Nmap Development mailing list archives
Re: [NSE patch]
From: Ron <ron () skullsecurity net>
Date: Mon, 25 Aug 2008 22:50:14 -0500
Fyodor wrote:
> On Mon, Aug 25, 2008 at 05:35:51PM -0500, Ron wrote:
> One problem is that when I use this in combination with version detection, the NSE script fails to get results:
>
>   ./nmap -sV --script scripts/netbios-smb-os-discovery.nse 192.168.0.4
>   [...]
>   PORT    STATE SERVICE      VERSION
>   135/tcp open  msrpc        Microsoft Windows RPC
>   139/tcp open  netbios-ssn
>   445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
>   MAC Address: 00:0C:29:FA:6E:BD (VMware)
>   Service Info: OS: Windows
>
>   Host script results:
>   |  Discover OS Version over NetBIOS and SMB: OS version cannot be determined.
>   |_ Never received a response to SMB Setup AndX Request
>   |  Discover OS Version over NetBIOS and SMB: Windows XP
>   |_ Discover system time over SMB: 2008-08-25 19:56:53 UTC-7
>
> I found that this problem occurs with the previous version too, so it isn't caused by your changes.
I noticed that as well, I'll take a look at it.
> I'm a little surprised that (when working) it doesn't provide the machine's SMB computer name and workgroup. Should it?
It certainly can, although it gets a little complicated. Let me try to explain it.

Port TCP/445 = SMB Raw, which can be used to dump the OS version, time, etc.
Port TCP/139 = SMB over NetBIOS, which can do the same thing as NetBIOS raw, _except_ it requires the computer's name to do it.
Port UDP/137 = NetBIOS Name service, which can provide the name.

So right now, my logic is:
If tcp/445 is open, query it directly.
Else, if tcp/139 is open, grab the name from udp/137 and use that.

The name request is just a little UDP packet; it can be sent pretty easily from anywhere. But, the question is, where *should* it be sent from?

My thought is making an nse library for NetBIOS that can include functions like grabbing the NetBIOS name/workgroup. Other things it could do are establish a NetBIOS session, send NetBIOS datagram messages, and send other NetBIOS queries to try and provoke a response (trying to register somebody else's name is a great way to see if they're paying attention). I think I can make that nice, and clean up some of the smb code with it. Think that'd be something useful to write? I'm up for doing it if it's going to be used.
> My only change is that I removed the verbosity conditional for system time. I think that information is useful enough to print in any case. And it's only one line.
Sure!
> I'm a little surprised that it didn't provide the NetBIOS name and workgroup, but maybe there is a good reason for that.
I guess the reason is that the NetBIOS name and workgroup come from a different port (udp/137 instead of tcp/139 or tcp/445). That makes me think it should be in a separate NetBIOS script rather than an SMB script. If you think that makes enough sense to work, just say so and I'll make it work nice. :)
> Thanks for making the improvements!
>
> Cheers,
> -F
No problem!

Ron
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
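As an added example (not part of Ron's patch or of Nmap's own NSE code, and written in Python rather than NSE Lua so it runs stand-alone), here is the port-selection rule Ron describes together with the udp/137 exchange it depends on: building the RFC 1002 node-status (NBSTAT) request for the wildcard name `*` and parsing the response to extract the computer name and workgroup that the tcp/139 path needs. All function names are hypothetical, and the sample response bytes are constructed for the example; the MAC in the sample reuses the one shown in the quoted scan output.

```python
import struct

# Port-selection logic from the message: SMB raw on tcp/445 needs no name;
# SMB over NetBIOS on tcp/139 needs the target's NetBIOS name, which the
# Name Service on udp/137 can supply.  (Hypothetical helper, not NSE code.)
def choose_discovery_path(open_tcp_ports):
    """Return (transport, smb_port, name_service_port), or None if no SMB port is open."""
    if 445 in open_tcp_ports:
        return ("smb-raw", 445, None)
    if 139 in open_tcp_ports:
        return ("smb-over-netbios", 139, 137)
    return None


def encode_netbios_name(name, suffix=0x00, pad=b" "):
    """RFC 1001 first-level encoding: 15-byte name + 1-byte suffix -> 32 ASCII letters (A-P)."""
    raw = name.encode("ascii").ljust(15, pad)[:15] + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))      # high nibble -> 'A'..'P'
        out.append(0x41 + (b & 0x0F))    # low nibble  -> 'A'..'P'
    return bytes(out)


def build_node_status_request(txn_id):
    """RFC 1002 NODE STATUS REQUEST: one question for '*' with QTYPE=NBSTAT (0x21), QCLASS=IN."""
    header = struct.pack(">HHHHHH", txn_id, 0x0000, 1, 0, 0, 0)  # id, flags, QD, AN, NS, AR
    qname = b"\x20" + encode_netbios_name("*", pad=b"\x00") + b"\x00"  # 32-byte label + root
    return header + qname + struct.pack(">HH", 0x0021, 0x0001)


def _skip_name(pkt, off):
    """Skip a label sequence (or a 2-byte compression pointer); return the new offset."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_node_status_response(pkt):
    """Parse a NODE STATUS RESPONSE; return computer name, workgroup, MAC and the raw name table."""
    txn_id, flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", pkt, 0)
    if not flags & 0x8000:
        raise ValueError("not a response packet")
    off = 12
    for _ in range(qd):                      # questions are normally absent in NBSTAT replies
        off = _skip_name(pkt, off) + 4
    if an < 1:
        raise ValueError("no answer record")
    off = _skip_name(pkt, off)
    rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", pkt, off)
    off += 10
    if rtype != 0x0021:
        raise ValueError("answer is not an NBSTAT record")
    rdata = pkt[off:off + rdlen]
    if len(rdata) < rdlen:
        raise ValueError("truncated RDATA")
    num_names, pos, names = rdata[0], 1, []
    for _ in range(num_names):               # each NODE_NAME entry is 15 + 1 + 2 bytes
        entry = rdata[pos:pos + 18]
        if len(entry) < 18:
            raise ValueError("truncated name entry")
        names.append({
            "name": entry[:15].rstrip(b" \x00").decode("ascii", "replace"),
            "suffix": entry[15],
            "group": bool(struct.unpack(">H", entry[16:18])[0] & 0x8000),  # G bit
        })
        pos += 18
    mac = rdata[pos:pos + 6]                 # STATISTICS starts with the 6-byte unit id
    computer = next((n["name"] for n in names if n["suffix"] == 0x00 and not n["group"]), None)
    workgroup = next((n["name"] for n in names if n["suffix"] == 0x00 and n["group"]), None)
    return {"txn_id": txn_id, "computer_name": computer, "workgroup": workgroup,
            "mac": ":".join(f"{b:02x}" for b in mac) if len(mac) == 6 else None,
            "names": names}


def _sample_node_status_response():
    """Constructed NBSTAT reply from a host named LABVM in WORKGROUP (not a real capture)."""
    entries = [(b"LABVM", 0x00, 0x0400), (b"LABVM", 0x20, 0x0400),
               (b"WORKGROUP", 0x00, 0x8400), (b"WORKGROUP", 0x1E, 0x8400)]
    rdata = bytes([len(entries)])
    for name, suffix, nflags in entries:
        rdata += name.ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += bytes.fromhex("000c29fa6ebd") + bytes(40)   # unit id (MAC) + zero-filled statistics
    header = struct.pack(">HHHHHH", 0x1234, 0x8400, 0, 1, 0, 0)
    rr_name = b"\x20" + encode_netbios_name("*", pad=b"\x00") + b"\x00"
    return header + rr_name + struct.pack(">HHIH", 0x0021, 0x0001, 0, len(rdata)) + rdata


SAMPLE_RESPONSE = _sample_node_status_response()

if __name__ == "__main__":
    print(choose_discovery_path({135, 139}))
    print(build_node_status_request(0x1234).hex())
    print(parse_node_status_response(SAMPLE_RESPONSE))
```

The parser deliberately selects the name by suffix and group bit rather than by position: the `<00>` unique entry is the computer name and the `<00>` group entry is the workgroup, while the order of entries in real replies varies between Windows versions and Samba.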
Current thread:
- [NSE patch] Ron (Aug 25)
- Re: [NSE patch] Fyodor (Aug 25)
- Re: [NSE patch] Ron (Aug 25)
- Re: [NSE patch] Fyodor (Aug 26)
- Re: [NSE patch] Ron (Aug 26)
- Re: [NSE patch] Ron (Aug 25)
- Re: [NSE patch] jah (Aug 26)
- Re: [NSE patch] David Fifield (Sep 14)
- Re: [NSE patch] Ron (Sep 15)
- Re: [NSE patch] Fyodor (Aug 25)