Nmap Development mailing list archives

Re: [NSE] MSRPC Libraries (stable, I hope!)


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 29 Oct 2008 18:02:22 +0000

[crappy phone response, sorry]

Windows XP and later restrict passwordless accounts to local logins only by default. You can turn this off with gpedit.msc but that's obviously not a good idea.

Also, it looked below like the "Users:" output had some non-ASCII chars, probably from a bad parse.

Brandon

Sent from my phone. If you would like a digital signature for this email let me know and I will sign it later.


On Oct 29, 2008, at 17:34, David Fifield <david () bamsoftware com> wrote:

On Tue, Oct 28, 2008 at 10:19:13AM -0500, Ron wrote:
I've tried hard to stabilize my SMB + MSRPC code, and it seems to be
working smoothly. I'm hoping to get Brandon (and anybody else) to test
it one last time this week or early next week, then I can call it a
version.

I'm hoping to get as much feedback or bug reports as I can this week!

Here are my results from running the scripts against Windows XP
Professional SP3. Ron and I found out that this OS has a peculiarity: by
default you can't log in as any real user; rather all logins, correct or
incorrect, get redirected to the guest user. See
http://technet.microsoft.com/en-us/library/cc786449.aspx.

Here's how to change this setting: In the "Run" dialog, run "gpedit.msc".
Navigate the tree down to "Computer Configuration\Windows
Settings\Security Settings\Local Policies\Security Options\Network
access: Sharing and security model for local accounts". Then change the
setting from "Guest only" to "Classic".

I ran the tests in both "Guest only" and "Classic" modes. Here's with
"Guest only".

# ./nmap -F --script smb-enumdomains,smb-enumsessions,smb-enumshares,smb-enumusers,smb-os-discovery,smb-security-mode,smb-serverstats,smb-systeminfo 192.168.0.190
Host script results:
|_ MSRPC: List of domains: ERROR: NT_STATUS_ACCESS_DENIED
|_ System info: ERROR: NT_STATUS_ACCESS_DENIED
|_ MSRPC: Server statistics: NT_STATUS_ACCESS_DENIED
|  OS from SMB: Windows XP
|  LAN Manager: Windows 2000 LAN Manager
|  Name: MSHOME\MAC-MINI
|_ System time: 2008-10-29 10:05:00 UTC-6
|  SMB Security: User-level authentication
|  SMB Security: Challenge/response passwords supported
|_ SMB Security: Message signing not supported
|  MSRPC: NetSessEnum():
|  ERROR: Couldn't enumerate login sessions: NT_STATUS_ACCESS_DENIED
|_ ERROR: Couldn't enumerate network sessions: NT_STATUS_ACCESS_DENIED
|  MSRPC: NetShareEnumAll():
|  Couldn't enum all shares, checking for common ones
(NT_STATUS_ACCESS_DENIED)
|  Anonymous shares: IPC$
|_ Restricted shares: ADMIN$, C$
|  MSRPC: List of user accounts:
|  Enum via LSA error: NT_STATUS_ACCESS_DENIED
|  Enum via SAMR error: NT_STATUS_ACCESS_DENIED
|_ Sorry, couldn't find any account names anonymously!

# ./nmap -F --script smb-enumdomains,smb-enumsessions,smb-enumshares,smb-enumusers,smb-os-discovery,smb-security-mode,smb-serverstats,smb-systeminfo --script-args smbuser=anything 192.168.0.190
# ./nmap -F --script smb-enumdomains,smb-enumsessions,smb-enumshares,smb-enumusers,smb-os-discovery,smb-security-mode,smb-serverstats,smb-systeminfo --script-args smbguest=true 192.168.0.190
Host script results:
|  OS from SMB: Windows XP
|  LAN Manager: Windows 2000 LAN Manager
|  Name: MSHOME\MAC-MINI
|_ System time: 2008-10-29 10:11:04 UTC-6
|  System info:
|_ |_ Account being used was unable to probe for information, try using an administrative account
|_ MSRPC: Server statistics: NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netservergetstatistics)
|  SMB Security: User-level authentication
|  SMB Security: Challenge/response passwords supported
|_ SMB Security: Message signing not supported
|_ MSRPC: List of domains: ERROR: NT_STATUS_ACCESS_DENIED (samr.opendomain)
|  MSRPC: List of user accounts:
|  Enum via SAMR error: NT_STATUS_ACCESS_DENIED (samr.opendomain)
|_ MAC-MINI\,\xE0J\xC0V, MAC-MINI\Administrator, MAC-MINI\david, MAC-MINI\Guest, MAC-MINI\HelpAssistant, MAC-MINI\HelpServicesGroup, MAC-MINI\jrandom, MAC-MINI\Kurt G\xF6del, MAC-MINI\SUPPORT_388945a0
|  MSRPC: NetShareEnumAll():
|  Anonymous shares: IPC$, print$, SharedDocs, My Pictures, Printer
|_ Restricted shares: ADMIN$, C$
|  MSRPC: NetSessEnum():
|  Users logged in:
|  |_ <nobody>
|_ ERROR: Couldn't enumerate network sessions: NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netsessenum)

(In this case if I run with -d I get the familiar "SCRIPT ENGINE DEBUG:
Login as \anything failed, so Windows automatically logged you in as a
guest (this may be due to an incorrect username, or the system policy
may be set to only allow guest logins (Windows XP Professional does so
by default)", just so you know what's happening.)

My feeling is that this output is too verbose (I didn't use -v). Like in
"MSRPC: List of user accounts" there was an error in one method of
enumerating accounts, but I still got the whole list through another
method. The error message should be hidden except in debug mode. Same
with "System info", "MSRPC: Server statistics", "MSRPC: List of
domains": they all show output that only shows that they failed to run.

In "MSRPC: NetSessEnum()" it says nobody is logged in, but I was logged in at the time of the scan. Is it because of the NT_STATUS_WERR_ACCESS_DENIED
error in the next line? If so, the script should avoid saying that
nobody is logged in, if it's not known.

I got a lot more information just by putting "--script-args
smbuser=anything", and it can be literally anything: a real user name, a
nonexistent one, even an empty string. Ron didn't mention it, but
there's an "smbguest" script arg, which, if it's set to "true",
automatically tries the guest account so you don't have to give a phony
user name.

The next tests are with the "Classic" login mode, which allows
authenticating as a real user.

If I give no script args, I get the same result as I did in "Guest only" mode (little information). The same thing happens if I give a real user name and the wrong password. If I give a nonexistent smbuser, I get the
same result as in "Guest only" mode (just guest information).

Here's what happens if I use an administrator login.

# ./nmap -F --script smb-enumdomains,smb-enumsessions,smb-enumshares,smb-enumusers,smb-os-discovery,smb-security-mode,smb-serverstats,smb-systeminfo --script-args smbuser=jrandom,smbpass=jrandom 192.168.0.190
Host script results:
|  OS from SMB: Windows XP
|  LAN Manager: Windows 2000 LAN Manager
|  Name: MSHOME\MAC-MINI
|_ System time: 2008-10-29 10:37:37 UTC-6
|  SMB Security: User-level authentication
|  SMB Security: Challenge/response passwords supported
|_ SMB Security: Message signing not supported
|  MSRPC: List of domains:
|  Domain: MAC-MINI
|   |_ SID: S-1-5-21-117609710-839522115-1177238915
|   |_ Users: Administrator, david, Guest, HelpAssistant, jrandom, Kurt G\xF6del, SUPPORT_388945a0, ,\xE0J\xC0V
|   |_ Creation time: 2008-09-09 13:05:32
|   |_ Passwords: min length: n/a; min age: n/a; max age: 42 days
|   |_ Account lockout disabled
|   |_ Password properties:
|     |_  Password complexity requirements do not exist
|     |_  Administrator account cannot be locked out
|  Domain: Builtin
|   |_ SID: S-1-5-32
|   |_ Users:
|   |_ Creation time: 2008-09-09 13:05:32
|   |_ Passwords: min length: n/a; min age: n/a; max age: 42 days
|   |_ Account lockout disabled
|   |_ Password properties:
|     |_  Password complexity requirements do not exist
|_    |_  Administrator account cannot be locked out
|  System info:
|  OS Details
|  |_ Microsoft Windows XP Service Pack 3 (WinNT 5.1 build 2600)
|  |_ Installed on 2008-09-09 13:25:15
|  |_ Registered to . (organization: )
|  |_ Path: %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
|  |_ Systemroot: C:\WINDOWS
|  |_ Page files: C:\pagefile.sys 1488 2976 (cleared at shutdown => 0)
|  Hardware
|  |_ CPU 0: Intel(R) Core(TM)2 CPU T5600 @ 1.83GHz [1833mhz GenuineIntel]
|  |_ Identifier 0: x86 Family 6 Model 15 Stepping 2
|  |_ CPU 1: Intel(R) Core(TM)2 CPU T5600 @ 1.83GHz [1833mhz GenuineIntel]
|  |_ Identifier 1: x86 Family 6 Model 15 Stepping 2
|  |_ Video driver: Mobile Intel(R) 945 Express Chipset Family
|  Browsers
|_ |_ Internet Explorer 6.0000
|  MSRPC: Server statistics:
|  Server statistics collected since 2008-10-29 09:39:25 (58m12s):
|  |_ Traffic 285603 bytes (81.79b/s) sent, 355314 bytes (101.75b/s) received
|  |_ Failed logins: 10
|  |_ Permission errors: 48, System errors: 0
|  |_ Print jobs spooled: 0
|_ |_ Files opened (including pipes): 131
|  MSRPC: NetShareEnumAll():
|  Anonymous shares: IPC$, print$, SharedDocs, My Pictures, Printer
|_ Restricted shares: ADMIN$, C$
|  MSRPC: List of user accounts:
|_ MAC-MINI\,\xE0J\xC0V, MAC-MINI\Administrator, MAC-MINI\david, MAC-MINI\Guest, MAC-MINI\HelpAssistant, MAC-MINI\HelpServicesGroup, MAC-MINI\jrandom, MAC-MINI\Kurt G\xF6del, MAC-MINI\SUPPORT_388945a0
|  MSRPC: NetSessEnum():
|  Users logged in:
|  |_ MAC-MINI\david since 2008-10-29 09:39:10
|  Active SMB Sessions:
|_ |_ JRANDOM is connected from 192.168.0.21 for [just logged in, it's probably you], idle for [not idle]

Holy cow! That's an impressive amount of information. This is a faster
way to learn my CPU clock speed than logging in and looking for it in
the control panel.

I have an administrator account with no password. If I use smbuser and
not smbpass, it appears to try to use a blank password, but it doesn't
work. I see

SCRIPT ENGINE DEBUG: SMB: Couldn't determine which password to use, using a blank one
SCRIPT ENGINE DEBUG: Login as \david failed, so Windows automatically logged you in as a guest (this may be due to an incorrect username, or the system policy may be set to only allow guest logins (Windows XP Professional does so by default)

And then I get the limited guest user output. Is this expected? Do you
want a packet capture, or does Windows restrict passwordless accounts
like this?

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
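An added example, not code from this thread or from Nmap: a PowerShell audit of the two Windows local policies the thread turns on (the "Guest only" versus "Classic" sharing model David changed in gpedit.msc, and the blank-password restriction Brandon mentions). It assumes those policies are stored as the ForceGuest and LimitBlankPasswordUse DWORDs under the Lsa registry key and that it runs, elevated, on the Windows host being checked.

```powershell
# Added example (not from the thread or from Nmap). Reads the two LSA policy
# values that decide what an SMB client like the smb-* scripts will see.
# Assumption: the policies live in this key under these value names.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa = Get-ItemProperty -Path $lsaKey -ErrorAction Stop

function Get-ForceGuestMeaning([object]$value) {
    # "Network access: Sharing and security model for local accounts"
    # 1 = Guest only (every network logon is mapped to Guest), 0 = Classic.
    if ($value -eq 1) { return 'Guest only: network logons to local accounts are redirected to Guest' }
    if ($value -eq 0) { return 'Classic: local accounts authenticate as themselves over SMB' }
    return 'not set: OS default applies (the thread notes XP Professional defaults to Guest only)'
}

function Get-BlankPasswordMeaning([object]$value) {
    # "Accounts: Limit local account use of blank passwords to console logon only"
    # 1 = enabled (the default Brandon describes), 0 = disabled via gpedit.msc.
    if ($value -eq 0) { return 'DISABLED: passwordless local accounts can log on over the network' }
    if ($value -eq 1) { return 'enabled: passwordless local accounts are limited to console logon' }
    return 'not set: OS default applies (enabled)'
}

$report = [pscustomobject]@{
    Host                  = $env:COMPUTERNAME
    ForceGuest            = $lsa.forceguest
    ForceGuestMeaning     = Get-ForceGuestMeaning $lsa.forceguest
    LimitBlankPasswordUse = $lsa.LimitBlankPasswordUse
    LimitBlankMeaning     = Get-BlankPasswordMeaning $lsa.LimitBlankPasswordUse
}
$report | Format-List

# The combination a defender should flag: real accounts are reachable over
# SMB (Classic) and blank passwords are accepted for network logons, so an
# account without a password is usable remotely, not just at the console.
if ($lsa.forceguest -eq 0 -and $lsa.LimitBlankPasswordUse -eq 0) {
    Write-Warning 'Classic logon model with blank-password network logons allowed: review passwordless local accounts.'
}
```

With the defaults the thread describes (Guest only, blank passwords limited to console) the report explains why an anonymous or wrong-credential scan only ever sees the Guest view of the host.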
