Nmap Development mailing list archives
Re: [NSE]smb-psexec failed(Attacker: Windows 7, Victim: Windows 7)
From: kaito <kaito834 () gmail com>
Date: Wed, 6 Apr 2011 00:49:48 +0900
Hello, Ron,

Thank you for your reply.

I downloaded the latest source of Nmap, revision 22858, and built Nmap on Ubuntu 8.04; I am sorry, there is no development environment on Windows 7, so I used Ubuntu. Using that Nmap, I tried the smb-psexec script from the Ubuntu host against Windows 7. But I failed too :( The result is the following, and I attached a pcap file; the file is 20110406-nmap.pcap.

--------------------------------
# ./nmap -V
Nmap version 5.51SVN ( http://nmap.org )
Platform: i686-pc-linux-gnu
Compiled with: nmap-liblua-5.1.3 nmap-libpcre-7.6 nmap-libpcap-1.1.1 nmap-libdnet-1.12 ipv6
Compiled without: openssl

# ./nmap -d --script=smb-psexec --script-args=smbuser=user_admin,smbpass=admin -p 445 192.168.0.50
Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-04-06 00:11 JST
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Loaded 1 scripts for scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating ARP Ping Scan at 00:11
Scanning 192.168.0.50 [1 port]
Packet capture filter (device eth0): arp and arp[18:4] = 0x000C29B7 and arp[22:2] = 0x33A8
Completed ARP Ping Scan at 00:11, 0.06s elapsed (1 total hosts)
Overall sending rates: 15.88 packets / s, 667.05 bytes / s.
(snip)
Completed Parallel DNS resolution of 1 host. at 00:11, 0.25s elapsed
DNS resolution of 1 IPs took 0.25s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 00:11
Scanning 192.168.0.50 [1 port]
Packet capture filter (device eth0): dst host 192.168.0.101 and (icmp or ((tcp or udp or sctp) and (src host 192.168.0.50)))
Discovered open port 445/tcp on 192.168.0.50
Completed SYN Stealth Scan at 00:11, 0.09s elapsed (1 total ports)
Overall sending rates: 11.03 packets / s, 485.30 bytes / s.
NSE: Starting runlevel 1 (of 1) scan.
NSE: Starting smb-psexec against 192.168.0.50.
NSE: Script scanning 192.168.0.50.
Initiating NSE at 00:11
NSE: smb-psexec: Looking for the service file: nmap_service or nmap_service.exe
NSE: smb-psexec: Attempting to find file: nmap_service
NSE: smb-psexec: Attempting to find file: default
NSE: smb-psexec: Attempting to load config file: /usr/local/nmap/bin/nselib/data/psexec/default.lua
NSE: SMB: Attempting to log into the system to enumerate shares
NSE: SMB: Added account '' to account list
NSE: SMB: Added account 'guest' to account list
NSE: SMB: Added account 'user_admin' to account list
NSE: SMB: Extended login to 192.168.0.50 as \user_admin failed (NT_STATUS_NOT_SUPPORTED)
NSE: SMB: Extended login to 192.168.0.50 as \guest failed (NT_STATUS_NOT_SUPPORTED)
NSE: SMB: Extended login to 192.168.0.50 as \<blank> failed (NT_STATUS_NOT_SUPPORTED)
NSE: SMB: Enumerating shares failed, guessing at common ones (No accounts left to try)
NSE: SMB: Extended login to 192.168.0.50 as \<blank> failed (NT_STATUS_NOT_SUPPORTED)
NSE: SMB: ERROR: All logins failed, sorry it didn't work out!
NSE: Finished smb-psexec against 192.168.0.50.
Completed NSE at 00:11, 0.29s elapsed
Nmap scan report for 192.168.0.50
Host is up, received arp-response (0.010s latency).
Scanned at 2011-04-06 00:11:39 JST for 1s
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack
MAC Address: 00:0C:29:75:ED:ED (VMware)

Host script results:
| smb-psexec:
|_  ERROR: NT_STATUS_NOT_SUPPORTED (May not have an administrator account)

Final times for host: srtt: 10327 rttvar: 9003 to: 100000
NSE: Starting runlevel 1 (of 1) scan.
Read from /usr/local/nmap/bin/../share/nmap: nmap-mac-prefixes nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 1.02 seconds
           Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
--------------------------------
> The other thing to try is adding:
> --script-args=smbtype=nvlmv2
Was the option mistyped? I think "ntlmv2" is correct. I tried the smb-psexec script with it, but failed :( The result is the following, and I attached a pcap file; the file is 20110406-nmap-ntlmv2.pcap.

--------------------------------
# ./nmap -d --script=smb-psexec --script-args=smbuser=user_admin,smbpass=admin,smbtype=ntlmv2 -p 445 192.168.0.50
Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-04-06 00:22 JST
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Loaded 1 scripts for scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating ARP Ping Scan at 00:22
Scanning 192.168.0.50 [1 port]
Packet capture filter (device eth0): arp and arp[18:4] = 0x000C29B7 and arp[22:2] = 0x33A8
Completed ARP Ping Scan at 00:22, 0.06s elapsed (1 total hosts)
Overall sending rates: 16.84 packets / s, 707.13 bytes / s.
(snip)
Completed Parallel DNS resolution of 1 host. at 00:22, 0.04s elapsed
DNS resolution of 1 IPs took 0.04s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 00:22
Scanning 192.168.0.50 [1 port]
Packet capture filter (device eth0): dst host 192.168.0.101 and (icmp or ((tcp or udp or sctp) and (src host 192.168.0.50)))
Discovered open port 445/tcp on 192.168.0.50
Completed SYN Stealth Scan at 00:22, 0.09s elapsed (1 total ports)
Overall sending rates: 11.66 packets / s, 512.96 bytes / s.
NSE: Starting runlevel 1 (of 1) scan.
NSE: Starting smb-psexec against 192.168.0.50.
NSE: Script scanning 192.168.0.50.
Initiating NSE at 00:22
NSE: smb-psexec: Looking for the service file: nmap_service or nmap_service.exe
NSE: smb-psexec: Attempting to find file: nmap_service
NSE: smb-psexec: Attempting to find file: default
NSE: smb-psexec: Attempting to load config file: /usr/local/nmap/bin/nselib/data/psexec/default.lua
NSE: SMB: Attempting to log into the system to enumerate shares
NSE: SMB: Added account '' to account list
NSE: SMB: Added account 'guest' to account list
NSE: SMB: Added account 'user_admin' to account list
NSE: SMB: Extended login to 192.168.0.50 as \user_admin failed (NT_STATUS_NOT_SUPPORTED)
NSE: SMB: Extended login to 192.168.0.50 as \guest failed (NT_STATUS_NOT_SUPPORTED)
NSE: SMB: Extended login to 192.168.0.50 as \<blank> failed (NT_STATUS_NOT_SUPPORTED)
NSE: SMB: Enumerating shares failed, guessing at common ones (No accounts left to try)
NSE: SMB: Extended login to 192.168.0.50 as \<blank> failed (NT_STATUS_NOT_SUPPORTED)
NSE: SMB: ERROR: All logins failed, sorry it didn't work out!
NSE: Finished smb-psexec against 192.168.0.50.
Completed NSE at 00:22, 0.02s elapsed
Nmap scan report for 192.168.0.50
Host is up, received arp-response (0.0044s latency).
Scanned at 2011-04-06 00:22:09 JST for 0s
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack
MAC Address: 00:0C:29:75:ED:ED (VMware)

Host script results:
| smb-psexec:
|_  ERROR: NT_STATUS_NOT_SUPPORTED (May not have an administrator account)

Final times for host: srtt: 4405 rttvar: 10882 to: 100000
NSE: Starting runlevel 1 (of 1) scan.
Read from /usr/local/nmap/bin/../share/nmap: nmap-mac-prefixes nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.52 seconds
           Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
--------------------------------

kaito

On 4 April 2011 at 5:37, Ron <ron () skullsecurity net> wrote:
> It looks like the login failed on Nmap. I *think* I fixed a bug related to logins failing fairly recently, but I could be wrong. Can you try the latest svn version and see if it works?
>
> The other thing to try is adding:
> --script-args=smbtype=nvlmv2
>
> Right now I'm defaulting the hashtype to NTLMv1. I think I'm going to update the scripts, at some point, and default it to NTLMv2. I don't see any reason not to.
>
> Ron
>
> On Mon, 4 Apr 2011 00:44:21 +0900 kaito <kaito834 () gmail com> wrote:
> > Hello, this is kaito.
> >
> > I failed to execute the smb-psexec script for the Nmap Scripting Engine (NSE). I tried against Windows 7 from Nmap 5.51 on another Windows 7 and failed. But I tried against Windows 7 from PsExec v1.98 on Windows 7 and succeeded. I configured the registry value "LocalAccountTokenFilterPolicy" to DWORD 1 on the victim Windows 7; the registry key is explained at the following URL.
> > http://technet.microsoft.com/en-us/library/ee844186%28WS.10%29.aspx
> > Therefore, I think, PsExec was successful.
> >
> > I wrote the output of Nmap and PsExec in this mail, and attached pcap files.
> >
> > * Nmap result from Windows 7 to another Windows 7
> > --------------------------------
> > D:\Nmap>nmap -d --script=smb-psexec --script-args=smbuser=user_admin,smbpass=admin -p 445 192.168.0.50
> > Winpcap present, dynamic linked to: WinPcap version 4.1.2 (packet.dll version 4.1.0.2001), based on libpcap version 1.0 branch 1_0_rel0b (20091008)
> > Starting Nmap 5.51 ( http://nmap.org ) at 2011-04-03 22:44 Tokyo (Standard Time)
> > --------------- Timing report ---------------
> >   hostgroups: min 1, max 100000
> >   rtt-timeouts: init 1000, min 100, max 10000
> >   max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
> >   parallelism: min 0, max 0
> >   max-retries: 10, host-timeout: 0
> >   min-rate: 0, max-rate: 0
> > ---------------------------------------------
> > NSE: Loaded 1 scripts for scanning.
> > NSE: Starting runlevel 1 (of 1) scan.
> > Initiating ARP Ping Scan at 22:44
> > Scanning 192.168.0.50 [1 port]
> > Packet capture filter (device eth6): arp and arp[18:4] = 0x000B97BE and arp[22:2] = 0x858C
> > Completed ARP Ping Scan at 22:44, 0.59s elapsed (1 total hosts)
> > Overall sending rates: 1.69 packets / s, 71.19 bytes / s.
> > (snip)
> > DNS resolution of 1 IPs took 0.09s. Mode: Async [#: 7, OK: 0, NX: 1, DR: 0, SF:0, TR: 1, CN: 0]
> > Initiating SYN Stealth Scan at 22:44
> > Scanning 192.168.0.50 [1 port]
> > Packet capture filter (device eth6): dst host 192.168.0.108 and (icmp or ((tcp or udp or sctp) and (src host 192.168.0.50)))
> > Discovered open port 445/tcp on 192.168.0.50
> > Completed SYN Stealth Scan at 22:44, 0.03s elapsed (1 total ports)
> > Overall sending rates: 35.71 packets / s, 1571.43 bytes / s.
> > NSE: Starting runlevel 1 (of 1) scan.
> > NSE: Starting smb-psexec against 192.168.0.50.
> > NSE: Script scanning 192.168.0.50.
> > Initiating NSE at 22:44
> > NSE: smb-psexec: Looking for the service file: nmap_service or nmap_service.exe
> > NSE: smb-psexec: Attempting to find file: nmap_service
> > NSE: smb-psexec: Attempting to find file: default
> > NSE: smb-psexec: Attempting to load config file: D:\Nmap\nselib/data/psexec/default.lua
> > NSE: SMB: Attempting to log into the system to enumerate shares
> > NSE: SMB: Added account '' to account list
> > NSE: SMB: Added account 'guest' to account list
> > NSE: SMB: Added account 'user_admin' to account list
> > NSE: SMB: Extended login as \user_admin failed (NT_STATUS_NOT_SUPPORTED)
> > NSE: SMB: Extended login as \guest failed (NT_STATUS_NOT_SUPPORTED)
> > NSE: SMB: Extended login as \<blank> failed (NT_STATUS_NOT_SUPPORTED)
> > NSE: SMB: Enumerating shares failed, guessing at common ones (No accounts left to try)
> > NSE: SMB: Extended login as \<blank> failed (NT_STATUS_NOT_SUPPORTED)
> > NSE: SMB: ERROR: All logins failed, sorry it didn't work out!
> > NSE: Finished smb-psexec against 192.168.0.50.
> > Completed NSE at 22:44, 0.21s elapsed
> > Nmap scan report for 192.168.0.50
> > Host is up, received arp-response (0.0022s latency).
> > Scanned at 2011-04-03 22:44:20 Tokyo (Standard Time) for 1s
> > PORT    STATE SERVICE      REASON
> > 445/tcp open  microsoft-ds syn-ack
> > MAC Address: 00:0C:29:75:ED:ED (VMware)
> >
> > Host script results:
> > | smb-psexec:
> > |_  ERROR: NT_STATUS_NOT_SUPPORTED (May not have an administrator account)
> >
> > Final times for host: srtt: 2250 rttvar: 6250 to: 100000
> > NSE: Starting runlevel 1 (of 1) scan.
> > Read from D:\Nmap: nmap-mac-prefixes nmap-payloads nmap-services.
> > Nmap done: 1 IP address (1 host up) scanned in 3.06 seconds
> >            Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
> > --------------------------------
> >
> > * PsExec result from Windows 7 to another Windows 7
> > --------------------------------
> > D:\PsTools>psexec \\192.168.0.50 -u user_admin -p admin ipconfig
> >
> > PsExec v1.98 - Execute processes remotely
> > Copyright (C) 2001-2010 Mark Russinovich
> > Sysinternals - www.sysinternals.com
> >
> > Windows IP Configuration
> >
> > Ethernet adapter Local Area Connection:
> >
> >    Connection-specific DNS Suffix  . :
> >    Link-local IPv6 Address . . . . . : fe80::6cfa:6faa:5805:71d2%11
> >    IPv4 Address. . . . . . . . . . . : 192.168.0.50
> >    Subnet Mask . . . . . . . . . . . : 255.255.255.0
> >    Default Gateway . . . . . . . . . : 192.168.0.1
> >
> > Tunnel adapter isatap.{D9412E54-B207-497F-ACF1-A74FAD2C26C6}:
> >
> >    Media State . . . . . . . . . . . : Media disconnected
> >    Connection-specific DNS Suffix  . :
> >
> > Tunnel adapter Local Area Connection* 9:
> >
> >    Connection-specific DNS Suffix  . :
> >    IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:24a3:fba8:2575:aff6
> >    Link-local IPv6 Address . . . . . : fe80::24a3:fba8:2575:aff6%12
> >    Default Gateway . . . . . . . . . : ::
> > ipconfig exited on 192.168.0.50 with error code 0.
> > --------------------------------
> >
> > --
> > kaito <kaito834 () gmail com>
> > Blog: http://d.hatena.ne.jp/kaito834/
> > Twitter: http://twitter.com/kaito834/
--
kaito <kaito834 () gmail com>
Blog: http://d.hatena.ne.jp/kaito834/
Twitter: http://twitter.com/kaito834/
Attachment: 20110406-nmap.zip
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
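Ron's reply above turns on the hash type: the scripts default to NTLMv1 and smbtype=ntlmv2 switches the session setup to NTLMv2. What follows is an added example written for this archive page, not code from Nmap's smb library or from anyone in the thread. It computes, in pure Python, the NT hash that smbpass= is turned into and the NTLMv2 response (NTOWFv2 and NTProofStr as named in MS-NLMP) that a client sends when NTLMv2 is selected. MD4 is implemented inline because hashlib on current OpenSSL builds frequently has no md4. The user, domain, password, challenges and target-info AV pairs are constructed sample values, not taken from the captures in the thread.

```python
"""NTLMv2 response computation (MS-NLMP), self-contained.

Added example for this thread; not code from Nmap's smb.lua or from the
posters. All sample inputs in demo() are constructed.
"""
import hmac
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); used because hashlib often lacks md4."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda v, s: ((v << s) | (v >> (32 - s))) & MASK32

    # Padding: 0x80, zeros to 56 mod 64, then 64-bit little-endian bit length.
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    order2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    order3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1
            a = rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = rotl((a + g(b, c, d) + x[order2[i]] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = rotl((a + h(b, c, d) + x[order3[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password. This is what smbpass= becomes."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(user: str, domain: str, password: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(upper(user) || domain)).
    Only the user name is upper-cased; the domain is used as given."""
    key = nt_hash(password)
    return hmac.new(key, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def av_pair(av_id: int, value: str) -> bytes:
    """One AV_PAIR of the target info (AvId, AvLen, UTF-16LE value)."""
    v = value.encode("utf-16-le")
    return struct.pack("<HH", av_id, len(v)) + v


def ntlmv2_response(user, domain, password, server_challenge, client_challenge, timestamp, target_info):
    """Return (NTProofStr, NtChallengeResponse) for an AUTHENTICATE_MESSAGE.
    timestamp is a FILETIME (100 ns units since 1601-01-01)."""
    if len(server_challenge) != 8 or len(client_challenge) != 8:
        raise ValueError("challenges must be 8 bytes")
    # "temp" blob: RespType 1, HiRespType 1, 6 reserved, time, client nonce, 4 reserved, AV pairs, 4 reserved
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    nt_proof = hmac.new(ntowf_v2(user, domain, password), server_challenge + temp, "md5").digest()
    return nt_proof, nt_proof + temp


def demo():
    """Constructed sample exchange (assumed values, not from the thread's pcaps)."""
    server_challenge = bytes.fromhex("0123456789abcdef")   # from CHALLENGE_MESSAGE
    client_challenge = bytes.fromhex("aaaaaaaaaaaaaaaa")   # client nonce
    target_info = (av_pair(0x0002, "Domain")    # MsvAvNbDomainName
                   + av_pair(0x0001, "Server")  # MsvAvNbComputerName
                   + av_pair(0x0000, ""))       # MsvAvEOL
    proof, resp = ntlmv2_response("User", "Domain", "Password",
                                  server_challenge, client_challenge, 0, target_info)
    return proof.hex(), resp.hex()


if __name__ == "__main__":
    p, r = demo()
    print("NTProofStr         :", p)
    print("NtChallengeResponse:", r)
```

The response is HMAC-MD5 over the server challenge and a blob that carries the client nonce and the server's target info, so a captured NTLMv2 exchange cannot be replayed against another challenge and the server name in the AV pairs is bound into the proof; neither property holds for the DES-based NTLMv1 response that the scripts were still sending by default when this thread was written.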
Current thread:
- [NSE]smb-psexec failed(Attacker: Windows 7, Victim: Windows 7) kaito (Apr 03)
- Re: [NSE]smb-psexec failed(Attacker: Windows 7, Victim: Windows 7) Ron (Apr 03)
- Re: [NSE]smb-psexec failed(Attacker: Windows 7, Victim: Windows 7) kaito (Apr 05)
- Re: [NSE]smb-psexec failed(Attacker: Windows 7, Victim: Windows 7) Ron (Apr 03)