My SANS Gold Paper: Nmap SMB Scripts

Hey all,

For my SANS GPEN Gold certification (first Gold-certified analyst for GPEN -- go me!) I wrote a paper on my SMB scripts for Nmap. The paper is titled "Scanning Windows Deeper With the Nmap Scanning Engine". I started writing it a few months ago, and collaborated with Fyodor in the early stages. Hopefully it's a useful guide!

I talk a bit about the theory and protocols behind the scripts, then dive into a few of the more interesting ones and talk about how they work and how they can be used.

Let me know what you think!

12 thoughts on “My SANS Gold Paper: Nmap SMB Scripts”

  1. Andrew

    Congratulations!

    Time to update that resume ;)

  2. Zack

    I read it yesterday and it's awesome. It's very nice and informative. Anybody should test it.

  3. Ne0

    Hi Ron, how are you? Hearty congrats for your certification. I am really a fan of your scripts and commands, and have told many of my friends about this website... I wanted some info on this, like what's the fee for this particular examination?

  4. Ron (post author)

    Hey,

    Thanks all :)

    As for the price, I don't remember exactly. But it's a series of events:
    * SANS 560 is a course, and is a couple thousand; you don't HAVE to take it, though
    * GIAC Silver you get from taking an exam after the course; it's a few hundred
    * GIAC Gold you get from writing a paper after the exam; it's a couple hundred

    Hope that helps!

  5. Zack

    Hi Ron,

    I have a problem running those scripts in a non-domain environment. For example, smb-brute.nse is asking for a valid DNS server. Is there a way that these scripts will run in either a workgroup or a domain environment? Some of the scripts, like smb-enum-shares with arguments, also display the DNS error.

    Result on the brute script
    nmap --script smb-brute.nse -p445 192.168.41.2

    Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-06-30 10:43 CST
    mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
    Interesting ports on 192.168.41.2:
    PORT STATE SERVICE
    445/tcp open microsoft-ds

    Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds

  6. Zack

    Hi Ron,

    This is a continuation of my inquiry; now some scripts, like smb-enum-users, have no output:
    Nmap 4.85BETA10 ( http://nmap.org ) at 2009-06-30 11:31 PHT
    Interesting ports on 159.215.191.19:
    PORT STATE SERVICE
    445/tcp open microsoft-ds
    MAC Address: ----- (Dell)

    Is there something wrong with this version? I'm using it in a domain environment.

  7. Zack

    Hi Ron,

    I introduced -d (debugging) in all the scripts I have a problem with, and this is the result. Currently checking for a solution.

    Host script results:
    | smb-enum-users:
    | ERROR: Couldn't enumerate through LSA: NT_STATUS_ACCESS_DENIED (lsa.openpolicy2)
    |_ ERROR: Couldn't enumerate through SAMR: NT_STATUS_ACCESS_DENIED (samr.connect4)
    Final times for host: srtt: 373 rttvar: 3774 to: 100000

    Note: Can you please delete the IP in the 6th thread.

  8. Zack

    Ron,

    I have supplied a correct local admin account but still I can view all the necessary information

    (test username is a user in the local resources and part of the administrators group)
    nmap -F -d --script smb-enum-shares --script-args smbuser=test,smbpass=test 192.168.41.6

    Result:
    Host script results:
    | smb-enum-shares:
    | ERROR: Couldn't enum all shares, checking for common ones (NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netshareenumall))
    | Anonymous shares:
    | IPC$
    | TEST$
    | Restricted shares:
    | ADMIN$

    Also tried using a domain account:
    smbuser=contoso\admin,smbpass=admin1234
    but not enough information.

    Also did smbuser=admin,smbpass=admin1234
    but no luck.

    I'm hoping you can clear the confusion.

    1. Ron (post author)

      Hey Zack,

      You're getting an access denied error, which means that the account you're using doesn't have the required access to make the requests.

      I'm going to guess you're using Windows XP. Under Windows XP, all accounts are by default treated as 'guest'. To disable this (annoying) behaviour, open up
      * Control Panel
      -> Administrative tools
      -> Local security policy
      -> Local policies
      -> Security options
      -> Network access: Sharing and security model for local accounts

      Change the option from "Guest only" to "Classic"

      Then try again, you should have access.

      *edit* Incidentally, to use a domain account, give smbuser=username,smbdomain=domain,smbpass=password -- it doesn't understand the 'username\domain' syntax.

      Ron
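The thread above shows two things a reader may want to automate: telling a genuine "access denied" result (the Windows XP "Guest only" behaviour Ron describes) apart from a normal share listing, and writing the domain credentials in the form the scripts actually accept (smbuser=, smbdomain=, smbpass=, not DOMAIN\user). The following is an added example, not Ron's code and not part of Nmap or its NSE scripts. It parses the "Host script results" block exactly as printed in the posts above (the sample is constructed from Zack's pasted output), pulls out the NT_STATUS codes and the failing RPC call named in parentheses, and builds the --script-args string. The function names and the heuristic that a script name contains no spaces while a section header such as "Anonymous shares:" does are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the smb-enum-shares block Zack posted, followed by the
# smb-enum-users errors from his other post, in Nmap's "| ... |_" output layout.
SAMPLE_OUTPUT = """\
Host script results:
| smb-enum-shares:
| ERROR: Couldn't enum all shares, checking for common ones (NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netshareenumall))
| Anonymous shares:
| IPC$
| TEST$
| Restricted shares:
| ADMIN$
| smb-enum-users:
| ERROR: Couldn't enumerate through LSA: NT_STATUS_ACCESS_DENIED (lsa.openpolicy2)
|_ ERROR: Couldn't enumerate through SAMR: NT_STATUS_ACCESS_DENIED (samr.connect4)
"""

# Matches "NT_STATUS_xxx (module.call)" as the SMB scripts print their errors.
ERROR_RE = re.compile(r"ERROR: .*?(NT_STATUS_[A-Z_]+) \(([\w.]+)\)")


@dataclass
class ScriptResult:
    name: str
    errors: list = field(default_factory=list)    # [(NT_STATUS code, failing call)]
    sections: dict = field(default_factory=dict)  # {"Anonymous shares": ["IPC$", ...]}


def parse_host_script_results(text):
    """Parse Nmap's 'Host script results' block into one ScriptResult per script."""
    results, current, section = {}, None, None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue                          # "Host script results:" and anything else
        line = raw.lstrip("|_ ").strip()      # drop the "| " / "|_ " tree prefix
        if not line:
            continue
        # Heuristic (assumption for this example): a script name has no spaces,
        # a section header such as "Anonymous shares:" does.
        if line.endswith(":") and " " not in line:
            current = ScriptResult(name=line[:-1])
            results[current.name] = current
            section = None
            continue
        if current is None:
            continue
        m = ERROR_RE.search(line)
        if m:
            current.errors.append((m.group(1), m.group(2)))
            continue
        if line.endswith(":"):
            section = line[:-1]
            current.sections[section] = []
            continue
        if section is not None:
            current.sections[section].append(line)
    return results


def denied_calls(results):
    """(script, RPC call) pairs that failed with an access-denied status: the
    signature of the account being mapped to guest, as discussed in the thread."""
    return [(name, call)
            for name, r in results.items()
            for code, call in r.errors
            if "ACCESS_DENIED" in code]


def smb_script_args(user, password, domain=None):
    """Build --script-args for the SMB scripts. Per Ron's note, the scripts take
    smbdomain= separately and do not understand 'DOMAIN\\user', so split that form."""
    if domain is None and "\\" in user:
        domain, user = user.split("\\", 1)
    parts = [f"smbuser={user}", f"smbpass={password}"]
    if domain:
        parts.insert(1, f"smbdomain={domain}")
    return ",".join(parts)


if __name__ == "__main__":
    parsed = parse_host_script_results(SAMPLE_OUTPUT)
    for script, call in denied_calls(parsed):
        print(f"{script}: access denied in {call}")
    print(parsed["smb-enum-shares"].sections)
    print(smb_script_args("contoso\\admin", "admin1234"))
```

With the sample above, denied_calls reports srvsvc.netshareenumall for smb-enum-shares and lsa.openpolicy2 plus samr.connect4 for smb-enum-users, while the share sections still show IPC$ and TEST$ as anonymous and ADMIN$ as restricted, which is exactly the partial result Zack saw; the same parser works on any host's "Host script results" block, not only this one.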

  9. Zack

    Hello Ron,

    Sorry for the lack of information; I'm using Ubuntu 9.x and targeting XP boxes.

    The same error even if using the domain format.

    This is the result of enum-users
    Host script results:
    | smb-enum-users:
    | ERROR: Couldn't enumerate through LSA: NT_STATUS_ACCESS_DENIED (lsa.openpolicy2)
    |_ ERROR: Couldn't enumerate through SAMR: NT_STATUS_ACCESS_DENIED (samr.connect4)

    Is there something wrong with my installation in Ubuntu?

    1. Ron (post author)

      Hey Zack,

      It sounds like the Nmap portion is working correctly, but the default configuration of Windows XP is what's tripping you up. Read the part in my last reply about changing the behaviour of accounts on Windows.

  10. John

    Okay, thank you.
