Nmap Development mailing list archives

Re: nmap bug with authentication


From: Paulino Calderon <paulino () calderonpale com>
Date: Sat, 9 Apr 2016 14:38:53 -0400

Hello,

Would you mind telling me more about the environment you have? Can you send me the full script trace (--script-trace) 
output privately so I can take a look at it? I think I’ve seen this before.

Cheers.

On Apr 8, 2016, at 1:11 PM, Victor Manuel Ladino Garzon <vladino () heinsohn com co> wrote:


Hi,

We are testing the scripts:

- smb-os-discovery
- smb-enum-sessions.nse

We are using the following command:

./nmap --script=/home/oracle/nmap-6.25/scripts/smb-os-discovery --script-args=smbuser=pepe,smbpass=xxx, -p445 172.16.22.7 -d

The output is:

Starting Nmap 6.25 ( http://nmap.org ) at 2016-04-08 11:01 COT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.2.
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating Ping Scan at 11:01
Scanning 172.16.22.7 [4 ports]
Packet capture filter (device Auto_eth2): dst host 197.0.2.124 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 172.16.22.7)))
We got a TCP ping packet back from 172.16.22.7 port 80 (trynum = 0)
Completed Ping Scan at 11:01, 0.01s elapsed (1 total hosts)
Overall sending rates: 374.29 packets / s, 14222.89 bytes / s.
mass_rdns: Using DNS server 197.0.6.18
mass_rdns: Using DNS server 197.0.6.19
Initiating Parallel DNS resolution of 1 host. at 11:01
mass_rdns: 0.00s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 11:01, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 11:01
Scanning po-3774-269v4.heinsohn.com.co (172.16.22.7) [1 port]
Packet capture filter (device Auto_eth2): dst host 197.0.2.124 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 172.16.22.7)))
Discovered open port 445/tcp on 172.16.22.7
Completed SYN Stealth Scan at 11:01, 0.00s elapsed (1 total ports)
Overall sending rates: 214.68 packets / s, 9446.11 bytes / s.
NSE: Script scanning 172.16.22.7.
NSE: Starting runlevel 1 (of 1) scan.
NSE: Starting smb-os-discovery against 172.16.22.7.
Initiating NSE at 11:01
NSE: SMB: Added account '' to account list
NSE: SMB: Added account 'guest' to account list
NSE: SMB: Added account 'pepe' to account list
NSE: SMB: Login as \pepe failed (NT_STATUS_LOGON_FAILURE)
NSE: SMB: Login as \guest failed (NT_STATUS_LOGON_FAILURE)
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: Finished smb-os-discovery against 172.16.22.7.
Completed NSE at 11:01, 0.01s elapsed
Nmap scan report for po-3774-269v4.heinsohn.com.co (172.16.22.7)
Host is up, received reset (0.00083s latency).
Scanned at 2016-04-08 11:01:50 COT for 0s
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack

Host script results:
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: PO-3774-269V4
|   NetBIOS computer name: PO-3774-269V4
|   Domain name: heinsohn.com.co
|   Forest name: heinsohn.com.co
|   FQDN: PO-3774-269V4.heinsohn.com.co
|   NetBIOS domain name: HEINSOHN
|_  System time: 2016-04-08T11:02:00-05:00
Final times for host: srtt: 829 rttvar: 3858  to: 100000


In the script smb-enum-sessions.nse the error is the same:

Initiating NSE at 12:04
NSE: SMB: Added account '' to account list
NSE: SMB: Added account 'guest' to account list
NSE: SMB: Added account 'pepe' to account list
NSE: SMB: Extended login to 172.16.22.7 as HEINSOHN\pepe failed (NT_STATUS_LOGON_FAILURE)
NSE: SMB: Extended login to 172.16.22.7 as HEINSOHN\guest failed (NT_STATUS_LOGON_FAILURE)
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: Finished smb-enum-sessions against 172.16.22.7.
Completed NSE at 12:04, 0.08s elapsed
Nmap scan report for po-3774-269v4.heinsohn.com.co (172.16.22.7)
Host is up, received reset (0.00081s latency).
Scanned at 2016-04-08 12:04:08 COT for 0s
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack
Final times for host: srtt: 811 rttvar: 3903  to: 100000

We tested with different arguments:

--script-args=smbuser=pepe,smbpass=xxx,smbbasic=1,smbtype=v1
--script-args=smbuser=pepe,smbpass=xxx,smbtype=v1
--script-args=smbuser=pepe,smbpass=xxx,smbtype=v2

Nothing has worked.

Please advise.

Thanks

Cordialmente / Best regards,

Víctor Manuel Ladino Garzón
Oracle Database Administrator
+571 6337070 Ext: 1902
vladino () heinsohn com co
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
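One way to triage debug output like the one posted above, as an added example that is not part of Nmap, its smb library or the thread: a small Python summarizer that reads the `NSE: SMB:` lines printed at `-d` and groups them into accounts queued for login, logins rejected with an NT_STATUS code, and NTLM challenge parse errors. The sample lines are constructed after the ones in the report; the function names and the wording of the findings are my own, and the script does not contact any host.

```python
"""Summarize NSE SMB authentication lines from `nmap -d` output.

Added example (not Nmap code): it only parses text the smb library
already prints at -d and never touches the network.
"""
import re
from collections import Counter

# Constructed sample, modelled on the NSE lines shown in the thread.
SAMPLE_OUTPUT = "\n".join([
    "NSE: Starting smb-os-discovery against 172.16.22.7.",
    "NSE: SMB: Added account '' to account list",
    "NSE: SMB: Added account 'guest' to account list",
    "NSE: SMB: Added account 'pepe' to account list",
    r"NSE: SMB: Login as \pepe failed (NT_STATUS_LOGON_FAILURE)",
    r"NSE: SMB: Login as \guest failed (NT_STATUS_LOGON_FAILURE)",
    "NSE: SMB: Invalid NTLM challenge message: unexpected signature.",
    "NSE: Finished smb-os-discovery against 172.16.22.7.",
])

ACCOUNT_RE = re.compile(r"^NSE: SMB: Added account '(?P<account>[^']*)' to account list$")
# Both forms seen in the thread: "Login as \user" (no domain) and
# "Extended login to <host> as DOMAIN\user".
LOGIN_RE = re.compile(
    r"^NSE: SMB: (?:Extended login to (?P<host>\S+) as |Login as )"
    r"(?P<domain>[^\\ ]*)\\(?P<user>\S+) failed \((?P<status>NT_STATUS_\w+)\)$"
)
ERROR_RE = re.compile(r"^NSE: SMB: (?P<error>Invalid NTLM challenge message: .*)$")


def summarize_smb_auth(output: str) -> dict:
    """Return the accounts queued, the failed logins and the NTLM protocol errors."""
    accounts, failures, errors = [], [], []
    for raw in output.splitlines():
        line = raw.strip()
        if m := ACCOUNT_RE.match(line):
            accounts.append(m["account"])
        elif m := LOGIN_RE.match(line):
            failures.append({"host": m["host"], "domain": m["domain"],
                             "user": m["user"], "status": m["status"]})
        elif m := ERROR_RE.match(line):
            errors.append(m["error"])
    return {"accounts": accounts, "failures": failures, "protocol_errors": errors}


def diagnose(summary: dict) -> list:
    """Turn the summary into short findings; wording is this example's own."""
    findings = []
    failed_users = {f["user"] for f in summary["failures"]}
    # One line per NT_STATUS code, listing the accounts it was returned for.
    for status, n in Counter(f["status"] for f in summary["failures"]).items():
        users = sorted({f["user"] or "(anonymous)" for f in summary["failures"]
                        if f["status"] == status})
        findings.append(f"{n} login(s) rejected with {status}: {', '.join(users)}")
    # A challenge that NSE refuses to parse is a problem in the NTLM exchange
    # itself, independent of whether the password is right.
    if summary["protocol_errors"]:
        findings.append(
            f"{len(summary['protocol_errors'])} NTLM challenge(s) could not be parsed "
            "(unexpected signature); capture --script-trace to see the raw messages"
        )
    # Accounts that were queued but for which no failure line appeared.
    untried = [a or "(anonymous)" for a in summary["accounts"] if a not in failed_users]
    if untried:
        findings.append("queued but no failure logged: " + ", ".join(untried))
    return findings


if __name__ == "__main__":
    for finding in diagnose(summarize_smb_auth(SAMPLE_OUTPUT)):
        print(finding)
```

Feeding the complete `-d` output of a run to `summarize_smb_auth` separates the two things the report shows mixed together: credentials rejected by the server (NT_STATUS_LOGON_FAILURE for `pepe` and `guest`) and a challenge message NSE itself refused to parse, which is the part the `--script-trace` capture requested above would expose.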