nbtscan is a command line tool that finds exposed NETBIOS nameservers, it’s a good first step for finding open shares.

Don't use the version of nbtscan that ships with KALI

Grab nbtscan from the above link and build it from source, this version tends to find more information

Compile nbtscan on KALI

root@kali:~/nbtscan# wget http://www.unixwiz.net/tools/nbtscan-source-1.0.35.tgz
root@kali:~/nbtscan# tar -xvzf nbtscan-source-1.0.35.tgz
root@kali:~/nbtscan# make
root@kali:~/nbtscan# ./nbtscan
nbtscan 1.0.35 - 2008-04-08 - http://www.unixwiz.net/tools/

usage: ./nbtscan [options] target [targets...]

   Targets are lists of IP addresses, DNS names, or address
   ranges. Ranges can be in /nbits notation ("")
   or with a range in the last octet ("")

nbtscan Cheat Sheet

Command Description

nbtscan -v

Displays the nbtscan version

nbtscan -f target(s)

This shows the full NBT resource record responses for each machine scanned, not a one line summary, use this options when scanning a single host

nbtscan -O file-name.txt target(s)

Sends output to a file

nbtscan -H

Generate an HTTP header

nbtscan -P

Generate Perl hashref output, which can be loaded into an existing program for easier processing, much easier than parsing text output

nbtscan -V

Enable verbose mode

nbtscan -n

Turns off this inverse name lookup, for hanging resolution

nbtscan -p PORT target(s)

This allows specification of a UDP port number to be used as the source in sending a query

nbtscan -m

Include the MAC (aka "Ethernet") addresses in the response, which is already implied by the -f option.