Nmap Development mailing list archives
Re: Updated SMB scripts
From: Ron <ron () skullsecurity net>
Date: Sun, 28 Dec 2008 13:48:05 -0600
David Fifield wrote:
It looks like you forgot to "svn add" the msrpcperformance module. I get SCRIPT ENGINE: './scripts/smb-enum-processes.nse' threw a run time error and could not be loaded. ./scripts/smb-enum-processes.nse:92: module 'msrpcperformance' not found:
Hmm, I could have sworn I did that. Oh well! Did you take care of adding it?
There's a new script, smb-enum-processes.nse. Can you summarize the other changes? Or point me to a mailing list post (I haven't been following closely).
The changes have mostly been behind the scenes, that's why I didn't update CHANGELOG much. But basically, I changed how the RPC functions are called, added the ability to fragment/defragment packets, and took off the cap on how big messages could be. I know that sounds boring (and it is :) ), but because of it I could update the smb-enum-users functions to search for far more users at once without using any more outgoing bandwidth. Instead of checking for one user at a time, I can check for 10 (or 30, or 100). That saves a ton of traffic and can potentially find users that would have been missed before. Also, for the LSA bruteforcing, I added more intelligence about when to stop. So, nothing really major. I'm working on another script right now (related to that blowfish stuff) which is going to need some serious testing. I'll keep the list posted on that, when I'm done.
After copying msrpcperformance.nse from nmap-smb,

0 # nmap -p139,445 --script=smb-check-vulns,smb-enum-processes,smb-enum-shares,smb-os-discovery,smb-server-stats,smb-enum-domains,smb-enum-sessions,smb-enum-users,smb-security-mode,smb-system-info 192.168.0.190

Starting Nmap 4.76 ( http://nmap.org ) at 2008-12-28 11:52 MST
Interesting ports on 192.168.0.190:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:16:CB:AE:D4:AC (Apple Computer)

Host script results:
|  smb-os-discovery: Windows XP
|  LAN Manager: Windows 2000 LAN Manager
|  Name: MSHOME\MAC-MINI
|_ System time: 2008-12-28 11:52:20 UTC-7
|  smb-security-mode: User-level authentication
|  SMB Security: Challenge/response passwords supported
|_ SMB Security: Message signing not supported
|  smb-enum-users:
|_ MAC-MINI\,\xE0J\xC0V, MAC-MINI\Administrator, MAC-MINI\david, MAC-MINI\Guest, MAC-MINI\HelpAssistant, MAC-MINI\HelpServicesGroup, MAC-MINI\jrandom, MAC-MINI\Kurt G\xF6del, MAC-MINI\None, MAC-MINI\SUPPORT_388945a0
|  smb-enum-shares:
|  Anonymous shares: IPC$
|_ Restricted shares: print$, SharedDocs, My Pictures, david, ADMIN$, C$, Printer
|  smb-enum-sessions:
|  Users logged in:
|  |_ <nobody>
|_ ERROR: Couldn't enumerate network sessions: NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netsessenum)

Nmap done: 1 IP address (1 host up) scanned in 1.33 seconds

Then with authentication, after disabling guest-only authentication on Windows XP Pro:

# nmap --datadir=. -p139,445 --script=smb-check-vulns,smb-enum-processes,smb-enum-shares,smb-os-discovery,smb-server-stats,smb-enum-domains,smb-enum-sessions,smb-enum-users,smb-security-mode,smb-system-info --script-args smbuser=jrandom,smbpass=jrandom 192.168.0.190

Starting Nmap 4.76 ( http://nmap.org ) at 2008-12-28 11:54 MST
Interesting ports on 192.168.0.190:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:16:CB:AE:D4:AC (Apple Computer)

Host script results:
|  smb-system-info:
|  OS Details
|  |_ Microsoft Windows XP Service Pack 3 (WinNT 5.1 build 2600)
|  |_ Installed on 2008-09-09 13:25:15
|  |_ Registered to . (organization: )
|  |_ Path: %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
|  |_ Systemroot: C:\WINDOWS
|  |_ Page files: C:\pagefile.sys 1488 2976 (cleared at shutdown => 0)
|  Hardware
|  |_ CPU 0: Intel(R) Core(TM)2 CPU T5600 @ 1.83GHz [1834mhz GenuineIntel]
|  |_ Identifier 0: x86 Family 6 Model 15 Stepping 2
|  |_ CPU 1: Intel(R) Core(TM)2 CPU T5600 @ 1.83GHz [1833mhz GenuineIntel]
|  |_ Identifier 1: x86 Family 6 Model 15 Stepping 2
|  |_ Video driver: Mobile Intel(R) 945 Express Chipset Family
|  Browsers
|_ |_ Internet Explorer 6.0000
|  smb-security-mode: User-level authentication
|  SMB Security: Challenge/response passwords supported
|_ SMB Security: Message signing not supported
|_ smb-enum-processes: Idle, System, ALG, KbdMgr, SMSS, CSRSS, WINLOGON, SERVICES, LSASS, IRW, IGFXPERS, HKCMD, RUNDLL32, SPOOLSV, AppleOSSMgr, AppleTimeSrv, SVCHOST, STACSV, mmc, WinVNC, EXPLORER
|  smb-os-discovery: Windows XP
|  LAN Manager: Windows 2000 LAN Manager
|  Name: MSHOME\MAC-MINI
|_ System time: 2008-12-28 11:54:53 UTC-7
|  smb-enum-domains:
|  Domain: MAC-MINI
|  |_ SID: S-1-5-21-117609710-839522115-1177238915
|  |_ Users: Administrator, david, Guest, HelpAssistant, jrandom, Kurt G\xF6del, SUPPORT_388945a0, ,\xE0J\xC0V
|  |_ Creation time: 2008-09-09 13:05:32
|  |_ Passwords: min length: n/a; min age: n/a; max age: 42 days
|  |_ Account lockout disabled
|  Domain: Builtin
|  |_ SID: S-1-5-32
|  |_ Creation time: 2008-09-09 13:05:32
|  |_ Passwords: min length: n/a; min age: n/a; max age: 42 days
|_ |_ Account lockout disabled
|  smb-server-stats:
|  Server statistics collected since 2008-12-28 18:33:06 (-398m48s):
|  |_ Traffic 462679 bytes (-19.37 b/s) sent, 477458 bytes (-19.98 b/s) received
|  |_ Failed logins: 0
|  |_ Permission errors: 0, System errors: 0
|  |_ Print jobs spooled: 0
|_ |_ Files opened (including pipes): 226
|  smb-enum-shares:
|  Anonymous shares: IPC$
|_ Restricted shares: print$, SharedDocs, My Pictures, david, ADMIN$, C$, Printer
|  smb-enum-users:
|_ MAC-MINI\,\xE0J\xC0V, MAC-MINI\Administrator, MAC-MINI\david, MAC-MINI\Guest, MAC-MINI\HelpAssistant, MAC-MINI\HelpServicesGroup, MAC-MINI\jrandom, MAC-MINI\Kurt G\xF6del, MAC-MINI\None, MAC-MINI\SUPPORT_388945a0
|  smb-enum-sessions:
|  Users logged in:
|  |_ <nobody>
|  Active SMB Sessions:
|_ |_ JRANDOM is connected from 192.168.0.21 for [just logged in, it's probably you], idle for [not idle]

Nmap done: 1 IP address (1 host up) scanned in 7.62 seconds
Cool, looks like it's working nicely! Is smb-enum-sessions working properly? I had some suspicions about it recently, but haven't gotten around to verifying.
David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
-- Ron Bowes http://www.skullsecurity.org/
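As an added example (not code from this thread or from Nmap itself), here is a small Python parser for the "Host script results" output quoted above: it groups the lines by script name and then flags the weak settings visible in that output (message signing not supported, accounts enumerable without credentials, anonymous shares, account lockout disabled). The sample text is a constructed, trimmed copy of the first, unauthenticated scan.

```python
import re

# Constructed sample, trimmed from the unauthenticated scan quoted in the thread above.
SAMPLE = """\
Host script results:
|  smb-security-mode: User-level authentication
|  SMB Security: Challenge/response passwords supported
|_ SMB Security: Message signing not supported
|  smb-enum-users:
|_ MAC-MINI\\Administrator, MAC-MINI\\Guest, MAC-MINI\\jrandom
|  smb-enum-shares:
|  Anonymous shares: IPC$
|_ Restricted shares: print$, ADMIN$, C$
|  smb-enum-domains:
|  |_ Passwords: min length: n/a; min age: n/a; max age: 42 days
|_ |_ Account lockout disabled
"""

# A line that opens a script block: "|  smb-foo: optional first value"
SCRIPT_LINE = re.compile(r"^\|_?\s*(smb-[a-z-]+):\s*(.*)$")

def parse_host_scripts(text):
    """Group nmap host-script output lines by script name ('|_' closes a block)."""
    blocks, current = {}, None
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # banner, port table, "Nmap done" etc.
        m = SCRIPT_LINE.match(line)
        if m:
            current = m.group(1)
            blocks[current] = [m.group(2)] if m.group(2) else []
        elif current:
            blocks[current].append(line.lstrip("|_ "))  # nested "|  |_" lines too
    return blocks

def smb_findings(blocks, authenticated=False):
    """Weak SMB settings a defender would flag from the parsed blocks."""
    joined = {k: " ".join(v) for k, v in blocks.items()}
    found = []
    if "Message signing not supported" in joined.get("smb-security-mode", ""):
        found.append("SMB message signing not supported")
    if joined.get("smb-enum-users") and not authenticated:
        found.append("user accounts enumerable without credentials")
    for ln in blocks.get("smb-enum-shares", []):
        if ln.startswith("Anonymous shares:") and ln.split(":", 1)[1].strip():
            found.append("anonymous shares: " + ln.split(":", 1)[1].strip())
    if "Account lockout disabled" in joined.get("smb-enum-domains", ""):
        found.append("account lockout disabled")
    return found
```

Run the same parser over the authenticated scan with authenticated=True and the user-enumeration finding drops out, since that one only matters when it works over a null session.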