mailing list archives
Re: Conficker Scan - ERROR: SMB: Couldn't find a NetBIOS name
From: Ron <ron () skullsecurity net>
Date: Wed, 01 Apr 2009 08:58:35 -0500
I'm not too worried about this, but just as a FYI I've found an error /
response which seems not to have been reported by anyone else.
Host 192.168.0.59 appears to be up ... good.
Interesting ports on 192.168.0.59:
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp closed microsoft-ds
MAC Address: 00:12:3F:AF:AC:98 (Dell)
Host script results:
| MS08-067: NOT RUN
| Conficker: ERROR: SMB: Couldn't find a NetBIOS name that works
for the server. Sorry!
|_ regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)
My knowledge of NetBIOS is pretty sketchy, but I'd have expected this
machine to respond in a similar manner to all the others on the LAN as
they're all on an MS domain managed by an SBS 2003 server. The only
thing that's remarkable about this particular machine is that it's a
laptop; there is at least one other laptop normally on the LAN, but this
is the only one in the office at this time. I think that laptops are
configured slightly differently by MS's domain management stuff, in that
users may be assigned to a laptop to allow them to log in to the machine
when the domain controller cannot be contacted, and the users are
allowed to use offline caches of network file shares (which are synced
when the user returns to the office). I don't know if this makes any
Adjacent machines show either "Likely CLEAN" or
"NT_STATUS_ACCESS_DENIED" (as per my other message).
I've attached what diagnostics I can think of,
That's a bit of a tricky question, but I'll try to answer it clearly.
There are two ports that can be used for talking SMB with Windows -- 139
and 445. 445 is considered "raw", you just get up and go. 139 is
considered "SMB over NetBIOS", and requires a handshake.
That handshake requires the server's name. So if you have TESTBOX314,
the handshake says "Hello, TESTBOX314!". Sometimes you can use a generic
name. Iirc it's "*SMBSERVE", or something like that.
In my scripts, I first check port 445. If that fails (port is closed,
firewalled, etc) I fall back to port 139. But before that, I send a
NetBIOS name request (essentially, nbstat) on UDP/137 to get the
server's name. Then, I try negotiating 139 with the name returned (if
any), and generic names. If they all fail, I give up and print that
Some of our servers at work have locked-down profiles, and the exact
same thing happens -- port 445 is closed, and port 139 refuses to talk
no matter what name is chosen.
Hopefully that helps!
Sent through the nmap-dev mailing list
Archived at http://SecLists.Org
- Re: Conficker Scan - ERROR: SMB: Couldn't find a NetBIOS name Ron (Apr 01)