nmblookup meaning

Kioptrix nmblookup returns <00> and <20> records: interpreting service roles (and what to do next)

by
nmblookup <00> <20> meaning

Stop Paying the “Quiet Tax” on Your Kioptrix Notes

If your notes keep turning into โ€œSMB serverโ€ฆ probably?โ€ after one glance at nmblookup, youโ€™re arguing with your past self at 2:00 AM. The usual culprit? Translating <00> and <20> records into certainty. (If your pain point is more like โ€œI see names but share listing is dead,โ€ jump to nbtscan shows hostname but no shares and compare symptoms.)

The Report-Safe Truth: A NetBIOS suffix is merely a hint of what a host is advertising. Suffixes like <00> and <20> are useful signals, but they are not proof of SMB reachability or share access.

This post provides a tight, low-noise confirm loop:

  • โœ”๏ธ Classify: Separate unique vs. group names.
  • โœ”๏ธ Context: Treat workgroup labels as clues, not conclusions.
  • โœ”๏ธ Corroborate: Quick 139/445 checks + SMB negotiation.

Two tools. One minute. Notes you can defend.

Fast Answer (snippet-ready): When nmblookup shows <00> and <20>, youโ€™re seeing NetBIOS name suffixes that describe what the host is advertising. In most lab cases, <00> is a name registration (often workstation/service name or a workgroup/domain group name) and <20> commonly indicates SMB file service registration. Treat suffixes as clues, not proof. Confirm SMB with a quick port/service check (139/445) and a share attempt via smbclient or SMB-focused Nmap scripts before you log conclusions.
nmblookup <00> <20> meaning

Who this is for / not for

For you ifโ€ฆ

  • Youโ€™re doing Kioptrix-style SMB/NetBIOS enumeration and your notes keep becoming โ€œmaybe-a-fileserverโ€ soup.
  • You want defensible interpretations of <00>, <20>, and the common weird cases.
  • Youโ€™re trying to stay low-noise and lab-safe while still being precise.

Not for you ifโ€ฆ

  • Youโ€™re enumerating a modern environment where NetBIOS is disabled and discovery relies on other mechanisms.
  • You want exploitation steps. This stays firmly in enumeration + interpretation + confirmation.

Decode-first: what NetBIOS suffixes actually represent

The mental model: โ€œnames + suffixesโ€ are advertised roles

NetBIOS name service replies are basically little identity cards taped to a hostโ€™s forehead. They tell you what names a machine is willing to answer to, and the suffix (the 16th byte) hints at the โ€œrole flavorโ€ of that name. But hereโ€™s the trap: this is an advertisement, not a completed background check.

If youโ€™ve used Nmap, Samba tools, or Wireshark in CTF labs, youโ€™ve already seen this pattern: the network says โ€œI might be X,โ€ and your job is to turn โ€œmightโ€ into โ€œisโ€ (or โ€œis notโ€) with one additional test.

Show me the nerdy details

NetBIOS over TCP/IP is specified in RFC 1001/1002, and the โ€œsuffixโ€ concept is widely used by Windows networking protocols and implementations. The suffix is carried as part of the 16-byte NetBIOS name, where the last byte encodes the suffix value. In practice, tools present it as <00>, <20>, and so on.

<00> isnโ€™t โ€œthe serviceโ€; itโ€™s โ€œwhat name is being claimedโ€

<00> is the one that causes the most note-taking chaos because it can show up as:

  • A unique name tied to the host (often what you think of as the computer name).
  • A group name tied to a workgroup or domain-like label (less personally useful, more โ€œcrowd identityโ€).

Iโ€™ve personally wasted a clean 30 minutes once by treating a <00> group registration like a hostname, then wondering why my next command behaved like it had stage fright. Lesson learned: the same suffix can be attached to different kinds of names.

<20> is the loudest hint for SMB file service

In many Windows and Samba-adjacent situations, <20> strongly suggests the machine is registering a name for file and printer sharing style service. It often correlates with โ€œSMB server capability,โ€ but itโ€™s still not proof that you can actually negotiate SMB from your vantage point.

