smbauth discards smbdomain if domain is returned in NTLM challenge #1544

Closed
aph3rson opened this Issue Apr 8, 2019 · 2 comments
aph3rson commented Apr 8, 2019

When using NSE scripts which use smbauth, the smbdomain argument I provide appears to be tossed in favor of the domain provided in the challenge. This is difficult if the machine resides in one domain, but accepts credentials from another domain.

In the below example, 10.11.12.13 is on the ALT domain, but I possess credentials for the CORPORATE domain, which should (?) be accepted by this host.
(Note that username/password/dnsName have been replaced in the example below.)

#> nmap -d -A -sV -p445 --script smb-enum-domains --script-args 'smbusername=[username],smbpassword=[password],smbdomain=CORPORATE' 10.11.12.13

Starting Nmap 7.60 ( https://nmap.org ) at 2019-04-08 12:43 CDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI: smbusername=[username],smbpassword=[password],smbdomain=CORPORATE
NSE: Arguments parsed: smbusername=[username],smbpassword=[password],smbdomain=CORPORATE
NSE: Loaded 43 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 12:43
Completed NSE at 12:43, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 12:43
Completed NSE at 12:43, 0.00s elapsed
Initiating Ping Scan at 12:43
Scanning 10.11.12.13 [2 ports]
Completed Ping Scan at 12:43, 0.04s elapsed (1 total hosts)
Overall sending rates: 54.67 packets / s.
mass_rdns: Using DNS server 10.131.1.76
mass_rdns: Using DNS server 10.131.1.77
Initiating Parallel DNS resolution of 1 host. at 12:43
mass_rdns: 0.04s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 12:43, 0.04s elapsed
DNS resolution of 1 IPs took 0.04s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 12:43
Scanning [dnsName] (10.11.12.13) [1 port]
Discovered open port 445/tcp on 10.11.12.13
Completed Connect Scan at 12:43, 0.04s elapsed (1 total ports)
Overall sending rates: 27.48 packets / s.
Initiating Service scan at 12:43
Scanning 1 service on [dnsName] (10.11.12.13)
Completed Service scan at 12:43, 6.08s elapsed (1 service on 1 host)
NSE: Script scanning 10.11.12.13.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 12:43
NSE: Starting smb-enum-domains against 10.11.12.13.
NSE: [smb-enum-domains 10.11.12.13] SMB: Added account '' to account list
NSE: [smb-enum-domains 10.11.12.13] SMB: Added account 'guest' to account list
NSE: [smb-enum-domains 10.11.12.13] SMB: Added account '[username]' to account list
NSE: [smb-enum-domains 10.11.12.13] LM Password: [hash]
NSE: [smb-enum-domains 10.11.12.13] SMB: Extended login to 10.11.12.13 as ALT\[username] failed (NT_STATUS_LOGON_FAILURE)
NSE: [smb-enum-domains 10.11.12.13] LM Password:
NSE: [smb-enum-domains 10.11.12.13] SMB: Extended login to 10.11.12.13 as ALT\guest failed (NT_STATUS_LOGON_FAILURE)
NSE: [smb-enum-domains 10.11.12.13] LM Password:
NSE: [smb-enum-domains 10.11.12.13] SMB: Extended login to 10.11.12.13 as ALT\<blank> failed (NT_STATUS_ACCESS_DENIED)
NSE: [smb-enum-domains 10.11.12.13] SMB: ERROR: Server disconnected the connection
NSE: Finished smb-enum-domains against 10.11.12.13.
Completed NSE at 12:43, 0.37s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 12:43
Completed NSE at 12:43, 0.00s elapsed
Nmap scan report for [dnsName] (10.11.12.13)
Host is up, received syn-ack (0.036s latency).
Scanned at 2019-04-08 12:43:13 CDT for 6s

PORT    STATE SERVICE      REASON  VERSION
445/tcp open  microsoft-ds syn-ack Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OS: Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-enum-domains:
|_  ERROR: No accounts left to try
Final times for host: srtt: 36335 rttvar: 27299  to: 145531

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 12:43
Completed NSE at 12:43, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 12:43
Completed NSE at 12:43, 0.00s elapsed
Read from /usr/bin/../share/nmap: nmap-payloads nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.93 seconds
dmiller-nmap commented Apr 8, 2019

Thanks for this detailed report! I think there is a problem with precedence or associativity of logical operators in smb.lua. Can you try this patch and see if it solves your problem?

--- a/nselib/smb.lua
+++ b/nselib/smb.lua
@@ -1351,7 +1351,7 @@ local function start_session_extended(smb, log_errors, overrides)
         end
       else
         if ( sp_nego ) then
-          if ( smb['domain'] or smb['server'] and ( not(domain) or #domain == 0 ) ) then
+          if ( (smb['domain'] or smb['server']) and ( not(domain) or #domain == 0 ) ) then
             domain = smb['domain'] or smb['server']
           end
           hash_type = "ntlm"
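Review bot: the parentheses added on the `+` line are load-bearing and deserve a one-line comment above the `if`, since Lua's `and` binds tighter than `or` and the removed line parsed as `smb['domain'] or (smb['server'] and (not(domain) or #domain == 0))`, which entered the branch and ran `domain = smb['domain'] or smb['server']` whenever the challenge supplied a domain, silently overwriting a caller-supplied `domain`. A regression test that passes an explicit `smbdomain` against a host whose NTLM challenge returns a different domain name would pin the intended precedence so the grouping cannot quietly regress.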
aph3rson commented Apr 10, 2019

After applying your patch, it seems to be functioning as expected. Note that, for whatever reason, applying your patch exposed symptoms described in #1255, but that's possibly due to my nmap version. Applying those fixes made everything work great, and the output is what I'm looking for.

Thanks for the quick fix!

@nmap-bot nmap-bot closed this in 0855eb4 Apr 13, 2019
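The precedence problem dmiller-nmap describes can be reproduced outside Nmap. The following is an added illustration, not code from Nmap or from either participant: it models the domain-selection condition from the smb.lua hunk in Python, whose `and`/`or` precedence matches Lua's, and runs the unpatched and patched forms over constructed inputs (the domain names, the hypothetical server name `FILESRV01`, and the function names are all made up here) to show the one case where they disagree: the case from the report, where the challenge names ALT but the caller passed smbdomain=CORPORATE.

```python
"""Model of the domain-selection logic from the smb.lua hunk above.

Added illustration, not Nmap code. Python's `and`/`or` precedence matches
Lua's (`and` binds tighter than `or`), so the two conditions below parse
exactly the way the original and patched Lua lines do.
"""


def choose_domain_buggy(challenge_domain, server_name, user_domain):
    """Condition as written before the patch.

    Parses as: challenge_domain or (server_name and (user_domain is empty)),
    so a domain returned in the NTLM challenge is taken unconditionally,
    even when the caller passed smbdomain explicitly.
    """
    if challenge_domain or server_name and (not user_domain or len(user_domain) == 0):
        return challenge_domain or server_name
    return user_domain


def choose_domain_fixed(challenge_domain, server_name, user_domain):
    """Patched condition: the challenge/server value is only a fallback
    used when the caller supplied no domain at all."""
    if (challenge_domain or server_name) and (not user_domain or len(user_domain) == 0):
        return challenge_domain or server_name
    return user_domain


# Constructed cases mirroring the report (host in ALT, credentials for
# CORPORATE) plus the fallback situations the condition is meant to cover.
# Server name FILESRV01 is a made-up value.
CASES = [
    # (challenge_domain, server_name, user_domain, expected_result)
    ("ALT", "FILESRV01", "CORPORATE", "CORPORATE"),  # explicit smbdomain must win
    ("ALT", "FILESRV01", None, "ALT"),               # no smbdomain: use challenge domain
    ("ALT", "FILESRV01", "", "ALT"),                 # empty smbdomain counts as unset
    (None, "FILESRV01", None, "FILESRV01"),          # no challenge domain: use server name
    (None, "FILESRV01", "CORPORATE", "CORPORATE"),   # unpatched form happens to agree here
    (None, None, "CORPORATE", "CORPORATE"),          # nothing from the server at all
]


def differing_cases():
    """Return the (challenge, server, user) inputs on which the unpatched
    and patched conditions produce different domains."""
    return [c[:3] for c in CASES
            if choose_domain_buggy(*c[:3]) != choose_domain_fixed(*c[:3])]


def fixed_matches_expectations():
    """True when the patched form returns the expected domain for every case."""
    return all(choose_domain_fixed(c, s, u) == e for c, s, u, e in CASES)


if __name__ == "__main__":
    for challenge, server, user, expected in CASES:
        print(f"challenge={challenge!r:12} server={server!r:12} smbdomain={user!r:12} "
              f"unpatched={choose_domain_buggy(challenge, server, user)!r:12} "
              f"patched={choose_domain_fixed(challenge, server, user)!r}")
    print("cases where the two forms disagree:", differing_cases())
```

Only the first row differs: the unpatched condition short-circuits on the truthy challenge domain and overwrites CORPORATE with ALT, which is exactly the `ALT\[username]` login attempt visible in the debug output above, while the patched condition keeps the caller's value and falls back to the challenge or server name only when no smbdomain was given.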
