For historical reasons, Windows computers often use a protocol called NetBIOS. Although originally used only within LANs, NetBIOS has been extended so that it can run over TCP/IP, allowing organizations to provide Windows file- and print-sharing services across a WAN. A helpful command to identify a user over a network using NetBIOS is nbtstat. nbtstat is a standard component on all current Windows platforms, and a Linux version is also available.[8]

From your remote computer you can run this command against either the suspect's IP address (the -A switch takes an IP address):

nbtstat -A 123.456.789.000

or against a specific machine name (the -a switch takes a name):

nbtstat -a suspect.computer.com

nbtstat displays protocol statistics and current TCP/IP connections using NBT (NetBIOS over TCP/IP). Its usage and switches are as follows; if the remote computer is reachable over the network, the -a and -A switches return its NetBIOS name table:

NBTSTAT [-a RemoteName] [-A IP address] [-c] [-n] [-r] [-R] [-s] [-S] [interval]

  -a   (adapter status) Lists the remote machine's name table given its name
  -A   (Adapter status) Lists the remote machine's name table given its IP address.
  -c   (cache)          Lists the remote name cache including the IP addresses
  -n   (names)          Lists local NetBIOS names.
  -r   (resolved)       Lists names resolved by broadcast and via WINS
  -R   (Reload)         Purges and reloads the remote cache name table
  -S   (Sessions)       Lists sessions table with the destination IP addresses
  -s   (sessions)       Lists sessions table converting destination IP addresses to host names via the hosts file.

  RemoteName   Remote host machine name.
  IP address   Dotted decimal representation of the IP address.
  interval     Redisplays selected statistics, pausing interval seconds between each display. Press Ctrl+C to stop redisplaying statistics.

If a user is logged into the computer, you receive output similar to that shown in Figure 2-17. As you can see, it provides the machine name, the Windows NT domain the computer is registered in (in this case, a domain named "security"), and the MAC address. Since the MAC address is unique, it is a positive method of identifying a computer after it has been seized. Unless the NIC is swapped out, you have a promising lead that this is the computer you're looking for. nbtstat is a handy command because it enables you to associate a user with an IP address and then copy and paste that information into a document that you can print.

Figure 2-17 nbtstat output

We mostly use the nbtstat command from within our network, since nbtstat issues a User Datagram Protocol (UDP) request, which is blocked by default on many firewalls. Don't be surprised if you can ping the system but an nbtstat returns "host not found" on a computer you know to be a Windows platform.
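To show what nbtstat -A actually receives over the wire, here is an added Python example (not from the book): it builds a constructed NetBIOS node-status response in the RFC 1002 layout that nbtstat displays, then parses out the fields the text walks through, namely the machine name, the domain (a group <00> entry), the logged-on user (a <03> entry) and the MAC address carried in the statistics block. Every name, the domain and the MAC below are made-up sample values.

```python
import struct

# Constructed NetBIOS node-status (NBSTAT) response, the UDP/137 reply that
# nbtstat -A displays, laid out per RFC 1002 section 4.2.18. Every name, the
# domain and the MAC below are made-up sample values.
def build_sample_response() -> bytes:
    names = [
        (b"WORKSTN1", 0x00, 0x0400),  # unique <00>: workstation service
        (b"SECURITY", 0x00, 0x8400),  # group  <00>: domain / workgroup name
        (b"WORKSTN1", 0x20, 0x0400),  # unique <20>: file server service
        (b"JSMITH",   0x03, 0x0400),  # unique <03>: messenger name of logged-on user
    ]
    rdata = bytes([len(names)])                        # NUM_NAMES
    for name, suffix, flags in names:                  # 18-byte NODE_NAME entries
        rdata += name.ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", flags)
    rdata += bytes.fromhex("001122334455") + b"\x00" * 40  # STATISTICS: UNIT_ID (MAC) first
    header = struct.pack(">HHHHHH", 0x1234, 0x8400, 0, 1, 0, 0)  # response, 1 answer RR
    rr_name = b"\x20" + b"CK" + b"AA" * 15 + b"\x00"   # half-ASCII encoded "*" wildcard
    return header + rr_name + struct.pack(">HHIH", 0x0021, 0x0001, 0, len(rdata)) + rdata

def parse_node_status(pkt: bytes) -> dict:
    """Extract what an examiner records from nbtstat -A output: name, domain, user, MAC."""
    _, _, _, ancount, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    if ancount != 1:
        raise ValueError("expected exactly one answer record")
    off = 12
    while pkt[off] != 0:                 # skip the label-encoded RR_NAME
        off += 1 + pkt[off]
    off += 1
    rr_type, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
    if rr_type != 0x0021:
        raise ValueError("not an NBSTAT record")
    rdata = pkt[off + 10:off + 10 + rdlen]
    entries, pos = [], 1
    for _ in range(rdata[0]):
        raw, suffix = rdata[pos:pos + 15], rdata[pos + 15]
        nflags = struct.unpack(">H", rdata[pos + 16:pos + 18])[0]
        entries.append({"name": raw.rstrip(b" \x00").decode("latin-1"),
                        "suffix": suffix, "group": bool(nflags & 0x8000)})  # G bit
        pos += 18
    mac = ":".join(f"{b:02X}" for b in rdata[pos:pos + 6])   # UNIT_ID = NIC MAC
    machine = next((e["name"] for e in entries if e["suffix"] == 0 and not e["group"]), None)
    domain = next((e["name"] for e in entries if e["suffix"] == 0 and e["group"]), None)
    users = [e["name"] for e in entries
             if e["suffix"] == 0x03 and not e["group"] and e["name"] != machine]
    return {"machine": machine, "domain": domain, "users": users, "mac": mac, "names": entries}

if __name__ == "__main__":
    print(parse_node_status(build_sample_response()))
```

The same parser applies to a response captured from a live host, which is why the MAC and name table can be preserved as evidence exactly as received rather than retyped from the console.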
