Category: Information Gathering | Tags: netbios, network scanning, smb enumeration, discovery, forensics

nbtscan

NBTscan scans IP networks for NetBIOS name information by sending status queries to each address in a supplied range. It lists IP address, NetBIOS computer name, logged-in user name, and MAC address for responding hosts.

Description

NBTscan is a program for scanning IP networks for NetBIOS name information. It sends a NetBIOS status query to each address in the supplied range and lists the received information in human-readable form. For each host that responds it lists the IP address, NetBIOS computer name, logged-in user name and MAC address (e.g. the Ethernet address).

This program is useful for security checks, network discovery and forensics investigations. It supports various output formats and options for verbose scanning, throttling, and script-friendly output.

The tool is particularly effective for enumerating SMB/NetBIOS services on Windows networks, supporting the reconnaissance and information-gathering phases of a penetration test.

How It Works

NBTscan sends a NetBIOS node status query (UDP port 137) to each IP address in the specified range or file. It waits for responses (default 1000 ms timeout) containing the host's NetBIOS name table, logged-in user name and MAC address, then parses and displays them. Options control the local source port (-r binds local port 137 and requires root), the number of retransmits, bandwidth throttling, and the output format, including /etc/hosts and lmhosts layouts.

Installation

    sudo apt install nbtscan

Flags

-v              Verbose output. Print all names received from each host.
-d              Dump packets. Print whole packet contents.
-e              Format output in /etc/hosts format.
-l              Format output in lmhosts format. Cannot be used with the -v, -s or -h options.
-t timeout      Wait timeout milliseconds for a response. Default 1000.
-b bandwidth    Output throttling. Slow down output so that it uses no more than bandwidth bps. Useful on slow links, so that outgoing queries don't get dropped.
-r              Use local port 137 for scans. Win95 boxes respond only to this. You need to be root to use this option on Unix.
-q              Suppress banners and error messages.
-s separator    Script-friendly output. Don't print column and record headers; separate fields with separator.
-h              Print human-readable names for services. Can only be used with the -v option.
-m retransmits  Number of retransmits. Default 0.
-f filename     Take IP addresses to scan from file filename. "-f -" makes nbtscan take IP addresses from stdin.
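To make concrete what the node status reply described under "How It Works" contains, and how it collapses into the name/user/server/MAC columns that nbtscan prints (with -v showing the full name table and -h labelling the name-type suffixes), here is an added Python parser run over a constructed reply. It is not nbtscan's code; the field layout follows RFC 1002 section 4.2.18, and the service labels and the "first unique 0x00 name is the host, unique 0x03 name is the user" rule are assumptions about how the tool derives its columns.

```python
import struct

# Service labels for common name-type suffixes (constructed subset, after RFC 1002 / nbtscan -h)
SUFFIXES = {0x00: "Workstation Service", 0x03: "Messenger Service",
            0x20: "File Server Service", 0x1B: "Domain Master Browser",
            0x1D: "Master Browser", 0x1E: "Browser Service Elections"}

def parse_node_status(pkt: bytes) -> dict:
    """Parse a NetBIOS node status (NBSTAT, type 0x21) response per RFC 1002 4.2.18."""
    txid, flags, _qd, ancount = struct.unpack("!HHHH", pkt[:8])
    if not flags & 0x8000 or ancount != 1:
        raise ValueError("not a node status response")
    off = 12                      # skip the 12-byte header
    while pkt[off]:               # skip the encoded question name (labels end with 0x00)
        off += 1 + pkt[off]
    off += 1
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    if rtype != 0x21 or rclass != 1 or len(pkt) < off + rdlen:
        raise ValueError("unexpected RR type/class or truncated RDATA")
    rdata, num, names = pkt[off:off + rdlen], pkt[off], []
    for i in range(num):          # NUM_NAMES entries of 18 bytes: name(15) suffix(1) flags(2)
        e = rdata[1 + 18 * i:19 + 18 * i]
        nflags = struct.unpack("!H", e[16:18])[0]
        names.append({"name": e[:15].decode("ascii", "replace").rstrip(), "suffix": e[15],
                      "group": bool(nflags & 0x8000), "service": SUFFIXES.get(e[15], "unknown")})
    mac = rdata[1 + 18 * num:7 + 18 * num]   # UNIT_ID field of the STATISTICS block
    return {"txid": txid, "names": names, "mac": "-".join(f"{b:02X}" for b in mac)}

def summarize(info: dict) -> dict:
    """Reduce the name table to the columns nbtscan prints: name, user, server flag, MAC."""
    uniq = [n for n in info["names"] if not n["group"]]
    host = next((n["name"] for n in uniq if n["suffix"] == 0x00), "")
    user = next((n["name"] for n in uniq if n["suffix"] == 0x03 and n["name"] != host), "")
    return {"name": host, "user": user,
            "server": any(n["suffix"] == 0x20 for n in uniq), "mac": info["mac"]}

def _entry(name: str, suffix: int, group: bool = False) -> bytes:
    return name.ljust(15).encode() + bytes([suffix]) + struct.pack("!H", 0x8400 if group else 0x0400)

# Constructed sample reply: 4 names plus a STATISTICS block whose first 6 bytes are the MAC
SAMPLE = (struct.pack("!HHHHHH", 0x1234, 0x8400, 0, 1, 0, 0)
          + b"\x20CK" + b"A" * 30 + b"\x00"          # first-level encoded "*" name
          + struct.pack("!HHIH", 0x21, 1, 0, 1 + 18 * 4 + 46)
          + bytes([4]) + _entry("WORKSTATION", 0x00) + _entry("WORKGROUP", 0x00, True)
          + _entry("ADMIN", 0x03) + _entry("WORKSTATION", 0x20)
          + bytes.fromhex("001122334455") + bytes(40))
```

Running summarize(parse_node_status(SAMPLE)) yields the same four facts nbtscan would print for that host, while parse_node_status alone is the -v view, including the group WORKGROUP entry.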

Examples

Scans the whole C-class network (the -r option requires root):
    nbtscan -r 192.168.1.0/24

Scans a range from 192.168.1.25 to 192.168.1.137:
    nbtscan 192.168.1.25-137

Scans a C-class network and prints results in script-friendly format, using a colon as the field separator:
    nbtscan -v -s : 192.168.1.0/24

Scans the IP addresses listed in the file iplist:
    nbtscan -f iplist

Scans a single IP address:
    nbtscan 192.168.1.1

Scans a C-class network with root privileges, using local port 137 and verbose output:
    nbtscan -r -v 192.168.1.0/24

Reads the IP addresses to scan from stdin:
    nbtscan -f -
Updated 2026-04-16. Source: kali.org