nmap · s0i37 · Dec 10, 2020 · Dec 24, 2020 · Dec 29, 2020
diff --git a/nselib/netbios.lua b/nselib/netbios.lua
@@ -445,7 +445,7 @@ function nbquery(host, nbname, options)
         return false, "ERROR: Response contained no answers"
       end
       local dname = string.char(#resp.output.answers[1].dname) .. resp.output.answers[1].dname
-      table.insert( results, { peer = resp.peer, name = name_decode(dname) } )
+      table.insert( results, { peer = resp.peer, name = name_decode(dname), data = resp.output.answers[1].data } )
     end
     return true, results
   else

diff --git a/scripts/netbios-interfaces.nse b/scripts/netbios-interfaces.nse
@@ -0,0 +1,57 @@
+local shortport = require "shortport"
+local netbios = require "netbios"
+local string = require "string"
+local stdnse = require "stdnse"
+
+description = [[
+Attempts to retrieve via NetBIOS the target's network interfaces.
+Additional network interfaces may reveal more information about target.
+In particular, it is very useful for finding paths to non-routed networks if target has more than one NIC.
+]]
+
+---
+-- @usage
+-- nmap -sU --script netbios-interfaces.nse -p 137 <host>
+--
+-- @output
+-- PORT    STATE SERVICE
+-- 137/udp open  netbios-ns
+-- | netbios-interfaces: 
+-- |   hostname: NOTEBOOK-NB3
+-- |   interfaces: 
+-- |     192.168.128.100
+-- |     172.24.80.1
+-- |     172.27.96.1
+-- MAC Address: 9C:7B:EF:AA:BB:CC (Hewlett Packard)
+
+
+author = {"Andrey Zhukov from USSC"}
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+
+categories = {"default", "discovery", "safe"}
+
+portrule = shortport.portnumber(137, "udp", {"open", "open|filtered"})
+
+get_ip = function(buf)
+  return table.concat({buf:byte(1, 4)}, ".")
+end
+
+action = function(host)
+  local output = stdnse.output_table()
+  local status, server_name = netbios.get_server_name(host)
+  if(not(status)) then
+    return output, "Failed to get hostname"
+  end
+  local status, result = netbios.nbquery(host, server_name, { multiple = true })
+  if(not(status)) then
+    return output, "Failed to get remote network interfaces"
+  end
+  output.hostname = server_name
+  output.interfaces = {}
+  for k, v in ipairs(result) do
+    for i=1,string.len(v.data),6 do
+      output.interfaces[#output.interfaces + 1] = get_ip(v.data:sub(i+2,i+2+4))
+    end
+  end
+  return output, ""
+end
diff --git a/scripts/script.db b/scripts/script.db
@@ -389,6 +389,7 @@ Entry { filename = "ndmp-fs-info.nse", categories = { "discovery", "safe", } }
 Entry { filename = "ndmp-version.nse", categories = { "version", } }
 Entry { filename = "nessus-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "nessus-xmlrpc-brute.nse", categories = { "brute", "intrusive", } }
+Entry { filename = "netbios-interfaces.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "netbus-auth-bypass.nse", categories = { "auth", "safe", "vuln", } }
 Entry { filename = "netbus-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "netbus-info.nse", categories = { "default", "discovery", "safe", } }