
Regression smb_enum_users and shares on Nmap V 7.80 #1707

Closed
roumy opened this issue Aug 23, 2019 · 9 comments

Comments

@roumy

commented Aug 23, 2019

Hello there
I detected a regression in smb-enum-shares and smb-enum-users with the Nmap V7.80 version.
It works correctly on V7.70.

May be linked with #1706

Starting Nmap 7.80 ( https://nmap.org ) at 2019-08-23 09:30 UTC
Warning: File ./nmap-services exists, but Nmap is using /usr/bin/../share/nmap/nmap-services for security and consistency reasons.  set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI:
NSE: Loaded 1 scripts for scanning.

.....
/usr/bin/../share/nmap/nselib/smb.lua:1030: bad argument #2 to 'unpack' (data string too short)
stack traceback:
        [C]: in function 'string.unpack'
        /usr/bin/../share/nmap/nselib/smb.lua:1030: in function 'smb.negotiate_v1'
        /usr/bin/../share/nmap/nselib/smb.lua:1074: in function 'smb.negotiate_protocol'
        /usr/bin/../share/nmap/nselib/smb.lua:372: in function 'smb.start_ex'
        (...tail calls...)
        /usr/bin/../share/nmap/nselib/msrpc.lua:4926: in function 'msrpc.enum_shares'
        /usr/bin/../share/nmap/nselib/smb.lua:3194: in function 'smb.share_get_list'
        /usr/bin/../share/nmap/scripts/smb-enum-shares.nse:110: in function </usr/bin/../share/nmap/scripts/smb-enum-shares.nse:105>
        (...tail calls...)
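
The error above comes from `string.unpack` in `smb.negotiate_v1` being handed a NEGOTIATE response shorter than the fixed layout it expects. The Python below is an added example, not code from Nmap's `smb.lua`: it parses the SMBv1 NEGOTIATE response layout (32-byte header, WordCount, parameter words, ByteCount, data bytes) with an explicit length check before every unpack, so a short reply surfaces as a clean error instead of a thrown exception. It also handles the protocol's own short form, a WordCount of 1 with DialectIndex 0xFFFF, which MS-CIFS specifies when the server accepts none of the offered dialects. The function and constant names are my own, and the three sample packets are constructed, not captured from the host in this report.

```python
"""Defensive parser for an SMBv1 (CIFS) NEGOTIATE response.

Added example, not Nmap's smb.lua. Sample packets are constructed, not captured.
"""
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SMB_HEADER_LEN = 32
NT_LM_012_WORDS = 17      # NT LM 0.12 negotiate response carries 17 parameter words
NO_DIALECT = 0xFFFF       # MS-CIFS: server accepted none of the offered dialects


class SmbParseError(Exception):
    """Server returned less data than the layout requires (or not SMB at all)."""


def _need(data: bytes, pos: int, n: int, what: str) -> None:
    """Fail early and explicitly instead of letting struct.unpack_from raise."""
    if len(data) - pos < n:
        raise SmbParseError(
            f"need {n} byte(s) for {what} at offset {pos}, only {len(data) - pos} left")


def parse_negotiate_response(data: bytes) -> dict:
    _need(data, 0, SMB_HEADER_LEN, "SMB header")
    magic, command, status = struct.unpack_from("<4sBI", data, 0)
    if magic != SMB_MAGIC:
        raise SmbParseError("not an SMBv1 packet")
    if command != SMB_COM_NEGOTIATE:
        raise SmbParseError(f"unexpected command 0x{command:02x}")

    pos = SMB_HEADER_LEN
    _need(data, pos, 1, "WordCount")
    word_count = data[pos]
    pos += 1
    _need(data, pos, 2 * word_count, "parameter words")
    words = data[pos:pos + 2 * word_count]
    pos += 2 * word_count
    _need(data, pos, 2, "ByteCount")
    byte_count = struct.unpack_from("<H", data, pos)[0]
    pos += 2
    _need(data, pos, byte_count, "data bytes")
    payload = data[pos:pos + byte_count]

    result = {"status": status, "word_count": word_count, "byte_count": byte_count}
    if word_count == 0:
        # Error response: the NT status carries the reason, nothing else to parse.
        return result
    if word_count == 1:
        # Legal short form: only DialectIndex, normally 0xFFFF (no dialect accepted).
        result["dialect_index"] = struct.unpack_from("<H", words, 0)[0]
        return result
    if word_count != NT_LM_012_WORDS:
        raise SmbParseError(f"unsupported WordCount {word_count}")

    (result["dialect_index"], result["security_mode"], result["max_mpx_count"],
     result["max_number_vcs"], result["max_buffer_size"], result["max_raw_size"],
     result["session_key"], result["capabilities"], result["system_time"],
     result["server_time_zone"], challenge_length) = struct.unpack("<HBHHIIIIqhB", words)

    _need(payload, 0, challenge_length, "EncryptionKey (challenge)")
    result["challenge"] = payload[:challenge_length]
    result["domain_name"] = payload[challenge_length:]   # raw, usually UTF-16LE
    return result


def _smb_header(status: int = 0) -> bytes:
    # Constructed header: reply flags 0x88, Flags2 0xC001 (Unicode, NT status, long names).
    return struct.pack("<4sBIBHH8sHHHHH", SMB_MAGIC, SMB_COM_NEGOTIATE, status,
                       0x88, 0xC001, 0, b"\0" * 8, 0, 0, 0, 0, 0)


# Constructed: a normal NT LM 0.12 reply, dialect 0, 8-byte challenge, domain "WORKGROUP".
CHALLENGE = bytes(range(1, 9))
DOMAIN = "WORKGROUP\0".encode("utf-16-le")
FULL_RESPONSE = (_smb_header()
                 + bytes([NT_LM_012_WORDS])
                 + struct.pack("<HBHHIIIIqhB", 0, 0x03, 50, 1, 16644, 65536, 0,
                               0x8000E3FD, 0, 0, len(CHALLENGE))
                 + struct.pack("<H", len(CHALLENGE) + len(DOMAIN))
                 + CHALLENGE + DOMAIN)

# Constructed: the protocol's own short form, WordCount 1 and DialectIndex 0xFFFF.
NO_DIALECT_RESPONSE = (_smb_header() + b"\x01" + struct.pack("<H", NO_DIALECT)
                       + struct.pack("<H", 0))

# Constructed: a reply cut off in the middle of the parameter words.
TRUNCATED_RESPONSE = FULL_RESPONSE[:40]


def classify(data: bytes) -> str:
    """Return a practitioner-facing verdict rather than a stack trace."""
    try:
        r = parse_negotiate_response(data)
    except SmbParseError as e:
        return f"short/invalid negotiate response: {e}"
    if r.get("dialect_index") == NO_DIALECT:
        return "server refused every SMBv1 dialect offered"
    return f"SMBv1 negotiated, dialect index {r['dialect_index']}"
```

The point of `_need` is that every unpack is preceded by a check against the bytes actually received, which is the class of guard a script needs so that a server that refuses SMBv1, or simply sends less than a full NT LM 0.12 reply, produces a reportable result rather than aborting the whole script.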


@cnotin

commented Aug 26, 2019

Related to: #1476 (same error, same line)
Could you try with the proposed patch please?

@roumy
Author

commented Sep 2, 2019

Hi Clement,
thanks for your feedback!
I've tried your patch with both smb-enum-users and smb-enum-shares.
Results were surprising.

The smb-enum-shares script works correctly; in fact it works better than with V7.70 or V7.40, which I have also tried, because it gets some results whereas V7.70 gives me the following messages:

NSE: [smb-enum-shares 172.28.0.2] Couldn't negotiate a SMBv1 connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [12]
NSE: [smb-enum-shares 172.28.0.2] SMB: Enumerating shares failed, guessing at common ones (Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [12])

The thing is that the smb-enum-users script is still not working; here is the error message:

v7.70 patch2
NSE: smb-enum-users against vuln_target (172.28.0.2) threw an error!
/tmp/nmap-patch-2/nselib/msrpctypes.lua:847: attempt to perform arithmetic on a nil value (local 'pos')
stack traceback:
        /tmp/nmap-patch-2/nselib/msrpctypes.lua:847: in function 'msrpctypes.unmarshall_int32'
        /tmp/nmap-patch-2/nselib/msrpc.lua:1418: in function 'msrpc.samr_enumdomains'
        /tmp/nmap-patch-2/nselib/msrpc.lua:3816: in function 'msrpc.samr_enum_users'
        /tmp/nmap-patch-2/scripts/smb-enum-users.nse:171: in function </tmp/nmap-patch-2/scripts/smb-enum-users.nse:154>
        (...tail calls...)

@cnotin

commented Sep 2, 2019

"Merci" @roumy for your feedback ;)

I'm glad to know that the patch fixes the issues you had in smb.lua!

About smb-enum-users, according to the stacktrace, the error seems to be in msrpctypes.lua. I suppose that it's a different issue and unfortunately I don't have anything to suggest here...

@nnposter

commented Sep 3, 2019

Regarding the latest error about nil arithmetic, this has been hopefully fixed in commit e5c4f48, as a partial fix for #1720.

At this point I would recommend to refresh both msrpc.lua and msrpctypes.lua from the master branch before further troubleshooting. See commits e5c4f48, be40965, 729260e, and ef2825b for details.

@roumy
Author

commented Sep 3, 2019

Thanks @nnposter,
we are making progress!! The status is now as follows:
with commit ef2825b
smb-enum-users is working whereas smb-enum-shares is still KO:

NSE: smb-enum-shares against vuln_target (172.18.0.2) threw an error!
/tmp/nmap-master/nselib/smb.lua:1030: bad argument #2 to 'unpack' (data string too short)
stack traceback:
        [C]: in function 'string.unpack'
        /tmp/nmap-master/nselib/smb.lua:1030: in function 'smb.negotiate_v1'
        /tmp/nmap-master/nselib/smb.lua:1074: in function 'smb.negotiate_protocol'
        /tmp/nmap-master/nselib/smb.lua:372: in function 'smb.start_ex'
        (...tail calls...)
        /tmp/nmap-master/nselib/msrpc.lua:4927: in function 'msrpc.enum_shares'
        /tmp/nmap-master/nselib/smb.lua:3194: in function 'smb.share_get_list'
        /tmp/nmap-master/scripts/smb-enum-shares.nse:110: in function </tmp/nmap-master/scripts/smb-enum-shares.nse:105>

Maybe the @cnotin patch for #1476 will fix both problems.

@cnotin

commented Sep 3, 2019

Yes please try with all of them 😉

@roumy
Author

commented Sep 3, 2019

OK,
I manually merged master...cnotin:patch-2 with ef2825b.

Both scripts worked well!
Now waiting for #1476.
Thanks for your combined jobs, guys.

@cnotin

commented Sep 3, 2019

Good to hear!
Thanks for your help in testing these :)

@nnposter

commented Sep 8, 2019

A fix for this issue has been committed as r37733. Please report back if it does not work for you.

@nnposter nnposter self-assigned this Sep 8, 2019

@nnposter nnposter added bug NSE labels Sep 8, 2019

@nmap-bot nmap-bot closed this in c491143 Sep 8, 2019