Think of <20> as the sign outside a shop. It says โ€œopen.โ€ It does not guarantee the door isnโ€™t locked, the lights arenโ€™t off, or you arenโ€™t standing at the wrong entrance.

Letโ€™s be honestโ€ฆ

If youโ€™ve ever written โ€œSMB enabledโ€ from a suffix alone, you didnโ€™t write a note. You wrote a future argument with yourself.

nmblookup <00> <20> meaning

Kioptrix reality check: why youโ€™re seeing both <00> and <20>

Typical lab topology: Samba/Linux acting โ€œWindows-ishโ€

Kioptrix-era labs love the aesthetic of old-school Windows networking, even when the host is actually Linux with Samba. Thatโ€™s why youโ€™ll often see NetBIOS broadcasts that look โ€œWindows-likeโ€ in form, even if the underlying OS is not.

A quick trust cue: Sambaโ€™s own documentation describes nmblookup as a NetBIOS name query tool used in NetBIOS-over-TCP/IP networks. Thatโ€™s exactly the behavior youโ€™re poking with these labs.

Workgroup noise: <00> group names muddy the water

Sometimes your <00> record is a workgroup identity, not the specific host identity you hoped for. In practical terms, it means: yes, something on that IP is participating in a named group, but it doesnโ€™t hand you a clean, unique hostname you can confidently use in follow-on commands.

Multiple interfaces and aliases: one host, many names

Labs can be quirky: multiple interfaces, NAT layers, VM snapshots, and โ€œhelpfulโ€ aliases. A single host can register multiple names, and your query method can surface more than one of them. Iโ€™ve seen a lab box register names that looked like they were typed by someone half-asleep, which felt oddly relatable.

Read the output like a prosecutor: three questions to answer

1) Is the <00> entry a unique name or a group name?

Your first job is classification. If the tool output indicates group vs unique, believe it. If it doesnโ€™t, look for contextual clues:

  • Group names often resemble workgroup/domain labels youโ€™ve seen before (short, โ€œorganizationalโ€ words).
  • Unique names tend to resemble a host/computer identity, even if padded or oddly formatted.

When youโ€™re unsure, donโ€™t force it. Treat <00> as โ€œa name registration existsโ€ and move on to a confirmation tool.

Takeaway: Before you interpret suffixes, decide whether youโ€™re looking at a host identity or a group label.
  • Unique name helps you pivot to SMB identity checks.
  • Group name tells you โ€œmembership,โ€ not โ€œcapability.โ€
  • Uncertain classification is a signal to verify with ports/scripts.

Apply in 60 seconds: Write โ€œunique vs group unknownโ€ in notes, then validate with 139/445 checks (and if you need the nuance, review SMB null session differences on port 139 vs 445).

2) Does the <20> align with open SMB ports?

This is where you stop guessing and start correlating. If you see <20>, your next move is not poetry. Itโ€™s a quick check for SMB presence on:

  • TCP 445 (direct SMB)
  • TCP 139 (SMB over NetBIOS session service)

If both ports are closed from your scanning position, <20> becomes โ€œinteresting but not actionable yet.โ€ (And if youโ€™re troubleshooting why your scan โ€œmissedโ€ a service, the pattern shows up in Nmap service detection false positives more often than people admit.)

3) Are you querying the right thing?

Thereโ€™s a practical difference between querying โ€œa nameโ€ versus doing a node status style query against an IP. In Samba tooling, this commonly shows up as the difference between a basic query and a query that dumps a table of names tied to that host.

In plain terms: if your output feels thin or confusing, switch to an approach that yields a host table rather than a single-answer reply.

Money Block: Evidence eligibility checklist (yes/no)

Can you safely write โ€œSMB server likelyโ€ from this?

  • Yes if: <20> appears and 139/445 are reachable from your host.
  • Yes if: you can run an SMB negotiation script (or equivalent) and get a response.
  • No if: only <00> appears and ports are closed or untested.
  • No if: your query method only returned one name and you didnโ€™t confirm itโ€™s unique.

Next step: If any โ€œNo,โ€ run a 1-minute SMB confirmation pass and update notes.

