How to Retrieve NetBIOS Names from Network Computers Using Linux: A Comprehensive Nmap Scripting Solution


When performing network inventory scans in Linux environments, obtaining NetBIOS names alongside IP addresses, MAC addresses, and operating system information presents a unique challenge. While tools like nmap excel at gathering most network information, NetBIOS name resolution requires specific approaches.

We'll leverage these Linux utilities:

  • nmap - Primary scanning tool
  • nbtscan - Specialized NetBIOS scanner
  • smbclient - SMB protocol utility
  • nmblookup - NetBIOS name resolver

Here's a robust script that combines these tools:

#!/bin/bash
# Run as root: MAC addresses (ARP discovery), nmap -O and nbtscan -r all need it.

# Define network range (adjust accordingly)
NETWORK="192.168.1.0/24"

# Perform initial nmap scan
# Grepable output (-oG) has no MAC field, so normal output (-oN) is saved as well
echo "Starting network scan..."
nmap -sn "$NETWORK" -oG scan.gnmap -oN scan.nmap > /dev/null

# Extract live hosts
grep "Status: Up" scan.gnmap | cut -d " " -f 2 > live_hosts.txt

# Process each live host
echo "IP Address,MAC Address,OS Guess,NetBIOS Name" > network_inventory.csv

while read -r ip; do
    # Get MAC address (nmap reports it only for hosts on the local segment)
    mac=$(grep -wF -A 2 "$ip" scan.nmap | awk '/^MAC Address:/ {print $3; exit}')

    # Get OS guess ("OS details" on an exact match, "Aggressive OS guesses" otherwise)
    os=$(nmap -O --osscan-guess "$ip" | grep -E "^(OS details|Aggressive OS guesses):" | head -n 1 | cut -d ":" -f 2- | sed 's/^ *//')

    # Get NetBIOS name (using multiple methods)
    netbios=""

    # Method 1: nbtscan (match the row for this IP; banner and header lines are skipped)
    if command -v nbtscan &> /dev/null; then
        netbios=$(nbtscan -r "$ip" | awk -v ip="$ip" '$1 == ip {print $2; exit}')
    fi

    # Method 2: nmblookup fallback (unique <00> entry is the computer name)
    if [ -z "$netbios" ] && command -v nmblookup &> /dev/null; then
        netbios=$(nmblookup -A "$ip" | grep "<00>" | grep -v "<GROUP>" | awk '{print $1}' | head -n 1)
    fi

    # Method 3: smbclient fallback (output format varies between Samba versions; best effort)
    if [ -z "$netbios" ] && command -v smbclient &> /dev/null; then
        netbios=$(smbclient -L "$ip" -N 2>/dev/null | grep "Server" | cut -d " " -f 2 | head -n 1)
    fi

    # Clean NetBIOS name if found
    # The name comes from the network, so also drop characters that would break the CSV
    if [ -n "$netbios" ]; then
        netbios=$(echo "$netbios" | tr -d '[:space:],"' | sed 's/\\//g')
    else
        netbios="Not Found"
    fi

    # Output results
    echo "$ip,$mac,\"$os\",$netbios" >> network_inventory.csv

done < live_hosts.txt

echo "Scan completed. Results saved to network_inventory.csv"
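
As an added example (not code from the original page), the function below shows what Method 2's grep pipeline is reading: it parses an `nmblookup -A` reply into computer name, workgroup, file-sharing flag and MAC address, and fails cleanly when the host did not answer. The sample reply and the names `sample_reply` and `parse_node_status` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of an `nmblookup -A` reply (not captured from a real host).
sample_reply() {
cat <<'EOF'
Looking up status of 192.168.1.10
    FILESRV01       <00> -         B <ACTIVE>
    CORP            <00> - <GROUP> B <ACTIVE>
    FILESRV01       <20> -         B <ACTIVE>
    CORP            <1e> - <GROUP> B <ACTIVE>

    MAC Address = 00-11-22-33-44-55
EOF
}

# Read one reply on stdin and print "name|workgroup|file_server|mac".
#   <00> unique = computer name
#   <00> group  = workgroup or domain
#   <20> unique = Server service (file sharing) is registered
# Returns 1 and prints nothing when no unique <00> entry is present.
parse_node_status() {
    awk '
        $2 == "<00>" && !/<GROUP>/ && name == ""  { name = $1 }
        $2 == "<00>" &&  /<GROUP>/ && group == "" { group = $1 }
        $2 == "<20>" && !/<GROUP>/                { share = "yes" }
        /MAC Address =/ { mac = $NF; gsub(/-/, ":", mac) }
        END {
            if (name == "") exit 1
            if (share == "") share = "no"
            printf "%s|%s|%s|%s\n", name, group, share, mac
        }'
}

# Against a live host: nmblookup -A "$ip" | parse_node_status
sample_reply | parse_node_status
```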

Consider these enhancements for production use:

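# Add parallel processing for large networks
parallel -j 10 -a live_hosts.txt "nbtscan -r {} | grep -v 'name_service'"

# Add error handling and caching for individual hosts
# Cache format: one "IP NAME" pair per line in netbios_cache.txt
get_netbios() {
    local ip=$1 name

    # Cache results for repeated scans
    if [ -f "netbios_cache.txt" ]; then
        name=$(awk -v ip="$ip" '$1 == ip {print $2; exit}' netbios_cache.txt)
        if [ -n "$name" ]; then
            echo "$name"
            return 0
        fi
    fi

    # Query the host; print nothing and return 1 if it does not answer
    name=$(nbtscan -r "$ip" 2>/dev/null | awk -v ip="$ip" '$1 == ip {print $2; exit}')
    [ -n "$name" ] || return 1
    echo "$ip $name" >> netbios_cache.txt
    echo "$name"
}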

For environments where installing additional tools isn't possible:

# Using native Windows commands via wine
if command -v wine &> /dev/null; then
    netbios=$(wine cmd /c "nbtstat -A $ip 2>NUL" | grep "UNIQUE" | awk '{print $1}')
fi

# Pure nmap NSE script method (nbstat queries UDP 137, so scan it explicitly; needs root)
nmap -sU -sS -p U:137,T:139 --script nbstat.nse "$ip"

  • Firewall blocks: Ensure UDP ports 137-139 are accessible
  • Name conflicts: Multiple systems may respond to the same NetBIOS name
  • IPv6 networks: NetBIOS primarily works with IPv4
  • Windows 10+ systems: May have NetBIOS disabled by default
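
The name-conflict case in the list above can be checked directly against the inventory file. This is an added example, not part of the original page: it reads the CSV layout written by the first script and lists every NetBIOS name reported by more than one IP. The sample rows and the function names are constructed.

```shell
#!/bin/sh
# Constructed sample in the layout of network_inventory.csv.
sample_inventory() {
cat <<'EOF'
IP Address,MAC Address,OS Guess,NetBIOS Name
192.168.1.10,00:11:22:33:44:55,"Microsoft Windows 10 1709 (96%), Microsoft Windows Server 2016 (93%)",FILESRV01
192.168.1.23,66:77:88:99:AA:BB,"Linux 4.15 - 5.8",filesrv01
192.168.1.40,CC:DD:EE:FF:00:11,"",Not Found
192.168.1.41,22:33:44:55:66:77,"",Not Found
192.168.1.50,88:99:AA:BB:CC:DD,"Microsoft Windows 11 21H2 (91%)",HR-LAPTOP
EOF
}

# Read the CSV on stdin; print "NAME ip1 ip2 ..." for each name seen on 2+ IPs.
# The quoted OS column may contain commas, so the name is taken as the LAST
# comma-separated field and the IP as the first.
find_name_conflicts() {
    awk -F',' '
        NR == 1 { next }                          # header row
        {
            name = toupper($NF)                   # fold case before comparing
            if (name == "" || name == "NOT FOUND") next
            if (!(name in count)) order[++n] = name
            ips[name] = (ips[name] == "" ? $1 : ips[name] " " $1)
            count[name]++
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] > 1) print order[i], ips[order[i]]
        }'
}

# Against a real scan: find_name_conflicts < network_inventory.csv
sample_inventory | find_name_conflicts
```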

When performing network scanning in Linux environments, obtaining NetBIOS names alongside IP addresses, MAC addresses, and OS information presents a unique challenge. While nmap excels at most network discovery tasks, extracting NetBIOS names requires additional tools and techniques.

The complete solution requires these components:

  • nmap (for basic network scanning)
  • nbtscan (specifically for NetBIOS name resolution)
  • awk/sed (for text processing)
  • Bash scripting (to tie everything together)

First ensure all necessary tools are installed:


sudo apt-get install nmap nbtscan   # For Debian/Ubuntu
sudo yum install nmap nbtscan       # For RHEL/CentOS

Here's a robust bash script that combines nmap and nbtscan:


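#!/bin/bash
# Run as root: MAC addresses (ARP discovery) and nbtscan -r both need it.

# Define network range
NETWORK="192.168.1.0/24"

# Temporary files (mktemp avoids predictable names in /tmp when running as root)
TMP_DIR=$(mktemp -d) || exit 1
trap 'rm -rf "$TMP_DIR"' EXIT
NMAP_OUTPUT="$TMP_DIR/nmap_scan.gnmap"
NMAP_NORMAL="$TMP_DIR/nmap_scan.txt"
NBTSCAN_OUTPUT="$TMP_DIR/nbtscan.txt"
FINAL_OUTPUT="network_inventory_$(date +%Y%m%d).csv"

# Perform nmap scan
# Grepable output (-oG) has no MAC field, so normal output (-oN) is saved as well
echo "Running nmap scan..."
nmap -sn "$NETWORK" -oG "$NMAP_OUTPUT" -oN "$NMAP_NORMAL" > /dev/null

# Extract live IPs
LIVE_IPS=$(awk '/Status: Up/ {print $2}' "$NMAP_OUTPUT")

# Perform nbtscan on the network range
echo "Running nbtscan..."
nbtscan -r "$NETWORK" > "$NBTSCAN_OUTPUT"

# Process and combine results
echo "IP Address,MAC Address,Hostname,NetBIOS Name,OS Guess" > "$FINAL_OUTPUT"

for ip in $LIVE_IPS; do
    # Get MAC address (nmap reports it only for hosts on the local segment)
    MAC=$(grep -wF -A 2 "$ip" "$NMAP_NORMAL" | awk '/^MAC Address:/ {print $3; exit}')

    # Get hostname (empty when nmap found no reverse DNS name)
    HOSTNAME=$(awk -v ip="$ip" '$2 == ip {gsub(/[()]/, "", $3); print $3; exit}' "$NMAP_OUTPUT")

    # Get NetBIOS name (match the row whose first column is exactly this IP)
    NETBIOS=$(awk -v ip="$ip" '$1 == ip {print $2; exit}' "$NBTSCAN_OUTPUT")

    # Get OS guess (requires sudo/root privileges for -O flag; the OS: field
    # is present only when the nmap scan above is run with -O instead of -sn)
    OS=$(awk -F'\t' -v ip="$ip" 'index($1, "Host: " ip " ") == 1 {
            for (i = 2; i <= NF; i++) if (sub(/^OS: /, "", $i)) { print $i; exit }
        }' "$NMAP_OUTPUT")

    # Output to CSV (OS guesses can contain commas, so that field is quoted)
    echo "$ip,$MAC,$HOSTNAME,$NETBIOS,\"$OS\"" >> "$FINAL_OUTPUT"
done

echo "Scan complete. Results saved to $FINAL_OUTPUT"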

For more accurate OS detection and NetBIOS resolution:


# Enhanced OS detection (requires root)
sudo nmap -O --osscan-guess "$NETWORK" -oG "$NMAP_OUTPUT"

# Alternative NetBIOS name resolution
sudo nmap -sU -p 137 --script nbstat.nse "$NETWORK"

To run this scan periodically (e.g., daily at 2 AM):


0 2 * * * /path/to/your/script.sh

  • Firewall blocking: Ensure NetBIOS ports (137-139) are not blocked
  • Permission issues: Some nmap features require root privileges
  • Network segmentation: Adjust script for VLANs or complex networks
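
Once the scan runs daily from cron and writes a dated CSV each time, the useful output is the difference between two runs. The following is an added example, not part of the original page: it compares two inventories in the second script's column layout and reports new hosts, hosts that disappeared, and IPs whose MAC address changed. The sample rows and the names `diff_inventories` and `demo_diff` are constructed.

```shell
#!/bin/sh
# Column layout: IP Address,MAC Address,Hostname,NetBIOS Name,OS Guess
# $1 = older CSV, $2 = newer CSV. Output lines:
#   NEW <ip> <mac> <netbios>          host absent from the older scan
#   MAC_CHANGED <ip> <old> -> <new>   same IP, different hardware address
#   GONE <ip> <mac> <netbios>         host absent from the newer scan
diff_inventories() {
    awk -F',' '
        FNR == 1            { next }                            # header row
        FILENAME == ARGV[1] { mac[$1] = $2; nb[$1] = $4; next } # older scan
                            { seen[$1] = 1 }
        !($1 in mac)        { print "NEW", $1, $2, $4; next }
        $2 != "" && mac[$1] != "" && mac[$1] != $2 {
            print "MAC_CHANGED", $1, mac[$1], "->", $2
        }
        END { for (ip in mac) if (!(ip in seen)) print "GONE", ip, mac[ip], nb[ip] }
    ' "$1" "$2"
}

# Constructed sample data: write two inventories and compare them.
demo_diff() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/old.csv" <<'EOF'
IP Address,MAC Address,Hostname,NetBIOS Name,OS Guess
192.168.1.10,00:11:22:33:44:55,filesrv01.lan,FILESRV01,
192.168.1.50,88:99:AA:BB:CC:DD,,HR-LAPTOP,
192.168.1.60,AA:AA:AA:00:00:01,,KIOSK,
EOF
    cat > "$dir/new.csv" <<'EOF'
IP Address,MAC Address,Hostname,NetBIOS Name,OS Guess
192.168.1.10,00:11:22:33:44:55,filesrv01.lan,FILESRV01,
192.168.1.50,02:00:00:12:34:56,,HR-LAPTOP,
192.168.1.77,66:77:88:99:AA:BB,,LAB-PC,
EOF
    diff_inventories "$dir/old.csv" "$dir/new.csv"
    rm -rf "$dir"
}

demo_diff
```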