[Samba] any reliable way to discover Windows hostname over SMB2+?

Jason Haar jason_haar at trimble.com
Thu Jul 13 08:40:23 UTC 2017

Hi there

The WannaCry drama has got us pushing forward plans to  turn off SMB1
globally. Great, well, errr....

Well not so great. I'm in the security team and we've relied on using
smbclient in debug mode to reliably discover the Windows hostname.
nmblookup sometime's doesn't work, and let's not even mention DNS PTR
records! "smbclient -L -N -d10 2>&1|grep AvNbComputerName" works a

>From what I can see, one of the changes that is in SMB2 is that it's a lot
less chatty and doesn't hand over the Windows hostname like SMB1 does, so
the days of this smbclient hack will soon be over.

So does anyone have ideas on how to discover Windows hostnames when all you
have is an IP address? Currently I'm moving to scraping the TLS data off
the RDP port - but that doesn't work if you're set for NLA, don't have it
enabled, etc. Has to be unauthenticated too (if all you have is an IP
address, you can't even guess at what random creds to throw at it).
Basically, is there a SMB2 trick to make the system give up it's hostname?



Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the samba mailing list