Nmap Development mailing list archives

Re: Getting system time from SMB (445 or 139)


From: Ron <ron () skullsecurity net>
Date: Fri, 22 Aug 2008 22:31:09 -0500

Brandon Enright wrote:
On Fri, 22 Aug 2008 22:17:04 -0500 or thereabouts Ron
Well, don't take the "packet construction" in those scripts as Gospel.
They should be using pack/unpack, but that wasn't available until
recently.

It sure would be nice to have SMB/NetBIOS fields documented somewhere
too.  I always have to turn to the Wireshark dissector. Between
pack/unpack and the new NSE doc system you could probably make your
script a real good resource for others.  I still have to go back and
doc a few scripts and convert them to pack/unpack.

Brandon


This is the document I've been working from, besides Wireshark dissectors:
http://www.ubiqx.org/cifs/SMB.html

It's actually a fantastic book!

I'm currently working on a lot of SMB stuff in C, mostly for my own
education, and my ultimate goal is to write an SMB proxy for pen-testing.
But anything I pick up along the way that could apply to nmap I'll
definitely contribute.

My ultimate goal (from the nmap side) would be the ability to log in
(given (guessing?) a username/pass or an anonymous account) and probe
for interesting information (enumerating users would be cool, for example).

But my current goal is to see what Lua looks like, and get the timestamp
back if I manage to retain my sanity. :)

I just did a quick packet dump from netbios-smb-os-discovery.nse, and it
looks like all the packets necessary to get the system time are being
sent, so it seems to me that life will be easy.

Ron

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
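The system time the thread is after is carried in the SMB_COM_NEGOTIATE response for the NT LM 0.12 dialect: a 64-bit FILETIME SystemTime followed by a signed 16-bit ServerTimeZone. Below is an added Python example (not code from this thread, from netbios-smb-os-discovery.nse or from Nmap) that decodes those two fields with struct as the stand-in for NSE's pack/unpack; the field layout follows the SMB protocol, and the response bytes it parses are constructed here, not captured.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_DELTA_100NS = 116444736000000000  # 1601-01-01 -> 1970-01-01, in 100 ns ticks
SMB_HEADER_LEN = 32            # fixed SMB1 header
SMB_COM_NEGOTIATE = 0x72
NT_LM_012_WORDCOUNT = 17       # NT LM 0.12 negotiate response: 17 parameter words
# Little-endian parameter words: DialectIndex, SecurityMode, MaxMpxCount,
# MaxNumberVcs, MaxBufferSize, MaxRawSize, SessionKey, Capabilities,
# SystemTime (FILETIME), ServerTimeZone (signed minutes), ChallengeLength
NEGOTIATE_PARAMS = "<HBHHIIIIQhB"

def filetime_to_unix(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> Unix seconds."""
    return (ft - EPOCH_DELTA_100NS) // 10_000_000

def unix_to_filetime(secs):
    return secs * 10_000_000 + EPOCH_DELTA_100NS

def parse_negotiate_response(data):
    """Return (utc_secs, tz_bias_minutes, local_datetime) or raise ValueError."""
    if len(data) < SMB_HEADER_LEN + 1 or data[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    if data[4] != SMB_COM_NEGOTIATE:
        raise ValueError("not a negotiate response")
    word_count = data[SMB_HEADER_LEN]
    if word_count != NT_LM_012_WORDCOUNT:
        # Core/LANMAN dialects use a different, shorter parameter block.
        raise ValueError("unsupported dialect, WordCount=%d" % word_count)
    size = struct.calcsize(NEGOTIATE_PARAMS)  # 34 bytes
    params = data[SMB_HEADER_LEN + 1:SMB_HEADER_LEN + 1 + size]
    if len(params) != size:
        raise ValueError("truncated negotiate parameters")
    fields = struct.unpack(NEGOTIATE_PARAMS, params)
    utc_secs, tz_bias = filetime_to_unix(fields[8]), fields[9]
    # Windows Bias convention: UTC = local + bias, so local = UTC - bias.
    local = datetime.fromtimestamp(utc_secs, timezone(timedelta(minutes=-tz_bias)))
    return utc_secs, tz_bias, local

def build_sample_response(unix_secs, tz_bias):
    """Constructed sample response (header with zeroed fields + parameters)."""
    header = b"\xffSMB" + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 27
    params = struct.pack(NEGOTIATE_PARAMS, 0, 0x03, 50, 1, 16644, 65536, 0,
                         0x8000E3FD, unix_to_filetime(unix_secs), tz_bias, 8)
    return header + bytes([NT_LM_012_WORDCOUNT]) + params + struct.pack("<H", 0)

if __name__ == "__main__":
    # Server clock 2008-08-22 22:31:09 in UTC-5 (bias +300 minutes), constructed.
    secs, bias, local = parse_negotiate_response(build_sample_response(1219462269, 300))
    print(secs, bias, local.isoformat())
```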
