Regression smb_enum_users and shares on Nmap V 7.80

[roumy]

Hello there
I detect a regression on smb_enum_shares and smb_enum_users with nmap V7.80 version
It works correctly on V7.70

May be linked with [#1706 ]

Starting Nmap 7.80 ( https://nmap.org ) at 2019-08-23 09:30 UTC                                                                                                                                                    
Warning: File ./nmap-services exists, but Nmap is using /usr/bin/../share/nmap/nmap-services for security and consistency reasons.  set NMAPDIR=. to give priority to files in your local directory (may affect the
 other data files too).                                                                                                                                                                                            
--------------- Timing report ---------------                                                                                                                                                                      
  hostgroups: min 1, max 100000                                                                                                                                                                                    
  rtt-timeouts: init 1000, min 100, max 10000                                                                                                                                                                      
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000                                                                                                                                                                    
  parallelism: min 0, max 0                                                                                                                                                                                        
  max-retries: 10, host-timeout: 0                                                                                                                                                                                 
  min-rate: 0, max-rate: 0                                                                                                                                                                                         
---------------------------------------------                                                                                                                                                                      
NSE: Using Lua 5.3.                                                                                                                                                                                                
NSE: Arguments from CLI:                                                                                                                                                                                           
NSE: Loaded 1 scripts for scanning.  

.....
/usr/bin/../share/nmap/nselib/smb.lua:1030: bad argument #2 to 'unpack' (data string too short)
stack traceback:
        [C]: in function 'string.unpack'
        /usr/bin/../share/nmap/nselib/smb.lua:1030: in function 'smb.negotiate_v1'
        /usr/bin/../share/nmap/nselib/smb.lua:1074: in function 'smb.negotiate_protocol'
        /usr/bin/../share/nmap/nselib/smb.lua:372: in function 'smb.start_ex'
        (...tail calls...)
        /usr/bin/../share/nmap/nselib/msrpc.lua:4926: in function 'msrpc.enum_shares'
        /usr/bin/../share/nmap/nselib/smb.lua:3194: in function 'smb.share_get_list'
        /usr/bin/../share/nmap/scripts/smb-enum-shares.nse:110: in function </usr/bin/../share/nmap/scripts/smb-enum-shares.nse:105>
        (...tail calls...)

[cnotin]

Related to: #1476 (same error, same line)
Could you try with the proposed patch please?

[roumy]

Hi Clement ,
thanks for your feedback!
i've tried your patch with both smb-enum-users and smb-enum-shares.
Results were surprising.

Scripts smb-enum-shares works correctly, in fact it works better than with V7.70 or V7.40 that i have also tried , because it get some results whereas V7.70 get me following messages:

NSE: [smb-enum-shares 172.28.0.2] Couldn't negotiate a SMBv1 connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [12]
NSE: [smb-enum-shares 172.28.0.2] SMB: Enumerating shares failed, guessing at common ones (Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are m
issing); aborting [12])

The thing is that smb-enum-users script still not working, here is the error message:

v7.70 patch2
NSE: smb-enum-users against vuln_target (172.28.0.2) threw an error!                                                                                                                                               
/tmp/nmap-patch-2/nselib/msrpctypes.lua:847: attempt to perform arithmetic on a nil value (local 'pos')                                                                                                            
stack traceback:                                                                                                                                                                                                   
        /tmp/nmap-patch-2/nselib/msrpctypes.lua:847: in function 'msrpctypes.unmarshall_int32'                                                                                                                     
        /tmp/nmap-patch-2/nselib/msrpc.lua:1418: in function 'msrpc.samr_enumdomains'                                                                                                                              
        /tmp/nmap-patch-2/nselib/msrpc.lua:3816: in function 'msrpc.samr_enum_users'                                                                                                                               
        /tmp/nmap-patch-2/scripts/smb-enum-users.nse:171: in function </tmp/nmap-patch-2/scripts/smb-enum-users.nse:154>                                                                                           
        (...tail calls...)  

[cnotin]

"Merci" @roumy for your feedback ;)

I'm glad to know that the patch fixes the issues you had in smb.lua!

About smb-enum-users, according to the stacktrace, the error seems to be in msrpctypes.lua. I suppose that it's a different issue and unfortunately I don't have anything to suggest here...

[nnposter]

Regarding the latest error about nil arithmetic, this has been hopefully fixed in commit e5c4f48, as a partial fix for #1720.

At this point I would recommend to refresh both msrpc.lua and msrpctypes.lua from the master branch before further troubleshooting. See commits e5c4f48, be40965, 729260e, and ef2825b for details.

[roumy]

Thx @nnposter ,
we progress !! the status is now following :
with commit ef2825b
smb-enum-users is working whereas smb-enum-shares still KO:

NSE: smb-enum-shares against vuln_target (172.18.0.2) threw an error!                                                                                                                                              
/tmp/nmap-master/nselib/smb.lua:1030: bad argument #2 to 'unpack' (data string too short)                                                                                                                          
stack traceback:                                                                                                                                                                                                   
        [C]: in function 'string.unpack'                                                                                                                                                                           
        /tmp/nmap-master/nselib/smb.lua:1030: in function 'smb.negotiate_v1'                                                                                                                                       
        /tmp/nmap-master/nselib/smb.lua:1074: in function 'smb.negotiate_protocol'                                                                                                                                 
        /tmp/nmap-master/nselib/smb.lua:372: in function 'smb.start_ex'                                                                                                                                            
        (...tail calls...)                                                                                                                                                                                         
        /tmp/nmap-master/nselib/msrpc.lua:4927: in function 'msrpc.enum_shares'                                                                                                                                    
        /tmp/nmap-master/nselib/smb.lua:3194: in function 'smb.share_get_list'                                                                                                                                     
        /tmp/nmap-master/scripts/smb-enum-shares.nse:110: in function </tmp/nmap-master/scripts/smb-enum-shares.nse:105>  

maybe the @cnotin patch for #1476 will fix both pbs

[cnotin]

Yes please try with all of them 😉

[roumy]

Ok
i manually merged master...cnotin:patch-2 with ef2825b

both scripts worked well!
now waiting for #1476
thanks for your combined jobs, Guys

[cnotin]

Good to hear!
Thanks for your help in testing these :)

[nnposter]

A fix for this issue has been committed as r37733. Please report back if it does not work for you.