EC EHE - Enum Tools
Nbtstat Utility
Source: https://docs.microsoft.com
Nbtstat is a Windows utility that helps in troubleshooting NETBIOS name resolution problems. The nbtstat command removes and corrects preloaded entries using several case-sensitive switches. Attackers use Nbtstat to enumerate information such as NetBIOS over TCP/IP (NetBT) protocol statistics, NetBIOS name tables for both local and remote computers, and the NetBIOS name cache.
The syntax of the nbtstat command is as follows:
nbtstat [-a RemoteName] [-A IP Address] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [Interval]
The table shown below lists various Nbtstat parameters and their respective functions.
|
Nbtstat Parameter |
Function |
|
-a RemoteName |
Displays the NetBIOS name table of a remote computer, where RemoteName is the NetBIOS computer name of the remote computer |
|
-A IP Address |
Displays the NetBIOS name table of a remote computer, specified by the IP address (in dotted decimal notation) of the remote computer |
|
-c |
Lists the contents of the NetBIOS name cache, the table of NetBIOS names and their resolved IP addresses |
|
-n |
Displays the names registered locally by NetBIOS applications such as the server and redirector |
|
-r |
Displays a count of all names resolved by a broadcast or WINS server |
|
-R |
Purges the name cache and reloads all #PRE-tagged entries from the Lmhosts file |
|
-RR |
Releases and re-registers all names with the name server |
|
-s |
Lists the NetBIOS sessions table converting destination IP addresses to computer NetBIOS names |
|
-S |
Lists the current NetBIOS sessions and their status with the IP addresses |
|
Interval |
Re-displays selected statistics, pausing at each display for the number of seconds specified in Interval |
Table 2.1: Nbtstat parameters and their respective functions
The following are some examples for nbtstat commands.
1. The nbtstat command “nbtstat –a <IP address of the remote machine>” can be executed to obtain the NetBIOS name table of a remote computer.
Figure 2.12: Nbtstat command to obtain the name table of a remote system
2. The nbtstat command “nbtstat –c” can be executed to obtain the contents of the NetBIOS name cache, the table of NetBIOS names, and their resolved IP addresses.
Figure 2.13: Nbtstat command to obtain the contents of the NetBIOS name table
NetBIOS Enumerator
Source: http://nbtenum.sourceforge.net
NetBIOS Enumerator is an enumeration tool that shows how to use remote network support and to deal with some other web protocols, such as SMB. As shown in the screenshot, attackers use NetBIOS Enumerator to enumerate details such as NetBIOS names, usernames, domain names, and media access control (MAC) addresses for a given range of IP addresses.
Figure 2.14: Screenshot of NetBIOS Enumerator
The following are some additional NetBIOS enumeration tools:
Global Network Inventory (http://www.magnetosoft.com)
Advanced IP Scanner (https://www.advanced-ip-scanner.com)
Hyena (https://www.systemtools.com)
Nsauditor Network Security Auditor (https://www.nsauditor.com)
Comments