.0/24 | grep '<1c>'
# Find domain master browser
nbtscan -v 192.168.1.0/24 | grep '<1b>'
# Extract domain name (first field of the <1c> entry)
nbtscan -v 192.168.1.0/24 | grep '<1c>' | awk '{print $1}' | sort -u
Bulk Scanning
# Scan from file list
nbtscan -f /path/to/ips.txt
# Create IP list for scanning (-n skips reverse DNS so the last field is always the IP)
nmap -sL -n 192.168.1.0/24 | awk '/Nmap scan report/{print $NF}' > ips.txt
nbtscan -f ips.txt
# Parallel scanning with xargs (-s gives header-free, separator-delimited lines that merge cleanly)
xargs -P 4 -I {} nbtscan -q -s : {} < ips.txt
Integration with Other Tools
# Combine with nmap (only hosts with TCP 139 open; nbtscan -f - reads the list from stdin)
nmap -p 139 --open 192.168.1.0/24 -oG - | awk '/Ports:.*open/{print $2}' | nbtscan -f -
# Combine with masscan ("Discovered open port 139/tcp on <ip>": the IP is the sixth field)
masscan 192.168.1.0/24 -p 139 | awk '/Discovered open port/{print $6}' | sort -u | nbtscan -f -
# Parse nbtscan output for further enumeration (IPs are the first column of the default output)
nbtscan 192.168.1.0/24 | awk '/^[0-9]/{print $1}' | xargs -I {} smbclient -L //{} -N
Troubleshooting
# Increase timeout (default 1000 ms) and retransmit for unresponsive systems
nbtscan -t 3000 -m 2 192.168.1.100
# Check that the NetBIOS ports are reachable (name service is UDP 137; session service is TCP 139)
nmap -sU -sT -p U:137,T:139 192.168.1.100
# Throttle output bandwidth if you see "Operation not permitted" or "Cannot assign requested address"
nbtscan -b 20000 192.168.1.0/24
Last updated: March 2026