Hey all,
For my SANS GPEN Gold certification (first Gold-certified analyst for GPEN -- go me!) I wrote a paper on my SMB scripts for Nmap. The paper is titled "Scanning Windows Deeper With the Nmap Scanning Engine". I started writing it a few months ago, and collaborated with Fyodor in the early stages. Hopefully it's a useful guide!
I talk a bit about the theory and protocols behind the scripts, then dive into a few of the more interesting ones and talk about how they work and how they can be used.
Let me know what you think!
Congratulations!
Time to update that resume ;)
I read it yesterday and it's awesome. It's very nice and informative. Anybody should test it.
Hi Ron, how are you? Hearty congrats on your certification. I am really a fan of your scripts and commands, and have told many of my friends about this website... I wanted some info on this, like what's the fee for this particular examination?
Hey,
Thanks all :)
As for the price, I don't remember exactly. But it's a series of events:
* SANS 560 is a course, and is a couple thousand; you don't HAVE to take it, though
* GIAC Silver you get from taking an exam after the course; it's a few hundred
* GIAC Gold you get from writing a paper after the exam; it's a couple hundred
Hope that helps!
Hi Ron,
I have a problem running those scripts in a non-domain environment. For example, smb-brute.nse is asking for a valid DNS server. Is there a way that these scripts will run in either a workgroup or a domain environment? Some of the scripts also, like smb-enum-shares with arguments, display the DNS error.
Result on the brute script
nmap --script smb-brute.nse -p445 192.168.41.2
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-06-30 10:43 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Interesting ports on 192.168.41.2:
PORT STATE SERVICE
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds
Hi Ron,
This is continuation with my inquiry, now some scripts like smb-enum-users has no output:
Nmap 4.85BETA10 ( http://nmap.org ) at 2009-06-30 11:31 PHT
Interesting ports on 159.215.191.19:
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: ----- (Dell)
Is there something wrong with this version? I'm using it in a domain environment.
Hi Ron,
I added -d (debugging) to all the scripts I have a problem with, and this is the result. Currently checking for a solution.
Host script results:
| smb-enum-users:
| ERROR: Couldn't enumerate through LSA: NT_STATUS_ACCESS_DENIED (lsa.openpolicy2)
|_ ERROR: Couldn't enumerate through SAMR: NT_STATUS_ACCESS_DENIED (samr.connect4)
Final times for host: srtt: 373 rttvar: 3774 to: 100000
Note: Can you please delete the IP in the 6th thread.
Ron,
I have supplied a correct local admin account but still I can view all the necessary information
(test username is a user in the local resources and part of the administrators group)
nmap -F -d --script smb-enum-shares --script-args smbuser=test,smbpass=test 192.168.41.6
Result:
Host script results:
| smb-enum-shares:
| ERROR: Couldn't enum all shares, checking for common ones (NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netshareenumall))
| Anonymous shares:
| IPC$
| TEST$
| Restricted shares:
| ADMIN$
also tried using a domain account
smbuser=contoso\admin,smbpass=admin1234
but not enough information
also did smbuser=admin,smbpass=admin1234
but no luck
I'm hoping you can clear up the confusion.
Hey Zack,
You're getting an access denied error, which means that the account you're using doesn't have the required access to make the requests.
I'm going to guess you're using Windows XP. Under Windows XP, all accounts are by default treated as 'guest'. To disable this (annoying) behaviour, open up
* Control Panel
-> Administrative tools
-> Local security policy
-> Local policies
-> Security options
-> Network access: Sharing and security model for local accounts
Change the option from "Guest only" to "Classic"
Then try again, you should have access.
*edit* Incidentally, to use a domain account, give smbuser=username,smbdomain=domain,smbpass=password -- it doesn't understand the 'username\domain' syntax.
Ron
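When a scan like the one above covers more than a handful of hosts, it helps to triage the "Host script results" text automatically rather than reading each block by eye, and to build the --script-args value so that a DOMAIN\user login is passed as smbdomain= plus smbuser= instead of the backslash form Ron says the scripts don't parse. The following Python is an added example written for this thread; it is not Ron's code and not part of Nmap. It assumes only the output layout shown in the comments above (a "| script-name:" header followed by "| ERROR: ... NT_STATUS_xxx (rpc.call)" lines or result lines), and the sample block it parses is constructed from those comments.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape Nmap printed in this thread (not a real capture).
SAMPLE_OUTPUT = """\
Host script results:
| smb-enum-users:
| ERROR: Couldn't enumerate through LSA: NT_STATUS_ACCESS_DENIED (lsa.openpolicy2)
|_ ERROR: Couldn't enumerate through SAMR: NT_STATUS_ACCESS_DENIED (samr.connect4)
| smb-enum-shares:
| ERROR: Couldn't enum all shares, checking for common ones (NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netshareenumall))
| Anonymous shares:
|   IPC$
|   TEST$
| Restricted shares:
|_  ADMIN$
Final times for host: srtt: 373 rttvar: 3774 to: 100000
"""

# "| smb-enum-users:" style header: a single token followed by a colon and nothing else.
SCRIPT_RE = re.compile(r"^\|_?\s*(?P<name>[\w-]+):\s*$")
# NSE SMB error line: status code followed by the RPC call that failed, in parentheses.
ERROR_RE = re.compile(r"ERROR: (?P<msg>.*?)(?P<status>NT_STATUS_[A-Z_]+)\s*\((?P<call>[\w.]+)\)")


@dataclass
class ScriptResult:
    name: str
    lines: list = field(default_factory=list)   # ordinary result lines, "|" stripped
    errors: list = field(default_factory=list)  # (status, rpc_call) pairs


def parse_host_script_results(text):
    """Return {script_name: ScriptResult} for the 'Host script results:' block."""
    results, current, in_block = {}, None, False
    for raw in text.splitlines():
        if raw.startswith("Host script results:"):
            in_block = True
            continue
        if not in_block:
            continue
        if not raw.startswith("|"):
            in_block = False          # block ends at the first non-"|" line
            continue
        header = SCRIPT_RE.match(raw)
        if header:
            current = ScriptResult(header.group("name"))
            results[current.name] = current
            continue
        if current is None:
            continue
        body = raw.lstrip("|_").strip()
        err = ERROR_RE.search(body)
        if err:
            current.errors.append((err.group("status"), err.group("call")))
        else:
            current.lines.append(body)
    return results


def triage(results):
    """Map each script to a one-line verdict an operator can act on."""
    verdicts = {}
    for name, r in results.items():
        denied = [call for status, call in r.errors if "ACCESS_DENIED" in status]
        if denied and r.lines:
            verdicts[name] = ("partial (access denied on " + ", ".join(denied)
                              + "): only anonymous-visible data returned")
        elif denied:
            verdicts[name] = ("access denied on " + ", ".join(denied)
                              + ": credentials rejected or mapped to guest")
        elif r.errors:
            verdicts[name] = "failed: " + ", ".join(f"{s} ({c})" for s, c in r.errors)
        elif r.lines:
            verdicts[name] = "ok"
        else:
            verdicts[name] = "no output"
    return verdicts


def smb_script_args(user, password):
    """Build a --script-args value; a DOMAIN\\user login is split into smbdomain= and
    smbuser= because the scripts do not parse the backslash form themselves."""
    domain = None
    if "\\" in user:
        domain, user = user.split("\\", 1)
    parts = [f"smbuser={user}", f"smbpass={password}"]
    if domain:
        parts.append(f"smbdomain={domain}")
    return ",".join(parts)


if __name__ == "__main__":
    for script, verdict in triage(parse_host_script_results(SAMPLE_OUTPUT)).items():
        print(f"{script}: {verdict}")
    print("--script-args", smb_script_args("contoso\\admin", "admin1234"))
```

An "access denied" verdict on lsa.openpolicy2 / samr.connect4 with supplied credentials is exactly the symptom Ron describes for an XP host still set to "Guest only"; a "partial" verdict on smb-enum-shares means the anonymous fallback worked but the authenticated enumeration did not, which is the same root cause.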
Hello Ron,
Sorry for the lack of information, I'm using Ubuntu 9.x and targeting XP boxes.
The same error even if using the domain format.
This is the result of enum-users
Host script results:
| smb-enum-users:
| ERROR: Couldn't enumerate through LSA: NT_STATUS_ACCESS_DENIED (lsa.openpolicy2)
|_ ERROR: Couldn't enumerate through SAMR: NT_STATUS_ACCESS_DENIED (samr.connect4)
Is there something wrong with my installation on Ubuntu?
Hey Zack,
It sounds like the Nmap portion is working correctly, but the default configuration of Windows XP is what's tripping you up. Read the part in my last reply about changing the behaviour of accounts on Windows.
okay thank you