{
	"id": "3b635f97-32e2-450d-a978-7cb4ed14b569",
	"created_at": "2026-04-06T00:06:29.514544Z",
	"updated_at": "2026-04-10T03:21:35.161245Z",
	"deleted_at": null,
	"sha1_hash": "301ace073bdff984cb48636ea7ca566904afca25",
	"title": "nbtscan(1) — nbtscan — Debian testing — Debian Manpages",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 96400,
	"plain_text": "nbtscan(1) — nbtscan — Debian testing — Debian Manpages\r\nBy AUTHOR¶\r\nArchived: 2026-04-05 15:58:35 UTC\r\nScroll to navigation\r\nNAME¶\r\nnbtscan - scan networks for NetBIOS name information\r\nSYNOPSIS¶\r\nnbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q]\r\n [-s separator] [-h] [-m retransmits] [-f filename | target]\r\nDESCRIPTION¶\r\nNBTscan is a program for scanning IP networks for NetBIOS name information. It sends NetBIOS status query to\r\neach address in supplied range and lists received information in human readable form. For each responded host it\r\nlists IP address, NetBIOS computer name, logged-in user name and MAC address (such as Ethernet).\r\nNBTscan produces a report like that:\r\n IP address NetBIOS Name Server User MAC address\r\n -----------------------------------------------------------------------\r\n 192.168.1.2 MYCOMPUTER JDOE 00-a0-c9-12-34-56\r\n 192.168.1.5 WIN98COMP \u003cserver\u003e RROE 00-a0-c9-78-90-00\r\nhttps://manpages.debian.org/testing/nbtscan/nbtscan.1.en.html\r\nPage 1 of 8\n\n192.168.1.123 DPTSERVER \u003cserver\u003e ADMINISTRATOR 08-00-09-12-34-56\r\nFirst column lists IP address of responded host. Second column is computer name. Third column indicates if this\r\ncomputer shares or is able to share files or printers. For NT machine it means that Server Service is running on\r\nthis computer. For Windows 95 it means that \"I want to be able to give others access to my files\" or \"I want to be\r\nable to allow others to print on my printer(s)\" checkbox is ticked (in Control Panel/Network/File and Print\r\nSharing). Most often it means that this computer shares files. Third column shows user name. If no one is logged\r\non from this computer it is same as computer name. Last column shows adapter MAC address.\r\nIf run with -v switch NBTscan lists whole NetBIOS name table for each responded address. The output looks like\r\nthat:\r\n NetBIOS Name Table for Host 192.168.1.123:\r\n Name Service Type\r\n ----------------------------------------\r\n DPTSERVER \u003c00\u003e UNIQUE\r\n DPTSERVER \u003c20\u003e UNIQUE\r\n DEPARTMENT \u003c00\u003e GROUP\r\n DEPARTMENT \u003c1c\u003e GROUP\r\n DEPARTMENT \u003c1b\u003e UNIQUE\r\n DEPARTMENT \u003c1e\u003e GROUP\r\n DPTSERVER \u003c03\u003e UNIQUE\r\n DEPARTMENT \u003c1d\u003e UNIQUE\r\nhttps://manpages.debian.org/testing/nbtscan/nbtscan.1.en.html\r\nPage 2 of 8\n\n??__MSBROWSE__? \u003c01\u003e GROUP\r\n INet~Services \u003c1c\u003e GROUP\r\n IS~DPTSERVER \u003c00\u003e UNIQUE\r\n DPTSERVER \u003c01\u003e UNIQUE\r\n Adapter address: 00-a0-c9-12-34-56\r\n ----------------------------------------\r\nOPTIONS¶\r\nA summary of options is included below.\r\n-v\r\nVerbose output. Print all names received from each host.\r\n-d\r\nDump packets. Print whole packet contents. Cannot be used with -v, -s or -h options.\r\n-e\r\nFormat output in /etc/hosts format.