Nmblookup: NetBIOS Name Resolution in Action
When you’re dealing with older Windows environments or internal networks, NetBIOS name resolution can still be in play. One lightweight tool for this is nmblookup, which lets you perform NetBIOS queries to identify hosts, workgroups, and domain names—especially when DNS isn’t available or reliable.
This post breaks down:
- What nmblookup is
- How it works
- Key use cases in pentesting
- Example commands
What Is nmblookup?
nmblookup is part of the Samba suite and functions like a DNS lookup, but for NetBIOS names instead of DNS hostnames. It sends NetBIOS Name Service queries over UDP port 137 and returns the IPs registered under a NetBIOS name on the local network.
In simple terms:
It lets you resolve Windows hostnames when DNS isn’t helping.
Why Use nmblookup as a Pentester?
You use it to:
- Identify hostnames in flat networks
- Discover NetBIOS names and workgroups/domains
- Confirm that NetBIOS resolution is working or exploitable
- Pre-enumerate before launching SMB-based attacks (e.g. with enum4linux or smbclient)
- Poison NetBIOS traffic (when used with tools like Responder)
Basic Usage
```bash
nmblookup <NetBIOS-name>
# Query NetBIOS name (like a hostname)
```
Example:
```bash
nmblookup WIN-SERVER01
```
If that host is on the same subnet and broadcasting NetBIOS traffic, you’ll get something like:
```
192.168.1.100 WIN-SERVER01<00>
```
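To make the "UDP port 137" part concrete, here is an added example (not code from the post or from Samba) that builds the same kind of NetBIOS Name Service query nmblookup sends for `nmblookup WIN-SERVER01` and parses a positive response back into name, suffix and IP. It follows the RFC 1001/1002 wire format: the 16-byte name (15 characters plus the suffix byte) is split into nibbles and each nibble is added to `A` (0x41), which is why NetBIOS names appear on the wire as 32 letters. The response packet is constructed in `sample_response()` and is sample data, not a capture; nothing here touches the network, so it runs offline and is also handy for checking what an NBNS query or reply looks like in a Wireshark trace.

```python
import secrets
import struct
from typing import Dict, List, Optional, Tuple

# NetBIOS Name Service constants (RFC 1001/1002)
NBNS_PORT = 137          # UDP port nmblookup talks to
RR_TYPE_NB = 0x0020      # NetBIOS general name service resource record
RR_CLASS_IN = 0x0001
FLAG_RESPONSE = 0x8000
FLAG_RD = 0x0100         # recursion desired
FLAG_BROADCAST = 0x0010  # "B" flag: this is a broadcast query


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding from RFC 1001 section 14.1.

    The name is upper-cased and padded to 15 bytes, a one-byte suffix is
    appended, and every byte is split into two nibbles, each added to 'A'
    (0x41).  The result is a 32-character label preceded by its length byte
    and followed by a zero terminator.  The wildcard '*' is padded with NULs
    instead of spaces, which is what Samba's nmblookup sends for '*'.
    """
    if name == "*":
        raw = b"*" + b"\x00" * 14
    else:
        raw = name.upper().ljust(15)[:15].encode("ascii")
    raw += bytes([suffix & 0xFF])
    label = bytearray()
    for b in raw:
        label.append(0x41 + (b >> 4))
        label.append(0x41 + (b & 0x0F))
    return bytes([32]) + bytes(label) + b"\x00"


def decode_netbios_name(label: bytes) -> Tuple[str, int]:
    """Inverse of the encoding above; takes the 32 encoded characters."""
    raw = bytearray()
    for i in range(0, 32, 2):
        raw.append(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41))
    name = raw[:15].decode("ascii").rstrip(" \x00")
    return name, raw[15]


def build_name_query(name: str, suffix: int = 0x00, broadcast: bool = True,
                     txid: Optional[int] = None) -> bytes:
    """Build the datagram nmblookup sends to UDP/137 for `nmblookup NAME`."""
    if txid is None:
        txid = secrets.randbelow(0x10000)
    flags = FLAG_RD | (FLAG_BROADCAST if broadcast else 0)
    # header: transaction id, flags, qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_netbios_name(name, suffix) + struct.pack("!HH", RR_TYPE_NB, RR_CLASS_IN)
    return header + question


def parse_name_response(pkt: bytes) -> Tuple[int, List[Dict]]:
    """Parse a positive name query response into (txid, [answer, ...]).

    Each answer carries one or more 6-byte entries: 2 bytes of NB_FLAGS
    (bit 15 set = group name) followed by the IPv4 address.
    """
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & FLAG_RESPONSE:
        raise ValueError("not a response packet")
    off = 12
    for _ in range(qdcount):                    # skip any echoed questions
        off += 1 + pkt[off] + 1 + 4
    answers: List[Dict] = []
    for _ in range(ancount):
        length = pkt[off]
        off += 1
        name, suffix = decode_netbios_name(pkt[off:off + length])
        off += length + 1                       # label plus zero terminator
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype != RR_TYPE_NB:
            continue
        for i in range(0, rdlen, 6):
            (nb_flags,) = struct.unpack("!H", rdata[i:i + 2])
            ip = ".".join(str(b) for b in rdata[i + 2:i + 6])
            answers.append({"name": name, "suffix": suffix, "ip": ip,
                            "group": bool(nb_flags & 0x8000), "ttl": ttl})
    return txid, answers


def sample_response(txid: int = 0x1234) -> bytes:
    """Constructed positive response for WIN-SERVER01<00> at 192.168.1.100
    (sample data, not a capture)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RESPONSE | 0x0400 | FLAG_RD, 0, 1, 0, 0)
    rdata = struct.pack("!H", 0x0000) + bytes([192, 168, 1, 100])   # unique name, B-node
    answer = (encode_netbios_name("WIN-SERVER01") +
              struct.pack("!HHIH", RR_TYPE_NB, RR_CLASS_IN, 300000, len(rdata)) + rdata)
    return header + answer


if __name__ == "__main__":
    query = build_name_query("WIN-SERVER01", txid=0x1234)
    print("query  :", query.hex())
    print("answer :", parse_name_response(sample_response()))
```

The query is 50 bytes: a 12-byte header, the 34-byte encoded name, and 4 bytes of type/class. Because the transaction ID is the only thing tying a reply to a request and the protocol has no authentication, any host on the broadcast domain can answer, which is exactly why NetBIOS name resolution is such a soft target and why disabling it (or at least monitoring UDP/137 for unexpected responders) matters on internal networks.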
Broadcast Query
You can use broadcast mode to discover nearby machines:
```bash
nmblookup -B 192.168.1.255 '*'
# Sends a broadcast query asking for all NetBIOS names
```
This will return something like:
```
192.168.1.10 <00> WORKGROUP
192.168.1.15 <03> USER-PC
192.168.1.20 <20> FILESERVER
```
Use this to enumerate potential SMB targets.
Interpret the Suffix Codes
NetBIOS names end with a suffix that tells you the type of service:
| Suffix | Meaning |
|---|---|
| <00> | Hostname |
| <03> | User |
| <20> | File/Print Services |
| <1D> | Master Browser |
| <1B> | Domain Master Browser |
| <1C> | Domain Controllers |
So if you see <20>, you’re probably looking at an SMB server.
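Applying the suffix table by hand gets tedious once a broadcast sweep returns a few dozen lines, so here is an added example (my own code, not part of the post or of Samba) that parses nmblookup-style output and tags each entry with its meaning. It accepts the two line shapes shown above, `IP NAME<xx>` from a single-name query and `IP <xx> NAME` from the broadcast listing, and skips anything else, such as the `querying ...` banner or a `name_query failed ...` line. The sample text is constructed to match those formats and is not real output. The same mapping is useful on the defensive side: the `<20>` and `<1C>` registrations you see in NBNS traffic are the ones an attacker will go after first, so they are the hosts to check for SMB hardening.

```python
import re
from typing import Dict, List, Optional, Tuple

# Suffix codes from the table above, keyed by the suffix byte.
SUFFIX_MEANING: Dict[int, str] = {
    0x00: "Hostname",
    0x03: "User",
    0x20: "File/Print Services",
    0x1D: "Master Browser",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
}

# Matches "IP NAME<xx>" (single-name query) or "IP <xx> NAME" (broadcast listing).
# Assumption: these are the two shapes of output we care about; other lines are noise.
LINE_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?:(?P<name1>\S+?)<(?P<sfx1>[0-9A-Fa-f]{2})>|<(?P<sfx2>[0-9A-Fa-f]{2})>\s+(?P<name2>\S+))\s*$"
)


def parse_line(line: str) -> Optional[Dict]:
    """Return {ip, name, suffix, meaning} for a result line, or None for noise."""
    m = LINE_RE.match(line)
    if not m:
        return None            # "querying ..." banners, "name_query failed ..." etc.
    name = m.group("name1") or m.group("name2")
    suffix = int(m.group("sfx1") or m.group("sfx2"), 16)
    return {"ip": m.group("ip"), "name": name, "suffix": suffix,
            "meaning": SUFFIX_MEANING.get(suffix, "Unknown <%02X>" % suffix)}


def parse_output(text: str) -> List[Dict]:
    """Parse a whole nmblookup transcript, dropping lines that are not results."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def hosts_by_ip(records: List[Dict]) -> Dict[str, List[Tuple[str, int]]]:
    """Group registrations per IP so one host's roles are visible together."""
    grouped: Dict[str, List[Tuple[str, int]]] = {}
    for r in records:
        grouped.setdefault(r["ip"], []).append((r["name"], r["suffix"]))
    return grouped


def smb_candidates(records: List[Dict]) -> List[str]:
    """IPs that registered a <20> name, i.e. probable SMB file/print servers."""
    return sorted({r["ip"] for r in records if r["suffix"] == 0x20})


def domain_controllers(records: List[Dict]) -> List[str]:
    """IPs that registered a <1C> name, i.e. domain controllers."""
    return sorted({r["ip"] for r in records if r["suffix"] == 0x1C})


# Constructed sample in the formats shown above (not real output).
SAMPLE_OUTPUT = """\
querying WIN-SERVER01 on 192.168.1.255
192.168.1.100 WIN-SERVER01<00>
192.168.1.10 <00> WORKGROUP
192.168.1.15 <03> USER-PC
192.168.1.20 <20> FILESERVER
192.168.1.20 <00> FILESERVER
192.168.1.5 <1C> CORP
name_query failed to find name OLDBOX
"""

if __name__ == "__main__":
    records = parse_output(SAMPLE_OUTPUT)
    for r in records:
        print("%-15s %-16s <%02X>  %s" % (r["ip"], r["name"], r["suffix"], r["meaning"]))
    print("SMB candidates:", smb_candidates(records))
    print("Domain controllers:", domain_controllers(records))
```

Piping real output in is a one-liner (`nmblookup -B 192.168.1.255 '*' | python3 parse_nmb.py`, reading `sys.stdin.read()` instead of `SAMPLE_OUTPUT`); the grouping by IP is what tells you a single box is both the file server and the domain controller, which changes how carefully you want to treat it.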
Practical Pentest Workflow
After discovering a host with nmblookup:
- Enumerate shares: `smbclient -L //<ip> -N`
- Enumerate users: `enum4linux <ip>`
- Test credentials / access: `smbclient //<ip>/sharename -U username`
- Try NetBIOS spoofing attacks (e.g. with Responder or NBNSpoof)
Real-World Notes
- Works best on flat internal networks or legacy Windows systems.
- Rarely helpful externally or on hardened networks where NetBIOS is disabled.
- Combine with Wireshark or tcpdump to sniff for NetBIOS queries in live traffic.
Conclusion
While nmblookup isn’t flashy, it’s fast and can give you early recon on names and services that DNS won’t show. In older or poorly segmented networks, it’s a goldmine—especially when paired with SMB enumeration tools.
