Nmap Development mailing list archives
Re: Jiayi's Status Report - #3 of 17
From: Paulino Calderon Pale <paulino () calderonpale com>
Date: Mon, 18 May 2015 21:49:59 -0500
We had in mind something similar to our ms-sql scripts, we have both ms-sql-brute and ms-sql-empty-passwd.

I will explain a use case that comes to mind: To find domain accounts with weak credentials I normally enumerate users from the AD and run a brute force attack. Current smb-enum-users is broken (Jiayi and I will look into this https://github.com/nmap/nmap/issues/107) so you are forced to use other tools like enum4linux if you want to get the entire user list. Then you need to format the list and run nmap again. With smb-users-empty-passwd we can grab domain credentials with a single and simple command! With what we have now, even if the script worked correctly you would need to parse the users lists and pass it to smb-brute.

What does everyone think? Useful? Should Jiayi add these improvements into our current smb scripts instead?

I agree SMB2 will be very useful too. I just started reading about the internals of the SMB protocol when I filed that bug report, maybe Ron can help us with this one.
On May 18, 2015, at 9:12 PM, Daniel Miller <bonsaiviking () gmail com> wrote:

> On Mon, May 18, 2015 at 9:00 PM, Jiayi Ye <yejiayily () gmail com> wrote:
>
>> * Discussed the script ideas with Paulino and decided to write smb-enum-users-empty-password next.
>>
>> Priorities:
>> * Start to write smb-enum-users-empty-password ("A common activity for pentesters going for Active Directories is user enumeration of the domain controller. A script to automate the process of listing users and finding which have empty passwords would save us time.")
>
> Jiayi,
>
> How is this different than the following?
>
>     echo > blank.txt
>     nmap -p445 --script smb-brute --script-args passdb=blank.txt $target
>
> I do think that smb-brute needs some work: SMB2 is not supported by NSE, and it would be nice to have script-args to support bruting discovered accounts (from smb-enum-users, etc) or for blank passwords or username==password checks.
>
> Dan
>
> [1] https://nmap.org/nsedoc/scripts/smb-brute.html
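The "format the list and run nmap again" step Paulino describes is the glue between an enum4linux user listing and smb-brute's userdb. The script below is an added example, not code from the thread or from the Nmap project: it parses lines in the shape enum4linux prints for domain users (assumed here to be `user:[NAME] rid:[0xHEX]`), drops duplicates and the built-in accounts at well-known RIDs 500-502, and writes a one-name-per-line userdb with the `#!comment:` header convention that Nmap's stock username and password lists use. The sample output, host and account names are constructed for the example.

```python
import re

# Constructed sample in the shape of enum4linux's "Users on <host>" section.
# Names, RIDs and the address are made up for this example.
SAMPLE_ENUM4LINUX_OUTPUT = """\
 ========================================
|    Users on 192.0.2.10 (constructed)   |
 ========================================
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[jdoe] rid:[0x450]
user:[Jane.Smith] rid:[0x451]
user:[jdoe] rid:[0x450]
user:[svc-backup] rid:[0x452]
"""

# One enum4linux user line: user:[<name>] rid:[0x<hex>]
USER_LINE = re.compile(r"^user:\[(?P<name>[^\]]+)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")

# Built-in domain accounts: RID 500 Administrator, 501 Guest, 502 krbtgt.
WELL_KNOWN_RIDS = {0x1F4, 0x1F5, 0x1F6}


def parse_enum4linux_users(text, skip_well_known=True):
    """Return usernames from enum4linux-style 'user:[..] rid:[..]' lines.

    Keeps first-seen order, removes duplicates (SMB usernames are
    case-insensitive, so 'jdoe' and 'JDoe' count as one) and, by default,
    leaves out the built-in accounts at well-known RIDs.
    """
    seen = set()
    users = []
    for line in text.splitlines():
        m = USER_LINE.match(line.strip())
        if not m:
            continue  # banners, separators, anything that is not a user line
        rid = int(m.group("rid"), 16)
        if skip_well_known and rid in WELL_KNOWN_RIDS:
            continue
        name = m.group("name")
        key = name.lower()
        if key in seen:
            continue
        seen.add(key)
        users.append(name)
    return users


def to_userdb(users, comment=None):
    """Format names as an Nmap userdb: optional '#!comment:' header, one name per line."""
    lines = []
    if comment:
        lines.append("#!comment: " + comment)
    lines.extend(users)
    return "\n".join(lines) + "\n"


def build_userdb_file(text, path):
    """Parse enum4linux output and write the userdb to 'path'; returns the user count."""
    users = parse_enum4linux_users(text)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(to_userdb(users, "generated from enum4linux output"))
    return len(users)


if __name__ == "__main__":
    count = build_userdb_file(SAMPLE_ENUM4LINUX_OUTPUT, "users.txt")
    print(f"wrote {count} usernames to users.txt")
```

The resulting `users.txt` is what smb-brute's `userdb` script-arg expects, so it pairs directly with the blank `passdb` file in Dan's command. The well-known-RID filter is a default, not a rule: pass `skip_well_known=False` when the audit should include the built-in accounts as well.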
_______________________________________________
Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
Current thread:
- Jiayi's Status Report - #3 of 17 Jiayi Ye (May 18)
- Re: Jiayi's Status Report - #3 of 17 Daniel Miller (May 18)
- Re: Jiayi's Status Report - #3 of 17 Paulino Calderon Pale (May 18)
- Re: Jiayi's Status Report - #3 of 17 Daniel Miller (May 18)