Nmap Development mailing list archives
Re: [NSE] SMB authentication patch
From: Ron <ron () skullsecurity net>
Date: Fri, 10 Oct 2008 11:12:07 -0500
David Fifield wrote:
On Fri, Oct 10, 2008 at 10:31:23AM -0500, Ron wrote:
With that little change it works great:
Excellent!
Host script results:
| NBSTAT: NetBIOS name: MAC-MINI, NetBIOS user: <unknown>, NetBIOS MAC: 00:16:cb:ae:d4:ac
| Name: MAC-MINI<00> Flags: <unique><active>
| Name: MSHOME<00> Flags: <group><active>
| Name: MAC-MINI<20> Flags: <unique><active>
| Name: MSHOME<1e> Flags: <group><active>
| Name: MSHOME<1d> Flags: <unique><active>
| Name: \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
|_ Statistics: 00 16 cb ae d4 ac 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| OS from SMB: Windows XP
| LAN Manager: Windows 2000 LAN Manager
| Name: MSHOME\MAC-MINI
|_ System time: 2008-10-10 14:28:20 UTC-6
| SMB Security: User-level authentication
| SMB Security: Challenge/response passwords supported
|_ SMB Security: Message signing not supported
|_ MSRPC: List of domains: ERROR: STATUS_ACCESS_DENIED (samr.opendomain)
| MSRPC: List of user accounts:
| Enum via SAMR error: STATUS_ACCESS_DENIED (samr.opendomain)
| ,\xE0J\xC0V
| |_ Domain: MAC-MINI
| |_ RID: 1010
| Administrator
| |_ Domain: MAC-MINI
| |_ RID: 500
| Guest
| |_ Domain: MAC-MINI
| |_ RID: 501
| HelpAssistant
| |_ Domain: MAC-MINI
| |_ RID: 1000
| HelpServicesGroup
| |_ Domain: MAC-MINI
| |_ RID: 1002
| jrandom
| |_ Domain: MAC-MINI
| |_ RID: 1019
| Kurt G\xF6del
| |_ Domain: MAC-MINI
| |_ RID: 1018
| SUPPORT_388945a0
| |_ Domain: MAC-MINI
|_ |_ RID: 1003
| MSRPC: NetShareEnumAll():
| Anonymous shares: IPC$
|_ Restricted shares: print$, SharedDocs, My Pictures, ADMIN$, C$, Printer

How wonderful that Windows is willing to reveal all this information! I should mention that the output is a lot shorter without -d3. How come I don't see my main "david" account? Is it because it's the same as the Administrator account? It was the account I set up the computer with.
Well, I see a couple of odd things:
- You were able to enum accounts through LSA but not through SAMR. LSA is a brute-force type lookup, so it can miss accounts. I'm guessing it's a permissions thing; try assigning the user to the administrators group and see if you get better information.
- The first account, with RID 1010, seems to have the username ",\xE0J\xC0V". I'm not sure if it's supposed to be obfuscated or if I ended up in the wrong field, but it would be useful if you could send me a pcap. RID 1018 is also odd, "Kurt G\xF6del" -- is the username in unicode or is it being read incorrectly?
You are also missing the 'domains' section, which is also pulled from SAMR. I'm going to take a guess and say that you require administrative privileges to access SAMR.
Ah, my bad. I intended not adding a password field to be a blank password, but I think when I changed from smbpassword to smbhash, I broke that. This is related to the bug filling out the username incorrectly, too; neither should generate an error.

It's hard to give a blank password. Just using --script-args smbusername=user doesn't work, and using --script-args smbusername=user,smbpassword= doesn't work ("Error parsing --script-args"). I had to use --script-args smbusername=user,smbpassword=\'\'
David Fifield
Thanks for the feedback, it's good to know that it's (mostly) working for somebody else!
Ron
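The blank-password problem discussed above comes down to how a "key=value,key=value" argument string is parsed and what a missing or empty smbpassword means. The following is an added illustration written for this archive page, not Nmap's own --script-args parser or Ron's script: a small parser that accepts the three forms mentioned in the thread (no smbpassword key at all, "smbpassword=" with an empty value, and the shell-escaped "smbpassword=''"), and a credential-selection helper that applies the intent Ron states (username without a password means a blank password). The smbhash handling and the anonymous fallback are assumptions made for the example.

```python
# Added example for this archive page; not Nmap's --script-args parser and not
# the script from the patch being discussed. Shows how the argument forms from
# the thread can all be reduced to a blank password without raising an error.

def parse_script_args(argstr):
    """Parse 'k1=v1,k2=v2' into a dict.

    A bare key (no '=') maps to True, 'k=' maps to '', and a value wrapped in
    single or double quotes has the quotes stripped, so "smbpassword=''" also
    yields ''. Commas inside a quoted value are kept as part of the value.
    """
    args = {}
    i = 0
    n = len(argstr)
    while i < n:
        # Read the key up to '=' or ','.
        j = i
        while j < n and argstr[j] not in "=,":
            j += 1
        key = argstr[i:j].strip()
        if j >= n or argstr[j] == ",":
            # Bare key such as "verbose": record it as a flag.
            if key:
                args[key] = True
            i = j + 1
            continue
        j += 1  # skip the '='
        if j < n and argstr[j] in "'\"":
            # Quoted value: read until the matching quote, commas allowed.
            quote = argstr[j]
            k = j + 1
            while k < n and argstr[k] != quote:
                k += 1
            value = argstr[j + 1:k]
            i = k + 1
            if i < n and argstr[i] == ",":
                i += 1
        else:
            # Unquoted value: read until the next ','. An empty value is legal.
            k = j
            while k < n and argstr[k] != ",":
                k += 1
            value = argstr[j:k]
            i = k + 1
        if key:
            args[key] = value
    return args


def smb_credentials(args):
    """Return (username, password, hash) for an SMB login attempt.

    Applies the intent stated in the thread: a username with no smbpassword key
    or an empty one is a blank password. The smbhash-takes-precedence rule and
    the "no username means anonymous" fallback are assumptions for this example.
    """
    username = args.get("smbusername")
    if username in (None, True, ""):
        return ("", "", None)  # assumed anonymous (null-session) login
    password = args.get("smbpassword")
    smbhash = args.get("smbhash")
    if smbhash not in (None, True, ""):
        return (username, None, smbhash)
    if password in (None, True):
        password = ""  # missing or bare key: blank password, not an error
    return (username, password, None)


if __name__ == "__main__":
    for s in ("smbusername=user",
              "smbusername=user,smbpassword=",
              "smbusername=user,smbpassword=''"):
        print(repr(s), "->", smb_credentials(parse_script_args(s)))
```

All three argument strings resolve to ("user", "", None), which is the behaviour Ron says he intended; the parser only errors out if asked to, never on an empty value.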