Nmap Development mailing list archives

Re: Updated SMB scripts


From: David Fifield <david () bamsoftware com>
Date: Sun, 28 Dec 2008 12:02:40 -0700

On Tue, Dec 23, 2008 at 07:24:38PM -0600, Ron wrote:
> Brandon, Patrick, and myself have worked hard to update and stabilize
> the smb/msrpc scripts, and I think we've pulled it off. That being said,
> my tests are against a very limited network and Brandon's are
> unauthenticated. I'd feel a lot better if people would do their own
> tests, especially if you have accounts on the target systems.
> 
> Since Brandon successfully tested the script against nearly 400,000
> hosts (granting that most of them are offline), I merged my changes into
> the main Nmap branch. If you want to test go ahead and grab them from
> there.

It looks like you forgot to "svn add" the msrpcperformance module. I get

SCRIPT ENGINE: './scripts/smb-enum-processes.nse' threw a run time error and could not be loaded.
./scripts/smb-enum-processes.nse:92: module 'msrpcperformance' not found:

There's a new script, smb-enum-processes.nse. Can you summarize the
other changes? Or point me to a mailing list post (I haven't been
following closely).

After copying msrpcperformance.nse from nmap-smb,

# nmap -p139,445 --script=smb-check-vulns,smb-enum-processes,smb-enum-shares,smb-os-discovery,smb-server-stats,smb-enum-domains,smb-enum-sessions,smb-enum-users,smb-security-mode,smb-system-info 192.168.0.190

Starting Nmap 4.76 ( http://nmap.org ) at 2008-12-28 11:52 MST
Interesting ports on 192.168.0.190:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:16:CB:AE:D4:AC (Apple Computer)

Host script results:
|  smb-os-discovery: Windows XP
|  LAN Manager: Windows 2000 LAN Manager
|  Name: MSHOME\MAC-MINI
|_ System time: 2008-12-28 11:52:20 UTC-7
|  smb-security-mode: User-level authentication
|  SMB Security: Challenge/response passwords supported
|_ SMB Security: Message signing not supported
|  smb-enum-users:
|_ MAC-MINI\,\xE0J\xC0V, MAC-MINI\Administrator, MAC-MINI\david, MAC-MINI\Guest, MAC-MINI\HelpAssistant, MAC-MINI\HelpServicesGroup, MAC-MINI\jrandom, MAC-MINI\Kurt G\xF6del, MAC-MINI\None, MAC-MINI\SUPPORT_388945a0
|  smb-enum-shares:
|  Anonymous shares: IPC$
|_ Restricted shares: print$, SharedDocs, My Pictures, david, ADMIN$, C$, Printer
|  smb-enum-sessions:
|  Users logged in:
|  |_ <nobody>
|_ ERROR: Couldn't enumerate network sessions: NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netsessenum)

Nmap done: 1 IP address (1 host up) scanned in 1.33 seconds

Then with authentication, after disabling guest-only authentication on
Windows XP Pro:

# nmap --datadir=. -p139,445 --script=smb-check-vulns,smb-enum-processes,smb-enum-shares,smb-os-discovery,smb-server-stats,smb-enum-domains,smb-enum-sessions,smb-enum-users,smb-security-mode,smb-system-info --script-args smbuser=jrandom,smbpass=jrandom 192.168.0.190

Starting Nmap 4.76 ( http://nmap.org ) at 2008-12-28 11:54 MST
Interesting ports on 192.168.0.190:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:16:CB:AE:D4:AC (Apple Computer)

Host script results:
|  smb-system-info:
|  OS Details
|  |_ Microsoft Windows XP Service Pack 3 (WinNT 5.1 build 2600)
|  |_ Installed on 2008-09-09 13:25:15
|  |_ Registered to . (organization: )
|  |_ Path: %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
|  |_ Systemroot: C:\WINDOWS
|  |_ Page files: C:\pagefile.sys 1488 2976 (cleared at shutdown => 0)
|  Hardware
|  |_ CPU 0: Intel(R) Core(TM)2 CPU         T5600  @ 1.83GHz [1834mhz GenuineIntel]
|  |_ Identifier 0: x86 Family 6 Model 15 Stepping 2
|  |_ CPU 1: Intel(R) Core(TM)2 CPU         T5600  @ 1.83GHz [1833mhz GenuineIntel]
|  |_ Identifier 1: x86 Family 6 Model 15 Stepping 2
|  |_ Video driver: Mobile Intel(R) 945 Express Chipset Family
|  Browsers
|_ |_ Internet Explorer 6.0000
|  smb-security-mode: User-level authentication
|  SMB Security: Challenge/response passwords supported
|_ SMB Security: Message signing not supported
|_ smb-enum-processes: Idle, System, ALG, KbdMgr, SMSS, CSRSS, WINLOGON, SERVICES, LSASS, IRW, IGFXPERS, HKCMD, RUNDLL32, SPOOLSV, AppleOSSMgr, AppleTimeSrv, SVCHOST, STACSV, mmc, WinVNC, EXPLORER
|  smb-os-discovery: Windows XP
|  LAN Manager: Windows 2000 LAN Manager
|  Name: MSHOME\MAC-MINI
|_ System time: 2008-12-28 11:54:53 UTC-7
|  smb-enum-domains:
|  Domain: MAC-MINI
|   |_ SID: S-1-5-21-117609710-839522115-1177238915
|   |_ Users: Administrator, david, Guest, HelpAssistant, jrandom, Kurt G\xF6del, SUPPORT_388945a0, ,\xE0J\xC0V
|   |_ Creation time: 2008-09-09 13:05:32
|   |_ Passwords: min length: n/a; min age: n/a; max age: 42 days
|   |_ Account lockout disabled
|  Domain: Builtin
|   |_ SID: S-1-5-32
|   |_ Creation time: 2008-09-09 13:05:32
|   |_ Passwords: min length: n/a; min age: n/a; max age: 42 days
|_  |_ Account lockout disabled
|  smb-server-stats:
|  Server statistics collected since 2008-12-28 18:33:06 (-398m48s):
|  |_ Traffic 462679 bytes (-19.37 b/s) sent, 477458 bytes (-19.98 b/s) received
|  |_ Failed logins: 0
|  |_ Permission errors: 0, System errors: 0
|  |_ Print jobs spooled: 0
|_ |_ Files opened (including pipes): 226
|  smb-enum-shares:
|  Anonymous shares: IPC$
|_ Restricted shares: print$, SharedDocs, My Pictures, david, ADMIN$, C$, Printer
|  smb-enum-users:
|_ MAC-MINI\,\xE0J\xC0V, MAC-MINI\Administrator, MAC-MINI\david, MAC-MINI\Guest, MAC-MINI\HelpAssistant, MAC-MINI\HelpServicesGroup, MAC-MINI\jrandom, MAC-MINI\Kurt G\xF6del, MAC-MINI\None, MAC-MINI\SUPPORT_388945a0
|  smb-enum-sessions:
|  Users logged in:
|  |_ <nobody>
|  Active SMB Sessions:
|_ |_ JRANDOM is connected from 192.168.0.21 for [just logged in, it's probably you], idle for [not idle]

Nmap done: 1 IP address (1 host up) scanned in 7.62 seconds

David Fifield
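The two runs above differ mainly in what the host lets an unauthenticated caller see (IPC$ reachable anonymously, account names enumerable, but srvsvc.netsessenum refused with NT_STATUS_WERR_ACCESS_DENIED). The script below is an added example, not code from this message or from Nmap: it parses the "Host script results:" block of Nmap's normal output into per-script sections and turns the SMB-related lines into prioritised findings for the host's owner. The sample output is a constructed excerpt modelled on the unauthenticated run (with the wrapped smb-enum-users line joined and the names containing commas left out); the "|  " / "|_ " line markers are Nmap's real convention, while the severity rules in assess_smb() are this example's own assumptions.

```python
"""Parse Nmap's "Host script results:" block and rank the SMB findings.

Added example, not part of the original mailing-list message and not
Nmap code. Nmap's normal-output convention is real: "|  " starts or
continues a script's output, "|_ " is that script's last line. The
risk rules in assess_smb() are this example's own choices.
"""

import re

# Constructed sample modelled on the unauthenticated scan in the message.
SAMPLE_OUTPUT = r"""Host script results:
|  smb-os-discovery: Windows XP
|  LAN Manager: Windows 2000 LAN Manager
|  Name: MSHOME\MAC-MINI
|_ System time: 2008-12-28 11:52:20 UTC-7
|  smb-security-mode: User-level authentication
|  SMB Security: Challenge/response passwords supported
|_ SMB Security: Message signing not supported
|  smb-enum-users:
|_ MAC-MINI\Administrator, MAC-MINI\david, MAC-MINI\Guest, MAC-MINI\jrandom
|  smb-enum-shares:
|  Anonymous shares: IPC$
|_ Restricted shares: print$, SharedDocs, My Pictures, david, ADMIN$, C$, Printer
|  smb-enum-sessions:
|  Users logged in:
|  |_ <nobody>
|_ ERROR: Couldn't enumerate network sessions: NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netsessenum)

Nmap done: 1 IP address (1 host up) scanned in 1.33 seconds
"""

# The first line of a script's output is "<script-name>: <optional text>".
SCRIPT_HEADER = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+):\s*(?P<rest>.*)$")


def parse_host_scripts(output):
    """Return {script_name: [text lines]} for the host script block.

    A script's output begins right after the previous script's "|_ " line
    (or at the top of the block) and ends at its own "|_ " line. Nested
    "|_" markers inside a script are kept as part of its text.
    """
    sections = {}
    lines = output.splitlines()
    try:
        start = lines.index("Host script results:") + 1
    except ValueError:
        return sections
    current = None
    for line in lines[start:]:
        if not line.startswith("|"):
            break                       # blank line or "Nmap done" ends the block
        is_last = line[1:2] == "_"      # "|_" closes the current script
        body = line[3:]                 # drop the "|  " or "|_ " prefix
        if current is None:
            match = SCRIPT_HEADER.match(body)
            if match is None:
                raise ValueError("expected a script name, got: %r" % line)
            current = match.group("name")
            sections[current] = [match.group("rest")] if match.group("rest") else []
        else:
            sections[current].append(body)
        if is_last:
            current = None
    return sections


def assess_smb(sections, authenticated=False):
    """Turn parsed sections into (severity, script, message) tuples, highest first."""
    findings = []

    if any("Message signing not supported" in l for l in sections.get("smb-security-mode", [])):
        findings.append(("high", "smb-security-mode",
                         "SMB message signing not supported; require signing so "
                         "sessions cannot be tampered with in transit"))

    for line in sections.get("smb-enum-shares", []):
        if line.startswith("Anonymous shares:"):
            names = [s.strip() for s in line.split(":", 1)[1].split(",") if s.strip()]
            data_shares = [n for n in names if n != "IPC$"]
            if data_shares:
                findings.append(("high", "smb-enum-shares",
                                 "shares readable without credentials: " + ", ".join(data_shares)))
            elif "IPC$" in names:
                findings.append(("medium", "smb-enum-shares",
                                 "IPC$ accepts anonymous sessions; restrict anonymous access"))

    users = [u for u in ",".join(sections.get("smb-enum-users", [])).split(",") if u.strip()]
    if users and not authenticated:
        findings.append(("medium", "smb-enum-users",
                         "%d account names enumerable without credentials" % len(users)))

    # Calls the host refused tell you what this scan could NOT see.
    for name, lines in sections.items():
        for line in lines:
            if line.startswith("ERROR:") and "ACCESS_DENIED" in line:
                findings.append(("info", name, "denied to this scan: " + line[len("ERROR:"):].strip()))

    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, script, message in assess_smb(parse_host_scripts(SAMPLE_OUTPUT)):
        print("%-6s %-20s %s" % (severity, script, message))
```

Pass `authenticated=True` when the scan ran with smbuser/smbpass, so that account names returned by smb-enum-users are not reported as anonymously enumerable; for real deployments Nmap's XML output (-oX) is the stable interface, and this parser of the human-readable form is only for illustrating the block's structure.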

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org