Re: Updated SMB scripts

[Ron <ron () skullsecurity net>]

jah wrote:
> Here's some:
>
> Against XP SP3 without credentials or whilst using Simple File Sharing
> (as mentioned [1]):
>
> Interesting ports on 192.168.1.11:
> PORT    STATE SERVICE
> 139/tcp open  netbios-ssn
> 445/tcp open  microsoft-ds
> MAC Address: 00:0F:B5:47:78:79 (Netgear)
>
> Host script results:
> |  smb-os-discovery: Windows XP
> |  LAN Manager: Windows 2000 LAN Manager
> |  Name: INTERWEB\INTERWEB-PRO-01
> |_ System time: 2008-12-29 19:19:38 UTC+0
> |  smb-security-mode: User-level authentication
> |  SMB Security: Challenge/response passwords supported
> |_ SMB Security: Message signing not supported
>
> That's all verified correct.
> Against the same box with admin credentials:
>
> Interesting ports on 192.168.1.11:
> PORT    STATE SERVICE
> 139/tcp open  netbios-ssn
> 445/tcp open  microsoft-ds
> MAC Address: 00:0F:B5:47:78:79 (Netgear)
>
> Host script results:
> |_ smb-enum-processes: <snip>
> |  smb-server-stats: 
> |  Server statistics collected since 2008-12-29 19:00:15 (04m02s):
> |  |_ Traffic 215170 bytes (889.13 b/s) sent, 53533 bytes (221.21 b/s)
> received
> |  |_ Failed logins: 2
> |  |_ Permission errors: 0, System errors: 0
> |  |_ Print jobs spooled: 0
> |_ |_ Files opened (including pipes): 13
> |  smb-os-discovery: Windows XP
> |  LAN Manager: Windows 2000 LAN Manager
> |  Name: INTERWEB\INTERWEB-PRO-01
> |_ System time: 2008-12-29 19:04:21 UTC+0
> |  smb-security-mode: User-level authentication
> |  SMB Security: Challenge/response passwords supported
> |_ SMB Security: Message signing not supported
> |  smb-enum-domains: 
> |  Domain: INTERWEB-PRO-01
> |   |_ SID: S-1-5-21-746137067-515967899-682003330
> |   |_ Users: <snip>
> |   |_ Creation time: 2007-03-18 10:58:23
> |   |_ Passwords: min length: n/a; min age: n/a; max age: 42 days
> |   |_ Account lockout disabled
> |  Domain: Builtin
> |   |_ SID: S-1-5-32
> |   |_ Creation time: 2007-03-18 10:58:23
> |   |_ Passwords: min length: n/a; min age: n/a; max age: 42 days
> |_  |_ Account lockout disabled
> |  smb-system-info: 
> |  OS Details
> |  |_ Microsoft Windows XP Service Pack 3, v.3264 (WinNT 5.1 build 2600)
> |  |_ Installed on 2007-03-18 11:17:43
> |  |_ Registered to jah (organization: home)
> |  |_ Path: <snip>\x00
> |  |_ Systemroot: C:\WINDOWS
> |  |_ Page files: C:\pagefile.sys 1536 3072 (cleared at shutdown => 0)
> |  Hardware
> |  |_ CPU 0: AMD Athlon(TM) XP 2000+ [1666mhz AuthenticAMD]
> |  |_ Identifier 0: x86 Family 6 Model 6 Stepping 2
> |  |_ Video driver: RADEON 9250
> |  Browsers
> |  |_ Internet Explorer 7.0000
> |_ |_ Firefox 3.0.5 (en-GB)
> |  smb-enum-shares: 
> |  Anonymous shares: IPC$
> |_ Restricted shares: W$, E$, D$, K$, Shared Music, F$, ADMIN$, H$, C$,
> shared
> |  smb-enum-users: 
> |_ <snip>
> |  smb-enum-sessions: 
> |  Users logged in:
> |  |_ <nobody>
> |  Active SMB Sessions:
> |_ |_ JAH is connected from 192.168.1.15 for [just logged in, it's
> probably you], idle for [not idle]
>
> Woweee!
> I've snipped a bit of info:
>
> Processes - most impressive and all correct!  I noticed that whilst I
> had two instances of one process running and several instances of
> svchost.exe running, the script output only one instance of each.  It
> might be useful to show each instance (and perhaps the owner of each
> process) running - this might be useful for when more than one user is
> logged on (not applicable to domain environments).
Glad everything's working!

The processes is new, and I tasked my friend with re-writing the output 
bits. Can you give it a try with -vv, -v, and no verbose and tell me 
which you prefer? We were kind of experimenting.

> smb-enum-domains correctly identified every user registered on the machine.
>
> smb-enum-users also correctly identified every user registered on the
> machine, but also included the __vmware__ , HelpServicesGroup and "None"
> User Groups and omitted 8 other groups.
That's an interesting result, I might need to tweak it a bit. Finding 
groups is pretty hit or miss.

> smb-system-info correctly showed the system environment variable "Path",
> but I note that there was an extraneous "\x00" at the end of the output.
Cool, that happens a lot. No problem to fix.

> smb-enum-sessions showed that nobody was logged in when in fact I was
> logged in at the console:
> SCRIPT ENGINE DEBUG: MSRPC: Found 0 SIDs that might be logged in
> I can't see a reason why this should have failed, but I reproduced the
> failure on a different machine at which there were two users logged-in.
Ah, I suspected there was an issue there but haven't tracked it down 
yet. There are a lot of reasons it could happen, I'll have to track it 
down.

> Overall, a really good collection of scripts providing really useful
> info and quite possibly every sysadmins wet dream (well almost).
> Nice work!
Thanks!

> jah
>
> [1] - http://seclists.org/nmap-dev/2008/q4/0326.html

Ron


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org