Suan's Computer Lab

2 Articles, Search for 'Security'

  1. 2009/01/21 Foundstone Free Tools
  2. 2007/07/18 NBTScan. NetBIOS Name Network Scanner. (2)
Security | 2009/01/21 15:24

Foundstone Free Tools

http://www.foundstone.com/

Assessment Utilities
FSCrack™ v1.0.1
Fpipe™ v2.1
CredDigger™ v2.1

Forensic Tools
PatchIt™ v2.0
DumpAutoComplete v0.7
Galleta v1.0
BinText
Vision™ v1.0
Pasco v1.0
Forensic Toolkit™ v2.0
NTLast™ v3.0
ShoWin™ v2.0
Rifiuti v1.0

Foundstone SASS Tools
CookieDigger™ v1.0
Hacme Travel™ v1.0
Hacme Bank™ v2.0
HackPack™ v1.0
SecureUML Template v1.0
SiteDigger™ v2.0
SiteScope v1.0
SSLDigger™ v1.02
Hacme Shipping™ v1.0
CodeScout™ v1.0
Validator.NET™ v1.0
Hacme Casino™ v1.0
WSDigger™ v1.0
Hacme Books™ v2.0
Socket Security Auditor v1.0 (NEW!!)
.NET Security Toolkit v1.0
.NETMon™ v1.0

Intrusion Detection Tools
Carbonite™ v1.0
Fport™ v2.0
Attacker™ v3.0
FileWatch™ v1.0
IPv4Trace v1.0

Scanning Tools
RPCScan v2.03
DSScan v1.0
MS05-051 Scan v1.0
SQLScan v1.0
MessengerScan v1.05
BOPing™ v2.0
NetSchedScan v1.0
SuperScan™ v4.0
MydoomScanner v1.0
DDosPing™ v2.0
Trout™ v2.0
MS05-039 Scan v1.0
CIScan v1.0
ScanLine™ v1.01
DIRE™ v1.0 (NEW!!)
SNScan™ v1.05

Stress Testing Tools
Blast™ v2.0
FSMax™ v2.0
UDPFlood™ v2.0

Posted by webdizen
Tags Assessment, Detection, Forensic, Foundstone, Intrusion, Network, SASS, Scanning, Security, Testing

Security/Scanning | 2007/07/18 13:55

NBTScan. NetBIOS Name Network Scanner.

General Information

NBTscan is a program for scanning IP networks for NetBIOS name information. It sends a NetBIOS status query to each address in the supplied range and lists the received information in human-readable form. For each host that responds, it lists the IP address, NetBIOS computer name, logged-in user name and MAC address.

Version 1.5 is now available. See Change Log for changes since previous release.

NBTscan compiles and runs on Unix and Windows. I have tested it on Windows NT 4.0, Windows 2000, FreeBSD 4.3, OpenBSD 2.8 and RedHat Linux 7.1 and 7.3. It should also compile and run on Solaris and other Linuxes as well.

Steve Coleman (Steve (dot) Coleman (at) jhuapl (dot) edu) ported previous versions of NBTscan to Solaris, HP-UX and OSF/1 and fixed several bugs. He reports that NBTscan also runs on IRIX/SGI with minor problems. I was also told that NBTscan runs on AIX (Antonio Dell'elce) and SunOS 4.1.3_U1 (Joe Cline). Mohammad A. Haque (mhaque (at) haque (dot) net) ported nbtscan to Darwin.

This program is a successor to a Perl script with the same name and does essentially the same thing, only much faster. NBTscan produces a report like this:

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
192.168.1.2      MYCOMPUTER                 JDOE             00-a0-c9-12-34-56
192.168.1.5      WIN98COMP        <server>  RROE             00-a0-c9-78-90-00
192.168.1.123    DPTSERVER        <server>  ADMINISTRATOR    08-00-09-12-34-56

The first column lists the IP address of the host that responded. The second column is the computer name. The third column indicates whether this computer shares or is able to share files or printers. For an NT machine it means that the Server Service is running on this computer. For Windows 95 it means that the "I want to be able to give others access to my files" or "I want to be able to allow others to print on my printer(s)" checkbox is ticked (in Control Panel/Network/File and Print Sharing). Most often it means that this computer shares files. The fourth column shows the user name. If no one is logged on from this computer, it is the same as the computer name. The last column shows the adapter MAC address.

If run with the -v switch, NBTscan lists the whole NetBIOS name table for each address that responded. The output looks like this:

NetBIOS Name Table for Host 192.168.1.123:

Name             Service          Type
----------------------------------------
DPTSERVER        <00>             UNIQUE
DPTSERVER        <20>             UNIQUE
DEPARTMENT       <00>             GROUP
DEPARTMENT       <1c>             GROUP
DEPARTMENT       <1b>             UNIQUE
DEPARTMENT       <1e>             GROUP
DPTSERVER        <03>             UNIQUE
DEPARTMENT       <1d>             UNIQUE
??__MSBROWSE__?  <01>             GROUP
INet~Services    <1c>             GROUP
IS~DPTSERVER     <00>             UNIQUE
DPTSERVER        <01>             UNIQUE

Adapter address: 00-a0-c9-12-34-56
----------------------------------------

FAQ

Where can I get NBTscan?

Download it from http://www.inetcat.net/software/nbtscan.html . I used to have inetcat.org domain but it was grabbed by cybersquatters, so I had to move to inetcat.net.

Is there source code available?

Yes. Same as above.

NBTscan lists my Windows boxes just fine but does not list my unixes or routers. Why?

That is the way it is supposed to work. NBTscan uses NetBIOS for scanning, and NetBIOS is only implemented by Windows (and by some software on Unix, such as Samba).

I get some error message on a certain operating system while compiling or running NBTscan. What can I do?

If you get errors compiling there is not much I can help you with. I don't have every possible version of every possible OS, so I wouldn't be able to reproduce your problem. Try to figure out what is going wrong, make a patch and send it to me. :)

If you get unexpected results running nbtscan and you think it is a bug, send me a bug report. Describe your environment (OS, version of nbtscan, how big the network you are scanning is, whether there are any firewalls on the way) and make a packet dump if possible. Comparing the results produced by nbtscan with the results of nbtstat -a (a Windows utility) also helps to find the problem. If you get the same results from nbtscan and nbtstat, this probably means that the problem is in the network setup, not in nbtscan.

Are there any docs in Russian?

No. I am too lazy to do translation. If you are willing to translate docs to Russian or any other language for that matter, you are more than welcome.

How do I write NBTscan output into a file?

Just like any other program:

nbtscan 123.45.67.89 > filename

Works on both Unix and Windows.

How do I make NBTscan write its output one screen at a time?

Just like any other program:

 nbtscan 123.45.67.89 | more 

Works on both Unix and Windows.

How do I export NBTscan output into an Excel file?

Run nbtscan with "-s ," option (script-friendly output, use comma as a field separator) and open the resulting file in Excel.

Why do I get "Connection reset by peer" errors on Windows 2000?

NBTscan uses UDP port 137 for sending queries. If the port is closed on the destination host, the destination will reply with an ICMP "Port unreachable" message. Most operating systems will ignore this message. Windows 2000 reports it to the application as a "Connection reset by peer" error. Just ignore it.
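The queries described above can be recognised on the wire: the -d packet dump later on this page shows the question name CKAAAA... with question type 0x0021. The following Python is an added example, not part of NBTscan or the original page; it decodes that name and counts, per source, how many distinct hosts received such a wildcard status query. The packet tuples, addresses, helper names and threshold are constructed assumptions.

```python
import struct
from collections import defaultdict

NBSTAT, CLASS_IN = 0x0021, 0x0001          # question type/class from the -d dump
WILDCARD = b"*" + b"\x00" * 15             # the name that CKAAAA... decodes to

def decode_nb_name(encoded: bytes) -> bytes:
    """Undo NetBIOS first-level encoding: every byte of the 16-byte name is
    split into two nibbles, each sent as the letter 'A' + nibble."""
    if len(encoded) != 32 or not all(0x41 <= b <= 0x50 for b in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                 for i in range(0, 32, 2))

def is_wildcard_status_query(payload: bytes) -> bool:
    """True for a UDP/137 payload that is a node status query for '*'."""
    if len(payload) < 50:                  # 12 header + 34 name + 4 type/class
        return False
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount != 1:     # 0x8000 set = response (dump shows 0x8400)
        return False
    if payload[12] != 0x20 or payload[45] != 0x00:
        return False
    try:
        name = decode_nb_name(payload[13:45])
    except ValueError:
        return False
    return name == WILDCARD and struct.unpack("!HH", payload[46:50]) == (NBSTAT, CLASS_IN)

def sweep_sources(packets, threshold=3):
    """packets: (src_ip, dst_ip, udp_payload) tuples seen on UDP/137.
    Returns {src: distinct hosts queried} for sources at or above threshold."""
    targets = defaultdict(set)
    for src, dst, payload in packets:
        if is_wildcard_status_query(payload):
            targets[src].add(dst)
    return {s: len(d) for s, d in targets.items() if len(d) >= threshold}

def build_query(txid: int, encoded_name: bytes, qtype: int = NBSTAT) -> bytes:
    """Constructed test input: one NBNS question (not captured traffic)."""
    return (struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + b"\x20" + encoded_name
            + b"\x00" + struct.pack("!HH", qtype, CLASS_IN))

STATUS_Q = build_query(0x02E9, b"CK" + b"A" * 30)
# Constructed: one source walks 192.0.2.1-4, another asks a single host.
PACKETS = [("198.51.100.9", f"192.0.2.{i}", STATUS_Q) for i in range(1, 5)]
PACKETS.append(("198.51.100.20", "192.0.2.1", STATUS_Q))
```

A single wildcard status query is also what the Windows nbtstat utility sends for one host, so the useful signal is the number of distinct destinations per source rather than the query itself.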

Is there a GUI for nbtscan?

Yes. There are a couple of different GUIs sent to me by different people at different times. Warning: I got this software at different times from different people. I didn't test it and I didn't read the source code. I don't know if it works and what it does when it works, so don't blame me if it does something completely awful to you or your computer. You have been warned.

  • Use42 by Peter Feil (peter (dot) feil (at) one2many (dot) de). Use42 is a GUI wrapper for enum (by Jordan Ritter BindViewRazor), nbtscan (by me) and ipeye (by Arne Vidstrom). Runs on Windows. The author does not provide any source code. You can download it here.
  • gui.exe was sent to me by r_i_c_h (at) btinternet (dot) com. It is a Windows GUI for nbtscan. r_i_c_h said he got it from someone else but lost the sources. You can download it here.
  • xNBTscan was contributed by Brian (daten (at) dnetc (dot) org) and is a GTK2-base GUI for X. You can get it from here.

Why doesn't nbtscan scan for shares? Are you going to add share scanning to nbtscan?

No. NBTscan uses UDP for what it does. That makes it very fast. Share scanning requires TCP. For one thing, it would make nbtscan slower. Also, adding share scanning means adding a lot of new code to nbtscan. There are a lot of good share scanners around, so I see no reason to duplicate that work.

Why do I get 00-00-00-00-00-00 instead of MAC address when I scan a Samba box?

Because that's what Samba sends in response to the query. Nbtscan just prints out what it gets.

Usage

NBTscan is a command-line tool. You have to supply at least one argument, an address range in one of three forms:

  • xxx.xxx.xxx.xxx: Single IP in dotted-decimal notation. Example: 192.168.1.1
  • xxx.xxx.xxx.xxx/xx: Net address and subnet mask. Example: 192.168.1.0/24
  • xxx.xxx.xxx.xxx-xxx: Address range. Example: 192.168.1.1-127. This will scan all addresses from 192.168.1.1 to 192.168.1.127.

It also understands the following switches. Each entry gives the option, its meaning and a usage example.

-v
Verbose output. Print all names received from each host.

>nbtscan -v 192.168.1.123
NetBIOS Name Table for Host 192.168.1.123:

Name             Service          Type
----------------------------------------
DPTSERVER        <00>             UNIQUE
DPTSERVER        <20>             UNIQUE
DEPARTMENT       <00>             GROUP
DPTSERVER        <03>             UNIQUE
DPTSERVER        <01>             UNIQUE

Adapter address: 00-a0-c9-12-34-56
----------------------------------------

-d
Dump packets. Print whole packet contents. Cannot be used with -v, -s or -h options.

>nbtscan -d 192.168.1.123

Packet dump for Host 192.186.1.2:

Transaction ID: 0x02e9 (745)
Flags: 0x8400 (33792)
Question count: 0x0000 (0)
Answer count: 0x0001 (1)
Name service count: 0x0000 (0)
Additional record count: 0x0000 (0)
Question name: CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Question type: 0x0021 (33)
Question class: 0x0001 (1)
Time to live: 0x00000000 (0)
Rdata length: 0x0089 (137)
Number of names: 0x05 (5)
<skipped lots of data>

-e
Format output in /etc/hosts format.

> ./nbtscan -e 192.168.75.0/28
192.168.75.2 M3I4W6
192.168.75.3 BOCKSTAEL
192.168.75.4 PCROGER
192.168.75.6 R392900055
192.168.75.12 SONY
192.168.75.13 DSNRVTWF
192.168.75.14 G8F8N7
192.168.75.15 VAIO

-l
Format output in lmhosts format.

> ./nbtscan -l 192.168.75.0/28
192.168.75.2 M3I4W6 #PRE
192.168.75.3 BOCKSTAEL #PRE
192.168.75.4 PCROGER #PRE
192.168.75.6 R392900055 #PRE
192.168.75.12 SONY #PRE
192.168.75.13 DSNRVTWF #PRE
192.168.75.14 G8F8N7 #PRE
192.168.75.15 VAIO #PRE

-t timeout
Wait timeout seconds for response. Default 1.

>nbtscan -d 192.168.1.123
<output depends on other options>

-b bandwidth
Output throttling. Slow down packet output so that it uses no more than bandwidth bps. Useful on slow links, so that outgoing queries don't get dropped.

>nbtscan -b 28800 192.168.1.123
<output depends on other options>

-r
Use local port 137 for scans. Win95 boxes respond to this only. You need to be root to use this option on Unix.

>nbtscan -r 192.168.1.123
<output depends on other options>

-q
Suppress banners and error messages.

>nbtscan -q 192.168.1.123
<output depends on other options>

-s separator
Script-friendly output. Don't print column and record headers, separate fields with separator.

>nbtscan -s : 192.168.1.1-24
192.168.1.1:DIRDY-BIRDY :<server>:JOED :00-a0-c9-12-34-56
192.168.1.4:MIGHTY :<server>:JPSMITH :00-aa-00-78-90-12
192.168.1.5:BUGS-BUNNY :<server>:OUR_ADMIN :00-aa-00-34-56-78
192.168.1.19:DEFENDER :<server>:PETERA :00-60-b0-90-12-34

>nbtscan -s : -v 192.168.1.1
194.186.12.236:DIRDY-BIRDY :00U
194.186.12.236:COMPANY__COM :00G
194.186.12.236:DIRDY-BIRDY :20U
194.186.12.236:DIRDY-BIRDY :03U
194.186.12.236:COMPANY__COM :1eG
194.186.12.236:JOED :03U
194.186.12.236:MAC:00-a0-c9-12-34-56

-h
Print human-readable names for services. Can only be used with -v option.

>nbtscan -s : -h -v 192.168.1.1
194.186.12.236:DIRDY-BIRDY :Workstation Service
194.186.12.236:COMPANY__COM :Domain Name
194.186.12.236:DIRDY-BIRDY :File Server Service
194.186.12.236:DIRDY-BIRDY :Messenger Service
194.186.12.236:COMPANY__COM :Browser Service Elections
194.186.12.236:JOED :Messenger Service
194.186.12.236:MAC:00-a0-c9-12-34-56

-m retransmits
Number of retransmits. Default 0.

>nbtscan -m 2 192.168.1.123
<output depends on other options>

-f filename
Take IP addresses to scan from file filename.

>nbtscan -f my_ips.txt
<output depends on other options>
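The script-friendly form of the verbose output (-s together with -v) is meant to be consumed by other programs. As an added example (not part of NBTscan or the original page), the Python below parses that output and rebuilds the summary columns per host for an inventory audit: computer name, domain, whether the File Server Service is registered, logged-on users, and the all-zero MAC that the FAQ attributes to Samba. The first sample host is the example output from this page; the second host and all function names are constructed.

```python
from collections import defaultdict

# Suffix/type -> label, as printed by the -h example on this page.
SERVICES = {("00", "U"): "Workstation Service", ("00", "G"): "Domain Name",
            ("20", "U"): "File Server Service", ("03", "U"): "Messenger Service",
            ("1e", "G"): "Browser Service Elections"}

# First host: the -s : -v example from this page. Second host: constructed.
SAMPLE = """\
194.186.12.236:DIRDY-BIRDY :00U
194.186.12.236:COMPANY__COM :00G
194.186.12.236:DIRDY-BIRDY :20U
194.186.12.236:DIRDY-BIRDY :03U
194.186.12.236:COMPANY__COM :1eG
194.186.12.236:JOED :03U
194.186.12.236:MAC:00-a0-c9-12-34-56
192.0.2.7:FILESRV :00U
192.0.2.7:FILESRV :20U
192.0.2.7:FILESRV :03U
192.0.2.7:MAC:00-00-00-00-00-00
"""

def parse_verbose(text, sep=":"):
    """Parse `nbtscan -s <sep> -v` output into {ip: {"names": [...], "mac": ...}}."""
    hosts = defaultdict(lambda: {"names": [], "mac": None})
    for line in text.splitlines():
        ip, found, rest = line.strip().partition(sep)
        if not found:
            continue                      # banner or blank line
        if rest.startswith("MAC" + sep):
            hosts[ip]["mac"] = rest[len("MAC" + sep):].strip()
            continue
        name, _, code = rest.rpartition(sep)   # name may itself contain sep
        code = code.strip()
        if len(code) == 3 and code[2] in "UG":
            hosts[ip]["names"].append((name.strip(), code[:2].lower(), code[2]))
    return dict(hosts)

def summarize(host):
    """Rebuild the default report's columns from one host's name table."""
    names = host["names"]
    computer = next((n for n, s, k in names if (s, k) == ("00", "U")), None)
    return {
        "computer": computer,
        "domain": next((n for n, s, k in names if (s, k) == ("00", "G")), None),
        "file_server": any((s, k) == ("20", "U") for _, s, k in names),
        # Assumption from the page's examples: <03> names other than the computer are users.
        "users": sorted({n for n, s, k in names if (s, k) == ("03", "U") and n != computer}),
        "services": sorted({SERVICES.get((s, k), f"<{s}>{k}") for _, s, k in names}),
        "mac_zeroed": host["mac"] == "00-00-00-00-00-00",   # what Samba returns, per the FAQ
    }

def audit(text, sep=":"):
    return {ip: summarize(h) for ip, h in parse_verbose(text, sep).items()}
```

Calling audit(SAMPLE) returns one summary dictionary per IP address; pass the same separator to audit() that was given to -s.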

Installation

Installing from Win32 binaries

  1. Download zip archive
  2. Unpack it
  3. Put nbtscan.exe and cygwin1.dll into a directory in your PATH, such as winnt/system32
  4. That's all. Now you can run nbtscan from command prompt.

Installing from sources on Windows

  1. Download and install Cygwin from http://sources.redhat.com/cygwin/
  2. Start Cygwin shell and proceed from there as in Unix installation

Installing from sources under Unix

  1. Ungzip and untar sources
  2. Run ./configure script
  3. Run make and make install
  4. That's all.

Perl version of NBTscan

NBTscan was first written in Perl. It is much slower than its C cousin and has fewer options, but it also has an advantage: the Windows Perl script is able to receive responses from Windows 95 sent to port 137. So if you really have to scan Windows 95 boxes from Windows, you can download and use Perl NBTscan. There is also IpInfo (also a Perl script), which runs on both NT and Unix and gives some additional info (such as the DNS host name). It was created by Steve Coleman.

Reporting bugs, sending comments, etc.

You can report bugs to the author (hey, that's me) alla (at) inetcat (dot) org. I am not promising to do anything about it, but I may well want to fix them. I shall also appreciate comments and suggestions. If you have somehow enhanced this program - send me a copy or a patch.

Posted by webdizen
Tags NBTScan, Network, Scan, Security
2 Comments

  1. 냥냥이 (2008/01/07 12:54)

    I always read this through my RSS subscription, and there is a lot of good material here, haha.

    • webdizen (2008/01/07 15:48)

      Thank you for going as far as subscribing. I am very curious and can't stand not knowing something, so I look things up in books or post the information I find on the internet as articles, and it seems to have piled up little by little.