Nmap Development mailing list archives

Re: SMB related version detection updates


From: Tom Sellers <nmap () fadedcode net>
Date: Sat, 2 Apr 2016 00:37:59 -0500

I've just finished another pass at tuning the version detection for netbios-ns ( 137/udp ). The
results should be more reliable and provide some additional detail. We can now tell if the target
is an Active Directory / Domain controller. There are new match lines for Apple's SMB implementation.
Also, I've addressed a couple of cases where the hostname and workgroup or domain name were switched.

Once I've had a chance to test it against some really old clients ( Win XP ) I might be able to
remove some of the legacy entries.  The responses from modern Windows OSes ( Win 7+ ) are fairly
consistent and none of them are triggering the older matchlines at the beginning of that section.

Tom

On 3/30/2016 9:12 AM, Daniel Miller wrote:
Tom,

Thanks for these updates! We occasionally get service fingerprints for SMB, but it can be hard to tell which parts of the response are relevant to the service version. Solid empirical results like these are very valuable.

Dan

On Wed, Mar 30, 2016 at 5:38 AM, Tom Sellers <nmap () fadedcode net> wrote:

    FYI,
      Yesterday in commit 35748 I updated some SMB related match lines.  The intent was to
    improve the scan results in preparation for dealing with Badlock.  Fixed are certain
    matchlines that indicated a specific OS version such as 'Microsoft Windows NT netbios-ssn'
    that actually matched newer versions of Windows including 2012 R2.  Matches that indicated
    Samba 3.x have been updated as they also match Samba 4.x as well. There are also a
    couple of new matchlines that help handle and capture data, particularly in cases where
    responses from Samba exactly match those from Windows.

    The changes were tested against Windows 7 and 8, Windows Server 2008, 2008 R2, 2012, 2012 R2
    as well as Samba 3.6.x, 4.1.x, and Apple's current SMB fork.


    Tom
    _______________________________________________
    Sent through the dev mailing list
    https://nmap.org/mailman/listinfo/dev
    Archived at http://seclists.org/nmap-dev/


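Since the thread turns on what a netbios-ns (137/udp) node-status reply actually carries, here is a worked parser for that reply. This is an added example written for this archive page, not Nmap's own code or its nmap-service-probes match lines; the host DC01, domain CORP and MAC address are constructed values. It shows the two facts Tom's updates key on: the hostname and the workgroup/domain both use the <00> suffix and are told apart by the group flag in NAME_FLAGS, not by their order in the table (the cause of the switched-name cases), and a domain controller announces itself by registering the group name with the <1C> suffix.

```python
import struct

# NetBIOS name suffixes (16th byte of the name), split by whether the name is
# unique (one host) or group (shared by a workgroup/domain). Well-known values.
SUFFIX_UNIQUE = {0x00: "Workstation Service (hostname)", 0x03: "Messenger Service",
                 0x1B: "Domain Master Browser", 0x1D: "Master Browser",
                 0x20: "File Server Service"}
SUFFIX_GROUP = {0x00: "Workgroup / Domain name", 0x1C: "Domain Controllers",
                0x1E: "Browser Service Elections"}

NBSTAT_RR_TYPE = 0x0021   # RR_TYPE of a NODE STATUS response (RFC 1002 4.2.18)
GROUP_FLAG = 0x8000       # bit 15 of NAME_FLAGS: 1 = group name, 0 = unique name
ACTIVE_FLAG = 0x0400      # bit 10 of NAME_FLAGS: name is active on this node


def first_level_encode(raw16: bytes) -> bytes:
    """RFC 1001 first-level encoding: each byte becomes two 'A'-based nibbles,
    preceded by a length byte (32) and followed by a zero terminator."""
    out = bytearray()
    for b in raw16:
        out += bytes([ord("A") + (b >> 4), ord("A") + (b & 0x0F)])
    return bytes([len(out)]) + bytes(out) + b"\x00"


def build_nbstat_response(txid: int, entries, mac: bytes) -> bytes:
    """Construct a NODE STATUS RESPONSE; entries are (name, suffix, flags)."""
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)  # response + AA, one answer RR
    rr_name = first_level_encode(b"*" + bytes(15))             # wildcard name of the query
    node_names = b"".join(
        struct.pack(">15sBH", n.upper().ljust(15).encode("ascii"), suffix, flags)
        for n, suffix, flags in entries)
    statistics = mac + bytes(40)  # UNIT_ID (MAC) then 40 bytes of counters, zeroed here
    rdata = bytes([len(entries)]) + node_names + statistics
    return header + rr_name + struct.pack(">HHIH", NBSTAT_RR_TYPE, 1, 0, len(rdata)) + rdata


def parse_nbstat_response(data: bytes) -> dict:
    """Parse a NODE STATUS RESPONSE into its name table; rejects truncated input."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", data, 0)
    if not flags & 0x8000:
        raise ValueError("not a response")
    if an != 1:
        raise ValueError("expected exactly one answer RR")
    offset = 12
    offset += 1 + data[offset] + 1            # skip length byte, label, terminator
    rr_type, _cls, _ttl, rdlength = struct.unpack_from(">HHIH", data, offset)
    offset += 10
    if rr_type != NBSTAT_RR_TYPE:
        raise ValueError(f"unexpected RR type 0x{rr_type:04x}")
    rdata = data[offset:offset + rdlength]
    if len(rdata) != rdlength:
        raise ValueError("truncated RDATA")
    num_names, pos, names = rdata[0], 1, []
    for _ in range(num_names):
        if pos + 18 > len(rdata):
            raise ValueError("truncated name table")
        raw, suffix, nb_flags = struct.unpack_from(">15sBH", rdata, pos)
        pos += 18
        is_group = bool(nb_flags & GROUP_FLAG)
        meaning = (SUFFIX_GROUP if is_group else SUFFIX_UNIQUE).get(suffix, "unknown")
        names.append({"name": raw.decode("ascii", "replace").rstrip(" \x00"),
                      "suffix": suffix, "group": is_group, "meaning": meaning})
    mac = rdata[pos:pos + 6] if pos + 6 <= len(rdata) else b""
    return {"txid": txid, "names": names, "mac": mac.hex(":") if mac else None}


def summarize(parsed: dict) -> dict:
    """Derive hostname, domain and DC status from the name table. The group flag,
    not table order, decides which <00> entry is the host and which the domain."""
    hostname = domain = None
    is_dc = False
    for e in parsed["names"]:
        if e["suffix"] == 0x00 and not e["group"] and hostname is None:
            hostname = e["name"]
        elif e["suffix"] == 0x00 and e["group"] and domain is None:
            domain = e["name"]
        elif e["suffix"] == 0x1C and e["group"]:
            is_dc = True
    return {"hostname": hostname, "domain": domain,
            "domain_controller": is_dc, "mac": parsed["mac"]}


def demo() -> dict:
    """Constructed reply from a hypothetical DC 'DC01' in domain 'CORP'; the domain
    name is listed first on purpose, which is what fools order-based parsing."""
    entries = [("CORP", 0x00, GROUP_FLAG | ACTIVE_FLAG),
               ("DC01", 0x00, ACTIVE_FLAG),
               ("CORP", 0x1C, GROUP_FLAG | ACTIVE_FLAG),
               ("DC01", 0x20, ACTIVE_FLAG),
               ("CORP", 0x1B, ACTIVE_FLAG)]
    reply = build_nbstat_response(0x1234, entries, bytes.fromhex("001122334455"))
    return summarize(parse_nbstat_response(reply))


if __name__ == "__main__":
    print(demo())
```

The same parser also surfaces the <1B> domain master browser and <20> file server entries that the service match lines use as secondary evidence.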
