Nmap Development mailing list archives
RE: smb-enum-shares.nse
From: "Rob Nicholls" <robert () robnicholls co uk>
Date: Mon, 19 Dec 2016 21:48:15 -0000
Hi Barry,

Nmap’s SMB authentication library defaults to sending NTLMv1 only: https://nmap.org/nsedoc/lib/smbauth.html

To use NTLMv2 instead you should be able to use script arguments to set the “smbtype” to “v2”, which sends LMv2 and NTLMv2.

Ron has mentioned a limitation that he couldn’t get signatures to work on v2 protocols, so if you require signing (and I’m guessing you probably do if your environment requires NTLMv2) it may still fail.

Rob

From: dev [mailto:dev-bounces () nmap org] On Behalf Of Barry Dragoon
Sent: 19 December 2016 19:15
To: dev () nmap org
Subject: smb-enum-shares.nse

I'm unable to use the subject script, "smb-enum-shares.nse", when I attempt to find the shares in our NTLMv2 environment. If I scan for open shares in our network, the "service account" I'm using will get "locked out" after 6 bad password attempts (due to group policy). I have included debugging info below. It looks to me like smbauth isn't able to convert the NTLMv1 hash to NTLMv2 and thus the bad password attempt.

The command being used is:

nmap -d2 -PS445 -p445 --script=smb-enum-shares --script-args=smbdomain=<ValidDomain>,smbuser=<ValidUserAccount>,smbpass='<ValidPassword>',smbnoguest <ValidComputerName>.<ValidDomainName>.<ValidName>.net

The output is here:

