Nmap Development mailing list archives
[NSE] Additional information for smb-os-discovery.nse
From: Chris Woodbury <woodbusy () gmail com>
Date: Wed, 20 Apr 2011 15:32:48 -0500
I would like to propose some additions to the smb-os-discovery script, namely the following:

* DNS host name
* DNS domain name
* DNS forest name
* FQDN

This information can be retrieved from the NTLMSSP data (a.k.a. security blob) in a SMB_COM_SESSION_SETUP_ANDX response in extended-security mode. The attached patch implements this with the following changes:

* A new "get_host_info_from_security_blob()" function in smbauth.lua, which parses the information from the NTLMSSP data.
* A call to the new function in smb.start_session_extended().
* Changes to smb.get_os() to start an extended-security session to get the new information (unfortunately, this requires a second session - the hostname and domain name aren't returned in the SMB_COM_NEGOTIATE response if the extended security flag is set).
* Changes to smb-os-discovery.nse to output the new information.
* There are a few variables where I needed to handle nils explicitly in smb-os-discovery, so, for the sake of consistency, I removed the stdnse.string_or_blank() calls in smb.get_os() and did all of the nil-handling in the script. The only other script that uses smb.get_os() is smb-brute, which needed a very small change to handle the different output.
* I also made some small changes throughout smb.lua to add documentation where I thought it would help, and to fix a couple of typos that I noticed.
The output is now like so:

A domain member (showing all available info, excluding workgroup of course):

| OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 (Windows Server (R) 2008 Standard 6.0)
| Computer name: Sql2008
| Domain name: lab.test.local
| Forest name: test.local
| FQDN: Sql2008.lab.test.local
| NetBIOS computer name: SQL2008
| NetBIOS domain name: LAB
|_ System time: 2011-04-20 15:11:20 UTC-5

A standalone system:

| OS: Windows Server 2003 3790 Service Pack 2 (Windows Server 2003 5.2)
| Computer name: win2003-server
| NetBIOS computer name: WIN2003-SERVER
| Workgroup: WORKGROUP
|_ System time: 2011-04-20 15:10:19 UTC-5

A domain controller (for some reason, the DC of the child domain doesn't return the forest name, although members of the child domain do, and the forest DC does):

| OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 (Windows Server (R) 2008 Standard 6.0)
| Computer name: Lab-DC
| Domain name: lab.test.local
| FQDN: Lab-DC.lab.test.local
| NetBIOS computer name: LAB-DC
| NetBIOS domain name: LAB
|_ System time: 2011-04-20 15:10:38 UTC-7

A Windows 7 host (my Windows 7 systems return STATUS_NOT_SUPPORTED to SMB_COM_SESSION_SETUP_ANDXs with extended security, so the additional info isn't available):

| OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
| NetBIOS computer name: WIN7TEST
| Workgroup: WORKGROUP
|_ System time: 2011-04-20 15:10:18 UTC-5

I think this adds some useful information to the script results. I hope I haven't stepped on any toes. Please test out the changes and let me know what you think.

Thanks
-chris
Attachment: smb_os_discovery.patch
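The parsing step the patch describes, as an added Python example that is not part of the patch or of Nmap's smbauth.lua: it locates the NTLMSSP CHALLENGE_MESSAGE inside the security blob and walks its TargetInfo AV_PAIR list to recover the DNS computer, domain and forest names, refusing any length field that points past the data it actually has. The sample blob is constructed inline; the field names, the signature-scan approach to the SPNEGO wrapper and the prefix bytes are assumptions, not the patch's own code.

```python
import struct

# AV_PAIR ids in the CHALLENGE_MESSAGE TargetInfo list (MS-NLMP 2.2.2.1); field names are ours.
AV_IDS = {1: "netbios_computer_name", 2: "netbios_domain_name",
          3: "fqdn", 4: "dns_domain_name", 5: "dns_forest_name"}

def build_challenge(target_info: dict) -> bytes:
    """Constructed sample only: a minimal NTLMSSP Type 2 message carrying the given AV pairs."""
    av = b"".join(struct.pack("<HH", i, len(v.encode("utf-16-le"))) + v.encode("utf-16-le")
                  for i, v in target_info.items()) + struct.pack("<HH", 0, 0)  # MsvAvEOL
    hdr = b"NTLMSSP\x00" + struct.pack("<I", 2)       # Signature, MessageType = CHALLENGE
    hdr += struct.pack("<HHI", 0, 0, 48)              # TargetNameFields (empty, offset past header)
    hdr += struct.pack("<I", 0x00028215)              # NegotiateFlags (constructed value)
    hdr += b"\x11" * 8 + b"\x00" * 8                  # ServerChallenge, Reserved
    hdr += struct.pack("<HHI", len(av), len(av), 48)  # TargetInfoFields: Len, MaxLen, Offset
    return hdr + av

def get_host_info_from_security_blob(blob: bytes) -> dict:
    """Return the names a server discloses in its NTLMSSP challenge, or {} if none.

    Assumption: the blob may be SPNEGO-wrapped, so the NTLMSSP token is located by
    scanning for its signature instead of parsing the ASN.1 wrapper."""
    start = blob.find(b"NTLMSSP\x00")
    if start < 0:
        return {}
    msg = blob[start:]
    if len(msg) < 48 or struct.unpack_from("<I", msg, 8)[0] != 2:
        return {}                                     # too short, or not a CHALLENGE_MESSAGE
    ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", msg, 40)
    if ti_off + ti_len > len(msg):
        return {}                                     # TargetInfo claims bytes we do not have
    info, pos, end = {}, ti_off, ti_off + ti_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == 0 or pos + av_len > end:          # MsvAvEOL, or a value that overruns the list
            break
        if av_id in AV_IDS:
            info[AV_IDS[av_id]] = msg[pos:pos + av_len].decode("utf-16-le", "replace")
        pos += av_len
    if "fqdn" in info:                                # short host name = first label of the FQDN
        info["computer_name"] = info["fqdn"].split(".")[0]
    return info

if __name__ == "__main__":
    sample = build_challenge({1: "SQL2008", 2: "LAB", 3: "Sql2008.lab.test.local",
                              4: "lab.test.local", 5: "test.local"})
    for k, v in get_host_info_from_security_blob(b"\xa1\x81\x00" + sample).items():
        print(f"{k}: {v}")
```

A real client would also handle the STATUS_NOT_SUPPORTED case the message mentions, where the server never returns a challenge and the function simply reports nothing.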
Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/