Nmap Development mailing list archives

Re: [NSE]smb-psexec failed(Attacker: Windows 7, Victim: Windows 7)


From: kaito <kaito834 () gmail com>
Date: Wed, 6 Apr 2011 00:49:48 +0900

Hello, Ron,

Thank you for your reply.

I downloaded the latest source of Nmap, revision 22858, and
built Nmap on Ubuntu 8.04; I am sorry there is no development
environment on Windows 7, so I used Ubuntu.

Using that Nmap, I tried the smb-psexec script from the Ubuntu host
against Windows 7. But it failed too :(

The result is the following, and I attached pcap file;
the file is 20110406-nmap.pcap.

--------------------------------
# ./nmap -V

Nmap version 5.51SVN ( http://nmap.org )
Platform: i686-pc-linux-gnu
Compiled with: nmap-liblua-5.1.3 nmap-libpcre-7.6 nmap-libpcap-1.1.1
nmap-libdnet-1.12 ipv6
Compiled without: openssl

# ./nmap -d --script=smb-psexec
--script-args=smbuser=user_admin,smbpass=admin -p 445 192.168.0.50

Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-04-06 00:11 JST
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Loaded 1 scripts for scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating ARP Ping Scan at 00:11
Scanning 192.168.0.50 [1 port]
Packet capture filter (device eth0): arp and arp[18:4] = 0x000C29B7
and arp[22:2] = 0x33A8
Completed ARP Ping Scan at 00:11, 0.06s elapsed (1 total hosts)
Overall sending rates: 15.88 packets / s, 667.05 bytes / s.
(snip)
Completed Parallel DNS resolution of 1 host. at 00:11, 0.25s elapsed
DNS resolution of 1 IPs took 0.25s. Mode: Async [#: 2, OK: 0, NX: 1,
DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 00:11
Scanning 192.168.0.50 [1 port]
Packet capture filter (device eth0): dst host 192.168.0.101 and (icmp
or ((tcp or udp or sctp) and (src host 192.168.0.50)))
Discovered open port 445/tcp on 192.168.0.50
Completed SYN Stealth Scan at 00:11, 0.09s elapsed (1 total ports)
Overall sending rates: 11.03 packets / s, 485.30 bytes / s.
NSE: Starting runlevel 1 (of 1) scan.
NSE: Starting smb-psexec against 192.168.0.50.
NSE: Script scanning 192.168.0.50.
Initiating NSE at 00:11
NSE: smb-psexec: Looking for the service file: nmap_service or nmap_service.exe
NSE: smb-psexec: Attempting to find file: nmap_service
NSE: smb-psexec: Attempting to find file: default
NSE: smb-psexec: Attempting to load config file:
/usr/local/nmap/bin/nselib/data/psexec/default.lua
NSE: SMB: Attempting to log into the system to enumerate shares
NSE: SMB: Added account '' to account list
NSE: SMB: Added account 'guest' to account list
NSE: SMB: Added account 'user_admin' to account list
NSE: SMB: Extended login to 192.168.0.50 as \user_admin failed
(NT_STATUS_NOT_SUPPORTED)
NSE: SMB: Extended login to 192.168.0.50 as \guest failed
(NT_STATUS_NOT_SUPPORTED)
NSE: SMB: Extended login to 192.168.0.50 as \<blank> failed
(NT_STATUS_NOT_SUPPORTED)
NSE: SMB: Enumerating shares failed, guessing at common ones (No
accounts left to try)
NSE: SMB: Extended login to 192.168.0.50 as \<blank> failed
(NT_STATUS_NOT_SUPPORTED)
NSE: SMB: ERROR: All logins failed, sorry it didn't work out!
NSE: Finished smb-psexec against 192.168.0.50.
Completed NSE at 00:11, 0.29s elapsed
Nmap scan report for 192.168.0.50
Host is up, received arp-response (0.010s latency).
Scanned at 2011-04-06 00:11:39 JST for 1s
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack
MAC Address: 00:0C:29:75:ED:ED (VMware)

Host script results:
| smb-psexec:
|_  ERROR: NT_STATUS_NOT_SUPPORTED (May not have an administrator account)
Final times for host: srtt: 10327 rttvar: 9003  to: 100000

NSE: Starting runlevel 1 (of 1) scan.
Read from /usr/local/nmap/bin/../share/nmap: nmap-mac-prefixes
nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 1.02 seconds
           Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
--------------------------------

The other thing to try is adding:
--script-args=smbtype=nvlmv2

Was the option mistyped? I think "ntlmv2" is correct.
I tried the smb-psexec script with it, but it failed :(
The result is the following, and I attached pcap file;
the file is 20110406-nmap-ntlmv2.pcap.

--------------------------------
# ./nmap -d --script=smb-psexec
--script-args=smbuser=user_admin,smbpass=admin,smbtype=ntlmv2 -p 445
192.168.0.50

Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-04-06 00:22 JST
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Loaded 1 scripts for scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating ARP Ping Scan at 00:22
Scanning 192.168.0.50 [1 port]
Packet capture filter (device eth0): arp and arp[18:4] = 0x000C29B7
and arp[22:2] = 0x33A8
Completed ARP Ping Scan at 00:22, 0.06s elapsed (1 total hosts)
Overall sending rates: 16.84 packets / s, 707.13 bytes / s.
(snip)
Completed Parallel DNS resolution of 1 host. at 00:22, 0.04s elapsed
DNS resolution of 1 IPs took 0.04s. Mode: Async [#: 2, OK: 0, NX: 1,
DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 00:22
Scanning 192.168.0.50 [1 port]
Packet capture filter (device eth0): dst host 192.168.0.101 and (icmp
or ((tcp or udp or sctp) and (src host 192.168.0.50)))
Discovered open port 445/tcp on 192.168.0.50
Completed SYN Stealth Scan at 00:22, 0.09s elapsed (1 total ports)
Overall sending rates: 11.66 packets / s, 512.96 bytes / s.
NSE: Starting runlevel 1 (of 1) scan.
NSE: Starting smb-psexec against 192.168.0.50.
NSE: Script scanning 192.168.0.50.
Initiating NSE at 00:22
NSE: smb-psexec: Looking for the service file: nmap_service or nmap_service.exe
NSE: smb-psexec: Attempting to find file: nmap_service
NSE: smb-psexec: Attempting to find file: default
NSE: smb-psexec: Attempting to load config file:
/usr/local/nmap/bin/nselib/data/psexec/default.lua
NSE: SMB: Attempting to log into the system to enumerate shares
NSE: SMB: Added account '' to account list
NSE: SMB: Added account 'guest' to account list
NSE: SMB: Added account 'user_admin' to account list
NSE: SMB: Extended login to 192.168.0.50 as \user_admin failed
(NT_STATUS_NOT_SUPPORTED)
NSE: SMB: Extended login to 192.168.0.50 as \guest failed
(NT_STATUS_NOT_SUPPORTED)
NSE: SMB: Extended login to 192.168.0.50 as \<blank> failed
(NT_STATUS_NOT_SUPPORTED)
NSE: SMB: Enumerating shares failed, guessing at common ones (No
accounts left to try)
NSE: SMB: Extended login to 192.168.0.50 as \<blank> failed
(NT_STATUS_NOT_SUPPORTED)
NSE: SMB: ERROR: All logins failed, sorry it didn't work out!
NSE: Finished smb-psexec against 192.168.0.50.
Completed NSE at 00:22, 0.02s elapsed
Nmap scan report for 192.168.0.50
Host is up, received arp-response (0.0044s latency).
Scanned at 2011-04-06 00:22:09 JST for 0s
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack
MAC Address: 00:0C:29:75:ED:ED (VMware)

Host script results:
| smb-psexec:
|_  ERROR: NT_STATUS_NOT_SUPPORTED (May not have an administrator account)
Final times for host: srtt: 4405 rttvar: 10882  to: 100000

NSE: Starting runlevel 1 (of 1) scan.
Read from /usr/local/nmap/bin/../share/nmap: nmap-mac-prefixes
nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.52 seconds
           Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
--------------------------------

kaito


On 4 April 2011 at 5:37, Ron <ron () skullsecurity net> wrote:

It looks like the login failed on Nmap. I *think* I fixed a bug related to logins failing fairly recently, but I 
could be wrong. Can you try the latest svn version and see if it works?

The other thing to try is adding:
--script-args=smbtype=nvlmv2

Right now I'm defaulting the hashtype to NTLMv1. I think I'm going to update the scripts, at some point, and default 
it to NTLMv2. I don't see any reason not to.

Ron

On Mon, 4 Apr 2011 00:44:21 +0900 kaito <kaito834 () gmail com> wrote:
Hello

This is kaito.

I failed to execute the smb-psexec script for the Nmap Scripting Engine (NSE).
I tried against Windows 7 from Nmap 5.51 on another Windows 7 and failed.
But I tried against Windows 7 from PsExec v1.98 on Windows 7
and succeeded.

I configured the registry value "LocalAccountTokenFilterPolicy" to DWORD 1
on the victim Windows 7; the registry key is explained at the following
URL.
http://technet.microsoft.com/en-us/library/ee844186%28WS.10%29.aspx
Therefore, PsExec was successful, I think.

I wrote the output of Nmap and PsExec in this mail, and attached the pcap
files.

* Nmap result from Windows 7 to another Windows 7
--------------------------------
D:\Nmap>nmap -d --script=smb-psexec
--script-args=smbuser=user_admin,smbpass=admin -p 445 192.168.0.50
Winpcap present, dynamic linked to: WinPcap version 4.1.2 (packet.dll
version 4.1.0.2001), based on libpcap version 1.0 branch 1_0_rel0b
(20091008)

Starting Nmap 5.51 ( http://nmap.org ) at 2011-04-03 22:44 東京 (標準時)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Loaded 1 scripts for scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating ARP Ping Scan at 22:44
Scanning 192.168.0.50 [1 port]
Packet capture filter (device eth6): arp and arp[18:4] = 0x000B97BE
and arp[22:2] = 0x858C
Completed ARP Ping Scan at 22:44, 0.59s elapsed (1 total hosts)
Overall sending rates: 1.69 packets / s, 71.19 bytes / s.
(snip)
DNS resolution of 1 IPs took 0.09s. Mode: Async [#: 7, OK: 0, NX: 1,
DR: 0, SF:0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 22:44
Scanning 192.168.0.50 [1 port]
Packet capture filter (device eth6): dst host 192.168.0.108 and (icmp
or ((tcp or udp or sctp) and (src host 192.168.0.50)))
Discovered open port 445/tcp on 192.168.0.50
Completed SYN Stealth Scan at 22:44, 0.03s elapsed (1 total ports)
Overall sending rates: 35.71 packets / s, 1571.43 bytes / s.
NSE: Starting runlevel 1 (of 1) scan.
NSE: Starting smb-psexec against 192.168.0.50.
NSE: Script scanning 192.168.0.50.
Initiating NSE at 22:44
NSE: smb-psexec: Looking for the service file: nmap_service or nmap_service.exe
NSE: smb-psexec: Attempting to find file: nmap_service
NSE: smb-psexec: Attempting to find file: default
NSE: smb-psexec: Attempting to load config file:
D:\Nmap\nselib/data/psexec/default.lua
NSE: SMB: Attempting to log into the system to enumerate shares
NSE: SMB: Added account '' to account list
NSE: SMB: Added account 'guest' to account list
NSE: SMB: Added account 'user_admin' to account list
NSE: SMB: Extended login as \user_admin failed (NT_STATUS_NOT_SUPPORTED)
NSE: SMB: Extended login as \guest failed (NT_STATUS_NOT_SUPPORTED)
NSE: SMB: Extended login as \<blank> failed (NT_STATUS_NOT_SUPPORTED)
NSE: SMB: Enumerating shares failed, guessing at common ones (No accounts left to try)
NSE: SMB: Extended login as \<blank> failed (NT_STATUS_NOT_SUPPORTED)
NSE: SMB: ERROR: All logins failed, sorry it didn't work out!
NSE: Finished smb-psexec against 192.168.0.50.
Completed NSE at 22:44, 0.21s elapsed
Nmap scan report for 192.168.0.50
Host is up, received arp-response (0.0022s latency).
Scanned at 2011-04-03 22:44:20 東京 (標準時) for 1s
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack
MAC Address: 00:0C:29:75:ED:ED (VMware)

Host script results:
| smb-psexec:
|_  ERROR: NT_STATUS_NOT_SUPPORTED (May not have an administrator account)
Final times for host: srtt: 2250 rttvar: 6250  to: 100000

NSE: Starting runlevel 1 (of 1) scan.
Read from D:\Nmap: nmap-mac-prefixes nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 3.06 seconds
           Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
--------------------------------

* PsExec result from Windows 7 to another Windows 7
--------------------------------
D:\PsTools>psexec \\192.168.0.50 -u user_admin -p admin ipconfig

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

Windows IP 構成

イーサネット アダプター ローカル エリア接続:

   接続固有の DNS サフィックス . . . :
   リンクローカル IPv6 アドレス. . . . : fe80::6cfa:6faa:5805:71d2%11
   IPv4 アドレス . . . . . . . . . . : 192.168.0.50
   サブネット マスク . . . . . . . . : 255.255.255.0
   デフォルト ゲートウェイ . . . . . : 192.168.0.1

Tunnel adapter isatap.{D9412E54-B207-497F-ACF1-A74FAD2C26C6}:

   メディアの状態. . . . . . . . . . : メディアは接続されていません
   接続固有の DNS サフィックス . . . :

Tunnel adapter ローカル エリア接続* 9:

   接続固有の DNS サフィックス . . . :
   IPv6 アドレス . . . . . . . . . . . : 2001:0:4137:9e76:24a3:fba8:2575:aff6
   リンクローカル IPv6 アドレス. . . . : fe80::24a3:fba8:2575:aff6%12
   デフォルト ゲートウェイ . . . . . : ::
ipconfig exited on 192.168.0.50 with error code 0.
--------------------------------


--
kaito<kaito834 () gmail com>
Blog: http://d.hatena.ne.jp/kaito834/
Twitter: http://twitter.com/kaito834/
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/




-- 
kaito<kaito834 () gmail com>
Blog: http://d.hatena.ne.jp/kaito834/
Twitter: http://twitter.com/kaito834/

Attachment: 20110406-nmap.zip
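The debug output above shows every account, including guest and the blank account, failing with the same NT_STATUS_NOT_SUPPORTED, which is what prompted the smbtype question. The following is an added example, not code from the thread or from Nmap: it parses NSE SMB debug lines (including the status code wrapped onto the next line, as the archive shows it) and applies an assumed triage heuristic that separates a credential problem from a negotiation problem. The sample log is constructed in the shape of the output above.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of Nmap -d output, with the status
# code wrapped onto the following line as the mail archive shows it.
SAMPLE_LOG = """\
NSE: SMB: Attempting to log into the system to enumerate shares
NSE: SMB: Added account '' to account list
NSE: SMB: Extended login to 192.168.0.50 as \\user_admin failed
(NT_STATUS_NOT_SUPPORTED)
NSE: SMB: Extended login to 192.168.0.50 as \\guest failed
(NT_STATUS_NOT_SUPPORTED)
NSE: SMB: Extended login to 192.168.0.50 as \\<blank> failed
(NT_STATUS_NOT_SUPPORTED)
NSE: SMB: ERROR: All logins failed, sorry it didn't work out!
"""

# Matches both the Linux form ("login to <host> as") and the Windows
# form ("login as") seen in the thread.
LOGIN_RE = re.compile(r"Extended login (?:to \S+ )?as \\(\S+) failed")
STATUS_RE = re.compile(r"\((NT_STATUS_[A-Z_]+)\)")

def parse_login_failures(text):
    """Return [(account, status), ...] from NSE SMB debug output.
    The status may sit on the same line or be wrapped to the next."""
    failures, pending = [], None
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            pending = m.group(1)
            s = STATUS_RE.search(line)
            if s:
                failures.append((pending, s.group(1)))
                pending = None
            continue
        s = STATUS_RE.search(line)
        if pending and s:
            failures.append((pending, s.group(1)))
            pending = None
    return failures

def triage(failures):
    """Assumed heuristic: one status shared by every account, guest and
    blank included, points at negotiation (e.g. the authentication type
    the server accepts) rather than at the supplied credentials."""
    if not failures:
        return "no-failures"
    by_status = defaultdict(set)
    for account, status in failures:
        by_status[status].add(account)
    if len(by_status) == 1:
        status = next(iter(by_status))
        return "credentials" if status == "NT_STATUS_LOGON_FAILURE" else "negotiation"
    return "mixed"
```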