npcap service is already running.
Winpcap present, dynamic linked to: Npcap version 0.10 r9, based on libpcap version 1.9.0-PRE-GIT
Starting Nmap 7.31 ( https://nmap.org ) at 2016-12-19 10:44 Pacific Standard Time
Fetchfile found C:\Program Files (x86)\Nmap/nmap-services
Fetchfile found C:\Program Files (x86)\Nmap/nmap.xsl
The max # of sockets we are using is: 0
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
Fetchfile found C:\Program Files (x86)\Nmap/nse_main.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/lpeg-utility.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/stdnse.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/strict.lua
Fetchfile found C:\Program Files (x86)\Nmap/scripts\script.db
NSE: Arguments from CLI: smbdomain=<ValidDomainName>,smbuser=<ValidUserName>,smbpass=<ValidPassword>,smbnoguest
NSE: Arguments parsed: smbdomain=<ValidDomainName>,smbuser=<ValidUserName>,smbpass=<ValidPassword>,smbnoguest
NSE: {
  ["smbuser"] = "<ValidUserName>",
  [1] = "smbnoguest",
  ["smbpass"] = "<ValidPassword>",
  ["smbdomain"] = "<ValidDomainName>",
}
Fetchfile found C:\Program Files (x86)\Nmap/scripts\smb-enum-shares.nse
NSE: Script smb-enum-shares.nse was selected by name.
Fetchfile found C:\Program Files (x86)\Nmap/nselib/smb.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/asn1.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/bin.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/bit.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/match.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/netbios.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/dns.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/ipOps.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/unittest.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/nsedebug.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/listop.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/base32.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/smb<ValidDomainName>.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/unicode.lua
NSE: <ValidUserScannerMachine>: the NTLMv1_hash
NSE: Loaded 1 scripts for scanning.
NSE: Loaded 'C:\Program Files (x86)\Nmap/scripts\smb-enum-shares.nse'.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 10:44
Completed NSE at 10:44, 0.00s elapsed
Fetchfile found C:\Program Files (x86)\Nmap/nmap-payloads
Initiating Ping Scan at 10:44
Scanning <ValidComputerName>.<ValidDomainName>.<ValidName>.net (<ValidIPv4-Target>) [1 port]
Packet capture filter (device eth1): dst host <ValidIPv4-Scanner> and (icmp or icmp6 or ((tcp or udp or sctp) and (src host <ValidIPv4-Target>)))
We got a TCP ping packet back from <ValidIPv4-Target> port 445 (trynum = 0)
ultrascan_host_probe_update called for machine <ValidIPv4-Target> state UNKNOWN -> HOST_UP (trynum 0 time: 54000)
Changing ping technique for <ValidIPv4-Target> to tcp to port 445; flags: S
Changing global ping host to <ValidIPv4-Target>.
Completed Ping Scan at 10:44, 0.29s elapsed (1 total hosts)
Overall sending rates: 3.45 packets / s, 151.72 bytes / s.
mass_rdns: Using DNS server <ValidIPv4-DNS1>
mass_rdns: Using DNS server <ValidIPv4-DNS2>
Interface {0dd26b35-ab75-11e6-a8c7-806e6f6e6963} is not known; ignoring its nameservers.
Interface {1e00e11a-5c66-4923-b47b-6864509f776f} is not known; ignoring its nameservers.
Interface {8718928d-cbeb-45ea-a621-800a9249001d} is not known; ignoring its nameservers.
Interface {993f9855-aac8-4700-bd70-8af04b395390} is not known; ignoring its nameservers.
Interface {c378405b-0d0e-47c4-8ce4-d113bfd08a00} is not known; ignoring its nameservers.
Interface {d7e29e1e-98e4-4a93-a1f3-95ecb2f51054} is not known; ignoring its nameservers.
Initiating Parallel DNS resolution of 1 host. at 10:44
mass_rdns: 1.10s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 10:44, 0.14s elapsed
DNS resolution of 1 IPs took 1.16s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 10:44
Scanning <ValidComputerName>.<ValidDomainName>.<ValidName>.net (<ValidIPv4-Target>) [1 port]
Packet capture filter (device eth1): dst host <ValidIPv4-Scanner> and (icmp or icmp6 or ((tcp or udp or sctp) and (src host <ValidIPv4-Target>)))
Discovered open port 445/tcp on <ValidIPv4-Target>
Changing global ping host to <ValidIPv4-Target>.
Completed SYN Stealth Scan at 10:44, 0.05s elapsed (1 total ports)
Overall sending rates: 18.52 packets / s, 814.81 bytes / s.
NSE: Script scanning <ValidIPv4-Target>.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 10:44
NSE: Starting smb-enum-shares M:2EE3264 against <ValidComputerName>.<ValidDomainName>.<ValidName>.net (<ValidIPv4-Target>).
Fetchfile found C:\Program Files (x86)\Nmap/nselib/msrpc.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/msrpctypes.lua
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Attempting to log into the system to enumerate shares
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Starting SMB session for (<ValidIPv4-Target>)
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Added account '' to account list
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] <ValidUserScannerMachine>: Print a debug message
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] <ValidUserScannerMachine>: Add the account if we get password
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Added account '<ValidUserName>' to account list
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] <ValidUserScannerMachine>: Print a debug message
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Sending SMB_COM_NEGOTIATE
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Sending SMB_COM_SESSION_SETUP_ANDX
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] LM Password: 41494d2e484f542d3631
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] <ValidUserScannerMachine>: lm_create_hash
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Lanman hash: cca986b122a0fc9797451cd302e7840b
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: NTLM hash: e6b87a4f30261741e73173c3d17317b9
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Creating NTLMv1 response
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Lanman response: 4574ba356120691a3378253c255e2dcba3472fa66d237456
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: NTLM response: 4574ba356120691a3378253c255e2dcba3472fa66d237456
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Sending SMB_COM_SESSION_SETUP_ANDX
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Extended login to <ValidIPv4-Target> as <ValidDomainName>\<ValidUserName> failed (NT_STATUS_LOGON_FAILURE)
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Sending SMB_COM_SESSION_SETUP_ANDX
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] LM Password:
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] <ValidUserScannerMachine>: lm_create_hash
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Lanman hash: aad3b435b51404eeaad3b435b51404ee
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: NTLM hash: 31d6cfe0d16ae931b73c59d7e0c089c0
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Creating NTLMv1 response
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Lanman response: 812f2deaa7ab8e43601bc7f8726951b58bc4c3f5335dc25d
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: NTLM response: 812f2deaa7ab8e43601bc7f8726951b58bc4c3f5335dc25d
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Sending SMB_COM_SESSION_SETUP_ANDX
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Extended login to <ValidIPv4-Target> as <ValidDomainName>\<blank> failed (NT_STATUS_ACCESS_DENIED)
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Sending SMB_COM_LOGOFF_ANDX
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Closing socket
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Enumerating shares failed, guessing at common ones (No accounts left to try)
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Starting SMB session for (<ValidIPv4-Target>)
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Sending SMB_COM_NEGOTIATE
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Closing socket
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Starting SMB session for (<ValidIPv4-Target>)
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Sending SMB_COM_NEGOTIATE
NSE: [smb-enum-shares M:2EE3264 <ValidIPv4-Target>] SMB: Closing socket
NSE: Finished smb-enum-shares M:2EE3264 against <ValidComputerName>.<ValidDomainName>.<ValidName>.net (<ValidIPv4-Target>).
Completed NSE at 10:44, 2.75s elapsed
Nmap scan report for <ValidComputerName>.<ValidDomainName>.<ValidName>.net (<ValidIPv4-Target>)
Host is up, received syn-ack ttl 120 (0.054s latency).
Scanned at 2016-12-19 10:44:52 Pacific Standard Time for 4s
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack ttl 120

Host script results:
| smb-enum-shares:
|_  ERROR: Couldn't enumerate shares: No accounts left to try

Final times for host: srtt: 53875 rttvar: 40750 to: 216875
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 10:44
Completed NSE at 10:44, 0.00s elapsed
Read from C:\Program Files (x86)\Nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 5.20 seconds
Raw packets sent: 2 (88B) | Rcvd: 2 (88B)

Can anyone offer an explanation for why the NTLMv2 hash isn't generated, and a workaround to resolve this issue?
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
Current thread:
- smb-enum-shares.nse Barry Dragoon (Dec 19)
- RE: smb-enum-shares.nse Rob Nicholls (Dec 19)