During a reconnaissance phase, a penetration tester is using a tool to enumerate NetBIOS names on a target internal network. The tester issues the command 'nbtstat -A 192.168.1.100' on a Windows machine. What type of information is the tester most likely trying to obtain?
`nbtstat -A` retrieves the NetBIOS name table, which contains names associated with the system, useful for identifying roles and users.
Why this answer
The `nbtstat -A` command queries the NetBIOS name table of a remote system using its IP address. This table contains the computer name, logged-in users, and domain/workgroup information, which are critical for identifying targets and potential trust relationships during internal reconnaissance.
Exam trap
The trap here is that candidates confuse `nbtstat -A` with `nbtstat -a` (which uses a NetBIOS name instead of an IP) or assume it returns OS details, when in fact it only returns the NetBIOS name table entries.
How to eliminate wrong answers
Option A is wrong because `nbtstat -A` does not reveal OS version or patch level; that information is typically obtained via tools like `nmap` OS fingerprinting or SMB version queries.
Option B is wrong because `nbtstat` operates at the NetBIOS layer (ports 137-139) and does not enumerate open TCP ports; port scanning requires tools like `nmap` or `netstat`.
Option C is wrong because, while NetBIOS can sometimes reveal MAC addresses via the `<00>` or `<03>` entries in the name table, the primary purpose of `nbtstat -A` is to retrieve the full NetBIOS name table, not specifically the MAC address; ARP or `getmac` would be more direct for MAC address enumeration.