Nmap Development mailing list archives
Re: [NSE] MSRPC Libraries (stable, I hope!)
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 29 Oct 2008 18:02:22 +0000
[crappy phone response, sorry]

Windows XP and later restrict passwordless accounts to local logins only by default. You can turn this off with gpedit.msc but that's obviously not a good idea.
Also, it looked below like the "Users:" output had some non-ASCII chars, probably from a bad parse.
Brandon

Sent from my phone. If you would like a digital signature for this email let me know and I will sign it later.
On Oct 29, 2008, at 17:34, David Fifield <david () bamsoftware com> wrote:
On Tue, Oct 28, 2008 at 10:19:13AM -0500, Ron wrote:

I've tried hard to stabilize my SMB + MSRPC code, and it seems to be working smoothly. I'm hoping to get Brandon (and anybody else) to test it one last time this week or early next week, then I can call it a version. I'm hoping to get as much feedback or bug reports as I can this week!

Here are my results from running the scripts against Windows XP Professional SP3. Ron and I found out that this OS has a peculiarity: by default you can't log in as any real user; rather all logins, correct or incorrect, get redirected to the guest user. See http://technet.microsoft.com/en-us/library/cc786449.aspx.

Here's how to change this setting: In the "Run" dialog, run "gpedit.msc". Navigate the tree down to "Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Sharing and security model for local accounts". Then change the setting from "Guest only" to "Classic". I ran the tests in both "Guest only" and "Classic" modes.

Here's with "Guest only".

# ./nmap -F --script smb-enumdomains,smb-enumsessions,smb-enumshares,smb-enumusers,smb-os-discovery,smb-security-mode,smb-serverstats,smb-systeminfo 192.168.0.190

Host script results:
|_ MSRPC: List of domains: ERROR: NT_STATUS_ACCESS_DENIED
|_ System info: ERROR: NT_STATUS_ACCESS_DENIED
|_ MSRPC: Server statistics: NT_STATUS_ACCESS_DENIED
| OS from SMB: Windows XP
| LAN Manager: Windows 2000 LAN Manager
| Name: MSHOME\MAC-MINI
|_ System time: 2008-10-29 10:05:00 UTC-6
| SMB Security: User-level authentication
| SMB Security: Challenge/response passwords supported
|_ SMB Security: Message signing not supported
| MSRPC: NetSessEnum():
| ERROR: Couldn't enumerate login sessions: NT_STATUS_ACCESS_DENIED
|_ ERROR: Couldn't enumerate network sessions: NT_STATUS_ACCESS_DENIED
| MSRPC: NetShareEnumAll():
| Couldn't enum all shares, checking for common ones (NT_STATUS_ACCESS_DENIED)
| Anonymous shares: IPC$
|_ Restricted shares: ADMIN$, C$
| MSRPC: List of user accounts:
| Enum via LSA error: NT_STATUS_ACCESS_DENIED
| Enum via SAMR error: NT_STATUS_ACCESS_DENIED
|_ Sorry, couldn't find any account names anonymously!

# ./nmap -F --script smb-enumdomains,smb-enumsessions,smb-enumshares,smb-enumusers,smb-os-discovery,smb-security-mode,smb-serverstats,smb-systeminfo --script-args smbuser=anything 192.168.0.190
# ./nmap -F --script smb-enumdomains,smb-enumsessions,smb-enumshares,smb-enumusers,smb-os-discovery,smb-security-mode,smb-serverstats,smb-systeminfo --script-args smbguest=true 192.168.0.190

Host script results:
| OS from SMB: Windows XP
| LAN Manager: Windows 2000 LAN Manager
| Name: MSHOME\MAC-MINI
|_ System time: 2008-10-29 10:11:04 UTC-6
| System info:
|_ |_ Account being used was unable to probe for information, try using an administrative account
|_ MSRPC: Server statistics: NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netservergetstatistics)
| SMB Security: User-level authentication
| SMB Security: Challenge/response passwords supported
|_ SMB Security: Message signing not supported
|_ MSRPC: List of domains: ERROR: NT_STATUS_ACCESS_DENIED (samr.opendomain)
| MSRPC: List of user accounts:
| Enum via SAMR error: NT_STATUS_ACCESS_DENIED (samr.opendomain)
|_ MAC-MINI\,\xE0J\xC0V, MAC-MINI\Administrator, MAC-MINI\david, MAC-MINI\Guest, MAC-MINI\HelpAssistant, MAC-MINI\HelpServicesGroup, MAC-MINI\jrandom, MAC-MINI\Kurt G\xF6del, MAC-MINI\SUPPORT_388945a0
| MSRPC: NetShareEnumAll():
| Anonymous shares: IPC$, print$, SharedDocs, My Pictures, Printer
|_ Restricted shares: ADMIN$, C$
| MSRPC: NetSessEnum():
| Users logged in:
| |_ <nobody>
|_ ERROR: Couldn't enumerate network sessions: NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netsessenum)

(In this case if I run with -d I get the familiar "SCRIPT ENGINE DEBUG: Login as \anything failed, so Windows automatically logged you in as a guest (this may be due to an incorrect username, or the system policy may be set to only allow guest logins (Windows XP Professional does so by default)", just so you know what's happening.)

My feeling is that this output is too verbose (I didn't use -v). Like in "MSRPC: List of user accounts" there was an error in one method of enumerating accounts, but I still got the whole list through another method. The error message should be hidden except in debug mode. Same with "System info", "MSRPC: Server statistics", "MSRPC: List of domains": they all show output that only shows that they failed to run.

In "MSRPC: NetSessEnum()" it says nobody is logged in, but I was logged in at the time of the scan. Is it because of the NT_STATUS_WERR_ACCESS_DENIED error in the next line? If so, the script should avoid saying that nobody is logged in, if it's not known.

I got a lot more information just by putting "--script-args smbuser=anything", and it can be literally anything: a real user name, a nonexistent one, even an empty string. Ron didn't mention it, but there's an "smbguest" script arg, which, if it's set to "true", automatically tries the guest account so you don't have to give a phony user name.

The next tests are with the "Classic" login mode, which allows authenticating as a real user. If I give no script args, I get the same result as I did in "Guest only" mode (little information). The same thing happens if I give a real user name and the wrong password. If I give a nonexistent smbuser, I get the same result as in "Guest only" mode (just guest information). Here's what happens if I use an administrator login.

# ./nmap -F --script smb-enumdomains,smb-enumsessions,smb-enumshares,smb-enumusers,smb-os-discovery,smb-security-mode,smb-serverstats,smb-systeminfo --script-args smbuser=jrandom,smbpass=jrandom 192.168.0.190

Host script results:
| OS from SMB: Windows XP
| LAN Manager: Windows 2000 LAN Manager
| Name: MSHOME\MAC-MINI
|_ System time: 2008-10-29 10:37:37 UTC-6
| SMB Security: User-level authentication
| SMB Security: Challenge/response passwords supported
|_ SMB Security: Message signing not supported
| MSRPC: List of domains:
| Domain: MAC-MINI
| |_ SID: S-1-5-21-117609710-839522115-1177238915
| |_ Users: Administrator, david, Guest, HelpAssistant, jrandom, Kurt G\xF6del, SUPPORT_388945a0, ,\xE0J\xC0V
| |_ Creation time: 2008-09-09 13:05:32
| |_ Passwords: min length: n/a; min age: n/a; max age: 42 days
| |_ Account lockout disabled
| |_ Password properties:
| |_ Password complexity requirements do not exist
| |_ Administrator account cannot be locked out
| Domain: Builtin
| |_ SID: S-1-5-32
| |_ Users:
| |_ Creation time: 2008-09-09 13:05:32
| |_ Passwords: min length: n/a; min age: n/a; max age: 42 days
| |_ Account lockout disabled
| |_ Password properties:
| |_ Password complexity requirements do not exist
|_ |_ Administrator account cannot be locked out
| System info:
| OS Details
| |_ Microsoft Windows XP Service Pack 3 (WinNT 5.1 build 2600)
| |_ Installed on 2008-09-09 13:25:15
| |_ Registered to . (organization: )
| |_ Path: %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
| |_ Systemroot: C:\WINDOWS
| |_ Page files: C:\pagefile.sys 1488 2976 (cleared at shutdown => 0)
| Hardware
| |_ CPU 0: Intel(R) Core(TM)2 CPU T5600 @ 1.83GHz [1833mhz GenuineIntel]
| |_ Identifier 0: x86 Family 6 Model 15 Stepping 2
| |_ CPU 1: Intel(R) Core(TM)2 CPU T5600 @ 1.83GHz [1833mhz GenuineIntel]
| |_ Identifier 1: x86 Family 6 Model 15 Stepping 2
| |_ Video driver: Mobile Intel(R) 945 Express Chipset Family
| Browsers
|_ |_ Internet Explorer 6.0000
| MSRPC: Server statistics:
| Server statistics collected since 2008-10-29 09:39:25 (58m12s):
| |_ Traffic 285603 bytes (81.79b/s) sent, 355314 bytes (101.75b/s) received
| |_ Failed logins: 10
| |_ Permission errors: 48, System errors: 0
| |_ Print jobs spooled: 0
|_ |_ Files opened (including pipes): 131
| MSRPC: NetShareEnumAll():
| Anonymous shares: IPC$, print$, SharedDocs, My Pictures, Printer
|_ Restricted shares: ADMIN$, C$
| MSRPC: List of user accounts:
|_ MAC-MINI\,\xE0J\xC0V, MAC-MINI\Administrator, MAC-MINI\david, MAC-MINI\Guest, MAC-MINI\HelpAssistant, MAC-MINI\HelpServicesGroup, MAC-MINI\jrandom, MAC-MINI\Kurt G\xF6del, MAC-MINI\SUPPORT_388945a0
| MSRPC: NetSessEnum():
| Users logged in:
| |_ MAC-MINI\david since 2008-10-29 09:39:10
| Active SMB Sessions:
|_ |_ JRANDOM is connected from 192.168.0.21 for [just logged in, it's probably you], idle for [not idle]

Holy cow! That's an impressive amount of information. This is a faster way to learn my CPU clock speed than logging in and looking for it in the control panel.

I have an administrator account with no password. If I use smbuser and not smbpass, it appears to try to use a blank password, but it doesn't work. I see

SCRIPT ENGINE DEBUG: SMB: Couldn't determine which password to use, using a blank one
SCRIPT ENGINE DEBUG: Login as \david failed, so Windows automatically logged you in as a guest (this may be due to an incorrect username, or the system policy may be set to only allow guest logins (Windows XP Professional does so by default)

And then I get the limited guest user output. Is this expected? Do you want a packet capture, or does Windows restrict passwordless accounts like this?

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
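The two behaviours discussed in this thread (every login being mapped to Guest in "Guest only" mode, and a blank-password administrator account being refused over the network) are both Local Security Policy settings backed by DWORD values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa: ForceGuest for "Network access: Sharing and security model for local accounts" and LimitBlankPasswordUse for "Accounts: Limit local account use of blank passwords to console logon only". The following is an added example, not code from the thread or from the Nmap project, that reads those two values on the Windows host being scanned and states what the smb-* scripts can be expected to get. The fallback defaults used when a value is absent (Guest only, blank passwords limited) are assumptions based on the XP Professional behaviour described above; the function name Get-SmbLogonPolicy is invented for the example.

```powershell
# Added example (not from the thread or the Nmap project): report the two local
# security policies that decide what an authenticated SMB/MSRPC enumeration gets.
#
#   ForceGuest            "Network access: Sharing and security model for local accounts"
#                         1 = Guest only, 0 = Classic
#   LimitBlankPasswordUse "Accounts: Limit local account use of blank passwords to
#                         console logon only"   1 = enabled, 0 = disabled
#
# Run this on the Windows host itself (an elevated prompt is not required to read
# these values). Written for PowerShell 2.0 so it also works on an XP SP3 box.

function Get-SmbLogonPolicy {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop

    # Assumption: a missing value behaves like the XP Professional default
    # (Guest only / blank passwords limited to console logon).
    $forceGuest = 1
    if ($null -ne $lsa.forceguest) { $forceGuest = [int]$lsa.forceguest }
    $limitBlank = 1
    if ($null -ne $lsa.limitblankpassworduse) { $limitBlank = [int]$lsa.limitblankpassworduse }

    if ($forceGuest -eq 1) {
        $model = 'Guest only'
        # Matches the "Guest only" runs above: any smbuser/smbpass, right or
        # wrong, is redirected to Guest and only guest-level data comes back.
        $expect = 'Every login is mapped to Guest; expect guest-level enumeration only.'
    } else {
        $model = 'Classic'
        if ($limitBlank -eq 1) {
            # Real credentials work, but an account with an empty password is
            # refused over SMB and the script falls back to Guest.
            $expect = 'Real accounts authenticate; blank-password accounts are refused over SMB and fall back to Guest.'
        } else {
            $expect = 'Real accounts authenticate, including accounts with an empty password.'
        }
    }

    if ($limitBlank -eq 1) { $blank = 'Console logon only' } else { $blank = 'Allowed over the network' }

    New-Object PSObject -Property @{
        SharingModel   = $model
        BlankPasswords = $blank
        Expectation    = $expect
    }
}

Get-SmbLogonPolicy | Format-List
```

Changing either value here is the same as flipping the setting in gpedit.msc; the thread's advice stands that switching "Guest only" to "Classic" is fine for a lab target, while allowing blank passwords over the network is not.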
Current thread:
- [NSE] MSRPC Libraries (stable, I hope!) Ron (Oct 28)
- Re: [NSE] MSRPC Libraries (stable, I hope!) David Fifield (Oct 29)
- Re: [NSE] MSRPC Libraries (stable, I hope!) Brandon Enright (Oct 29)
- Re: [NSE] MSRPC Libraries (stable, I hope!) David Fifield (Oct 29)
- Re: [NSE] MSRPC Libraries (stable, I hope!) Ron (Oct 29)
- Re: [NSE] MSRPC Libraries (stable, I hope!) David Fifield (Oct 29)
- Re: [NSE] MSRPC Libraries (stable, I hope!) Ron (Oct 29)
- Re: [NSE] MSRPC Libraries (stable, I hope!) Brandon Enright (Oct 29)
- Re: [NSE] MSRPC Libraries (stable, I hope!) David Fifield (Oct 29)
- Re: [NSE] MSRPC Libraries (stable, I hope!) Fyodor (Oct 29)
- Re: [NSE] MSRPC Libraries (stable, I hope!) Ron (Oct 29)
- Re: [NSE] MSRPC Libraries (stable, I hope!) David Fifield (Nov 03)
- Re: [NSE] MSRPC Libraries (stable, I hope!) Ron (Nov 03)