[Samba] any reliable way to discover Windows hostname over SMB2+?

Giulio giulioo at gmail.com
Thu Jul 13 22:32:24 UTC 2017

- smbclient supports smb2/smb3 starting from samba-4x, and you need to
use -m smb2/smb3.
- starting from samba 4.7.0rc1 smbclient defaults to -m smb3_11 (no
need to use -m)
- samba-3.x  supports smb2  server side only (setting "max protocol"),
smbclient is smb1/nt1 only in 3.x.

I did some tests running smbclient against a win7 machine

smbclient 3.x (smb1 only)
  $ smbclient  -d 10 -L -N  2>&1|grep AvNb|wc -l
  8   <== info is present

smbclient 4.7.0rc1 smb1 mode:
  $ smbclient  -d 10 -L -N -m nt1 2>&1|grep AvNb|wc -l
  0   <== no more

smbclient 4.7.0rc1 smb2 mode:
  $ ./smbclient  -d 10 -L -N -m smb2 2>&1|grep AvNb|wc -l
  0   <== no more

It seems that kind of debug message is gone even when using smb1 with
newer smbclient versions.


rpcclient 3.x
  $ rpcclient -U ""  -c srvinfo -N -d 10 2>&1|grep AvNb|wc -l

  $ rpcclient -U wrong%wrong  -c srvinfo -N -d 10 2>&1|grep AvNb|wc -l
  8  <== works

rpcclient 4.7.0rc1 is like newer smbclient, the info is not there anymore.


If you need this, I'd investigate using some kind of LLMNR client,
since this is the "zeroconf" way to get Windows names: when you
disable smb1 on Windows, netbios name resolution gets disabled too,
and automatic name resolution is LLMNR only.

For instance, this https://nmap.org/nsedoc/scripts/llmnr-resolve.html
will do name-to-IP via LLMNR using nmap from command line.

To do the reverse lookup, I tried changing the script where it uses
"0x0001 Host address" to "0x000C PTR" and asking for; the Windows PC will answer something but
the script output is garbled because it expects to print an IP, and I
don't know Lua to change the script to properly format the new answer,
however I can see the Windows PC name in the tcpdump output (in a UDP
packet coming from the Windows PC), so it's possible.
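The reverse LLMNR lookup described above, as an added stand-alone example (not code from this post, from Samba, or from the nmap llmnr-resolve script): it builds the PTR query for an IPv4 address, multicasts it to the RFC 4795 group, and parses the answer, including the DNS-style name compression that a formatter expecting an IP address chokes on. Transaction ID, timeout and the sample names in the comments are assumptions.

```python
import socket, struct
LLMNR_GROUP, LLMNR_PORT, QTYPE_PTR = "224.0.0.252", 5355, 12   # RFC 4795 group/port; PTR = 0x000C

def encode_name(name):
    """Encode a dotted name as DNS-style length-prefixed labels."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_ptr_query(ip, txid=0x1234):
    """LLMNR standard query for the in-addr.arpa name of an IPv4 address."""
    rev = ".".join(reversed(ip.split("."))) + ".in-addr.arpa"
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)   # flags 0 = query, QDCOUNT 1
    return header + encode_name(rev) + struct.pack("!HH", QTYPE_PTR, 1)   # class IN

def decode_name(data, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while data[off]:                                 # until the terminating zero label
        if data[off] & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        n = data[off]
        labels.append(data[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels), (off + 1 if end is None else end)

def parse_ptr_response(data, txid=0x1234):
    """Return the PTR target (the responder's host name), or None if unusable."""
    rid, flags, qd, an = struct.unpack("!HHHH", data[:8])
    if rid != txid or not flags & 0x8000 or flags & 0x000F:   # ID mismatch, not a response, RCODE set
        return None
    off = 12
    for _ in range(qd):                              # skip the echoed question section
        off = decode_name(data, off)[1] + 4
    for _ in range(an):
        off = decode_name(data, off)[1]
        qtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if qtype == QTYPE_PTR:
            return decode_name(data, off + 10)[0]
        off += 10 + rdlen                            # skip other record types
    return None

def resolve_reverse(ip, timeout=1.0):
    """Multicast the query; the address owner replies by unicast (None on timeout)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_ptr_query(ip), (LLMNR_GROUP, LLMNR_PORT))
        try:
            return parse_ptr_response(s.recvfrom(512)[0])
        except socket.timeout:
            return None
```

`resolve_reverse("192.168.0.1")` returns the responding host's name, or None when nothing on the segment answers within the timeout.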