Confirm SMB the quiet way: minimal commands, maximum certainty

Nmap confirmation pass (service presence, not guesses)

If you want high signal with low drama, Nmapโ€™s SMB NSE scripts are built for this moment. For example, the SMB OS discovery script is designed to attempt OS/workgroup/computer-name discovery over SMB on ports 445 or 139. Thatโ€™s not a suffix hint. Thatโ€™s an actual SMB conversation attempt.

My own workflow when Iโ€™m trying to stay disciplined in a lab: I do one fast scan to confirm ports, then one SMB script that forces a negotiation. If the script speaks and the target answers, your notes get to level up from โ€œmaybeโ€ to โ€œevidence.โ€ (If your scan style is inconsistent, itโ€™s worth re-grounding on Nmap -Pn vs -sn so you donโ€™t accidentally โ€œproveโ€ a host is down.)

smbclient reality check (shares tell the truth)

If you can list shares, youโ€™re done arguing with yourself. A successful share list means:

  • SMB is reachable from your position.
  • The target is willing to negotiate at least some level of session.
  • Your <20> interpretation now has a witness statement.

Small anecdote: I once had <20> and open 445, but my share listing failed because I used the wrong target name format and accidentally asked the wrong โ€œidentity.โ€ It looked like โ€œSMB is broken,โ€ but really it was my syntax doing interpretive dance. If that specific pain hits you, the two common rabbit holes are: smbclient tree connect failed and smbclient list without access.

Hereโ€™s what no one tells youโ€ฆ

The best NetBIOS interpretation is the one you can back with a second tool in under 60 seconds. Anything longer invites overthinking, and overthinking is just โ€œtime theftโ€ wearing a trench coat.

Money Block: 60-second โ€œcertaintyโ€ mini calculator

Inputs (pick 3):

  • Ports reachable? (0 or 1)
  • SMB script responds? (0 or 1)
  • Share list succeeds? (0 or 1)

Output: Add them up.

  • 0โ€“1: โ€œNetBIOS hint only.โ€ Log as clue, not conclusion.
  • 2: โ€œSMB likely reachable.โ€ Log as likely with the tests you ran.
  • 3: โ€œSMB confirmed.โ€ Log as confirmed with evidence (ports + negotiation + shares).

Neutral action: Choose one missing input and run it next.

The <00> trapdoor: host name vs workgroup vs โ€œitโ€™s complicatedโ€

When <00> is the workstation/service name (unique)

If your <00> entry is a unique name, you can usually treat it as a workable identity hint. What you can safely infer:

  • A host on that IP is registering a name that behaves like a machine identity.
  • NetBIOS name service is reachable enough to answer queries.

What you cannot safely infer from <00> alone:

  • The OS type with certainty.
  • That SMB is reachable (thatโ€™s what ports/scripts are for).
  • That the name maps cleanly to DNS or to a single interface.

When <00> is the workgroup/domain (group)

This is the โ€œcrowd identity.โ€ Itโ€™s common. Itโ€™s often unhelpful for direct pivoting. But it can still guide your mental model:

  • It hints at the naming environment the host participates in.
  • It can explain why you see more than one name in tables and status replies.

I like to treat this as context for later, not as a foothold. In other words: I note it, then I move on to SMB negotiation and share discovery.

The โ€œwhy do I see TWO <00>s?โ€ puzzle

Hereโ€™s a short decision tree that usually resolves the mystery without hand-waving:

  • Case A: One is unique, one is group. This is normal. Host identity plus workgroup identity.
  • Case B: Both appear unique. Suspect aliases, multiple services registering names, or multiple interfaces.
  • Case C: Output differs between query methods. Suspect you changed modes (single-name query vs status table).

If you still canโ€™t classify them, stop trying to โ€œsolve the name.โ€ Confirm SMB directly and treat the names as labeling artifacts until you have stronger identity data.

The <20> clue: what it suggests about the targetโ€™s SMB posture

<20> plus 139/445 open: likely SMB server capability

This is the clean path. You have:

  • a NetBIOS registration that commonly aligns with file service identity,
  • and a reachable SMB port that can carry a negotiation.

Practical implication: prioritize SMB enumeration next. In lab environments, this is often where you quickly uncover shares, misconfigurations, or credentials you can reuse ethically in-scope.

