Regression smb_enum_users and shares on Nmap V 7.80

[roumy]

Hello there
I detect a regression on smb_enum_shares and smb_enum_users with nmap V7.80 version
It works correctly on V7.70

May be linked with [#1706 ]

Starting Nmap 7.80 ( https://nmap.org ) at 2019-08-23 09:30 UTC                                                                                                                                                    
Warning: File ./nmap-services exists, but Nmap is using /usr/bin/../share/nmap/nmap-services for security and consistency reasons.  set NMAPDIR=. to give priority to files in your local directory (may affect the
 other data files too).                                                                                                                                                                                            
--------------- Timing report ---------------                                                                                                                                                                      
  hostgroups: min 1, max 100000                                                                                                                                                                                    
  rtt-timeouts: init 1000, min 100, max 10000                                                                                                                                                                      
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000                                                                                                                                                                    
  parallelism: min 0, max 0                                                                                                                                                                                        
  max-retries: 10, host-timeout: 0                                                                                                                                                                                 
  min-rate: 0, max-rate: 0                                                                                                                                                                                         
---------------------------------------------                                                                                                                                                                      
NSE: Using Lua 5.3.                                                                                                                                                                                                
NSE: Arguments from CLI:                                                                                                                                                                                           
NSE: Loaded 1 scripts for scanning.  

.....
/usr/bin/../share/nmap/nselib/smb.lua:1030: bad argument #2 to 'unpack' (data string too short)
stack traceback:
        [C]: in function 'string.unpack'
        /usr/bin/../share/nmap/nselib/smb.lua:1030: in function 'smb.negotiate_v1'
        /usr/bin/../share/nmap/nselib/smb.lua:1074: in function 'smb.negotiate_protocol'
        /usr/bin/../share/nmap/nselib/smb.lua:372: in function 'smb.start_ex'
        (...tail calls...)
        /usr/bin/../share/nmap/nselib/msrpc.lua:4926: in function 'msrpc.enum_shares'
        /usr/bin/../share/nmap/nselib/smb.lua:3194: in function 'smb.share_get_list'
        /usr/bin/../share/nmap/scripts/smb-enum-shares.nse:110: in function </usr/bin/../share/nmap/scripts/smb-enum-shares.nse:105>
        (...tail calls...)

[cnotin]

Related to: #1476 (same error, same line)
Could you try with the proposed patch please?

[roumy]

Hi Clement ,
thanks for your feedback!
i've tried your patch with both smb-enum-users and smb-enum-shares.
Results were surprising.

Scripts smb-enum-shares works correctly, in fact it works better than with V7.70 or V7.40 that i have also tried , because it get some results whereas V7.70 get me following messages:

NSE: [smb-enum-shares 172.28.0.2] Couldn't negotiate a SMBv1 connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [12]
NSE: [smb-enum-shares 172.28.0.2] SMB: Enumerating shares failed, guessing at common ones (Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are m
issing); aborting [12])

The thing is that smb-enum-users script still not working, here is the error message:

v7.70 patch2
NSE: smb-enum-users against vuln_target (172.28.0.2) threw an error!                                                                                                                                               
/tmp/nmap-patch-2/nselib/msrpctypes.lua:847: attempt to perform arithmetic on a nil value (local 'pos')                                                                                                            
stack traceback:                                                                                                                                                                                                   
        /tmp/nmap-patch-2/nselib/msrpctypes.lua:847: in function 'msrpctypes.unmarshall_int32'                                                                                                                     
        /tmp/nmap-patch-2/nselib/msrpc.lua:1418: in function 'msrpc.samr_enumdomains'                                                                                                                              
        /tmp/nmap-patch-2/nselib/msrpc.lua:3816: in function 'msrpc.samr_enum_users'                                                                                                                               
        /tmp/nmap-patch-2/scripts/smb-enum-users.nse:171: in function </tmp/nmap-patch-2/scripts/smb-enum-users.nse:154>                                                                                           
        (...tail calls...)  

[cnotin]

"Merci" @roumy for your feedback ;)

I'm glad to know that the patch fixes the issues you had in smb.lua!

