NBTScan. NetBIOS Name Network Scanner.

Download NBTscan sources | Download NBTscan binaries for Win32 | Previous version | This page in Romanian (Translation by Iulian Benea)

General Information

NBTscan is a program for scanning IP networks for NetBIOS name information. It sends NetBIOS status query to each address in supplied range and lists received information in human readable form. For each responded host it lists IP address, NetBIOS computer name, logged-in user name and MAC address.

Version 1.5 is now available. See Change Log for changes since previous release.

NBTscan compiles and runs on Unix and Windows. I have tested it on Windows NT 4.0, Windows 2000, FreeBSD 4.3, OpenBSD 2.8 and RedHat Linux 7.1 and 7.3. It should also compile and run on Solaris and other Linuxes as well.

Steve Coleman (Steve (dot) Coleman (at) jhuapl (dot) edu) ported previous versions of NBTscan to Solaris, HP-UX and OSF/1 and fixed several bugs. He reports that NBTscan also runs on IRIX/SGI with minor problems. I was also told that NBTscan runs on AIX (Antonio Dell'elce) and SunOS 4.1.3_U1 (Joe Cline). Mohammad A. Haque (mhaque (at) haque (dot) net) ported nbtscan to Darwin.

This program is a successor of a perl script with the same name and does essentially the same thing, being much faster though. NBTscan produces a report like that:

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
192.168.1.2      MYCOMPUTER                 JDOE             00-a0-c9-12-34-56
192.168.1.5      WIN98COMP        <server>  RROE             00-a0-c9-78-90-00
192.168.1.123    DPTSERVER        <server>  ADMINISTRATOR    08-00-09-12-34-56

First column lists IP address of responded host. Second column is computer name. Third column indicates if this computer shares or is able to share files or printers. For NT machine it means that Server Service is running on this computer. For Windows 95 it means that "I want to be able to give others access to my files" or "I want to be able to allow others to print on my printer(s)" checkbox is ticked (in Control Panel/Network/File and Print Sharing). Most often it means that this computer shares files. Third column shows user name. If no one is logged on from this computer it is same as computer name. Last column shows adapter MAC address.

If run with -v switch NBTscan lists whole NetBIOS name table for each responded address. The output looks like that:

NetBIOS Name Table for Host 192.168.1.123:

Name             Service          Type
----------------------------------------
DPTSERVER        <00>             UNIQUE
DPTSERVER        <20>             UNIQUE
DEPARTMENT       <00>             GROUP
DEPARTMENT       <1c>             GROUP
DEPARTMENT       <1b>             UNIQUE
DEPARTMENT       <1e>             GROUP
DPTSERVER        <03>             UNIQUE
DEPARTMENT       <1d>             UNIQUE
??__MSBROWSE__?  <01>             GROUP
INet~Services    <1c>             GROUP
IS~DPTSERVER     <00>             UNIQUE
DPTSERVER        <01>             UNIQUE

Adapter address: 00-a0-c9-12-34-56
----------------------------------------
  

FAQ

Where can I get NBTscan?

Download it from http://www.inetcat.org/software/nbtscan.html

Is there source code available ?

Yes. Same as above.

NBTscan lists my Windows boxes just fine but does not list my unixes or routers. Why?

That is the way it is supposed to work. NBTscan uses NetBIOS for scanning and NetBIOS is only implemented by Windows (and some software on Unix such as Samba)

I get some error message on a certain operating system while compiling or running NBTscan. What can I do?

If you get errors compiling there is not much I can help you with. I don't have every possible version of every possible OS, so I wouldn't be able to reproduce your problem. Try to figure out what is going wrong, make a patch and send it to me. :)

If you get unexpected results running nbtscan and you think it is a bug, send me a bug report. Describe your environment (OS, version of nbtscan, how big the network you are scanning is, are there any firewalls on the way) and make a packet dump if possible. Comparing the results produced by nbtscan with results of nbtstat -a (Windows utility) also helps to find the problem. If you get same results from nbtscan and nbtstat, this probably means that the problem is in the network setup, not in nbtscan.

Are there any docs in Russian?

No. I am too lazy to do translation. If you are willing to translate docs to Russian or any other language for that matter, you are more than welcome.

How do I write NBTscan output into a file?

Just like any other program:

nbtscan 123.45.67.89 > filename

Works on both Unix and Windows.

How do I make NBTscan write its output one screen at a time?

Just like any other program:

 nbtscan 123.45.67.89 | more 

Works on both Unix and Windows.

How do I export NBTscan output into an Excel file?

Run nbtscan with "-s ," option (script-friendly output, use comma as a field separator) and open the resulting file in Excel.

Why do I get "Connection reset by peer" errors on Windows 2000?

NBTscan uses port 137 UDP for sending queries. If the port is closed on destination host destination will reply with ICMP "Port unreachable" message. Most operating system will ignore this message. Windows 2000 reports it to the application as "Connection reset by peer" error. Just ignore it.

