Nmap Development mailing list archives

Re: Updated SMB scripts
From: jah <jah () zadkiel plus com>
Date: Mon, 29 Dec 2008 20:53:48 +0000

On 24/12/2008 01:24, Ron wrote:
> $ ./nmap -p139,445
> --script=smb-check-vulns,smb-enum-processes,smb-enum-shares,smb-os-discovery,smb-server-stats,smb-enum-domains,smb-enum-sessions,smb-enum-users,smb-security-mode,smb-system-info
> --script-args=smbuser=<username>,smbpass=<password> <host>
>
> We've been testing against all versions of Windows, Linux, Unix, Apple,
> and any other weird/embedded version that's living on Brandon's network,
> and it'll successfully scan them all (although some just return
> errors/useless information).
>
> Looking forward to hearing your results!
Here's some:

Against XP SP3 without credentials or whilst using Simple File Sharing
(as mentioned [1]):

Interesting ports on 192.168.1.11:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0F:B5:47:78:79 (Netgear)

Host script results:
|  smb-os-discovery: Windows XP
|  LAN Manager: Windows 2000 LAN Manager
|  Name: INTERWEB\INTERWEB-PRO-01
|_ System time: 2008-12-29 19:19:38 UTC+0
|  smb-security-mode: User-level authentication
|  SMB Security: Challenge/response passwords supported
|_ SMB Security: Message signing not supported

That's all verified correct.
Against the same box with admin credentials:

Interesting ports on 192.168.1.11:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0F:B5:47:78:79 (Netgear)

Host script results:
|_ smb-enum-processes: <snip>
|  smb-server-stats: 
|  Server statistics collected since 2008-12-29 19:00:15 (04m02s):
|  |_ Traffic 215170 bytes (889.13 b/s) sent, 53533 bytes (221.21 b/s) received
|  |_ Failed logins: 2
|  |_ Permission errors: 0, System errors: 0
|  |_ Print jobs spooled: 0
|_ |_ Files opened (including pipes): 13
|  smb-os-discovery: Windows XP
|  LAN Manager: Windows 2000 LAN Manager
|  Name: INTERWEB\INTERWEB-PRO-01
|_ System time: 2008-12-29 19:04:21 UTC+0
|  smb-security-mode: User-level authentication
|  SMB Security: Challenge/response passwords supported
|_ SMB Security: Message signing not supported
|  smb-enum-domains: 
|  Domain: INTERWEB-PRO-01
|   |_ SID: S-1-5-21-746137067-515967899-682003330
|   |_ Users: <snip>
|   |_ Creation time: 2007-03-18 10:58:23
|   |_ Passwords: min length: n/a; min age: n/a; max age: 42 days
|   |_ Account lockout disabled
|  Domain: Builtin
|   |_ SID: S-1-5-32
|   |_ Creation time: 2007-03-18 10:58:23
|   |_ Passwords: min length: n/a; min age: n/a; max age: 42 days
|_  |_ Account lockout disabled
|  smb-system-info: 
|  OS Details
|  |_ Microsoft Windows XP Service Pack 3, v.3264 (WinNT 5.1 build 2600)
|  |_ Installed on 2007-03-18 11:17:43
|  |_ Registered to jah (organization: home)
|  |_ Path: <snip>\x00
|  |_ Systemroot: C:\WINDOWS
|  |_ Page files: C:\pagefile.sys 1536 3072 (cleared at shutdown => 0)
|  Hardware
|  |_ CPU 0: AMD Athlon(TM) XP 2000+ [1666mhz AuthenticAMD]
|  |_ Identifier 0: x86 Family 6 Model 6 Stepping 2
|  |_ Video driver: RADEON 9250
|  Browsers
|  |_ Internet Explorer 7.0000
|_ |_ Firefox 3.0.5 (en-GB)
|  smb-enum-shares: 
|  Anonymous shares: IPC$
|_ Restricted shares: W$, E$, D$, K$, Shared Music, F$, ADMIN$, H$, C$, shared
|  smb-enum-users: 
|_ <snip>
|  smb-enum-sessions: 
|  Users logged in:
|  |_ <nobody>
|  Active SMB Sessions:
|_ |_ JAH is connected from 192.168.1.15 for [just logged in, it's probably you], idle for [not idle]

Woweee!
I've snipped a bit of info:

Processes - most impressive and all correct!  I noticed that whilst I
had two instances of one process running and several instances of
svchost.exe running, the script output only one instance of each.  It
might be useful to show each instance (and perhaps the owner of each
process) running - this might be useful for when more than one user is
logged on (not applicable to domain environments).

smb-enum-domains correctly identified every user registered on the machine.

smb-enum-users also correctly identified every user registered on the
machine, but also included the __vmware__, HelpServicesGroup and "None"
user groups and omitted 8 other groups.

smb-system-info correctly showed the system environment variable "Path",
but I note that there was an extraneous "\x00" at the end of the output.

smb-enum-sessions showed that nobody was logged in when in fact I was
logged in at the console:
SCRIPT ENGINE DEBUG: MSRPC: Found 0 SIDs that might be logged in
I can't see a reason why this should have failed, but I reproduced the
failure on a different machine at which there were two users logged-in.

Overall, a really good collection of scripts providing really useful
info and quite possibly every sysadmin's wet dream (well, almost).
Nice work!

jah

[1] - http://seclists.org/nmap-dev/2008/q4/0326.html
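The host script output quoted in the message above is what a sysadmin would want to triage across many hosts rather than read by eye. The following is an added example, not code from the post or from the Nmap project: a small parser for the normal (-oN) output format the SMB scripts print, plus a triage pass that flags the settings a pentester would act on (message signing not supported, share-level authentication, non-IPC$ shares readable without credentials, no minimum password length, account lockout disabled). The sample input is constructed from jah's own results, with the e-mail line wrapping undone; the script ids and field labels are those that appear on the page, and the rule that a script id is a lowercase hyphenated token is an assumption used to tell the first line of a result from its continuation lines.

```python
import re

# Constructed sample: jah's host-script output from the message above,
# re-assembled into the shape nmap -oN writes (e-mail wrapping undone).
# It is parser test input, not the result of a new scan.
SAMPLE_OUTPUT = """\
Interesting ports on 192.168.1.11:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0F:B5:47:78:79 (Netgear)

Host script results:
|  smb-os-discovery: Windows XP
|  LAN Manager: Windows 2000 LAN Manager
|  Name: INTERWEB\\INTERWEB-PRO-01
|_ System time: 2008-12-29 19:04:21 UTC+0
|  smb-security-mode: User-level authentication
|  SMB Security: Challenge/response passwords supported
|_ SMB Security: Message signing not supported
|  smb-enum-domains: 
|  Domain: INTERWEB-PRO-01
|   |_ SID: S-1-5-21-746137067-515967899-682003330
|   |_ Passwords: min length: n/a; min age: n/a; max age: 42 days
|   |_ Account lockout disabled
|  Domain: Builtin
|   |_ SID: S-1-5-32
|   |_ Passwords: min length: n/a; min age: n/a; max age: 42 days
|_  |_ Account lockout disabled
|  smb-enum-shares: 
|  Anonymous shares: IPC$
|_ Restricted shares: W$, E$, D$, K$, Shared Music, F$, ADMIN$, H$, C$, shared
"""

# Both the 2008-era and the current host header line are accepted.
HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for) (.+?):?$")
# Assumption: the first line of a script result carries the script id, a
# lowercase hyphenated token ("smb-enum-shares"); continuation lines such
# as "Name: ..." or "SMB Security: ..." do not match this shape.
SCRIPT_RE = re.compile(r"^\|[ _]\s+([a-z][a-z0-9-]*-[a-z0-9-]+):\s*(.*)$")


def parse_host_scripts(text):
    """Return {host: {script_id: [result lines]}} from nmap -oN output.

    Nested "|   |_" gutters are stripped so each line is just its content.
    """
    hosts, host, current = {}, None, None
    for raw in text.splitlines():
        m = HOST_RE.match(raw)
        if m:
            host, current = m.group(1), None
            hosts.setdefault(host, {})
            continue
        if host is None or not raw.startswith("|"):
            current = None          # port table, MAC line, blank line
            continue
        m = SCRIPT_RE.match(raw)
        if m:
            current = m.group(1)
            hosts[host][current] = [m.group(2)] if m.group(2) else []
        elif current is not None:
            hosts[host][current].append(re.sub(r"^[|_ ]+", "", raw))
    return hosts


def triage(scripts):
    """Turn one host's script results into a list of finding strings."""
    findings = []
    for line in scripts.get("smb-security-mode", []):
        if line.startswith("Share-level"):
            findings.append("share-level authentication (legacy, no per-user auth)")
        if "Message signing" in line and ("not supported" in line or "disabled" in line):
            findings.append("SMB message signing not enforced: " + line.split(": ", 1)[-1])
    for line in scripts.get("smb-enum-shares", []):
        if line.startswith("Anonymous shares:"):
            shares = [s.strip() for s in line.split(":", 1)[1].split(",") if s.strip()]
            # IPC$ is the named-pipe share every Windows host exposes; only
            # other anonymously listable shares are worth reporting.
            exposed = [s for s in shares if s.upper() != "IPC$"]
            if exposed:
                findings.append("shares readable without credentials: " + ", ".join(exposed))
    domain = None
    for line in scripts.get("smb-enum-domains", []):
        if line.startswith("Domain:"):
            domain = line.split(":", 1)[1].strip()
        elif line.startswith("Passwords:") and "min length: n/a" in line:
            findings.append(f"{domain}: no minimum password length")
        elif line.startswith("Account lockout disabled"):
            findings.append(f"{domain}: account lockout disabled (online guessing unthrottled)")
    return findings


def report(text):
    """{host: [findings]} for every host in an nmap -oN file."""
    return {host: triage(scripts) for host, scripts in parse_host_scripts(text).items()}


if __name__ == "__main__":
    for host, findings in report(SAMPLE_OUTPUT).items():
        print(host)
        for f in findings:
            print("  -", f)
```

To use it on a real run, save the scan with `-oN smb.txt` and pass the file contents to `report()`; the per-script line lists that `parse_host_scripts()` returns are also what you would feed further checks for the other scripts in the thread.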

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org