Re: [NSE] SMB authentication patch

[Ron <ron () skullsecurity net>]

David Fifield wrote:
> On Fri, Oct 10, 2008 at 10:31:23AM -0500, Ron wrote:
>
> With that little change it works great:

Excellent!

> Host script results:
> |  NBSTAT: NetBIOS name: MAC-MINI, NetBIOS user: <unknown>, NetBIOS MAC: 00:16:cb:ae:d4:ac
> |  Name: MAC-MINI<00>         Flags: <unique><active>
> |  Name: MSHOME<00>           Flags: <group><active>
> |  Name: MAC-MINI<20>         Flags: <unique><active>
> |  Name: MSHOME<1e>           Flags: <group><active>
> |  Name: MSHOME<1d>           Flags: <unique><active>
> |  Name: \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
> |_ Statistics: 00 16 cb ae d4 ac 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
> 00 00 00 00 00 00 00 00 00 00 00 00
> |  OS from SMB: Windows XP
> |  LAN Manager: Windows 2000 LAN Manager
> |  Name: MSHOME\MAC-MINI
> |_ System time: 2008-10-10 14:28:20 UTC-6
> |  SMB Security: User-level authentication
> |  SMB Security: Challenge/response passwords supported
> |_ SMB Security: Message signing not supported
> |_ MSRPC: List of domains: ERROR: STATUS_ACCESS_DENIED (samr.opendomain)
> |  MSRPC: List of user accounts:
> |  Enum via SAMR error: STATUS_ACCESS_DENIED (samr.opendomain)
> |  ,\xE0J\xC0V
> |    |_ Domain: MAC-MINI
> |    |_ RID: 1010
> |  Administrator
> |    |_ Domain: MAC-MINI
> |    |_ RID: 500
> |  Guest
> |    |_ Domain: MAC-MINI
> |    |_ RID: 501
> |  HelpAssistant
> |    |_ Domain: MAC-MINI
> |    |_ RID: 1000
> |  HelpServicesGroup
> |    |_ Domain: MAC-MINI
> |    |_ RID: 1002
> |  jrandom
> |    |_ Domain: MAC-MINI
> |    |_ RID: 1019
> |  Kurt G\xF6del
> |    |_ Domain: MAC-MINI
> |    |_ RID: 1018
> |  SUPPORT_388945a0
> |    |_ Domain: MAC-MINI
> |_   |_ RID: 1003
> |  MSRPC: NetShareEnumAll():
> |  Anonymous shares: IPC$
> |_ Restricted shares: print$, SharedDocs, My Pictures, ADMIN$, C$, Printer
>
> How wonderful that Windows is willing to reveal all this information! I
> should mention that the output is a lot shorter without -d3.
>
> How come I don't see my main "david" account? Is it because it's the
> same as the Administrator account? It was the account I set up the
> computer with.
Well, I see a couple odd things:
- You were able to enum accounts through LSA but not through SAMR. LSA 
is a bruteforce type lookup, so it can miss accounts. I'm guessing it's 
a permissions thing, try assigning the user to the administrators group 
and see if you get better information.
- The first account, with RID 1010, seems to have the username 
",\xE0J\xC0V". I'm not sure if it's supposed to be obfuscated or if I 
ended up in the wrong field, but it would be useful if you could send me 
a pcap. RID 1018 is also odd, "Kurt G\xF6del" -- is the username in 
unicode or is it being read incorrectly?

You are also missing the 'domains' section, which is also pulled from 
SAMR. I'm going to take a guess and say that you require administrative 
privileges to access SAMR.

> It's hard to give a blank password. Just using
>         --script-args smbusername=user
> doesn't work, using
>         --script-args smbusername=user,smbpassword=
> doesn't work ("Error parsing --script-args"). I had to use
>         --script-args smbusername=user,smbpassword=\'\'
Ah, my bad. I intended not adding a password field to be a blank 
password, but I think when I changed from smbpassword to smbhash, I 
broke that. This is related to the bug filling out the username 
incorrectly, too, neither should generate an error.

> David Fifield


Thanks for the feedback, it's good to know that it's (mostly) working 
for somebody else!

Ron

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org