NBTScan. NetBIOS Name Network Scanner.

Download NBTscan sources | Download NBTscan binaries for Win32 | Previous version | This page in Romanian (Translation by Iulian Benea)


General Information

NBTscan is a program for scanning IP networks for NetBIOS name information. It sends NetBIOS status query to each address in supplied range and lists received information in human readable form. For each responded host it lists IP address, NetBIOS computer name, logged-in user name and MAC address.

Version 1.5 is now available. See Change Log for changes since previous release.

NBTscan compiles and runs on Unix and Windows. I have tested it on Windows NT 4.0, Windows 2000, FreeBSD 4.3, OpenBSD 2.8 and RedHat Linux 7.1 and 7.3. It should also compile and run on Solaris and other Linuxes as well.

Steve Coleman (Steve (dot) Coleman (at) jhuapl (dot) edu) ported previous versions of NBTscan to Solaris, HP-UX and OSF/1 and fixed several bugs. He reports that NBTscan also runs on IRIX/SGI with minor problems. I was also told that NBTscan runs on AIX (Antonio Dell'elce) and SunOS 4.1.3_U1 (Joe Cline). Mohammad A. Haque (mhaque (at) haque (dot) net) ported nbtscan to Darwin.

This program is a successor of a perl script with the same name and does essentially the same thing, being much faster though. NBTscan produces a report like that:


IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
192.168.1.2      MYCOMPUTER                 JDOE             00-a0-c9-12-34-56
192.168.1.5      WIN98COMP        <server>  RROE             00-a0-c9-78-90-00
192.168.1.123    DPTSERVER        <server>  ADMINISTRATOR    08-00-09-12-34-56

First column lists IP address of responded host. Second column is computer name. Third column indicates if this computer shares or is able to share files or printers. For NT machine it means that Server Service is running on this computer. For Windows 95 it means that "I want to be able to give others access to my files" or "I want to be able to allow others to print on my printer(s)" checkbox is ticked (in Control Panel/Network/File and Print Sharing). Most often it means that this computer shares files. Third column shows user name. If no one is logged on from this computer it is same as computer name. Last column shows adapter MAC address.

If run with -v switch NBTscan lists whole NetBIOS name table for each responded address. The output looks like that:


NetBIOS Name Table for Host 192.168.1.123:

Name             Service          Type
----------------------------------------
DPTSERVER        <00>             UNIQUE
DPTSERVER        <20>             UNIQUE
DEPARTMENT       <00>             GROUP
DEPARTMENT       <1c>             GROUP
DEPARTMENT       <1b>             UNIQUE
DEPARTMENT       <1e>             GROUP
DPTSERVER        <03>             UNIQUE
DEPARTMENT       <1d>             UNIQUE
??__MSBROWSE__?  <01>             GROUP
INet~Services    <1c>             GROUP
IS~DPTSERVER     <00>             UNIQUE
DPTSERVER        <01>             UNIQUE

Adapter address: 00-a0-c9-12-34-56
----------------------------------------
  

FAQ

Where can I get NBTscan?

Download it from http://www.inetcat.org/software/nbtscan.html

Is there source code available ?

Yes. Same as above.

NBTscan lists my Windows boxes just fine but does not list my unixes or routers. Why?

That is the way it is supposed to work. NBTscan uses NetBIOS for scanning and NetBIOS is only implemented by Windows (and some software on Unix such as Samba)

I get some error message on a certain operating system while compiling or running NBTscan. What can I do?

If you get errors compiling there is not much I can help you with. I don't have every possible version of every possible OS, so I wouldn't be able to reproduce your problem. Try to figure out what is going wrong, make a patch and send it to me. :)

If you get unexpected results running nbtscan and you think it is a bug, send me a bug report. Describe your environment (OS, version of nbtscan, how big the network you are scanning is, are there any firewalls on the way) and make a packet dump if possible. Comparing the results produced by nbtscan with results of nbtstat -a (Windows utility) also helps to find the problem. If you get same results from nbtscan and nbtstat, this probably means that the problem is in the network setup, not in nbtscan.

Are there any docs in Russian?

