Nmap Development mailing list archives
smb-psexec and Windows XP
From: Ron <ron () skullsecurity net>
Date: Tue, 05 Jan 2010 21:25:23 -0600
If any of you followed my SMB development closely, you'll know I could never get the smb-psexec script (previously known as smb-pwdump) working against Windows XP. Nothing I did worked, and I tried every logical and even most illogical fixes.

Today, though, somebody brought it up again and I decided to do whatever it took to fix it. My plan was to take a packet dump of Metasploit's windows/smb/psexec module and a packet dump of mine, side by side, and make every single field in mine identical to HDMoore's till it worked. I basically did that already, months ago, but I only updated fields that might possibly be remotely relevant. This time, though, I was going to change 100% of everything till it worked.

Well, as luck would have it, the second field I changed (after flags2) was pid, or "ProcessID". From Implementing CIFS:

==
PID: The "Process ID". This value is set by the client, and is intended as an identifier for the process sending the SMB request. The most important thing to note regarding the PID is that file locking and access modes are maintained relative to the value in this field.
==

So, it's a totally irrelevant field. I always set it to 0. Turns out, setting it to anything *except* 0 totally fixes the problem.

I strongly suspect that this is a Windows bug -- it's trying to use the ProcessID handle for an identifier somewhere that it shouldn't, and it's failing as a result. I could be wrong, though.

Anyway, it's a great relief to get this working after many months of having it eat away at my soul. :)

Ron

--
Ron Bowes
http://www.skullsecurity.org/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
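The field the post is about sits in the fixed 32-byte SMB1 (CIFS) header, where the 32-bit process id is carried as two halves, PIDHigh and PIDLow. The example below is added here and is not the smb-psexec NSE script or any other Nmap code: it packs and parses that header and runs a small pre-send check that flags the zero-PID case the post describes. The command code and the sample field values are constructed for the demonstration; the field layout follows the SMB_Header definition in MS-CIFS.

```python
"""SMB1 (CIFS) header packer/parser with a check for the zero-PID pitfall.

Added example, not the smb-psexec script. Field layout follows the 32-byte
SMB_Header of MS-CIFS; sample values below are constructed.
"""
import struct
from dataclasses import dataclass

SMB_MAGIC = b"\xffSMB"
# Protocol(4) Command(1) Status(4) Flags(1) Flags2(2) PIDHigh(2)
# SecurityFeatures(8) Reserved(2) TID(2) PIDLow(2) UID(2) MID(2) = 32 bytes
HEADER_FMT = "<4sBIBHH8sHHHHH"
HEADER_LEN = struct.calcsize(HEADER_FMT)

SMB_COM_NEGOTIATE = 0x72  # command code used by the constructed sample


@dataclass
class SmbHeader:
    command: int
    status: int = 0
    flags: int = 0
    flags2: int = 0
    pid: int = 0                    # 32-bit; split into PIDHigh/PIDLow on the wire
    signature: bytes = b"\x00" * 8  # SecurityFeatures; all zero when unsigned
    tid: int = 0
    uid: int = 0
    mid: int = 0

    def pack(self) -> bytes:
        """Serialize to the 32-byte wire header."""
        return struct.pack(
            HEADER_FMT, SMB_MAGIC, self.command, self.status, self.flags,
            self.flags2, (self.pid >> 16) & 0xFFFF, self.signature, 0,
            self.tid, self.pid & 0xFFFF, self.uid, self.mid)

    @classmethod
    def unpack(cls, data: bytes) -> "SmbHeader":
        """Parse a wire header; raises ValueError on short input or bad magic."""
        if len(data) < HEADER_LEN:
            raise ValueError(f"header needs {HEADER_LEN} bytes, got {len(data)}")
        (magic, command, status, flags, flags2, pid_high, sig, _reserved,
         tid, pid_low, uid, mid) = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
        if magic != SMB_MAGIC:
            raise ValueError(f"bad protocol id {magic!r}")
        return cls(command=command, status=status, flags=flags, flags2=flags2,
                   pid=(pid_high << 16) | pid_low, signature=sig,
                   tid=tid, uid=uid, mid=mid)


def lint_header(hdr: SmbHeader) -> list[str]:
    """Return interoperability findings for a request header about to be sent.

    The single rule here is the one from the post: a PID of 0 made Windows XP
    reject the script's requests, so flag it before the packet goes out.
    """
    findings = []
    if hdr.pid == 0:
        findings.append("PID is 0: use a nonzero client process id "
                        "(Windows XP rejected smb-psexec requests with PID 0)")
    return findings


if __name__ == "__main__":
    # Constructed sample: a NEGOTIATE header as a client might build it.
    bad = SmbHeader(command=SMB_COM_NEGOTIATE, mid=1)           # pid defaults to 0
    good = SmbHeader(command=SMB_COM_NEGOTIATE, pid=0x1234, mid=1)
    for name, hdr in (("pid=0", bad), ("pid=0x1234", good)):
        raw = hdr.pack()
        assert SmbHeader.unpack(raw) == hdr   # round-trip check
        print(name, raw.hex(), lint_header(hdr) or "ok")
```

Running the block prints both headers as hex; the zero-PID one carries the finding, the other passes. Because the PID is split across bytes 12-13 (high half) and 26-27 (low half), the parser recombines the two halves rather than reading either alone.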