<20> but ports closed: what could be going on?

When <20> exists but 139/445 are closed (from you), youโ€™re looking at one of these realities:

  • Firewalling or filtering between your host and the target.
  • Host-based restrictions that allow NetBIOS name responses but block SMB session traffic.
  • Lab topology quirks where youโ€™re querying one interface but scanning another route.

Anecdote: Iโ€™ve watched a lab VM โ€œchange personalityโ€ after a snapshot revert, where NetBIOS replies persisted but SMB ports flipped due to a service not starting. Nothing teaches humility faster than a virtual machine that wakes up grumpy.

When <20> is present but shares arenโ€™t

This is the classic illusion: the sign says โ€œfile service,โ€ the door says โ€œno.โ€ Common reasons include:

  • Authentication restrictions (no guest, no null sessions).
  • Signing requirements or policy constraints that block your tooling assumptions (run a fast
    SMB signing check before you spiral).
  • Permission hardening that allows negotiation but denies enumeration calls.

The right posture here is calm: you donโ€™t need to โ€œforceโ€ shares. You just need to document which layer failed (ports, negotiation, auth, enumeration). If your tooling shifts from โ€œcanโ€™t listโ€ to explicit auth errors, correlate with SMBMap NT_STATUS_LOGON_FAILURE and SMBMap access denied to label the failure correctly.

Common mistakes that waste hours (and how to avoid them)

Mistake #1: Treating <00> and <20> as definitive service proofs

Fix: always pair suffix interpretation with a quick port/service check. A suffix is a claim; a port is a door. You need both if you want to walk through without embarrassment.

Mistake #2: Logging โ€œdomain controllerโ€ vibes from random suffix noise

Fix: only assert directory-service roles after confirming with the protocols that actually represent them (think LDAP/Kerberos/AD-specific checks). If you donโ€™t have that evidence, write โ€œworkgroup/domain label observedโ€ and move on.

Mistake #3: Querying the wrong address or wrong name mode

Fix: pick one consistent workflow and stick to it. If you want host tables, use the tool mode that yields host tables. If you want single answers, use the single-answer mode. Mixing them mid-stream creates fake contradictions.

Also, a quick reality check: multiple tools can disagree because theyโ€™re asking different questions. Thatโ€™s not a failure. Thatโ€™s you learning which question matters.

Donโ€™t do this: report notes that future-you will hate

โ€œSMB enabledโ€ without ports, dialects, or share evidence

Replace it with something like:

  • Better: โ€œNetBIOS indicates file service registration (<20> observed). SMB ports 445/139 were checked; SMB negotiation was attempted via tooling, results recorded below.โ€

โ€œHost is FILESERVERโ€ because <20> showed up

Replace it with language that reflects uncertainty appropriately:

  • Better: โ€œ<20> registration suggests SMB server capability; confirmation pending (ports and share enumeration).โ€

The one sentence that keeps your report defensible

Use this plug-and-play phrasing when environments are weird:

โ€œNetBIOS name service responses indicate file service registration, but SMB conclusions are based on corroborating evidence (port reachability and SMB negotiation results), not suffixes alone.โ€

Money Block: Decision card (When A vs B)

When to trust NetBIOS hints vs when to escalate to SMB verification

  • Use NetBIOS hints when you need fast triage across many hosts and youโ€™ll verify later.
  • Escalate to SMB verification when youโ€™re about to spend more than 10 minutes on SMB paths or write report statements.
  • Time trade-off: NetBIOS interpretation is seconds; SMB confirmation is usually 30โ€“90 seconds.

Neutral action: Pick one host and run the confirm loop before expanding scope.

Short Story: from suffix soup to signal

Short Story: A few years ago in a lab that looked suspiciously Kioptrix-adjacent, I saw <00> and <20> and wrote, confidently, โ€œSMB server confirmed.โ€ Then I tried to list shares and got nothing. I tried again. Still nothing. I changed flags. Still nothing. I started narrating my life choices to the terminal like it was a therapist.