No. I am too lazy to do translation. If you are willing to translate docs to Russian or any other language for that matter, you are more than welcome.

How do I write NBTscan output into a file?

Just like any other program:

nbtscan 123.45.67.89 > filename

Works on both Unix and Windows.

How do I make NBTscan write its output one screen at a time?

Just like any other program:

 nbtscan 123.45.67.89 | more 

Works on both Unix and Windows.

How do I export NBTscan output into an Excel file?

Run nbtscan with "-s ," option (script-friendly output, use comma as a field separator) and open the resulting file in Excel.

Why do I get "Connection reset by peer" errors on Windows 2000?

NBTscan uses port 137 UDP for sending queries. If the port is closed on destination host destination will reply with ICMP "Port unreachable" message. Most operating system will ignore this message. Windows 2000 reports it to the application as "Connection reset by peer" error. Just ignore it.

Is there a GUI for nbtscan?

Yes. There are a couple of different GUIs sent to me by different people at different times. Warning: I got this software at different times from different people. I didn't test it and I didn't read the source code. I don't know if it works and what it does when it works, so don't blame me if it does something completely awfull to you or your computer. You have been warned.

Why nbtscan doesn't scan for shares? Are you going to add share scanning to nbtscan?

No. NBTscan uses UDP for what it does. That makes it very fast. Share scanning requires TCP. For one thing, it will make nbtscan more slow. Also adding share scanning means adding a lot of new code to nbtscan. There is a lot of good share scanners around, so I see no reason to duplicate that work.

Why do I get 00-00-00-00-00-00 instead of MAC address when I scan a Samba box?

Because that's what Samba send in response to the query. Nbtscan just prints out what it gets.

Usage

NBTscan is a command-line tool. You have to supply at least one argument - address range in one of three forms:

xxx.xxx.xxx.xxx Single IP in dotted-decimal notation. Example: 192.168.1.1.
xxx.xxx.xxx.xxx/xx Net address and subnet mask. Example: 192.168.1.0/24
xxx.xxx.xxx.xxx-xxx Address range. Example: 192.168.1.1-127. This will scan all addresses from 192.168.1.1 to 192.168.1.127.

It also understands the following switches:

>nbtscan -f my_ips.txt <output depends on other options>
Option Meaning Usage example
-v verbose output. Print all names received from each host
>nbtscan -v 192.168.1.123
NetBIOS Name Table for Host 192.168.1.123:

Name             Service          Type
----------------------------------------
DPTSERVER        <00>             UNIQUE
DPTSERVER        <20>             UNIQUE
DEPARTMENT       <00>             GROUP
DPTSERVER        <03>             UNIQUE
DPTSERVER        <01>             UNIQUE

Adapter address: 00-a0-c9-12-34-56
----------------------------------------
-d dump packets. Print whole packet contents. Cannot be used with -v, -s or -h options.
>nbtscan -d 192.168.1.123

Packet dump for Host 192.186.1.2:

Transaction ID: 0x02e9 (745)
Flags: 0x8400 (33792)
Question count: 0x0000 (0)
Answer count: 0x0001 (1)
Name service count: 0x0000 (0)
Additional record count: 0x0000 (0)
Question name:  CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Question type: 0x0021 (33)
Question class: 0x0001 (1)
Time to live: 0x00000000 (0)
Rdata length: 0x0089 (137)
Number of names: 0x05 (5)
<skipped lots of data>
       
-e Format output in /etc/hosts format.
> ./nbtscan -e 192.168.75.0/28
192.168.75.2    M3I4W6        
192.168.75.3    BOCKSTAEL     
192.168.75.4    PCROGER       
192.168.75.6    R392900055    
192.168.75.12   SONY          
192.168.75.13   DSNRVTWF      
192.168.75.14   G8F8N7        
192.168.75.15   VAIO          

    
-l Format output in lmhosts format.
> ./nbtscan -e 192.168.75.0/28
192.168.75.2    M3I4W6       #PRE 
192.168.75.3    BOCKSTAEL    #PRE 
192.168.75.4    PCROGER      #PRE 
192.168.75.6    R392900055   #PRE
192.168.75.12   SONY         #PRE 
192.168.75.13   DSNRVTWF     #PRE 
192.168.75.14   G8F8N7       #PRE
192.168.75.15   VAIO         #PRE 