Is there a GUI for nbtscan?

Yes. There are a couple of different GUIs sent to me by different people at different times. Warning: I got this software at different times from different people. I didn't test it and I didn't read the source code. I don't know if it works and what it does when it works, so don't blame me if it does something completely awfull to you or your computer. You have been warned.

• Use42 by Peter Feil (peter (dot) feil (at) one2many (dot) de) Use42 is a GUI wrapper form enum (by Jordan Ritter BindViewRazor), nbtscan (by me) and ipeye (by Arne Vidstrom). Runs on Windows.The author does not provide any source code. You can download it here.
• gui.exe was sent to me by r_i_c_h (at) btinternet (dot) com. It is a Windows GUI for nbtscan. r_i_c_h said he got it from someone else but lost the sources. You can download it here.
• xNBTscan was contributed by Brian (daten (at) dnetc (dot) org) and is a GTK2-base GUI for X. You can get it from here.

Why nbtscan doesn't scan for shares? Are you going to add share scanning to nbtscan?

No. NBTscan uses UDP for what it does. That makes it very fast. Share scanning requires TCP. For one thing, it will make nbtscan more slow. Also adding share scanning means adding a lot of new code to nbtscan. There is a lot of good share scanners around, so I see no reason to duplicate that work.

Why do I get 00-00-00-00-00-00 instead of MAC address when I scan a Samba box?

Because that's what Samba send in response to the query. Nbtscan just prints out what it gets.

Usage

NBTscan is a command-line tool. You have to supply at least one argument - address range in one of three forms:

It also understands the following switches:

>nbtscan -v 192.168.1.123
NetBIOS Name Table for Host 192.168.1.123:

Name             Service          Type
----------------------------------------
DPTSERVER        <00>             UNIQUE
DPTSERVER        <20>             UNIQUE
DEPARTMENT       <00>             GROUP
DPTSERVER        <03>             UNIQUE
DPTSERVER        <01>             UNIQUE

Adapter address: 00-a0-c9-12-34-56
----------------------------------------

>nbtscan -d 192.168.1.123

Packet dump for Host 192.186.1.2:

Transaction ID: 0x02e9 (745)
Flags: 0x8400 (33792)
Question count: 0x0000 (0)
Answer count: 0x0001 (1)
Name service count: 0x0000 (0)
Additional record count: 0x0000 (0)
Question name:  CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Question type: 0x0021 (33)
Question class: 0x0001 (1)
Time to live: 0x00000000 (0)
Rdata length: 0x0089 (137)
Number of names: 0x05 (5)
<skipped lots of data>
       

> ./nbtscan -e 192.168.75.0/28
192.168.75.2    M3I4W6
192.168.75.3    BOCKSTAEL
192.168.75.4    PCROGER
192.168.75.6    R392900055
192.168.75.12   SONY
192.168.75.13   DSNRVTWF
192.168.75.14   G8F8N7
192.168.75.15   VAIO

    

> ./nbtscan -e 192.168.75.0/28
192.168.75.2    M3I4W6       #PRE
192.168.75.3    BOCKSTAEL    #PRE
192.168.75.4    PCROGER      #PRE
192.168.75.6    R392900055   #PRE
192.168.75.12   SONY         #PRE
192.168.75.13   DSNRVTWF     #PRE
192.168.75.14   G8F8N7       #PRE
192.168.75.15   VAIO         #PRE

    

>nbtscan -d 192.168.1.123
<output depends on other options>
      

>nbtscan -b 28800 192.168.1.123
<output depends on other options>
      

>nbtscan -r 192.168.1.123
<output depends on other options>
      

>nbtscan -q 192.168.1.123
<output depends on other options>
      

>nbtscan -s : 192.168.1.1-24
192.168.1.1:DIRDY-BIRDY   :<server>:JOED          :00-a0-c9-12-34-56
192.168.1.4:MIGHTY        :<server<:JPSMITH       :00-aa-00-78-90-12
192.168.1.5:BUGS-BUNNY    :<server<:OUR_ADMIN     :00-aa-00-34-56-78
192.168.1.19:DEFENDER      :<server<:PETERA       :00-60-b0-90-12-34

>nbtscan -s : -v 192.168.1.1
194.186.12.236:DIRDY-BIRDY    :00U
194.186.12.236:COMPANY__COM   :00G
194.186.12.236:DIRDY-BIRDY    :20U
194.186.12.236:DIRDY-BIRDY    :03U
194.186.12.236:COMPANY__COM   :1eG
194.186.12.236:JOED           :03U
194.186.12.236:MAC:00-a0-c9-12-34-56
      

>nbtscan -s : -h -v 192.168.1.1
194.186.12.236:DIRDY-BIRDY    :Workstation Service
194.186.12.236:COMPANY__COM   :Domain Name
194.186.12.236:DIRDY-BIRDY    :File Server Service
194.186.12.236:DIRDY-BIRDY    :Messenger Service
194.186.12.236:COMPANY__COM   :Browser Service Elections
194.186.12.236:JOED           :Messenger Service
194.186.12.236:MAC:00-a0-c9-12-34-56
      

>nbtscan -m 2 192.168.1.123
<output depends on other options>
      

Installation

Installing from Win32 binaries

1. Download zip archive
2. Unpack it
3. Put nbtscan.exe and cygwin1.dll to directory in your PATH, such as winnt/system32
4. That's all. Now you can run nbtscan from command prompt.

