smb discards smbtype/hash_type resulting in NT_STATUS_LOGON_FAILURE #2300

Open
ipfyx opened this issue May 7, 2021 · 2 comments

ipfyx commented May 7, 2021

Hi,

Describe the bug
When using NSE scripts that use smbauth, the smbtype argument provided appears to be tossed in favor of "ntlm".

Login failure

$ nmap -d -p445 <IP> --script smb-enum-shares --script-args smbdomain='TOTO',smbusername='toto',smbpassword='toto',smbtype=lmv2

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-07 14:25 CEST
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI: smbdomain=TOTO,smbusername=toto,smbpassword=toto,smbtype=lmv2
NSE: Arguments parsed: smbdomain=TOTO,smbusername=toto,smbpassword=toto,smbtype=lmv2
NSE: Loaded 2 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 14:25
Completed NSE at 14:25, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 14:25
Completed NSE at 14:25, 0.00s elapsed
Initiating Connect Scan at 14:25
Scanning 127.0.0.1 [1 port]
Discovered open port 445/tcp on 127.0.0.1
Completed Connect Scan at 14:25, 0.02s elapsed (1 total ports)
Overall sending rates: 47.26 packets / s.
NSE: Script scanning 127.0.0.1.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 14:25
NSE: Starting smb-enum-shares against 127.0.0.1.
NSE: [smb-enum-shares 127.0.0.1] SMB: Attempting to log into the system to enumerate shares
NSE: [smb-enum-shares 127.0.0.1] hash_type1 : none
NSE: [smb-enum-shares 127.0.0.1] hash_type4 : none
NSE: [smb-enum-shares 127.0.0.1] SMB: Added account '' to account list
NSE: [smb-enum-shares 127.0.0.1] hash_type1 : ntlm
NSE: [smb-enum-shares 127.0.0.1] hash_type4 : ntlm
NSE: [smb-enum-shares 127.0.0.1] SMB: Added account 'guest' to account list
NSE: [smb-enum-shares 127.0.0.1] hash_type6 : ntlm
NSE: [smb-enum-shares 127.0.0.1] hash_type7 : ntlm
NSE: [smb-enum-shares 127.0.0.1] hash_type8 : lmv2
NSE: [smb-enum-shares 127.0.0.1] hash_type1 : lmv2
NSE: [smb-enum-shares 127.0.0.1] hash_type4 : lmv2
NSE: [smb-enum-shares 127.0.0.1] SMB: Added account 'toto' to account list
NSE: [smb-enum-shares 127.0.0.1] hash_type9 : lmv2
NSE: [smb-enum-shares 127.0.0.1] hash_type5 : lmv2
NSE: [smb-enum-shares 127.0.0.1] hash_type25 : lmv2
NSE: [smb-enum-shares 127.0.0.1] hash_type26 : lmv2
NSE: [smb-enum-shares 127.0.0.1] hash_type27 : lmv2
NSE: [smb-enum-shares 127.0.0.1] hash_type28 : ntlm
NSE: [smb-enum-shares 127.0.0.1] hash_type10 : ntlm
NSE: [smb-enum-shares 127.0.0.1] hash_type11 : ntlm
NSE: [smb-enum-shares 127.0.0.1] hash_type12 : ntlm
NSE: [smb-enum-shares 127.0.0.1] hash_type13 : ntlm
NSE: [smb-enum-shares 127.0.0.1] SMB: Extended login to 127.0.0.1 as TOTO\toto failed (NT_STATUS_LOGON_FAILURE)

-dd during auth:

