.\" Text automatically generated by txt2man .TH nbtscan 1 "13 Jan 2022" "nbtscan-1.7.2" "scan networks searching for NetBIOS information" .SH NAME \fBnbtscan \fP- scan networks for NetBIOS name information \fB .SH SYNOPSIS .nf .fam C \fBnbtscan\fP [\fB-v\fP] [\fB-d\fP] [\fB-e\fP] [\fB-l\fP] [\fB-t\fP \fItimeout\fP] [\fB-b\fP \fIbandwidth\fP] [\fB-r\fP] [\fB-q\fP] [\fB-s\fP \fIseparator\fP] [\fB-h\fP] [\fB-m\fP \fIretransmits\fP] [\fB-f\fP \fIfilename\fP | \fItarget\fP] .fam T .fi .fam T .fi .SH DESCRIPTION NBTscan is a program for scanning IP networks for NetBIOS name information. It sends NetBIOS status query to each address in supplied range and lists received information in human readable form. For each responded host it lists IP address, NetBIOS computer name, logged-in user name and MAC address (such as Ethernet). .PP NBTscan produces a report like that: .PP .nf .fam C IP address NetBIOS Name Server User MAC address ----------------------------------------------------------------------- 192.168.1.2 MYCOMPUTER JDOE 00-a0-c9-12-34-56 192.168.1.5 WIN98COMP RROE 00-a0-c9-78-90-00 192.168.1.123 DPTSERVER ADMINISTRATOR 08-00-09-12-34-56 .fam T .fi First column lists IP address of responded host. Second column is computer name. Third column indicates if this computer shares or is able to share files or printers. For NT machine it means that Server Service is running on this computer. For Windows 95 it means that "I want to be able to give others access to my files" or "I want to be able to allow others to print on my \fBprinter\fP(s)" checkbox is ticked (in Control Panel/Network/File and Print Sharing). Most often it means that this computer shares files. Third column shows user name. If no one is logged on from this computer it is same as computer name. Last column shows adapter MAC address. .PP If run with \fB-v\fP switch NBTscan lists whole NetBIOS name table for each responded address. The output looks like that: .PP .nf .fam C NetBIOS Name Table for Host 192.168.1.123: Name Service Type ---------------------------------------- DPTSERVER <00> UNIQUE DPTSERVER <20> UNIQUE DEPARTMENT <00> GROUP DEPARTMENT <1c> GROUP DEPARTMENT <1b> UNIQUE DEPARTMENT <1e> GROUP DPTSERVER <03> UNIQUE DEPARTMENT <1d> UNIQUE ??__MSBROWSE__? <01> GROUP INet~Services <1c> GROUP IS~DPTSERVER <00> UNIQUE DPTSERVER <01> UNIQUE Adapter address: 00-a0-c9-12-34-56 ---------------------------------------- .fam T .fi .SH OPTIONS A summary of options is included below. .TP .B \fB-v\fP Verbose output. Print all names received from each host. .TP .B \fB-d\fP Dump packets. Print whole packet contents. Cannot be used with \fB-v\fP, \fB-s\fP or \fB-h\fP options. .TP .B \fB-e\fP Format output in /etc/hosts format. .TP .B \fB-l\fP Format output in lmhosts format. .TP .B \fB-t\fP <\fItimeout\fP> Wait \fItimeout\fP seconds for response. Default 1. .TP .B \fB-b\fP <\fIbandwidth\fP> Output throttling. Slow down output so that it uses no more that \fIbandwidth\fP bps. Useful on slow links, so that outgoing queries don't get dropped. .TP .B \fB-r\fP Use local port 137 for scans. Win95 boxes respond to this only. You need to be root to use this option. .TP .B \fB-q\fP Suppress banners and error messages. .TP .B \fB-s\fP <\fIseparator\fP> Script-friendly output. Don't print column and record headers, separate fields with \fIseparator\fP. .TP .B \fB-h\fP Print human-readable names for services. Can only be used with \fB-v\fP option. .TP .B \fB-m\fP <\fIretransmits\fP> Number of \fIretransmits\fP. Default 0. .TP .B \fB-f\fP <\fIfilename\fP> Take IP addresses to scan from file "\fIfilename\fP" .TP .B \fItarget\fP NBTscan is a command-line tool. You have to supply at least one argument, the address range, in one of