Nmap Development mailing list archives

Re: [NSE RFC] SMB Probe


From: Ron <ron () skullsecurity net>
Date: Sun, 07 Sep 2008 22:42:46 -0500

Hi,

Kris Katterjohn wrote:
> Hi,
>
> Just a little note, there's a Comm nselib designed for handling typical
> network exchanges.  Upon first glance your TCP socket gets transferred around
> throughout the functions, so that won't work, but your UDP code from
> netbios_do_nbstat() could be replaced with it if you're interested.

Sounds handy, I didn't know about that. I don't like the way the socket
is being passed around right, so finding another way would be good. I'll
definitely look into it.

> Also, your script can probably be used as a base for an SMB nselib as your
> functions seem to be separated fairly well already (like your name encode and
> decode functions, your functions to manipulate a header, etc).  I think moving
> code to nselibs is best, if they provide enough stand-alone functionality to
> warrant it (which your code seems to).
>
> All of this is just after an initial inspection, so I could be off-base.

That's the way I was planning on going with this, so we're on the same
page there. I don't have a clue how to write nselibs, but I'm a quick
learner. I just need to put a little thought into how to structure it.

As I've written this email, I think I've figured out how to do it. Stay
tuned!

> I think maybe combining lines (like "SMB Security") into one would be better,
> if they don't get incredibly long.  I'm not sure if this is what you meant by
> "an array of strings".
>
> I like all of your output as well, but it's best to use the verbosity level to
> gauge how much to print rather than printing it all by default.  Check some of
> the other scripts to see how their output is controlled by it.

I was a little concerned about line length; does anybody have a
definition of "incredibly long" for Nmap? Is going over the 80 column
mark generally ok, or frowned upon?

For the array, I was thinking of keeping the output strings in an array
at the top of the file and reading it at the end. Currently, I build the
string as I go by adding 'response = response .. "whatever\n"'. That
doesn't have a good feeling to it, in my opinion, I might redo that bit.

> I think adding more to this script (or nselib..), and using it to replace
> the other scripts (as you mentioned), is best.  You seem to be already on your
> way with this, so it's just my two cents.

Thanks. :)

> Just to show, it works well for me on my Linux box after turning on Samba:
>
> Host script results:
> |  Probe SMB for information: (using port 139):
> |  SMB Security: User-level authentication
> |  SMB Security: Challenge/response passwords supported
> |  SMB Security: Message signing not supported
> |  System time from SMB: 2008-09-07 17:19:46 [UTC-5]
> |  Computer name from SMB: MSHOME\
> |  OS detection from SMB: Unix
> |  Null sessions enabled
> |_ Guest account enabled

Awesome, I was going to ask somebody to try on Samba! I notice that the
domain is populated but the computer isn't ("MSHOME\"), not sure if I'm
parsing something incorrectly or if Samba's sending back a blank string.
If it's not too much trouble, can you send me a packet capture of the
scan? I don't have a Samba server handy.

Thanks,

Ron
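[Editor's added example. The following is not code from Ron's script, the Comm nselib Kris mentions, or any Nmap release; it is a stand-alone Lua illustration of two things the thread touches on: the NetBIOS first-level name encoding from RFC 1001/1002 that the script's "name encode and decode functions" implement, and building script output as a table of lines joined once at the end instead of repeated string concatenation. The `verbosity` parameter stands in for nmap.verbosity() so the code runs outside Nmap, the `info` table and the "WORKSTATION" name are constructed sample input, and the 0x00/0x20/0x1B suffix values are the standard NetBIOS service suffixes.]

```lua
-- Added example, not code from Ron's script or Kris's reply: NetBIOS
-- first-level name encoding (RFC 1001/1002), which is what the "name encode
-- and decode functions" in the thread do, plus the table-of-lines output
-- style discussed above. Plain Lua; runs outside Nmap.

-- Encode a NetBIOS name for the wire. The 15-byte name is padded (spaces,
-- or NULs for the "*" wildcard used by nbstat queries), a 1-byte suffix is
-- appended (0x00 workstation, 0x20 file server, 0x1B domain master browser),
-- and each of the 16 bytes is split into two nibbles with 'A' (0x41) added
-- to each, giving 32 ASCII letters in the range A..P.
local function netbios_encode(name, suffix)
  suffix = suffix or 0x00
  name = string.upper(string.sub(name, 1, 15))
  local pad = (name == "*") and "\0" or " "
  local raw = name .. string.rep(pad, 15 - #name) .. string.char(suffix)
  local out = {}
  for i = 1, #raw do
    local b = string.byte(raw, i)
    out[#out + 1] = string.char(0x41 + math.floor(b / 16), 0x41 + (b % 16))
  end
  return table.concat(out)
end

-- Reverse the encoding. Returns name, suffix; or nil, err on malformed input,
-- so a bad reply does not turn into a garbage name in the script output.
local function netbios_decode(encoded)
  if #encoded ~= 32 then
    return nil, "expected 32 encoded characters, got " .. #encoded
  end
  local bytes = {}
  for i = 1, 32, 2 do
    local hi, lo = string.byte(encoded, i, i + 1)
    hi, lo = hi - 0x41, lo - 0x41
    if hi < 0 or hi > 15 or lo < 0 or lo > 15 then
      return nil, "character outside A..P at offset " .. i
    end
    bytes[#bytes + 1] = string.char(hi * 16 + lo)
  end
  local raw = table.concat(bytes)
  -- Strip trailing pad bytes (space or NUL) from the 15-byte name part.
  local n = 15
  while n > 0 do
    local b = string.byte(raw, n)
    if b ~= 0x20 and b ~= 0x00 then break end
    n = n - 1
  end
  return string.sub(raw, 1, n), string.byte(raw, 16)
end

-- Output built as a table joined once at the end, instead of repeated
-- 'response = response .. "...\n"'. `verbosity` is a plain parameter
-- standing in for nmap.verbosity() (assumption, so this runs outside Nmap);
-- the "SMB Security" facts are joined into a single line as Kris suggested.
local function format_results(info, verbosity)
  local lines = {}
  lines[#lines + 1] = "Computer name from SMB: " .. info.domain .. "\\" .. info.computer
  lines[#lines + 1] = "OS detection from SMB: " .. info.os
  if verbosity >= 1 then
    lines[#lines + 1] = "SMB Security: " .. table.concat(info.security, "; ")
  end
  return table.concat(lines, "\n")
end

-- Constructed sample input (not captured from a real host).
local wildcard = netbios_encode("*")
local name, suffix = netbios_decode(netbios_encode("WORKSTATION", 0x20))
assert(name == "WORKSTATION" and suffix == 0x20)
assert(netbios_decode(wildcard) == "*")
print(wildcard)
print(format_results({
  domain = "MSHOME", computer = "", os = "Unix",
  security = { "User-level authentication", "Challenge/response passwords supported" },
}, 1))
```

The decode path deliberately rejects anything that is not exactly 32 characters in A..P rather than decoding it best-effort: an nbstat reply is attacker-controlled input, and a script that turns a malformed name into a plausible-looking string would mislead the operator rather than flag the problem. The empty `computer` field in the sample reproduces the "MSHOME\" line Kris observed, which is what a blank string from the server looks like once the domain and computer name are joined.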


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org