Nmap Development mailing list archives

Re: [NSE] SMB authentication patch


From: David Fifield <david () bamsoftware com>
Date: Mon, 13 Oct 2008 23:10:17 -0600

On Mon, Oct 13, 2008 at 10:30:14PM -0500, Ron wrote:
> Looking at the logs, it seems that you're automatically being logged in
> as "GUEST". Normally that happens if your username wasn't found, which
> is strange. Is there anything weird about your user accounts, or are you
> part of a domain, or something like that?

Gosh, I don't know. I haven't set anything up specially so it should all
be whatever the default is.

Under "Microsoft Windows Network" I see "Mshome" and inside that is
"Mac-mini" (the name of the computer). The "Computer Name" tab in the
"System" control panel item says "Workgroup: MSHOME". If I click the
option to change to computer name there are two radio buttons: "Domain"
(unselected), and "Workgroup" (selected, filled in with "MSHOME").

> Can you try adding a smbdomain argument, and try setting it to "MSHOME"
> or "MAC-MINI"? (those are the two domains I've seen in your packet
> caps), and running smb-enumusers.nse? If you're logged in properly, it
> should display more information about the accounts (descriptions, full
> names, etc).

./nmap --datadir=. --script=smb-enumusers 192.168.0.190 -F -d
Host script results:
|  MSRPC: List of user accounts:
|  Enum via LSA error: NT_STATUS_ACCESS_DENIED
|  Enum via SAMR error: NT_STATUS_ACCESS_DENIED
|_ Sorry, couldn't find any account names anonymously!

./nmap --datadir=. --script=smb-enumusers 192.168.0.190 -F -d --script-args smbdomain=MSHOME
Host script results:
|  MSRPC: List of user accounts:
|  Enum via LSA error: NT_STATUS_ACCESS_DENIED
|  Enum via SAMR error: NT_STATUS_ACCESS_DENIED
|_ Sorry, couldn't find any account names anonymously!

./nmap --datadir=. --script=smb-enumusers 192.168.0.190 -F -d --script-args smbdomain=MAC-MINI
Host script results:
|  MSRPC: List of user accounts:
|  Enum via LSA error: NT_STATUS_ACCESS_DENIED
|  Enum via SAMR error: NT_STATUS_ACCESS_DENIED
|_ Sorry, couldn't find any account names anonymously!

./nmap --datadir=. --script=smb-enumusers 192.168.0.190 -F -d --script-args smbusername=jrandom,smbpassword=jrandom
Host script results:
|  MSRPC: List of user accounts:
|  Enum via SAMR error: STATUS_ACCESS_DENIED (samr.opendomain)
|  ,\xE0J\xC0V
|    |_ Domain: MAC-MINI
|    |_ RID: 1010
|  Administrator
|    |_ Domain: MAC-MINI
|    |_ RID: 500
|  david
|    |_ Domain: MAC-MINI
|    |_ RID: 1003
|  Guest
|    |_ Domain: MAC-MINI
|    |_ RID: 501
|  HelpAssistant
|    |_ Domain: MAC-MINI
|    |_ RID: 1000
|  HelpServicesGroup
|    |_ Domain: MAC-MINI
|    |_ RID: 1001
|  jrandom
|    |_ Domain: MAC-MINI
|    |_ RID: 1019
|  Kurt G\xF6del
|    |_ Domain: MAC-MINI
|    |_ RID: 1018
|  SUPPORT_388945a0
|    |_ Domain: MAC-MINI
|_   |_ RID: 1002

./nmap --datadir=. --script=smb-enumusers 192.168.0.190 -F -d --script-args smbusername=jrandom,smbpassword=jrandom,smbdomain=MSHOME
Host script results:
|  MSRPC: List of user accounts:
|  Enum via SAMR error: STATUS_ACCESS_DENIED (samr.opendomain)
|  ,\xE0J\xC0V
|    |_ Domain: MAC-MINI
|    |_ RID: 1010
|  Administrator
|    |_ Domain: MAC-MINI
|    |_ RID: 500
|  david
|    |_ Domain: MAC-MINI
|    |_ RID: 1003
|  Guest
|    |_ Domain: MAC-MINI
|    |_ RID: 501
|  HelpAssistant
|    |_ Domain: MAC-MINI
|    |_ RID: 1000
|  HelpServicesGroup
|    |_ Domain: MAC-MINI
|    |_ RID: 1001
|  jrandom
|    |_ Domain: MAC-MINI
|    |_ RID: 1019
|  Kurt G\xF6del
|    |_ Domain: MAC-MINI
|    |_ RID: 1018
|  SUPPORT_388945a0
|    |_ Domain: MAC-MINI
|_   |_ RID: 1002

./nmap --datadir=. --script=smb-enumusers 192.168.0.190 -F -d --script-args smbusername=jrandom,smbpassword=jrandom,smbdomain=MAC-MINI
Host script results:
|  MSRPC: List of user accounts:
|  Enum via SAMR error: STATUS_ACCESS_DENIED (samr.opendomain)
|  ,\xE0J\xC0V
|    |_ Domain: MAC-MINI
|    |_ RID: 1010
|  Administrator
|    |_ Domain: MAC-MINI
|    |_ RID: 500
|  david
|    |_ Domain: MAC-MINI
|    |_ RID: 1003
|  Guest
|    |_ Domain: MAC-MINI
|    |_ RID: 501
|  HelpAssistant
|    |_ Domain: MAC-MINI
|    |_ RID: 1000
|  HelpServicesGroup
|    |_ Domain: MAC-MINI
|    |_ RID: 1001
|  jrandom
|    |_ Domain: MAC-MINI
|    |_ RID: 1019
|  Kurt G\xF6del
|    |_ Domain: MAC-MINI
|    |_ RID: 1018
|  SUPPORT_388945a0
|    |_ Domain: MAC-MINI
|_   |_ RID: 1002

./nmap --datadir=. --script=smb-enumusers 192.168.0.190 -F -d --script-args smbusername=david,smbdomain=MSHOME
Host script results:
|  MSRPC: List of user accounts:
|  Enum via SAMR error: STATUS_ACCESS_DENIED (samr.opendomain)
|  ,\xE0J\xC0V
|    |_ Domain: MAC-MINI
|    |_ RID: 1010
|  Administrator
|    |_ Domain: MAC-MINI
|    |_ RID: 500
|  david
|    |_ Domain: MAC-MINI
|    |_ RID: 1003
|  Guest
|    |_ Domain: MAC-MINI
|    |_ RID: 501
|  HelpAssistant
|    |_ Domain: MAC-MINI
|    |_ RID: 1000
|  HelpServicesGroup
|    |_ Domain: MAC-MINI
|    |_ RID: 1001
|  jrandom
|    |_ Domain: MAC-MINI
|    |_ RID: 1019
|  Kurt G\xF6del
|    |_ Domain: MAC-MINI
|    |_ RID: 1018
|  SUPPORT_388945a0
|    |_ Domain: MAC-MINI
|_   |_ RID: 1002

> Maybe try disabling the 'GUEST' account on your system, see if that
> makes a difference. If not, we need to figure out why it's forcing you
> to GUEST instead of a full user -- can you try mounting a share on
> that machine remotely, and getting a packet cap?

That's weird, it says the guest account is off. I turned it on and
Nmap's output looks identical. Whether the guest account is on or off I
see repeatedly in the output

SCRIPT ENGINE DEBUG: Login as MSHOME\jrandom failed, but Windows automatically logged you in as a guest

I'll get you a packet capture tomorrow.

> On the plus side, this unintentionally made me realize that I wasn't
> testing GUEST access, so I've added a GUEST account to my testing. The
> other funny thing is that the information being returned is 100% stuff
> that could be recovered without a user account. Scary, eh?

If I run without any script args I get no useful output (see the first
command in the long list above), whether the guest account is enabled or
not. I have to give it a user name (even a nonexistent one works), and
then I get the message "Login as ... failed, but Windows automatically
logged you in as a guest."

> I've attached an updated patch as well as the new module (which gives
> far more information to you, even as a GUEST, now). I'm also version
> controlling my stuff in my own svn repository -- would that be easier
> for your testing than using attachments?

smb-enumsessions.nse gives me this error:
SCRIPT ENGINE: ./scripts/smb-enumsessions.nse:241: bad argument #3 to 'format' (string expected, got nil)

Yes, if you've got your own version control that's easier.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
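The "logged you in as a guest" message the script prints comes from the Action word of the SMB_COM_SESSION_SETUP_ANDX response: when bit 0 (SMB_SETUP_GUEST) is set, the server accepted the session but not the credentials, which is exactly the silent guest fallback the thread is chasing. The Python below is an added example, not code from the thread or from Nmap's smb library; it decodes that response and classifies it, using constructed sample packets and assuming the 4-byte NetBIOS session header has already been stripped.

```python
import struct

# Constants from the SMB1 (CIFS) wire format.
SMB_MAGIC = b"\xffSMB"
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_SETUP_GUEST = 0x0001           # Action bit: session was granted as GUEST
STATUS_SUCCESS = 0x00000000
STATUS_LOGON_FAILURE = 0xC000006D  # what a refused login normally returns
HEADER_FMT = "<4sBIBHH8sHHHHH"     # 32-byte SMB header
HEADER_LEN = struct.calcsize(HEADER_FMT)


def classify_session_setup_response(pkt: bytes) -> str:
    """Return "user", "guest" or "failed" for one Session Setup AndX response.

    Only the header (command, NT status) and the Action word are decoded.
    `pkt` starts at the SMB header (NetBIOS session header already removed).
    """
    if len(pkt) < HEADER_LEN + 1 or pkt[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    fields = struct.unpack_from(HEADER_FMT, pkt, 0)
    command, status = fields[1], fields[2]
    if command != SMB_COM_SESSION_SETUP_ANDX:
        raise ValueError("not a Session Setup AndX message")
    if status != STATUS_SUCCESS:
        return "failed"            # error responses carry no Action word
    word_count = pkt[HEADER_LEN]
    # Words: AndXCommand(1) AndXReserved(1) AndXOffset(2) Action(2) [SecurityBlobLength(2)]
    if word_count < 3:
        raise ValueError("success response without an Action word")
    action, = struct.unpack_from("<H", pkt, HEADER_LEN + 1 + 4)
    return "guest" if action & SMB_SETUP_GUEST else "user"


def build_response(status: int, action: int, extended_security: bool = False) -> bytes:
    """Constructed sample response (not a capture) for exercising the parser."""
    header = struct.pack(HEADER_FMT, SMB_MAGIC, SMB_COM_SESSION_SETUP_ANDX, status,
                         0x88, 0x0001, 0, b"\0" * 8, 0, 0, 0, 0x0801, 0)
    if status != STATUS_SUCCESS:
        return header + b"\x00" + struct.pack("<H", 0)  # error: WordCount 0, ByteCount 0
    words = struct.pack("<BBHH", 0xFF, 0, 0, action)    # 0xFF: no chained AndX command
    if extended_security:
        words += struct.pack("<H", 0)                    # SecurityBlobLength
    return header + bytes([len(words) // 2]) + words + struct.pack("<H", 0)  # ByteCount 0


if __name__ == "__main__":
    for label, pkt in [("user", build_response(STATUS_SUCCESS, 0)),
                       ("guest", build_response(STATUS_SUCCESS, SMB_SETUP_GUEST)),
                       ("failed", build_response(STATUS_LOGON_FAILURE, 0))]:
        print(label, "->", classify_session_setup_response(pkt))
```

Run over a capture of the session setup exchange, a "guest" verdict for credentials the host should have rejected is the condition to look for; a host that answers that way hands out whatever its guest account can read, which is the point Ron makes above.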