Re: Updated SMB scripts

[Ron <ron () skullsecurity net>]

David Fifield wrote:
> It looks like you forgot to "svn add" the msrpcperformance module. I get
>
> SCRIPT ENGINE: './scripts/smb-enum-processes.nse' threw a run time error and could not be loaded.
> ./scripts/smb-enum-processes.nse:92: module 'msrpcperformance' not found:
Hmm, I could have sworn I did that. Ohwell!

Did you take care of adding it?

> There's a new script, smb-enum-processes.nse. Can you summarize the
> other changes? Or point me to a mailing list post (I haven't been
> following closely).
The changes have mostly been behind the scenes, that's why I didn't
update CHANGELOG much. But basically, I changed how the RPC functions
are called, added the ability to fragment/defragment packets, and took
off the cap on how big messages could be.

I know that sounds boring (and it is :) ), but because of it I could
update the smb-enum-users functions to search for far more users at once
without using any more outgoing bandwidth. Instead of checking for one
user at a time, I can check for 10 (or 30, or 100). That saves a ton of
traffic and can potentially find users that would have been missed before.

Also, for the LSA bruteforcing, I added more intelligence about when to
stop.

So, nothing really major. I'm working on another script right now
(related to that blowfish stuff) which is going to need some serious
testing. I'll keep the list posted on that, when I'm done.

