Re: [NSE] Additional information for smb-os-discovery.nse

[Rob Nicholls <robert () robnicholls co uk>]

I managed to run the scan against a wide range of Windows hosts 
(Windows 2000 - 2008 R2; XP; Vista; 7) and everything looked fine for 
the workgroup hosts and a couple of Windows Server 2003 domain 
controllers. I haven't tried a child domain DC (to verify the issue that 
Chris mentioned about it not returning the forest name) as I don't 
currently have one setup, but so far I haven't seen any issues.

Rob

On Tue, 12 Jul 2011 08:10:58 +0200, Patrik Karlsson wrote:
> I applied the patch and committed it as r24847.
> Rob, if you get the chance to run that scan in the future let us know
> if you hit any problems.
>
> //Patrik
>
> On Jul 12, 2011, at 12:02 AM, Rob Nicholls wrote:
>
> > Hi Chris,
> >
> > Sorry for the slow reply. I've only tested it against some Windows 7
> > and
> > 2008 R2 hosts so far, but it worked fine there. I've been meaning to
> > run it
> > against a Windows test subnet at work, so it'll cover a wide range
> > of older
> > versions of Windows, but I've not managed to find the time yet. I'll
> > see
> > what I can do in the next couple of days, otherwise I'm unlikely to
> > be able
> > to test it properly for 5-6 weeks (sorry).
> >
> > Rob
> >
> > -----Original Message-----
> > From: Patrik Karlsson [mailto:patrik () labb1 com] On Behalf Of Patrik
> > Karlsson
> > Sent: 10 July 2011 21:20
> > To: Chris Woodbury
> > Cc: Nmap-Dev; Ron; Rob Nicholls
> > Subject: Re: [NSE] Additional information for smb-os-discovery.nse
> >
> > Hi Chris,
> >
> > I tried it out and it worked well for me. Regarding the code, the
> > only
> > question I have is whether the 0x2 in the following comparison could
> > be made
> > any clearer?
> > elseif ( message_type ~= 0x2 ) then
> >
> > Other than that I think the code looks great. While it changes both
> > the smb
> > and smbauth libraries it shouldn't have any impact on the other
> > scripts
> > making use of them.
> > Unless anyone has any strong objections against doing so, I would
> > like to
> > commit this patch as I think it greatly improves the
> > smb-os-discovery
> > script.
> >
> > //Patrik
> >
> > On Jul 10, 2011, at 8:40 PM, Chris Woodbury wrote:
> >
> > > Did anyone else have a chance to look at this?
> > >
> > > Rob, were you able to test it out? It worked on my systems, but I'd
> > > like to know what other people's experiences were.
> > >
> > > -chris
> > >
> > >
> > > On Wed, Apr 20, 2011 at 4:21 PM, Rob Nicholls
> > > <robert () robnicholls co uk>
> > wrote:
> > > > Hi Chris,
> > > >
> > > > Personally, I think all of this information would be really useful
> > > > and I'd love to see the patch added to the existing script.
> > > >
> > > > The only downside is I'd be using Patrik's fantastic MBEnun less
> > > > often ;-)
> > > >
> > > > Rob
> > > >
> > > > -----Original Message-----
> > > > From: nmap-dev-bounces () insecure org
> > > > [mailto:nmap-dev-bounces () insecure org]
> > > > On Behalf Of Chris Woodbury
> > > > Sent: 20 April 2011 21:33
> > > > To: Nmap-Dev
> > > > Subject: [NSE] Additional information for smb-os-discovery.nse
> > > >
> > > > I would like to propose some additions to the smb-os-discovery
> > > > script, namely the following:
> > > > * DNS host name
> > > > * DNS domain name
> > > > * DNS forest name
> > > > * FQDN
> > > >
> > > > This information can be retrieved from the NTLMSSP data (a.k.a.
> > > > security blob) in a SMB_COM_SESSION_SETUP_ANDX response in
> > > > extended-security mode. The attached patch implements this with
> > > > the
> > following changes:
> > > > * A new "get_host_info_from_security_blob()" function in
