Nmap Development mailing list archives

RE: SMB probe script


From: mike <dmciscobgp () hotmail com>
Date: Mon, 8 Sep 2008 21:24:04 +0000


hello
 
Ron, I looked into that script a bit more. I noticed that you are using a generic "nmap" for the OS identifier in the 
packet payload. Is this wise? Wouldn't that set off many an application/inspection tool people are using for payload/OS 
fingerprinting? Why not set it to a simple "Windows 2k" or something that could actually be seen as legit? Maybe this 
isn't a big deal to everyone, so I will just mention it and move on.
 
I also noticed the same thing I mentioned above when you call for the generic "Native LANman". Is that even recognized 
as legit by the SMB server? I guess if it works, it works.
I was wondering about 2 things I would hope you could include, since you have already gone so far into the kind of 
detail this SMB script already gives us:
 
Would there be a way to dump the received hashes back to stdout (for cracking later)?
I believe it is based on the SPNEGO that is used, correct?
 
Lastly, I was watching the SMB tree requests and transactions in tshark and I saw a lot of times when you were setting 
HOME and TEST as queries, my target would send me back "NT_STATUS_UNRECOGNIZED_NAME" failures. Can I ask what the TEST 
and HOME references are for? Is that for IPC logins? I always thought if you got back STATUS_FAILURES, then you would 
have the TID you created pulled and you would be disconnected. Again, maybe you know a lot more about this than I do. 
Still interested in that patch addon for the stdout for LAN manager version.
 
*Do you ever think you will tackle the issues I brought up with trying to get payload established to port 138? Did you 
read what I submitted about what could possibly be done? (forcing issued MASTERBROWSER announcements for response)
 
thank you
m|ke

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
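A defender-side check for the detail raised in the mail above (the Native OS / Native LanMan strings a client advertises in an SMB1 Session Setup AndX request), as an added example that is not from this thread or from Nmap's script: it builds a constructed request, parses the two strings back out and flags a scanner marker. The SPNEGO blob bytes, the capability values and the "nmap" marker list are assumptions.

```python
import struct

SMB_COM_SESSION_SETUP_ANDX = 0x73   # SMB1 command byte for Session Setup AndX
FLAGS2_UNICODE = 0x8000             # Flags2 bit: string fields are UTF-16LE
SCANNER_MARKERS = ("nmap",)         # assumed: advertised strings worth alerting on

def build_session_setup(native_os, native_lanman, unicode=True):
    """Constructed SMB1 Session Setup AndX request (extended-security form,
    WordCount 12) carrying the given strings. SMB message only, no NetBIOS header."""
    flags2 = FLAGS2_UNICODE if unicode else 0
    header = b"\xffSMB" + struct.pack("<BIBHH8sHHHHH", SMB_COM_SESSION_SETUP_ANDX,
                                      0, 0x18, flags2, 0, bytes(8), 0, 0, 0, 0, 0)
    blob = b"\x60\x06\x06\x04\x2b\x06\x01\x05"  # constructed stand-in for the SPNEGO token
    # AndXCommand(none) AndXReserved AndXOffset MaxBufferSize MaxMpxCount VcNumber
    # SessionKey SecurityBlobLength Reserved Capabilities (values assumed)
    words = struct.pack("<BBHHHHIHII", 0xFF, 0, 0, 4356, 50, 0, 0, len(blob), 0, 0x80000054)
    data = blob
    if unicode and (32 + 1 + len(words) + 2 + len(data)) % 2:
        data += b"\x00"                          # pad so UTF-16 strings start 2-byte aligned
    for s in (native_os, native_lanman):
        data += s.encode("utf-16-le") + b"\x00\x00" if unicode else s.encode("latin-1") + b"\x00"
    return header + bytes([12]) + words + struct.pack("<H", len(data)) + data

def _cstring(msg, pos, unicode):
    """Read a NUL-terminated string at pos; return (text, position after terminator)."""
    if unicode:
        end = pos
        while end + 1 < len(msg) and msg[end:end + 2] != b"\x00\x00":
            end += 2
        return msg[pos:end].decode("utf-16-le", "replace"), end + 2
    end = msg.find(b"\x00", pos)
    end = len(msg) if end < 0 else end
    return msg[pos:end].decode("latin-1"), end + 1

def parse_native_strings(msg):
    """(native_os, native_lanman) from a Session Setup AndX request, else None."""
    if len(msg) < 59 or msg[:4] != b"\xffSMB" or msg[4] != SMB_COM_SESSION_SETUP_ANDX:
        return None
    if msg[32] != 12:                            # WordCount of the extended-security form
        return None
    unicode = bool(struct.unpack_from("<H", msg, 10)[0] & FLAGS2_UNICODE)
    blob_len = struct.unpack_from("<H", msg, 33 + 14)[0]   # SecurityBlobLength word
    pos = 59 + blob_len                          # header(32)+wc(1)+words(24)+bc(2)+blob
    if unicode and pos % 2:
        pos += 1                                 # skip alignment pad before UTF-16 strings
    if pos >= len(msg):
        return None
    native_os, pos = _cstring(msg, pos, unicode)
    native_lanman, _ = _cstring(msg, pos, unicode)
    return native_os, native_lanman

def looks_like_scanner(msg):
    """True when either advertised string contains a known scanner marker."""
    found = parse_native_strings(msg)
    return found is not None and any(m in s.lower() for s in found for m in SCANNER_MARKERS)
```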