> After copying msrpcperformance.nse from nmap-smb,
> 0
> # nmap -p139,445 
> --script=smb-check-vulns,smb-enum-processes,smb-enum-shares,smb-os-discovery,smb-server-stats,smb-enum-domains,smb-enum-sessions,smb-enum-users,smb-security-mode,smb-system-info
>  192.168.0.190
>
> Starting Nmap 4.76 ( http://nmap.org ) at 2008-12-28 11:52 MST
> Interesting ports on 192.168.0.190:
> PORT    STATE SERVICE
> 139/tcp open  netbios-ssn
> 445/tcp open  microsoft-ds
> MAC Address: 00:16:CB:AE:D4:AC (Apple Computer)
>
> Host script results:
> |  smb-os-discovery: Windows XP
> |  LAN Manager: Windows 2000 LAN Manager
> |  Name: MSHOME\MAC-MINI
> |_ System time: 2008-12-28 11:52:20 UTC-7
> |  smb-security-mode: User-level authentication
> |  SMB Security: Challenge/response passwords supported
> |_ SMB Security: Message signing not supported
> |  smb-enum-users:
> |_ MAC-MINI\,\xE0J\xC0V, MAC-MINI\Administrator, MAC-MINI\david, MAC-MINI\Guest, MAC-MINI\HelpAssistant, 
> MAC-MINI\HelpServicesGroup, MAC-MINI\jrandom, MAC-MINI\Kurt G\xF6del, MAC-MINI\None, MAC-MINI\SUPPORT_388945a0
> |  smb-enum-shares:
> |  Anonymous shares: IPC$
> |_ Restricted shares: print$, SharedDocs, My Pictures, david, ADMIN$, C$, Printer
> |  smb-enum-sessions:
> |  Users logged in:
> |  |_ <nobody>
> |_ ERROR: Couldn't enumerate network sessions: NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netsessenum)
>
> Nmap done: 1 IP address (1 host up) scanned in 1.33 seconds
>
> Then with authentication, after disable guest-only authentication on
> Windows XP Pro:
>
> # nmap --datadir=. -p139,445 --script=smb-check-vulns,smb-enum-p
> rocesses,smb-enum-shares,smb-os-discovery,smb-server-stats,smb-enum-domains,smb-
> enum-sessions,smb-enum-users,smb-security-mode,smb-system-info --script-args smb
> user=jrandom,smbpass=jrandom 192.168.0.190
>
> Starting Nmap 4.76 ( http://nmap.org ) at 2008-12-28 11:54 MST
> Interesting ports on 192.168.0.190:
> PORT    STATE SERVICE
> 139/tcp open  netbios-ssn
> 445/tcp open  microsoft-ds
> MAC Address: 00:16:CB:AE:D4:AC (Apple Computer)
>
> Host script results:
> |  smb-system-info:
> |  OS Details
> |  |_ Microsoft Windows XP Service Pack 3 (WinNT 5.1 build 2600)
> |  |_ Installed on 2008-09-09 13:25:15
> |  |_ Registered to . (organization: )
> |  |_ Path: %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
> |  |_ Systemroot: C:\WINDOWS
> |  |_ Page files: C:\pagefile.sys 1488 2976 (cleared at shutdown => 0)
> |  Hardware
> |  |_ CPU 0: Intel(R) Core(TM)2 CPU         T5600  @ 1.83GHz [1834mhz GenuineInt
> el]
> |  |_ Identifier 0: x86 Family 6 Model 15 Stepping 2
> |  |_ CPU 1: Intel(R) Core(TM)2 CPU         T5600  @ 1.83GHz [1833mhz GenuineInt
> el]
> |  |_ Identifier 1: x86 Family 6 Model 15 Stepping 2
> |  |_ Video driver: Mobile Intel(R) 945 Express Chipset Family
> |  Browsers
> |_ |_ Internet Explorer 6.0000
> |  smb-security-mode: User-level authentication
> |  SMB Security: Challenge/response passwords supported
> |_ SMB Security: Message signing not supported
> |_ smb-enum-processes: Idle, System, ALG, KbdMgr, SMSS, CSRSS, WINLOGON, SERVICES, LSASS, IRW, IGFXPERS, HKCMD, 
> RUNDLL32, SPOOLSV, AppleOSSMgr, AppleTimeSrv, SVCHOST, STACSV, mmc, WinVNC, EXPLORER
> |  smb-os-discovery: Windows XP
> |  LAN Manager: Windows 2000 LAN Manager
> |  Name: MSHOME\MAC-MINI
> |_ System time: 2008-12-28 11:54:53 UTC-7
> |  smb-enum-domains:
> |  Domain: MAC-MINI
> |   |_ SID: S-1-5-21-117609710-839522115-1177238915
> |   |_ Users: Administrator, david, Guest, HelpAssistant, jrandom, Kurt G\xF6del, SUPPORT_388945a0, ,\xE0J\xC0V
> |   |_ Creation time: 2008-09-09 13:05:32
> |   |_ Passwords: min length: n/a; min age: n/a; max age: 42 days
> |   |_ Account lockout disabled
> |  Domain: Builtin
> |   |_ SID: S-1-5-32
> |   |_ Creation time: 2008-09-09 13:05:32
> |   |_ Passwords: min length: n/a; min age: n/a; max age: 42 days
> |_  |_ Account lockout disabled
> |  smb-server-stats:
> |  Server statistics collected since 2008-12-28 18:33:06 (-398m48s):
> |  |_ Traffic 462679 bytes (-19.37 b/s) sent, 477458 bytes (-19.98 b/s) received
> |  |_ Failed logins: 0
> |  |_ Permission errors: 0, System errors: 0
> |  |_ Print jobs spooled: 0
> |_ |_ Files opened (including pipes): 226
> |  smb-enum-shares:
> |  Anonymous shares: IPC$
> |_ Restricted shares: print$, SharedDocs, My Pictures, david, ADMIN$, C$, Printer
> |  smb-enum-users:
> |_ MAC-MINI\,\xE0J\xC0V, MAC-MINI\Administrator, MAC-MINI\david, MAC-MINI\Guest, MAC-MINI\HelpAssistant, 
> MAC-MINI\HelpServicesGroup, MAC-MINI\jrandom, MAC-MINI\Kurt G\xF6del, MAC-MINI\None, MAC-MINI\SUPPORT_388945a0
> |  smb-enum-sessions:
> |  Users logged in:
> |  |_ <nobody>
> |  Active SMB Sessions:
> |_ |_ JRANDOM is connected from 192.168.0.21 for [just logged in, it's probably you], idle for [not idle]
>
> Nmap done: 1 IP address (1 host up) scanned in 7.62 seconds

Cool, looks like it's working nicely!

Is smb-enum-sessions working properly? I had some suspicions about it
recently, but haven't gotten around to verifying.


> David Fifield
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://SecLists.Org


-- 
Ron Bowes
http://www.skullsecurity.org/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org