Tuesday, October 6, 2015

Dumping the NetBIOS Name Table with Nbtstat and Nbtscan

Another great built-in tool is nbtstat, which calls up the NetBIOS Name Table from a remote system. The Name Table contains a great deal of information, as shown in the following example:

C:\>nbtstat -A
Local Area Connection:
Node IpAddress: [] Scope Id: []
NetBIOS Remote Machine Name Table
Name               Type         Status
CAESARS            <00>  UNIQUE      Registered
VEGAS2             <00>  GROUP       Registered
VEGAS2             <1C>  GROUP       Registered
CAESARS            <20>  UNIQUE      Registered
VEGAS2             <1B>  UNIQUE      Registered
VEGAS2             <1E>  GROUP       Registered
VEGAS2             <1D>  UNIQUE      Registered
..__MSBROWSE__.    <01>  GROUP       Registered
MAC Address = 00-01-03-27-93-8F

As illustrated, nbtstat extracts the system name (CAESARS), the domain or workgroup it’s in (VEGAS2), and the Media Access Control (MAC) address. These entities can be identified by their NetBIOS suffixes (the two-digit hexadecimal number to the right of the name).

Older versions of Windows would cough up information about any logged-on users in nbtstat output. Logged-on users would normally have an entry in the NetBIOS Name Table for the Messenger service (see the row beginning with <username>). By default on newer versions of Windows, the Messenger service is disabled, so nbtstat output no longer contains this information. Since this service is off by default in newer versions of Windows, the NetBIOS Name Table cannot be used to identify valid account names on the server.
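
An added example, not part of the original post: a small Python parser that labels each row of the name table above by its NetBIOS suffix and reports any Messenger (<03>) names other than the host's own, which is a quick way to audit whether a machine still leaks logged-on users. The suffix meanings are the standard Microsoft assignments; the function name and the JSMITH rows are constructed for illustration.

```python
import re
# Well-known NetBIOS suffix meanings, keyed by (hex suffix, name type).
SUFFIXES = {
    ("00", "UNIQUE"): "Workstation service", ("00", "GROUP"): "Domain or workgroup name",
    ("01", "GROUP"): "Master browser", ("03", "UNIQUE"): "Messenger service",
    ("1B", "UNIQUE"): "Domain master browser", ("1C", "GROUP"): "Domain controllers",
    ("1D", "UNIQUE"): "Master browser", ("1E", "GROUP"): "Browser service elections",
    ("20", "UNIQUE"): "File server service",
}
ROW = re.compile(r"^\s*(.+?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+\w+\s*$")
MAC = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")

def parse_name_table(text):
    """Summarise nbtstat -A style output: names, roles, MAC, Messenger entries."""
    out = {"computer": None, "domain": None, "mac": None, "entries": [], "messenger": []}
    for line in text.splitlines():
        if (mac := MAC.search(line)):
            out["mac"] = mac.group(1).upper()
        row = ROW.match(line)
        if not row:
            continue  # headers, adapter banner, MAC line
        name, suffix, kind = row.group(1), row.group(2).upper(), row.group(3)
        out["entries"].append((name, suffix, kind, SUFFIXES.get((suffix, kind), "Unknown")))
        if (suffix, kind) == ("00", "UNIQUE"):
            out["computer"] = name
        elif (suffix, kind) == ("00", "GROUP"):
            out["domain"] = name
        elif suffix == "03":
            out["messenger"].append(name)
    # <03> names other than the computer's own are what exposed logged-on users.
    out["user_candidates"] = [n for n in out["messenger"] if n != out["computer"]]
    return out

# Rows copied from the nbtstat output shown in the post.
POST_OUTPUT = """\
CAESARS  <00> UNIQUE  Registered
VEGAS2   <00> GROUP    Registered
VEGAS2  <1C> GROUP   Registered
CAESARS <20> UNIQUE Registered
VEGAS2 <1B> UNIQUE Registered
VEGAS2 <1E> GROUP   Registered
VEGAS2 <1D> UNIQUE Registered
..__MSBROWSE__.<01> GROUP Registered
MAC Address = 00-01-03-27-93-8F
"""
# Constructed rows (JSMITH is made up): the same host with Messenger running.
OLD_HOST = POST_OUTPUT + "CAESARS <03> UNIQUE Registered\nJSMITH <03> UNIQUE Registered\n"
if __name__ == "__main__":
    print(parse_name_table(OLD_HOST)["user_candidates"])
```

An empty `user_candidates` list, as with the post's own output, means the table shows only machine and domain roles.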
