Nmap Development mailing list archives

RE: smb-enum-shares.nse


From: "Rob Nicholls" <robert () robnicholls co uk>
Date: Mon, 19 Dec 2016 21:48:15 -0000

Hi Barry,

 

Nmap’s SMB authentication library defaults to sending NTLMv1 only:

 

https://nmap.org/nsedoc/lib/smbauth.html

 

To use NTLMv2 instead you should be able to use script arguments to set the “smbtype” to “v2”, which sends LMv2 and 
NTLMv2. Ron has mentioned a limitation that he couldn’t get signatures to work on v2 protocols, so if you require 
signing (and I’m guessing you probably do if your environment requires NTLMv2) it may still fail.

 

Rob

 

From: dev [mailto:dev-bounces () nmap org] On Behalf Of Barry Dragoon
Sent: 19 December 2016 19:15
To: dev () nmap org
Subject: smb-enum-shares.nse

 

I'm unable to use the subject script, "smb-enum-shares.nse" when I attempt to find the shares in our NTLMv2 
environment.  If I scan for open shares in our network, the "service account" I'm using will get "locked out" after 6 
bad password attempts (due to group policy).  I have included debugging info below.  It looks to me that smbauth isn't 
able to convert the NTLMv1 hash to NTLMv2 and thus the bad password attempt.

 

The command being used is:

nmap -d2 -PS445 -p445 --script=smb-enum-shares 
--script-args=smbdomain=<ValidDomain>,smbuser=<ValidUserAccount>,smbpass='<ValidPassword>',smbnoguest 
<ValidComputerName>.<ValidDomainName>.<ValidName>.net

 

The output is here:

npcap service is already running.

Winpcap present, dynamic linked to: Npcap version 0.10 r9, based on libpcap version 1.9.0-PRE-GIT

 

Starting Nmap 7.31 ( https://nmap.org ) at 2016-12-19 10:44 Pacific Standard Time

Fetchfile found C:\Program Files (x86)\Nmap/nmap-services

Fetchfile found C:\Program Files (x86)\Nmap/nmap.xsl

The max # of sockets we are using is: 0

--------------- Timing report ---------------

  hostgroups: min 1, max 100000

  rtt-timeouts: init 1000, min 100, max 10000

  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000

  parallelism: min 0, max 0

  max-retries: 10, host-timeout: 0

  min-rate: 0, max-rate: 0

---------------------------------------------

NSE: Using Lua 5.3.

Fetchfile found C:\Program Files (x86)\Nmap/nse_main.lua

Fetchfile found C:\Program Files (x86)\Nmap/nselib/lpeg-utility.lua

Fetchfile found C:\Program Files (x86)\Nmap/nselib/stdnse.lua

Fetchfile found C:\Program Files (x86)\Nmap/nselib/strict.lua

Fetchfile found C:\Program Files (x86)\Nmap/scripts\script.db

NSE: Arguments from CLI: smbdomain=<ValidDomainName>,smbuser=<ValidUserName>,smbpass=<ValidPassword>,smbnoguest

NSE: Arguments parsed: smbdomain=<ValidDomainName>,smbuser=<ValidUserName>,smbpass=<ValidPassword>,smbnoguest

NSE: {

            ["smbuser"] = "<ValidUserName>",

            [1] = "smbnoguest",

            ["smbpass"] = "<ValidPassword>",

            ["smbdomain"] = "<ValidDomainName>",

}

Fetchfile found C:\Program Files (x86)\Nmap/scripts\smb-enum-shares.nse

NSE: Script smb-enum-shares.nse was selected by name.

