Nmap Development mailing list archives
Re: [NSE] MSRPC Libraries (stable, I hope!)
From: Ron <ron () skullsecurity net>
Date: Wed, 29 Oct 2008 08:55:09 -0500
David Fifield wrote:
> On Tue, Oct 28, 2008 at 10:19:13AM -0500, Ron wrote:
> <snip>

Yeah, I agree. Re-doing a lot of the output of my scripts is on my list of things to do, particularly to make it more consistent and cleaner, so maybe I'll do it tonight.

> (In this case if I run with -d I get the familiar "SCRIPT ENGINE DEBUG: Login as \anything failed, so Windows automatically logged you in as a guest (this may be due to an incorrect username, or the system policy may be set to only allow guest logins (Windows XP Professional does so by default)", just so you know what's happening.)
>
> My feeling is that this output is too verbose (I didn't use -v). Like in "MSRPC: List of user accounts" there was an error in one method of enumerating accounts, but I still got the whole list through another method. The error message should be hidden except in debug mode. Same with "System info", "MSRPC: Server statistics", "MSRPC: List of domains": they all show output that only shows that they failed to run.
>
> In "MSRPC: NetSessEnum()" it says nobody is logged in, but I was logged in at the time of the scan. Is it because of the NT_STATUS_WERR_ACCESS_DENIED error in the next line? If so, the script should avoid saying that nobody is logged in, if it's not known.
>
> I got a lot more information just by putting "--script-args smbuser=anything", and it can be literally anything: a real user name, a nonexistent one, even an empty string. Ron didn't mention it, but there's an "smbguest" script arg, which, if it's set to "true", automatically tries the guest account so you don't have to give a phony user name.
If somebody wants to make suggestions (or even mock up David's results to show what you'd prefer to see), that'd save me a lot of thinking (I'm not a designer :) ).
This may be another topic, but right now I'm not a huge fan of how the script results work in general (prepending the 'id' to the message) -- it feels very limiting. That's where the "List of user accounts" and "NetSessEnum()" bits come from.
Something I'd be interested in for the future is being able to build a tree of information that you return, and that's formatted for the commandline, but that can also be formatted in XML or something that zenmap can handle. That's something that'll affect every script, though, so maybe I'll bring it up in its own thread at some point.
> The next tests are with the "Classic" login mode, which allows authenticating as a real user. If I give no script args, I get the same result as I did in "Guest only" mode (little information). The same thing happens if I give a real user name and the wrong password. If I give a nonexistent smbuser, I get the same result as in "Guest only" mode (just guest information). Here's what happens if I use an administrator login.
> <snip>
>
> Holy cow! That's an impressive amount of information. This is a faster way to learn my CPU clock speed than logging in and looking for it in the control panel.
Heh, funny, eh?

I was sort of thinking of pulling more information (this is all just straight from the registry) like a device list, installed programs, windows patches, etc. -- I don't know how far I want to go right now, though. This is almost more on the administration side of things than on the pen-testing side, and I'm not sure where I prefer to keep my focus.

Unfortunately (for us :) ), as Brandon pointed out, accounts with blank passwords are automatically limited. I've been performing my tests with admin, user, guest, anonymous accounts, in addition to admin and user with blank passwords, and the results (on some systems) are quite different.

> I have an administrator account with no password. If I use smbuser and not smbpass, it appears to try to use a blank password, but it doesn't work. I see
>
> SCRIPT ENGINE DEBUG: SMB: Couldn't determine which password to use, using a blank one
> SCRIPT ENGINE DEBUG: Login as \david failed, so Windows automatically logged you in as a guest (this may be due to an incorrect username, or the system policy may be set to only allow guest logins (Windows XP Professional does so by default)
>
> And then I get the limited guest user output. Is this expected? Do you want a packet capture, or does Windows restrict passwordless accounts like this?
>
> David Fifield
Ron

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
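As an added illustration (not code from the thread or from Nmap) of the two output points raised in the message above, here is a result tree that renders for the terminal and as XML and reports a denied lookup as unknown rather than as an empty result; the node names, status values and XML shape are assumptions, not Nmap's actual API:

```python
# Added example (not code from the thread or Nmap): a result tree of the kind Ron
# describes, rendered for the terminal and as XML, keeping the "unknown" state
# David asks for. Names, statuses and the XML shape are assumed, not Nmap's API.
from dataclasses import dataclass, field
from xml.etree import ElementTree as ET

OK, DENIED, ERROR = "ok", "denied", "error"

@dataclass
class Node:
    name: str
    status: str = OK                 # ok, denied or error
    value: object = None             # str, list of str, or None
    children: list = field(default_factory=list)

def render_text(node, debug=False, depth=0):
    """Indented text output. Plain errors are hidden unless debug (-d) is set;
    a denied lookup is always shown as unknown, never as an empty result."""
    pad, lines = "  " * depth, []
    if node.status == OK:
        val = ", ".join(node.value) if isinstance(node.value, list) else node.value
        lines.append(f"{pad}{node.name}" + (f": {val}" if val is not None else ""))
    elif node.status == DENIED:
        lines.append(f"{pad}{node.name}: unknown (access denied)")
    elif debug:                      # ERROR: only worth showing with -d
        lines.append(f"{pad}{node.name}: ERROR: {node.value}")
    for child in node.children:
        lines.extend(render_text(child, debug, depth + 1))
    return lines

def render_xml(node):
    """The same tree as XML for a front end to consume (illustrative shape)."""
    elem = ET.Element("table", key=node.name, status=node.status)
    if isinstance(node.value, list):
        for item in node.value:
            ET.SubElement(elem, "elem").text = item
    elif node.value is not None:
        elem.text = str(node.value)
    for child in node.children:
        elem.append(render_xml(child))
    return elem

def sample_scan():
    """Constructed sample modelled on the results discussed in the thread."""
    users = Node("List of user accounts", OK, ["Administrator", "Guest", "david"])
    users.children.append(Node("LSA lookup", ERROR, "NT_STATUS_ACCESS_DENIED"))
    root = Node("smb-enum")
    root.children += [users, Node("NetSessEnum()", DENIED),
                      Node("Server statistics", ERROR, "NT_STATUS_WERR_ACCESS_DENIED")]
    return root
```

Without debug the user list is printed while the failed secondary method and the failed statistics call are suppressed, but the denied session lookup still shows as unknown; with debug=True the two errors appear as well.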