Sunday, November 06, 2011

Without fail…

Why does it seem -- without fail -- that when I am done taking the long route through a complex and time-consuming process, I seem to only then find a tool that could do perfectly what I was doing in less than half the time and effort?

In my “recent” GSD post, On the Hunt… I outlined how I was using a bat file to do an NBTSTAT -A process to collect valid IP addresses, host names, and MAC addresses; and then how I was doing manual work to convert them into a tabular (CSV) format for importation into Excel.
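The manual conversion step described above can be scripted. The following is an added example, not code from the original post: it parses collected `nbtstat -A` output into IP, host name and MAC rows and writes CSV. The `=== <ip> ===` marker line (assumed to be echoed by the batch file before each run), the function names and the sample data are all assumptions made for illustration.

```python
import csv
import io
import re

# Constructed sample: two targets. The "=== <ip> ===" marker is a hypothetical
# line the collecting batch file echoes before each "nbtstat -A <ip>" call.
SAMPLE = """\
=== 192.168.1.10 ===
Local Area Connection:
Node IpAddress: [192.168.1.5] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    WORKGROUP      <00>  GROUP       Registered
    DESKTOP-01     <00>  UNIQUE      Registered
    DESKTOP-01     <20>  UNIQUE      Registered

    MAC Address = 00-11-22-33-44-55
=== 192.168.1.11 ===
Local Area Connection:
Node IpAddress: [192.168.1.5] Scope Id: []

    Host not found.
"""

MARKER = re.compile(r"^=== (\d{1,3}(?:\.\d{1,3}){3}) ===$", re.M)
# The <00> UNIQUE entry is the workstation (computer) name; <00> GROUP is the domain.
NAME = re.compile(r"^[ \t]*(\S+)[ \t]+<00>[ \t]+UNIQUE[ \t]+Registered", re.M)
MAC = re.compile(r"MAC Address = ((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})")

def parse_nbtstat(text):
    """Return [(ip, hostname, mac)] for every target that answered."""
    parts = MARKER.split(text)[1:]          # [ip1, body1, ip2, body2, ...]
    rows = []
    for ip, body in zip(parts[0::2], parts[1::2]):
        name, mac = NAME.search(body), MAC.search(body)
        if name and mac:                    # "Host not found." has neither
            rows.append((ip, name.group(1), mac.group(1).upper()))
    return rows

def to_csv(rows):
    """Render the rows as CSV text ready for import into Excel."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["ip", "hostname", "mac"])
    writer.writerows(rows)
    return out.getvalue()
```

Hosts that do not answer are dropped rather than written as empty rows, so the CSV lists only machines that returned a name table.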

This weekend I just found this free Windows CLI utility:

NBTScan. NetBIOS Name Network Scanner.

It has a cygwin1.dll component (949 kB) and the CLI executable nbtscan.exe (93 kB).  That’s it.

It seems to do all that I was doing, and then some. Nice.

The nbtscan.exe file alone worked perfectly on my Win 7 x64 system in testing against my home network IP ranges.  Super-fast and awesomely formatted output.

On the page are also a couple of “Gui” companions as well. One (Use42) had a component in the ZIP file that set off an AV alert with MS Security Essentials. I’m thinking it was because it was a potentially unwanted program (PUP) as it was part of a package for pen-testing work which included nbtscan. Use at your own discretion.

The “gui.exe” one looked nice and simple as well, but didn’t seem to offer access to the additional CLI argument options that nbtscan can use.

Those baked-in argument options with the tool are pretty powerful and useful, check out the page for more information.

post update: in the comments to this post, Mark Woan recommends as an alternative tool, Steve Friedl’s version nbtscan - NETBIOS nameserver scanner. It is a single tiny executable file and doesn’t require the cygwin1.dll component that NBTScan does.  In my tests it worked fine on my Win 7 x64 system, however I couldn’t get it to display the MAC information when I used the required argument. I didn’t have that issue with the first NBTScan tool. Probably just a Layer 8 issue…  Thanks Mark!

Bonus #1: Check out this new pen-test tool from the same developer: MagicTree

Bonus #2: recently updated their Top Network Security Tools list.


Claus V.


Chad Tilbury said...

Great find, Claus! Unfortunately a lot of attackers have also found NBTScan. I've seen evidence of it being used during several intrusion investigations. Unfortunately almost anything that can be used for good, can also be used for evil....

Anonymous said...

a lot of attackers have also found NBTScan

Don't have public-facing NetBIOS shares; they should only be accessible via LAN or VPN. If you've got an attacker on the LAN/VPN, you've got bigger problems than NetBIOS shares.

Mark Woan said...

Claus, personally I use this version of nbtscan, which does not have a cygwin dependency: