Nmap Development mailing list archives

smb-enum-shares.nse


From: Barry Dragoon <barry.dragoon () gmail com>
Date: Mon, 19 Dec 2016 11:14:34 -0800

I'm unable to use the subject script, "smb-enum-shares.nse" when I attempt
to find the shares in our NTLMv2 environment.  If I scan for open shares in
our network, the "service account" I'm using will get "locked out" after 6
bad password attempts (due to group policy).  I have included debugging
info below.  It looks to me that smbauth isn't able to convert the NTLMv1
hash to NTLMv2 and thus the bad password attempt.

The command being used is:
nmap -d2 -PS445 -p445 --script=smb-enum-shares
--script-args=smbdomain=<ValidDomain>,smbuser=<ValidUserAccount>,smbpass='<ValidPassword>',smbnoguest
<ValidComputerName>.<ValidDomainName>.<ValidName>.net

The output is here:
npcap service is already running.
Winpcap present, dynamic linked to: Npcap version 0.10 r9, based on libpcap
version 1.9.0-PRE-GIT

Starting Nmap 7.31 ( https://nmap.org ) at 2016-12-19 10:44 Pacific
Standard Time
Fetchfile found C:\Program Files (x86)\Nmap/nmap-services
Fetchfile found C:\Program Files (x86)\Nmap/nmap.xsl
The max # of sockets we are using is: 0
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
Fetchfile found C:\Program Files (x86)\Nmap/nse_main.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/lpeg-utility.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/stdnse.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/strict.lua
Fetchfile found C:\Program Files (x86)\Nmap/scripts\script.db
NSE: Arguments from CLI:
smbdomain=<ValidDomainName>,smbuser=<ValidUserName>,smbpass=<ValidPassword>,smbnoguest
NSE: Arguments parsed:
smbdomain=<ValidDomainName>,smbuser=<ValidUserName>,smbpass=<ValidPassword>,smbnoguest
NSE: {
["smbuser"] = "<ValidUserName>",
[1] = "smbnoguest",
["smbpass"] = "<ValidPassword>",
["smbdomain"] = "<ValidDomainName>",
}
Fetchfile found C:\Program Files (x86)\Nmap/scripts\smb-enum-shares.nse
NSE: Script smb-enum-shares.nse was selected by name.
Fetchfile found C:\Program Files (x86)\Nmap/nselib/smb.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/asn1.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/bin.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/bit.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/match.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/netbios.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/dns.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/ipOps.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/unittest.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/nsedebug.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/listop.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/base32.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/smb<ValidDomainName>.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/unicode.lua
NSE: <ValidUserScannerMachine>: the NTLMv1_hash
NSE: Loaded 1 scripts for scanning.
NSE: Loaded 'C:\Program Files (x86)\Nmap/scripts\smb-enum-shares.nse'.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 10:44
Completed NSE at 10:44, 0.00s elapsed
Fetchfile found C:\Program Files (x86)\Nmap/nmap-payloads
Initiating Ping Scan at 10:44
Scanning <ValidComputerName>.<ValidDomainName>.<ValidName>.net
(<ValidIPv4-Target>) [1 port]
Packet capture filter (device eth1): dst host <ValidIPv4-Scanner> and (icmp
or icmp6 or ((tcp or udp or sctp) and (src host <ValidIPv4-Target>)))
We got a TCP ping packet back from <ValidIPv4-Target> port 445 (trynum = 0)
ultrascan_host_probe_update called for machine <ValidIPv4-Target> state
UNKNOWN -> HOST_UP (trynum 0 time: 54000)
Changing ping technique for <ValidIPv4-Target> to tcp to port 445; flags: S
Changing global ping host to <ValidIPv4-Target>.
Completed Ping Scan at 10:44, 0.29s elapsed (1 total hosts)
Overall sending rates: 3.45 packets / s, 151.72 bytes / s.
mass_rdns: Using DNS server <ValidIPv4-DNS1>
mass_rdns: Using DNS server <ValidIPv4-DNS2>
Interface {0dd26b35-ab75-11e6-a8c7-806e6f6e6963} is not known; ignoring its
nameservers.
Interface {1e00e11a-5c66-4923-b47b-6864509f776f} is not known; ignoring its
nameservers.
Interface {8718928d-cbeb-45ea-a621-800a9249001d} is not known; ignoring its
nameservers.
Interface {993f9855-aac8-4700-bd70-8af04b395390} is not known; ignoring its
nameservers.
Interface {c378405b-0d0e-47c4-8ce4-d113bfd08a00} is not known; ignoring its
nameservers.
Interface {d7e29e1e-98e4-4a93-a1f3-95ecb2f51054} is not known; ignoring its
nameservers.
Initiating Parallel DNS resolution of 1 host. at 10:44
mass_rdns: 1.10s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 10:44, 0.14s elapsed
DNS resolution of 1 IPs took 1.16s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0,
SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 10:44
Scanning <ValidComputerName>.<ValidDomainName>.<ValidName>.net
(<ValidIPv4-Target>) [1 port]
Packet capture filter (device eth1): dst host <ValidIPv4-Scanner> and (icmp
or icmp6 or ((tcp or udp or sctp) and (src host <ValidIPv4-Target>)))
Discovered open port 445/tcp on <ValidIPv4-Target>
Changing global ping host to <ValidIPv4-Target>.
Completed SYN Stealth Scan at 10:44, 0.05s elapsed (1 total ports)
Overall sending rates: 18.52 packets / s, 814.81 bytes / s.
NSE: Script scanning <ValidIPv4-Target>.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 10:44
NSE: Starting smb-enum-shares M:2EE3264 against
<ValidComputerName>.<ValidDomainName>.<ValidName>.net (<ValidIPv4-Target>).
Fetchfile found C:\Program Files (x86)\Nmap/nselib/msrpc.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/msrpctypes.lua
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Attempting to log
into the system to enumerate shares
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Starting SMB
session for  (<ValidIPv4-Target>)
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Added account ''
to account list
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>]
<ValidUserScannerMachine>: Print a debug message
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>]
<ValidUserScannerMachine>: Add the account if we get password
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Added account
'<ValidUserName>' to account list
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>]
<ValidUserScannerMachine>: Print a debug message
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Sending
SMB_COM_NEGOTIATE
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Sending
SMB_COM_SESSION_SETUP_ANDX
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] LM Password:
41494d2e484f542d3631
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>]
<ValidUserScannerMachine>: lm_create_hash
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Lanman hash:
cca986b122a0fc9797451cd302e7840b
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: NTLM   hash:
e6b87a4f30261741e73173c3d17317b9
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Creating NTLMv1
response
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Lanman response:
4574ba356120691a3378253c255e2dcba3472fa66d237456
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: NTLM   response:
4574ba356120691a3378253c255e2dcba3472fa66d237456
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Sending
SMB_COM_SESSION_SETUP_ANDX
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Extended login to
<ValidIPv4-Target> as <ValidDomainName>\<ValidUserName> failed
(NT_STATUS_LOGON_FAILURE)
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Sending
SMB_COM_SESSION_SETUP_ANDX
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] LM Password:
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>]
<ValidUserScannerMachine>: lm_create_hash
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Lanman hash:
aad3b435b51404eeaad3b435b51404ee
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: NTLM   hash:
31d6cfe0d16ae931b73c59d7e0c089c0
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Creating NTLMv1
response
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Lanman response:
812f2deaa7ab8e43601bc7f8726951b58bc4c3f5335dc25d
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: NTLM   response:
812f2deaa7ab8e43601bc7f8726951b58bc4c3f5335dc25d
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Sending
SMB_COM_SESSION_SETUP_ANDX
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Extended login to
<ValidIPv4-Target> as <ValidDomainName>\<blank> failed
(NT_STATUS_ACCESS_DENIED)
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Sending
SMB_COM_LOGOFF_ANDX
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Closing socket
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Enumerating shares
failed, guessing at common ones (No accounts left to try)
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Starting SMB
session for  (<ValidIPv4-Target>)
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Sending
SMB_COM_NEGOTIATE
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Closing socket
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Starting SMB
session for  (<ValidIPv4-Target>)
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Sending
SMB_COM_NEGOTIATE
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Closing socket
NSE: Finished smb-enum-shares M:2EE3264 against
<ValidComputerName>.<ValidDomainName>.<ValidName>.net (<ValidIPv4-Target>).
Completed NSE at 10:44, 2.75s elapsed
Nmap scan report for <ValidComputerName>.<ValidDomainName>.<ValidName>.net
(<ValidIPv4-Target>)
Host is up, received syn-ack ttl 120 (0.054s latency).
Scanned at 2016-12-19 10:44:52 Pacific Standard Time for 4s
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack ttl 120

Host script results:
| smb-enum-shares:
|_  ERROR: Couldn't enumerate shares: No accounts left to try
Final times for host: srtt: 53875 rttvar: 40750  to: 216875

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 10:44
Completed NSE at 10:44, 0.00s elapsed
Read from C:\Program Files (x86)\Nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 5.20 seconds
           Raw packets sent: 2 (88B) | Rcvd: 2 (88B)


Can anyone offer an explanation for why the NTLMv2 hash isn't generated,
and a workaround to resolve this issue?
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