three forms: .RS .TP .B xxx.xxx.xxx.xxx Single IP in dotted-decimal notation. Example: 192.168.1.1 .TP .B xxx.xxx.xxx.xxx/xx Net address and subnet mask. Example: 192.168.1.0/24 .TP .B xxx.xxx.xxx.xxx-xxx Address range. Example: 192.168.1.1-127. This will scan all addresses from 192.168.1.1 to 192.168.1.127 .SH EXAMPLES Scans the whole C-class network: .PP .nf .fam C nbtscan 192.168.1.0/24 .fam T .fi Scans the whole C-class network, using port 137: .PP .nf .fam C nbtscan -r 192.168.1.0/24 .fam T .fi Scans a range from 192.168.1.25 to 192.168.1.137: .PP .nf .fam C nbtscan 192.168.1.25-137 .fam T .fi Scans C-class network. Prints results in script-friendly format using colon as field \fIseparator\fP: .PP .nf .fam C nbtscan -v -s : 192.168.1.0/24 .fam T .fi The last command produces output like that: .PP .nf .fam C 192.168.0.1:NT_SERVER:00U 192.168.0.1:MY_DOMAIN:00G 192.168.0.1:ADMINISTRATOR:03U 192.168.0.2:OTHER_BOX:00U \.\.\. .fam T .fi Scans IP addresses specified in file iplist: .PP .nf .fam C nbtscan -f iplist .fam T .fi .SH NETBIOS SUFFIXES NetBIOS Suffix, aka NetBIOS End Character (endchar), indicates service type for the registered name. The most known codes are listed below. (U = Unique Name, G = Group Name) .PP .nf .fam C Name Number(h) Type Usage -------------------------------------------------------------------------- 00 U Workstation Service 01 U Messenger Service <\\--__MSBROWSE__> 01 G Master Browser 03 U Messenger Service 06 U RAS Server Service 1F U NetDDE Service 20 U File Server Service 21 U RAS Client Service 22 U Exchange Interchange(MSMail Connector) 23 U Exchange Store 24 U Exchange Directory 30 U Modem Sharing Server Service 31 U Modem Sharing Client Service 43 U SMS Clients Remote Control 44 U SMS Administrators Remote Control Tool 45 U SMS Clients Remote Chat 46 U SMS Clients Remote Transfer 87 U Microsoft Exchange MTA 6A U Microsoft Exchange IMC BE U Network Monitor Agent BF U Network Monitor Application 03 U Messenger Service 00 G Domain Name 1B U Domain Master Browser 1C G Domain Controllers 1D U Master Browser 1E G Browser Service Elections 1C G IIS 00 U IIS .fam T .fi .SH FAQ .IP 1. 4 NBTscan lists my Windows boxes just fine but does not list my Unixes or routers. Why? .PP R: That is the way it is supposed to work. NBTscan uses NetBIOS for scanning and NetBIOS is only implemented by Windows (and some software on Unix such as Samba). .IP 2. 4 Why do I get "Connection reset by peer" errors on Windows 2000? .PP R: NBTscan uses port 137 UDP for sending queries. If the port is closed on destination host destination will reply with ICMP "Port unreachable" message. Most operating system will ignore this message. Windows 2000 reports it to the application as "Connection reset by peer" error. Just ignore it. .IP 3. 4 Why NBTscan doesn't scan for shares? Are you going to add share scanning to NBTscan? .PP R: No. NBTscan uses UDP for what it does. That makes it very fast. Share scanning requires TCP. For one thing, it will make \fBnbtscan\fP more slow. Also adding share scanning means adding a lot of new code to \fBnbtscan\fP. There is a lot of good share scanners around, so there is no reason to duplicate that work. .IP 4. 4 Why do I get 00-00-00-00-00-00 instead of MAC address when I scan a Samba box? .PP R: Because that's what Samba send in response to the query. Nbtscan just prints out what it gets. .SH AUTHOR NBTscan was created by Alla Bezroutchko . Currently is maintained by some volunteers at https://github.com/resurrecting-open-source-projects/\fBnbtscan\fP .PP This manual page was written for the first time by Ryszard Lach and rewritten, from scratch, by Joao Eriberto Mota Filho for the Debian GNU/Linux system (but may be used by others).