Host Enumeration via NetBIOS
On Windows, we can get information about the hosts under a network by interacting with the NetBIOS protocol
We can use it to obtain the name table of a remote machine
nbtstat -a $hostname
nbtstat -a $IP
#Example output
...
Name Type Status
---------------------------------------------
WORKSTATION01 <00> UNIQUE Registered
WORKGROUP <00> GROUP Registered #Default group
WORKSTATION01 <20> UNIQUE Registered
...We could compare it to other hosts to identify if they are from the same or related domains, and even if they could belong to an Active Directory
nbtstat -a $hostname
#Example output
...
Name Type Status
---------------------------------------------
WORKSTATION02 <00> UNIQUE Registered
DOMAIN <00> GROUP Registered #Custom domain
WORKSTATION02 <20> UNIQUE Registered
DOMAIN2 <00> GROUP Registered #Custom domain
...We could also generate a list of recently resolved NetBIOS names and their corresponding IP addresses, to build a custom routing table
nbtstat -c
#Example output
...
Name Type Host Address Life [sec]
--------------------------------------------------------
DOMAIN <00> GROUP 192.168.1.10 543
WORKGROUP <00> GROUP 192.168.1.255 340
...We could also check shared resources using the
net viewcommmand
net view \\$IP /ALL
#Example output
...
Share name Type Used as Comment
------------------------------------------
C$ Disk Default share
SharedDocs Disk Shared documents #Not default
...Last updated