Nmap Development mailing list archives
Pushed in my changes
From: Ron <ron () skullsecurity net>
Date: Fri, 20 Nov 2009 10:17:29 -0600
Nobody had any issues with smb-enum-groups or my updated output, so I committed the changes into the main trunk. This'll be the last of my changes for a little while, since I'm sort of out of ideas. I didn't want to leave stuff sitting in my branch, though.
I added smb-enum-groups.nse to the CHANGELOG, but not the updated output (I didn't want to mess with it too much while Fyodor was updating it).
As for the updated output, I went with Fyodor's suggestion of delimiting it with spaces. I attached the output of a full smb-* scan against a Windows 2000 machine for your comments.
Ron
Starting Nmap 5.05BETA2 ( http://nmap.org ) at 2009-11-20 10:16 CST
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Loaded 13 scripts for scanning.
Initiating Ping Scan at 10:16
Scanning 10.0.0.30 [2 ports]
Completed Ping Scan at 10:16, 1.11s elapsed (1 total hosts)
Overall sending rates: 2.71 packets / s.
mass_rdns: Using DNS server 4.2.2.1
mass_rdns: Using DNS server 4.2.2.2
Initiating Parallel DNS resolution of 1 host. at 10:16
mass_rdns: 0.02s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 10:16, 0.02s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 10:16
Scanning 10.0.0.30 [1 port]
Discovered open port 445/tcp on 10.0.0.30
Completed Connect Scan at 10:16, 0.01s elapsed (1 total ports)
Overall sending rates: 149.08 packets / s.
NSE: Script scanning 10.0.0.30.
NSE: Starting runlevel 0.5 scan
Initiating NSE at 10:16
NSE: NSE Script Threads (1) running:
NSE: Starting smb-brute against 10.0.0.30.
NSE: SMB: Added account '' to account list
NSE: SMB: Added account 'guest' to account list
NSE: smb-brute: Remote operating system: Windows 5.0
NSE: smb-brute: Trying to get user list from server
NSE: smb-brute: Opening password list
NSE: smb-brute: Starting the initial SMB session
NSE: smb-brute: Server's response to invalid usernames: GUEST_ACCESS
NSE: smb-brute: Server's response to invalid passwords: FAIL
NSE: smb-brute: Invalid username and password response are different, so identifying valid accounts is possible
NSE: smb-brute: Restarting the session before the bruteforce
NSE: smb-brute: Checking which account names exist (based on what goes to the 'guest' account)
NSE: smb-brute: Blank password for 'administrator' => 'FAIL' (probably valid)
NSE: SMB: Checking if guest is an administrator
NSE: SMB: No login type specified, using default (NTLM)
NSE: SMB; is_admin: Couldn't get server stats (may be normal): NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netservergetstatistics) [guest]
NSE: smb-brute: Blank password for 'iusr_ron-win2k-test' => 'FAIL' (probably valid)
NSE: smb-brute: Blank password for 'iwam_ron-win2k-test' => 'FAIL' (probably valid)
NSE: smb-brute: Blank password for 'nmap' => 'FAIL' (probably valid)
NSE: smb-brute: Blank password for 'rontest123' => 'FAIL' (probably valid)
NSE: smb-brute: Blank password for 'sshd' -> 'GUEST_ACCESS' (invalid account)
NSE: smb-brute: Blank password for 'svccopssh' => 'FAIL' (probably valid)
NSE: smb-brute: Blank password for 'test1234' => 'FAIL' (probably valid)
NSE: smb-brute: Blank password for 'testing' => 'FAIL' (probably valid)
NSE: smb-brute: Blank password for 'tsinternetuser' => 'FAIL' (probably valid)
NSE: Finished smb-brute against 10.0.0.30.
Completed NSE at 10:16, 5.20s elapsed
NSE: Starting runlevel 1 scan
Initiating NSE at 10:16
NSE: NSE Script Threads (11) running:
NSE: Starting smb-system-info against 10.0.0.30.
NSE: Starting smb-server-stats against 10.0.0.30.
NSE: Starting smb-security-mode against 10.0.0.30.
NSE: Starting smb-psexec against 10.0.0.30.
NSE: Starting smb-os-discovery against 10.0.0.30.
NSE: Starting smb-enum-users against 10.0.0.30.
NSE: Starting smb-enum-shares against 10.0.0.30.
NSE: Starting smb-enum-sessions against 10.0.0.30.
NSE: Starting smb-enum-processes against 10.0.0.30.
NSE: Starting smb-enum-groups against 10.0.0.30.
NSE: Starting smb-enum-domains against 10.0.0.30.
NSE: smb-psexec: Attempting to find file: default
NSE: smb-psexec: Attempting to load config file: ./nselib/data/psexec/default.lua
NSE: SMB: Attempting to log into the system to enumerate shares
NSE: SMB: Attempting to log into the system to enumerate shares
NSE: MSRPC: Attempting to enumerate groups on 10.0.0.30
NSE: SMB: Found 3 shares, will attempt to find more information
NSE: SMB: Getting information for share: ADMIN$
NSE: SMB: Found 3 shares, will attempt to find more information
NSE: SMB: Getting information for share: ADMIN$
NSE: Finished smb-os-discovery against 10.0.0.30.
NSE: Finished smb-security-mode against 10.0.0.30.
NSE: Finished smb-enum-domains against 10.0.0.30.
NSE: Finished smb-server-stats against 10.0.0.30.
NSE: Finished smb-system-info against 10.0.0.30.
NSE: MSRPC: Found 0 groups in RON-WIN2K-TEST
NSE: MSRPC: Found 6 groups in Builtin
NSE: MSRPC: Adding group 'Administrators' (RID: 544) with 4 members
NSE: MSRPC: Adding group 'Backup Operators' (RID: 551) with 0 members
NSE: MSRPC: Adding group 'Guests' (RID: 546) with 4 members
NSE: MSRPC: Adding group 'Power Users' (RID: 547) with 0 members
NSE: MSRPC: Adding group 'Replicator' (RID: 552) with 0 members
NSE: MSRPC: Adding group 'Users' (RID: 545) with 8 members
NSE: Finished smb-enum-processes against 10.0.0.30.
NSE: SMB: Trying a random share to see if server responds properly: nmap-share-test
NSE: SMB: Checking if share ADMIN$ can be read by the current user
NSE: SMB: Trying a random share to see if server responds properly: nmap-share-test
NSE: SMB: Checking if share ADMIN$ can be read by the current user
NSE: Finished smb-enum-users against 10.0.0.30.
NSE: Finished smb-enum-groups against 10.0.0.30.
NSE: SMB: Checking if share ADMIN$ can be read by the anonymous user
NSE: SMB: Checking if share ADMIN$ can be read by the anonymous user
NSE: Finished smb-enum-sessions against 10.0.0.30.
NSE: SMB: Checking if share ADMIN$ can be written by the current user
NSE: SMB: Checking if share ADMIN$ can be written by the current user
NSE: SMB: Checking if share ADMIN$ can be written by the anonymous user
NSE: SMB: Checking if share ADMIN$ can be written by the anonymous user
NSE: SMB: Failed to get share info for ADMIN$: NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netsharegetinfo)
NSE: SMB: Getting information for share: C$
NSE: SMB: Failed to get share info for ADMIN$: NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netsharegetinfo)
NSE: SMB: Getting information for share: C$
NSE: SMB: Trying a random share to see if server responds properly: nmap-share-test
NSE: SMB: Checking if share C$ can be read by the current user
NSE: SMB: Trying a random share to see if server responds properly: nmap-share-test
NSE: SMB: Checking if share C$ can be read by the current user
NSE: SMB: Checking if share C$ can be read by the anonymous user
NSE: SMB: Checking if share C$ can be read by the anonymous user
NSE: SMB: Checking if share C$ can be written by the current user
NSE: SMB: Checking if share C$ can be written by the current user
NSE: SMB: Checking if share C$ can be written by the anonymous user
NSE: SMB: Checking if share C$ can be written by the anonymous user
NSE: SMB: Failed to get share info for C$: NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netsharegetinfo)
NSE: SMB: Getting information for share: IPC$
NSE: SMB: Failed to get share info for C$: NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netsharegetinfo)
NSE: SMB: Getting information for share: IPC$
NSE: SMB: Trying a random share to see if server responds properly: nmap-share-test
NSE: SMB: Checking if share IPC$ can be read by the current user
NSE: SMB: Trying a random share to see if server responds properly: nmap-share-test
NSE: SMB: Checking if share IPC$ can be read by the current user
NSE: SMB: Checking if share IPC$ can be read by the anonymous user
NSE: SMB: Checking if share IPC$ can be read by the anonymous user
NSE: SMB: Checking if share IPC$ can be written by the current user
NSE: SMB: Checking if share IPC$ can be written by the current user
NSE: SMB: Checking if share IPC$ can be written by the anonymous user
NSE: SMB: Checking if share IPC$ can be written by the anonymous user
NSE: SMB: Failed to get share info for IPC$: NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netsharegetinfo)
NSE: smb-psexec against 10.0.0.30 threw an error!
./scripts/smb-psexec.nse:697: variable 'share' is not declared
stack traceback:
        [C]: in function 'error'
        ./nselib/strict.lua:68: in function <./nselib/strict.lua:59>
        ./scripts/smb-psexec.nse:697: in function 'get_config'
        ./scripts/smb-psexec.nse:1285: in function <./scripts/smb-psexec.nse:1273>
        (tail call): ?
NSE: SMB: Failed to get share info for IPC$: NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netsharegetinfo)
NSE: Finished smb-enum-shares against 10.0.0.30.
Completed NSE at 10:16, 1.75s elapsed
NSE: Starting runlevel 2 scan
Initiating NSE at 10:16
NSE: NSE Script Threads (1) running:
NSE: Starting smb-check-vulns against 10.0.0.30.
NSE: Finished smb-check-vulns against 10.0.0.30.
Completed NSE at 10:16, 0.08s elapsed
NSE: Script Scanning completed.
Nmap scan report for 10.0.0.30
Host is up, received syn-ack (0.0025s latency).
Scanned at 2009-11-20 10:16:03 CST for 8s
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack

Host script results:
|_ smb-brute: guest:<blank> => Login was successful
| smb-os-discovery:
|   OS: Windows 2000 (Windows 2000 LAN Manager)
|   Name: WORKGROUP\RON-WIN2K-TEST
|_  System time: 2009-11-20 10:15:21 UTC-6
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
| smb-enum-domains:
|   RON-WIN2K-TEST (S-1-5-21-1229272821-1409082233-725345543)
|     Groups: n/a
|     Users: Administrator, Guest, IUSR_RON-WIN2K-TEST, IWAM_RON-WIN2K-TEST, nmap, rontest123, sshd, SvcCOPSSH, test1234, Testing, TsInternetUser
|     Creation time: 2008-10-10 05:42:45
|     Passwords: min length: 8 characters; min age: 4 days; max age: 40 days; history: 10 passwords
|     Account lockout disabled
|   Builtin (S-1-5-32)
|     Groups: Administrators, Backup Operators, Guests, Power Users, Replicator, Users
|     Users: n/a
|     Creation time: 2008-10-10 05:42:45
|     Passwords: min length: n/a; min age: n/a; max age: 42 days; history: n/a
|_    Account lockout disabled
|_ smb-server-stats:
|_ smb-enum-processes: ERROR: NT_STATUS_WERR_ACCESS_DENIED (winreg.openhkpd)
| smb-enum-users:
|   RON-WIN2K-TEST\Administrator (RID: 500)
|     Description: Built-in account for administering the computer/domain
|     Flags: Password does not expire, Normal user account
|   RON-WIN2K-TEST\Guest (RID: 501)
|     Description: Built-in account for guest access to the computer/domain
|     Flags: Password not required, Password does not expire, Normal user account
|   RON-WIN2K-TEST\IUSR_RON-WIN2K-TEST (RID: 1001)
|     Full name: Internet Guest Account
|     Description: Built-in account for anonymous access to Internet Information Services
|     Flags: Password not required, Password does not expire, Normal user account
|   RON-WIN2K-TEST\IWAM_RON-WIN2K-TEST (RID: 1002)
|     Full name: Launch IIS Process Account
|     Description: Built-in account for Internet Information Services to start out of process applications
|     Flags: Password not required, Password does not expire, Normal user account
|   RON-WIN2K-TEST\nmap (RID: 1011)
|     Flags: Normal user account
|   RON-WIN2K-TEST\rontest123 (RID: 1013)
|     Flags: Normal user account
|   RON-WIN2K-TEST\sshd (RID: 1010)
|     Full name: sshd privsep
|     Flags: Account disabled, Normal user account
|   RON-WIN2K-TEST\SvcCOPSSH (RID: 1009)
|     Description: copSSH service account
|     Flags: Password does not expire, Normal user account
|   RON-WIN2K-TEST\test1234 (RID: 1005)
|     Flags: Normal user account
|   RON-WIN2K-TEST\Testing (RID: 1006)
|     Full name: Testing
|     Flags: Password does not expire, Normal user account
|   RON-WIN2K-TEST\TsInternetUser (RID: 1000)
|     Full name: TsInternetUser
|     Description: This user account is used by Terminal Services.
|_    Flags: Password not required, Password does not expire, Normal user account
| smb-enum-groups:
|   Builtin\Administrators (RID: 544): Administrator, SvcCOPSSH, test1234, Testing
|   Builtin\Guests (RID: 546): Guest, TsInternetUser, IUSR_RON-WIN2K-TEST, IWAM_RON-WIN2K-TEST
|   Builtin\Replicator (RID: 552): <empty>
|   Builtin\Power Users (RID: 547): <empty>
|   Builtin\Users (RID: 545): test1234, Testing, sshd, nmap, rontest123
|_  Builtin\Backup Operators (RID: 551): <empty>
| smb-enum-sessions:
|   Users logged in
|     RON-WIN2K-TEST\Administrator since <unknown>
|   Active SMB sessions
|_    GUEST is connected from 10.0.0.138 for [just logged in, it's probably you], idle for [not idle]
| smb-enum-shares:
|   ADMIN$ (WARNING: Couldn't get details for share: NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netsharegetinfo))
|     Anonymous access: <none>
|     Current user ('guest') access: <none>
|   C$ (WARNING: Couldn't get details for share: NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netsharegetinfo))
|     Anonymous access: <none>
|     Current user ('guest') access: <none>
|   IPC$ (WARNING: Couldn't get details for share: NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netsharegetinfo))
|     Anonymous access: READ <not a file share>
|_    Current user ('guest') access: READ <not a file share>
| smb-check-vulns:
|   MS08-067: NOT VULNERABLE
|   Conficker: Likely CLEAN
|   regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
|_  SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
Final times for host: srtt: 2534 rttvar: 3067 to: 100000
Read from .: nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 8.44 seconds
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
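What makes the attached scan worth reading closely is not the new output format itself but what it reveals: smb-enum-groups shows three non-default accounts (SvcCOPSSH, test1234, Testing) in Builtin\Administrators, and smb-security-mode shows all of it was gathered over a guest session on a host with SMB message signing disabled. As an added example (this is not Ron's code and not part of Nmap), the Python below parses the "Host script results" block of Nmap's normal output, recovers the domain/group/RID/member structure from smb-enum-groups, and flags both findings. The privileged RIDs are Windows' well-known builtin RIDs; the sample output is a constructed excerpt modelled on the scan in the post; the function names (`split_host_scripts`, `parse_groups`, `audit`) are this example's own.

```python
"""Triage smb-enum-groups and smb-security-mode results from Nmap normal output.

Added example for this thread, not Ron's code and not part of Nmap. The
privileged-group table uses Windows' fixed builtin RIDs; the default-member
set assumes a standalone (workgroup) host, as in the posted scan.
"""
import re
from typing import Dict, List, Tuple

# Builtin groups whose members can take over the host. These RIDs are fixed
# on every Windows installation, so they are safer to key on than names.
PRIVILEGED_RIDS = {
    544: "Administrators",
    548: "Account Operators",
    549: "Server Operators",
    551: "Backup Operators",
}

# Members Windows itself puts in these groups on a standalone host. A
# domain-joined host would additionally have 'Domain Admins' in RID 544.
DEFAULT_MEMBERS = {544: {"administrator"}}

# Script header: '| smb-enum-groups:' or '|_ smb-brute: <one-line result>'.
# Exactly one space follows the bar; indented child lines have more and so
# do not match this pattern.
SCRIPT_HEADER_RE = re.compile(r"^\|_? (?P<name>[A-Za-z0-9-]+):(?P<rest>.*)$")

# One smb-enum-groups line after the bar and indentation are stripped, e.g.
# 'Builtin\Administrators (RID: 544): Administrator, SvcCOPSSH'.
GROUP_RE = re.compile(
    r"^(?P<domain>[^\\]+)\\(?P<group>[^(]+?) \(RID: (?P<rid>\d+)\): (?P<members>.*)$"
)

# Constructed excerpt modelled on the scan in the post (not the real attachment).
SAMPLE_OUTPUT = """\
Nmap scan report for 10.0.0.30
Host is up, received syn-ack (0.0025s latency).

PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack

Host script results:
|_ smb-brute: guest:<blank> => Login was successful
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
| smb-enum-groups:
|   Builtin\\Administrators (RID: 544): Administrator, SvcCOPSSH, test1234, Testing
|   Builtin\\Guests (RID: 546): Guest, TsInternetUser, IUSR_RON-WIN2K-TEST, IWAM_RON-WIN2K-TEST
|   Builtin\\Replicator (RID: 552): <empty>
|   Builtin\\Power Users (RID: 547): <empty>
|   Builtin\\Users (RID: 545): test1234, Testing, sshd, nmap, rontest123
|_  Builtin\\Backup Operators (RID: 551): <empty>

Nmap done: 1 IP address (1 host up) scanned in 8.44 seconds
"""


def split_host_scripts(output: str) -> Dict[str, List[str]]:
    """Return {script_name: [result lines]} for the 'Host script results' block."""
    scripts: Dict[str, List[str]] = {}
    current = None
    in_block = False
    for line in output.splitlines():
        if line.startswith("Host script results:"):
            in_block = True
            continue
        if not in_block:
            continue
        if not line.startswith("|"):
            break  # first non-bar line ends the block
        m = SCRIPT_HEADER_RE.match(line)
        if m:
            current = m.group("name")
            scripts[current] = []
            if m.group("rest").strip():  # one-line result on the header itself
                scripts[current].append(m.group("rest").strip())
        elif current is not None:
            scripts[current].append(line.lstrip("|_").strip())
    return scripts


def parse_groups(lines: List[str]) -> Dict[Tuple[str, str, int], List[str]]:
    """Map (domain, group, rid) -> member list; '<empty>' becomes []."""
    groups: Dict[Tuple[str, str, int], List[str]] = {}
    for line in lines:
        m = GROUP_RE.match(line)
        if not m:
            continue
        raw = m.group("members").strip()
        members = [] if raw == "<empty>" else [x.strip() for x in raw.split(",")]
        groups[(m.group("domain"), m.group("group"), int(m.group("rid")))] = members
    return groups


def find_privileged_members(groups) -> List[Tuple[str, int, str]]:
    """(group, rid, member) for every member of a privileged group that Windows
    does not place there by default. Sorted by RID so output is stable."""
    findings = []
    for (domain, name, rid), members in sorted(groups.items(), key=lambda kv: kv[0][2]):
        if rid not in PRIVILEGED_RIDS:
            continue
        defaults = DEFAULT_MEMBERS.get(rid, set())
        for member in members:
            if member.lower() not in defaults:
                findings.append((f"{domain}\\{name}", rid, member))
    return findings


def security_mode_findings(lines: List[str]) -> List[str]:
    """Short codes for weak settings reported by smb-security-mode."""
    findings = []
    for line in lines:
        if line.startswith("Account that was used for smb scripts:"):
            if line.split(":", 1)[1].strip().lower() == "guest":
                findings.append("guest_session")  # enumeration worked unauthenticated
        elif line.startswith("Message signing disabled"):
            findings.append("signing_disabled")  # sessions can be relayed or tampered with
    return findings


def audit(output: str) -> Dict[str, list]:
    """Run both checks over one host's Nmap normal output."""
    scripts = split_host_scripts(output)
    return {
        "privileged_members": find_privileged_members(parse_groups(scripts.get("smb-enum-groups", []))),
        "security_mode": security_mode_findings(scripts.get("smb-security-mode", [])),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_OUTPUT)
    for group, rid, member in result["privileged_members"]:
        print(f"[!] {member} is in {group} (RID {rid}) and is not a default member")
    for code in result["security_mode"]:
        print(f"[!] smb-security-mode: {code}")
```

Run it against a saved `nmap -oN` file by reading the file into `audit()` in place of `SAMPLE_OUTPUT`; keying on RIDs rather than group names keeps the check correct on localized Windows installs, where "Administrators" is spelled differently but RID 544 is not.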
Current thread:
- Pushed in my changes Ron (Nov 20)
- Re: Pushed in my changes Fyodor (Nov 22)