nbtscan(1)        scan networks searching for NetBIOS information        nbtscan(1)

nbtscan - scan networks for NetBIOS name information

nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q]
        [-s separator] [-h] [-m retransmits] [-f filename | target]

NBTscan is a program for scanning IP networks for NetBIOS name
information. It sends a NetBIOS status query to each address in the
supplied range and lists the received information in human-readable
form. For each host that responds, it lists the IP address, NetBIOS
computer name, logged-in user name and MAC address (such as Ethernet).

NBTscan produces a report like this:

IP address       NetBIOS Name     Server    User             MAC address
-----------------------------------------------------------------------
192.168.1.2      MYCOMPUTER                 JDOE             00-a0-c9-12-34-56
192.168.1.5      WIN98COMP        <server>  RROE             00-a0-c9-78-90-00
192.168.1.123    DPTSERVER        <server>  ADMINISTRATOR    08-00-09-12-34-56

The first column lists the IP address of the host that responded. The
second column is the computer name. The third column indicates whether
this computer shares or is able to share files or printers. For an NT
machine it means that the Server Service is running on this computer.
For Windows 95 it means that the "I want to be able to give others
access to my files" or "I want to be able to allow others to print on
my printer(s)" checkbox is ticked (in Control Panel/Network/File and
Print Sharing). Most often it means that this computer shares files.
The fourth column shows the user name. If no one is logged on from this
computer, it is the same as the computer name. The last column shows
the adapter MAC address.

If run with the -v switch, NBTscan lists the whole NetBIOS name table
for each address that responded. The output looks like this:

NetBIOS Name Table for Host 192.168.1.123:

Name             Service          Type
----------------------------------------
DPTSERVER        <00>             UNIQUE
DPTSERVER        <20>             UNIQUE
DEPARTMENT       <00>             GROUP
DEPARTMENT       <1c>             GROUP
DEPARTMENT       <1b>             UNIQUE
DEPARTMENT       <1e>             GROUP
DPTSERVER        <03>             UNIQUE
DEPARTMENT       <1d>             UNIQUE
??__MSBROWSE__?  <01>             GROUP
INet~Services    <1c>             GROUP
IS~DPTSERVER     <00>             UNIQUE
DPTSERVER        <01>             UNIQUE

Adapter address: 00-a0-c9-12-34-56
----------------------------------------

A summary of options is included below.

-v     Verbose output. Print all names received from each host.

-d     Dump packets. Print whole packet contents. Cannot be used with
       the -v, -s or -h options.

-e     Format output in /etc/hosts format.

-l     Format output in lmhosts format.

-t <timeout>
       Wait timeout seconds for response. Default 1.

-b <bandwidth>
       Output throttling. Slow down output so that it uses no more
       than bandwidth bps. Useful on slow links, so that outgoing
       queries don't get dropped.

-r     Use local port 137 for scans. Win95 boxes respond to this only.
       You need to be root to use this option.

-q     Suppress banners and error messages.

-s <separator>
       Script-friendly output. Don't print column and record headers;
       separate fields with separator.

-h     Print human-readable names for services. Can only be used with
       the -v option.

-m <retransmits>
       Number of retransmits. Default 0.

-f <filename>
       Take IP addresses to scan from file "filename".

target NBTscan is a command-line tool. You have to supply at least one
       argument, the address range, in one of three forms:

       xxx.xxx.xxx.xxx
              Single IP in dotted-decimal notation. Example:
              192.168.1.1

       xxx.xxx.xxx.xxx/xx
              Net address and subnet mask. Example: 192.168.1.0/24

       xxx.xxx.xxx.xxx-xxx
              Address range. Example: 192.168.1.1-127. This will scan
              all addresses from 192.168.1.1 to 192.168.1.127.

Scans the whole C-class network:

    nbtscan 192.168.1.0/24

Scans the whole C-class network, using port 137:

    nbtscan -r 192.168.1.0/24

Scans a range from 192.168.1.25 to 192.168.1.137:

    nbtscan 192.168.1.25-137

Scans a C-class network. Prints results in script-friendly format using
a colon as the field separator:

    nbtscan -v -s : 192.168.1.0/24

The last command produces output like this:

    192.168.0.1:NT_SERVER:00U
    192.168.0.1:MY_DOMAIN:00G
    192.168.0.1:ADMINISTRATOR:03U
    192.168.0.2:OTHER_BOX:00U
    ...

Scans IP addresses specified in the file iplist:

    nbtscan -f iplist

The NetBIOS Suffix, also known as the NetBIOS End Character (endchar),
indicates the service type for the registered name. The best-known
codes are listed below. (U = Unique Name, G = Group Name)

Name                Number(h)  Type  Usage
--------------------------------------------------------------------------
<computername>      00         U     Workstation Service
<computername>      01         U     Messenger Service
<\--__MSBROWSE__>   01         G     Master Browser
<computername>      03         U     Messenger Service
<computername>      06         U     RAS Server Service
<computername>      1F         U     NetDDE Service
<computername>      20         U     File Server Service
<computername>      21         U     RAS Client Service
<computername>      22         U     Exchange Interchange(MSMail Connector)
<computername>      23         U     Exchange Store
<computername>      24         U     Exchange Directory
<computername>      30         U     Modem Sharing Server Service
<computername>      31         U     Modem Sharing Client Service
<computername>      43         U     SMS Clients Remote Control
<computername>      44         U     SMS Administrators Remote Control Tool
<computername>      45         U     SMS Clients Remote Chat
<computername>      46         U     SMS Clients Remote Transfer
<computername>      87         U     Microsoft Exchange MTA
<computername>      6A         U     Microsoft Exchange IMC
<computername>      BE         U     Network Monitor Agent
<computername>      BF         U     Network Monitor Application
<username>          03         U     Messenger Service
<domain>            00         G     Domain Name
<domain>            1B         U     Domain Master Browser
<domain>            1C         G     Domain Controllers
<domain>            1D         U     Master Browser
<domain>            1E         G     Browser Service Elections
<INet~Services>     1C         G     IIS
<IS~computer name>  00         U     IIS

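The script-friendly records from "nbtscan -v -s :" can be joined with the suffix table above to produce a per-host service inventory, for example to audit which machines register the File Server Service. The following Python is an added example, not part of nbtscan or its manual page; the function names, the sample lines and the tolerance for space-padded names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# (suffix, type) -> usage; a subset of the suffix table above.
USAGE = {
    ("00", "U"): "Workstation Service",
    ("00", "G"): "Domain Name",
    ("03", "U"): "Messenger Service",
    ("20", "U"): "File Server Service",
    ("1B", "U"): "Domain Master Browser",
    ("1C", "G"): "Domain Controllers",
    ("1D", "U"): "Master Browser",
    ("1E", "G"): "Browser Service Elections",
}
CODE = re.compile(r"^([0-9A-Fa-f]{2})([UG])$")

# Constructed sample in the "nbtscan -v -s :" format; not real scan output.
SAMPLE = """\
192.168.0.1:NT_SERVER:00U
192.168.0.1:NT_SERVER:20U
192.168.0.1:MY_DOMAIN:1cG
192.168.0.1:INet~Services:1cG
192.168.0.1:ADMINISTRATOR:03U
192.168.0.2:OTHER_BOX      :00U
not a record
"""

def parse(text, sep=":"):
    """Return ({ip: [(name, suffix, type, usage)]}, [rejected lines])."""
    hosts, rejected = defaultdict(list), []
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            ip, rest = line.split(sep, 1)      # IP is the first field
            name, code = rest.rsplit(sep, 1)   # suffix+type is the last field
            ipaddress.ip_address(ip)           # raises ValueError if malformed
            suffix, kind = CODE.match(code.strip()).groups()
        except (ValueError, AttributeError):
            rejected.append(line)
            continue
        suffix, name = suffix.upper(), name.strip()
        usage = USAGE.get((suffix, kind), "unknown")
        if (suffix, kind) == ("1C", "G") and name == "INet~Services":
            usage = "IIS"                      # same code as Domain Controllers
        hosts[ip].append((name, suffix, kind, usage))
    return dict(hosts), rejected

def hosts_with(hosts, usage):
    """IPs that registered at least one name with the given usage."""
    return sorted(ip for ip, names in hosts.items()
                  if any(u == usage for *_, u in names))
```
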
1. NBTscan lists my Windows boxes just fine but does not list my
Unixes or routers. Why?

R: That is the way it is supposed to work. NBTscan uses NetBIOS for
scanning, and NetBIOS is only implemented by Windows (and some software
on Unix such as Samba).

2. Why do I get "Connection reset by peer" errors on Windows 2000?

R: NBTscan uses UDP port 137 for sending queries. If the port is closed
on the destination host, the destination will reply with an ICMP "Port
unreachable" message. Most operating systems will ignore this message.
Windows 2000 reports it to the application as a "Connection reset by
peer" error. Just ignore it.

3. Why doesn't NBTscan scan for shares? Are you going to add share
scanning to NBTscan?

R: No. NBTscan uses UDP for what it does. That makes it very fast.
Share scanning requires TCP. For one thing, it would make nbtscan
slower. Also, adding share scanning means adding a lot of new code to
nbtscan. There are a lot of good share scanners around, so there is no
reason to duplicate that work.

4. Why do I get 00-00-00-00-00-00 instead of a MAC address when I scan
a Samba box?

R: Because that's what Samba sends in response to the query. Nbtscan
just prints out what it gets.

NBTscan was created by Alla Bezroutchko <alla@inetcat.org>. It is
currently maintained by some volunteers at
https://github.com/resurrecting-open-source-projects/nbtscan

This manual page was first written by Ryszard Lach <rla@debian.org> and
rewritten, from scratch, by Joao Eriberto Mota Filho
<eriberto@debian.org> for the Debian GNU/Linux system (but may be used
by others).

nbtscan-1.7.2                      13 Jan 2022                      nbtscan(1)