Host Enumeration via NetBIOS
On Windows, we can gather information about the hosts on a network by querying the NetBIOS name service
We can use it to obtain the NetBIOS name table of a remote machine, by host name or by IP address
nbtstat -a $hostname
nbtstat -a $IP
#Example output
...
Name Type Status
---------------------------------------------
WORKSTATION01 <00> UNIQUE Registered
WORKGROUP <00> GROUP Registered #Default group
WORKSTATION01 <20> UNIQUE Registered
...
We can compare this table with those of other hosts to see whether they belong to the same or related domains or workgroups, and whether they are likely members of an Active Directory domain
nbtstat -a $hostname
#Example output
...
Name Type Status
---------------------------------------------
WORKSTATION02 <00> UNIQUE Registered
DOMAIN <00> GROUP Registered #Custom domain
WORKSTATION02 <20> UNIQUE Registered
DOMAIN2 <00> GROUP Registered #Custom domain
...
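As an added illustration (not part of the original page), a small Python parser for the name table printed by nbtstat -a: it maps the well-known name suffixes to what they mean and compares two hosts' tables for shared domains or workgroups. The suffix table and the sample tables below are constructed for this example, modelled on the two outputs above plus a hypothetical domain controller.

```python
import re
from typing import List, NamedTuple, Set

# Well-known NetBIOS name suffixes (table assumed for this example; the page only shows <00> and <20>)
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "Workstation Service (host name)",
    ("00", "GROUP"): "Domain or workgroup name",
    ("20", "UNIQUE"): "File Server Service (host offers SMB shares)",
    ("1B", "UNIQUE"): "Domain Master Browser",
    ("1C", "GROUP"): "Domain Controllers",
    ("1D", "UNIQUE"): "Master Browser",
}

class NbtName(NamedTuple):
    name: str
    suffix: str
    kind: str  # "UNIQUE" or "GROUP"
    status: str

# One row of the remote name table: NAME <xx> UNIQUE|GROUP Status (header and ruler lines do not match)
ROW_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)", re.M)

def parse_name_table(output: str) -> List[NbtName]:
    """Turn raw nbtstat -a output into structured records."""
    return [NbtName(n, s.upper(), k, st) for n, s, k, st in ROW_RE.findall(output)]

def describe(entry: NbtName) -> str:
    return SUFFIX_MEANING.get((entry.suffix, entry.kind), "unknown suffix")

def group_names(entries: List[NbtName]) -> Set[str]:
    """Domain/workgroup names the host registered (<00> GROUP rows)."""
    return {e.name for e in entries if (e.suffix, e.kind) == ("00", "GROUP")}

def shared_groups(out_a: str, out_b: str) -> Set[str]:
    """Domains/workgroups two hosts have in common, straight from their raw output."""
    return group_names(parse_name_table(out_a)) & group_names(parse_name_table(out_b))

def is_domain_controller(entries: List[NbtName]) -> bool:
    """Only domain controllers register the DOMAIN<1C> group name."""
    return any((e.suffix, e.kind) == ("1C", "GROUP") for e in entries)

# Constructed samples modelled on the page's two tables plus a hypothetical DC (not real captures)
HEADER = "    Name               Type         Status\n ---------------------------------------------\n"
WS01 = HEADER + "WORKSTATION01 <00> UNIQUE Registered\nWORKGROUP <00> GROUP Registered\nWORKSTATION01 <20> UNIQUE Registered"
WS02 = HEADER + "WORKSTATION02 <00> UNIQUE Registered\nDOMAIN <00> GROUP Registered\nWORKSTATION02 <20> UNIQUE Registered\nDOMAIN2 <00> GROUP Registered"
DC01 = HEADER + "DC01 <00> UNIQUE Registered\nDOMAIN <00> GROUP Registered\nDC01 <20> UNIQUE Registered\nDOMAIN <1C> GROUP Registered"

if __name__ == "__main__":
    for label, out in (("WORKSTATION02", WS02), ("DC01", DC01)):
        print(label, [f"{e.name}<{e.suffix}> {describe(e)}" for e in parse_name_table(out)], "DC:", is_domain_controller(parse_name_table(out)))
    print("shared with WORKSTATION02:", shared_groups(WS02, DC01))
```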
We can also list the local NetBIOS name cache, the recently resolved names and their IP addresses, to build a custom name-to-address map of the network
nbtstat -c
#Example output
...
Name Type Host Address Life [sec]
--------------------------------------------------------
DOMAIN <00> GROUP 192.168.1.10 543
WORKGROUP <00> GROUP 192.168.1.255 340
...
We can also list the shared resources of a host with the net view command
net view \\$IP /ALL
#Example output
...
Share name Type Used as Comment
------------------------------------------
C$ Disk Default share
SharedDocs Disk Shared documents #Not default
...