NSOCK INFO [1.3880s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 66 [127.0.0.1:445] (388 bytes)
NSE: [smb-enum-shares M:5623e139ab28 127.0.0.1] hash_type27 : lmv2
NSE: [smb-enum-shares M:5623e139ab28 127.0.0.1] hash_type28 : ntlm
NSE: [smb-enum-shares M:5623e139ab28 127.0.0.1] hash_type13 : ntlm
NSE: [smb-enum-shares M:5623e139ab28 127.0.0.1] hash_type10 : ntlm
NSE: [smb-enum-shares M:5623e139ab28 127.0.0.1] hash_type11 : ntlm
NSE: [smb-enum-shares M:5623e139ab28 127.0.0.1] SMB: Lanman hash: fffffffffffffffffffffffffffffffffffffffffffffff
NSE: [smb-enum-shares M:5623e139ab28 127.0.0.1] SMB: NTLM   hash: fffffffffffffffffffffffffffffffffffffffffffffff
NSE: [smb-enum-shares M:5623e139ab28 127.0.0.1] hash_type12 : ntlm
NSE: [smb-enum-shares M:5623e139ab28 127.0.0.1] hash_type12-nofix : ntlm
NSE: [smb-enum-shares M:5623e139ab28 127.0.0.1] SMB: Creating NTLMv1 response
NSE: [smb-enum-shares M:5623e139ab28 127.0.0.1] SMB: Lanman response: fffffffffffffffffffffffffffffffffffffffffffffff
NSE: [smb-enum-shares M:5623e139ab28 127.0.0.1] SMB: NTLM   response: fffffffffffffffffffffffffffffffffffffffffffffff
NSE: [smb-enum-shares M:5623e139ab28 127.0.0.1] hash_type13 : ntlm
NSE: [smb-enum-shares M:5623e139ab28 127.0.0.1] SMB: Sending SMB_COM_SESSION_SETUP_ANDX
NSOCK INFO [1.3900s] nsock_write(): Write request for 281 bytes to IOD #2 EID 75 [127.0.0.1:445]
NSOCK INFO [1.3900s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 75 [127.0.0.1:445]
NSOCK INFO [1.3900s] nsock_read(): Read request from IOD #2 [127.0.0.1:445] (timeout: 10000ms) EID 82
NSOCK INFO [1.4870s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 82 [127.0.0.1:445] (39 bytes): ...#.SMBsm....Eh....s.PK@.....aC.......
NSE: [smb-enum-shares M:5623e139ab28 127.0.0.1] SMB: Extended login to 127.0.0.1 as TOTO\toto (NT_STATUS_LOGON_FAILURE)

Login success

After fixing it:

$ nmap -d -Pn -n 127.0.0.1 -p445 --script smb-enum-shares,smb-ls --script-args smbdomain=TOTO,smbusername='toto',smbpassword='toto',smbtype=lmv2
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-07 14:46 CEST
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI: smbdomain=TOTO,smbusername=toto,smbpassword=toto,smbtype=lmv2
NSE: Arguments parsed: smbdomain=TOTO,smbusername=toto,smbpassword=toto,smbtype=lmv2
NSE: Loaded 2 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 14:46
Completed NSE at 14:46, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 14:46
Completed NSE at 14:46, 0.00s elapsed
Initiating Connect Scan at 14:46
Scanning 127.0.0.1 [1 port]
Discovered open port 445/tcp on 127.0.0.1
Completed Connect Scan at 14:46, 0.02s elapsed (1 total ports)
Overall sending rates: 47.64 packets / s.
NSE: Script scanning 127.0.0.1.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 14:46
NSE: Starting smb-enum-shares against 127.0.0.1.
NSE: [smb-enum-shares 127.0.0.1] SMB: Attempting to log into the system to enumerate shares
NSE: [smb-enum-shares 127.0.0.1] hash_type1 : none
NSE: [smb-enum-shares 127.0.0.1] hash_type4 : none
NSE: [smb-enum-shares 127.0.0.1] SMB: Added account '' to account list
NSE: [smb-enum-shares 127.0.0.1] hash_type1 : ntlm
NSE: [smb-enum-shares 127.0.0.1] hash_type4 : ntlm
NSE: [smb-enum-shares 127.0.0.1] SMB: Added account 'guest' to account list
NSE: [smb-enum-shares 127.0.0.1] hash_type6 : ntlm
NSE: [smb-enum-shares 127.0.0.1] hash_type7 : ntlm
NSE: [smb-enum-shares 127.0.0.1] hash_type8 : lmv2
NSE: [smb-enum-shares 127.0.0.1] hash_type1 : lmv2
NSE: [smb-enum-shares 127.0.0.1] hash_type4 : lmv2
NSE: [smb-enum-shares 127.0.0.1] SMB: Added account 'toto' to account list
NSE: [smb-enum-shares 127.0.0.1] hash_type9 : lmv2
NSE: [smb-enum-shares 127.0.0.1] hash_type5 : lmv2
NSE: [smb-enum-shares 127.0.0.1] hash_type25 : lmv2
NSE: [smb-enum-shares 127.0.0.1] hash_type26 : lmv2
NSE: [smb-enum-shares 127.0.0.1] hash_type27 : lmv2
NSE: [smb-enum-shares 127.0.0.1] hash_type28 : ntlm
NSE: [smb-enum-shares 127.0.0.1] hash_type13 : ntlm
NSE: [smb-enum-shares 127.0.0.1] hash_type10 : ntlm
NSE: [smb-enum-shares 127.0.0.1] hash_type11 : ntlm
NSE: [smb-enum-shares 127.0.0.1] hash_type12 : ntlm
NSE: [smb-enum-shares 127.0.0.1] hash_type12-fix : lmv2
NSE: [smb-enum-shares 127.0.0.1] hash_type13 : ntlm
NSE: [smb-enum-shares 127.0.0.1] SMB: Found N shares, will attempt to find more information

