Nmap Development mailing list archives

[NSE RFC] MS RPC libraries


From: Ron <ron () skullsecurity net>
Date: Sat, 27 Sep 2008 16:00:31 -0500

Hey all,

I've put a significant amount of work into my Nmap scripts, and I
finally have a new version to show for it. I added a whole bunch of
functionality for making RPC calls against Windows. Currently, it only
works against Windows 2000 (since only Windows 2000 allows NULL
sessions), but the next thing I'm going to work on is authentication.

Here is an example of scanning a Windows 2000 box with all the msrpc
plugins (some of it is repetitive, because some functions grab the data
in different ways):

--
$ ./nmap --script=smb-msrpc-bruteusers.nse,smb-msrpc-enumdomains.nse,smb-msrpc-enumshares.nse,smb-msrpc-enumusers.nse 192.168.2.18

Starting Nmap 4.76 ( http://nmap.org ) at 2008-09-27 15:56 CDT
Interesting ports on 192.168.2.18:
Not shown: 996 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS

Host script results:
|_ MSRPC: NetShareEnumAll(): IPC$, ADMIN$, C$
|  MSRPC: List of user accounts:
|  Domain: 2KSP0
|  SID: S-1-5-21-602162358-1500820517-839522115
|  Users: Administrator, Guest
|_ Users: Ron
|  MSRPC: List of user accounts:
|_ Domain '2KSP0': Administrator, Guest, Ron
|  MSRPC: List of domains:
|  Domain: 2KSP0
|   |_ SID: S-1-5-21-602162358-1500820517-839522115
|   |_ Users: Administrator, Guest, Ron
|   |_ Creation time: 2008-07-29 13:30:38
|   |_ Min password length: 0 characters
|   |_ Max password age: 42 days
|   |_ Min password age: 0 days
|   |_ Password history length: 0 passwords
|   |_ Lockout threshold: 0 login attempts
|   |_ Lockout duration: 30 minutes
|   |_ Lockout window: 30 minutes
|   |_ Password properties:
|     |_  Password complexity requirements do not exist
|_    |_  Administrator account cannot be locked out
--

I've tested this against every Windows OS since 2000, and it "works"
against all of them (that is, it either runs or fails cleanly).

So, any questions or comments would be good, so I can fix them and
resume working on it. :)

Thanks!
Ron

PS: Here's hoping that .tgzs can be posted to the mailing list. :)

Attachment: nmap-smb.tgz

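A defender-side consumer for the "Host script results" block in Ron's example output, added here as an illustration and not part of the nmap-smb.tgz scripts themselves. It strips the NSE tree prefixes, collects each domain's SID, users and password-policy values into a record, and flags the settings a hardening review would raise (the sample input is reconstructed from the output quoted in this post; the field names, the 8-character minimum-length threshold and the finding wording are my assumptions, not anything the scripts define).

```python
import re
from typing import Dict, List

# Constructed sample: the Host script results block from the post above,
# reproduced verbatim so the parser can be run offline.
SAMPLE_OUTPUT = """\
Host script results:
|_ MSRPC: NetShareEnumAll(): IPC$, ADMIN$, C$
|  MSRPC: List of user accounts:
|  Domain: 2KSP0
|  SID: S-1-5-21-602162358-1500820517-839522115
|  Users: Administrator, Guest
|_ Users: Ron
|  MSRPC: List of user accounts:
|_ Domain '2KSP0': Administrator, Guest, Ron
|  MSRPC: List of domains:
|  Domain: 2KSP0
|   |_ SID: S-1-5-21-602162358-1500820517-839522115
|   |_ Users: Administrator, Guest, Ron
|   |_ Creation time: 2008-07-29 13:30:38
|   |_ Min password length: 0 characters
|   |_ Max password age: 42 days
|   |_ Min password age: 0 days
|   |_ Password history length: 0 passwords
|   |_ Lockout threshold: 0 login attempts
|   |_ Lockout duration: 30 minutes
|   |_ Lockout window: 30 minutes
|   |_ Password properties:
|     |_  Password complexity requirements do not exist
|_    |_  Administrator account cannot be locked out
"""

# Map of the script's label text to the (assumed) record field that holds it.
NUMERIC_FIELDS = {
    "Min password length": "min_password_length",
    "Max password age": "max_password_age_days",
    "Min password age": "min_password_age_days",
    "Password history length": "password_history_length",
    "Lockout threshold": "lockout_threshold",
    "Lockout duration": "lockout_duration_minutes",
    "Lockout window": "lockout_window_minutes",
}


def parse_domains(output: str) -> Dict[str, dict]:
    """Turn the NSE tree output into one record per domain name.

    Several sections repeat the same domain, so records are merged by name
    rather than overwritten; user lists are de-duplicated across sections.
    """
    domains: Dict[str, dict] = {}
    current = None
    for raw in output.splitlines():
        text = raw.lstrip("|_ ").rstrip()  # drop the "|   |_ " tree prefix
        if not text:
            continue
        if text.startswith("Domain: "):
            name = text[len("Domain: "):].strip()
            current = domains.setdefault(
                name, {"name": name, "users": [], "properties": []})
            continue
        if current is None:
            continue  # lines before the first "Domain:" (share list etc.)
        if ":" in text:
            key, value = (part.strip() for part in text.split(":", 1))
            if key in NUMERIC_FIELDS:
                match = re.match(r"\d+", value)
                if match:
                    current[NUMERIC_FIELDS[key]] = int(match.group())
            elif key == "SID":
                current["sid"] = value
            elif key == "Creation time":
                current["creation_time"] = value
            elif key == "Users":
                for user in (u.strip() for u in value.split(",")):
                    if user and user not in current["users"]:
                        current["users"].append(user)
            # other "key: value" lines (section headers) carry no policy data
        else:
            # Bare lines under "Password properties:" are flag descriptions.
            current["properties"].append(text)
    return domains


def assess_policy(domain: dict) -> List[str]:
    """Return human-readable findings for weak account-policy settings."""
    findings = []
    min_len = domain.get("min_password_length")
    if min_len is not None and min_len < 8:  # 8 is an assumed baseline
        findings.append(f"minimum password length is {min_len} (below 8)")
    if domain.get("lockout_threshold") == 0:
        findings.append("account lockout is disabled (threshold 0)")
    if domain.get("password_history_length") == 0:
        findings.append("no password history kept, so old passwords can be reused")
    if domain.get("max_password_age_days") == 0:
        findings.append("passwords never expire")
    for prop in domain["properties"]:
        if "complexity requirements do not exist" in prop:
            findings.append("password complexity is not enforced")
        if "cannot be locked out" in prop:
            findings.append("built-in Administrator account is exempt from lockout")
    return findings


if __name__ == "__main__":
    for name, record in parse_domains(SAMPLE_OUTPUT).items():
        print(f"{name} ({record.get('sid')}), users: {', '.join(record['users'])}")
        for finding in assess_policy(record):
            print(f"  - {finding}")
```

Running it over the sample prints the 2KSP0 domain with five findings: the 0-character minimum, lockout disabled, no history, no complexity requirement and the Administrator lockout exemption; the 42-day maximum age is the one setting that passes. The merge-by-name step matters because the enumusers and enumdomains scripts both print a "Domain:" line for the same domain, as Ron notes.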
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org