About smb-enum-users, according to the stacktrace, the error seems to be in msrpctypes.lua. I suppose that it's a different issue and unfortunately I don't have anything to suggest here...

[nnposter]

Regarding the latest error about nil arithmetic, this has been hopefully fixed in commit e5c4f48, as a partial fix for #1720.

At this point I would recommend to refresh both msrpc.lua and msrpctypes.lua from the master branch before further troubleshooting. See commits e5c4f48, be40965, 729260e, and ef2825b for details.

[roumy]

Thx @nnposter ,
we progress !! the status is now following :
with commit ef2825b
smb-enum-users is working whereas smb-enum-shares still KO:

NSE: smb-enum-shares against vuln_target (172.18.0.2) threw an error!                                                                                                                                              
/tmp/nmap-master/nselib/smb.lua:1030: bad argument #2 to 'unpack' (data string too short)                                                                                                                          
stack traceback:                                                                                                                                                                                                   
        [C]: in function 'string.unpack'                                                                                                                                                                           
        /tmp/nmap-master/nselib/smb.lua:1030: in function 'smb.negotiate_v1'                                                                                                                                       
        /tmp/nmap-master/nselib/smb.lua:1074: in function 'smb.negotiate_protocol'                                                                                                                                 
        /tmp/nmap-master/nselib/smb.lua:372: in function 'smb.start_ex'                                                                                                                                            
        (...tail calls...)                                                                                                                                                                                         
        /tmp/nmap-master/nselib/msrpc.lua:4927: in function 'msrpc.enum_shares'                                                                                                                                    
        /tmp/nmap-master/nselib/smb.lua:3194: in function 'smb.share_get_list'                                                                                                                                     
        /tmp/nmap-master/scripts/smb-enum-shares.nse:110: in function </tmp/nmap-master/scripts/smb-enum-shares.nse:105>  

maybe the @cnotin patch for #1476 will fix both pbs

[cnotin]

Yes please try with all of them 😉

[roumy]

Ok
i manually merged master...cnotin:patch-2 with ef2825b

both scripts worked well!
now waiting for #1476
thanks for your combined jobs, Guys

[cnotin]

Good to hear!
Thanks for your help in testing these :)

[nnposter]

A fix for this issue has been committed as r37733. Please report back if it does not work for you.

[mattbrun]

Dear all,
I'm still getting the Couldn't negotiate a SMBv1 connection:SMB: Failed to receive bytes: ERROR error while trying to use some of the smb-* scripts against a Windows 10 Enterprise 64bit v1809.

I'm running nmap on an Arch Linux machine, and I tried both the 7.80 version installed with the packet manager, and the git master branch version.

Considering the git master branch version of nmap

$ git log --name-status HEAD^..HEAD
commit f83de100b3c6873552228c3f5613628fb6513248 (HEAD -> master, origin/master, origin/HEAD)
Author: dmiller <dmiller@e0a8ed71-7df4-0310-8962-fdc924857419>
Date:   Wed Mar 11 21:24:56 2020 +0000

    Avoid integer overflow in nping elapsedRuntime. Fixes #1961

M       nping/stats.cc
M       nping/stats.h

running the smb-protocols works just fine

$ ./nmap --script scripts/smb-protocols.nse -p445 10.0.1.105
Starting Nmap 7.80SVN ( https://nmap.org ) at 2020-03-19 02:44 CET
Nmap scan report for ########.lan (10.0.1.105)
Host is up (0.0023s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-protocols: 
|   dialects: 
|     2.02
|     2.10
|     3.00
|     3.02
|_    3.11

Nmap done: 1 IP address (1 host up) scanned in 6.28 seconds

Running the default scripts on the port 445 works fine for the smb2- scripts:

$ ./nmap -sC -p445 10.0.1.105
Starting Nmap 7.80SVN ( https://nmap.org ) at 2020-03-19 02:45 CET
Nmap scan report for #######.lan (10.0.1.105)
Host is up (0.0018s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-03-19T01:45:55
|_  start_date: N/A