-dd during auth:

NSE: [smb-enum-shares M:559a791926b8 127.0.0.1] hash_type11 : ntlm
NSE: [smb-enum-shares M:559a791926b8 127.0.0.1] SMB: Lanman hash: fffffffffffffffffffffffffffffffffffffffffffffff
NSE: [smb-enum-shares M:559a791926b8 127.0.0.1] SMB: NTLM   hash: fffffffffffffffffffffffffffffffffffffffffffffff
NSE: [smb-enum-shares M:559a791926b8 127.0.0.1] hash_type12 : ntlm
NSE: [smb-enum-shares M:559a791926b8 127.0.0.1] hash_type12-fix : lmv2
NSE: [smb-enum-shares M:559a791926b8 127.0.0.1] SMB: Creating LMv2 response
NSE: [smb-enum-shares M:559a791926b8 127.0.0.1] SMB: Lanman response: fffffffffffffffffffffffffffffffffffffffffffffff
NSE: [smb-enum-shares M:559a791926b8 127.0.0.1] SMB: NTLM   response:
NSE: [smb-enum-shares M:559a791926b8 127.0.0.1] hash_type13 : ntlm
NSE: [smb-enum-shares M:559a791926b8 127.0.0.1] SMB: Sending SMB_COM_SESSION_SETUP_ANDX
NSOCK INFO [1.3380s] nsock_write(): Write request for 257 bytes to IOD #2 EID 75 [127.0.0.1:445]
NSOCK INFO [1.3380s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 75 [127.0.0.1:445]
NSOCK INFO [1.3380s] nsock_read(): Read request from IOD #2 [127.0.0.1:445] (timeout: 10000ms) EID 82
NSOCK INFO [1.4240s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 82 [127.0.0.1:445] (144 bytes)
NSE: [smb-enum-shares M:559a791926b8 127.0.0.1] SMB: Extended login to 127.0.0.1 as TOTO\toto

The problem seems to be related to sp_nego at smb.lua:1368, which overrides the hash_type:

        if ( sp_nego ) then
          if (smb['domain'] or smb['server']) and (not domain or #domain == 0) then
            domain = smb['domain'] or smb['server']
          end
          hash_type = "ntlm"   -- unconditionally replaces the smbtype passed by the caller
        end

Expected behavior

Nmap should use the authentication parameter specified in smbtype.
Nmap should try all the authentication methods by default (v1, lmv1, ntlmv1, v2, lmv2, ntlmv2_session).

Version info (please complete the following information):
Tested on Centos and Kali.

  • OS:
Linux kali 5.9.0-kali5-amd64 #1 SMP Debian 5.9.15-1kali1 (2020-12-18)
Linux host 3.10.0-862.3.2.el7.x86_64
  • Output of nmap --version:
Kali $ nmap --version
Nmap version 7.91 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.1.1g libssh2-1.8.0 libz-1.2.11 libpcre-8.39 nmap-libpcap-1.7.3 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

Centos7 $ nmap --version
Nmap version 7.70 ( https://nmap.org )
Platform: x86_64-redhat-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.0.2n nmap-libssh2-1.8.0 nmap-libz-1.2.8 nmap-libpcre-7.6 nmap-libpcap-1.7.3 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

Here is my debug code. This might not be the best way to debug Lua :D, I can't find how to include it as a patch...

@ipfyx ipfyx added the Nmap label May 7, 2021
ipfyx pushed a commit to ipfyx/nmap that referenced this issue May 7, 2021
smb discards smbtype/hash_type resulting in NT_STATUS_LOGON_FAILURE

ipfyx commented May 7, 2021

Check pull request #2301 for a fix.
