├── README.md
├── .gitattributes
├── SharpNBTScan
├── app.config
├── Properties
│ └── AssemblyInfo.cs
├── SharpNBTScan.csproj
└── Program.cs
└── SharpNBTScan.sln
/README.md:
--------------------------------------------------------------------------------
1 | # SharpNBTScan
2 |
3 | SharpNBTScan.exe TargetIP
4 |
--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
1 | # Auto detect text files and perform LF normalization
2 | * text=auto
3 |
--------------------------------------------------------------------------------
/SharpNBTScan/app.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/SharpNBTScan.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.30413.136
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpNBTScan", "SharpNBTScan\SharpNBTScan.csproj", "{A129DAFB-020A-4F0C-8D79-7B3C47E437A3}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {A129DAFB-020A-4F0C-8D79-7B3C47E437A3}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {A129DAFB-020A-4F0C-8D79-7B3C47E437A3}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {A129DAFB-020A-4F0C-8D79-7B3C47E437A3}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {A129DAFB-020A-4F0C-8D79-7B3C47E437A3}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {79728E1F-311D-4CE1-88BE-9A1BC3B1C81D}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/SharpNBTScan/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;

// Assembly-level metadata for the SharpNBTScan executable. Nothing here affects
// program logic; these attributes only describe the compiled assembly.

// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
// Description, configuration, company, trademark and culture are left empty.
[assembly: AssemblyTitle("SharpNBTScan")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("SharpNBTScan")]
[assembly: AssemblyCopyright("Copyright © 2020")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
// It is the same value as the project GUID in SharpNBTScan.sln and SharpNBTScan.csproj
// and is stored in the compiled assembly's metadata, so unmodified builds of this
// project carry it as a stable identifier.
[assembly: Guid("a129dafb-020a-4f0c-8d79-7b3c47e437a3")]

// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
// Both the assembly version and the file version are pinned to 1.0.0.0.
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/SharpNBTScan/SharpNBTScan.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {A129DAFB-020A-4F0C-8D79-7B3C47E437A3}
8 | Exe
9 | SharpNBTScan
10 | SharpNBTScan
11 | v4.0
12 | 512
13 | true
14 |
15 |
16 |
17 | AnyCPU
18 | true
19 | full
20 | false
21 | bin\Debug\
22 | DEBUG;TRACE
23 | prompt
24 | 4
25 |
26 |
27 | AnyCPU
28 | pdbonly
29 | true
30 | bin\Release\
31 | TRACE
32 | prompt
33 | 4
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
--------------------------------------------------------------------------------
/SharpNBTScan/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Net;
3 | using System.Linq;
4 | using System.Text;
5 | using System.Net.Sockets;
6 | using System.Collections;
7 | using System.Globalization;
8 |
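namespace SharpNBTScan
{
    /// <summary>
    /// Console tool that sends one NetBIOS node status (NBSTAT) query to UDP port 137 of a
    /// single IPv4 host and prints the names and the unit ID found in the reply.
    /// </summary>
    /// <remarks>
    /// Every byte of the reply is supplied by the remote host and must be treated as
    /// untrusted: parsing is bounded by the number of bytes actually received, and decoded
    /// names have control characters replaced before they are written to the console.
    /// </remarks>
    class Program
    {
        // UDP port the query is sent to.
        private const int NameServicePort = 137;

        // Socket receive timeout, in milliseconds.
        private const int ReceiveTimeoutMs = 3000;

        // Offsets into the reply: 16-bit big-endian data length, then the one-byte name count,
        // immediately followed by the name table.
        private const int RDataLengthOffset = 54;
        private const int NameCountOffset = 56;

        // Each name table entry is 18 bytes: 15 name bytes, 1 suffix byte, 2 flag bytes.
        private const int NameEntryLength = 18;

        // The 6-byte unit ID (MAC address) follows the name table.
        private const int UnitIdLength = 6;

        // Fixed 50-byte node status request: transaction ID 0xEE33, one question, the
        // wildcard name (0x20 length byte, "CK" followed by 30 'A' characters, terminating
        // 0x00), question type 0x0021 and class 0x0001.
        private static readonly byte[] nbtstat = new byte[] {
            0xee, 0x33, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x20, 0x43, 0x4b, 0x41,
            0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
            0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
            0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
            0x41, 0x41, 0x41, 0x41, 0x41, 0x00, 0x00, 0x21,
            0x00, 0x01
        };

        /// <summary>
        /// Converts a hexadecimal string to a byte array, two characters per byte.
        /// </summary>
        /// <param name="hexContent">Hex digits without separators.</param>
        /// <returns>The decoded bytes; a trailing unpaired digit is ignored.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="hexContent"/> is null.</exception>
        /// <exception cref="FormatException">A character pair is not valid hexadecimal.</exception>
        private static byte[] Hex2Byte(String hexContent)
        {
            if (hexContent == null)
            {
                throw new ArgumentNullException("hexContent");
            }

            byte[] bytes = new byte[hexContent.Length / 2];
            for (int i = 0; i < bytes.Length; i++)
            {
                // Every two characters form one byte.
                bytes[i] = byte.Parse(hexContent.Substring(i * 2, 2), NumberStyles.HexNumber, CultureInfo.InvariantCulture);
            }
            return bytes;
        }

        /// <summary>
        /// Decodes a slice of a hex string into text using the system default encoding.
        /// </summary>
        /// <param name="SourceString">Hex string to read from.</param>
        /// <param name="left">Start index, in characters.</param>
        /// <param name="right">Number of characters to take (a length, not an end index).</param>
        /// <returns>The decoded text.</returns>
        private static string Conversion(String SourceString, int left, int right)
        {
            return Encoding.Default.GetString(Hex2Byte(SourceString.Substring(left, right)));
        }

        /// <summary>
        /// Splits a string into consecutive pieces of a fixed length.
        /// </summary>
        /// <param name="SourceString">Text to split; surrounding whitespace is trimmed first.</param>
        /// <param name="Length">Piece length in characters; must be positive.</param>
        /// <returns>The pieces in order; the last one may be shorter than <paramref name="Length"/>.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="SourceString"/> is null.</exception>
        /// <exception cref="ArgumentOutOfRangeException"><paramref name="Length"/> is zero or negative.</exception>
        private static ArrayList SplitLength(string SourceString, int Length)
        {
            if (SourceString == null)
            {
                throw new ArgumentNullException("SourceString");
            }
            if (Length <= 0)
            {
                // A non-positive step would never advance the loop below.
                throw new ArgumentOutOfRangeException("Length");
            }

            string trimmed = SourceString.Trim();
            ArrayList list = new ArrayList();
            for (int i = 0; i < trimmed.Length; i += Length)
            {
                list.Add(trimmed.Substring(i, Math.Min(Length, trimmed.Length - i)));
            }
            return list;
        }

        /// <summary>
        /// Replaces control characters so that text taken from the network cannot emit
        /// terminal control sequences when it is printed.
        /// </summary>
        private static string ToPrintable(string text)
        {
            StringBuilder cleaned = new StringBuilder(text.Length);
            foreach (char c in text)
            {
                cleaned.Append(char.IsControl(c) ? '.' : c);
            }
            return cleaned.ToString();
        }

        /// <summary>
        /// Builds the report line for one name table entry.
        /// </summary>
        /// <param name="entry">The entry as 36 upper-case hex characters.</param>
        /// <returns>The report line, or null when the suffix/flags pair is not recognised.</returns>
        private static string DescribeName(string entry)
        {
            string suffix = entry.Substring(30, 2);
            string nameFlags = entry.Substring(32);
            int nameStart = 0;
            int nameLength = 30;
            string label;

            // Flags 0400 mark a unique name and 8400 a group name.
            // NOTE(review): entries carrying any other flag value are not reported.
            if (suffix == "00" && nameFlags == "0400")
            {
                label = "Unique name -> (Workstation/Redirector)";
            }
            else if (suffix == "00" && nameFlags == "8400")
            {
                label = "Group name -> (Workstation/Redirector)";
            }
            else if (suffix == "1C" && nameFlags == "8400")
            {
                label = "Group name -> (Domain Controllers)";
            }
            else if (suffix == "20" && nameFlags == "0400")
            {
                label = "Unique name -> (Server service)";
            }
            else if (suffix == "1B" && nameFlags == "0400")
            {
                label = "Unique name -> (Domain Master Browser)";
            }
            else if (suffix == "1E" && nameFlags == "8400")
            {
                label = "Group name -> (Browser Election Service)";
            }
            else if (suffix == "1D" && nameFlags == "0400")
            {
                label = "Unique name -> (Local Master Browser)";
            }
            else if (entry.Substring(0, 4) == "0102" && nameFlags == "8400")
            {
                // Browser entry: skip the two leading 0x01 0x02 bytes and decode the next
                // 12 bytes. Flags 8400 are the group flags, so the label says "Group name".
                label = "Group name -> (Browser)";
                nameStart = 4;
                nameLength = 24;
            }
            else
            {
                return null;
            }

            return String.Format("\n [>] Name type: {0} -> Name: {1}<{2}>",
                label, ToPrintable(Conversion(entry, nameStart, nameLength)), suffix);
        }

        /// <summary>
        /// Formats the data length, name count, recognised names and unit ID of a reply.
        /// </summary>
        /// <param name="packet">Receive buffer.</param>
        /// <param name="received">Number of bytes of <paramref name="packet"/> that were received.</param>
        /// <returns>The report text, without the leading host banner.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="packet"/> is null.</exception>
        /// <exception cref="FormatException">The reply ends before the name count byte.</exception>
        private static string FormatNodeStatus(byte[] packet, int received)
        {
            if (packet == null)
            {
                throw new ArgumentNullException("packet");
            }

            received = Math.Min(received, packet.Length);
            if (received <= NameCountOffset)
            {
                throw new FormatException(String.Format("Response too short ({0} bytes) for a node status reply", received));
            }

            int dataLength = (packet[RDataLengthOffset] << 8) | packet[RDataLengthOffset + 1];
            int nameCount = packet[NameCountOffset];

            StringBuilder report = new StringBuilder();
            report.AppendFormat(" [+] Data length: {0}\n [+] Number of Names: {1}", dataLength, nameCount);

            // Only read entries that lie completely inside the received bytes; the count
            // byte comes from the remote host and may claim more than was sent.
            int namesStart = NameCountOffset + 1;
            int completeNames = Math.Min(nameCount, (received - namesStart) / NameEntryLength);
            if (completeNames > 0)
            {
                string namesHex = BitConverter.ToString(packet, namesStart, completeNames * NameEntryLength).Replace("-", "");
                foreach (string entry in SplitLength(namesHex, NameEntryLength * 2))
                {
                    string line = DescribeName(entry);
                    if (line != null)
                    {
                        report.Append(line);
                    }
                }
            }

            // The unit ID is only meaningful when the whole name table was present.
            int unitIdOffset = namesStart + nameCount * NameEntryLength;
            if (completeNames == nameCount && received - unitIdOffset >= UnitIdLength)
            {
                report.AppendFormat("\n [>] Uint ID(MAC Address): {0}", BitConverter.ToString(packet, unitIdOffset, UnitIdLength));
            }

            return report.ToString();
        }

        /// <summary>
        /// Main routine: queries one host and writes the report, or an error line, to the console.
        /// </summary>
        /// <param name="host">IPv4 address of the host to query.</param>
        private static void DetectionNBTscan(String host)
        {
            // The socket below is IPv4-only, so reject anything else before touching the network.
            IPAddress ipAddress;
            if (!IPAddress.TryParse(host, out ipAddress) || ipAddress.AddressFamily != AddressFamily.InterNetwork)
            {
                Console.WriteLine("[!] Error: {0}", "'" + host + "' is not a valid IPv4 address");
                return;
            }

            try
            {
                byte[] buffer = new byte[1024];
                int received;
                using (var sock = new Socket(AddressFamily.InterNetwork, SocketType.Dgram, ProtocolType.Udp))
                {
                    sock.SetSocketOption(SocketOptionLevel.Socket, SocketOptionName.ReceiveTimeout, ReceiveTimeoutMs);
                    sock.Connect(new IPEndPoint(ipAddress, NameServicePort));

                    sock.Send(nbtstat);
                    // Keep the byte count: everything past it in the buffer is not reply data.
                    received = sock.Receive(buffer);
                }

                Console.WriteLine(String.Format("\n[*] Detecting Remote Computer of {0}\n", host) + FormatNodeStatus(buffer, received));
            }
            catch (Exception ex)
            {
                Console.WriteLine("[!] Error: {0}", ex.Message);
            }
        }

        /// <summary>
        /// Entry point; expects the target IPv4 address as the first argument.
        /// </summary>
        static void Main(string[] args)
        {
            if (args == null || args.Length == 0 || String.IsNullOrWhiteSpace(args[0]))
            {
                Console.WriteLine("Usage: SharpNBTScan.exe TargetIP");
                return;
            }

            /*
             * Multithreaded (thread pool) processing.
             * NOTE(review): no thread pool is used here; a single host is processed per run.
             */
            DetectionNBTscan(args[0]);
        }
    }
}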
157 |
--------------------------------------------------------------------------------