Nmap Development mailing list archives

Re: SMB probe script


From: Ron <ron () skullsecurity net>
Date: Mon, 08 Sep 2008 17:42:04 -0500

Hey Mike,

mike wrote:
> Ron. I looked into that script a bit more. I noticed that you are using a generic "nmap" for the OS identifier in the
> packet payload. Is this wise? Wouldn't that set off many an application/inspection tool people are using for
> payload/OS fingerprinting? Why not set it to a simple "Windows 2k" or something that could actually be seen as legit?
> Maybe this isn't a big deal to everyone so I will just mention it and move on
I wasn't really sure about that. As the security guy in a company, I
like the idea of leaving things that are easily detectable, but I can
see the argument not to. I'll think about it, but ultimately will
probably make it configurable.

> I also noticed the same thing I mentioned above when you call for the generic "Native LANman". Is that even
> recognized as legit by the SMB server? I guess if it works, it works
I believe I copied that from a legit server, but I'm not positive.

> I was wondering about 2 things I would hope you could include, since you have already gone so far into the kind of
> detail this SMB script already gives us:
>
> Would there be a way to dump the received hashes back to stdout (for cracking later)?
> I believe it is based on the SPNEGO that is used, correct?
No password hashes are actually received. The only thing we receive is
the server challenge, which is random, not based on the password hash at
all.

> Lastly, I was watching the SMB tree requests and transactions in tshark and I saw a lot of times when you were setting
> HOME and TEST as queries, my target would send me back "NT_STATUS_UNRECOGNIZED_NAME" failures. Can I ask what the
> TEST and HOME references are for? Is that for IPC logins? I always thought if you got back STATUS_FAILURES, then you
> would have the TID pulled you created and you would be disconnected. Again, maybe you know a lot more about this than
> I do. Still interested in that patch addon for the stdout for LAN manager version
At the top of the script, I made an array of names to check including
those ones. It's mostly for testing at the moment, I'll probably do
proper brute-forcing later.

> Do you ever think you will tackle the issues I brought up with trying to get payload established to port 138? Did
> you read what I submitted about what could possibly be done? (forcing issued MASTERBROWSER announcements for response)
Sure, when I get around to reading the next chapter in the book. It
might be a while, though, no promises! :)

Ron
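Mike's first point is that an inspection tool can read the Native OS and Native LAN Manager strings a client puts in its SMB Session Setup AndX request, so a literal "nmap" there is easy to flag. The following is an added example, not code from the thread or from Nmap, showing how such a detector would pull those two strings out of the request. It parses the 12-word (extended security) form of the SMB1 Session Setup AndX request, honours the Flags2 Unicode bit and the alignment pad that precedes UTF-16LE strings, and includes a constructed packet builder so it runs offline. The field offsets follow the SMB1 message layout; the marker list and the sample strings are assumptions made for the example.

```python
import struct

# SMB1 constants used below (standard values from the SMB1 wire format)
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_HEADER_LEN = 32          # \xffSMB, command, status, flags, flags2, pid hi, sig, rsvd, tid, pid, uid, mid
FLAGS2_UNICODE = 0x8000      # Flags2 bit: strings in the message are UTF-16LE
CAP_EXTENDED_SECURITY = 0x80000000

# Hypothetical detection list: substrings in Native OS that a scanner tends to announce.
SCANNER_MARKERS = ("nmap",)


def parse_session_setup_andx(packet: bytes) -> dict:
    """Return the Native OS / Native LAN Manager strings from an SMB1
    Session Setup AndX request carrying a security blob (WordCount == 12)."""
    if len(packet) < SMB_HEADER_LEN or packet[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    if packet[4] != SMB_COM_SESSION_SETUP_ANDX:
        raise ValueError("not a Session Setup AndX request")
    flags2 = struct.unpack_from("<H", packet, 10)[0]
    unicode_strings = bool(flags2 & FLAGS2_UNICODE)

    off = SMB_HEADER_LEN
    if packet[off] != 12:
        raise ValueError("unsupported Session Setup AndX form (WordCount != 12)")
    # Parameter words (24 bytes): AndXCommand(1) AndXReserved(1) AndXOffset(2)
    # MaxBufferSize(2) MaxMpxCount(2) VcNumber(2) SessionKey(4)
    # SecurityBlobLength(2) Reserved(4) Capabilities(4)
    blob_len = struct.unpack_from("<H", packet, off + 1 + 14)[0]
    byte_count = struct.unpack_from("<H", packet, off + 1 + 24)[0]
    data_start = off + 27                      # WordCount(1) + params(24) + ByteCount(2)
    data_end = data_start + byte_count
    pos = data_start + blob_len                # skip the SPNEGO/NTLMSSP blob
    if unicode_strings and pos % 2:
        pos += 1                               # pad so UTF-16LE strings start on an even offset
    rest = packet[pos:data_end]
    if unicode_strings:
        text = rest[: len(rest) & ~1].decode("utf-16-le", errors="replace")
    else:
        text = rest.decode("ascii", errors="replace")
    fields = text.split("\x00")
    return {
        "unicode": unicode_strings,
        "native_os": fields[0] if fields else "",
        "native_lm": fields[1] if len(fields) > 1 else "",
    }


def looks_like_scanner(packet: bytes) -> bool:
    """Detection rule: flag a request whose Native OS contains a known scanner marker."""
    native_os = parse_session_setup_andx(packet)["native_os"].lower()
    return any(marker in native_os for marker in SCANNER_MARKERS)


def build_session_setup_andx(native_os: str, native_lm: str, blob: bytes, unicode: bool) -> bytes:
    """Construct a minimal Session Setup AndX request for testing (constructed sample, not a capture)."""
    flags2 = FLAGS2_UNICODE if unicode else 0
    header = (b"\xffSMB" + bytes([SMB_COM_SESSION_SETUP_ANDX]) + b"\x00" * 4   # status
              + b"\x18" + struct.pack("<H", flags2) + b"\x00" * 20)           # flags, flags2, rest of header
    params = struct.pack("<BBHHHHIHII", 0xFF, 0, 0, 4356, 50, 1, 0,
                         len(blob), 0, CAP_EXTENDED_SECURITY)
    pos_after_blob = SMB_HEADER_LEN + 27 + len(blob)
    pad = b"\x00" if unicode and pos_after_blob % 2 else b""
    strings = native_os + "\x00" + native_lm + "\x00"
    encoded = strings.encode("utf-16-le") if unicode else strings.encode("ascii")
    data = blob + pad + encoded
    return header + bytes([12]) + params + struct.pack("<H", len(data)) + data


if __name__ == "__main__":
    # 10-byte blob forces the alignment pad in the Unicode case.
    sample = build_session_setup_andx("nmap", "Native Lanman", b"NTLMSSP\x00\x01\x00", unicode=True)
    print(parse_session_setup_andx(sample), looks_like_scanner(sample))
```

The check is only as strong as the string the client chooses to send, which is Ron's point about making it configurable: a client that announces "Windows 2000" passes this rule, so the Native OS field is a cheap first signal for a sensor, not a fingerprint to rely on.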

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

