Nmap Development mailing list archives
Re: smb-psexec against Windows 7 Enterprise (32bit)
From: Ron <ron () skullsecurity net>
Date: Fri, 16 Aug 2013 23:22:29 -0500
I'm reasonably sure this is an issue with UAC. Can you try disabling UAC and seeing if that works?

Ron

On 2013-08-16 20:50, David Fifield wrote:
On Mon, Aug 12, 2013 at 06:19:32PM -0400, Mark Baseggio wrote:

I have been playing with smb-exec and some VMs, trying to get just the default configuration working to no avail. I was hoping someone could possibly shed some light on the situation. I have included the full debug output of the command. I am beginning to think that something is broken because of all the "Invalid NTLM challenge message: unexpected signature" messages. As you will see, smb-psexec finds a writeable share, but then is unable to launch the service. If you have any ideas or know what the issue is I'd appreciate your help.

Ron, I think we talked about the state of SMB scripts lately. Is smb-psexec likely to work in this configuration?

David Fifield

--snip--
$ nmap -d -n -p445 --script smb-psexec --script-args=smbuser=testuser,smbpass=password 192.168.2.28

Starting Nmap 6.40 ( http://nmap.org ) at 2013-08-12 23:11 ric
Winpcap present, dynamic linked to: WinPcap version 4.1.2 (packet.dll version 4.1.0.2001), based on libpcap version 1.0 branch 1_0_rel0b (20091008)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.2.
NSE: Script Arguments seen from CLI: smbuser=testuser,smbpass=password
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating ARP Ping Scan at 23:11
Scanning 192.168.2.28 [1 port]
Packet capture filter (device eth0): arp and arp[18:4] = 0x10BF48BA and arp[22:2] = 0xED97
Completed ARP Ping Scan at 23:11, 0.12s elapsed (1 total hosts)
Overall sending rates: 8.06 packets / s, 338.71 bytes / s.
Initiating SYN Stealth Scan at 23:11
Scanning 192.168.2.28 [1 port]
Packet capture filter (device eth0): dst host 192.168.2.12 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 192.168.2.28)))
Discovered open port 445/tcp on 192.168.2.28
Completed SYN Stealth Scan at 23:11, 0.00s elapsed (1 total ports)
Overall sending rates: 1000.00 packets / s, 44000.00 bytes / s.
NSE: Script scanning 192.168.2.28.
NSE: Starting runlevel 1 (of 1) scan.
NSE: Starting smb-psexec against 192.168.2.28.
Initiating NSE at 23:11
NSE: smb-psexec: Looking for the service file: nmap_service or nmap_service.exe
NSE: smb-psexec: Attempting to find file: nmap_service
NSE: smb-psexec: Attempting to find file: default
NSE: smb-psexec: Attempting to load config file: C:\Program Files (x86)\Nmap/nselib/data/psexec/default.lua
NSE: SMB: Attempting to log into the system to enumerate shares
NSE: SMB: Added account '' to account list
NSE: SMB: Added account 'guest' to account list
NSE: SMB: Added account 'testuser' to account list
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Found 3 shares, will attempt to find more information
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Trying a random share to see if server responds properly: nmap-share-test
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Trying a random share to see if server responds properly: nmap-share-test
NSE: SMB: Getting information for share: ADMIN$
NSE: SMB: Checking if share ADMIN$ can be read by the current user
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Checking if share ADMIN$ can be read by the anonymous user
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Checking if share ADMIN$ can be written by the current user
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Checking if share ADMIN$ can be written by the anonymous user
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Getting information for share: C$
NSE: SMB: Checking if share C$ can be read by the current user
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Checking if share C$ can be read by the anonymous user
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Checking if share C$ can be written by the current user
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Checking if share C$ can be written by the anonymous user
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Getting information for share: IPC$
NSE: SMB: Checking if share IPC$ can be read by the current user
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Checking if share IPC$ can be read by the anonymous user
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Checking if share IPC$ can be written by the current user
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Checking if share IPC$ can be written by the anonymous user
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: smb-psexec: Found usable share ADMIN$ (C:\Windows) (all writable shares: ADMIN$, C$)
NSE: smb-psexec: Generated static service name: 1c59c462
NSE: smb-psexec: Generated static service name: 1c59c462
NSE: smb-psexec: Generated static service filename: 80422d23.out.tmp
NSE: smb-psexec: Generated static output filename: b3880403.out
NSE: smb-psexec: Verifying uploadable executables exist
NSE: smb-psexec: Timeout waiting for a response is 38 seconds
NSE: smb-psexec: Replacing variables in the modules' fields
NSE: smb-psexec: Entering cleanup() -- errors here can generally be ignored
NSE: Stopping service: 1c59c462
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: smb-psexec: [cleanup] Couldn't stop service: NT_STATUS_SERVICE_DOES_NOT_EXIST (svcctl.openservicew)
NSE: Deleting service: 1c59c462
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: smb-psexec: [cleanup] Couldn't delete service: NT_STATUS_SERVICE_DOES_NOT_EXIST (svcctl.openservicew)
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Couldn't delete ADMIN$\b3883143.txt: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: SMB: Couldn't delete ADMIN$\b3880403.out: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: SMB: Couldn't delete ADMIN$\80422d23.out.tmp: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Couldn't delete C$\b3883143.txt: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: SMB: Couldn't delete C$\b3880403.out: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: SMB: Couldn't delete C$\80422d23.out.tmp: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: smb-psexec: Leaving cleanup()
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: smb-psexec: Uploading: C:\Program Files (x86)\Nmap/nselib/data/psexec/nmap_service.exe => \\ADMIN$\b3883143.txt
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: smb-psexec: Service file successfully uploaded!
NSE: smb-psexec: Attempting to upload the modules
NSE: smb-psexec: Modules successfully uploaded!
NSE: Creating service: 1c59c462 (C:\Windows\b3883143.txt)
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: Starting service: 1c59c462
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: Opening the remote service manager
NSE: smb-psexec: Couldn't start the service: NT_STATUS_WERR_ACCESS_DENIED (svcctl.startservicew)
NSE: smb-psexec: Entering cleanup() -- errors here can generally be ignored
NSE: Stopping service: 1c59c462
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: smb-psexec: [cleanup] Couldn't stop service: NT_STATUS_SERVICE_NOT_ACTIVE (svcctl.controlservice)
NSE: Deleting service: 1c59c462
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Couldn't delete ADMIN$\b3880403.out: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: SMB: Couldn't delete ADMIN$\80422d23.out.tmp: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: SMB: Couldn't delete C$\b3883143.txt: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: SMB: Couldn't delete C$\b3880403.out: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: SMB: Couldn't delete C$\80422d23.out.tmp: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: smb-psexec: Leaving cleanup()
NSE: Finished smb-psexec against 192.168.2.28.
Completed NSE at 23:11, 0.49s elapsed
Nmap scan report for 192.168.2.28
Host is up, received arp-response (0.0010s latency).
Scanned at 2013-08-12 23:11:26 ric for 1s
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack
MAC Address: 00:0C:29:95:E2:95 (VMware)

Host script results:
| smb-psexec:
|_  ERROR: Couldn't start the service on the remote machine: NT_STATUS_WERR_ACCESS_DENIED (svcctl.startservicew)
Final times for host: srtt: 1000 rttvar: 3750 to: 100000
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Read from C:\Program Files (x86)\Nmap: nmap-mac-prefixes nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 1.80 seconds
           Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
--snip--
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
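A small triage helper for this kind of `nmap -d` smb-psexec output, added here as an example and not part of the thread or of Nmap itself: it counts the "Invalid NTLM challenge message" warnings separately from real errors, sets aside NT_STATUS errors raised inside cleanup() (which the script itself says can be ignored), and flags the one combination that matters above, a successful upload to ADMIN$ followed by NT_STATUS_WERR_ACCESS_DENIED on svcctl.startservicew, which Ron attributes to UAC. The log excerpt is constructed from lines quoted in the thread.

```python
import re

# Constructed excerpt modelled on the debug output quoted in this thread
SAMPLE_LOG = """\
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: smb-psexec: Found usable share ADMIN$ (C:\\Windows) (all writable shares: ADMIN$, C$)
NSE: smb-psexec: Entering cleanup() -- errors here can generally be ignored
NSE: smb-psexec: [cleanup] Couldn't stop service: NT_STATUS_SERVICE_DOES_NOT_EXIST (svcctl.openservicew)
NSE: SMB: Couldn't delete ADMIN$\\b3883143.txt: NT_STATUS_OBJECT_NAME_NOT_FOUND
NSE: smb-psexec: Leaving cleanup()
NSE: Creating service: 1c59c462 (C:\\Windows\\b3883143.txt)
NSE: SMB: Invalid NTLM challenge message: unexpected signature.
NSE: smb-psexec: Couldn't start the service: NT_STATUS_WERR_ACCESS_DENIED (svcctl.startservicew)
NSE: smb-psexec: Entering cleanup() -- errors here can generally be ignored
NSE: smb-psexec: [cleanup] Couldn't stop service: NT_STATUS_SERVICE_NOT_ACTIVE (svcctl.controlservice)
NSE: smb-psexec: Leaving cleanup()
"""

STATUS_RE = re.compile(r"(NT_STATUS_[A-Z_]+)(?: \(([a-z.]+)\))?")   # status and optional RPC call
SHARES_RE = re.compile(r"all writable shares: ([^)]+)\)")

def triage(log):
    """Separate the noisy NTLM warnings and cleanup() errors from the real failure."""
    result = {"ntlm_warnings": 0, "writable_shares": [], "errors": [], "cleanup_errors": []}
    in_cleanup = False
    for line in log.splitlines():
        if "Invalid NTLM challenge message" in line:
            result["ntlm_warnings"] += 1        # logged on every session setup; not the failure
            continue
        if "Entering cleanup()" in line:
            in_cleanup = True
        elif "Leaving cleanup()" in line:
            in_cleanup = False
        m = SHARES_RE.search(line)
        if m:
            result["writable_shares"] = [s.strip() for s in m.group(1).split(",")]
        m = STATUS_RE.search(line)
        if m:
            key = "cleanup_errors" if in_cleanup else "errors"
            result[key].append((m.group(1), m.group(2)))
    return result

def diagnose(summary):
    """Map the triage result to the situations discussed in the thread."""
    if not summary["writable_shares"]:
        return "no writable share: credentials or share permissions"
    if ("NT_STATUS_WERR_ACCESS_DENIED", "svcctl.startservicew") in summary["errors"]:
        return "upload worked but service start denied: check UAC for this account (Ron's suggestion)"
    return "no fatal error outside cleanup()"
```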
Current thread:
- smb-psexec against Windows 7 Enterprise (32bit) Mark Baseggio (Aug 13)
- Re: smb-psexec against Windows 7 Enterprise (32bit) David Fifield (Aug 16)
- Re: smb-psexec against Windows 7 Enterprise (32bit) Ron (Aug 16)
- Re: smb-psexec against Windows 7 Enterprise (32bit) Mark Baseggio (Aug 17)
- Re: smb-psexec against Windows 7 Enterprise (32bit) Ron (Aug 17)
- Re: smb-psexec against Windows 7 Enterprise (32bit) Mark Baseggio (Aug 19)
- Re: smb-psexec against Windows 7 Enterprise (32bit) Ron (Aug 19)
- Re: smb-psexec against Windows 7 Enterprise (32bit) Mark Baseggio (Aug 23)
- Re: smb-psexec against Windows 7 Enterprise (32bit) Ron (Aug 16)
- Re: smb-psexec against Windows 7 Enterprise (32bit) David Fifield (Aug 16)