Library netbios
Creates and parses NetBIOS traffic. The primary use for this is to send NetBIOS name requests.
Author:
Copyright © Same as Nmap--See https://nmap.org/book/man-legal.html
Source: https://svn.nmap.org/nmap/nselib/netbios.lua
Functions
- do_nbstat (host)
- This is the function that actually handles the UDP query to retrieve the NBSTAT information. 
- flags_to_string (flags)
- Convert the 16-bit flags field to a string. 
- get_names (host, prefix)
- Sends out a UDP probe on port 137 to get a human-readable list of names the system is using. 
- get_server_name (host, names)
- Sends out a UDP probe on port 137 to get the server's name (that is, the entry in its NBSTAT table with a 0x20 suffix). 
- get_user_name (host, names)
- Sends out a UDP probe on port 137 to get the user's name (the 0x03-suffix entry in its NBSTAT table that differs from the server's name). 
- get_workstation_name (host, names)
- Sends out a UDP probe on port 137 to get the workstation's name (that is, the unique entry in its NBSTAT table with a 0x00 suffix). 
- name_decode (encoded_name)
- Converts an encoded name to the string representation. 
- name_encode (name, scope)
- Encode a NetBIOS name for transport. 
Functions
- do_nbstat (host)
- 
This is the function that actually handles the UDP query to retrieve the NBSTAT information. We make use of the Nmap registry here, so if another script has already performed an NBSTAT query, the result can be re-used. The NetBIOS request's header looks like this:
  ---------------------------------------------------
  | 15 14 13 12 11 10  9  8  7  6  5  4  3  2  1  0 |
  |                  NAME_TRN_ID                    |
  | R |   OPCODE   |      NM_FLAGS       |  RCODE   |   (FLAGS)
  |                     QDCOUNT                     |
  |                     ANCOUNT                     |
  |                     NSCOUNT                     |
  |                     ARCOUNT                     |
  ---------------------------------------------------
In this case, the TRN_ID is a constant (0x1337, what else?), the flags are 0, and we have one question. All fields are in network byte order. The body of the packet is the question section, one name to check for, in the following format:
- (ntstring) encoded name
- (2 bytes) query type (0x0021 = NBSTAT)
- (2 bytes) query class (0x0001 = IN)
The response header is the exact same, except that it will have some flags set (0x8000 for sure, since it's a response), and ANCOUNT will be 1. The format of the answer is:
- (ntstring) requested name
- (2 bytes) query type
- (2 bytes) query class
- (4 bytes) time to live
- (2 bytes) record length
- (1 byte) number of names
- [for each name]
- (16 bytes) space-padded name; the 16th byte is the suffix (0x00, 0x03, 0x20, ...)
- (2 bytes) flags
- (variable) statistics (beginning with the unit ID, usually the MAC address)
Note that the number-of-names byte comes from the remote host: a parser must check it against the record length rather than trust it.
Parameters:
- host
- The IP or hostname of the system.
Return value: (status, names, statistics) If status is true, then the server's names are returned as a table of entries, each containing 'name', 'suffix', and 'flags'. Otherwise, names is an error message and statistics is undefined.
- flags_to_string (flags)
- 
Convert the 16-bit flags field to a string.
Parameters:
- flags
- The 16-bit flags field
Return value: A string representing the flags
- get_names (host, prefix)
- 
Sends out a UDP probe on port 137 to get a human-readable list of names the system is using.
Parameters:
- host
- The IP or hostname to check.
- prefix
- [optional] The prefix to put on each line when it's returned.
Return value: (status, result) If status is true, the result is a human-readable list of names. Otherwise, result is an error message.
- get_server_name (host, names)
- 
Sends out a UDP probe on port 137 to get the server's name (that is, the entry in its NBSTAT table with a 0x20 suffix).
Parameters:
- host
- The IP or hostname of the server.
- names
- [optional] The names to use, from do_nbstat.
Return value: (status, result) If status is true, the result is the NetBIOS name. Otherwise, result is an error message.
- get_user_name (host, names)
- 
Sends out a UDP probe on port 137 to get the user's name. The user name is the entry in its NBSTAT table with a 0x03 suffix that isn't the same as the server's name. If the user name can't be determined, which is frequently the case, nil is returned.
Parameters:
- host
- The IP or hostname of the server.
- names
- [optional] The names to use, from do_nbstat.
Return value: (status, result) If status is true, the result is the NetBIOS name or nil. Otherwise, result is an error message.
- get_workstation_name (host, names)
- 
Sends out a UDP probe on port 137 to get the workstation's name (that is, the unique entry in its NBSTAT table with a 0x00 suffix).
Parameters:
- host
- The IP or hostname of the server.
- names
- [optional] The names to use, from do_nbstat.
Return value: (status, result) If status is true, the result is the NetBIOS name. Otherwise, result is an error message.
- name_decode (encoded_name)
- 
Converts an encoded name to the string representation. If the encoding is invalid, it will still attempt to decode the string as best as possible.
Parameters:
- encoded_name
- The L2-encoded name
Return value: the decoded name and the scope. The name will still be padded, and the scope will never be nil (an empty string is returned if no scope is present)
- name_encode (name, scope)
- 
Encode a NetBIOS name for transport. Most packets that use a NetBIOS name require this encoding to happen first. It takes a name containing any possible characters, converts it to all uppercase, and then encodes each byte as a pair of letters (so arbitrary bytes can, for example, be carried through a service that only handles case-insensitive names). There are two levels of encoding performed:
- L1: Pad the string to 16 characters with spaces (or NULs if it's the wildcard "*") and replace each byte with two bytes, one per nibble, each with 0x41 added (so the result consists only of the letters 'A' through 'P').
- L2: Prepend the length to the string, and to each label of the scope (split at its periods).
Parameters:
- name
- The name that will be encoded (eg. "TEST1"). Names longer than 16 characters are truncated.
- scope
- [optional] The scope to encode it with (eg. "insecure.org"). Scopes are rarely, if ever, used in the real world.
Return value: The L2-encoded name and scope (eg. "\x20FEEFFDFEDBCACACACACACACACACACACACA\x08insecure\x03org": 0x20 is the length of the 32-byte L1 name, then 11 space characters encoded as "CA", then the two length-prefixed scope labels)
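The two-level name encoding described under name_encode and name_decode, and the NBSTAT request/response layout described under do_nbstat, worked through in Python as an added example. This is not the library's Lua code (nselib/netbios.lua is the reference); it is a stand-alone re-implementation of the format. The transaction id 0x1337, query type 0x0021 and class 0x0001 come from the description above; the 4-byte TTL and the 15-byte-name-plus-suffix layout of each entry follow RFC 1002. The response bytes are constructed by hand rather than captured, the <label> output style of flags_to_string and the pick_name helper (which stands in for the get_server_name / get_workstation_name selection logic) are this example's own, and a fixed transaction id is only acceptable here because a scanner does not act on the answer.

```python
import struct

NBSTAT_TRN_ID = 0x1337  # constant transaction id, as in the library's description
QTYPE_NBSTAT = 0x0021
QCLASS_IN = 0x0001

def name_encode(name, scope=""):
    """RFC 1001 first- and second-level encoding of a NetBIOS name (no trailing NUL)."""
    raw = name.encode("latin-1")[:16].upper()
    raw = raw.ljust(16, b"\x00" if raw == b"*" else b" ")
    # L1: each byte becomes two bytes, one per nibble, each nibble + 0x41 ('A'..'P').
    l1 = bytes(b for c in raw for b in ((c >> 4) + 0x41, (c & 0x0F) + 0x41))
    # L2: DNS-style length-prefixed labels: the 32-byte name, then each scope label.
    out = bytes([len(l1)]) + l1
    for label in filter(None, scope.split(".")):
        out += bytes([len(label)]) + label.encode("latin-1")
    return out

def name_decode(encoded):
    """Reverse name_encode, best effort on malformed input. Returns (padded name, scope)."""
    labels, pos = [], 0
    while pos < len(encoded) and encoded[pos] != 0:
        n = encoded[pos]
        labels.append(encoded[pos + 1:pos + 1 + n])
        pos += 1 + n
    l1 = labels[0] if labels else b""
    if len(l1) % 2:
        l1 += b"A"  # odd length is invalid; pad so the last nibble still decodes
    raw = bytes((((l1[i] - 0x41) & 0x0F) << 4) | ((l1[i + 1] - 0x41) & 0x0F)
                for i in range(0, len(l1), 2))
    return raw.decode("latin-1"), ".".join(l.decode("latin-1") for l in labels[1:])

def flags_to_string(flags):
    """Render NODE_NAME flags per RFC 1002 4.2.18; the <label> style is this example's own."""
    ont = {0x0000: "<B-node>", 0x2000: "<P-node>", 0x4000: "<M-node>", 0x6000: "<H-node>"}
    s = ("<group>" if flags & 0x8000 else "<unique>") + ont[flags & 0x6000]
    for bit, label in ((0x1000, "<deregistering>"), (0x0800, "<conflict>"),
                       (0x0400, "<active>"), (0x0200, "<permanent>")):
        if flags & bit:
            s += label
    return s

def build_nbstat_request(name="*", trn_id=NBSTAT_TRN_ID):
    """Header (TRN_ID, flags 0, QDCOUNT 1) followed by one NBSTAT/IN question."""
    header = struct.pack(">HHHHHH", trn_id, 0x0000, 1, 0, 0, 0)
    return header + name_encode(name) + b"\x00" + struct.pack(">HH", QTYPE_NBSTAT, QCLASS_IN)

def parse_nbstat_response(data, trn_id=NBSTAT_TRN_ID):
    """Validate the header, then walk the single answer. Returns (names, statistics)."""
    if len(data) < 12:
        raise ValueError("short header")
    tid, flags, _qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", data, 0)
    if tid != trn_id or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    if an != 1:
        raise ValueError("expected exactly one answer, got %d" % an)
    pos = data.index(b"\x00", 12) + 1  # skip the ntstring name
    if pos + 10 > len(data):
        raise ValueError("truncated answer")
    rr_type, rr_class, _ttl, rdlength = struct.unpack_from(">HHIH", data, pos)
    pos += 10
    if (rr_type, rr_class) != (QTYPE_NBSTAT, QCLASS_IN):
        raise ValueError("unexpected answer type/class")
    rdata = data[pos:pos + rdlength]
    if rdlength < 1 or len(rdata) != rdlength:
        raise ValueError("truncated RDATA")
    names, off = [], 1
    for _ in range(rdata[0]):  # the count is attacker-controlled: bound every entry
        entry = rdata[off:off + 18]
        if len(entry) < 18:
            raise ValueError("truncated name entry")
        names.append({"name": entry[:15].rstrip(b" \x00").decode("latin-1"),
                      "suffix": entry[15], "flags": struct.unpack(">H", entry[16:18])[0]})
        off += 18
    return names, rdata[off:]

def pick_name(names, suffix, group=False):
    """First entry with this suffix and group/unique bit, e.g. (0x20, False) for the server name."""
    for n in names:
        if n["suffix"] == suffix and bool(n["flags"] & 0x8000) == group:
            return n["name"]
    return None

def constructed_response():
    """A hand-built NODE STATUS RESPONSE (constructed sample, not a real capture)."""
    def node(name, suffix, flags):
        return name.encode().ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", flags)
    rdata = bytes([3]) + node("TEST1", 0x00, 0x0400) + node("TEST1", 0x20, 0x0400) \
        + node("WORKGROUP", 0x00, 0x8400)
    rdata += bytes.fromhex("000c29aabbcc") + b"\x00" * 40  # statistics: UNIT_ID (MAC), then counters
    header = struct.pack(">HHHHHH", NBSTAT_TRN_ID, 0x8400, 0, 1, 0, 0)  # response + authoritative
    return header + name_encode("*") + b"\x00" + struct.pack(">HHIH", QTYPE_NBSTAT, QCLASS_IN, 0, len(rdata)) + rdata

if __name__ == "__main__":
    names, stats = parse_nbstat_response(constructed_response())
    print([(n["name"], n["suffix"], flags_to_string(n["flags"])) for n in names], stats[:6].hex(":"))
```

Sending build_nbstat_request() to UDP/137 and feeding the reply to parse_nbstat_response() is all a live probe needs; the parser rejects short datagrams, replies with a foreign transaction id or an RCODE, and an entry count that overruns the record length, which is exactly where a hand-rolled NBSTAT parser usually goes wrong.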
