
Nmap Development mailing list archives

RE: [NSE] Additional information for smb-os-discovery.nse
From: "Rob Nicholls" <robert () robnicholls co uk>
Date: Wed, 20 Apr 2011 22:21:09 +0100

Hi Chris,

Personally, I think all of this information would be really useful and I'd
love to see the patch added to the existing script.

The only downside is I'd be using Patrik's fantastic MBEnum less often ;-)

Rob

-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org]
On Behalf Of Chris Woodbury
Sent: 20 April 2011 21:33
To: Nmap-Dev
Subject: [NSE] Additional information for smb-os-discovery.nse

I would like to propose some additions to the smb-os-discovery script,
namely the following:
* DNS host name
* DNS domain name
* DNS forest name
* FQDN

This information can be retrieved from the NTLMSSP data (a.k.a.
security blob) in an SMB_COM_SESSION_SETUP_ANDX response in extended-security
mode. The attached patch implements this with the following changes:
* A new "get_host_info_from_security_blob()" function in smbauth.lua, which
parses the information from the NTLMSSP data.
* A call to the new function in smb.start_session_extended().
* Changes to smb.get_os() to start an extended-security session to get the
new information (unfortunately, this requires a second session - the
hostname and domain name aren't returned in the SMB_COM_NEGOTIATE response
if the extended security flag is set).
* Changes to smb-os-discovery.nse to output the new information.
* There are a few variables where I needed to handle nils explicitly in
smb-os-discovery, so, for the sake of consistency, I removed the
stdnse.string_or_blank() calls in smb.get_os() and did all of the
nil-handling in the script. The only other script that uses
smb.get_os() is smb-brute, which needed a very small change to handle the
different output.
* I also made some small changes throughout smb.lua to add documentation
where I thought it would help, and to fix a couple of typos that I noticed.

The output is now like so:
A domain member (Showing all available info, excluding workgroup of course):
|   OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 (Windows
Server (R) 2008 Standard 6.0)
|   Computer name: Sql2008
|   Domain name: lab.test.local
|   Forest name: test.local
|   FQDN: Sql2008.lab.test.local
|   NetBIOS computer name: SQL2008
|   NetBIOS domain name: LAB
|_  System time: 2011-04-20 15:11:20 UTC-5

A standalone system:
|   OS: Windows Server 2003 3790 Service Pack 2 (Windows Server 2003 5.2)
|   Computer name: win2003-server
|   NetBIOS computer name: WIN2003-SERVER
|   Workgroup: WORKGROUP
|_  System time: 2011-04-20 15:10:19 UTC-5

A domain controller (for some reason, the DC of the child domain doesn't
return the forest name, although members of the child domain do, and the
forest DC does):
|   OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 (Windows
Server (R) 2008 Standard 6.0)
|   Computer name: Lab-DC
|   Domain name: lab.test.local
|   FQDN: Lab-DC.lab.test.local
|   NetBIOS computer name: LAB-DC
|   NetBIOS domain name: LAB
|_  System time: 2011-04-20 15:10:38 UTC-7

A Windows 7 host (my Windows 7 systems return STATUS_NOT_SUPPORTED to
SMB_COM_SESSION_SETUP_ANDXs with extended security, so the additional info
isn't available):
|   OS: Windows 7 Ultimate 7601 Service Pack 1 (Windows 7 Ultimate 6.1)
|   NetBIOS computer name: WIN7TEST
|   Workgroup: WORKGROUP
|_  System time: 2011-04-20 15:10:18 UTC-5


I think this adds some useful information to the script results. I hope I
haven't stepped on any toes. Please test out the changes and let me know
what you think.

Thanks
-chris


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
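As an added illustration of what the proposed get_host_info_from_security_blob() has to do, here is a small Python parser (not Chris's patch and not the Nmap project's Lua code) that locates the NTLMSSP CHALLENGE message inside a security blob and walks its TargetInfo AV_PAIR list, which is where the NetBIOS and DNS names the patch reports are carried. The message bytes are constructed in the block itself from the CHALLENGE_MESSAGE layout in MS-NLMP; the leading bytes standing in for the SPNEGO wrapper are a placeholder, and splitting the DNS computer name into a short name and an FQDN is my own choice, not necessarily how the script does it.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
CHALLENGE_MESSAGE = 2

# AvId values for the AV_PAIR list (MS-NLMP 2.2.2.1)
AV_EOL = 0
AV_NB_COMPUTER_NAME = 1
AV_NB_DOMAIN_NAME = 2
AV_DNS_COMPUTER_NAME = 3
AV_DNS_DOMAIN_NAME = 4
AV_DNS_TREE_NAME = 5

AV_FIELD_NAMES = {
    AV_NB_COMPUTER_NAME: "netbios_computer_name",
    AV_NB_DOMAIN_NAME: "netbios_domain_name",
    AV_DNS_COMPUTER_NAME: "dns_computer_name",
    AV_DNS_DOMAIN_NAME: "dns_domain_name",
    AV_DNS_TREE_NAME: "dns_tree_name",   # the forest name
}


def parse_av_pairs(data, offset, length):
    """Walk the AV_PAIR list in TargetInfo; return the string-valued entries as a dict."""
    info = {}
    pos, end = offset, offset + length
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", data, pos)
        pos += 4
        if av_id == AV_EOL:
            break
        if pos + av_len > end:
            raise ValueError("AV_PAIR value runs past the end of TargetInfo")
        value = data[pos:pos + av_len]
        pos += av_len
        name = AV_FIELD_NAMES.get(av_id)
        if name is not None:
            info[name] = value.decode("utf-16-le")  # names are UTF-16LE
    return info


def get_host_info_from_security_blob(blob):
    """Find the NTLMSSP CHALLENGE inside a security blob and pull the TargetInfo names.

    Returns None when the blob carries no CHALLENGE message (e.g. a NEGOTIATE,
    or a server that declined extended security), mirroring the nil the
    NSE script has to handle.
    """
    start = blob.find(NTLMSSP_SIGNATURE)
    if start < 0:
        return None
    msg = blob[start:]
    if len(msg) < 48:                      # fixed part ends after TargetInfoFields
        return None
    if struct.unpack_from("<I", msg, 8)[0] != CHALLENGE_MESSAGE:
        return None
    ti_len, _ti_maxlen, ti_offset = struct.unpack_from("<HHI", msg, 40)
    if ti_len == 0 or ti_offset + ti_len > len(msg):
        return None
    info = parse_av_pairs(msg, ti_offset, ti_len)
    dns_computer = info.get("dns_computer_name")
    if dns_computer:
        # Assumption of this example: the DNS computer name is the FQDN and the
        # short host name is its first label.
        info["fqdn"] = dns_computer
        info["computer_name"] = dns_computer.split(".", 1)[0]
    return info


def _av_pair(av_id, text):
    value = text.encode("utf-16-le")
    return struct.pack("<HH", av_id, len(value)) + value


def build_sample_challenge():
    """Construct a CHALLENGE_MESSAGE with a TargetInfo list (sample data, not a capture)."""
    target_name = "LAB".encode("utf-16-le")
    target_info = b"".join([
        _av_pair(AV_NB_DOMAIN_NAME, "LAB"),
        _av_pair(AV_NB_COMPUTER_NAME, "SQL2008"),
        _av_pair(AV_DNS_DOMAIN_NAME, "lab.test.local"),
        _av_pair(AV_DNS_COMPUTER_NAME, "Sql2008.lab.test.local"),
        _av_pair(AV_DNS_TREE_NAME, "test.local"),
        struct.pack("<HH", AV_EOL, 0),
    ])
    tn_offset = 48                          # payload starts right after the fixed part
    ti_offset = tn_offset + len(target_name)
    header = NTLMSSP_SIGNATURE
    header += struct.pack("<I", CHALLENGE_MESSAGE)
    header += struct.pack("<HHI", len(target_name), len(target_name), tn_offset)
    header += struct.pack("<I", 0x00800001)  # NEGOTIATE_TARGET_INFO | NEGOTIATE_UNICODE
    header += b"\x11" * 8                    # ServerChallenge (constructed, not random)
    header += b"\x00" * 8                    # Reserved
    header += struct.pack("<HHI", len(target_info), len(target_info), ti_offset)
    return header + target_name + target_info


# Placeholder bytes stand in for the SPNEGO wrapper that precedes the token on the wire.
SAMPLE_BLOB = b"\xa1\x81\x00" + build_sample_challenge()

if __name__ == "__main__":
    for key, value in sorted(get_host_info_from_security_blob(SAMPLE_BLOB).items()):
        print(f"{key}: {value}")
```

Searching for the signature rather than decoding the SPNEGO wrapper is a shortcut that keeps the example short; a production parser would walk the GSS-API/SPNEGO structure and would also bound the AV_PAIR loop against untrusted lengths exactly as done here, since every offset and length in the message comes from the remote host.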

