
nbtscan-unixwiz

nbtscan-unixwiz scans for open NETBIOS nameservers on local or remote TCP/IP networks to identify potential open shares. It operates like the Windows nbtstat tool but supports scanning address ranges.

Description

nbtscan-unixwiz is a command-line tool for discovering NETBIOS nameservers, providing a first step in identifying open network shares. It enumerates services such as Workstation Service, Messenger Service, File Server Service, Master Browser, Domain Name, and Browser Service Elections across target IP ranges or individual hosts.

Use cases include network reconnaissance during penetration testing, mapping Windows workgroups or domains, and detecting legacy systems exposing NETBIOS. The tool displays hostnames, workgroup names, and service types, helping identify sharing-enabled systems.

It is particularly useful for scanning class C subnets or specific address ranges without requiring inverse DNS lookups, making it efficient for large scans.

How It Works

nbtscan-unixwiz sends UDP queries to port 137 (NETBIOS Name Service) on each specified target IP and parses the full NBT resource record responses, including node types (UNIQUE/GROUP), service codes (e.g., <00> Workstation, <20> File Server), and optional MAC addresses. It accepts ranges in /nbits or octet-range notation, with a configurable timeout for hosts that do not respond and optional verbose debugging output.
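The response fields described above, as an added example (not code from nbtscan-unixwiz or from this page): a Python parser for an RFC 1002 node status response, run over a constructed packet. The host name, workgroup and MAC address in the sample are made up, and the suffix table holds the conventional Microsoft suffix assignments for only the services this page names.

```python
import struct

# (suffix, node type) -> service, limited to the services this page names.
SERVICES = {(0x00, "UNIQUE"): "Workstation Service", (0x00, "GROUP"): "Domain Name",
            (0x03, "UNIQUE"): "Messenger Service", (0x20, "UNIQUE"): "File Server Service",
            (0x1D, "UNIQUE"): "Master Browser", (0x1E, "GROUP"): "Browser Service Elections"}

def parse_node_status(pkt: bytes) -> dict:
    """Parse an RFC 1002 node status response (a reply from UDP port 137)."""
    if len(pkt) < 12 or not pkt[2] & 0x80:
        raise ValueError("not a name service response")
    off = 12
    while off < len(pkt) and pkt[off]:  # skip the labels of the encoded RR_NAME
        if pkt[off] & 0xC0:
            raise ValueError("compressed names are not handled here")
        off += 1 + pkt[off]
    off += 1  # zero byte that ends the name
    if off + 10 > len(pkt):
        raise ValueError("truncated record header")
    rr_type, _cls, _ttl, rdlen = struct.unpack_from(">HHIH", pkt, off)
    rdata = pkt[off + 10: off + 10 + rdlen]
    if rr_type != 0x0021 or len(rdata) != rdlen or not rdata:
        raise ValueError("not a complete NBSTAT record")
    count = rdata[0]
    if len(rdata) < 1 + 18 * count:
        raise ValueError("name table longer than the record data")
    names = []
    for i in range(count):  # 15-byte padded name, 1-byte suffix, 2-byte flags
        entry = rdata[1 + 18 * i: 19 + 18 * i]
        kind = "GROUP" if entry[16] & 0x80 else "UNIQUE"  # G bit of NAME_FLAGS
        names.append({"name": entry[:15].decode("ascii", "replace").rstrip(),
                      "suffix": entry[15], "type": kind,
                      "service": SERVICES.get((entry[15], kind), "unknown")})
    unit_id = rdata[1 + 18 * count: 7 + 18 * count]  # MAC address, when present
    mac = unit_id.hex(":") if len(unit_id) == 6 else None
    return {"names": names, "mac": mac,
            "file_server": any(n["suffix"] == 0x20 for n in names)}

def sample_response() -> bytes:
    """Constructed reply (not a capture): one host, three names, made-up MAC."""
    table = [(b"FILESRV01", 0x00, 0x0400), (b"WORKGROUP", 0x00, 0x8400),
             (b"FILESRV01", 0x20, 0x0400)]
    rdata = bytes([len(table)]) + b"".join(
        n.ljust(15) + bytes([s]) + struct.pack(">H", f) for n, s, f in table)
    rdata += bytes.fromhex("020000aabbcc") + bytes(40)  # unit ID + zeroed stats
    return (struct.pack(">6H", 0x1234, 0x8400, 0, 1, 0, 0)
            + bytes([32]) + b"CK" + b"A" * 30 + b"\x00"  # encoded wildcard name
            + struct.pack(">HHIH", 0x0021, 1, 0, len(rdata)) + rdata)
```

The `file_server` flag marks a host that registers the <20> suffix, which is the signal the page describes for identifying sharing-enabled systems.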

Installation

sudo apt install nbtscan-unixwiz

Flags

-n        No looking up inverse names of IP addresses responding
-f        show Full NBT resource record responses (recommended)
-V        show Version information
-H        generate HTTP headers
-v        turn on more Verbose debugging
-p <n>    bind to UDP Port <n> (default=0)
-m        include MAC address in response (implied by '-f')
-T <n>    Timeout the no-responses in <n> seconds (default=2 secs)

Examples

Scan a range of IP addresses (192.168.0.100-110) without doing inverse name lookups
nbtscan-unixwiz -n 192.168.0.100-110

Scan a single IP address (192.168.0.38) and show Full NBT resource record responses
nbtscan-unixwiz -f 192.168.0.38

Scan a range of IP addresses (192.168.0.100-110) with default inverse name lookups
nbtscan-unixwiz 192.168.0.100-110

Scan a subnet using /nbits notation (192.168.12.0/24)
nbtscan-unixwiz 192.168.12.0/24

Scan a range in the last octet (192.168.12.64-97)
nbtscan-unixwiz 192.168.12.64-97

Scan single host with full records and MAC address
nbtscan-unixwiz -f -m 192.168.0.38

Scan range with verbose debugging output
nbtscan-unixwiz -v 192.168.0.100-110

Updated 2026-04-16 | kali.org