NetBIOS Name


This topic contains 9 replies, has 6 voices, and was last updated by a Participant 8 months, 1 week ago.

  • #25617

    Participant
    Points: -19
    Rank: Member

    Hello All!

    I have faced a problem, and I do not have any idea how to find a solution.
    Here is the situation: I have a domain A. That domain has a few external trusts (one direction); I have no admin access to this domain A. Now I have a list of servers that respond as xxxxx.A.net but do not exist in that domain (I believe these servers are just added to DNS). I know that the real objects exist in external domain B (separate forest), but they ping like servers from domain A.

    My question is: is there any possibility to verify (via PS) the real NetBIOS name of the real domain where that server exists?

    Thank You!

  • #25622

    Participant
    Points: 0
    Rank: Member

    If you only want to know the domain a computer is a member of, you can use WMI to query the class Win32_ComputerSystem.
    Example:

    # DNS name of the domain (or workgroup) the local computer belongs to
    $DNSForestName = (Get-WmiObject -Class Win32_ComputerSystem).Domain

    If you want the NetBIOS name of the domain, query the class Win32_NTDomain and filter on DnsForestName.
    Example:

    $DNSForestName = (Get-WmiObject -Class Win32_ComputerSystem).Domain
    # Win32_NTDomain lists the computer's own domain and its trusted domains; keep the entry whose DNS name matches
    $DomainNetbios = (Get-WmiObject -Class Win32_NTDomain -Filter "DnsForestName = '$DNSForestName'").DomainName
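An added example (not code from the thread) that extends the Win32_ComputerSystem / Win32_NTDomain approach in the reply above to a remote host: it queries the host over CIM/WinRM, reads the DNS and NetBIOS names of the domain the host says it belongs to, and flags hosts whose reported domain differs from the DNS suffix they were reached by (the xxxxx.A.net-but-really-in-B situation from the question). It assumes WinRM is enabled on the target and that the supplied account is permitted to use WMI/CIM there; the function and parameter names are chosen here and are not from any module.

```powershell
function Get-DomainMembership {
    [CmdletBinding()]
    param(
        # Name the host is known by in DNS, e.g. 'server01.A.net' (placeholder)
        [Parameter(Mandatory, ValueFromPipeline)] [string] $ComputerName,
        # Account valid on the target; omitted = current user
        [pscredential] $Credential
    )
    process {
        # DNS suffix the host was addressed by (what DNS claims it is)
        $queriedSuffix = if ($ComputerName -match '^[^.]+\.(.+)$') { $Matches[1] } else { $null }
        $session = $null

        $sessionArgs = @{ ComputerName = $ComputerName; ErrorAction = 'Stop' }
        if ($Credential) { $sessionArgs.Credential = $Credential }

        try {
            $session = New-CimSession @sessionArgs
            $cs = Get-CimInstance -CimSession $session -ClassName Win32_ComputerSystem -ErrorAction Stop

            # Win32_NTDomain lists the machine's own domain plus trusted ones; pick the entry whose
            # DNS name matches what Win32_ComputerSystem reports, as the reply above does.
            # Assumption: in a multi-domain forest DnsForestName may hold the forest root rather
            # than the member domain, so fall back to the first entry when nothing matches.
            $netbios = $null
            if ($cs.PartOfDomain) {
                $nt = Get-CimInstance -CimSession $session -ClassName Win32_NTDomain -ErrorAction SilentlyContinue
                $match = $nt | Where-Object { $_.DnsForestName -eq $cs.Domain } | Select-Object -First 1
                if (-not $match) { $match = $nt | Select-Object -First 1 }
                $netbios = $match.DomainName
            }

            [pscustomobject]@{
                ComputerName   = $ComputerName
                ReportedHost   = $cs.DNSHostName
                PartOfDomain   = $cs.PartOfDomain
                ReportedDomain = if ($cs.PartOfDomain) { $cs.Domain } else { $cs.Workgroup }
                NetbiosDomain  = $netbios
                QueriedSuffix  = $queriedSuffix
                # True when the host answers as x.A.net but reports membership in another domain
                SuffixMismatch = [bool]($cs.PartOfDomain -and $queriedSuffix -and ($cs.Domain -ne $queriedSuffix))
                Error          = $null
            }
        }
        catch {
            # Non-Windows hosts, or hosts without WinRM/WMI access for this account, land here
            [pscustomobject]@{
                ComputerName = $ComputerName; ReportedHost = $null; PartOfDomain = $null
                ReportedDomain = $null; NetbiosDomain = $null; QueriedSuffix = $queriedSuffix
                SuffixMismatch = $null; Error = $_.Exception.Message
            }
        }
        finally {
            if ($session) { Remove-CimSession $session }
        }
    }
}

# Usage (names are placeholders):
# 'server01.A.net', 'server02.A.net' | Get-DomainMembership -Credential (Get-Credential) | Format-Table
```

Rows with SuffixMismatch = True are the DNS-only entries the question describes; rows with a non-empty Error column are the hosts that will need a different method (the DNS-based checks later in this thread, for example).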
    
  • #25703

    Participant
    Points: 1
    Rank: Member

    If you open the TCP settings on a computer, it might have a list of DNS suffixes under the DNS portion of the IPv4 TCP/IP settings.

    A Windows machine will respond with its FQDN regardless of whether or not it's a member of the AD domain by the same name. The DNS suffix list makes it respond with that FQDN.

    Good luck finding those machines. Don't forget ARP will return MAC Addresses and those MACs can be used by a network engineer to trace it back to a switch port. From there you trace the patch cable back to the physical device.

    • #97971

      Participant
      Points: 1
      Rank: Member

      This last statement is not really correct.

      If you open the TCP settings on a computer, it might have a list of DNS suffixes under the DNS portion of the IPv4 TCP/IP settings.

      It is possible to have a DNS suffix list that does not include the name of the domain the workstation is a part of.

      A Windows machine will respond with its FQDN regardless of whether or not it's a member of the AD domain by the same name. The DNS suffix list makes it respond with that FQDN.

      This is not necessarily correct. If a Windows machine is on a different IP segment and doesn't have permissions to register in a dynamic DNS server (and the DHCP server is also not doing the registration), then trying to find a host by its fully qualified name won't work.

      ARP only maps IP addresses to MAC addresses, and really has nothing to do with name resolution.

  • #25705

    Participant
    Points: 60
    Rank: Member

    Hey Gsky,

    You don't need an admin account to be able to list user or computer objects; you can do this from a standard domain account with an LDAP query. Ask for a standard user account for the other domain, use an LDAP query with a search and grab the DistinguishedName, cut off the domain suffix, and you'll have your NETBIOS name.

    If querying has been locked down for whatever reason so you can't use a standard account, ask for delegated rights to the OU the computers are in, with list permissions (can't recall the exact property name required), and you will then be able to use your LDAP query.

    cheers,

    Tim

    • #97972

      Participant
      Points: 1
      Rank: Member

      If you use DNS as your way of doing your investigation, you don't really even need an account in the domain, or any of its trusted domains. DNS lookups generally don't have permissions (although there are exceptions in a poorly configured DNS server).

      However, the problem still remains:

      [...] with an LDAP query. Ask for a standard user account for the other domain, use an LDAP query with a search and grab the DistinguishedName, cut off the domain suffix, and you'll have your NETBIOS name.

      This only works if the distinguished domain name is the same as the NetBIOS domain (i.e. if you assume AD.Mycorp.local has a DN of 'AD'; however, this is not really a valid test because whoever created the domain may have given AD.Mycorp.local a NetBIOS name of 'Root'). So while this may work, it's relying on luck more than anything else. It also assumes you allow anonymous lookups against the target domain (which is very often turned off as a security precaution).

      Finally:

      If querying has been locked down for whatever reason so you can't use a standard account, ask for delegated rights to the OU the computers are in, with list permissions (can't recall the exact property name required), and you will then be able to use your LDAP query.

      First step, make sure you're doing a BIND against the LDAP server WITH credentials. List permissions to the domain are almost always granted to authenticated users so that workstations can find their place before they are logged in, and so users can be located before being authenticated so that the ID in question can be authenticated. If your workstation can't find your ID, it has no way of knowing what policies need to be applied to that ID (as in what OU your account is a member of).
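An added example (not from either of the two posts above) that does what they both circle around: read the NetBIOS name of a domain from Active Directory itself rather than guessing it from a DistinguishedName, and do it with an explicit credentialed bind using a standard (non-admin) account. The NetBIOS name of each domain in a forest is stored on its crossRef object under CN=Partitions in the Configuration partition (attribute nETBIOSName, beside dnsRoot and nCName), which authenticated users can read by default. It uses only System.DirectoryServices, so the ActiveDirectory module is not required; the function name, parameter names and sample values are chosen here.

```powershell
function Get-DomainNetbiosName {
    [CmdletBinding()]
    param(
        # A DC or the DNS name of domain B, e.g. 'dc01.b.example' or 'b.example' (placeholders)
        [Parameter(Mandatory)] [string] $Server,
        # Standard user account in (or trusted by) the target domain
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    $user = $Credential.UserName
    $pass = $Credential.GetNetworkCredential().Password
    # Secure = Kerberos/NTLM bind (no anonymous or simple bind); Sealing = encrypt the session
    $authType = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
                [System.DirectoryServices.AuthenticationTypes]::Sealing

    # RootDSE tells us where the Configuration partition lives, so no DN has to be guessed
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/RootDSE", $user, $pass, $authType)
    $configNc = [string]$rootDse.Properties['configurationNamingContext'].Value
    $rootDse.Dispose()

    $partitions = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$Server/CN=Partitions,$configNc", $user, $pass, $authType)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($partitions)
    # Only domain partitions carry nETBIOSName; application partitions (DNS zones etc.) do not
    $searcher.Filter      = '(&(objectClass=crossRef)(nETBIOSName=*))'
    $searcher.SearchScope = 'OneLevel'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('dnsRoot', 'nETBIOSName', 'nCName', 'trustParent'))

    try {
        foreach ($r in $searcher.FindAll()) {
            [pscustomobject]@{
                DnsRoot     = [string]$r.Properties['dnsroot'][0]
                NetbiosName = [string]$r.Properties['netbiosname'][0]
                NCName      = [string]$r.Properties['ncname'][0]
                # trustParent is set on child domains; the forest root has none
                IsChild     = $r.Properties.Contains('trustparent')
            }
        }
    }
    finally {
        $searcher.Dispose()
        $partitions.Dispose()
    }
}

# Usage (placeholders): returns one row per domain in the forest that $Server belongs to
# Get-DomainNetbiosName -Server 'b.example' -Credential (Get-Credential 'B\standarduser')
```

Running this once against domain B (and once against A, if an account there is available) gives the authoritative DNS-to-NetBIOS mapping for every domain in each forest, which is what you compare against the domain a server reports via Win32_ComputerSystem. If the bind fails with an access error the account lacks read on the Configuration partition, which is the "locked down" case Tim mentions; if it succeeds anonymously you have found the misconfiguration the reply warns about.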

  • #25707

    Member
    Points: 0
    Rank: Member

    Another option is to use nbtstat -A $ipAddress, and look for the line that has a suffix of and type GROUP. In PowerShell, that might look something like this:

    $ipaddress = '1.2.3.4'

    # nbtstat -A queries the remote adapter's NetBIOS name table; the GROUP record with
    # suffix <00> carries the domain or workgroup name
    $nbtstat = nbtstat.exe -A $ipaddress

    # Match the name in the same expression that extracts it, so $matches is always the right one
    $domainOrWorkgroup = $nbtstat | ForEach-Object { if ($_ -match '^\s*(\S+)\s*<00>\s*GROUP') { $matches[1] } }
    
    • #97975

      Participant
      Points: 1
      Rank: Member

      This assumes you have elevated permissions to the target machine. Even going against your local machine, this may not work.

  • #25824

    Participant
    Points: -19
    Rank: Member

    Thank you all,

    @dave – unfortunately nbtstat does not work here (returns 0.0.0.0)

    The solution to my problem was Win32_ComputerSystem given by @simon,

    If you only want to know the domain a computer is a member of you can use WMI to query the class Win32_ComputerSystem

    This works perfectly on servers with WMI services; I can check the real domain name where the server object exists. Knowing this, I have created a simple query using Get-ADComputer to verify the object on the domain (if there is no object, then the script checks Win32_ComputerSystem).

    But what about non-Windows servers (NAS filers etc.)? Is there any option to verify the domain name that object comes from?
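An added example (not from the thread) for the non-Windows case, where WMI and nbtstat give nothing: it relies only on DNS, as an earlier reply suggested. For each name it follows any CNAME, resolves the A records, does a reverse (PTR) lookup on each address, and flags names whose alias target or PTR record lives in a different zone than the name you queried; a nas01.A.net that is really nas01.B.local usually shows up that way. It uses Resolve-DnsName from the DnsClient module (Windows 8 / Server 2012 and later); the function name and sample names are chosen here.

```powershell
function Test-DnsNameConsistency {
    [CmdletBinding()]
    param(
        # Name as it appears in your list, e.g. 'nas01.A.net' (placeholder)
        [Parameter(Mandatory, ValueFromPipeline)] [string] $Name,
        # Optional DNS server to query instead of the client's configured resolvers
        [string] $Server
    )
    process {
        $dnsArgs = @{ Name = $Name; DnsOnly = $true; ErrorAction = 'Stop' }
        if ($Server) { $dnsArgs.Server = $Server }
        # Zone the queried name sits in: everything after the first label
        $querySuffix = ($Name -split '\.', 2)[1]

        try {
            $answers = Resolve-DnsName @dnsArgs
            # A CNAME means the queried name is only an alias; its target reveals the real zone
            $cname = ($answers | Where-Object Type -eq 'CNAME' | Select-Object -First 1).NameHost
            $ips   = $answers | Where-Object Type -eq 'A' | ForEach-Object IPAddress

            foreach ($ip in $ips) {
                $ptr = $null
                try {
                    $ptr = (Resolve-DnsName -Name $ip -Type PTR -DnsOnly -ErrorAction Stop |
                            Where-Object Type -eq 'PTR' | Select-Object -First 1).NameHost
                }
                catch { }   # no reverse zone or no PTR record: $ptr stays null, which is itself a finding
                $ptrSuffix = if ($ptr) { ($ptr -split '\.', 2)[1] } else { $null }

                [pscustomobject]@{
                    Name        = $Name
                    CnameTarget = $cname
                    IPAddress   = $ip
                    PtrName     = $ptr
                    # Alias into another zone, or PTR in another zone: the A.net name is likely a DNS-only entry
                    OtherZone   = [bool]($cname -and -not $cname.EndsWith(".$querySuffix", 'OrdinalIgnoreCase')) -or
                                  [bool]($ptrSuffix -and $ptrSuffix -ne $querySuffix)
                    Error       = $null
                }
            }
        }
        catch {
            # NXDOMAIN, timeout, or a name with no A records
            [pscustomobject]@{
                Name = $Name; CnameTarget = $null; IPAddress = $null; PtrName = $null
                OtherZone = $null; Error = $_.Exception.Message
            }
        }
    }
}

# Usage (placeholders):
# 'nas01.A.net', 'nas02.A.net' | Test-DnsNameConsistency | Format-Table -AutoSize
```

The check is only as good as the reverse zones: a device whose PTR was never registered returns PtrName empty and OtherZone False, so treat an empty PtrName as "unknown, go ask the network team" rather than as confirmation that the name is genuine. Pass -Server with a DNS server of domain B to see whether B holds its own records for the same hosts.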

  • #97977

    Participant
    Points: 1
    Rank: Member

    Wow, everyone seems to be making this so difficult.

    For your local workstation, from a CMD prompt, do a set user.

    The results should look like (in my case):
    C:\Users\abc123>set user
    USERDNSDOMAIN=AD.ADROOT.COM
    USERDOMAIN=ADNetbios

    This gives you the DNS domain name, and the NetBIOS name of the domain you are logged into.

The topic ‘NetBIOS Name’ is closed to new replies.