nbtscan. Узнаем NETBIOS имена в локальной сети
В рамках тестирования на проникновение часто приходится искать что-то интересное в сети, особенно если мы находимся в сегменте рабочих станций. Например поискать АРМ конкретных пользователей, которые занимают должности подразумевающие повышенные привелегии. Зачем это делать? Например для проведения узконаправленной MITM атаки или поиска уязвимостей у конкретных рабочих станций или серверов.
В поисках нам могут помочь имена ПК. Узнать имена большинства ПК и других устройств можно с помощью протокола NETBIOS и утилиты nbtscan.
Использование утилиты очень простое:
nbtscan 192.168.1.0/24
где, 192.168.1.0/24 это интересующая нас подсеть.
На выходе мы получим список IP адресов и NETBIOS имен.
Так же есть пара полезных ключей:
-v подробный вывод всех найденных имен ПК с указанием сервиса, от которого было получено имя (Workstation Service, File Server Service, Master Browser, Browser Service Elections и т.д.)
-h написать читаемое имя сервиса (используется только с параметром -v)
Остальные ключи касаются формата вывода полученной информации и в основном нужны для формирования списков для дальнейшего использования и их можно посмотреть запустив nbtscan без параметров.
Например командой:
мы получим вывод через двоеточие.
А дальше уже каждый сам решит, какую информацию и в каком формате ему потребуется дальше использовать.
Заказать Аудит Безопасности или Пентест Вашей IT-инфраструктуры
Быть уверенным в своей IT-инфраструктуре – это быть уверенным в завтрашнем дне.
How to get the computer name (not its hostname)?
All the results of my searches end up having something to do with hostname or uname -n . I looked up the manual for both, looking for sneaky options, but no luck. I am trying to find an equivalent of OSX’s scutil —get ComputerName on Linux systems. On Mac OS X, the computer name is used as a human-readable identifier for the computer; it’s shown in various management screens (e.g. on inventory management, Bonjour-based remote access, . ) and serves as the default hostname (after filtering to handle spaces etc.).
I might be wrong, but defining the name of the computer as its network name means that it doesn’t have a fixed name, right? When you install a Linux or OSX on a machine, you usually choose a name for that computer (which is the default network name I assume). For example my laptop might be named «FooBar» but when I connect to a network at work I get a hostname such as «machine42.work.localnetwork».
@Sh3ljohn what purpose does computername is osx serve? I don’t think there’s any equivalent in linux system.
Did you give some name other than hostname when installing that computer? Try searching for that name in /etc: grep -ri ‘name’ /etc
@Bibek_G I would like to use this to identify the machine on which I am running from a software of mine. UUID is insufficient because there might be several OS’s installed on the same disk which in turn run on the same machine.
5 Answers 5
The closest equivalent to a human-readable (and human-chosen) name for any computer running Linux is the default hostname stored in /etc/hostname . On some (not all) Linux distributions, this name is entered during installation as the computee’s name (but with network hostname constraints, unlike macOS’s computer name). This can be namespaced, i.e. each UTS namespace can have a different hostname.
Systems running systemd distinguish three different hostnames, including a “pretty” human-readable name which is supposed to be descriptive in a similar fashion to macOS’s computer name; this can be set and retrieved using hostnamectl ’s —pretty option. The other two hostnames are the static hostname, which is the default hostname described above, and the transient hostname which reflects the current network configuration.
Systemd also supports a chassis type (e.g. “tablet”) and an icon for the host; see systemd-hostnamed.service .
But this file is often used to set hostname and uname -n , and @Sh3ljohn explicitly wanted to avoid the output of those two commands.
How to find a computer name in a LAN from the IP address?
My network includes machines running Linux and others running Windows. And my machine is running Linux.
The question is a bit unclear, which resulted in the varying — and good — answers below. Do you want to find the DNS name of a host? Do you want to find the WINS name? Do you want to search the network for all hosts found? All of these questions are answered — but the specific answer desired is unknown.
7 Answers 7
You can find your LAN subnet using ip addr command.
It will show all host name in LAN whether it is Linux or Windows. You also able to see mobile devices, if any present on LAN network. Here you need to make sure that you run command with sudo or root.
On Ubuntu 14.04 this says: «? (192.168.1.2) at 00:22:6b:f2:33:b3 [ether] on wlan0», giving me only info about my router (my laptop is connected to it via wifi, like about other 10 devices atm). Looking at man arp it says also «arp — manipulate the system ARP cache». How should this tool solve the original question?
Same here on Ubuntu 14.04, this just lists a bunch of ? (192.168.55.147) at ac:3a:7a:a4:01:d4 [ether] on eth0
Same here. I can only access the localhost by hostname, nothing else seems to advertise it’s hostname, even linux machines I have set up myself.
sudo aptitude install nmap nmap -sP xxx.xxx.xxx.xxx Starting Nmap 5.21 ( http://nmap.org ) at 2012-11-03 19:08 CET Nmap scan report for HOST.DOMAIN (xxx.xxx.xxx.xxx) Host is up (0.00052s latency). MAC Address: YY:YY:YY:YY:YY:YY (Manufactor) Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds Where HOST.DOMAIN is the DNS-name of the machine.
This shows all active IPs, but it only shows domains for machines which explicitly have custom domain configured in my local Bind server. It doesn’t show any local hostnames, which I think is what the OP is trying to accomplish.
-sP may have been changed to -sn depending on your version of nmap. From the nmap 7.12 manual: -sn (No port scan) In previous releases of Nmap, -sn was known as -sP.
Similar to the arp command, I believe this answer only works if you have a local DHCP server and DNS server/proxy that communicate with one another, so that the hostnames recorded with the DHCP leases can be resolved (or reverse-resolved, in this case) via DNS.
A Netbios name reverse lookup might accomplish what you want more than than «hostname» which is a function of DNS and tcp/ip. nmblookup with the -A parameter returns device names as well as mac address. Try something like this:
You can run it in windows
nbtstat -A xxx.xxx.xxx.xxx (where x is the ip address) on ubuntu you can install nbtscan. You can find more information here : http://www.unixwiz.net/tools/nbtscan.html
Thanks very much, but it seems that nbtscan detects machines running Windows only. I’ve 2 machines running Windows and another 2 running Linux. It detects the two running Windows only.
Sorry, I’ve read the tutorial but couldn’t figure out how to write the command that solves my problem. I can’t see options taking IP as input. Can you write the command for me please?
try nmblookup -A xxx.xxx.x.x where x is the ip address of the machine. So I would do nmblookup -A 192.168.1.6 and it would return the name of my machine. You will need to do that for each machine.
@Brett: (+1) you should convert your comment into an answer, as its the only method that worked for me (both windows and linux boxes). Thanks
it will show me the host name (usually the computer name)
nslookup does DNS searches, so for this to work you need the hosts to be registered in the DNS. If you have a regular Windows network, in a private IP range, without ActiveDirectory configured, it will not work. NetBios names, and DNS names are different beasts.
If your network is running a DHCP server, usually on the modem/router, chances are it will have a way for you to see the DHCP assigned addresses — often by a web page, and that often lists the computer names beside the allocated ip addresses.
To the best of my knowledge, there is no utility available to resolve an IP address into a NetBIOS name. I’d imagine that some sort of a network scoping program or a penetration testing program might be able to give you that sore of information though. However, all of the computers would have to be on the same domain and subnet.
I know this is old. and OP is using Linux, not Windows. but on Windows you can run nbtstat -A