Nmap Development mailing list archives
[NSE RFC] MS RPC libraries
From: Ron <ron () skullsecurity net>
Date: Sat, 27 Sep 2008 16:00:31 -0500
Hey all,

I've put a significant amount of work into my Nmap scripts, and I finally have a new version to show for it. I added a whole bunch of functionality for making RPC calls against Windows. Currently, it only works against Windows 2000 (since only Windows 2000 allows NULL sessions), but the next thing I'm going to work on is authentication.

Here is an example of scanning a Windows 2000 box with all the msrpc plugins (some of it is repetitive, because some functions grab the data in different ways):

--
$ ./nmap --script=smb-msrpc-bruteusers.nse,smb-msrpc-enumdomains.nse,smb-msrpc-enumshares.nse,smb-msrpc-enumusers.nse 192.168.2.18

Starting Nmap 4.76 ( http://nmap.org ) at 2008-09-27 15:56 CDT
Interesting ports on 192.168.2.18:
Not shown: 996 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS

Host script results:
|_ MSRPC: NetShareEnumAll(): IPC$, ADMIN$, C$
| MSRPC: List of user accounts:
| Domain: 2KSP0
| SID: S-1-5-21-602162358-1500820517-839522115
| Users: Administrator, Guest
|_ Users: Ron
| MSRPC: List of user accounts:
|_ Domain '2KSP0': Administrator, Guest, Ron
| MSRPC: List of domains:
| Domain: 2KSP0
| |_ SID: S-1-5-21-602162358-1500820517-839522115
| |_ Users: Administrator, Guest, Ron
| |_ Creation time: 2008-07-29 13:30:38
| |_ Min password length: 0 characters
| |_ Max password age: 42 days
| |_ Min password age: 0 days
| |_ Password history length: 0 passwords
| |_ Lockout threshold: 0 login attempts
| |_ Lockout duration: 30 minutes
| |_ Lockout window: 30 minutes
| |_ Password properties:
| |_ Password complexity requirements do not exist
|_ |_ Administrator account cannot be locked out
--

I've tested this against every Windows OS since 2000, and it "works" against all of them (that is, it either runs or fails cleanly).

So, any questions or comments would be good, so I can fix them and resume working on it. :)

Thanks!
Ron

PS: Here's hoping that .tgzs can be posted to the mailing list. :)
Attachment: nmap-smb.tgz
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
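The policy block at the end of Ron's output (min password length, max/min password age, history length, lockout threshold/duration/window, complexity, and whether the Administrator account can be locked out) is what SAMR hands back in DOMAIN_PASSWORD_INFORMATION and DOMAIN_LOCKOUT_INFORMATION. The following Python is an added example, not code from nmap-smb.tgz or from Nmap, showing how those raw fields decode into the lines above and which of them a tester should flag. It assumes the MS-SAMR field order and encoding (relative times as negative counts of 100 ns ticks, PasswordProperties as a bitmask, INT64_MIN for "never"); the sample struct bytes are constructed to reproduce the 2KSP0 values, packed little-endian without the NDR alignment a real DCE/RPC stub carries, and were not captured from a host.

```python
# Added example: decode SAMR domain password/lockout policy and flag weak settings.
# Field order per MS-SAMR; sample bytes are constructed, not captured.
import struct

# PasswordProperties bits (MS-SAMR DOMAIN_PASSWORD_INFORMATION)
DOMAIN_PASSWORD_COMPLEX = 0x01          # complexity requirements enforced
DOMAIN_LOCKOUT_ADMINS = 0x08            # lockout also applies to Administrator
DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x10  # reversible encryption

TICKS_PER_SECOND = 10_000_000  # relative times are 100 ns intervals
NEVER = -(1 << 63)             # INT64_MIN: Windows' "never expires"

def delta_to_seconds(raw):
    """Relative SAMR times are negative tick counts; None means 'never'."""
    if raw == NEVER:
        return None
    return -raw // TICKS_PER_SECOND

def parse_password_info(data):
    """USHORT MinPasswordLength, USHORT PasswordHistoryLength, ULONG PasswordProperties,
    INT64 MaxPasswordAge, INT64 MinPasswordAge (packed little-endian, assumed layout)."""
    min_len, history, props, max_age, min_age = struct.unpack_from("<HHIqq", data)
    return {
        "min_password_length": min_len,
        "password_history_length": history,
        "password_properties": props,
        "max_password_age": delta_to_seconds(max_age),
        "min_password_age": delta_to_seconds(min_age),
    }

def parse_lockout_info(data):
    """INT64 LockoutDuration, INT64 LockoutObservationWindow, USHORT LockoutThreshold."""
    duration, window, threshold = struct.unpack_from("<qqH", data)
    return {
        "lockout_duration": delta_to_seconds(duration),
        "lockout_window": delta_to_seconds(window),
        "lockout_threshold": threshold,
    }

def format_interval(seconds):
    """Largest unit dividing evenly, matching the script's '42 days' / '30 minutes'."""
    if seconds is None:
        return "never"
    if seconds == 0:
        return "0 days"
    for unit, size in (("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size and seconds % size == 0:
            return f"{seconds // size} {unit}"
    return f"{seconds} seconds"

def describe(policy):
    """Render the policy the way smb-msrpc-enumdomains prints it."""
    props = policy["password_properties"]
    return [
        f"Min password length: {policy['min_password_length']} characters",
        f"Max password age: {format_interval(policy['max_password_age'])}",
        f"Min password age: {format_interval(policy['min_password_age'])}",
        f"Password history length: {policy['password_history_length']} passwords",
        f"Lockout threshold: {policy['lockout_threshold']} login attempts",
        f"Lockout duration: {format_interval(policy['lockout_duration'])}",
        f"Lockout window: {format_interval(policy['lockout_window'])}",
        "Password complexity requirements " + ("exist" if props & DOMAIN_PASSWORD_COMPLEX else "do not exist"),
        "Administrator account " + ("can" if props & DOMAIN_LOCKOUT_ADMINS else "cannot") + " be locked out",
    ]

def assess(policy):
    """The findings a tester acts on once the policy is in hand."""
    props = policy["password_properties"]
    findings = []
    if policy["min_password_length"] == 0:
        findings.append("blank passwords permitted")
    if not props & DOMAIN_PASSWORD_COMPLEX:
        findings.append("no complexity requirement")
    if policy["password_history_length"] == 0:
        findings.append("passwords may be reused immediately")
    if policy["lockout_threshold"] == 0:
        findings.append("no lockout: online password guessing is unthrottled")
    if not props & DOMAIN_LOCKOUT_ADMINS:
        findings.append("Administrator exempt from lockout")
    if props & DOMAIN_PASSWORD_STORE_CLEARTEXT:
        findings.append("passwords stored with reversible encryption")
    if policy["max_password_age"] is None:
        findings.append("passwords never expire")
    return findings

# Constructed sample reproducing the 2KSP0 values: 42-day max age,
# 30-minute lockout duration and window, every other field zero.
DAY = 86400 * TICKS_PER_SECOND
MINUTE = 60 * TICKS_PER_SECOND
SAMPLE_PASSWORD_INFO = struct.pack("<HHIqq", 0, 0, 0, -42 * DAY, 0)
SAMPLE_LOCKOUT_INFO = struct.pack("<qqH", -30 * MINUTE, -30 * MINUTE, 0)

def decode_sample():
    policy = parse_password_info(SAMPLE_PASSWORD_INFO)
    policy.update(parse_lockout_info(SAMPLE_LOCKOUT_INFO))
    return policy

if __name__ == "__main__":
    sample = decode_sample()
    print("\n".join("|_ " + line for line in describe(sample)))
    print("\n".join("FINDING: " + f for f in assess(sample)))
```

Run it and the describe() lines match the tail of the post's output; assess() then states plainly why that host is a soft target: a zero lockout threshold means the user list the other scripts just enumerated can be password-guessed without tripping anything.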
Current thread:
- [NSE RFC] MS RPC libraries Ron (Sep 27)
- Re: [NSE RFC] MS RPC libraries David Fifield (Sep 30)
- Re: [NSE RFC] MS RPC libraries Ron (Sep 30)
- Re: [NSE RFC] MS RPC libraries David Fifield (Sep 30)