Regression smb_enum_users and shares on Nmap V 7.80 #1707

Closed
roumy opened this issue Aug 23, 2019 · 11 comments

@roumy roumy commented Aug 23, 2019

Hello there,
I detected a regression in smb_enum_shares and smb_enum_users with the nmap V7.80 version.
It works correctly on V7.70.

It may be linked with #1706.

Starting Nmap 7.80 ( https://nmap.org ) at 2019-08-23 09:30 UTC
Warning: File ./nmap-services exists, but Nmap is using /usr/bin/../share/nmap/nmap-services for security and consistency reasons.  set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI:
NSE: Loaded 1 scripts for scanning.

.....
/usr/bin/../share/nmap/nselib/smb.lua:1030: bad argument #2 to 'unpack' (data string too short)
stack traceback:
        [C]: in function 'string.unpack'
        /usr/bin/../share/nmap/nselib/smb.lua:1030: in function 'smb.negotiate_v1'
        /usr/bin/../share/nmap/nselib/smb.lua:1074: in function 'smb.negotiate_protocol'
        /usr/bin/../share/nmap/nselib/smb.lua:372: in function 'smb.start_ex'
        (...tail calls...)
        /usr/bin/../share/nmap/nselib/msrpc.lua:4926: in function 'msrpc.enum_shares'
        /usr/bin/../share/nmap/nselib/smb.lua:3194: in function 'smb.share_get_list'
        /usr/bin/../share/nmap/scripts/smb-enum-shares.nse:110: in function </usr/bin/../share/nmap/scripts/smb-enum-shares.nse:105>
        (...tail calls...)

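The traceback above ends in smb.negotiate_v1 calling string.unpack on a NEGOTIATE response that is shorter than the format string expects, so Lua aborts with "data string too short" instead of the script reporting a clean error. The following is an added example written for this page, not code from Nmap or from anyone in this thread: a small Python parser for an SMB1 NT LM 0.12 NEGOTIATE response that checks the remaining length before every unpack and turns a truncated or rejected response into a descriptive error. The field layout follows the SMB1 header and NEGOTIATE response as documented in MS-CIFS; the sample bytes are constructed test data, not a capture, and the naive_parse_words function exists only to reproduce the crash for comparison.

```python
import struct

# SMB1 header (32 bytes): protocol id, command, NT status, flags, flags2,
# pid_high, security features, reserved, tid, pid_low, uid, mid.
SMB1_HEADER_FMT = "<4sBIBHH8sHHHHH"
SMB1_HEADER_LEN = struct.calcsize(SMB1_HEADER_FMT)   # 32
SMB_COM_NEGOTIATE = 0x72

# NT LM 0.12 NEGOTIATE response parameter block (WordCount 17 == 34 bytes):
# DialectIndex, SecurityMode, MaxMpxCount, MaxNumberVcs, MaxBufferSize,
# MaxRawSize, SessionKey, Capabilities, SystemTime, ServerTimeZone, ChallengeLength.
NEG_WORDS_FMT = "<HBHHIIIIqhB"
NEG_WORDS_LEN = struct.calcsize(NEG_WORDS_FMT)       # 34


class SmbParseError(Exception):
    """Response is malformed or shorter than its declared fields require."""


def naive_parse_words(data: bytes) -> tuple:
    """Unpack the parameter block with no length check. On a short response this
    raises struct.error, the analogue of Lua's "bad argument #2 to 'unpack'
    (data string too short)" seen in the traceback."""
    return struct.unpack_from(NEG_WORDS_FMT, data, SMB1_HEADER_LEN + 1)


def _need(data: bytes, pos: int, count: int, what: str) -> None:
    """Raise a descriptive error when fewer than `count` bytes remain at `pos`."""
    if len(data) - pos < count:
        raise SmbParseError(f"{what}: need {count} bytes, got {len(data) - pos}")


def parse_negotiate_response(data: bytes) -> dict:
    """Parse an SMB1 NEGOTIATE response, validating every length before unpacking."""
    _need(data, 0, SMB1_HEADER_LEN, "header")
    proto, command, status = struct.unpack_from("<4sBI", data, 0)
    if proto != b"\xffSMB":
        raise SmbParseError("not an SMB1 message")
    if command != SMB_COM_NEGOTIATE:
        raise SmbParseError(f"unexpected command 0x{command:02x}")
    if status != 0:
        raise SmbParseError(f"server returned NT status 0x{status:08x}")

    pos = SMB1_HEADER_LEN
    _need(data, pos, 1, "WordCount")
    word_count = data[pos]
    pos += 1
    if word_count == 1:
        # No offered dialect was acceptable: the server answers with a single
        # word, DialectIndex 0xFFFF, and nothing useful follows.
        _need(data, pos, 2, "DialectIndex")
        (dialect_index,) = struct.unpack_from("<H", data, pos)
        return {"accepted": False, "dialect_index": dialect_index}
    if word_count != 17:
        raise SmbParseError(f"unexpected WordCount {word_count} for NT LM 0.12")

    _need(data, pos, NEG_WORDS_LEN, "parameters")
    (dialect_index, security_mode, _max_mpx, _max_vcs, max_buffer, _max_raw,
     _session_key, capabilities, _system_time, _tz, challenge_len) = \
        struct.unpack_from(NEG_WORDS_FMT, data, pos)
    pos += NEG_WORDS_LEN

    _need(data, pos, 2, "ByteCount")
    (byte_count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    _need(data, pos, byte_count, "data block")
    if challenge_len > byte_count:
        raise SmbParseError("ChallengeLength exceeds ByteCount")
    challenge = data[pos:pos + challenge_len]
    domain_raw = data[pos + challenge_len:pos + byte_count]
    domain = domain_raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    return {"accepted": True, "dialect_index": dialect_index,
            "security_mode": security_mode, "max_buffer_size": max_buffer,
            "capabilities": capabilities, "challenge": challenge, "domain": domain}


def describe_response(data: bytes) -> str:
    """Verdict string in the spirit of the 7.70 message instead of a traceback."""
    try:
        r = parse_negotiate_response(data)
    except SmbParseError as exc:
        return f"ERROR: server returned less data than it was supposed to ({exc})"
    if not r["accepted"]:
        return "ERROR: server rejected every offered dialect"
    return (f"OK: dialect index {r['dialect_index']}, "
            f"security mode 0x{r['security_mode']:02x}, domain {r['domain']}")


def build_sample_response(reject: bool = False) -> bytes:
    """Construct sample test data (not a capture) for the two response shapes."""
    header = struct.pack(SMB1_HEADER_FMT, b"\xffSMB", SMB_COM_NEGOTIATE, 0, 0x88,
                         0xC001, 0, b"\x00" * 8, 0, 0, 0, 0, 0)
    if reject:
        return header + bytes([1]) + struct.pack("<HH", 0xFFFF, 0)
    challenge = bytes(range(1, 9))
    words = struct.pack(NEG_WORDS_FMT, 0, 0x03, 50, 1, 16644, 65536, 0,
                        0x8001F3FD, 0, -60, len(challenge))
    body = challenge + "WORKGROUP".encode("utf-16-le") + b"\x00\x00"
    return header + bytes([17]) + words + struct.pack("<H", len(body)) + body


if __name__ == "__main__":
    full = build_sample_response()
    print(describe_response(full))
    print(describe_response(full[:40]))                     # cut off mid-parameters
    print(describe_response(build_sample_response(reject=True)))
```

Feeding the 40-byte truncated sample to naive_parse_words raises struct.error, while parse_negotiate_response reports which field was short and how many bytes were missing; the same checks (remaining length against each field, ChallengeLength against ByteCount) are what a server that does not speak SMB1, or that closes the connection early, will trigger.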


@cnotin cnotin commented Aug 26, 2019

Related to: #1476 (same error, same line)
Could you try with the proposed patch please?


@roumy roumy commented Sep 2, 2019

Hi Clement,
thanks for your feedback!
I've tried your patch with both smb-enum-users and smb-enum-shares.
The results were surprising.

The smb-enum-shares script works correctly; in fact it works better than with V7.70 or V7.40, which I have also tried, because it gets some results whereas V7.70 gives me the following messages:

NSE: [smb-enum-shares 172.28.0.2] Couldn't negotiate a SMBv1 connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [12]
NSE: [smb-enum-shares 172.28.0.2] SMB: Enumerating shares failed, guessing at common ones (Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [12])

The thing is that the smb-enum-users script is still not working; here is the error message:

v7.70 patch2
NSE: smb-enum-users against vuln_target (172.28.0.2) threw an error!
/tmp/nmap-patch-2/nselib/msrpctypes.lua:847: attempt to perform arithmetic on a nil value (local 'pos')
stack traceback:
        /tmp/nmap-patch-2/nselib/msrpctypes.lua:847: in function 'msrpctypes.unmarshall_int32'
        /tmp/nmap-patch-2/nselib/msrpc.lua:1418: in function 'msrpc.samr_enumdomains'
        /tmp/nmap-patch-2/nselib/msrpc.lua:3816: in function 'msrpc.samr_enum_users'
        /tmp/nmap-patch-2/scripts/smb-enum-users.nse:171: in function </tmp/nmap-patch-2/scripts/smb-enum-users.nse:154>
        (...tail calls...)


@cnotin cnotin commented Sep 2, 2019

"Merci" @roumy for your feedback ;)

I'm glad to know that the patch fixes the issues you had in smb.lua!

About smb-enum-users, according to the stacktrace, the error seems to be in msrpctypes.lua. I suppose that it's a different issue and unfortunately I don't have anything to suggest here...


@nnposter nnposter commented Sep 3, 2019

Regarding the latest error about nil arithmetic, this has been hopefully fixed in commit e5c4f48, as a partial fix for #1720.

At this point I would recommend to refresh both msrpc.lua and msrpctypes.lua from the master branch before further troubleshooting. See commits e5c4f48, be40965, 729260e, and ef2825b for details.


@roumy roumy commented Sep 3, 2019

Thanks @nnposter,
we are progressing!! The status is now the following:
with commit ef2825b,
smb-enum-users is working whereas smb-enum-shares is still KO:

NSE: smb-enum-shares against vuln_target (172.18.0.2) threw an error!
/tmp/nmap-master/nselib/smb.lua:1030: bad argument #2 to 'unpack' (data string too short)
stack traceback:
        [C]: in function 'string.unpack'
        /tmp/nmap-master/nselib/smb.lua:1030: in function 'smb.negotiate_v1'
        /tmp/nmap-master/nselib/smb.lua:1074: in function 'smb.negotiate_protocol'
        /tmp/nmap-master/nselib/smb.lua:372: in function 'smb.start_ex'
        (...tail calls...)
        /tmp/nmap-master/nselib/msrpc.lua:4927: in function 'msrpc.enum_shares'
        /tmp/nmap-master/nselib/smb.lua:3194: in function 'smb.share_get_list'
        /tmp/nmap-master/scripts/smb-enum-shares.nse:110: in function </tmp/nmap-master/scripts/smb-enum-shares.nse:105>

Maybe the @cnotin patch for #1476 will fix both problems.


@cnotin cnotin commented Sep 3, 2019

Yes please try with all of them 😉


@roumy roumy commented Sep 3, 2019

OK,
I manually merged master...cnotin:patch-2 with ef2825b.

Both scripts worked well!
Now waiting for #1476.
Thanks for your combined work, guys.


@cnotin cnotin commented Sep 3, 2019

Good to hear!
Thanks for your help in testing these :)


@nnposter nnposter commented Sep 8, 2019

A fix for this issue has been committed as r37733. Please report back if it does not work for you.

@nnposter nnposter self-assigned this Sep 8, 2019
@nnposter nnposter added bug NSE labels Sep 8, 2019
@nmap-bot nmap-bot closed this in c491143 Sep 8, 2019

@mattbrun mattbrun commented Mar 19, 2020

Dear all,
I'm still getting the "Couldn't negotiate a SMBv1 connection:SMB: Failed to receive bytes: ERROR" error while trying to use some of the smb-* scripts against a Windows 10 Enterprise 64-bit v1809.

I'm running nmap on an Arch Linux machine, and I tried both the 7.80 version installed with the package manager and the git master branch version.

Considering the git master branch version of nmap:

$ git log --name-status HEAD^..HEAD
commit f83de100b3c6873552228c3f5613628fb6513248 (HEAD -> master, origin/master, origin/HEAD)
Author: dmiller <dmiller@e0a8ed71-7df4-0310-8962-fdc924857419>
Date:   Wed Mar 11 21:24:56 2020 +0000

    Avoid integer overflow in nping elapsedRuntime. Fixes #1961

M       nping/stats.cc
M       nping/stats.h

Running the smb-protocols script works just fine:

$ ./nmap --script scripts/smb-protocols.nse -p445 10.0.1.105
Starting Nmap 7.80SVN ( https://nmap.org ) at 2020-03-19 02:44 CET
Nmap scan report for ########.lan (10.0.1.105)
Host is up (0.0023s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-protocols: 
|   dialects: 
|     2.02
|     2.10
|     3.00
|     3.02
|_    3.11

Nmap done: 1 IP address (1 host up) scanned in 6.28 seconds

Running the default scripts on the port 445 works fine for the smb2- scripts:

$ ./nmap -sC -p445 10.0.1.105
Starting Nmap 7.80SVN ( https://nmap.org ) at 2020-03-19 02:45 CET
Nmap scan report for #######.lan (10.0.1.105)
Host is up (0.0018s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-03-19T01:45:55
|_  start_date: N/A

Nmap done: 1 IP address (1 host up) scanned in 10.66 seconds

Finally, if I try to run the smb-enum-users script I get the following error:

$ ./nmap --script scripts/smb-enum-users.nse -p445 -d 10.0.1.105
Starting Nmap 7.80SVN ( https://nmap.org ) at 2020-03-19 02:49 CET
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI: 
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 02:49
Completed NSE at 02:49, 0.00s elapsed
Initiating Ping Scan at 02:49
Scanning 10.0.1.105 [2 ports]
Completed Ping Scan at 02:49, 0.00s elapsed (1 total hosts)
Overall sending rates: 640.61 packets / s.
mass_rdns: Using DNS server 10.0.1.1
Initiating Parallel DNS resolution of 1 host. at 02:49
mass_rdns: 0.00s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 02:49, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 02:49
Scanning ######.lan (10.0.1.105) [1 port]
Discovered open port 445/tcp on 10.0.1.105
Completed Connect Scan at 02:49, 0.00s elapsed (1 total ports)
Overall sending rates: 278.01 packets / s.
NSE: Script scanning 10.0.1.105.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 02:49
NSE: Starting smb-enum-users against 10.0.1.105.
NSE: [smb-enum-users 10.0.1.105] SMB: Added account '' to account list
NSE: [smb-enum-users 10.0.1.105] SMB: Added account 'guest' to account list
NSE: [smb-enum-users 10.0.1.105] Couldn't negotiate a SMBv1 connection:SMB: Failed to receive bytes: ERROR
NSE: [smb-enum-users 10.0.1.105] Couldn't negotiate a SMBv1 connection:SMB: Failed to receive bytes: ERROR
NSE: Finished smb-enum-users against 10.0.1.105.
Completed NSE at 02:49, 2.01s elapsed
Nmap scan report for #####.lan (10.0.1.105)
Host is up, received syn-ack (0.0031s latency).
Scanned at 2020-03-19 02:49:37 CET for 2s

PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack

Host script results:
| smb-enum-users: 
|   ERROR: Couldn't enumerate users
|   ERROR: SAMR returned Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_  ERROR: LSA returned Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
Final times for host: srtt: 3067 rttvar: 3873  to: 100000

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 02:49
Completed NSE at 02:49, 0.00s elapsed
Read from /home/matteo/work/sw/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 2.27 seconds

I'm not sure if the behavior is correct or not, since with the smb-protocols script I don't see any "smb v1" protocol enabled.

Thanks for your support and your hard work!


@nnposter nnposter commented Mar 19, 2020

Unfortunately the code requires SMB1.
