Nmap Development mailing list archives
Re: SMB probe script
From: Ron <ron () skullsecurity net>
Date: Mon, 08 Sep 2008 17:42:04 -0500
Hey Mike,

mike wrote:
Ron, I looked into that script a bit more. I noticed that you are using a generic "nmap" for the OS identifier in the packet payload. Is this wise? Wouldn't that set off many an application/inspection tool people are using for payload/OS fingerprinting? Why not set it to a simple "Windows 2k" or something that could actually be seen as legit? Maybe this isn't a big deal to everyone, so I will just mention it and move on.
I wasn't really sure about that. As the security guy in a company, I like the idea of leaving things that are easily detectable, but I can see the argument not to. I'll think about it, but ultimately will probably make it configurable.
I also noticed the same thing I mentioned above when you call for the generic "Native LANman". Is that even recognized as legit by the SMB server? I guess if it works, it works.
I believe I copied that from a legit server, but I'm not positive.
I was wondering about 2 things I would hope you could include, since you have already gone so far into the kind of detail this SMB script already gives us: would there be a way to dump the received hashes back to stdout (for cracking later)? I believe it is based on the SPNEGO that is used, correct?
No password hashes are actually received. The only thing we receive is the server challenge, which is random, not based on the password hash at all.
Lastly, I was watching the SMB tree requests and transactions in tshark, and I saw a lot of times when you were setting HOME and TEST as queries, my target would send me back "NT_STATUS_UNRECOGNIZED_NAME" failures. Can I ask what the TEST and HOME references are for? Is that for IPC logins? I always thought if you got back STATUS_FAILURES, then you would have the TID pulled you created and you would be disconnected. Again, maybe you know a lot more about this than I do. Still interested in that patch addon for the stdout for LAN manager version.
At the top of the script, I made an array of names to check including those ones. It's mostly for testing at the moment, I'll probably do proper bruteforcing later.
Do you ever think you will tackle the issues I brought up with trying to get payload established to port 138? Did you read what I submitted about what could possibly be done? (forcing issued MASTERBROWSER announcements for response)
Sure, when I get around to reading the next chapter in the book. It might be a while, though, no promises! :)

Ron

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
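To illustrate the point Ron makes above (the only thing the client receives before authenticating is the server's challenge, and that challenge is random rather than derived from any password hash), here is an added example that is not Ron's script and not Nmap code. It builds and parses an SMB1 Negotiate Protocol Response for the NT LM 0.12 dialect in the classic non-extended-security mode, which is where the 8-byte challenge lives on the wire. Field layout follows MS-CIFS; the capability set, domain name, and ASCII (rather than Unicode) string encoding are constructed for the example. The Native OS / Native LAN Manager strings mike asks about are not in this packet at all; they travel in Session Setup AndX, as does the hash-derived response, which is why a capture of the negotiate exchange alone yields nothing worth "dumping for later".

```python
"""Build and parse an SMB1 (NT LM 0.12) Negotiate Protocol Response.

Constructed example. The only security-relevant value the server puts on
the wire at this stage is an 8-byte challenge drawn from os.urandom(); the
password hash never appears here and has no influence on the challenge.
"""
import os
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SMB_FLAGS_REPLY = 0x80
CAP_NT_SMBS = 0x00000010
CAP_STATUS32 = 0x00000040
CAP_EXTENDED_SECURITY = 0x80000000
NEGOTIATE_USER_SECURITY = 0x01       # user-level (not share-level) security
NEGOTIATE_ENCRYPT_PASSWORDS = 0x02   # challenge/response instead of plaintext

# Parameter block of the NT LM 0.12 response: 17 words = 34 bytes.
_WORDS_FMT = "<HBHHIIIIqhB"
_WORDS_LEN = struct.calcsize(_WORDS_FMT)   # 34
_HEADER_FMT = "<4sBIBH12sHHHH"            # 32-byte SMB header


def smb_header(command, status=0, flags=SMB_FLAGS_REPLY, flags2=0):
    """Minimal SMB1 header; TID/PID/UID/MID are zero for a negotiate reply."""
    return struct.pack(_HEADER_FMT, SMB_MAGIC, command, status, flags, flags2,
                       b"\x00" * 12, 0, 0, 0, 0)


def build_negotiate_response(challenge, domain, dialect_index=0):
    """Server side: answer a negotiate with NT LM 0.12 and a challenge.

    challenge must be exactly 8 bytes and is stored as-is, so the caller can
    see that nothing about it depends on any account or password.
    """
    if len(challenge) != 8:
        raise ValueError("SMB1 challenge is exactly 8 bytes")
    security_mode = NEGOTIATE_USER_SECURITY | NEGOTIATE_ENCRYPT_PASSWORDS
    capabilities = CAP_NT_SMBS | CAP_STATUS32   # no CAP_EXTENDED_SECURITY
    words = struct.pack(_WORDS_FMT, dialect_index, security_mode,
                        50,       # MaxMpxCount
                        1,        # MaxNumberVcs
                        16644,    # MaxBufferSize
                        65536,    # MaxRawSize
                        0,        # SessionKey
                        capabilities,
                        0,        # SystemTime (FILETIME), zero in this example
                        0,        # ServerTimeZone (minutes)
                        len(challenge))   # ChallengeLength
    data = challenge + domain.encode("ascii") + b"\x00"   # ASCII for simplicity
    return (smb_header(SMB_COM_NEGOTIATE) + bytes([17]) + words
            + struct.pack("<H", len(data)) + data)


def server_negotiate(domain="WORKGROUP"):
    """Every negotiation gets a fresh random challenge, independent of any password."""
    return build_negotiate_response(os.urandom(8), domain)


def parse_negotiate_response(pkt):
    """Client / inspection-tool side: pull the challenge and domain back out.

    Returns a dict with challenge, domain, security_mode and whether the
    server negotiated extended security (in which case the challenge is
    NOT in this packet but inside the NTLMSSP exchange during Session Setup).
    """
    if len(pkt) < 33 or pkt[:4] != SMB_MAGIC or pkt[4] != SMB_COM_NEGOTIATE:
        raise ValueError("not an SMB1 Negotiate Protocol packet")
    status = struct.unpack_from("<I", pkt, 5)[0]
    if status != 0:
        raise ValueError("negotiate failed, NT status 0x%08x" % status)
    word_count = pkt[32]
    if word_count != 17:
        raise ValueError("unexpected WordCount %d (not NT LM 0.12)" % word_count)
    (dialect_index, security_mode, _mpx, _vcs, _bufsize, _rawsize, _skey,
     capabilities, _time, _tz, challenge_len) = struct.unpack_from(_WORDS_FMT, pkt, 33)
    extended = bool(capabilities & CAP_EXTENDED_SECURITY)
    byte_count = struct.unpack_from("<H", pkt, 33 + _WORDS_LEN)[0]
    data_off = 33 + _WORDS_LEN + 2
    data = pkt[data_off:data_off + byte_count]
    if extended:
        challenge, domain = b"", ""   # a server GUID + security blob live here instead
    else:
        challenge = data[:challenge_len]
        domain = data[challenge_len:].split(b"\x00", 1)[0].decode("ascii", "replace")
    return {"dialect_index": dialect_index, "security_mode": security_mode,
            "challenge": challenge, "domain": domain,
            "extended_security": extended,
            "challenge_response": bool(security_mode & NEGOTIATE_ENCRYPT_PASSWORDS)}


if __name__ == "__main__":
    # Two negotiations against the same "server": same domain, unrelated challenges.
    for _ in range(2):
        info = parse_negotiate_response(server_negotiate("LAB"))
        print("domain=%s challenge=%s" % (info["domain"], info["challenge"].hex()))
```

Running the script twice prints two different challenges for the same server and domain, which is the whole of what a passive observer learns from this exchange. If `extended_security` comes back true, the parser deliberately returns no challenge: on such servers the negotiate response carries a GUID and a security blob, and the challenge only appears later inside the NTLMSSP messages of Session Setup AndX.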
Current thread:
- RE: SMB probe script mike (Sep 08)
- Re: SMB probe script Ron (Sep 08)