Overview
nbtscan is a command-line utility that scans IP networks for NetBIOS name information. It queries the NetBIOS Name Service (port 137/UDP) to enumerate Windows hosts, retrieve computer names, workgroup/domain memberships, and identify logged-in users. Essential for network reconnaissance and Windows environment discovery.
Installation
Linux / Debian-based
# Debian/Ubuntu
sudo apt-get update
sudo apt-get install nbtscan
# Or from source
wget http://www.inetcat.net/software/nbtscan-1.5.1.tar.gz
tar xzf nbtscan-1.5.1.tar.gz
cd nbtscan-1.5.1
./configure && make && sudo make install
Kali Linux
# Pre-installed in Kali
which nbtscan
# Or update
sudo apt-get install nbtscan
macOS
brew install nbtscan
Windows
# Download from inetcat.net or use WSL
# Or use nmblookup (Samba suite) as alternative
nmblookup -A <IP>
Basic Syntax
| Command | Description |
|---|---|
| nbtscan <IP> | Scan single IP address |
| nbtscan <CIDR> | Scan CIDR range (e.g., 192.168.1.0/24) |
| nbtscan <start>-<end> | Scan IP range (e.g., 192.168.1.1-192.168.1.255) |
| nbtscan -h | Display help menu |
| nbtscan -V | Show version information |
Essential Options
| Option | Description | Example |
|---|---|---|
| -r | Targeting by hostname (resolve names) | nbtscan -r hostname.txt |
| -A | Adapter to use (specify interface) | nbtscan -A eth0 192.168.1.0/24 |
| -t <ms> | Timeout in milliseconds | nbtscan -t 1000 192.168.1.0/24 |
| -v | Verbose output (detailed info) | nbtscan -v 192.168.1.0/24 |
| -f | Filename for output file | nbtscan -f results.txt 192.168.1.0/24 |
| -m | Show MAC addresses | nbtscan -m 192.168.1.0/24 |
| -s | Separator character for output | nbtscan -s ':' 192.168.1.0/24 |
Output Formats
Human-Readable (Default)
nbtscan 192.168.1.0/24
# Output:
# IP ADDR NETBIOS NAME LOGGED IN USER MAC ADDRESS
# -----------------------------------------------------------------------
# 192.168.1.10 WORKSTATION1 DOMAIN\admin aa:bb:cc:dd:ee:01
# 192.168.1.11 SERVER1 <unknown> aa:bb:cc:dd:ee:02
Comma-Separated Values (CSV)
nbtscan -s ',' 192.168.1.0/24 > results.csv
# Output: IP,NETBIOS_NAME,USER,MAC_ADDRESS
Tab-Separated Values
# A quoted '\t' would be passed as the two characters backslash and t; printf emits a real tab
nbtscan -s "$(printf '\t')" 192.168.1.0/24 > results.tsv
# Output with tab separators
Custom Delimiter
nbtscan -s '|' 192.168.1.0/24
# Output: 192.168.1.10|WORKSTATION1|DOMAIN\admin|aa:bb:cc:dd:ee:01
Verbose Mode
Detailed Output
nbtscan -v 192.168.1.10
# Shows:
# IP: 192.168.1.10
# Netbios Name: WORKSTATION1 Workstation Service
# Netbios Name: DOMAIN Domain Name
# Netbios Name: ADMIN Messenger Service
# MAC Address: aa:bb:cc:dd:ee:01
Verbose with File Output
nbtscan -v -f scan_results.txt 192.168.1.0/24
# Detailed results saved to file
Timeout Settings
Default Timeout (1000ms)
nbtscan 192.168.1.0/24
# Standard operation, waits 1 second per response
Quick Scan (Low Timeout)
nbtscan -t 500 192.168.1.0/24
# Timeout after 500ms (faster but may miss slow hosts)
Patient Scan (High Timeout)
nbtscan -t 3000 192.168.1.0/24
# Timeout after 3 seconds (catches slow/distant hosts)
Network Conditions
# LAN environment (fast network)
nbtscan -t 500 192.168.1.0/24
# WAN/slower networks
nbtscan -t 2000 10.0.0.0/16
# Through VPN/tunnels
nbtscan -t 5000 172.16.0.0/12
Common Usage Scenarios
Basic Network Enumeration
# Scan entire subnet
nbtscan 192.168.1.0/24
# Output shows all Windows hosts and logged-in users
# Useful for quick host discovery
Identify Active Users
# Find who is logged in across network
nbtscan -v 192.168.1.0/24 | grep -i "logged"
# Output displays DOMAIN\username for each host
MAC Address Collection
# Gather MAC addresses during reconnaissance
nbtscan -m 192.168.1.0/24
# Useful for tracking and inventorying devices
Large Network Scan
# Scan with extended timeout for reliability
nbtscan -t 2000 10.0.0.0/16 > network_hosts.txt
# Suitable for larger environments
Single Host Verification
# Check specific computer
nbtscan 192.168.1.100
# Verify hostname and logged-in user
Export and Analysis
Save to Text File
nbtscan 192.168.1.0/24 > hosts.txt
cat hosts.txt
Save to CSV for Spreadsheet
nbtscan -s ',' 192.168.1.0/24 > hosts.csv
# Import into Excel or Google Sheets
Save Verbose Output
nbtscan -v 192.168.1.0/24 > detailed_scan.txt
# Complete host information including services
Filter Results
# Show only specific domain
nbtscan 192.168.1.0/24 | grep "DOMAIN"
# Show only hosts with logged-in users
nbtscan -v 192.168.1.0/24 | grep -i "logged in user"
# Exclude specific hosts
nbtscan 192.168.1.0/24 | grep -v "192.168.1.254"
NetBIOS Codes and Services
| Code | Service | Description |
|---|---|---|
| <20> | File Server | SMB/CIFS service running |
| <00> | Workstation | Computer name (general service) |
| <03> | Messenger | Messenger/popup service |
| <1B> | Domain Master | Primary Domain Controller |
| <1C> | Domain Controllers | List of DCs in domain |
| <1D> | Master Browser | Network browse master |
| <1E> | Browser Election | Browser service |
| <1F> | NetDDE | Network DDE service |
Interpreting Results
# WORKSTATION1<20> = File Server (SMB enabled)
# WORKSTATION1<00> = Workstation service
# DOMAIN<1B> = Domain Master (Primary DC)
# DOMAIN<1C> = Domain Controllers
Integration with Other Tools
Combine with nmap
# Find open NetBIOS ports first
nmap -sU -p 137 192.168.1.0/24
# Then scan with nbtscan
nbtscan 192.168.1.0/24
Feed Results to Other Scanners
# Extract IPs from nbtscan
nbtscan 192.168.1.0/24 | awk '{print $1}' > ips.txt
# Use with nmap
nmap -iL ips.txt -sV
Samba Integration
# Use nmblookup for NetBIOS queries (Samba)
nmblookup -A 192.168.1.10
# Similar functionality to nbtscan
Wireshark Analysis
# Capture NetBIOS traffic
sudo tcpdump -i eth0 'port 137' -w netbios.pcap
# Analyze in Wireshark
wireshark netbios.pcap
Reconnaissance Workflow
Step 1: Discover Active Hosts
nbtscan 192.168.1.0/24 > active_hosts.txt
Step 2: Identify Domain Structure
nbtscan -v 192.168.1.0/24 | grep -i "domain"
# Identify domain name and controllers
Step 3: Find Logged-In Users
nbtscan 192.168.1.0/24 | grep -v "<unknown>" | awk '{print $3}'
# List active user accounts
Step 4: Enumerate Services
nbtscan -v 192.168.1.0/24 | grep -i "service"
# Find file servers, printers, etc.
Step 5: Follow-Up Enumeration
# For each discovered host, run deeper scans
nmap -sV -p 139,445 192.168.1.100
# Check SMB versions and services
Batch Operations
Scan Multiple Subnets
#!/bin/bash
for subnet in 192.168.{1..5}.0/24; do
    echo "Scanning $subnet..."
    nbtscan -t 1000 "$subnet" >> all_results.txt
done
Scan from List
# Create ranges.txt with IP ranges
192.168.1.0/24
192.168.2.0/24
10.0.0.0/25
# Scan all ranges listed in the file, one per line
while read -r range; do
    nbtscan "$range" >> output.txt
done < ranges.txt
Continuous Monitoring
# Periodic scan for changes; each run is written to its own timestamped file
while true; do
    nbtscan -s ',' 192.168.1.0/24 > "scan_$(date +%s).csv"
    sleep 3600  # Scan every hour
done
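The hourly snapshots above are only useful once two of them are compared. This added shell example (not part of the original cheat sheet) diffs two `-s ','` snapshots and reports new hosts, vanished hosts and changed logged-in users; it assumes the four-column IP,NETBIOS_NAME,USER,MAC_ADDRESS layout shown earlier, and the sample rows are constructed.

```shell
#!/bin/sh
# Compare two nbtscan snapshots written with -s ',' and report what changed.
# Assumed row layout (as shown in this cheat sheet): IP,NETBIOS_NAME,USER,MAC_ADDRESS

diff_scans() {
    # $1 = older snapshot, $2 = newer snapshot
    awk -F',' '
        FILENAME == ARGV[1] { old_name[$1] = $2; old_user[$1] = $3; next }
        {
            new_seen[$1] = 1
            if (!($1 in old_name))
                print "NEW " $1 " " $2 " user=" $3
            else if (old_user[$1] != $3)
                print "USER " $1 " " $2 " " old_user[$1] " -> " $3
        }
        END {
            for (ip in old_name)
                if (!(ip in new_seen)) print "GONE " ip " " old_name[ip]
        }
    ' "$1" "$2" | LC_ALL=C sort
}

# Constructed sample snapshots standing in for two hourly scan_<epoch>.csv files.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/old.csv" <<'EOF'
192.168.1.10,WORKSTATION1,DOMAIN\admin,aa:bb:cc:dd:ee:01
192.168.1.11,SERVER1,<unknown>,aa:bb:cc:dd:ee:02
192.168.1.12,PRINTER1,<unknown>,aa:bb:cc:dd:ee:03
EOF
    cat > "$tmp/new.csv" <<'EOF'
192.168.1.10,WORKSTATION1,DOMAIN\jsmith,aa:bb:cc:dd:ee:01
192.168.1.11,SERVER1,<unknown>,aa:bb:cc:dd:ee:02
192.168.1.20,LAPTOP7,DOMAIN\guest,aa:bb:cc:dd:ee:20
EOF
    diff_scans "$tmp/old.csv" "$tmp/new.csv"
    rm -rf "$tmp"
}

demo
```

On real data, pass the two most recent scan_*.csv files to diff_scans; a NEW line is a host that was not answering an hour earlier.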
Timeout Reference
| Scenario | Command | Notes |
|---|---|---|
| Fast LAN scan | nbtscan -t 500 192.168.1.0/24 | Low timeout, assumes fast network |
| Typical network | nbtscan 192.168.1.0/24 | Default 1000ms timeout |
| Slow/WAN network | nbtscan -t 2000 10.0.0.0/16 | Higher timeout for reliability |
| Large subnets | nbtscan -t 1500 10.0.0.0/8 | Balance speed and reliability |
| High packet loss | nbtscan -t 5000 172.16.0.0/12 | Very patient for unreliable networks |
Troubleshooting
| Issue | Solution |
|---|---|
| "No response" | Verify network connectivity, check firewall |
| Timeout errors | Increase timeout with -t option |
| Permission denied | Run with sudo for raw socket access |
| No results returned | Target may not support NetBIOS, try nmap |
| MAC address unknown | Some hosts don't respond to NetBIOS queries |
| Slow scans | Reduce timeout (-t 500) or scan smaller ranges |
Security Considerations
# nbtscan reveals sensitive information
# - Computer names
# - Domain names
# - Logged-in users
# - Service types
# Should be restricted network-side
Defense Against nbtscan
# Disable NetBIOS on systems not requiring it
# Restrict port 137/UDP at firewall
# Use NPS (Network Policy Server) for access control
# Disable unnecessary services
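The port-137 capture from the Wireshark Analysis section is also where a sweep shows up: one source querying the name service on many hosts in quick succession. This added detection example (not from the original page) reads `tcpdump -n port 137` text on stdin and reports sources that fan out past a threshold; the sample lines are constructed to mimic that output, and the function names and threshold are the example's own.

```shell
#!/bin/sh
# Flag sources that send NetBIOS name-service queries to many distinct hosts:
# the fan-out pattern an nbtscan sweep leaves in a 'port 137' capture.
# Reads tcpdump -n text on stdin; the sample lines below are constructed to match that format.

flag_nbt_sweeps() {
    # $1 = minimum number of distinct destinations before a source is reported
    awk -v threshold="$1" '
        / > [0-9.]+\.137: / {
            src = $3; sub(/\.[0-9]+$/, "", src)   # "192.168.1.50.45123" -> "192.168.1.50"
            dst = $5; sub(/\.137:$/, "", dst)     # "192.168.1.10.137:"  -> "192.168.1.10"
            if (!((src, dst) in seen)) { seen[src, dst] = 1; targets[src]++ }
        }
        END {
            for (s in targets)
                if (targets[s] >= threshold)
                    print s, "queried", targets[s], "hosts on 137/udp"
        }
    ' | LC_ALL=C sort
}

# Constructed capture: one host sweeping five neighbours (with a retransmit), one doing a single lookup.
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 192.168.1.50.45123 > 192.168.1.10.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
12:00:01.000002 IP 192.168.1.50.45123 > 192.168.1.11.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
12:00:01.000003 IP 192.168.1.50.45123 > 192.168.1.12.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
12:00:01.000004 IP 192.168.1.50.45123 > 192.168.1.13.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
12:00:01.000005 IP 192.168.1.50.45123 > 192.168.1.14.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
12:00:02.000006 IP 192.168.1.50.45123 > 192.168.1.10.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
12:00:03.000007 IP 192.168.1.10.137 > 192.168.1.50.45123: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
12:00:05.000008 IP 192.168.1.20.50001 > 192.168.1.10.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
EOF
}

# Live use: sudo tcpdump -n -l port 137 | flag_nbt_sweeps 10
sample_capture | flag_nbt_sweeps 3
```

Responses (destination port other than 137) and repeated queries to the same host are ignored, so a legitimate client that retries one lookup does not trip the threshold.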
Privacy in Results
# Results may contain:
# - Employee usernames
# - System names
# - Admin account identifiers
# Handle results securely and confidentially
Related Tools
| Tool | Use Case | Difference |
|---|---|---|
| nmblookup | Samba suite alternative | More features, slower |
| nmap | Comprehensive scanning | More detailed, larger scans |
| getent | Active Directory queries | Requires authentication |
| nbtstat (Windows) | Windows-native NetBIOS tool | Platform-specific |
| masscan | Ultra-fast port scanning | Uses different protocol |
Advanced Examples
Aggressive Enumeration
# Fast scan with verbose output and MAC addresses
nbtscan -v -m -t 800 192.168.1.0/24
Domain Discovery
# Find domain structure
nbtscan -v 192.168.0.0/16 | grep -E "Domain|1B|1C"
User Identification
# Extract unique users from scan
nbtscan 192.168.1.0/24 | awk '{print $3}' | sort | uniq -c
Service Mapping
# Identify services across network
nbtscan -v 192.168.1.0/24 | grep "Service"
Post-Scan Processing
# Save and analyze results
nbtscan -v 192.168.1.0/24 > raw_results.txt
grep "File Server" raw_results.txt | awk '{print $2}' > smb_hosts.txt
nmap -sV -p 445 -iL smb_hosts.txt