Nmap Development mailing list archives
Re: [NSE] SMB authentication patch
From: David Fifield <david () bamsoftware com>
Date: Mon, 13 Oct 2008 23:10:17 -0600
On Mon, Oct 13, 2008 at 10:30:14PM -0500, Ron wrote:
> Looking at the logs, it seems that you're automatically being logged in as "GUEST". Normally that happens if your username wasn't found, which is strange. Is there anything weird about your user accounts, or are you part of a domain, or something like that?
Gosh, I don't know. I haven't set anything up specially so it should all be whatever the default is. Under "Microsoft Windows Network" I see "Mshome" and inside that is "Mac-mini" (the name of the computer). The "Computer Name" tab in the "System" control panel item says "Workgroup: MSHOME". If I click the option to change to computer name there are two radio buttons: "Domain" (unselected), and "Workgroup" (selected, filled in with "MSHOME").
> Can you try adding a smbdomain argument, and try setting it to "MSHOME" or "MAC-MINI"? (those are the two domains I've seen in your packet caps), and running smb-enumusers.nse? If you're logged in properly, it should display more information about the accounts (descriptions, full names, etc).
./nmap --datadir=. --script=smb-enumusers 192.168.0.190 -F -d
Host script results:
|  MSRPC: List of user accounts:
|  Enum via LSA error: NT_STATUS_ACCESS_DENIED
|  Enum via SAMR error: NT_STATUS_ACCESS_DENIED
|_ Sorry, couldn't find any account names anonymously!

./nmap --datadir=. --script=smb-enumusers 192.168.0.190 -F -d --script-args smbdomain=MSHOME
Host script results:
|  MSRPC: List of user accounts:
|  Enum via LSA error: NT_STATUS_ACCESS_DENIED
|  Enum via SAMR error: NT_STATUS_ACCESS_DENIED
|_ Sorry, couldn't find any account names anonymously!

./nmap --datadir=. --script=smb-enumusers 192.168.0.190 -F -d --script-args smbdomain=MAC-MINI
Host script results:
|  MSRPC: List of user accounts:
|  Enum via LSA error: NT_STATUS_ACCESS_DENIED
|  Enum via SAMR error: NT_STATUS_ACCESS_DENIED
|_ Sorry, couldn't find any account names anonymously!

./nmap --datadir=. --script=smb-enumusers 192.168.0.190 -F -d --script-args smbusername=jrandom,smbpassword=jrandom
Host script results:
|  MSRPC: List of user accounts:
|  Enum via SAMR error: STATUS_ACCESS_DENIED (samr.opendomain)
|  ,\xE0J\xC0V
|  |_ Domain: MAC-MINI
|  |_ RID: 1010
|  Administrator
|  |_ Domain: MAC-MINI
|  |_ RID: 500
|  david
|  |_ Domain: MAC-MINI
|  |_ RID: 1003
|  Guest
|  |_ Domain: MAC-MINI
|  |_ RID: 501
|  HelpAssistant
|  |_ Domain: MAC-MINI
|  |_ RID: 1000
|  HelpServicesGroup
|  |_ Domain: MAC-MINI
|  |_ RID: 1001
|  jrandom
|  |_ Domain: MAC-MINI
|  |_ RID: 1019
|  Kurt G\xF6del
|  |_ Domain: MAC-MINI
|  |_ RID: 1018
|  SUPPORT_388945a0
|  |_ Domain: MAC-MINI
|_ |_ RID: 1002

./nmap --datadir=. --script=smb-enumusers 192.168.0.190 -F -d --script-args smbusername=jrandom,smbpassword=jrandom,smbdomain=MSHOME
Host script results:
|  MSRPC: List of user accounts:
|  Enum via SAMR error: STATUS_ACCESS_DENIED (samr.opendomain)
|  ,\xE0J\xC0V
|  |_ Domain: MAC-MINI
|  |_ RID: 1010
|  Administrator
|  |_ Domain: MAC-MINI
|  |_ RID: 500
|  david
|  |_ Domain: MAC-MINI
|  |_ RID: 1003
|  Guest
|  |_ Domain: MAC-MINI
|  |_ RID: 501
|  HelpAssistant
|  |_ Domain: MAC-MINI
|  |_ RID: 1000
|  HelpServicesGroup
|  |_ Domain: MAC-MINI
|  |_ RID: 1001
|  jrandom
|  |_ Domain: MAC-MINI
|  |_ RID: 1019
|  Kurt G\xF6del
|  |_ Domain: MAC-MINI
|  |_ RID: 1018
|  SUPPORT_388945a0
|  |_ Domain: MAC-MINI
|_ |_ RID: 1002

./nmap --datadir=. --script=smb-enumusers 192.168.0.190 -F -d --script-args smbusername=jrandom,smbpassword=jrandom,smbdomain=MAC-MINI
Host script results:
|  MSRPC: List of user accounts:
|  Enum via SAMR error: STATUS_ACCESS_DENIED (samr.opendomain)
|  ,\xE0J\xC0V
|  |_ Domain: MAC-MINI
|  |_ RID: 1010
|  Administrator
|  |_ Domain: MAC-MINI
|  |_ RID: 500
|  david
|  |_ Domain: MAC-MINI
|  |_ RID: 1003
|  Guest
|  |_ Domain: MAC-MINI
|  |_ RID: 501
|  HelpAssistant
|  |_ Domain: MAC-MINI
|  |_ RID: 1000
|  HelpServicesGroup
|  |_ Domain: MAC-MINI
|  |_ RID: 1001
|  jrandom
|  |_ Domain: MAC-MINI
|  |_ RID: 1019
|  Kurt G\xF6del
|  |_ Domain: MAC-MINI
|  |_ RID: 1018
|  SUPPORT_388945a0
|  |_ Domain: MAC-MINI
|_ |_ RID: 1002

./nmap --datadir=. --script=smb-enumusers 192.168.0.190 -F -d --script-args smbusername=david,smbdomain=MSHOME
Host script results:
|  MSRPC: List of user accounts:
|  Enum via SAMR error: STATUS_ACCESS_DENIED (samr.opendomain)
|  ,\xE0J\xC0V
|  |_ Domain: MAC-MINI
|  |_ RID: 1010
|  Administrator
|  |_ Domain: MAC-MINI
|  |_ RID: 500
|  david
|  |_ Domain: MAC-MINI
|  |_ RID: 1003
|  Guest
|  |_ Domain: MAC-MINI
|  |_ RID: 501
|  HelpAssistant
|  |_ Domain: MAC-MINI
|  |_ RID: 1000
|  HelpServicesGroup
|  |_ Domain: MAC-MINI
|  |_ RID: 1001
|  jrandom
|  |_ Domain: MAC-MINI
|  |_ RID: 1019
|  Kurt G\xF6del
|  |_ Domain: MAC-MINI
|  |_ RID: 1018
|  SUPPORT_388945a0
|  |_ Domain: MAC-MINI
|_ |_ RID: 1002
> Maybe try disabling the 'GUEST' account on your system, see if that makes a difference. If not, we need to figure out why it's forcing you to GUEST instead of a full user -- can you try mounting a share on that machine remotely, and getting a packet cap?
That's weird, it says the guest account is off. I turned it on and Nmap's output looks identical. Whether the guest account is on or off I see repeatedly in the output:

SCRIPT ENGINE DEBUG: Login as MSHOME\jrandom failed, but Windows automatically logged you in as a guest

I'll get you a packet capture tomorrow.
> On the plus side, this unintentionally made me realize that I wasn't testing GUEST access, so I've added a GUEST account to my testing. The other funny thing is that the information being returned is 100% stuff that could be recovered without a user account. Scary, eh?
If I run without any script args I get no useful output (see the first command in the long list above), whether the guest account is enabled or not. I have to give it a user name (even a nonexistent one works), and then I get the message "Login as ... failed, but Windows automatically logged you in as a guest."
> I've attached an updated patch as well as the new module (which gives far more information to you, even as a GUEST, now). I'm also version controlling my stuff in my own svn repository -- would that be easier for your testing than using attachments?
smb-enumsessions.nse gives me this error:

SCRIPT ENGINE: ./scripts/smb-enumsessions.nse:241: bad argument #3 to 'format' (string expected, got nil)

Yes, if you've got your own version control that's easier.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
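The "Windows automatically logged you in as a guest" message in the debug output is driven by the server's Session Setup AndX response: even when the supplied credentials are wrong, the server can answer with success and set the GUEST bit in the Action field, which is why the enumeration results never change. As an added illustration (not code from the patch or from Nmap), the Python below classifies such a response so a tool does not mistake a guest downgrade for a real authenticated session; the byte layout follows the SMB1 header and Session Setup AndX response in MS-CIFS, and the sample responses are constructed inline.

```python
import struct

# SMB1 constants from MS-CIFS (the dialect the 2008-era NSE smb library spoke).
SMB_MAGIC = b"\xffSMB"
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_SETUP_GUEST = 0x0001            # Action bit 0: server granted GUEST access only
NT_STATUS_SUCCESS = 0x00000000
NT_STATUS_LOGON_FAILURE = 0xC000006D

def build_session_setup_response(status, action):
    """Construct a minimal Session Setup AndX response (sample data, not a capture)."""
    header = (SMB_MAGIC + bytes([SMB_COM_SESSION_SETUP_ANDX])
              + struct.pack("<I", status) + bytes(23))    # 32-byte SMB header
    # WordCount=3, then AndXCommand (0xFF = none), AndXReserved, AndXOffset, Action
    params = bytes([3]) + struct.pack("<BBHH", 0xFF, 0, 0, action)
    return header + params + struct.pack("<H", 0)          # ByteCount = 0

def login_outcome(data):
    """Classify a Session Setup AndX response as 'ok', 'guest' or 'failed: <status>'."""
    if len(data) < 33 or data[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    command = data[4]
    status = struct.unpack_from("<I", data, 5)[0]         # NT_STATUS, little-endian
    if command != SMB_COM_SESSION_SETUP_ANDX:
        raise ValueError("unexpected command 0x%02x" % command)
    if status != NT_STATUS_SUCCESS:
        return "failed: 0x%08x" % status                  # no Action field on error
    word_count = data[32]
    if word_count < 3:
        raise ValueError("response carries no Action field")
    # Action follows AndXCommand(1) + AndXReserved(1) + AndXOffset(2) after WordCount
    action = struct.unpack_from("<H", data, 33 + 4)[0]
    return "guest" if action & SMB_SETUP_GUEST else "ok"

# Constructed samples: a guest downgrade, a real login, and a rejected login.
GUEST_RESPONSE = build_session_setup_response(NT_STATUS_SUCCESS, SMB_SETUP_GUEST)
REAL_LOGIN_RESPONSE = build_session_setup_response(NT_STATUS_SUCCESS, 0)
FAILED_RESPONSE = build_session_setup_response(NT_STATUS_LOGON_FAILURE, 0)
```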