Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [NSE] Additional information for smb-os-discovery.nse

From: Patrik Karlsson <patrik () cqure net>
Date: Tue, 12 Jul 2011 07:46:06 +0200
Hi Chris,

Yes, line 175 was the line I had in question and that comment should be enough for now.

Thanks,
Patrik
On Jul 11, 2011, at 6:17 PM, Chris Woodbury wrote:


Patrik-

Thanks for the response. I'm assuming you're talking about the
comparison on line 175 of the patch, in
get_host_info_from_security_blob(security_blob). That is just doing
validation of the message, per the NTLM specification. According to
page 20 of MS-NLMP, the MessageType field "MUST" be set to 2. I'm not
sure what the other possible values could be for MessageType, but
apparently that's the only valid one for this situation.

I think a "-- Per MS-NLMP, this field must be 2 for an NTLM challenge
message" comment would clarify it. Or did you have something else in
mind?

-chris

On Sun, Jul 10, 2011 at 3:19 PM, Patrik Karlsson <patrik () cqure net> wrote:

Hi Chris,

I tried it out and it worked well for me. Regarding the code, the only question I have is whether the 0x2 in the 
following comparison could be made any clearer?
elseif ( message_type ~= 0x2 ) then

Other than that I think the code looks great. While it changes both the smb and smbauth libraries it shouldn't have 
any impact on the other scripts making use of them.
Unless anyone has any strong objections against doing so, I would like to commit this patch as I think it greatly 
improves the smb-os-discovery script.

//Patrik

On Jul 10, 2011, at 8:40 PM, Chris Woodbury wrote:


Did anyone else have a chance to look at this?

Rob, were you able to test it out? It worked on my systems, but I'd
like to know what other people's experiences were.

-chris


On Wed, Apr 20, 2011 at 4:21 PM, Rob Nicholls <robert () robnicholls co uk> wrote:

Hi Chris,

Personally, I think all of this information would be really useful and I'd
love to see the patch added to the existing script.

The only downside is I'd be using Patrik's fantastic MBEnun less often ;-)

Rob

-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org]
On Behalf Of Chris Woodbury
Sent: 20 April 2011 21:33
To: Nmap-Dev
Subject: [NSE] Additional information for smb-os-discovery.nse

I would like to propose some additions to the smb-os-discovery script,
namely the following:
* DNS host name
* DNS domain name
* DNS forest name
* FQDN

This information can be retrieved from the NTLMSSP data (a.k.a.
security blob) in a SMB_COM_SESSION_SETUP_ANDX response in extended-security
mode. The attached patch implements this with the following changes:
* A new "get_host_info_from_security_blob()" function in smbauth.lua, which
parses the information from the NTLMSSP data.
* A call to the new function in smb.start_session_extended().
* Changes to smb.get_os() to start an extended-security session to get the
new information (unfortunately, this requires a second session - the
hostname and domain name aren't returned in the SMB_COM_NEGOTIATE response
if the extended security flag is set).
* Changes to smb-os-discovery.nse to output the new information.
* There are a few variables where I needed to handle nils explicitly in
smb-os-discovery, so, for the sake of consistency, I removed the
stdnse.string_or_blank() calls in smb.get_os() and did all of the
nil-handling in the script. The only other script that uses
smb.get_os() is smb-brute, which needed a very small change to handle the
different output.
* I also made some small changes throughout smb.lua to add documentation
where I thought it would help, and to fix a couple typos that I noticed.

The output is now like so:
A domain member (Showing all available info, excluding workgroup of course):
|   OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 (Windows
Server (R) 2008 Standard 6.0)
|   Computer name: Sql2008
|   Domain name: lab.test.local
|   Forest name: test.local
|   FQDN: Sql2008.lab.test.local
|   NetBIOS computer name: SQL2008
|   NetBIOS domain name: LAB
|_  System time: 2011-04-20 15:11:20 UTC-5

A standalone system:
|   OS: Windows Server 2003 3790 Service Pack 2 (Windows Server 2003 5.2)
|   Computer name: win2003-server
|   NetBIOS computer name: WIN2003-SERVER
|   Workgroup: WORKGROUP
|_  System time: 2011-04-20 15:10:19 UTC-5

A domain controller (for some reason, the DC of the child domain doesn't
return the forest name, although members of the child domain do, and the
forest DC does):
|   OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 (Windows
Server (R) 2008 Standard 6.0)
|   Computer name: Lab-DC
|   Domain name: lab.test.local
|   FQDN: Lab-DC.lab.test.local
|   NetBIOS computer name: LAB-DC
|   NetBIOS domain name: LAB
|_  System time: 2011-04-20 15:10:38 UTC-7

A Windows 7 host (my Windows 7 systems return STATUS_NOT_SUPPORTED to
SMB_COM_SESSION_SETUP_ANDXs with extended security, so the additional info
isn't available):
|   OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
|   NetBIOS computer name: WIN7TEST
|   Workgroup: WORKGROUP
|_  System time: 2011-04-20 15:10:18 UTC-5


I think this adds some useful information to the script results. I hope I
haven't stepped on any toes. Please test out the changes and let me know
what you think.

Thanks
-chris




_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77




--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Previous By Date Next
Previous By Thread Next

Current thread: