1. Home
  2. Software
  3. NBTscan

NBTscan

NBTscan is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network.[1][2][3][4]

ID: S0590
Type: TOOL
Platforms: Windows, Linux, macOS
Contributors: Daniyal Naeem, BT Security
Version: 1.0
Created: 17 March 2021
Last Modified: 24 April 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1046 Network Service Scanning

NBTscan can be used to scan IP networks.[1][2]
Enterprise T1040 Network Sniffing

NBTscan can dump and print whole packet content.[1][2]

Enterprise T1018 Remote System Discovery

NBTscan can list NetBIOS computer names.[1][2]

Enterprise T1016 System Network Configuration Discovery

NBTscan can be used to collect MAC addresses.[1][2]

Enterprise T1033 System Owner/User Discovery

NBTscan can list active users on the system.[1][2]

Groups That Use This Software

ID Name References
G0093 GALLIUM

[5]
G0087 APT39

[4]
G0027 Threat Group-3390

[6]
G0010 Turla

[3]
G0129 Mustang Panda

[7]
G0135 BackdoorDiplomacy

[8]
G0131 Tonto Team

[9]

References

  1. Bezroutchko, A. (2019, November 19). NBTscan man page. Retrieved March 17, 2021.
  2. SecTools. (2003, June 11). NBTscan. Retrieved March 17, 2021.
  3. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  4. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
  5. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  1. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  2. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
  3. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021
  4. Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.