NetBIOS Enumeration Wtih Nmap, NBTSan & Nbstat

NetBIOS Enumeration Wtih nmap & nbstat

NetBIOS Enumeration

With NetBIOS Enumeration we can scan a local area network or a specific target on the intranet and extract NetBIOS information from it like.

  • Devices that belong to a domain
  • Storage shares on the network
  • Domain policies and passwords
  • Printers on the network
  • Group information and users


Stands for Network Basic Input Output System and allows communication between different applications running on different systems within a LAN.

The service uses a 16 ASCII character string to identify a device on a local network.

The first 15th characters are for identifying devices, the last 16th character is to identify services.

Services and ports.

  • UDP/137 Name service
  • UDP/138 Datagram service
  • TCP/139 Session service

In this quick guide i am using nmap, nbtstat on Windows, and NBTScan on Kali Linux. NBTSan can be run on Windows to if you what to try it there.

You can find several tools on all platforms that you can use for NetBIOS Enumeration, if you wish to test some other tools.

DISCLAIMER: This software/tutorial is for educational purposes only. Please don’t use it for illegal activity. The author is not responsible for the use of the application or the users action.

Common NetBIOS Name Table (NBT) names

NetBIOS Code Type Information
<00> UNIQUE Hostname
<00> GROUP Domain name
<host name><03> UNIQUE Messenger service
<use rname><03> UNIQUE Logged-in user
<20> UNIQUE File Server Service
<21> UNIQUE RAS Client Service
<22> UNIQUE Microsoft Exchange
<1B> UNIQUE Domain Master Browser
<1C> GROUP Domain Controllers
<1D> GROUP Master Browser
<INet~Services> GROUP IIS


  • Kali Linux
  • NBTScan
  • Nmap
  • Windows AD
  • Windows client on the same LAN as the Windows AD

Step 1: NetBIOS Enumeration With nbtstat in Windows

Open a CMD in windows and type in the fallowing syntax.

nbtstat -A

Node IpAddress: [] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ONLINE-IT      <00>  GROUP       Registered
    SRV1           <00>  UNIQUE      Registered
    ONLINE-IT      <1C>  GROUP       Registered
    SRV1           <20>  UNIQUE      Registered
    ONLINE-IT      <1B>  UNIQUE      Registered

    MAC Address = 01:0c:29:3c:83:4e

Npcap Loopback Adapter:
Node IpAddress: [] Scope Id: []

    Host not found.


Step 2: NetBIOS Enumeration With NBTScan

NBTScan is by default installed on Kali Linux, but there is a Windows version as well.

NOTE: You need to open the tool in CMD for it to work in Windows.

We can use the tool to scan a whole network or just one target.


Doing NBT name scan for addresses from

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------   SRV1             <server>  <unknown>        01:0c:29:3c:83:4e   SRV2             <server>  <unknown>        01-0a-49-67-b8-01


Adding more arguments to the syntax to extract more information.

C:\NBTScan>nbtscan.exe -v

Doing NBT name scan for addresses from

NetBIOS Name Table for Host

Incomplete packet, 191 bytes long.
Name             Service          Type
ONLINE-IT        <00>              GROUP
SRV1             <00>             UNIQUE
ONLINE-IT        <1c>              GROUP
SRV1             <20>             UNIQUE
ONLINE-IT        <1b>             UNIQUE

Adapter address: 01:0c:29:3c:83:4e


You can find more arguments in NBTScan:s official documentation.

Step 3: NetBIOS Enumeration With Nmap Scripting Engine

To run the nbstat.nse script, open Nmap and run the following syntax.

nmap -sV --script nbstat.nse -v

Host script results:

| nbstat: NetBIOS name: SRV1, NetBIOS user: <unknown>, NetBIOS MAC: 01:0c:29:3c:83:4e (VMware)

| Names:

|   ONLINE-IT<00>        Flags: <group><active>

|   SRV1<00>             Flags: <unique><active>

|   ONLINE-IT<1c>        Flags: <group><active>

|   SRV1<20>             Flags: <unique><active>

|_  ONLINE-IT<1b>        Flags: <unique><active>

NSE: Script Post-scanning.

Initiating NSE at 17:50

Completed NSE at 17:50, 0.00s elapsed

Initiating NSE at 17:50

Completed NSE at 17:50, 0.00s elapsed

Read data files from: C:\Program Files (x86)\Nmap

Service detection performed. Please report any incorrect results at .

Nmap done: 1 IP address (1 host up) scanned in 141.97 seconds

           Raw packets sent: 1033 (45.436KB) | Rcvd: 1011 (41.756KB)


As we can see it easy to extract information with NetBIOS Enumeration techniques and tools.

We have used tools on both Windows and Linux and scanned an AD server on the domain.

To countermeasure NetBIOS enumeration you need to disable the service, however some old applications still relays on NetBIOS communication.

Check out the Ethical Hacking notes for more Kali Linux quick guides.