Download NBTscan sources | Download NBTscan binaries for Win32 | Previous version | This page in Romanian (Translation by Iulian Benea)
NBTscan is a program for scanning IP networks for NetBIOS name information. It sends a NetBIOS status query to each address in the supplied range and lists the received information in human-readable form. For each host that responds it lists the IP address, NetBIOS computer name, logged-in user name and MAC address.
Version 1.5 is now available. See Change Log for changes since previous release.
NBTscan compiles and runs on Unix and Windows. I have tested it on Windows NT 4.0, Windows 2000, FreeBSD 4.3, OpenBSD 2.8 and RedHat Linux 7.1 and 7.3. It should also compile and run on Solaris and other Linuxes as well.
Steve Coleman (Steve (dot) Coleman (at) jhuapl (dot) edu) ported previous versions of NBTscan to Solaris, HP-UX and OSF/1 and fixed several bugs. He reports that NBTscan also runs on IRIX/SGI with minor problems. I was also told that NBTscan runs on AIX (Antonio Dell'elce) and SunOS 4.1.3_U1 (Joe Cline). Mohammad A. Haque (mhaque (at) haque (dot) net) ported nbtscan to Darwin.
This program is the successor of a Perl script with the same name and does essentially the same thing, only much faster. NBTscan produces a report like this:

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
192.168.1.2      MYCOMPUTER                 JDOE             00-a0-c9-12-34-56
192.168.1.5      WIN98COMP        <server>  RROE             00-a0-c9-78-90-00
192.168.1.123    DPTSERVER        <server>  ADMINISTRATOR    08-00-09-12-34-56
The first column lists the IP address of the host that responded. The second column is the computer name. The third column indicates whether this computer shares or is able to share files or printers. For an NT machine it means that the Server Service is running on this computer. For Windows 95 it means that the "I want to be able to give others access to my files" or "I want to be able to allow others to print on my printer(s)" checkbox is ticked (in Control Panel/Network/File and Print Sharing). Most often it means that this computer shares files. The fourth column shows the user name. If no one is logged on at this computer, it is the same as the computer name. The last column shows the adapter MAC address.
If run with the -v switch, NBTscan lists the whole NetBIOS name table for each address that responded. The output looks like this:
NetBIOS Name Table for Host 192.168.1.123:

Name             Service          Type
----------------------------------------
DPTSERVER        <00>             UNIQUE
DPTSERVER        <20>             UNIQUE
DEPARTMENT       <00>             GROUP
DEPARTMENT       <1c>             GROUP
DEPARTMENT       <1b>             UNIQUE
DEPARTMENT       <1e>             GROUP
DPTSERVER        <03>             UNIQUE
DEPARTMENT       <1d>             UNIQUE
??__MSBROWSE__?  <01>             GROUP
INet~Services    <1c>             GROUP
IS~DPTSERVER     <00>             UNIQUE
DPTSERVER        <01>             UNIQUE

Adapter address: 00-a0-c9-12-34-56
----------------------------------------
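The name table above is decoded from the NetBIOS node status response that each host returns. The parser below is an added example, not NBTscan's own code: it follows the RFC 1002 response layout, its function names are illustrative, and the sample packet is constructed from the header values, names and adapter address shown on this page.

```python
import struct

def decode_l1(encoded: bytes) -> bytes:
    """Undo NetBIOS first-level encoding: two letters 'A'..'P' per original byte."""
    return bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                 for i in range(0, len(encoded), 2))

def parse_node_status(pkt: bytes) -> dict:
    """Parse a node status (type 0x21) response; raise ValueError on malformed input."""
    if len(pkt) < 57:                       # 12 header + 34 name + 10 RR fields + count
        raise ValueError("truncated packet")
    tid, flags, _qd, an, _ns, _ar = struct.unpack(">6H", pkt[:12])
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a response with an answer")
    if pkt[12] != 0x20 or pkt[45] != 0x00:
        raise ValueError("unexpected name encoding")
    qname = decode_l1(pkt[13:45])
    rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[46:56])
    count = pkt[56]
    end = 57 + count * 18                   # each entry: 15-byte name, suffix, 2-byte flags
    if rtype != 0x21 or rdlen < 1 + count * 18 + 6 or len(pkt) < end + 6:
        raise ValueError("bad or truncated name table")
    names = []
    for off in range(57, end, 18):
        raw, nflags = struct.unpack(">16sH", pkt[off:off + 18])
        kind = "GROUP" if nflags & 0x8000 else "UNIQUE"
        names.append((raw[:15].decode("ascii", "replace").rstrip(), raw[15], kind))
    mac = "-".join(f"{b:02x}" for b in pkt[end:end + 6])   # first 6 statistics bytes
    return {"tid": tid, "qname": qname, "names": names, "mac": mac}

def build_sample() -> bytes:
    """Constructed response reusing the header values and names shown on this page."""
    table = [("DPTSERVER", 0x00, 0x0400), ("DPTSERVER", 0x20, 0x0400),
             ("DEPARTMENT", 0x00, 0x8400), ("DPTSERVER", 0x03, 0x0400),
             ("DPTSERVER", 0x01, 0x0400)]
    rdata = bytes([len(table)])
    for name, suffix, nflags in table:
        rdata += name.ljust(15).encode() + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += bytes.fromhex("00a0c9123456") + bytes(40)     # MAC + rest of statistics
    head = struct.pack(">6H", 0x02E9, 0x8400, 0, 1, 0, 0)
    rr = b"\x20" + b"CK" + b"A" * 30 + b"\x00" + struct.pack(">HHIH", 0x21, 1, 0, len(rdata))
    return head + rr + rdata

if __name__ == "__main__":
    info = parse_node_status(build_sample())
    for name, suffix, kind in info["names"]:
        print(f"{name:<15} <{suffix:02x}> {kind}")
    print("Adapter address:", info["mac"])
```

The length checks matter because the name count comes from the packet itself; a reply that claims more names than it carries is rejected instead of being read past its end.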
Download it from http://www.inetcat.org/software/nbtscan.html
Yes. Same as above.
That is the way it is supposed to work. NBTscan uses NetBIOS for scanning, and NetBIOS is only implemented by Windows (and by some software on Unix, such as Samba).
If you get errors compiling there is not much I can help you with. I don't have every possible version of every possible OS, so I wouldn't be able to reproduce your problem. Try to figure out what is going wrong, make a patch and send it to me. :)
If you get unexpected results running nbtscan and you think it is a bug, send me a bug report. Describe your environment (OS, version of nbtscan, how big the network you are scanning is, whether there are any firewalls on the way) and make a packet dump if possible. Comparing the results produced by nbtscan with the results of nbtstat -a (a Windows utility) also helps to find the problem. If you get the same results from nbtscan and nbtstat, this probably means that the problem is in the network setup, not in nbtscan.
No. I am too lazy to do translation. If you are willing to translate docs to Russian or any other language for that matter, you are more than welcome.
Just like any other program:
nbtscan 18.104.22.168 > filename
Works on both Unix and Windows.
Just like any other program:
nbtscan 22.214.171.124 | more
Works on both Unix and Windows.
Run nbtscan with "-s ," option (script-friendly output, use comma as a field separator) and open the resulting file in Excel.
NBTscan uses UDP port 137 for sending queries. If the port is closed on the destination host, the destination will reply with an ICMP "Port unreachable" message. Most operating systems will ignore this message. Windows 2000 reports it to the application as a "Connection reset by peer" error. Just ignore it.
Yes. There are a couple of different GUIs sent to me by different people at different times. Warning: I got this software at different times from different people. I didn't test it and I didn't read the source code. I don't know if it works and what it does when it works, so don't blame me if it does something completely awful to you or your computer. You have been warned.
No. NBTscan uses UDP for what it does. That makes it very fast. Share scanning requires TCP. For one thing, it would make nbtscan slower. Also, adding share scanning means adding a lot of new code to nbtscan. There are a lot of good share scanners around, so I see no reason to duplicate that work.
Because that's what Samba sends in response to the query. Nbtscan just prints out what it gets.
NBTscan is a command-line tool. You have to supply at least one argument - address range in one of three forms:
|xxx.xxx.xxx.xxx||Single IP in dotted-decimal notation. Example: 192.168.1.1.|
|xxx.xxx.xxx.xxx/xx||Net address and subnet mask. Example: 192.168.1.0/24|
|xxx.xxx.xxx.xxx-xxx||Address range. Example: 192.168.1.1-127. This will scan all addresses from 192.168.1.1 to 192.168.1.127.|
It also understands the following switches:
|-v||verbose output. Print all names received from each host||
>nbtscan -v 192.168.1.123
NetBIOS Name Table for Host 192.168.1.123:

Name             Service          Type
----------------------------------------
DPTSERVER        <00>             UNIQUE
DPTSERVER        <20>             UNIQUE
DEPARTMENT       <00>             GROUP
DPTSERVER        <03>             UNIQUE
DPTSERVER        <01>             UNIQUE

Adapter address: 00-a0-c9-12-34-56
----------------------------------------
|-d||dump packets. Print whole packet contents. Cannot be used with -v, -s or -h options.||
>nbtscan -d 192.168.1.123
Packet dump for Host 192.168.1.123:

Transaction ID: 0x02e9 (745)
Flags: 0x8400 (33792)
Question count: 0x0000 (0)
Answer count: 0x0001 (1)
Name service count: 0x0000 (0)
Additional record count: 0x0000 (0)
Question name: CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Question type: 0x0021 (33)
Question class: 0x0001 (1)
Time to live: 0x00000000 (0)
Rdata length: 0x0089 (137)
Number of names: 0x05 (5)
<skipped lots of data>
|-e||Format output in /etc/hosts format.|
> ./nbtscan -e 192.168.75.0/28
192.168.75.2    M3I4W6
192.168.75.3    BOCKSTAEL
192.168.75.4    PCROGER
192.168.75.6    R392900055
192.168.75.12   SONY
192.168.75.13   DSNRVTWF
192.168.75.14   G8F8N7
192.168.75.15   VAIO
|-l||Format output in lmhosts format.|
> ./nbtscan -l 192.168.75.0/28
192.168.75.2    M3I4W6      #PRE
192.168.75.3    BOCKSTAEL   #PRE
192.168.75.4    PCROGER     #PRE
192.168.75.6    R392900055  #PRE
192.168.75.12   SONY        #PRE
192.168.75.13   DSNRVTWF    #PRE
192.168.75.14   G8F8N7      #PRE
192.168.75.15   VAIO        #PRE
|-t timeout||wait timeout seconds for response. Default 1.||
>nbtscan -d 192.168.1.123 <output depends on other options>
|-b bandwidth||Output throttling. Slow down packet output so that it uses no more than bandwidth bps. Useful on slow links, so that outgoing queries don't get dropped.||
>nbtscan -b 28800 192.168.1.123 <output depends on other options>
|-r||use local port 137 for scans. Win95 boxes respond to this only. You need to be root to use this option on Unix.||
>nbtscan -r 192.168.1.123 <output depends on other options>
|-q||Suppress banners and error messages||
>nbtscan -q 192.168.1.123 <output depends on other options>
|-s separator||Script-friendly output. Don't print column and record headers, separate fields with separator.||
>nbtscan -s : 192.168.1.1-24
192.168.1.1:DIRDY-BIRDY    :<server>:JOED           :00-a0-c9-12-34-56
192.168.1.4:MIGHTY         :<server>:JPSMITH        :00-aa-00-78-90-12
192.168.1.5:BUGS-BUNNY     :<server>:OUR_ADMIN      :00-aa-00-34-56-78
192.168.1.19:DEFENDER       :<server>:PETERA         :00-60-b0-90-12-34
>nbtscan -s : -v 192.168.1.1
192.168.1.1:DIRDY-BIRDY    :00U
192.168.1.1:COMPANY__COM   :00G
192.168.1.1:DIRDY-BIRDY    :20U
192.168.1.1:DIRDY-BIRDY    :03U
192.168.1.1:COMPANY__COM   :1eG
192.168.1.1:JOED           :03U
192.168.1.1:MAC:00-a0-c9-12-34-56
|-h||Print human-readable names for services. Can only be used with -v option.||
>nbtscan -s : -h -v 192.168.1.1
192.168.1.1:DIRDY-BIRDY    :Workstation Service
192.168.1.1:COMPANY__COM   :Domain Name
192.168.1.1:DIRDY-BIRDY    :File Server Service
192.168.1.1:DIRDY-BIRDY    :Messenger Service
192.168.1.1:COMPANY__COM   :Browser Service Elections
192.168.1.1:JOED           :Messenger Service
192.168.1.1:MAC:00-a0-c9-12-34-56
|-m retransmits||Number of retransmits. Default 0.||
>nbtscan -m 2 192.168.1.123 <output depends on other options>
|-f filename||Take IP addresses to scan from file filename||
>nbtscan -f my_ips.txt <output depends on other options>
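The script-friendly records produced by -s together with -v can be folded back into one row per host, for example to list which machines on your own network register the File Server Service. This is an added example, not part of NBTscan; the function names are illustrative, the second sample host is constructed, and the rule for picking the user name is an assumption based on the sample output above.

```python
import re
from collections import defaultdict

# Sample `nbtscan -s : -v` records: first host from this page, second host constructed.
SAMPLE = """\
192.168.1.1:DIRDY-BIRDY    :00U
192.168.1.1:COMPANY__COM   :00G
192.168.1.1:DIRDY-BIRDY    :20U
192.168.1.1:DIRDY-BIRDY    :03U
192.168.1.1:COMPANY__COM   :1eG
192.168.1.1:JOED           :03U
192.168.1.1:MAC:00-a0-c9-12-34-56
192.168.1.9:KIOSK          :00U
192.168.1.9:KIOSK          :03U
192.168.1.9:MAC:00-a0-c9-00-00-09
"""

def parse_verbose(text, sep=":"):
    """Group script-friendly verbose records by host IP; skip lines that do not fit."""
    hosts = defaultdict(lambda: {"names": [], "mac": None})
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(sep, 2)]
        if len(parts) != 3:
            continue                      # banner, blank or malformed line
        ip, name, tail = parts
        m = re.fullmatch(r"([0-9a-fA-F]{2})([UG])", tail)
        if name == "MAC":
            hosts[ip]["mac"] = tail
        elif m:
            hosts[ip]["names"].append((name, int(m.group(1), 16), m.group(2)))
    return dict(hosts)

def summarize(host):
    """Rebuild the default report columns from one host's name table."""
    unique = [(n, s) for n, s, kind in host["names"] if kind == "U"]
    computer = next((n for n, s in unique if s == 0x00), None)
    # Assumption: the user is the <03> (Messenger Service) name that differs
    # from the computer name; with no such name, fall back to the computer name.
    user = next((n for n, s in unique if s == 0x03 and n != computer), computer)
    return {"computer": computer, "server": (computer, 0x20) in unique,
            "user": user, "mac": host["mac"]}

def file_sharing_hosts(text):
    """IPs whose name table registers <20>, the File Server Service."""
    return sorted(ip for ip, h in parse_verbose(text).items() if summarize(h)["server"])

if __name__ == "__main__":
    print(file_sharing_hosts(SAMPLE))
```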
NBTscan was first written in Perl. The Perl version is much slower than its C cousin and has fewer options, but it also has an advantage: on Windows, the Perl script is able to receive responses from Windows 95 sent to port 137. So if you really have to scan Windows 95 boxes from Windows, you can download and use the Perl NBTscan. There is also IpInfo (a Perl script too), which runs on both NT and Unix and gives some additional info (such as the DNS host name). It was created by Steve Coleman.
You can report bugs to the author (hey, that's me) alla (at) inetcat (dot) org. I am not promising to do anything about it, but I may well want to fix them. I shall also appreciate comments and suggestions. If you have somehow enhanced this program - send me a copy or a patch.