Nmap Development mailing list archives

Re: Conficker Scan - ERROR: SMB: Couldn't find a NetBIOS name


From: Ron <ron () skullsecurity net>
Date: Wed, 01 Apr 2009 08:58:35 -0500

Stroller wrote:
Hi there,

I'm not too worried about this, but just as an FYI I've found an error / response which seems not to have been reported by anyone else.

    Host 192.168.0.59 appears to be up ... good.
    Interesting ports on 192.168.0.59:
    PORT    STATE  SERVICE
    139/tcp open   netbios-ssn
    445/tcp closed microsoft-ds
    MAC Address: 00:12:3F:AF:AC:98 (Dell)
    Host script results:
    |  smb-check-vulns:
    |  MS08-067: NOT RUN
    |  Conficker: ERROR: SMB: Couldn't find a NetBIOS name that works for the server. Sorry!
    |_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

My knowledge of NetBIOS is pretty sketchy, but I'd have expected this machine to respond in a similar manner to all the others on the LAN as they're all on an MS domain managed by an SBS 2003 server. The only thing that's remarkable about this particular machine is that it's a laptop; there is at least one other laptop normally on the LAN, but this is the only one in the office at this time. I think that laptops are configured slightly differently by MS's domain management stuff, in that users may be assigned to a laptop to allow them to log in to the machine when the domain controller cannot be contacted, and the users are allowed to use offline caches of network file shares (which are synced when the user returns to the office). I don't know if this makes any difference.

Adjacent machines show either "Likely CLEAN" or "NT_STATUS_ACCESS_DENIED" (as per my other message).

I've attached what diagnostics I can think of,

Stroller.

Hi Stroller,

That's a bit of a tricky question, but I'll try to answer it clearly.

There are two ports that can be used for talking SMB with Windows -- 139 and 445. 445 is considered "raw", you just get up and go. 139 is considered "SMB over NetBIOS", and requires a handshake.

That handshake requires the server's name. So if you have TESTBOX314, the handshake says "Hello, TESTBOX314!". Sometimes you can use a generic name. Iirc it's "*SMBSERVE", or something like that.

In my scripts, I first check port 445. If that fails (port is closed, firewalled, etc) I fall back to port 139. But before that, I send a NetBIOS name request (essentially, nbstat) on UDP/137 to get the server's name. Then, I try negotiating 139 with the name returned (if any), and generic names. If they all fail, I give up and print that message.

Some of our servers at work have locked-down profiles, and the exact same thing happens -- port 445 is closed, and port 139 refuses to talk no matter what name is chosen.

Hopefully that helps!
Ron

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
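
The port 139 name handshake described in the reply above, as an added Python example (not code from Nmap or from either poster). It builds the session request using the RFC 1001/1002 wire format and interprets the reply; the function names, the calling name `SCANNER`, the generic name `*SMBSERVER` and the `exchange` callable standing in for the TCP/139 round trip are assumptions of this sketch.

```python
import struct

# NetBIOS session service message types and negative-response codes (RFC 1002).
SESSION_REQUEST, POSITIVE_RESPONSE, NEGATIVE_RESPONSE = 0x81, 0x82, 0x83
NEGATIVE_REASONS = {
    0x80: "not listening on called name",
    0x81: "not listening for calling name",
    0x82: "called name not present",
    0x83: "insufficient resources",
    0x8F: "unspecified error",
}

def encode_name(name, suffix=0x20):
    """First-level encode a NetBIOS name: pad to 15 bytes, append the
    suffix byte, then map each nibble to a letter 'A'..'P'."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    half = bytes(b for c in raw for b in ((c >> 4) + 0x41, (c & 0x0F) + 0x41))
    return b"\x20" + half + b"\x00"   # length byte, 32 encoded bytes, root label

def session_request(called, calling="SCANNER"):
    """Build the TCP/139 session request ("Hello, <called>!")."""
    body = encode_name(called) + encode_name(calling, suffix=0x00)
    return struct.pack(">BBH", SESSION_REQUEST, 0, len(body)) + body

def parse_response(data):
    """Return (accepted, reason) for a session service reply."""
    if len(data) < 4:
        return False, "truncated reply"
    msg_type, _flags, length = struct.unpack(">BBH", data[:4])
    if msg_type == POSITIVE_RESPONSE:
        return True, "session established"
    if msg_type == NEGATIVE_RESPONSE and length >= 1 and len(data) >= 5:
        return False, NEGATIVE_REASONS.get(data[4], "unknown code 0x%02x" % data[4])
    return False, "unexpected message type 0x%02x" % msg_type

def pick_name(candidates, exchange):
    """Try each candidate name; exchange(packet) -> reply bytes stands in
    for the TCP/139 round trip. Returns the first accepted name or None."""
    for name in candidates:
        accepted, _ = parse_response(exchange(session_request(name)))
        if accepted:
            return name
    return None

if __name__ == "__main__":
    # Constructed reply: every name refused, as with the locked-down host.
    refuse = lambda pkt: b"\x83\x00\x00\x01\x82"
    print(pick_name(["TESTBOX314", "*SMBSERVER"], refuse))
```

When `pick_name` returns `None`, every candidate was refused, which is the condition that produces the "Couldn't find a NetBIOS name" error in the scan output quoted above.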