> > > > smbauth.lua,
> > > > which parses the information from the NTLMSSP data.
> > > > * A call to the new function in smb.start_session_extended().
> > > > * Changes to smb.get_os() to start an extended-security session to
> > > > get the new information (unfortunately, this requires a second
> > > > session - the hostname and domain name aren't returned in the
> > > > SMB_COM_NEGOTIATE response if the extended security flag is set).
> > > > * Changes to smb-os-discovery.nse to output the new information.
> > > > * There are a few variables where I needed to handle nils
> > > > explicitly
> > > > in smb-os-discovery, so, for the sake of consistency, I removed
> > > > the
> > > > stdnse.string_or_blank() calls in smb.get_os() and did all of the
> > > > nil-handling in the script. The only other script that uses
> > > > smb.get_os() is smb-brute, which needed a very small change to
> > > > handle
> > > > the different output.
> > > > * I also made some small changes throughout smb.lua to add
> > > > documentation where I thought it would help, and to fix a couple
> > > > typos
> > that I noticed.
> > > > The output is now like so:
> > > > A domain member (Showing all available info, excluding workgroup
> > > > of
> > course):
> > > > |   OS: Windows Server (R) 2008 Standard 6001 Service Pack 1
> > > > (Windows
> > > > Server (R) 2008 Standard 6.0)
> > > > |   Computer name: Sql2008
> > > > |   Domain name: lab.test.local
> > > > |   Forest name: test.local
> > > > |   FQDN: Sql2008.lab.test.local
> > > > |   NetBIOS computer name: SQL2008
> > > > |   NetBIOS domain name: LAB
> > > > |_  System time: 2011-04-20 15:11:20 UTC-5
> > > >
> > > > A standalone system:
> > > > |   OS: Windows Server 2003 3790 Service Pack 2 (Windows Server
> > > > 2003 5.2)
> > > > |   Computer name: win2003-server
> > > > |   NetBIOS computer name: WIN2003-SERVER
> > > > |   Workgroup: WORKGROUP
> > > > |_  System time: 2011-04-20 15:10:19 UTC-5
> > > >
> > > > A domain controller (for some reason, the DC of the child domain
> > > > doesn't return the forest name, although members of the child
> > > > domain
> > > > do, and the forest DC does):
> > > > |   OS: Windows Server (R) 2008 Standard 6001 Service Pack 1
> > > > (Windows
> > > > Server (R) 2008 Standard 6.0)
> > > > |   Computer name: Lab-DC
> > > > |   Domain name: lab.test.local
> > > > |   FQDN: Lab-DC.lab.test.local
> > > > |   NetBIOS computer name: LAB-DC
> > > > |   NetBIOS domain name: LAB
> > > > |_  System time: 2011-04-20 15:10:38 UTC-7
> > > >
> > > > A Windows 7 host (my Windows 7 systems return STATUS_NOT_SUPPORTED
> > > > to
> > > > SMB_COM_SESSION_SETUP_ANDXs with extended security, so the
> > > > additional
> > > > info isn't available):
> > > > |   OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate
> > > > 6.1)
> > > > |   NetBIOS computer name: WIN7TEST
> > > > |   Workgroup: WORKGROUP
> > > > |_  System time: 2011-04-20 15:10:18 UTC-5
> > > >
> > > >
> > > > I think this adds some useful information to the script results. I
> > > > hope I haven't stepped on any toes. Please test out the changes
> > > > and
> > > > let me know what you think.
> > > >
> > > > Thanks
> > > > -chris
> > > _______________________________________________
> > > Sent through the nmap-dev mailing list
> > > http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > > Archived at http://seclists.org/nmap-dev/
> >
> > --
> > Patrik Karlsson
> > http://www.cqure.net
> > http://www.twitter.com/nevdull77
>
> --
> Patrik Karlsson
> http://www.cqure.net
> http://www.twitter.com/nevdull77
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/