kali@kali:~$ nmap -v -p 139,445 -oG smb.txt 192.168.50.1-254
kali@kali:~$ cat smb.txt
# Nmap 7.92 scan initiated Thu Mar 17 06:03:12 2022 as: nmap -v -p 139,445 -oG smb.txt 192.168.50.1-254
# Ports scanned: TCP(2;139,445) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 192.168.50.1 () Status: Down
...
Host: 192.168.50.21 () Status: Up
Host: 192.168.50.21 () Ports: 139/closed/tcp//netbios-ssn///, 445/closed/tcp//microsoft-ds///
...
Host: 192.168.50.217 () Status: Up
Host: 192.168.50.217 () Ports: 139/closed/tcp//netbios-ssn///, 445/closed/tcp//microsoft-ds///
# Nmap done at Thu Mar 17 06:03:18 2022 -- 254 IP addresses (15 hosts up) scanned in 6.17 seconds
Listing 73 - Using nmap to scan for the NetBIOS service

We saved the scan output to a text file in nmap's greppable format (-oG). Each live host gets a "Ports:" line recording the state of ports 139 and 445, so grepping the file for "open" gives us the hosts that expose NetBIOS or SMB.
There are other, more specialized tools for identifying NetBIOS information, such as nbtscan. We can use it to query the NetBIOS name service (UDP port 137) for valid NetBIOS names. The -r option makes nbtscan send its queries from source UDP port 137, which some older hosts require before they will answer; binding that privileged port is why the command runs under sudo.
kali@kali:~$ sudo nbtscan -r 192.168.50.0/24
Doing NBT name scan for addresses from 192.168.50.0/24

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
192.168.50.124   SAMBA            <server>  SAMBA            00:00:00:00:00:00
192.168.50.134   SAMBAWEB         <server>  SAMBAWEB         00:00:00:00:00:00
...
Listing 74 - Using nbtscan to collect additional NetBIOS information

The scan revealed two NetBIOS names belonging to two hosts. This kind of information can be used to further improve the context of the scanned hosts, as NetBIOS names are often very descriptive about the role of the host within the organization. This data can feed our information-gathering cycle by leading to further disclosures.
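The two steps above (sweep with nmap -oG, then hand the interesting hosts to nbtscan) are usually glued together with a little text processing on smb.txt. The script below is an added example and is not part of the course material: it parses the greppable format into a list of hosts with 139 or 445 open and into a per-host breakdown of which of the two ports is open. The smb.txt content it builds is constructed to mirror the layout of Listing 73 (the open states on .124 and .134 are assumed for illustration, not real scan results), and the nbtscan and nmap follow-on commands in the comments are left for a live network.

```shell
#!/bin/sh
# Added example, not part of the original course listing: turn the greppable
# nmap output (-oG) from the SMB sweep into a clean target list and show the
# open-port breakdown per host. The smb.txt content below is CONSTRUCTED to
# mirror the layout of Listing 73; it is not real scan data.

SAMPLE_SMB="$(mktemp)"
trap 'rm -f "$SAMPLE_SMB"' EXIT
cat > "$SAMPLE_SMB" <<'EOF'
# Nmap 7.92 scan initiated Thu Mar 17 06:03:12 2022 as: nmap -v -p 139,445 -oG smb.txt 192.168.50.1-254
# Ports scanned: TCP(2;139,445) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 192.168.50.1 () Status: Down
Host: 192.168.50.21 () Status: Up
Host: 192.168.50.21 () Ports: 139/closed/tcp//netbios-ssn///, 445/closed/tcp//microsoft-ds///
Host: 192.168.50.124 () Status: Up
Host: 192.168.50.124 () Ports: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 192.168.50.134 () Status: Up
Host: 192.168.50.134 () Ports: 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 192.168.50.217 () Status: Up
Host: 192.168.50.217 () Ports: 139/closed/tcp//netbios-ssn///, 445/closed/tcp//microsoft-ds///
# Nmap done at Thu Mar 17 06:03:18 2022 -- 254 IP addresses (15 hosts up) scanned in 6.17 seconds
EOF

# Each "Host: <ip> () Ports: ..." line carries one "port/state/proto//service///"
# field per scanned port. Print the IP of every host with 139 or 445 open.
smb_open_hosts() {
    awk '/^Host: / && /Ports: / && /[ \t](139|445)\/open\//{ print $2 }' "$1" | sort -u
}

# Per-host breakdown: "<ip> <comma-separated open ports>", only for hosts with
# at least one open port. This separates 445-only hosts (SMB directly over TCP)
# from hosts that also expose the NetBIOS session service on 139.
smb_open_ports() {
    awk '
        /^Host: / && /Ports: / {
            ip = $2
            sub(/.*Ports: /, "")      # keep only the port fields
            sub(/\t.*/, "")           # drop a trailing tab-separated field such as "Ignored State:"
            n = split($0, field, /, */)
            open = ""
            for (i = 1; i <= n; i++) {
                split(field[i], part, "/")   # part[1] = port, part[2] = state
                if (part[2] == "open")
                    open = (open == "") ? part[1] : open "," part[1]
            }
            if (open != "") print ip, open
        }
    ' "$1"
}

smb_open_count() {
    smb_open_hosts "$1" | wc -l | tr -d ' '
}

# Demo against the constructed file. Against a real smb.txt the target list
# goes straight to nbtscan (-f reads targets from a file, -r needs root) and
# to the SMB NSE scripts via nmap -iL, for example:
#   smb_open_hosts smb.txt > smb-targets.txt
#   sudo nbtscan -r -f smb-targets.txt
#   nmap -p 139,445 --script smb-os-discovery -iL smb-targets.txt
echo "Hosts with 139 or 445 open:"
smb_open_hosts "$SAMPLE_SMB"
echo "Open SMB/NetBIOS ports per host:"
smb_open_ports "$SAMPLE_SMB"
```

The filter keys on the literal state "open", so hosts where the ports are "closed" or "filtered" (as with 139 on .134 in the sample) are never passed on; if a firewall is silently dropping 139 but 445 answers, the per-host breakdown shows it.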
Nmap also offers many useful NSE scripts that we can use to discover and enumerate SMB
services. We’ll find these scripts in the /usr/share/nmap/scripts directory.
kali@kali:~$