Installing from sources on Windows

1. Download and install Cygwin from
2. Start Cygwin shell and proceed from there as in Unix installation

Installing from sources under Unix

1. Ungzip and untar sources
2. Run ./configure script
3. Run make and make install
4. That's all.

Perl version of NBTscan

NBTscan was first written in Perl. It is much more slow then its C cousin, and has less options, but it has an advantage also: Windows Perl script is able to receive responses from Windows 95 sent to port 137. So if you really have to scan Windows 95 boxes from Windows you can download and use Perl NBTscan. There is also a IpInfo (Perl script too) which runs both on NT and Unix, and gives some additional info (such as DNS host name). It was created by Steve Coleman.

Reporting bugs, sending comments, etc.

You can report bugs to the author (hey, that's me) alla (at) inetcat (dot) org. I am not promising to do anything about it, but I may well want to fix them. I shall also appreciate comments and suggestions. If you have somehow enhanced this program - send me a copy or a patch.

ChangeLog

Version 1.5.1 - June 2003

• Fixed segmentation fault when using -f option (noticed by Brian Lovrin)
• Fixed printing ugliness (noticed by Darren Critchley)
• Changed version number :) (1.5 said that it is 1.0.3 - now it proudly says 1.5.1)

Version 1.5 - May 2002

• Fixed a bug in displaying of 15-character NetBIOS names (15th character wasn't displayed). Bug reported by Tom Kustner ([email protected]), Kenny Breck (KCBreck (at) NetZero (dot) net) and Richard IJzermans (richard (dot) ijzermans (at) lgphilips-displays (dot) com)
• Fixed a bug in interpreting netmask /32 and /0. Patch provided by Thomas Poindessous (thomas (at) poindessous (dot) com) for Debian Linux
• List of hosts to scan can now be read from stdin as well as from file. Suggested by Kevin Kadow (kadokev (at) msg (dot) net)
• Fixed a bug in timing. (nbtscan waited for two seconds after scanning not doing anything). Reported by Ceri Hopkins (ceri (at) sandc (dot) demon (dot) co (dot) uk)
• Nbtscan now works on Darwin. Patches provided by Mohammad A. Haque (mhaque (at) haque (dot) net)
• timeout option -t is now in milliseconds, not seconds
• Fixed some Solaris portability problems. Patches provided by Petter Reinholdtsen (pere (at) hungry (dot) com)

Version 1.0.3 - February 2002

• NBTscan now returns meaningful exit code (patch by James Troup for Debian Linux)
• Added /etc/hosts and lmhosts format output (suggested by Anahuac de Paula Gil and Sigmund Baginov)
• configure script now honours --prefix argument (patch by Petter Reinholdtsen)
• Error messages now include IP address that caused error
• NBTscan accepts a file with a list of IP addresses to scan (suggested by Omas Jakobsson)
• Service number is printed for unknown NetBIOS services in -h mode (suggested by Dan Wright)
• Fixed some compile-time warnings on Linux
• Corrected some typos

Version 1.0.2 - March 30, 2000

• Added retransmits (-m option) (Several people asked)
• Added output bandwidth throttling (-b option) (Suggested by Jason Garman)
• Rewrote sending queries and receiving answers part for more reliable scanning of large blocks of addresses. (Suggested by Jason Garman)
• Added script-friendly output option (-s) (Suggested by Patrick Heim )
• Added printing of human-readable NetBIOS service names (-h) (Suggested by Patrick Heim)
• Added -q command line option that suppresses printing banners and error messages. (Suggested by Sam Bayne)
• Rewrote parse_response completely. This allows for better parsing of Samba servers' responses. (Bug reported by Sam Bayne)
• Added -d command line option which makes whole packets get printed
• Various cosmetic improvements including fixing some spelling errors

Version 1.0.1 - May 5, 1999

• Fixed incorrect parsing of MAC address in parse_response() which made last byte of MAC addresses appear as 00. Bug pointed by Joseph Moon.
• Changed message saying "Warning: -r option not supported under NT." to more accurate saying: "Warning: -r option not supported under Windows."
• Corrected a typo in README.

Download NBTscan sources | Download NBTscan binaries for Win32 | Previous version