\r\n-l\r\nFormat output in lmhosts format.\r\n-t \u003ctimeout\u003e\r\nWait timeout seconds for response. Default 1.\r\n-b \u003cbandwidth\u003e\r\nOutput throttling. Slow down output so that it uses no more that bandwidth bps. Useful on slow links, so\r\nthat outgoing queries don't get dropped.\r\n-r\r\nUse local port 137 for scans. Win95 boxes respond to this only. You need to be root to use this option.\r\n-q\r\nSuppress banners and error messages.\r\n-s \u003cseparator\u003e\r\nScript-friendly output. Don't print column and record headers, separate fields with separator.\r\n-h\r\nPrint human-readable names for services. Can only be used with -v option.\r\nhttps://manpages.debian.org/testing/nbtscan/nbtscan.1.en.html\r\nPage 3 of 8\n\n-m \u003cretransmits\u003e\r\nNumber of retransmits. Default 0.\r\n-f \u003cfilename\u003e\r\nTake IP addresses to scan from file \"filename\"\r\ntarget\r\nNBTscan is a command-line tool. You have to supply at least one argument, the address range, in one of\r\nthree forms:\r\nxxx.xxx.xxx.xxx\r\nSingle IP in dotted-decimal notation. Example: 192.168.1.1\r\nxxx.xxx.xxx.xxx/xx\r\nNet address and subnet mask. Example: 192.168.1.0/24\r\nxxx.xxx.xxx.xxx-xxx\r\nAddress range. Example: 192.168.1.1-127. This will scan all addresses from 192.168.1.1 to 192.168.1.127\r\nEXAMPLES¶\r\nScans the whole C-class network:\r\n nbtscan 192.168.1.0/24\r\nScans the whole C-class network, using port 137:\r\n nbtscan -r 192.168.1.0/24\r\nScans a range from 192.168.1.25 to 192.168.1.137:\r\n nbtscan 192.168.1.25-137\r\nScans C-class network. Prints results in script-friendly format using colon as field separator:\r\n nbtscan -v -s : 192.168.1.0/24\r\nThe last command produces output like that:\r\nhttps://manpages.debian.org/testing/nbtscan/nbtscan.1.en.html\r\nPage 4 of 8\n\n192.168.0.1:NT_SERVER:00U\r\n 192.168.0.1:MY_DOMAIN:00G\r\n 192.168.0.1:ADMINISTRATOR:03U\r\n 192.168.0.2:OTHER_BOX:00U\r\n ...\r\nScans IP addresses specified in file iplist:\r\n nbtscan -f iplist\r\nNETBIOS SUFFIXES¶\r\nNetBIOS Suffix, aka NetBIOS End Character (endchar), indicates service type for the registered name. The most\r\nknown codes are listed below. (U = Unique Name, G = Group Name)\r\n Name Number(h) Type Usage\r\n --------------------------------------------------------------------------\r\n \u003ccomputername\u003e 00 U Workstation Service\r\n \u003ccomputername\u003e 01 U Messenger Service\r\n \u003c\\--__MSBROWSE__\u003e 01 G Master Browser\r\n \u003ccomputername\u003e 03 U Messenger Service\r\nhttps://manpages.debian.org/testing/nbtscan/nbtscan.1.en.html\r\nPage 5 of 8\n\n\u003ccomputername\u003e 06 U RAS Server Service\r\n \u003ccomputername\u003e 1F U NetDDE Service\r\n \u003ccomputername\u003e 20 U File Server Service\r\n \u003ccomputername\u003e 21 U RAS Client Service\r\n \u003ccomputername\u003e 22 U Exchange Interchange(MSMail Connector)\r\n \u003ccomputername\u003e 23 U Exchange Store\r\n \u003ccomputername\u003e 24 U Exchange Directory\r\n \u003ccomputername\u003e 30 U Modem Sharing Server Service\r\n \u003ccomputername\u003e 31 U Modem Sharing Client Service\r\n \u003ccomputername\u003e 43 U SMS Clients Remote Control\r\n \u003ccomputername\u003e 44 U SMS