Nmap Development mailing list archives
Re: [NSE] Additional information for smb-os-discovery.nse
From: Patrik Karlsson <patrik () cqure net>
Date: Tue, 12 Jul 2011 07:46:06 +0200
Hi Chris,

Yes, line 175 was the line I had in question and that comment should be enough for now.

Thanks,
Patrik

On Jul 11, 2011, at 6:17 PM, Chris Woodbury wrote:

Patrik-

Thanks for the response. I'm assuming you're talking about the comparison on line 175 of the patch, in get_host_info_from_security_blob(security_blob). That is just doing validation of the message, per the NTLM specification. According to page 20 of MS-NLMP, the MessageType field "MUST" be set to 2. I'm not sure what the other possible values could be for MessageType, but apparently that's the only valid one for this situation. I think a "-- Per MS-NLMP, this field must be 2 for an NTLM challenge message" comment would clarify it. Or did you have something else in mind?

-chris

On Sun, Jul 10, 2011 at 3:19 PM, Patrik Karlsson <patrik () cqure net> wrote:

Hi Chris,

I tried it out and it worked well for me. Regarding the code, the only question I have is whether the 0x2 in the following comparison could be made any clearer?

    elseif ( message_type ~= 0x2 ) then

Other than that I think the code looks great. While it changes both the smb and smbauth libraries it shouldn't have any impact on the other scripts making use of them. Unless anyone has any strong objections against doing so, I would like to commit this patch as I think it greatly improves the smb-os-discovery script.

//Patrik

On Jul 10, 2011, at 8:40 PM, Chris Woodbury wrote:

Did anyone else have a chance to look at this? Rob, were you able to test it out? It worked on my systems, but I'd like to know what other people's experiences were.

-chris

On Wed, Apr 20, 2011 at 4:21 PM, Rob Nicholls <robert () robnicholls co uk> wrote:

Hi Chris,

Personally, I think all of this information would be really useful and I'd love to see the patch added to the existing script. The only downside is I'd be using Patrik's fantastic MBEnum less often ;-)

Rob

-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org] On Behalf Of Chris Woodbury
Sent: 20 April 2011 21:33
To: Nmap-Dev
Subject: [NSE] Additional information for smb-os-discovery.nse

I would like to propose some additions to the smb-os-discovery script, namely the following:

* DNS host name
* DNS domain name
* DNS forest name
* FQDN

This information can be retrieved from the NTLMSSP data (a.k.a. security blob) in a SMB_COM_SESSION_SETUP_ANDX response in extended-security mode. The attached patch implements this with the following changes:

* A new "get_host_info_from_security_blob()" function in smbauth.lua, which parses the information from the NTLMSSP data.
* A call to the new function in smb.start_session_extended().
* Changes to smb.get_os() to start an extended-security session to get the new information (unfortunately, this requires a second session - the hostname and domain name aren't returned in the SMB_COM_NEGOTIATE response if the extended security flag is set).
* Changes to smb-os-discovery.nse to output the new information.
* There are a few variables where I needed to handle nils explicitly in smb-os-discovery, so, for the sake of consistency, I removed the stdnse.string_or_blank() calls in smb.get_os() and did all of the nil-handling in the script. The only other script that uses smb.get_os() is smb-brute, which needed a very small change to handle the different output.
* I also made some small changes throughout smb.lua to add documentation where I thought it would help, and to fix a couple typos that I noticed.

The output is now like so:

A domain member (Showing all available info, excluding workgroup of course):

| OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 (Windows Server (R) 2008 Standard 6.0)
| Computer name: Sql2008
| Domain name: lab.test.local
| Forest name: test.local
| FQDN: Sql2008.lab.test.local
| NetBIOS computer name: SQL2008
| NetBIOS domain name: LAB
|_ System time: 2011-04-20 15:11:20 UTC-5

A standalone system:

| OS: Windows Server 2003 3790 Service Pack 2 (Windows Server 2003 5.2)
| Computer name: win2003-server
| NetBIOS computer name: WIN2003-SERVER
| Workgroup: WORKGROUP
|_ System time: 2011-04-20 15:10:19 UTC-5

A domain controller (for some reason, the DC of the child domain doesn't return the forest name, although members of the child domain do, and the forest DC does):

| OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 (Windows Server (R) 2008 Standard 6.0)
| Computer name: Lab-DC
| Domain name: lab.test.local
| FQDN: Lab-DC.lab.test.local
| NetBIOS computer name: LAB-DC
| NetBIOS domain name: LAB
|_ System time: 2011-04-20 15:10:38 UTC-7

A Windows 7 host (my Windows 7 systems return STATUS_NOT_SUPPORTED to SMB_COM_SESSION_SETUP_ANDXs with extended security, so the additional info isn't available):

| OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
| NetBIOS computer name: WIN7TEST
| Workgroup: WORKGROUP
|_ System time: 2011-04-20 15:10:18 UTC-5

I think this adds some useful information to the script results. I hope I haven't stepped on any toes. Please test out the changes and let me know what you think.

Thanks
-chris

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77
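The thread above is about pulling the DNS computer, domain and forest names out of the NTLMSSP CHALLENGE_MESSAGE returned in the extended-security SMB_COM_SESSION_SETUP_ANDX response, and the one review question was the message_type ~= 0x2 check. The Python below is an added example for this archive page, not Chris's patch and not Nmap/NSE code: it constructs a CHALLENGE_MESSAGE carrying the names from the domain-member output quoted above, wraps it in the SPNEGO negTokenResp that SMB carries such a blob in, and parses it back, rejecting any MessageType other than 2 and walking the AV_PAIR list in TargetInfo. Field offsets and AvId values follow MS-NLMP 2.2.1.2 and 2.2.2.1; skipping the GSS-API wrapper by searching for the "NTLMSSP\0" signature instead of decoding the DER is a shortcut chosen here, and the sample names, version bytes and server challenge are constructed fixtures, not captured traffic.

```python
"""Parse the NTLMSSP CHALLENGE_MESSAGE (MessageType 2) a server returns in the
security blob of SMB_COM_SESSION_SETUP_ANDX; layout per MS-NLMP 2.2.1.2/2.2.2.1."""
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_CHALLENGE = 2                      # MS-NLMP: MessageType MUST be 2 here
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
MSV_AV_EOL = 0
AV_IDS = {                              # AV_PAIR ids carrying the names of interest
    1: "nb_computer_name",              # MsvAvNbComputerName  -> NetBIOS computer name
    2: "nb_domain_name",                # MsvAvNbDomainName    -> NetBIOS domain name
    3: "dns_computer_name",             # MsvAvDnsComputerName -> FQDN
    4: "dns_domain_name",               # MsvAvDnsDomainName   -> Domain name
    5: "dns_tree_name",                 # MsvAvDnsTreeName     -> Forest name
}

def parse_av_pairs(data):
    """Walk TargetInfo's AV_PAIR list up to MsvAvEOL; values are UTF-16LE."""
    names, pos = {}, 0
    while True:
        if pos + 4 > len(data):
            raise ValueError("TargetInfo is not terminated by MsvAvEOL")
        av_id, av_len = struct.unpack_from("<HH", data, pos)
        pos += 4
        if av_id == MSV_AV_EOL:
            return names
        value = data[pos:pos + av_len]
        if len(value) != av_len:
            raise ValueError("AV_PAIR %d runs past the end of TargetInfo" % av_id)
        pos += av_len
        if av_id in AV_IDS:             # timestamp, flags, bindings are skipped
            names[AV_IDS[av_id]] = value.decode("utf-16-le")

def parse_challenge(blob):
    """Return flags, ServerChallenge and TargetInfo names from a security blob.
    The blob may be the bare message or the SPNEGO negTokenResp SMB wraps it in;
    the GSS-API layer is skipped by locating the signature (a shortcut, not DER)."""
    start = blob.find(NTLMSSP_SIGNATURE)
    if start < 0:
        raise ValueError("security blob carries no NTLMSSP message")
    msg = blob[start:]
    if len(msg) < 48:                   # fixed part without the Version field
        raise ValueError("CHALLENGE_MESSAGE header truncated")
    (message_type,) = struct.unpack_from("<I", msg, 8)
    if message_type != NTLM_CHALLENGE:  # the 0x2 check discussed in the thread
        raise ValueError("MessageType %d, expected 2 (CHALLENGE_MESSAGE)" % message_type)
    (flags,) = struct.unpack_from("<I", msg, 20)
    ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", msg, 40)
    names = {}
    if flags & NTLMSSP_NEGOTIATE_TARGET_INFO and ti_len:
        if ti_off + ti_len > len(msg):
            raise ValueError("TargetInfo offset/length exceed the message")
        names = parse_av_pairs(msg[ti_off:ti_off + ti_len])
    return {"flags": flags, "server_challenge": msg[24:32], "names": names}

# --- constructed fixtures, not captured traffic -----------------------------
def build_challenge(names, challenge=bytes.fromhex("0123456789abcdef")):
    """Assemble a CHALLENGE_MESSAGE carrying the given AV_PAIR names."""
    ids = {v: k for k, v in AV_IDS.items()}
    target_info = b"".join(
        struct.pack("<HH", ids[k], len(v.encode("utf-16-le"))) + v.encode("utf-16-le")
        for k, v in names.items()) + struct.pack("<HH", MSV_AV_EOL, 0)
    flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_NEGOTIATE_VERSION
    payload_off = 56                    # 48-byte fixed part + 8-byte Version field
    version = bytes([6, 1, 0xB1, 0x1D, 0, 0, 0, 15])  # 6.1 build 7601, NTLM rev 15
    return (NTLMSSP_SIGNATURE + struct.pack("<I", NTLM_CHALLENGE)
            + struct.pack("<HHI", 0, 0, payload_off)     # empty TargetName
            + struct.pack("<I", flags) + challenge + b"\x00" * 8     # Reserved
            + struct.pack("<HHI", len(target_info), len(target_info), payload_off)
            + version + target_info)

def der(tag, body):
    """Minimal DER TLV for definite lengths below 65536."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        length = (b"\x81" + bytes([n])) if n < 0x100 else (b"\x82" + struct.pack(">H", n))
    return bytes([tag]) + length + body

def wrap_spnego(ntlm_msg):
    """negTokenResp with negState accept-incomplete, supportedMech NTLMSSP, responseToken."""
    ntlmssp_oid = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
    return der(0xA1, der(0x30, der(0xA0, der(0x0A, b"\x01"))
                               + der(0xA1, der(0x06, ntlmssp_oid))
                               + der(0xA2, der(0x04, ntlm_msg))))

# Names modelled on the domain-member output quoted in the thread.
SAMPLE_NAMES = {"nb_domain_name": "LAB", "nb_computer_name": "SQL2008",
                "dns_domain_name": "lab.test.local", "dns_tree_name": "test.local",
                "dns_computer_name": "Sql2008.lab.test.local"}
SAMPLE_BLOB = wrap_spnego(build_challenge(SAMPLE_NAMES))
```

dns_computer_name is what the script output above labels FQDN, dns_domain_name the Domain name and dns_tree_name the Forest name. When a server omits MsvAvDnsTreeName, as the child-domain DC in the thread did, the key is simply absent from the returned dict and a caller should report it as unknown rather than fail. A host that answers the extended-security session setup with STATUS_NOT_SUPPORTED, as the Windows 7 systems did, returns no blob at all, so that case has to be handled at the SMB layer before anything reaches this parser.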
Current thread:
- Re: [NSE] Additional information for smb-os-discovery.nse Chris Woodbury (Jul 10)
- Re: [NSE] Additional information for smb-os-discovery.nse Patrik Karlsson (Jul 10)
- Re: [NSE] Additional information for smb-os-discovery.nse Chris Woodbury (Jul 11)
- Re: [NSE] Additional information for smb-os-discovery.nse Patrik Karlsson (Jul 11)
- RE: [NSE] Additional information for smb-os-discovery.nse Rob Nicholls (Jul 11)
- Re: [NSE] Additional information for smb-os-discovery.nse Patrik Karlsson (Jul 11)
- Re: [NSE] Additional information for smb-os-discovery.nse Rob Nicholls (Jul 12)
- Re: [NSE] Additional information for smb-os-discovery.nse Patrik Karlsson (Jul 12)
- Re: [NSE] Additional information for smb-os-discovery.nse Chris Woodbury (Jul 12)
- Re: [NSE] Additional information for smb-os-discovery.nse Chris Woodbury (Jul 11)
- Re: [NSE] Additional information for smb-os-discovery.nse Patrik Karlsson (Jul 10)