Fetchfile found C:\Program Files (x86)\Nmap/nselib/smb.lua

Fetchfile found C:\Program Files (x86)\Nmap/nselib/asn1.lua

Fetchfile found C:\Program Files (x86)\Nmap/nselib/bin.lua

Fetchfile found C:\Program Files (x86)\Nmap/nselib/bit.lua

Fetchfile found C:\Program Files (x86)\Nmap/nselib/match.lua

Fetchfile found C:\Program Files (x86)\Nmap/nselib/netbios.lua

Fetchfile found C:\Program Files (x86)\Nmap/nselib/dns.lua

Fetchfile found C:\Program Files (x86)\Nmap/nselib/ipOps.lua

Fetchfile found C:\Program Files (x86)\Nmap/nselib/unittest.lua

Fetchfile found C:\Program Files (x86)\Nmap/nselib/nsedebug.lua

Fetchfile found C:\Program Files (x86)\Nmap/nselib/listop.lua

Fetchfile found C:\Program Files (x86)\Nmap/nselib/base32.lua

Fetchfile found C:\Program Files (x86)\Nmap/nselib/smb<ValidDomainName>.lua

Fetchfile found C:\Program Files (x86)\Nmap/nselib/unicode.lua

NSE: <ValidUserScannerMachine>: the NTLMv1_hash

NSE: Loaded 1 scripts for scanning.

NSE: Loaded 'C:\Program Files (x86)\Nmap/scripts\smb-enum-shares.nse'.

NSE: Script Pre-scanning.

NSE: Starting runlevel 1 (of 1) scan.

Initiating NSE at 10:44

Completed NSE at 10:44, 0.00s elapsed

Fetchfile found C:\Program Files (x86)\Nmap/nmap-payloads

Initiating Ping Scan at 10:44

Scanning <ValidComputerName>.<ValidDomainName>.<ValidName>.net (<ValidIPv4-Target>) [1 port]

Packet capture filter (device eth1): dst host <ValidIPv4-Scanner> and (icmp or icmp6 or ((tcp or udp or sctp) and (src 
host <ValidIPv4-Target>)))

We got a TCP ping packet back from <ValidIPv4-Target> port 445 (trynum = 0)

ultrascan_host_probe_update called for machine <ValidIPv4-Target> state UNKNOWN -> HOST_UP (trynum 0 time: 54000)

Changing ping technique for <ValidIPv4-Target> to tcp to port 445; flags: S

Changing global ping host to <ValidIPv4-Target>.

Completed Ping Scan at 10:44, 0.29s elapsed (1 total hosts)

Overall sending rates: 3.45 packets / s, 151.72 bytes / s.

mass_rdns: Using DNS server <ValidIPv4-DNS1>

mass_rdns: Using DNS server <ValidIPv4-DNS2>

Interface {0dd26b35-ab75-11e6-a8c7-806e6f6e6963} is not known; ignoring its nameservers.

Interface {1e00e11a-5c66-4923-b47b-6864509f776f} is not known; ignoring its nameservers.

Interface {8718928d-cbeb-45ea-a621-800a9249001d} is not known; ignoring its nameservers.

Interface {993f9855-aac8-4700-bd70-8af04b395390} is not known; ignoring its nameservers.

Interface {c378405b-0d0e-47c4-8ce4-d113bfd08a00} is not known; ignoring its nameservers.

Interface {d7e29e1e-98e4-4a93-a1f3-95ecb2f51054} is not known; ignoring its nameservers.

Initiating Parallel DNS resolution of 1 host. at 10:44

mass_rdns: 1.10s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]

Completed Parallel DNS resolution of 1 host. at 10:44, 0.14s elapsed

DNS resolution of 1 IPs took 1.16s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]

Initiating SYN Stealth Scan at 10:44

Scanning <ValidComputerName>.<ValidDomainName>.<ValidName>.net (<ValidIPv4-Target>) [1 port]

Packet capture filter (device eth1): dst host <ValidIPv4-Scanner> and (icmp or icmp6 or ((tcp or udp or sctp) and (src 
host <ValidIPv4-Target>)))

Discovered open port 445/tcp on <ValidIPv4-Target>

Changing global ping host to <ValidIPv4-Target>.

Completed SYN Stealth Scan at 10:44, 0.05s elapsed (1 total ports)

Overall sending rates: 18.52 packets / s, 814.81 bytes / s.

NSE: Script scanning <ValidIPv4-Target>.

NSE: Starting runlevel 1 (of 1) scan.

