Re: Getting system time from SMB (445 or 139)

[Brandon Enright <bmenrigh () ucsd edu>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 22 Aug 2008 21:06:07 -0500 or thereabouts Ron
<ron () skullsecurity net> wrote:

> Hey guys,
>
> Has anybody written something to pull information from the reply to
> the initial SMB packet (raw or over NetBIOS) (NEGOTIATE PROTOCOL
> RESPONSE)?
>
> Some things it contains:
> - System's time
> - System's timezone offset
> - Highest SMB version supported
> - Security mode (which type of login it supports)
>
> I think the most useful would be the system's time/timezone offset,
> it's a high resolution timer (1/10 microseconds since 1601).
>
> It's pretty simple to ask the server for that stuff, it's a single
> static packet on TCP/445 (or two on TCP/139).
>
> If nobody's written it yet, I'm willing to take the initiative. If I
> do that, can somebody tell me how it would best be done (I'm guessing
> a nse script, but should I create one from scratch or glue this onto
> another?)
>
> Thanks!
> Ron Bowes

Hi Ron,

You should probably take a look at
"netbios-smb-os-discovery.nse" and "nbstat.nse" for an idea of how to
start.

Alternatively, if send me a packet capture (pcap please) for the query
on 445 and the queries on 139 I'd be willing to hack the script
together.

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkivgCAACgkQqaGPzAsl94KzhwCfdIbswMxaMg66XjSOXfK2W30r
+YIAniBSWCPeXUWsPY9CHoWKcmPdddZA
=fP/Y
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org