Nmap done: 1 IP address (1 host up) scanned in 10.66 seconds

Finally, if I try to run the smb-enum-users script I get the following error:

$ ./nmap --script scripts/smb-enum-users.nse -p445 -d 10.0.1.105
Starting Nmap 7.80SVN ( https://nmap.org ) at 2020-03-19 02:49 CET
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI: 
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 02:49
Completed NSE at 02:49, 0.00s elapsed
Initiating Ping Scan at 02:49
Scanning 10.0.1.105 [2 ports]
Completed Ping Scan at 02:49, 0.00s elapsed (1 total hosts)
Overall sending rates: 640.61 packets / s.
mass_rdns: Using DNS server 10.0.1.1
Initiating Parallel DNS resolution of 1 host. at 02:49
mass_rdns: 0.00s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 02:49, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 02:49
Scanning ######.lan (10.0.1.105) [1 port]
Discovered open port 445/tcp on 10.0.1.105
Completed Connect Scan at 02:49, 0.00s elapsed (1 total ports)
Overall sending rates: 278.01 packets / s.
NSE: Script scanning 10.0.1.105.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 02:49
NSE: Starting smb-enum-users against 10.0.1.105.
NSE: [smb-enum-users 10.0.1.105] SMB: Added account '' to account list
NSE: [smb-enum-users 10.0.1.105] SMB: Added account 'guest' to account list
NSE: [smb-enum-users 10.0.1.105] Couldn't negotiate a SMBv1 connection:SMB: Failed to receive bytes: ERROR
NSE: [smb-enum-users 10.0.1.105] Couldn't negotiate a SMBv1 connection:SMB: Failed to receive bytes: ERROR
NSE: Finished smb-enum-users against 10.0.1.105.
Completed NSE at 02:49, 2.01s elapsed
Nmap scan report for #####.lan (10.0.1.105)
Host is up, received syn-ack (0.0031s latency).
Scanned at 2020-03-19 02:49:37 CET for 2s

PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack

Host script results:
| smb-enum-users: 
|   ERROR: Couldn't enumerate users
|   ERROR: SAMR returned Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_  ERROR: LSA returned Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
Final times for host: srtt: 3067 rttvar: 3873  to: 100000

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 02:49
Completed NSE at 02:49, 0.00s elapsed
Read from /home/matteo/work/sw/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 2.27 seconds

I'm not sure if the behavior is correct or not, since with the smb-protocols script I don't see any "smb v1" protocol enabled.

Thanks for your support and your hard work!

[nnposter]

Unfortunately the code requires SMB1.

[aditya162002]

@mattbrun hey! i need your help regarding smb error.
help;)

[cnotin]

@aditya162002 as stated above, the code only works if SMB1 is supported by the server

[aditya162002]

@cnotin so what should i do?
i m at the beginner level,please help!

[cnotin]

Use the "smb-protocols" script to check if SMB1 is supported.
If not, and supposing that you want to enumerate users, unfortunately you should use a different tool for now

[aditya162002]

@cnotin can you tell me which tool i can use?
i have checked "smb-protocols" but its not working fine.

[cnotin]

Crackmapexec, SharpHound, mimikatz, and many others allow remote enumeration of local users through SMB

The "smb-protocols" script should not have any issue though. Are you using it correctly? For example:

nmap -p445 -v --script smb-protocols <ip>

[aditya162002]

@cnotin its showing
PORT STATE SERVICE
445/tcp open microsoft-ds

Host script results:
| smb-protocols:
| dialects:
| 2.02
| 2.10
| 3.00
| 3.02
|_ 3.11

NSE: Script Post-scanning.
Initiating NSE at 00:10
Completed NSE at 00:10, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 7.58 seconds
Raw packets sent: 5 (196B) | Rcvd: 2 (84B)

[aditya162002]

@cnotin how can i exploit into such vulnerabilities like:
samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR

[cnotin]

So "smb-protocols" works fine and shows you that SMB1 is not supported, and thus many Nmap scripts which do not support SMB2+ will not work.
I can't provide more general help here, as it is an issue discussion.

[aditya162002]

@cnotin thanks alott.