Nmap Development mailing list archives

Re: [NSE] SMB authentication patch


From: Ron <ron () skullsecurity net>
Date: Fri, 10 Oct 2008 11:12:07 -0500

David Fifield wrote:
On Fri, Oct 10, 2008 at 10:31:23AM -0500, Ron wrote:

With that little change it works great:

Excellent!

Host script results:
|  NBSTAT: NetBIOS name: MAC-MINI, NetBIOS user: <unknown>, NetBIOS MAC: 00:16:cb:ae:d4:ac
|  Name: MAC-MINI<00>         Flags: <unique><active>
|  Name: MSHOME<00>           Flags: <group><active>
|  Name: MAC-MINI<20>         Flags: <unique><active>
|  Name: MSHOME<1e>           Flags: <group><active>
|  Name: MSHOME<1d>           Flags: <unique><active>
|  Name: \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|_ Statistics: 00 16 cb ae d4 ac 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|  OS from SMB: Windows XP
|  LAN Manager: Windows 2000 LAN Manager
|  Name: MSHOME\MAC-MINI
|_ System time: 2008-10-10 14:28:20 UTC-6
|  SMB Security: User-level authentication
|  SMB Security: Challenge/response passwords supported
|_ SMB Security: Message signing not supported
|_ MSRPC: List of domains: ERROR: STATUS_ACCESS_DENIED (samr.opendomain)
|  MSRPC: List of user accounts:
|  Enum via SAMR error: STATUS_ACCESS_DENIED (samr.opendomain)
|  ,\xE0J\xC0V
|    |_ Domain: MAC-MINI
|    |_ RID: 1010
|  Administrator
|    |_ Domain: MAC-MINI
|    |_ RID: 500
|  Guest
|    |_ Domain: MAC-MINI
|    |_ RID: 501
|  HelpAssistant
|    |_ Domain: MAC-MINI
|    |_ RID: 1000
|  HelpServicesGroup
|    |_ Domain: MAC-MINI
|    |_ RID: 1002
|  jrandom
|    |_ Domain: MAC-MINI
|    |_ RID: 1019
|  Kurt G\xF6del
|    |_ Domain: MAC-MINI
|    |_ RID: 1018
|  SUPPORT_388945a0
|    |_ Domain: MAC-MINI
|_   |_ RID: 1003
|  MSRPC: NetShareEnumAll():
|  Anonymous shares: IPC$
|_ Restricted shares: print$, SharedDocs, My Pictures, ADMIN$, C$, Printer

How wonderful that Windows is willing to reveal all this information! I
should mention that the output is a lot shorter without -d3.

How come I don't see my main "david" account? Is it because it's the
same as the Administrator account? It was the account I set up the
computer with.
Well, I see a couple odd things:
- You were able to enum accounts through LSA but not through SAMR. LSA is a bruteforce type lookup, so it can miss accounts. I'm guessing it's a permissions thing, try assigning the user to the administrators group and see if you get better information.
- The first account, with RID 1010, seems to have the username ",\xE0J\xC0V". I'm not sure if it's supposed to be obfuscated or if I ended up in the wrong field, but it would be useful if you could send me a pcap. RID 1018 is also odd, "Kurt G\xF6del" -- is the username in unicode or is it being read incorrectly?

You are also missing the 'domains' section, which is also pulled from SAMR. I'm going to take a guess and say that you require administrative privileges to access SAMR.


It's hard to give a blank password. Just using
        --script-args smbusername=user
doesn't work, using
        --script-args smbusername=user,smbpassword=
doesn't work ("Error parsing --script-args"). I had to use
        --script-args smbusername=user,smbpassword=\'\'
Ah, my bad. I intended not adding a password field to be a blank password, but I think when I changed from smbpassword to smbhash, I broke that. This is related to the bug filling out the username incorrectly, too, neither should generate an error.


David Fifield


Thanks for the feedback, it's good to know that it's (mostly) working for somebody else!

Ron
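The "Kurt G\xF6del" question in the thread (is the username in Unicode, or is it being read incorrectly?) can be illustrated with the following Python, an added example that is not part of this thread or of Nmap's NSE code. It assumes a simplified NDR conformant-varying WCHAR array layout (MaxCount, Offset, ActualCount, then UTF-16LE code units) for the SAMR username buffer, constructs its own sample names, and its escaping function only mimics the \xHH rendering seen in the quoted script output; it does not reproduce the ",\xE0J\xC0V" case.

```python
from __future__ import annotations
import struct


def ndr_unicode_string(text: str) -> bytes:
    """Constructed sample: marshal `text` as a simplified NDR conformant-varying
    WCHAR array (MaxCount, Offset, ActualCount in UINT16 units, then UTF-16LE
    code units). Assumption: no alignment padding or preceding header fields."""
    data = text.encode("utf-16-le")
    count = len(data) // 2
    return struct.pack("<III", count, 0, count) + data


def _locate(buf: bytes) -> tuple[int, int]:
    """Return (start, end) byte offsets of the character data in `buf`."""
    _max_count, offset, actual = struct.unpack_from("<III", buf, 0)
    start = 12 + offset * 2
    return start, start + actual * 2


def decode_correct(buf: bytes) -> tuple[str, bytes]:
    """Decode the buffer as UTF-16LE, returning (text, remaining bytes)."""
    start, end = _locate(buf)
    return buf[start:end].decode("utf-16-le"), buf[end:]


def decode_naive(buf: bytes) -> tuple[bytes, bytes]:
    """Mimic the common shortcut of keeping only the low byte of each UTF-16
    code unit. Characters in U+0000..U+00FF survive as Latin-1 bytes (o-umlaut
    becomes 0xF6); anything above U+00FF silently turns into an unrelated byte."""
    start, end = _locate(buf)
    return bytes(buf[start:end][0::2]), buf[end:]


def escape_like_nse(raw: bytes) -> str:
    """Render bytes with non-printable or non-ASCII values as \\xHH, the way
    the quoted script output shows them."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02X}" for b in raw)


if __name__ == "__main__":
    for name in ("jrandom", "Kurt Gödel", "Жанна"):
        buf = ndr_unicode_string(name)
        print(repr(decode_correct(buf)[0]), "->", escape_like_nse(decode_naive(buf)[0]))
```

Running it shows the UTF-16LE decode returning the names intact while the low-byte shortcut renders "Kurt Gödel" as "Kurt G\xF6del", matching the odd entry in the quoted output.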

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org