Nmap Development mailing list archives

Failed authentication with smb-psexec.nse


From: Francois Lachance <digitallachance () gmail com>
Date: Tue, 23 Nov 2010 11:21:53 -0600

I have been trying to use the smb-psexec.nse script in order to run an
executable on a Windows target.  Unfortunately, I am not getting past the
authentication part.

I have attached two packet captures, one of the nmap attempt and one of a
Windows client making a drive connection.  The capture shows the SMB
Command: Negotiate Protocol (0x72) and the result from the target.  From
what I can tell, the key difference is found when comparing the returned
result on line 239 of nmap-nego-proto.txt and line 243 of
explorer-nego-proto.txt.  In the successful connection, the returned
response is "Dialect Index: 5: NT LM 0.12", whereas in the failed attempt,
the returned response is "Dialect Index: 0: NT LM 0.12".

From what I can see, our network has been configured (through GPO) to only
use NTLMv2 authentication (Send NTLMv2 response only\refuse LM).

Since I am not seeing NTLMv2 in the list of requested protocols in the packet
trace of the nmap capture (lines 112-121 in nmap-nego-proto.txt), am I right
in assuming that smb-psexec will never work in my environment?

I would wager that implementing NTLMv2 is not a trivial task...

Thanks!

Attachment: explorer-nego-proto.txt
Attachment: nmap-nego-proto.txt

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
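The NTLMv2 computation the poster is asking about (MS-NLMP section 3.3.2), as an added example in Python. This is not nmap or smb-psexec code; the user, domain, password, challenges and NetBIOS names are constructed test inputs modelled on the MS-NLMP 4.2.4 sample, and the block carries its own MD4 because hashlib often lacks it on OpenSSL 3 builds. One point worth separating from the post: LM/NTLM/NTLMv2 selection happens in Session Setup AndX, not in the Negotiate Protocol dialect list, and "Dialect Index" is simply the position of the chosen dialect in the list the client offered, so a client that offers only "NT LM 0.12" is answered with index 0.

```python
"""NTLMv2 challenge/response (MS-NLMP 3.3.2) with a self-contained MD4.

Added example, not nmap code.  The NT hash is MD4 over the UTF-16LE password;
everything else in NTLMv2 is HMAC-MD5 keyed from it.  This is what a client
must produce when the target is set to "Send NTLMv2 response only\\refuse LM".
"""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320): padding, 3 rounds of 16 steps per 64-byte block."""
    def rotl(x, s):
        return ((x << s) | (x >> (32 - s))) & MASK
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (F, 0x00000000, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = A, B, C, D
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a, b, c, d = d, rotl((a + fn(b, c, d) + X[idx] + k) & MASK, shifts[i % 4]), b, c
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D)


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password (this is what a DC stores)."""
    return md4(password.encode("utf-16le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)); the domain keeps its case."""
    return hmac_md5(nt_hash(password), (user.upper() + domain).encode("utf-16le"))


def av_pairs(nb_domain: str, nb_server: str) -> bytes:
    """Minimal TargetInfo: MsvAvNbDomainName (2), MsvAvNbComputerName (1), MsvAvEOL (0)."""
    out = b""
    for av_id, val in ((2, nb_domain), (1, nb_server)):
        v = val.encode("utf-16le")
        out += struct.pack("<HH", av_id, len(v)) + v
    return out + struct.pack("<HH", 0, 0)


def ntlmv2_blob(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """The 'temp' structure: version bytes, FILETIME, 8-byte client nonce, TargetInfo copy."""
    assert len(client_challenge) == 8
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(password, user, domain, server_challenge, blob):
    """Client side: returns (NtChallengeResponse, SessionBaseKey)."""
    key = ntowf_v2(password, user, domain)
    nt_proof = hmac_md5(key, server_challenge + blob)
    return nt_proof + blob, hmac_md5(key, nt_proof)


def verify_ntlmv2(stored_nt_hash, user, domain, server_challenge, response):
    """Server/DC side: only the NT hash is needed, never the password; constant-time compare."""
    nt_proof, blob = response[:16], response[16:]
    key = hmac_md5(stored_nt_hash, (user.upper() + domain).encode("utf-16le"))
    return hmac.compare_digest(nt_proof, hmac_md5(key, server_challenge + blob))


if __name__ == "__main__":
    # Constructed inputs modelled on the MS-NLMP 4.2.4 sample; hypothetical test data only.
    server_chal = bytes.fromhex("0123456789abcdef")
    blob = ntlmv2_blob(0, b"\xaa" * 8, av_pairs("Domain", "Server"))
    resp, sbk = ntlmv2_response("Password", "User", "Domain", server_chal, blob)
    print("NTOWFv2       :", ntowf_v2("Password", "User", "Domain").hex())
    print("NTProofStr    :", resp[:16].hex())
    print("SessionBaseKey:", sbk.hex())
    print("verifies      :", verify_ntlmv2(nt_hash("Password"), "User", "Domain", server_chal, resp))
```

verify_ntlmv2 is the DC-side view of the exchange: it needs only the stored NT hash and the same server challenge, which is why a client implementation is essentially the HMAC chain above plus the AV_PAIR TargetInfo copied verbatim from the server's CHALLENGE_MESSAGE into the blob. The response is bound to both nonces, so a replay against a different server challenge fails verification.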