NBTscan
NBTscan is a command-line tool used for scanning networks to obtain NetBIOS shares and name information. It runs on both Unix and Windows and ships with Kali Linux by default.
The first thing we can do is print the help, which gives us all the usage options and some examples for scanning networks. Simply type nbtscan at the prompt with no arguments.
nbtscan
NBTscan version 1.5.1. Copyright (C) 1999-2003 Alla Bezroutchko.
This is a free software and it comes with absolutely no warranty.
You can use, distribute and modify it under terms of GNU GPL.

Usage:
nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename)|(<scan_range>)
    -v              verbose output. Print all names received
                    from each host
    -d              dump packets. Print whole packet contents.
    -e              Format output in /etc/hosts format.
    -l              Format output in lmhosts format.
                    Cannot be used with -v, -s or -h options.
    -t timeout      wait timeout milliseconds for response.
                    Default 1000.
    -b bandwidth    Output throttling. Slow down output
                    so that it uses no more that bandwidth bps.
                    Useful on slow links, so that ougoing queries
                    don't get dropped.
    -r              use local port 137 for scans. Win95 boxes
                    respond to this only.
                    You need to be root to use this option on Unix.
    -q              Suppress banners and error messages,
    -s separator    Script-friendly output. Don't print
                    column and record headers, separate fields with separator.
    -h              Print human-readable names for services.
                    Can only be used with -v option.
    -m retransmits  Number of retransmits. Default 0.
    -f filename     Take IP addresses to scan from file filename.
                    -f - makes nbtscan take IP addresses from stdin.
    <scan_range>    what to scan. Can either be single IP
                    like 192.168.1.1 or
                    range of addresses in one of two forms:
                    xxx.xxx.xxx.xxx/xx or xxx.xxx.xxx.xxx-xxx.
Examples:
    nbtscan -r 192.168.1.0/24
        Scans the whole C-class network.
    nbtscan 192.168.1.25-137
        Scans a range from 192.168.1.25 to 192.168.1.137
    nbtscan -v -s : 192.168.1.0/24
        Scans C-class network. Prints results in script-friendly
        format using colon as field separator.
        Produces output like that:
            192.168.0.1:NT_SERVER:00U
            192.168.0.1:MY_DOMAIN:00G
            192.168.0.1:ADMINISTRATOR:03U
            192.168.0.2:OTHER_BOX:00U
            ...
    nbtscan -f iplist
        Scans IP addresses specified in file iplist.
The most basic way to run this tool is to give it an IP address or a range of addresses. In this case there is only one machine on the network, so I will give its IP address as an example.
nbtscan 172.16.1.102
Doing NBT name scan for addresses from 172.16.1.102

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
172.16.1.102     METASPLOITABLE   <server>  METASPLOITABLE   00:00:00:00:00:00
Here we can see the IP address, the NetBIOS name, the server marker if the host registered a server service, the user, and the MAC address of the target. Note that machines running Samba will sometimes return all zeros as the MAC address in response to the query.
We can get a little more information by enabling verbose output with the -v flag.
nbtscan 172.16.1.102 -v
Doing NBT name scan for addresses from 172.16.1.102

NetBIOS Name Table for Host 172.16.1.102:

Incomplete packet, 335 bytes long.
Name             Service          Type
----------------------------------------
METASPLOITABLE   <00>             UNIQUE
METASPLOITABLE   <03>             UNIQUE
METASPLOITABLE   <20>             UNIQUE
METASPLOITABLE   <00>             UNIQUE
METASPLOITABLE   <03>             UNIQUE
METASPLOITABLE   <20>             UNIQUE
__MSBROWSE__     <01>             GROUP
WORKGROUP        <00>             GROUP
WORKGROUP        <1d>             UNIQUE
WORKGROUP        <1e>             GROUP
WORKGROUP        <00>             GROUP
WORKGROUP        <1d>             UNIQUE
WORKGROUP        <1e>             GROUP

Adapter address: 00:00:00:00:00:00
----------------------------------------
Now we can see the registered names with their service suffix (the hex code in angle brackets) and whether each is a UNIQUE or GROUP name. The raw suffix codes are hard to read, which brings us to the next option: -h prints the services in human-readable form. It only works together with -v, so use both flags.
nbtscan 172.16.1.102 -vh
Doing NBT name scan for addresses from 172.16.1.102

NetBIOS Name Table for Host 172.16.1.102:

Incomplete packet, 335 bytes long.
Name             Service Type
----------------------------------------
METASPLOITABLE   Workstation Service
METASPLOITABLE   Messenger Service
METASPLOITABLE   File Server Service
METASPLOITABLE   Workstation Service
METASPLOITABLE   Messenger Service
METASPLOITABLE   File Server Service
__MSBROWSE__     Master Browser
WORKGROUP        Domain Name
WORKGROUP        Master Browser
WORKGROUP        Browser Service Elections
WORKGROUP        Domain Name
WORKGROUP        Master Browser
WORKGROUP        Browser Service Elections

Adapter address: 00:00:00:00:00:00
----------------------------------------
Now we can see a bit more information that might prove useful: the host runs the Workstation, Messenger and File Server services, and the WORKGROUP names show it takes part in browser elections. We can also set the -d flag to dump the contents of the entire packet.
nbtscan 172.16.1.102 -d
Doing NBT name scan for addresses from 172.16.1.102

Packet dump for Host 172.16.1.102:

Incomplete packet, 335 bytes long.
Transaction ID: 0x00a0 (160)
Flags: 0x8400 (33792)
Question count: 0x0000 (0)
Answer count: 0x0001 (1)
Name service count: 0x0000 (0)
Additional record count: 0x0000 (0)
Question name: CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Question type: 0x0021 (33)
Question class: 0x0001 (1)
Time to live: 0x00000000 (0)
Rdata length: 0x0119 (281)
Number of names: 0x0d (13)
Names received:
METASPLOITABLE   Service: 0x00 Flags: 0x0004
METASPLOITABLE   Service: 0x03 Flags: 0x0004
METASPLOITABLE   Service: 0x20 Flags: 0x0004
METASPLOITABLE   Service: 0x00 Flags: 0x0004
METASPLOITABLE   Service: 0x03 Flags: 0x0004
METASPLOITABLE   Service: 0x20 Flags: 0x0004
__MSBROWSE__     Service: 0x01 Flags: 0x0084
WORKGROUP        Service: 0x00 Flags: 0x0084
WORKGROUP        Service: 0x1d Flags: 0x0004
WORKGROUP        Service: 0x1e Flags: 0x0084
WORKGROUP        Service: 0x00 Flags: 0x0084
WORKGROUP        Service: 0x1d Flags: 0x0004
WORKGROUP        Service: 0x1e Flags: 0x0084
...
This shows the raw fields of the NetBIOS name service packet exchanged in the query: the transaction ID, header flags, the encoded query name (CKAAAA... is the wildcard name "*" in NetBIOS first-level encoding), the NBSTAT record type 0x0021, and for each returned name its service suffix and name flags. Note that -d cannot be combined with the -v or -h options.
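As an added example that is not from the original article or from nbtscan itself, the following Python parses a NODE STATUS RESPONSE of the kind the -d dump shows, decodes the first-level-encoded query name, and maps each name's suffix and group bit to the service names -h prints. The sample packet is constructed here; its name flags are in RFC 1002 wire order (0x0400 unique+active, 0x8400 group+active), which nbtscan's dump prints with the two bytes swapped as 0x0004 and 0x0084.

```python
import struct

# Suffix -> service name as nbtscan -h prints it. The same suffix means different things
# for unique (U) and group (G) names: <00> is a host's Workstation Service but a workgroup's Domain Name.
SERVICES = {
    (0x00, "U"): "Workstation Service", (0x00, "G"): "Domain Name",
    (0x03, "U"): "Messenger Service", (0x20, "U"): "File Server Service",
    (0x01, "G"): "Master Browser", (0x1d, "U"): "Master Browser",
    (0x1e, "G"): "Browser Service Elections",
}

def encode_nb_name(raw16):
    """RFC 1001 first-level encoding: every nibble becomes 'A' + nibble, which is why
    the 16-byte wildcard name b'*' + 15 NULs appears as 'CKAAAA...' in the dump."""
    return bytes(b for c in raw16 for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))

def decode_nb_name(enc):
    return bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, len(enc), 2))

def parse_nbstat_response(pkt):
    """Parse a NODE STATUS RESPONSE (RFC 1002 4.2.18) into its name table."""
    tid, flags, qd, an, ns, ar = struct.unpack_from(">6H", pkt, 0)
    if not flags & 0x8000 or an != 1:
        raise ValueError("not a NetBIOS response carrying exactly one answer")
    qname = decode_nb_name(pkt[13:13 + pkt[12]])[:15].rstrip(b"\x00").decode("latin-1")
    off = 14 + pkt[12]                          # past the length byte, label and root label
    rr_type, rr_class, ttl, rdlen = struct.unpack_from(">HHIH", pkt, off)
    if rr_type != 0x0021:                       # 0x21 = NBSTAT
        raise ValueError("answer is not an NBSTAT record")
    count, off, names = pkt[off + 10], off + 11, []
    for _ in range(count):                      # each NODE_NAME entry is 18 bytes
        name, suffix = pkt[off:off + 15].rstrip(b" ").decode("latin-1"), pkt[off + 15]
        nflags = struct.unpack_from(">H", pkt, off + 16)[0]
        kind = "G" if nflags & 0x8000 else "U"  # G bit (0x8000 in wire order) marks a group name
        names.append((name, suffix, kind, SERVICES.get((suffix, kind), "unknown"),
                      bool(nflags & 0x0400)))   # ACT bit: the name is active
        off += 18
    mac = ":".join(f"{b:02x}" for b in pkt[off:off + 6])  # statistics UNIT_ID = adapter address
    return {"tid": tid, "query_name": qname, "names": names, "mac": mac}

# Constructed sample response modelled on the dump above (tid 0x00a0, flags 0x8400, one NBSTAT
# answer) with the seven distinct Metasploitable names; name flags are in wire order.
TABLE = [("METASPLOITABLE", 0x00, 0x0400), ("METASPLOITABLE", 0x03, 0x0400),
         ("METASPLOITABLE", 0x20, 0x0400), ("\x01\x02__MSBROWSE__\x02", 0x01, 0x8400),
         ("WORKGROUP", 0x00, 0x8400), ("WORKGROUP", 0x1d, 0x0400), ("WORKGROUP", 0x1e, 0x8400)]
RDATA = bytes([len(TABLE)]) + b"".join(n.encode("latin-1").ljust(15, b" ") + bytes([s])
              + struct.pack(">H", f) for n, s, f in TABLE) + bytes(46)  # zeroed statistics block
SAMPLE = (struct.pack(">6H", 0x00A0, 0x8400, 0, 1, 0, 0) + b"\x20" + encode_nb_name(b"*" + bytes(15))
          + b"\x00" + struct.pack(">HHIH", 0x0021, 0x0001, 0, len(RDATA)) + RDATA)
```

Running parse_nbstat_response(SAMPLE) yields the same seven name/service pairs the -vh table shows, with an all-zero adapter address like the Samba host above.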
If you have a list of IP addresses you wish to scan stored in a file, the -f flag specifies the input file to read from. Again, there is only one machine on this network, so only that one shows up in the scan.
nbtscan -f addresses.txt
Doing NBT name scan for addresses from addresses.txt

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
172.16.1.102     METASPLOITABLE   <server>  METASPLOITABLE   00:00:00:00:00:00
Conversely, if we want to store the output of any scan, we simply redirect it to a file with the shell's > operator.
nbtscan 172.16.1.102 > scan.txt
Scanning with the Nmap Scripting Engine
Nmap contains a handy little script, nbstat, as part of the Nmap Scripting Engine that we can also use to discover NetBIOS shares. This has the advantage that it can be run together with other NSE scripts, ultimately saving time when enumerating many different things on a network.
We run Nmap in the usual way, and the nbstat script runs as a host script at the end. Here I am using the -sV option to probe open ports for running services and their versions, along with the -v flag for verbose output. Specify the script with --script and we are good to go.
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-14 14:12 CST
NSE: Loaded 44 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:12
Completed NSE at 14:12, 0.00s elapsed
Initiating NSE at 14:12
Completed NSE at 14:12, 0.00s elapsed
Initiating ARP Ping Scan at 14:12
Scanning 172.16.1.102 [1 port]
Completed ARP Ping Scan at 14:12, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:12
Completed Parallel DNS resolution of 1 host. at 14:12, 13.00s elapsed
Initiating SYN Stealth Scan at 14:12
Scanning 172.16.1.102 [1000 ports]
...
Host script results:
| nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   METASPLOITABLE<00>            Flags: <unique><active>
|   METASPLOITABLE<03>            Flags: <unique><active>
|   METASPLOITABLE<20>            Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>                 Flags: <group><active>
|   WORKGROUP<1d>                 Flags: <unique><active>
|_  WORKGROUP<1e>                 Flags: <group><active>
Nmap starts and runs its usual scanning, and near the end we finally see the host script results. These are similar to the nbtscan -v output we saw earlier (the same names, suffixes and unique/group flags), but it never hurts to know different ways to accomplish the same task.