NBTscan

NBTscan is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network.[1][2][3][4]

ID: S0590
Type: TOOL
Platforms: Windows, Linux, macOS
Contributors: Daniyal Naeem, BT Security
Version: 1.0
Created: 17 March 2021
Last Modified: 24 April 2021

Techniques Used

Domain ID Name Use
Enterprise T1046 Network Service Discovery

NBTscan can be used to scan IP networks.[1][2]

Enterprise T1040 Network Sniffing

NBTscan can dump and print whole packet content.[1][2]

Enterprise T1018 Remote System Discovery

NBTscan can list NetBIOS computer names.[1][2]

Enterprise T1016 System Network Configuration Discovery

NBTscan can be used to collect MAC addresses.[1][2]

Enterprise T1033 System Owner/User Discovery

NBTscan can list active users on the system.[1][2]

Groups That Use This Software

ID Name References
G0027 Threat Group-3390

[5][6]

G0135 BackdoorDiplomacy

[7]

G0131 Tonto Team

[8]

G0093 GALLIUM

[9]

G0087 APT39

[4]

G0010 Turla

[3]

G0129 Mustang Panda

[10]

References