Administrators Remote Control Tool\r\n \u003ccomputername\u003e 45 U SMS Clients Remote Chat\r\n \u003ccomputername\u003e 46 U SMS Clients Remote Transfer\r\n \u003ccomputername\u003e 87 U Microsoft Exchange MTA\r\n \u003ccomputername\u003e 6A U Microsoft Exchange IMC\r\nhttps://manpages.debian.org/testing/nbtscan/nbtscan.1.en.html\r\nPage 6 of 8\n\n\u003ccomputername\u003e BE U Network Monitor Agent\r\n \u003ccomputername\u003e BF U Network Monitor Application\r\n \u003cusername\u003e 03 U Messenger Service\r\n \u003cdomain\u003e 00 G Domain Name\r\n \u003cdomain\u003e 1B U Domain Master Browser\r\n \u003cdomain\u003e 1C G Domain Controllers\r\n \u003cdomain\u003e 1D U Master Browser\r\n \u003cdomain\u003e 1E G Browser Service Elections\r\n \u003cINet~Services\u003e 1C G IIS\r\n \u003cIS~computer name\u003e 00 U IIS\r\nFAQ¶\r\n1.\r\nNBTscan lists my Windows boxes just fine but does not list my Unixes or routers. Why?\r\nR: That is the way it is supposed to work. NBTscan uses NetBIOS for scanning and NetBIOS is only implemented\r\nby Windows (and some software on Unix such as Samba).\r\n2.\r\nWhy do I get \"Connection reset by peer\" errors on Windows 2000?\r\nR: NBTscan uses port 137 UDP for sending queries. If the port is closed on destination host destination will reply\r\nwith ICMP \"Port unreachable\" message. Most operating system will ignore this message. Windows 2000 reports it\r\nto the application as \"Connection reset by peer\" error. Just ignore it.\r\n3.\r\nWhy NBTscan doesn't scan for shares? Are you going to add share scanning to NBTscan?\r\nhttps://manpages.debian.org/testing/nbtscan/nbtscan.1.en.html\r\nPage 7 of 8\n\nR: No. NBTscan uses UDP for what it does. That makes it very fast. Share scanning requires TCP. For one thing, it\r\nwill make nbtscan more slow. Also adding share scanning means adding a lot of new code to nbtscan. There is a\r\nlot of good share scanners around, so there is no reason to duplicate that work.\r\n4.\r\nWhy do I get 00-00-00-00-00-00 instead of MAC address when I scan a Samba box?\r\nR: Because that's what Samba send in response to the query. Nbtscan just prints out what it gets.\r\nNBTscan was created by Alla Bezroutchko \u003calla@inetcat.org\u003e. Currently is maintained by some volunteers at\r\nhttps://github.com/resurrecting-open-source-projects/nbtscan\r\nThis manual page was written for the first time by Ryszard Lach \u003crla@debian.org\u003e and rewritten, from scratch, by\r\nJoao Eriberto Mota Filho \u003ceriberto@debian.org\u003e for the Debian GNU/Linux system (but may be used by others).\r\nSource: https://manpages.debian.org/testing/nbtscan/nbtscan.1.en.html\r\nhttps://manpages.debian.org/testing/nbtscan/nbtscan.1.en.html\r\nPage 8 of 8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://manpages.debian.org/testing/nbtscan/nbtscan.1.en.html"
	],
	"report_names": [
		"nbtscan.1.en.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775433989,
	"ts_updated_at": 1775791295,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/301ace073bdff984cb48636ea7ca566904afca25.pdf",
		"text": "https://archive.orkl.eu/301ace073bdff984cb48636ea7ca566904afca25.txt",
		"img": "https://archive.orkl.eu/301ace073bdff984cb48636ea7ca566904afca25.jpg"
	}
}