Nmap Development mailing list archives
Re: SMB related version detection updates
From: Tom Sellers <nmap () fadedcode net>
Date: Sat, 2 Apr 2016 00:37:59 -0500
I've just finished another pass at tuning the version detection for netbios-ns ( 137/udp ). The results should be more reliable and provide some additional detail. We can now tell if the target is an Active Directory / Domain controller. There are new match lines for Apple's SMB implementation. Also, I've addressed a couple of cases where the hostname and workgroup or domain name were switched.

Once I've had a chance to test it against some really old clients ( Win XP ) I might be able to remove some of the legacy entries. The responses from modern Windows OSes ( Win 7+ ) are fairly consistent and none of them are triggering the older matchlines at the beginning of that section.

Tom

On 3/30/2016 9:12 AM, Daniel Miller wrote:
> Tom,
>
> Thanks for these updates! We occasionally get service fingerprints for SMB, but it can be hard to tell which parts of the response are relevant to the service version. Solid empirical results like these are very valuable.
>
> Dan
>
> On Wed, Mar 30, 2016 at 5:38 AM, Tom Sellers <nmap () fadedcode net> wrote:
>> FYI,
>>
>> Yesterday in commit 35748 I updated some SMB related match lines. The intent was to improve the scan results in preparation for dealing with Badlock.
>>
>> Fixed are certain matchlines that indicated a specific OS version such as 'Microsoft Windows NT netbios-ssn' that actually matched newer versions of Windows including 2012 R2. Matches that indicated Samba 3.x have been updated as they also match Samba 4.x as well. There are also a couple of new matchlines that help handle and capture data, particularly in cases where responses from Samba exactly match those from Windows.
>>
>> The changes were tested against Windows 7 and 8, Windows Server 2008, 2008 R2, 2012, 2012 R2 as well as Samba 3.6.x, 4.1.x, and Apple's current SMB fork.
>>
>> Tom
>> _______________________________________________
>> Sent through the dev mailing list
>> https://nmap.org/mailman/listinfo/dev
>> Archived at http://seclists.org/nmap-dev/