Command Line Parameters
When nbtscan is run without command-line arguments, it reports a short "help" listing that summarizes the options available, which are expanded on here.
--version
-V This simply shows the current version information, and I try to keep it updated on each rebuild. Version history is below.
-f This shows the full NBT resource record responses for each machine scanned, not just the one-line summary. This is recommended when studying one single machine, but it's much less useful when scanning a larger range.
-O outfile Send results to outfile rather than to the standard output.
-H Generate an HTTP header. During penetration testing, sometimes we are able to install the nbtscan.exe program on a remote IIS web server and run it with the "Unicode" exploit, but since the output is "regular" text, the output gets confused by the web server that thinks it's a broken CGI script. The -H option addes a simple Content-type: text/plain header with a blank line that makes the output show up correctly.
-P Generate Perl hashref output, which can be loaded into an existing program for easier processing. This is much easier than parsing text output.
-v This turns on some more verbose debugging, but this is really only meant for the developer's use and probably won't help an end-user that much. The code considered "verbose" changes from release to release as bugs are tracked down, and we make no effort to make this useful in the general case.
-n In a few reporting modes, the IP address of the remote machine is used as a key to look up the "inverse" name. This is normally helpful, but many nameservers are misconfigured in a way that make this appear to "hang", so -n turns off this inverse name lookup.
-p port This allows specification of a UDP port number to be used as the source in sending a query. Normally the program picks a random ephemeral port number, and this is entirely sufficient in most cases.
But some Windows 95 machines send their responses to port 137 no matter where the query came from (we consider this a bug), so using -p 137 will force nbtscan to bind to this port instead of the random one. In addition, some older versions of the ZoneAlarm personal firewall would incorrectly allow NETBIOS queries if the source port is 53 (DNS).
But note that you can't bind to a port that already is in use, and on Windows this usually means that port 137 is unavailable to you.
-m Include the MAC (aka "Ethernet") addresses in the response, which is already implied by the -f option.
-T secs When scanning a large range of addresses, it's not always clear when we are "finished". If we send out (say) five queries, we're clearly done when we get five responses, but if any machine does not respond, we have to rely on timeouts. The -T option controls how long we'll wait for any response, and the default is 2 seconds.
-w msecs Unless the local network is being scanned, we cannot typically blast many queries lest packets be lost on the way. We normally pause for a short time after each network write operation to allow things to clear out before sending another, and this allows the "tuning" of that time. It is specified in milliseconds, and the default is 10 milliseconds.
-t tries Try each address up to tries times, which is useful when dealing with a remote network that is (somehow) dropping packets. Once a given machine has responded, it won't be queried again. Default = 1.
-n Don't look up inverse DNS names in the full listing (show IP addresses).
-1 Force the use of Winsock version 1 (Windows only) rather than the default which is usually version 2. |
|