[NSE] Additional information for smb-os-discovery.nse

[Chris Woodbury <woodbusy () gmail com>]

I would like to propose some additions to the smb-os-discovery script,
namely the following:
* DNS host name
* DNS domain name
* DNS forest name
* FQDN

This information can be retrieved from the NTLMSSP data (a.k.a.
security blob) in a SMB_COM_SESSION_SETUP_ANDX response in
extended-security mode. The attached patch implements this with the
following changes:
* A new "get_host_info_from_security_blob()" function in smbauth.lua,
which parses the information from the NTLMSSP data.
* A call to the new function in smb.start_session_extended().
* Changes to smb.get_os() to start an extended-security session to get
the new information (unfortunately, this requires a second session -
the hostname and domain name aren't returned in the SMB_COM_NEGOTIATE
response if the extended security flag is set).
* Changes to smb-os-discovery.nse to output the new information.
* There are a few variables where I needed to handle nils explicitly
in smb-os-discovery, so, for the sake of consistency, I removed the
stdnse.string_or_blank() calls in smb.get_os() and did all of the
nil-handling in the script. The only other script that uses
smb.get_os() is smb-brute, which needed a very small change to handle
the different output.
* I also made some small changes throughout smb.lua to add
documentation where I thought it would help, and to fix a couple typos
that I noticed.

The output is now like so:
A domain member (Showing all available info, excluding workgroup of course):
|   OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 (Windows
Server (R) 2008 Standard 6.0)
|   Computer name: Sql2008
|   Domain name: lab.test.local
|   Forest name: test.local
|   FQDN: Sql2008.lab.test.local
|   NetBIOS computer name: SQL2008
|   NetBIOS domain name: LAB
|_  System time: 2011-04-20 15:11:20 UTC-5

A standalone system:
|   OS: Windows Server 2003 3790 Service Pack 2 (Windows Server 2003 5.2)
|   Computer name: win2003-server
|   NetBIOS computer name: WIN2003-SERVER
|   Workgroup: WORKGROUP
|_  System time: 2011-04-20 15:10:19 UTC-5

A domain controller (for some reason, the DC of the child domain
doesn't return the forest name, although members of the child domain
do, and the forest DC does):
|   OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 (Windows
Server (R) 2008 Standard 6.0)
|   Computer name: Lab-DC
|   Domain name: lab.test.local
|   FQDN: Lab-DC.lab.test.local
|   NetBIOS computer name: LAB-DC
|   NetBIOS domain name: LAB
|_  System time: 2011-04-20 15:10:38 UTC-7

A Windows 7 host (my Windows 7 systems return STATUS_NOT_SUPPORTED to
SMB_COM_SESSION_SETUP_ANDXs with extended security, so the additional
info isn't available):
|   OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
|   NetBIOS computer name: WIN7TEST
|   Workgroup: WORKGROUP
|_  System time: 2011-04-20 15:10:18 UTC-5


I think this adds some useful information to the script results. I
hope I haven't stepped on any toes. Please test out the changes and
let me know what you think.

Thanks
-chris

Attachment: smb_os_discovery.patch
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/