Finding Windows hosts on your network

If you have ever wondered whether there is a quick way to find all the Windows hosts on your network, with exact version information, you are in the right place! We are going to look at a few tools that help with this task by querying the CIFS service (also known as SMB / NetBIOS), which every Windows host runs.

To get started, let's look at the nbtscan tool. We can give it a network range either in CIDR form or as two addresses separated by a dash. This gives us a nice list of all the Windows hosts on our network together with their NetBIOS names.

Example usage and output:
[Screenshot in the original post: NetBIOS scan]

Oh, what about that exact version info, you say? Don't worry, that's coming up right now thanks to the smb-os-discovery nmap script. To speed things up we only scan the SMB port (445/tcp), as that is all the script needs to kick in.

[root@bt ➜ ~] # nmap --script smb-os-discovery -p 445 192.168.1.1/24

Starting Nmap 6.25 ( http://nmap.org ) at 2013-07-18 21:12 CEST
Nmap scan report for 192.168.1.4
Host is up (0.00014s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 10:BF:48:BB:E7:12 (Asustek Computer)

Host script results:
| smb-os-discovery:
| OS: Windows 7 Home Premium 7601 Service Pack 1 (Windows 7 Home Premium 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1
| NetBIOS computer name: MATU
| Workgroup: VIRTUAL
|_ System time: 2013-07-18T21:12:58+02:00

Nmap scan report for 192.168.1.10
Host is up (0.00051s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:1E:8C:CE:E7:51 (Asustek Computer)

Host script results:
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: ANIMAL
| NetBIOS computer name: ANIMAL
| Workgroup: VIRTUAL
|_ System time: 2013-07-18T21:13:38+02:00

Isn't that nice? Also, you don't need any credentials at all for this. Lastly, if you are a Metasploit fan, I have something for you too: there is a module that gives you results similar to the nmap script, auxiliary/scanner/smb/smb_version.

msf exploit(handler) > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > set rhosts 192.168.1.1/24
rhosts => 192.168.1.1/24
msf auxiliary(smb_version) > run

[*] 192.168.1.4:445 is running Windows 7 Home Premium (Build 7601) (language: Unknown) (name:MATU) (domain:VIRTUAL)
[*] 192.168.1.10:445 is running Windows XP Service Pack 3 (language: Spanish) (name:ANIMAL) (domain:ANIMAL)
[*] 192.168.1.15:445 is running Unix Samba 3.4.7 (language: Unknown) (name:BT) (domain:BT)
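Both the nmap script output and the smb_version lines above carry the same facts (address, OS string, NetBIOS name, workgroup) in two different layouts, and the useful next step for an inventory is to normalise them into one table. The following script is an added example, not code from the original post or from the nmap or Metasploit projects: it parses both formats into one host list and lets you pull out hosts by OS string (for instance every Windows XP machine still answering on port 445). The sample outputs embedded in it are constructed from the lines shown above, and the record field names (ip, os, cpe, netbios_name, workgroup) are my own choice.

```python
"""Parse the text output of nmap's smb-os-discovery script and of Metasploit's
smb_version module into one host inventory (added example, not from the post).
Sample outputs are constructed from the lines shown on the page; the record
fields (ip, os, cpe, netbios_name, workgroup) are my own naming."""
import re
from dataclasses import dataclass, field

# Constructed sample: nmap normal output for the two hosts shown on the page.
NMAP_OUTPUT = """\
Nmap scan report for 192.168.1.4
Host is up (0.00014s latency).
445/tcp open  microsoft-ds
Host script results:
| smb-os-discovery:
|   OS: Windows 7 Home Premium 7601 Service Pack 1 (Windows 7 Home Premium 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1
|   NetBIOS computer name: MATU
|   Workgroup: VIRTUAL
|_  System time: 2013-07-18T21:12:58+02:00
Nmap scan report for 192.168.1.10
Host is up (0.00051s latency).
445/tcp open  microsoft-ds
Host script results:
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   NetBIOS computer name: ANIMAL
|   Workgroup: VIRTUAL
|_  System time: 2013-07-18T21:13:38+02:00
"""

# Constructed sample: smb_version output, as on the page.
MSF_OUTPUT = """\
[*] 192.168.1.4:445 is running Windows 7 Home Premium (Build 7601) (language: Unknown) (name:MATU) (domain:VIRTUAL)
[*] 192.168.1.10:445 is running Windows XP Service Pack 3 (language: Spanish) (name:ANIMAL) (domain:ANIMAL)
[*] 192.168.1.15:445 is running Unix Samba 3.4.7 (language: Unknown) (name:BT) (domain:BT)
"""

# "Nmap scan report for 1.2.3.4" or "Nmap scan report for host.lan (1.2.3.4)"
NMAP_HEADER = re.compile(r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>[\d.]+)\)?$")
MSF_LINE = re.compile(
    r"^\[\*\] (?P<ip>[\d.]+):\d+ is running (?P<os>.+?) \(language:(?P<lang>[^)]*)\)"
    r" \(name:(?P<name>[^)]*)\) \(domain:(?P<domain>[^)]*)\)"
)
# Map the script's field labels to inventory attributes; other labels are ignored.
NMAP_FIELDS = {"OS": "os", "OS CPE": "cpe",
               "NetBIOS computer name": "netbios_name", "Workgroup": "workgroup"}


@dataclass
class SmbHost:
    ip: str
    os: str = ""
    cpe: str = ""
    netbios_name: str = ""
    workgroup: str = ""
    sources: list = field(default_factory=list)


def parse_nmap(text, inventory=None):
    """Fill `inventory` (dict ip -> SmbHost) from nmap normal output."""
    inventory = {} if inventory is None else inventory
    current = None
    for line in text.splitlines():
        m = NMAP_HEADER.match(line)
        if m:
            current = inventory.setdefault(m["ip"], SmbHost(ip=m["ip"]))
            current.sources.append("nmap")
            continue
        if current is None or not line.startswith("|"):
            continue                      # not part of a script result block
        label, _, value = line.lstrip("|_ ").partition(":")
        attr = NMAP_FIELDS.get(label.strip())
        if attr:
            setattr(current, attr, value.strip())
    return inventory


def parse_msf(text, inventory=None):
    """Fill `inventory` from smb_version lines; values already set by nmap win."""
    inventory = {} if inventory is None else inventory
    for line in text.splitlines():
        m = MSF_LINE.match(line)
        if not m:
            continue
        host = inventory.setdefault(m["ip"], SmbHost(ip=m["ip"]))
        host.sources.append("msf")
        host.os = host.os or m["os"].strip()
        host.netbios_name = host.netbios_name or m["name"].strip()
        host.workgroup = host.workgroup or m["domain"].strip()
    return inventory


def hosts_matching(inventory, os_pattern):
    """Sorted IPs whose reported OS matches a regex, e.g. to list XP-era machines."""
    return sorted(ip for ip, h in inventory.items() if re.search(os_pattern, h.os))


if __name__ == "__main__":
    inv = parse_msf(MSF_OUTPUT, parse_nmap(NMAP_OUTPUT))
    for h in inv.values():
        print(h.ip, h.netbios_name, h.workgroup, h.os, h.sources)
    print("Windows XP hosts:", hosts_matching(inv, r"Windows XP"))
```

Feed it real output by reading the saved nmap normal output (nmap -oN) and a copied msf console log; the merge keeps nmap's values where both tools saw a host, so the CPE string survives and the Samba box that only the Metasploit run reported still ends up in the list.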

That should be enough to get you rolling on your Windows box hunting adventure. I hope you find it useful!