Nmap Development: Re: [SCRIPT] NetBIOS name and MAC query script

Re: [SCRIPT] NetBIOS name and MAC query script

From: DePriest, Jason R. <jrdepriest_at_gmail.com>
Date: Tue, 27 Mar 2007 21:58:17 -0600

If you would like more raw data to tweak your heuristics, I can run
nbtscan against a subnet or two of mixed hosts and send you the pcap
data and a key for what IPs are what.

If you want that, I'd rather just send it to you directly instead of
to the entire list.

-Jason

On 3/27/07, Brandon Enright <bmenrigh_at_ucsd.edu> wrote:
> Thank you, this was enough information to update the script (attached) to
> report the logged in username when NetBIOS actually reports the info [1].
>
> I don't know if this will work against Windows 9x/Me or not but it seems to
> work against 2k and XP boxes. Please let me know how it works.
>
> Brandon
>
>
> [1] NetBIOS doesn't seem to explicitly report computername vs domainname vs
> username etc. Oftentimes it doesn't even report the username. This script
> is using a best-guess heuristic to determine the computername and
> username. I think I've got it all correct but more testing/review is in
> order.
>
>
> On Tue, 27 Mar 2007 16:07:14 -0600
> "DePriest, Jason R." <jrdepriest_at_gmail.com> wrote:
>
> > On 3/27/07, Brandon Enright wrote:
> > > DePriest, Jason R. wrote:
> > > > I can give you detailed results from an nbtscan and a packet capture
> > > > of the traffic.
> > > >
> > > > Would that be sufficient to help out?
> > > >
> > > > -Jason
> > > >
> > >
> > > If you have a case where nbtscan was able to determine the remote user
> > > that was logged in that output and packet capture would be most useful.
> > > I suppose I could look at the nbtscan source code but I'd hate to run
> > > into odd legal/licensing problems in doing so.
> > >
> > > Brandon
> > >
> > >
> >
> > It looked like nbtstat provided more verbosity for the end-user, so I
> > used it instead.
> >
> > Nbtstat actually shows you the raw data received minus the tcp and
> > ethernet layer stuff.
> >
> > I am including the full packet capture data from a tshark dump as well.
> >
> > See the attachment for the pcap and txt files with the data.
> >
> > -Jason
>

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Received on Mar 27 2007
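
The footnote in the quoted message notes that NetBIOS does not label which name is the computer, the domain or the user, so a script has to guess. The following is an added example, not the script attached to the thread and not nbtscan's code: it parses the name table of an RFC 1002 node status response and applies one suffix-based heuristic, which is an assumption here and may differ from the one Brandon's script uses. The host names, user name and MAC address are constructed sample values.

```python
import struct

GROUP_FLAG = 0x8000  # RFC 1002 NAME_FLAGS: G bit set = group name, clear = unique

def parse_node_status_rdata(rdata):
    """Return ([(name, suffix, is_group)], mac) from node status RDATA."""
    if not rdata:
        raise ValueError("empty RDATA")
    end = 1 + rdata[0] * 18          # NUM_NAMES, then 18 bytes per entry
    if len(rdata) < end + 6:         # need the 6-byte unit ID (MAC) too
        raise ValueError("RDATA shorter than NUM_NAMES implies")
    names = []
    for off in range(1, end, 18):
        raw, suffix, flags = struct.unpack_from("!15sBH", rdata, off)
        name = raw.decode("ascii", "replace").rstrip()
        names.append((name, suffix, bool(flags & GROUP_FLAG)))
    mac = ":".join("%02x" % b for b in rdata[end:end + 6])
    return names, mac

def guess_roles(names):
    """Assumed heuristic: <00> unique = computer, <00> group = domain,
    <03> unique that is not the computer name = logged-in user."""
    computer = next((n for n, s, g in names if s == 0x00 and not g), None)
    domain = next((n for n, s, g in names if s == 0x00 and g), None)
    user = next((n for n, s, g in names
                 if s == 0x03 and not g and n != computer), None)
    return {"computer": computer, "domain": domain, "user": user}

def build_rdata(entries, mac):
    """Build constructed sample RDATA (test input only, not captured traffic)."""
    body = b"".join(struct.pack("!15sBH", n.ljust(15).encode("ascii"), s, f)
                    for n, s, f in entries)
    return bytes([len(entries)]) + body + mac

MAC = bytes.fromhex("00005e005301")  # constructed, documentation range
HOST = [("WS-EXAMPLE", 0x00, 0x0400), ("EXAMPLEDOM", 0x00, 0x8400),
        ("WS-EXAMPLE", 0x20, 0x0400), ("WS-EXAMPLE", 0x03, 0x0400)]
WITH_USER = build_rdata(HOST + [("JDOE", 0x03, 0x0400)], MAC)
NO_USER = build_rdata(HOST, MAC)   # host that does not report a username

if __name__ == "__main__":
    for label, rdata in (("with user", WITH_USER), ("no user", NO_USER)):
        names, mac = parse_node_status_rdata(rdata)
        print(label, mac, guess_roles(names))
```

The second sample shows the case the footnote mentions, where the host reports no username and the heuristic has to return nothing rather than reuse the computer name.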