Ten minutes later, I realized I hadnโ€™t actually confirmed ports from my current network position. The lab had a tiny routing quirk: NetBIOS name replies reached me, SMB session traffic didnโ€™t. The host was advertising a role, but I was standing outside the building. The fix took 30 seconds: verify reachability, then negotiate SMB with a script, then attempt shares. The lesson wasnโ€™t โ€œNetBIOS is useless.โ€ The lesson was โ€œNetBIOS is a clue you earn the right to trust.โ€

Next step: one concrete action

Run a 2-tool confirmation loop (60 seconds)

Your goal is simple: convert โ€œNetBIOS hintsโ€ into evidence-backed statements. Hereโ€™s the loop:

  1. Verify ports (139/445) are reachable from your scanning host.
  2. Attempt SMB share enumeration with the lightest tool you trust.

If the loop succeeds, your note becomes: โ€œSMB confirmed (ports reachable + share attempt evidence).โ€
If it fails, your note becomes: โ€œNetBIOS suggests SMB registration; SMB not confirmed from current position (document which step failed).โ€

Takeaway: Your notes should reflect the strongest layer you actually tested.
  • Suffixes are clues.
  • Ports are reachability evidence.
  • Negotiation/shares are the confirmation level.

Apply in 60 seconds: Run one SMB script or one share attempt on the single host you care about most.

Infographic: the NetBIOS-to-SMB evidence ladder

Level 1: NetBIOS suffix clue (<00>, <20>)
Write: โ€œregistration observedโ€
Level 2: Port reachability (TCP 139/445)
Write: โ€œreachable from scannerโ€
Level 3: SMB negotiation (script/tool handshake)
Write: โ€œSMB respondedโ€
Level 4: Shares enumerated (or access denied with clear reason)
Write: โ€œSMB confirmed; enumeration outcome recordedโ€
nmblookup <00> <20> meaning

FAQ

1) What does <00> mean in nmblookup results?

Itโ€™s a NetBIOS suffix attached to a registered name. In labs, it often shows a host-style name or a workgroup-style group name. The key is not the suffix alone, but whether the name is unique or group and how it correlates with other evidence (ports, SMB negotiation).

2) Does <20> always mean SMB is running?

No. It commonly suggests file service registration, but SMB reachability still depends on whether 139/445 are accessible and whether SMB negotiation succeeds from your position. Treat it as a strong clue, then confirm.

3) Why do I see multiple <00> records for the same IP?

Often because one is a unique host-style registration and another is a group/workgroup registration, or because the host has aliases or multiple registrations surfaced by different query modes. Classify unique vs group, then validate with SMB evidence.

4) Whatโ€™s the difference between NetBIOS name service and SMB service?

NetBIOS name service is about name registration and resolution (who answers to which names). SMB service is the file-sharing protocol itself (negotiation, authentication, share access). Name clues help you prioritize, but SMB tests confirm reality.

5) If I see <20>, should I scan 139 and 445 next?

Yes, as a practical next step. Those ports are the most direct โ€œis this reachable?โ€ check that upgrades your interpretation from a hint to evidence.

6) Can Linux/Samba hosts show <00> and <20> like Windows?

Yes. Samba can participate in NetBIOS naming behavior and register names that look very Windows-ish, which is why these suffixes show up frequently in Kioptrix-style labs.

7) What should I write in a pentest report based on <00>/<20>?

Write what you can support: โ€œNetBIOS registration indicatesโ€ฆโ€ and then include the confirmation step you performed (ports, SMB negotiation, share enumeration). Avoid definitive service claims unless you actually tested the service. If you want the phrasing to match professional report expectations, align it with your reporting structure (for example, the โ€œevidence-firstโ€ style used in how to read a penetration test report).

Conclusion

Letโ€™s close the loop from the hook: <00> and <20> arenโ€™t answers. Theyโ€™re invitations. In Kioptrix-style labs, that invitation is usually worth following, but only with the discipline of one more check. If you remember nothing else, remember this: suffixes are claims; ports and negotiation are evidence.

Your next move, within the next 15 minutes: pick the one host you care about most, run the 2-tool confirmation loop, and rewrite your notes into one defensible sentence that names what you tested. Your future self will thank you, quietly, while deleting an unnecessary screenshot.

Last reviewed: 2026-MM-DD.