    
-t timeout wait timeout seconds for response. Default 1.
>nbtscan -d 192.168.1.123
<output depends on other options>
      
-b bandwidth Output throttling. Slow down packet output so that it uses no more that bandwidth bps. Useful on slow links, so that ougoing queries don't get dropped.
>nbtscan -b 28800 192.168.1.123
<output depends on other options>
      
-r use local port 137 for scans. Win95 boxes respond to this only. You need to be root to use this option on Unix.
>nbtscan -r 192.168.1.123
<output depends on other options>
      
-q Suppress banners and error messages
>nbtscan -q 192.168.1.123
<output depends on other options>
      
-s separator Script-friendly output. Don't print column and record headers, separate fields with separator.
>nbtscan -s : 192.168.1.1-24
192.168.1.1:DIRDY-BIRDY   :<server>:JOED          :00-a0-c9-12-34-56
192.168.1.4:MIGHTY        :<server<:JPSMITH       :00-aa-00-78-90-12
192.168.1.5:BUGS-BUNNY    :<server<:OUR_ADMIN     :00-aa-00-34-56-78
192.168.1.19:DEFENDER      :<server<:PETERA       :00-60-b0-90-12-34

>nbtscan -s : -v 192.168.1.1
194.186.12.236:DIRDY-BIRDY    :00U
194.186.12.236:COMPANY__COM   :00G
194.186.12.236:DIRDY-BIRDY    :20U
194.186.12.236:DIRDY-BIRDY    :03U
194.186.12.236:COMPANY__COM   :1eG
194.186.12.236:JOED           :03U
194.186.12.236:MAC:00-a0-c9-12-34-56
      
-h Print human-readble names for services. Can only be used with -v option.
>nbtscan -s : -h -v 192.168.1.1
194.186.12.236:DIRDY-BIRDY    :Workstation Service
194.186.12.236:COMPANY__COM   :Domain Name
194.186.12.236:DIRDY-BIRDY    :File Server Service
194.186.12.236:DIRDY-BIRDY    :Messenger Service
194.186.12.236:COMPANY__COM   :Browser Service Elections
194.186.12.236:JOED           :Messenger Service
194.186.12.236:MAC:00-a0-c9-12-34-56
      
-m retransmits Number of retransmits. Default 0.
>nbtscan -m 2 192.168.1.123
<output depends on other options>
      
-f filename Take IP addresses to scan from file filename

Installation

Installing from Win32 binaries

  1. Download zip archive
  2. Unpack it
  3. Put nbtscan.exe and cygwin1.dll to directory in your PATH, such as winnt/system32
  4. That's all. Now you can run nbtscan from command prompt.

Installing from sources on Windows

  1. Download and install Cygwin from http://sources.redhat.com/cygwin/
  2. Start Cygwin shell and proceed from there as in Unix installation

Installing from sources under Unix

  1. Ungzip and untar sources
  2. Run ./configure script
  3. Run make and make install
  4. That's all.

Perl version of NBTscan

NBTscan was first written in Perl. It is much more slow then its C cousin, and has less options, but it has an advantage also: Windows Perl script is able to receive responses from Windows 95 sent to port 137. So if you really have to scan Windows 95 boxes from Windows you can download and use Perl NBTscan. There is also a IpInfo (Perl script too) which runs both on NT and Unix, and gives some additional info (such as DNS host name). It was created by Steve Coleman.

Reporting bugs, sending comments, etc.

You can report bugs to the author (hey, that's me) alla (at) inetcat (dot) org. I am not promising to do anything about it, but I may well want to fix them. I shall also appreciate comments and suggestions. If you have somehow enhanced this program - send me a copy or a patch.

ChangeLog

Version 1.5.1 - June 2003

Version 1.5 - May 2002

Version 1.0.3 - February 2002

Version 1.0.2 - March 30, 2000

Version 1.0.1 - May 5, 1999


Download NBTscan sources | Download NBTscan binaries for Win32 | Previous version