Nmap Development mailing list archives

Re: [NSE patch]


From: Ron <ron () skullsecurity net>
Date: Mon, 25 Aug 2008 22:50:14 -0500

Fyodor wrote:
> On Mon, Aug 25, 2008 at 05:35:51PM -0500, Ron wrote:
> One problem is that when I use this in combination with version
> detection, the NSE script fails to get results:
>
> ./nmap -sV --script scripts/netbios-smb-os-discovery.nse 192.168.0.4
> [...]
> PORT    STATE SERVICE      VERSION
> 135/tcp open  msrpc        Microsoft Windows RPC
> 139/tcp open  netbios-ssn
> 445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
> MAC Address: 00:0C:29:FA:6E:BD (VMware)
> Service Info: OS: Windows
>
> Host script results:
> |  Discover OS Version over NetBIOS and SMB: OS version cannot be determined.
> |_ Never received a response to SMB Setup AndX Request
> |  Discover OS Version over NetBIOS and SMB: Windows XP
> |_ Discover system time over SMB: 2008-08-25 19:56:53 UTC-7
>
> I found that this problem occurs with the previous version too, so it
> isn't caused by your changes.
I noticed that as well, I'll take a look at it.

> I'm a little surprised that (when working) it doesn't provide the
> machine's SMB computer name and workgroup.  Should it?
It certainly can, although it gets a little complicated. Let me try to
explain it.

Port TCP/445 = SMB Raw, which can be used to dump the OS version, time, etc.
Port TCP/139 = SMB over NetBIOS, which can do the same thing as NetBIOS
raw, _except_ it requires the computer's name to do it
Port UDP/137 = NetBIOS Name service, which can provide the name.

So right now, my logic is:
If tcp/445 is open, query it directly.
Else, if tcp/139 is open, grab the name from udp/137 and use that

The name request is just a little UDP packet, it can be sent pretty
easily from anywhere. But, the question is, where *should* it be sent from?

My thought is making an NSE library for NetBIOS that can include
functions like grabbing the NetBIOS name/workgroup. Other things it
could do are establish a NetBIOS session, send NetBIOS datagram messages,
and send other NetBIOS queries to try and provoke a response (trying to
register somebody else's name is a great way to see if they're paying
attention). I think I can make that nice, and clean up some of the smb
code with it.

Think that'd be something useful to write? I'm up for doing it if it's
going to be used.



> My only change is that I removed the verbosity conditional for system
> time.  I think that information is useful enough to print in any case.
> And it's only one line.
Sure!

> I'm a little surprised that it didn't provide the NetBIOS name and
> workgroup, but maybe there is a good reason for that.
I guess the reason is that the NetBIOS name and workgroup come from a
different port (udp/137 instead of tcp/139 or tcp/445). That makes me
think it should be in a separate NetBIOS script rather than an SMB script.

If you think that makes enough sense to work, just say so and I'll make
it work nice. :)


> Thanks for making the improvements!
>
> Cheers,
> -F

No problem!
Ron
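The two NetBIOS pieces Ron describes above, the "little UDP packet" name query on udp/137 and the session request that tcp/139 needs the recovered name for, as an added Python example. This is not code from the thread and not Nmap's NSE library; it follows the packet layouts in RFC 1001/1002. The reply it parses is a constructed sample, not a capture: the names TESTBOX and WORKGROUP, the calling name "NMAP" and the transaction ID are arbitrary, and the MAC is reused from the scan output quoted earlier. `query_node_status` sends a real packet and is not exercised by the sample.

```python
import socket
import struct

NBSTAT = 0x0021       # NetBIOS node status query type (RFC 1002 section 4.2.17)
GROUP_FLAG = 0x8000   # set in a name entry's flags when the name is a group (workgroup/domain) name
SUFFIX_WORKSTATION = 0x00   # <name><00>: computer name (unique) or workgroup name (group)
SUFFIX_FILE_SERVER = 0x20   # <name><20>: the "called name" a tcp/139 session request must carry


def encode_netbios_name(name, suffix=SUFFIX_WORKSTATION, pad=b" "):
    """RFC 1001 first-level encoding: 15 padded name bytes plus a suffix byte,
    each nibble spelled as a letter 'A'..'P', giving 32 ASCII characters."""
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    return bytes(c for b in raw for c in (ord("A") + (b >> 4), ord("A") + (b & 0x0F)))


def build_node_status_request(txid=0x1234):
    """The UDP packet sent to udp/137: one NBSTAT question for the wildcard
    name '*' (NUL padded, not space padded, per RFC 1002 section 4.2.17)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # flags 0: plain unicast query
    qname = b"\x20" + encode_netbios_name("*", 0x00, pad=b"\x00") + b"\x00"
    return header + qname + struct.pack("!HH", NBSTAT, 0x0001)   # class IN


def parse_node_status_response(data, txid=None):
    """Pull the computer name, workgroup and MAC out of a node status reply."""
    if len(data) < 12:
        raise ValueError("short header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid is not None and rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a node status response")
    off = 12
    off += 1 + data[off] + 1                  # answer name: length, encoded name, terminator
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
    off += 10
    if rtype != NBSTAT:
        raise ValueError("unexpected RR type 0x%04x" % rtype)
    rdata = data[off:off + rdlen]
    if len(rdata) != rdlen:
        raise ValueError("truncated RDATA")
    names, p = [], 1
    for _ in range(rdata[0]):                 # NUM_NAMES entries of 18 bytes each
        entry = rdata[p:p + 18]
        if len(entry) < 18:
            raise ValueError("truncated name table")
        nflags = struct.unpack("!H", entry[16:18])[0]
        names.append((entry[:15].rstrip(b" ").decode("ascii", "replace"),
                      entry[15], bool(nflags & GROUP_FLAG)))
        p += 18
    mac = rdata[p:p + 6]                      # first 6 bytes of the statistics block
    return {
        "computer": next((n for n, s, g in names if s == SUFFIX_WORKSTATION and not g), None),
        "workgroup": next((n for n, s, g in names if s == SUFFIX_WORKSTATION and g), None),
        "mac": ":".join("%02x" % b for b in mac) if len(mac) == 6 else None,
        "names": names,
    }


def build_session_request(called, calling="NMAP"):
    """NetBIOS session request (RFC 1002 section 4.3.2) that opens a tcp/139 connection
    before any SMB: type 0x81, 1 flags byte + 2 length bytes, called name, calling name."""
    body = (b"\x20" + encode_netbios_name(called, SUFFIX_FILE_SERVER) + b"\x00"
            + b"\x20" + encode_netbios_name(calling, SUFFIX_WORKSTATION) + b"\x00")
    return b"\x81" + struct.pack("!I", len(body))[1:] + body


def query_node_status(host, timeout=2.0):
    """Live query against a host (not exercised by the constructed sample below)."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(txid), (host, 137))
        data, _ = s.recvfrom(1024)
    return parse_node_status_response(data, txid)


def sample_node_status_response(txid=0x1234):
    """Constructed reply (not a capture) in the layout a Windows host returns, with
    hypothetical names TESTBOX / WORKGROUP and the VMware MAC from the scan output."""
    table = b"".join(
        nm.encode().ljust(15, b" ") + bytes([sfx]) + struct.pack("!H", (GROUP_FLAG if grp else 0) | 0x0400)
        for nm, sfx, grp in [("TESTBOX", 0x00, False), ("TESTBOX", 0x20, False),
                             ("WORKGROUP", 0x00, True), ("WORKGROUP", 0x1E, True)])
    rdata = bytes([4]) + table + bytes.fromhex("000c29fa6ebd") + b"\x00" * 40
    header = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    rr = (b"\x20" + encode_netbios_name("*", 0x00, pad=b"\x00") + b"\x00"
          + struct.pack("!HHIH", NBSTAT, 0x0001, 0, len(rdata)))
    return header + rr + rdata


if __name__ == "__main__":
    info = parse_node_status_response(sample_node_status_response(), 0x1234)
    print(info["computer"], info["workgroup"], info["mac"])
    # The recovered name is what the "else if tcp/139" branch needs for its session request.
    print(build_session_request(info["computer"]).hex())
```

The decision order in the thread falls out of this directly: on tcp/445 the SMB exchange can start without any NetBIOS name, while on tcp/139 the session request above must carry the target's own name with the 0x20 suffix, which is why the udp/137 node status query has to run first.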

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

