A Comprehensive Guide to SMB Enumeration using nbtscan and nmap

nbtscan and nmap nbtstat For SMB scanning

SMB network scans by nbtscan and nbtstat script in Nmap

nbtscan and nbtstat are free to network scanning software it is finding out vulnerability after scanning network. it generates scanning files, contains the IP Address and other information on the NetBIOS block. it is amazing network scanning tools in kali Linux used for network security auditing and finding out vulnerability. 

SMB  enumeration

SMB enumeration is a technique to get all entities related to NetBIOS, If the pentester is working at the windows environment then he reveals the NetBIOS information through the nbtscan.

nbtscan for Linux

The nbtscan tool will generate a report that contains the IP address, NetBIOS computer name, services available, logged in username, and MAC address of the corresponding machines. The NetBIOS name is useful if you want to access the service provided by the machine using the NetBIOS protocol that is connected to an open share. Be careful as using this tool will generate a lot of traffic and it may be logged by the target machines. (Kali Linux- Assuring Security by Penetration Testing – Allen, Lee)

Nbtscan Usages

To see the available options for nbtscan just type nbtscan –h in the command line console.

Following options are available with nbtscan

                -v     verbose output. Print all names received from each host

                -d     dump packets. Print whole packet contents.

                -e     Format output in /etc/hosts format.

                -l      Format output in lmhosts format. Cannot be used with -v, -s or -h options.

                -t timeout wait timeout milliseconds for the response. Default 1000.

                -b bandwidth     Output throttling. Slow down output, it uses no more than bandwidth bps. Useful on slow links, so that outgoing queries don’t get dropped.

                -r    use local port 137 for scans. Win95 boxes respond to this only. You need to be root to use this option on Unix.

                -q    Suppress banners and error messages,

                -s separator        Script-friendly output. Don’t print column and record headers, separate fields with separator.

                -h                      Print human-readable names for services. It can only be used with -v option.

                -m retransmits the Number of retransmits. Default 0.

                -f filename          Take IP addresses to scan from file filename. -f – makes nbtscan take IP addresses from stdin.

                <scan_range>   what to scan. Can either be single IP like or range of  addresses in one of two form  xxx.xxx.xxx.xxx/xx or xxx.xxx.xxx.xxx-xxx.

Examples How to use nbtscan

nbtscan -r

                Scans the whole C-class network.


                Scans a range from to

nbtscan -v -s :

                Scans C-class network. Prints result in script-friendly format using a colon as field separator

nbtscan -f iplist

                Scans IP addresses specified in file iplist.

Enumerate smb by nbtstat script in nmap

User Summary

Attempts to retrieve the target’s NetBIOS names and MAC addresses.

By default, the script displays the name of the computer and the logged-in user; if the verbosity is turned up, it displays all names the system thinks it owns.

Example Usage

sudo nmap -sU –script nbstat.nse -p137 <host>

MODULE 6:- Enumeration

  1. Secure Socket Layer SSL analysis with sslstrip in Kali Linux
  2. SNMP Enumeration Kali by snmpwalk tool and snmpenum
  3. nbtscan and nmap “nbtstat -s” For SMB scanning

If you like our content, please consider buying us a coffee.
Thank you for your support!

Leave a Reply

Your email address will not be published. Required fields are marked *