Initiating NSE at 10:44

NSE: Starting smb-enum-shares M:2EE3264 against <ValidComputerName>.<ValidDomainName>.<ValidName>.net 
(<ValidIPv4-Target>).

Fetchfile found C:\Program Files (x86)\Nmap/nselib/msrpc.lua

Fetchfile found C:\Program Files (x86)\Nmap/nselib/msrpctypes.lua

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Attempting to log into the system to enumerate shares

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Starting SMB session for  (<ValidIPv4-Target>)

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Added account '' to account list

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] <ValidUserScannerMachine>: Print a debug message

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] <ValidUserScannerMachine>: Add the account if we get password

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Added account '<ValidUserName>' to account list

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] <ValidUserScannerMachine>: Print a debug message

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Sending SMB_COM_NEGOTIATE

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Sending SMB_COM_SESSION_SETUP_ANDX

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] LM Password: 41494d2e484f542d3631

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] <ValidUserScannerMachine>: lm_create_hash

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Lanman hash: cca986b122a0fc9797451cd302e7840b

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: NTLM   hash: e6b87a4f30261741e73173c3d17317b9

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Creating NTLMv1 response

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Lanman response: 
4574ba356120691a3378253c255e2dcba3472fa66d237456

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: NTLM   response: 
4574ba356120691a3378253c255e2dcba3472fa66d237456

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Sending SMB_COM_SESSION_SETUP_ANDX

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Extended login to <ValidIPv4-Target> as 
<ValidDomainName>\<ValidUserName> failed (NT_STATUS_LOGON_FAILURE)

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Sending SMB_COM_SESSION_SETUP_ANDX

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] LM Password: 

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] <ValidUserScannerMachine>: lm_create_hash

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Lanman hash: aad3b435b51404eeaad3b435b51404ee

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: NTLM   hash: 31d6cfe0d16ae931b73c59d7e0c089c0

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Creating NTLMv1 response

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Lanman response: 
812f2deaa7ab8e43601bc7f8726951b58bc4c3f5335dc25d

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: NTLM   response: 
812f2deaa7ab8e43601bc7f8726951b58bc4c3f5335dc25d

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Sending SMB_COM_SESSION_SETUP_ANDX

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Extended login to <ValidIPv4-Target> as 
<ValidDomainName>\<blank> failed (NT_STATUS_ACCESS_DENIED)

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Sending SMB_COM_LOGOFF_ANDX

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Closing socket

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Enumerating shares failed, guessing at common ones (No 
accounts left to try)

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Starting SMB session for  (<ValidIPv4-Target>)

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Sending SMB_COM_NEGOTIATE

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Closing socket

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Starting SMB session for  (<ValidIPv4-Target>)

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Sending SMB_COM_NEGOTIATE

NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Closing socket

NSE: Finished smb-enum-shares M:2EE3264 against <ValidComputerName>.<ValidDomainName>.<ValidName>.net 
(<ValidIPv4-Target>).

Completed NSE at 10:44, 2.75s elapsed

Nmap scan report for <ValidComputerName>.<ValidDomainName>.<ValidName>.net (<ValidIPv4-Target>)

Host is up, received syn-ack ttl 120 (0.054s latency).

Scanned at 2016-12-19 10:44:52 Pacific Standard Time for 4s

PORT    STATE SERVICE      REASON

445/tcp open  microsoft-ds syn-ack ttl 120

 

Host script results:

| smb-enum-shares: 

|_  ERROR: Couldn't enumerate shares: No accounts left to try

Final times for host: srtt: 53875 rttvar: 40750  to: 216875

 

NSE: Script Post-scanning.

NSE: Starting runlevel 1 (of 1) scan.

Initiating NSE at 10:44

Completed NSE at 10:44, 0.00s elapsed

Read from C:\Program Files (x86)\Nmap: nmap-payloads nmap-services.

Nmap done: 1 IP address (1 host up) scanned in 5.20 seconds

           Raw packets sent: 2 (88B) | Rcvd: 2 (88B)

 

 

Can anyone offer an explanation for why the NTLMv2 hash isn't generated, and workaround to resolve this issue?
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/