Nmap Development mailing list archives

smb-psexec failed(Attacker: Windows7, Victim: Windows XP SP3)


From: kaito <kaito834 () gmail com>
Date: Mon, 4 Apr 2011 00:02:18 +0900

Hello

This is kaito.

I failed to execute the smb-psexec script for the Nmap Scripting Engine (NSE).
I tried it against Windows XP SP3 from Nmap 5.51 on Windows 7 and failed.
But I tried Windows XP SP3 from PsExec v1.98 on Windows 7
and succeeded.

The error is similar to the one in http://seclists.org/nmap-dev/2010/q1/30.
Was that nmap-dev error resolved?

I have included the output of Nmap and PsExec in this mail and attached the pcap files.

* Nmap result from Windows 7 to Windows XP SP3
--------------------------------
D:\Nmap>nmap -d --script=smb-psexec --script-args=smbuser=user_admin,smbpass=admin -p 445 192.168.0.40
Winpcap present, dynamic linked to: WinPcap version 4.1.2 (packet.dll
version 4.1.0.2001), based on libpcap version 1.0 branch 1_0_rel0b
(20091008)

Starting Nmap 5.51 ( http://nmap.org ) at 2011-04-03 23:00 東京 (標準時)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Loaded 1 scripts for scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating ARP Ping Scan at 23:00
Scanning 192.168.0.40 [1 port]
Packet capture filter (device eth6): arp and arp[18:4] = 0x000B97BE
and arp[22:2] = 0x858C
Completed ARP Ping Scan at 23:00, 0.56s elapsed (1 total hosts)
Overall sending rates: 1.78 packets / s, 74.87 bytes / s.
(snip)
Initiating SYN Stealth Scan at 23:00
Scanning 192.168.0.40 [1 port]
Packet capture filter (device eth6): dst host 192.168.0.108 and (icmp
or ((tcp or udp or sctp) and (src host 192.168.0.40)))
Discovered open port 445/tcp on 192.168.0.40
Completed SYN Stealth Scan at 23:00, 0.02s elapsed (1 total ports)
Overall sending rates: 45.45 packets / s, 2000.00 bytes / s.
NSE: Starting runlevel 1 (of 1) scan.
NSE: Starting smb-psexec against 192.168.0.40.
NSE: Script scanning 192.168.0.40.
Initiating NSE at 23:00
NSE: smb-psexec: Looking for the service file: nmap_service or nmap_service.exe
NSE: smb-psexec: Attempting to find file: nmap_service
NSE: smb-psexec: Attempting to find file: default
NSE: smb-psexec: Attempting to load config file:
D:\Nmap\nselib/data/psexec/default.lua
NSE: SMB: Attempting to log into the system to enumerate shares
NSE: SMB: Added account '' to account list
NSE: SMB: Added account 'guest' to account list
NSE: SMB: Added account 'user_admin' to account list
NSE: SMB: Found 3 shares, will attempt to find more information
NSE: SMB: Trying a random share to see if server responds properly:
nmap-share-test
NSE: SMB: Getting information for share: ADMIN$
NSE: SMB: Checking if share ADMIN$ can be read by the current user
NSE: SMB: Checking if share ADMIN$ can be read by the anonymous user
NSE: SMB: Checking if share ADMIN$ can be written by the current user
NSE: SMB: Checking if share ADMIN$ can be written by the anonymous user
NSE: SMB: Getting information for share: C$
NSE: SMB: Checking if share C$ can be read by the current user
NSE: SMB: Checking if share C$ can be read by the anonymous user
NSE: SMB: Checking if share C$ can be written by the current user
NSE: SMB: Checking if share C$ can be written by the anonymous user
NSE: SMB: Getting information for share: IPC$
NSE: SMB: Checking if share IPC$ can be read by the current user
NSE: SMB: Checking if share IPC$ can be read by the anonymous user
NSE: SMB: Checking if share IPC$ can be written by the current user
NSE: SMB: Checking if share IPC$ can be written by the anonymous user
NSE: smb-psexec: Found usable share ADMIN$ (C:\WINDOWS) (all writable
shares: ADMIN$, C$)
NSE: smb-psexec: Generated static service name: e2cf2253
NSE: smb-psexec: Generated static service name: e2cf2253
NSE: smb-psexec: Generated static service filename: 467dffff.out.tmp
NSE: smb-psexec: Generated static output filename: 9e4467fe.out
NSE: smb-psexec: Verifying uploadable executables exist
NSE: smb-psexec: Timeout waiting for a response is 38 seconds
NSE: smb-psexec: Replacing variables in the modules' fields
NSE: smb-psexec: Entering cleanup() -- errors here can generally be ignored
NSE: Stopping service: e2cf2253
NSE: smb-psexec: [cleanup] Couldn't stop service:
NT_STATUS_SERVICE_DOES_NOT_EXIST (svcctl.openservicew)
NSE: Deleting service: e2cf2253
NSE: smb-psexec: [cleanup] Couldn't delete service:
NT_STATUS_SERVICE_DOES_NOT_EXIST (svcctl.openservicew)
NSE: SMB: Couldn't delete ADMIN$\9e4452be.txt: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: SMB: Couldn't delete ADMIN$\9e4467fe.out: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: SMB: Couldn't delete ADMIN$\467dffff.out.tmp:
NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: SMB: Couldn't delete C$\9e4452be.txt: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: SMB: Couldn't delete C$\9e4467fe.out: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: SMB: Couldn't delete C$\467dffff.out.tmp: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: smb-psexec: Leaving cleanup()
NSE: smb-psexec: Uploading:
D:\Nmap\nselib/data/psexec/nmap_service.exe => \\ADMIN$\9e4452be.txt
NSE: smb-psexec: Service file successfully uploaded!
NSE: smb-psexec: Attempting to upload the modules
NSE: smb-psexec: Modules successfully uploaded!
NSE: Creating service: e2cf2253 (C:\WINDOWS\9e4452be.txt)
NSE: Starting service: e2cf2253
NSE: Opening the remote service manager
NSE: smb-psexec: Couldn't start the service:
NT_STATUS_WERR_ACCESS_DENIED (svcctl.startservicew)
NSE: smb-psexec: Entering cleanup() -- errors here can generally be ignored
NSE: Stopping service: e2cf2253
NSE: smb-psexec: [cleanup] Couldn't stop service:
NT_STATUS_SERVICE_NOT_ACTIVE (svcctl.controlservice)
NSE: Deleting service: e2cf2253
NSE: SMB: Couldn't delete ADMIN$\9e4467fe.out: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: SMB: Couldn't delete ADMIN$\467dffff.out.tmp:
NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: SMB: Couldn't delete C$\9e4452be.txt: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: SMB: Couldn't delete C$\9e4467fe.out: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: SMB: Couldn't delete C$\467dffff.out.tmp: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: smb-psexec: Leaving cleanup()
NSE: Finished smb-psexec against 192.168.0.40.
Completed NSE at 23:00, 1.20s elapsed
Nmap scan report for 192.168.0.40
Host is up, received arp-response (0.0014s latency).
Scanned at 2011-04-03 23:00:06 東京 (標準時) for 2s
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack
MAC Address: 00:0C:29:F3:E8:6B (VMware)

Host script results:
| smb-psexec:
|_  ERROR: Couldn't start the service on the remote machine:
NT_STATUS_WERR_ACCESS_DENIED (svcctl.startservicew)
Final times for host: srtt: 1375 rttvar: 4500  to: 100000

NSE: Starting runlevel 1 (of 1) scan.
Read from D:\Nmap: nmap-mac-prefixes nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 3.37 seconds
           Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
--------------------------------

* PsExec result from Windows 7 to Windows XP SP3
--------------------------------
D:\PsTools>psexec \\192.168.0.40 -u user_admin -p admin ipconfig

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

Windows IP Configuration

Ethernet adapter ローカル エリア接続:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.0.40
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
ipconfig exited on 192.168.0.40 with error code 0.
--------------------------------


-- 
kaito <kaito834 () gmail com>
Blog: http://d.hatena.ne.jp/kaito834/
Twitter: http://twitter.com/kaito834/

Attachment: smb-psexec_failed_ToXPSP3.zip
Description:
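For anyone comparing the two runs, here is an added example (my own code, not Nmap's and not the poster's) that parses the NSE debug lines quoted above and reconstructs the remote-service lifecycle smb-psexec goes through: upload to a writable admin share, service creation, service start, and cleanup. It separates the fatal start failure from the cleanup errors the script itself says can generally be ignored, and checks that the service binary path resolves to the uploaded file through the ADMIN$ => C:\WINDOWS mapping the script reports. The sample log is constructed from lines in this mail (wrapped lines joined back together); the regular expressions assume the debug wording of Nmap 5.51 and may need adjusting for other versions.

```python
"""Reconstruct the smb-psexec remote-service lifecycle from NSE debug output.

Added example; not Nmap code. The regexes match the debug wording quoted
from Nmap 5.51 in the mail above; other releases may word these lines differently.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: key lines copied from the Nmap debug output in the mail,
# with the lines the mail client had wrapped joined back together.
SAMPLE_LOG = r"""
NSE: smb-psexec: Found usable share ADMIN$ (C:\WINDOWS) (all writable shares: ADMIN$, C$)
NSE: smb-psexec: Generated static service name: e2cf2253
NSE: smb-psexec: Uploading: D:\Nmap\nselib/data/psexec/nmap_service.exe => \\ADMIN$\9e4452be.txt
NSE: smb-psexec: Service file successfully uploaded!
NSE: Creating service: e2cf2253 (C:\WINDOWS\9e4452be.txt)
NSE: Starting service: e2cf2253
NSE: smb-psexec: Couldn't start the service: NT_STATUS_WERR_ACCESS_DENIED (svcctl.startservicew)
NSE: smb-psexec: Entering cleanup() -- errors here can generally be ignored
NSE: Stopping service: e2cf2253
NSE: smb-psexec: [cleanup] Couldn't stop service: NT_STATUS_SERVICE_NOT_ACTIVE (svcctl.controlservice)
NSE: Deleting service: e2cf2253
NSE: SMB: Couldn't delete C$\9e4452be.txt: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: smb-psexec: Leaving cleanup()
"""

SHARE_RE = re.compile(r"Found usable share (\S+) \(([^)]+)\)")
UPLOAD_RE = re.compile(r"Uploading: (.+?) => (.+)$")
CREATE_RE = re.compile(r"Creating service: (\S+) \((.+)\)$")
START_RE = re.compile(r"Starting service: (\S+)$")
# The RPC call in parentheses is present on svcctl errors but absent on file deletes.
ERROR_RE = re.compile(r"Couldn't (.+?): (NT_STATUS_\w+)(?: \((\S+)\))?")


@dataclass
class Lifecycle:
    share: Optional[str] = None          # writable share the script chose, e.g. ADMIN$
    share_root: Optional[str] = None     # local path behind that share, e.g. C:\WINDOWS
    uploaded_to: Optional[str] = None    # UNC-style target of the service file upload
    service_name: Optional[str] = None
    service_binary: Optional[str] = None
    start_attempted: bool = False
    errors: list = field(default_factory=list)          # (action, status, rpc_call) outside cleanup
    cleanup_errors: list = field(default_factory=list)  # same shape, raised inside cleanup()


def parse_lifecycle(text: str) -> Lifecycle:
    """Walk the debug lines once, tracking whether we are inside cleanup()."""
    lc = Lifecycle()
    in_cleanup = False
    for line in text.splitlines():
        line = line.strip()
        if "Entering cleanup()" in line:
            in_cleanup = True
            continue
        if "Leaving cleanup()" in line:
            in_cleanup = False
            continue
        if m := SHARE_RE.search(line):
            lc.share, lc.share_root = m.group(1), m.group(2)
        elif m := UPLOAD_RE.search(line):
            lc.uploaded_to = m.group(2).strip()
        elif m := CREATE_RE.search(line):
            lc.service_name, lc.service_binary = m.group(1), m.group(2)
        elif START_RE.search(line):
            lc.start_attempted = True
        elif m := ERROR_RE.search(line):
            rec = (m.group(1), m.group(2), m.group(3))
            (lc.cleanup_errors if in_cleanup else lc.errors).append(rec)
    return lc


def resolve_share_path(lc: Lifecycle) -> Optional[str]:
    """Map the \\SHARE\file upload target onto the local path using the reported share root."""
    if not (lc.share and lc.share_root and lc.uploaded_to):
        return None
    prefix = "\\\\" + lc.share + "\\"
    if not lc.uploaded_to.startswith(prefix):
        return None
    return lc.share_root.rstrip("\\") + "\\" + lc.uploaded_to[len(prefix):]


def failing_step(lc: Lifecycle) -> Optional[str]:
    """Name the first step that failed outside cleanup(), or None if all steps succeeded."""
    if not lc.uploaded_to:
        return "upload"
    if not lc.service_name:
        return "create"
    for action, status, call in lc.errors:
        if action.startswith("start"):
            return f"start ({status} via {call})"
    return None


def report(text: str) -> dict:
    lc = parse_lifecycle(text)
    return {
        "service": lc.service_name,
        "binary": lc.service_binary,
        "binary_matches_upload": resolve_share_path(lc) == lc.service_binary,
        "failing_step": failing_step(lc),
        "ignorable_cleanup_errors": len(lc.cleanup_errors),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample, the report shows the uploaded file and the service binary agree (ADMIN$\9e4452be.txt is C:\WINDOWS\9e4452be.txt), so the failure is isolated to the service start returning NT_STATUS_WERR_ACCESS_DENIED from svcctl.startservicew, while the two cleanup errors are the expected noise from tearing down a service that never ran.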

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
