Nmap Development mailing list archives
Re: Updated SMB scripts
From: jah <jah () zadkiel plus com>
Date: Mon, 29 Dec 2008 20:53:48 +0000
On 24/12/2008 01:24, Ron wrote:
> $ ./nmap -p139,445 --script=smb-check-vulns,smb-enum-processes,smb-enum-shares,smb-os-discovery,smb-server-stats,smb-enum-domains,smb-enum-sessions,smb-enum-users,smb-security-mode,smb-system-info --script-args=smbuser=<username>,smbpass=<password> <host>
>
> We've been testing against all versions of Windows, Linux, Unix, Apple, and any other weird/embedded version that's living on Brandon's network, and it'll successfully scan them all (although some just return errors/useless information).
>
> Looking forward to hearing your results!
Here's some:

Against XP SP3 without credentials or whilst using Simple File Sharing (as mentioned [1]):

Interesting ports on 192.168.1.11:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0F:B5:47:78:79 (Netgear)

Host script results:
|  smb-os-discovery: Windows XP
|  LAN Manager: Windows 2000 LAN Manager
|  Name: INTERWEB\INTERWEB-PRO-01
|_ System time: 2008-12-29 19:19:38 UTC+0
|  smb-security-mode: User-level authentication
|  SMB Security: Challenge/response passwords supported
|_ SMB Security: Message signing not supported

That's all verified correct.

Against the same box with admin credentials:

Interesting ports on 192.168.1.11:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0F:B5:47:78:79 (Netgear)

Host script results:
|_ smb-enum-processes: <snip>
|  smb-server-stats:
|  Server statistics collected since 2008-12-29 19:00:15 (04m02s):
|  |_ Traffic 215170 bytes (889.13 b/s) sent, 53533 bytes (221.21 b/s) received
|  |_ Failed logins: 2
|  |_ Permission errors: 0, System errors: 0
|  |_ Print jobs spooled: 0
|_ |_ Files opened (including pipes): 13
|  smb-os-discovery: Windows XP
|  LAN Manager: Windows 2000 LAN Manager
|  Name: INTERWEB\INTERWEB-PRO-01
|_ System time: 2008-12-29 19:04:21 UTC+0
|  smb-security-mode: User-level authentication
|  SMB Security: Challenge/response passwords supported
|_ SMB Security: Message signing not supported
|  smb-enum-domains:
|  Domain: INTERWEB-PRO-01
|  |_ SID: S-1-5-21-746137067-515967899-682003330
|  |_ Users: <snip>
|  |_ Creation time: 2007-03-18 10:58:23
|  |_ Passwords: min length: n/a; min age: n/a; max age: 42 days
|  |_ Account lockout disabled
|  Domain: Builtin
|  |_ SID: S-1-5-32
|  |_ Creation time: 2007-03-18 10:58:23
|  |_ Passwords: min length: n/a; min age: n/a; max age: 42 days
|_ |_ Account lockout disabled
|  smb-system-info:
|  OS Details
|  |_ Microsoft Windows XP Service Pack 3, v.3264 (WinNT 5.1 build 2600)
|  |_ Installed on 2007-03-18 11:17:43
|  |_ Registered to jah (organization: home)
|  |_ Path: <snip>\x00
|  |_ Systemroot: C:\WINDOWS
|  |_ Page files: C:\pagefile.sys 1536 3072 (cleared at shutdown => 0)
|  Hardware
|  |_ CPU 0: AMD Athlon(TM) XP 2000+ [1666mhz AuthenticAMD]
|  |_ Identifier 0: x86 Family 6 Model 6 Stepping 2
|  |_ Video driver: RADEON 9250
|  Browsers
|  |_ Internet Explorer 7.0000
|_ |_ Firefox 3.0.5 (en-GB)
|  smb-enum-shares:
|  Anonymous shares: IPC$
|_ Restricted shares: W$, E$, D$, K$, Shared Music, F$, ADMIN$, H$, C$, shared
|  smb-enum-users:
|_ <snip>
|  smb-enum-sessions:
|  Users logged in:
|  |_ <nobody>
|  Active SMB Sessions:
|_ |_ JAH is connected from 192.168.1.15 for [just logged in, it's probably you], idle for [not idle]

Woweee! I've snipped a bit of info:

Processes - most impressive and all correct! I noticed that whilst I had two instances of one process running and several instances of svchost.exe running, the script output only one instance of each. It might be useful to show each instance (and perhaps the owner of each process) running - this might be useful for when more than one user is logged on (not applicable to domain environments).

smb-enum-domains correctly identified every user registered on the machine.

smb-enum-users also correctly identified every user registered on the machine, but also included the __vmware__, HelpServicesGroup and "None" User Groups and omitted 8 other groups.

smb-system-info correctly showed the system environment variable "Path", but I note that there was an extraneous "\x00" at the end of the output.

smb-enum-sessions showed that nobody was logged in when in fact I was logged in at the console:

SCRIPT ENGINE DEBUG: MSRPC: Found 0 SIDs that might be logged in

I can't see a reason why this should have failed, but I reproduced the failure on a different machine at which there were two users logged in.

Overall, a really good collection of scripts providing really useful info and quite possibly every sysadmin's wet dream (well almost). Nice work!
jah

[1] - http://seclists.org/nmap-dev/2008/q4/0326.html

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
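As an added illustration that is not part of jah's message or of Nmap's own code: a small Python parser for the "Host script results" block in the format shown in the scan output above. It splits the block into per-script lines (each script starts on a `| name:` line and ends on a `|_` line) and then flags the three settings a defender would act on from these particular scripts: message signing not supported (smb-security-mode), shares reachable anonymously (smb-enum-shares) and account lockout disabled (smb-enum-domains). The sample block, its IP address and MAC are constructed for the example; the field strings follow the ones in the message.

```python
import re

# Constructed sample: a trimmed copy of the output format shown in the message
# above, with a documentation IP and MAC instead of the real ones.
SAMPLE_OUTPUT = """\
Interesting ports on 192.0.2.11:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:00:5E:00:53:01 (Example)

Host script results:
|  smb-os-discovery: Windows XP
|  LAN Manager: Windows 2000 LAN Manager
|  Name: INTERWEB\\INTERWEB-PRO-01
|_ System time: 2008-12-29 19:19:38 UTC+0
|  smb-security-mode: User-level authentication
|  SMB Security: Challenge/response passwords supported
|_ SMB Security: Message signing not supported
|  smb-enum-shares:
|  Anonymous shares: IPC$
|_ Restricted shares: ADMIN$, C$, shared
|  smb-enum-domains:
|  Domain: INTERWEB-PRO-01
|  |_ Passwords: min length: n/a; min age: n/a; max age: 42 days
|_ |_ Account lockout disabled
"""

# A script's first line: "|  smb-foo: optional text" or "|_ smb-foo: text".
SCRIPT_LINE = re.compile(r"^\|[_ ]\s*(smb-[a-z0-9-]+):\s*(.*)$")
# One or more "| " / "|_ " tree prefixes at the start of a continuation line.
TREE_PREFIX = re.compile(r"^(\|[_ ]\s*)+")


def parse_host_scripts(text):
    """Return {script_name: [field lines]} for the 'Host script results' block.

    Lines before the block header are ignored; inside it, every line that
    names a new smb-* script opens a new entry, and every other '|' line is
    appended to the current script with its tree prefixes stripped.
    """
    scripts = {}
    current = None
    in_block = False
    for raw in text.splitlines():
        if raw.startswith("Host script results:"):
            in_block = True
            continue
        if not in_block or not raw.startswith("|"):
            continue
        m = SCRIPT_LINE.match(raw)
        if m:
            current = m.group(1)
            scripts[current] = [m.group(2)] if m.group(2) else []
        elif current is not None:
            scripts[current].append(TREE_PREFIX.sub("", raw).strip())
    return scripts


def flag_findings(scripts):
    """Checks a defender would run over the parsed scripts; returns a list of
    human-readable findings (empty when nothing of note was reported)."""
    findings = []
    for line in scripts.get("smb-security-mode", []):
        if "Message signing not supported" in line:
            findings.append("SMB message signing not supported: "
                            "traffic can be tampered with in transit")
    for line in scripts.get("smb-enum-shares", []):
        if line.startswith("Anonymous shares:"):
            shares = [s.strip() for s in line.split(":", 1)[1].split(",")
                      if s.strip()]
            if shares:
                findings.append("shares reachable without credentials: "
                                + ", ".join(shares))
    for line in scripts.get("smb-enum-domains", []):
        if "Account lockout disabled" in line:
            findings.append("account lockout disabled: "
                            "no throttle on repeated failed logins")
    return findings


if __name__ == "__main__":
    parsed = parse_host_scripts(SAMPLE_OUTPUT)
    for name, lines in parsed.items():
        print(name, "->", lines)
    for finding in flag_findings(parsed):
        print("FINDING:", finding)
```

The parser keys only on the `smb-` prefix and the `|`/`|_` tree markers, so it copes with scripts whose first line carries a value (`smb-os-discovery: Windows XP`) and with scripts whose first line is bare (`smb-enum-shares:`); nested `|  |_` lines are flattened to their field text, which is enough for the string checks in `flag_findings`.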