Describe the bug
Testing against the GOAD lab environment for SCCM, I am attempting to enumerate shares on a target machine using the following command:
nmap -p 445 -v3 --script "smb-enum-shares" --script-args smbusername=carol,smbdomain=sccm.lab,smbpassword=SCCMftw 192.168.56.11 -dd
Running with a single debug flag gets the following error:
Initiating NSE at 16:49
NSE: Starting smb-enum-shares against 192.168.56.11.
NSE: [smb-enum-shares 192.168.56.11] SMB: Attempting to log into the system to enumerate shares
NSE: [smb-enum-shares 192.168.56.11] SMB: Added account '' to account list
NSE: [smb-enum-shares 192.168.56.11] SMB: Added account 'guest' to account list
NSE: [smb-enum-shares 192.168.56.11] SMB: Added account 'carol' to account list
NSE: [smb-enum-shares 192.168.56.11] Couldn't negotiate a SMBv1 connection:SMB: Failed to receive bytes: ERROR
NSE: [smb-enum-shares 192.168.56.11] SMB: Enumerating shares failed, guessing at common ones (Could not negotiate a connection:SMB: Failed to receive bytes: ERROR)
NSE: [smb-enum-shares 192.168.56.11] Couldn't negotiate a SMBv1 connection:SMB: Failed to receive bytes: ERROR
NSE: [smb-enum-shares 192.168.56.11] Couldn't negotiate a SMBv1 connection:SMB: Failed to receive bytes: ERROR
NSE: Finished smb-enum-shares against 192.168.56.11.
And the more verbose debug output:
Starting Nmap 7.93 ( https://nmap.org ) at 2025-02-02 16:45 AEDT
Fetchfile found /usr/bin/../share/nmap/nmap-services
Fetchfile found /usr/bin/../share/nmap/nmap.xsl
The max # of sockets we are using is: 0
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
Fetchfile found /usr/bin/../share/nmap/nse_main.lua
Fetchfile found /usr/bin/../share/nmap/nselib/lpeg-utility.lua
Fetchfile found /usr/bin/../share/nmap/nselib/stdnse.lua
Fetchfile found /usr/bin/../share/nmap/nselib/strict.lua
Fetchfile found /usr/bin/../share/nmap/scripts/script.db
Fetchfile found /usr/bin/../share/nmap/nselib/tableaux.lua
NSE: Arguments from CLI: smbusername=carol,smbdomain=sccm.lab,smbpassword=SCCMftw
NSE: Arguments parsed: smbusername=carol,smbdomain=sccm.lab,smbpassword=SCCMftw
NSE: {
["smbpassword"] = "SCCMftw",
["smbdomain"] = "sccm.lab",
["smbusername"] = "carol",
}
Fetchfile found /usr/bin/../share/nmap/scripts/smb-enum-shares.nse
NSE: Script smb-enum-shares.nse was selected by name.
Fetchfile found /usr/bin/../share/nmap/nselib/smb.lua
Fetchfile found /usr/bin/../share/nmap/nselib/asn1.lua
Fetchfile found /usr/bin/../share/nmap/nselib/unittest.lua
Fetchfile found /usr/bin/../share/nmap/nselib/nsedebug.lua
Fetchfile found /usr/bin/../share/nmap/nselib/listop.lua
Fetchfile found /usr/bin/../share/nmap/nselib/datetime.lua
Fetchfile found /usr/bin/../share/nmap/nselib/match.lua
Fetchfile found /usr/bin/../share/nmap/nselib/netbios.lua
Fetchfile found /usr/bin/../share/nmap/nselib/dns.lua
Fetchfile found /usr/bin/../share/nmap/nselib/ipOps.lua
Fetchfile found /usr/bin/../share/nmap/nselib/stringaux.lua
Fetchfile found /usr/bin/../share/nmap/nselib/base32.lua
Fetchfile found /usr/bin/../share/nmap/nselib/smbauth.lua
Fetchfile found /usr/bin/../share/nmap/nselib/unicode.lua
Fetchfile found /usr/bin/../share/nmap/nselib/smb2.lua
NSE: Loaded 1 scripts for scanning.
NSE: Loaded '/usr/bin/../share/nmap/scripts/smb-enum-shares.nse'.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 16:45
Completed NSE at 16:45, 0.00s elapsed
Initiating ARP Ping Scan at 16:45
Scanning 192.168.56.11 [1 port]
Packet capture filter (device vboxnet0): arp and arp[18:4] = 0x0A002700 and arp[22:2] = 0x0000
ultrascan_host_probe_update called for machine 192.168.56.11 state UNKNOWN -> HOST_UP (trynum 0 time: 175)
Fetchfile found /usr/bin/../share/nmap/nmap-mac-prefixes
MAC prefix 0001C8 is duplicated in /usr/bin/../share/nmap/nmap-mac-prefixes; ignoring duplicates.
MAC prefix 080030 is duplicated in /usr/bin/../share/nmap/nmap-mac-prefixes; ignoring duplicates.
MAC prefix 080030 is duplicated in /usr/bin/../share/nmap/nmap-mac-prefixes; ignoring duplicates.
Changing ping technique for 192.168.56.11 to ARP
Changing global ping host to 192.168.56.11.
Completed ARP Ping Scan at 16:45, 0.01s elapsed (1 total hosts)
Overall sending rates: 77.21 packets / s, 3242.74 bytes / s.
mass_rdns: Using DNS server 127.0.0.53
NSOCK INFO [0.1420s] nsock_iod_new2(): nsock_iod_new (IOD #1)
NSOCK INFO [0.1420s] nsock_connect_udp(): UDP connection requested to 127.0.0.53:53 (IOD #1) EID 8
NSOCK INFO [0.1420s] nsock_read(): Read request from IOD #1 [127.0.0.53:53] (timeout: -1ms) EID 18
Initiating Parallel DNS resolution of 1 host. at 16:45
NSOCK INFO [0.1420s] nsock_write(): Write request for 44 bytes to IOD #1 EID 27 [127.0.0.53:53]
NSOCK INFO [0.1420s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [127.0.0.53:53]
NSOCK INFO [0.1420s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [127.0.0.53:53]
NSOCK INFO [0.1460s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [127.0.0.53:53] (44 bytes): .............11.56.168.192.in-addr.arpa.....
NSOCK INFO [0.1460s] nsock_read(): Read request from IOD #1 [127.0.0.53:53] (timeout: -1ms) EID 34
NSOCK INFO [0.1460s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
NSOCK INFO [0.1460s] nevent_delete(): nevent_delete on event #34 (type READ)
mass_rdns: 0.00s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 16:45, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 16:45
192.168.56.11 pingprobe type ARP is inappropriate for this scan type; resetting.
Scanning 192.168.56.11 [1 port]
Packet capture filter (device vboxnet0): dst host 192.168.56.1 and (icmp or icmp6 or ((tcp) and (src host 192.168.56.11)))
Discovered open port 445/tcp on 192.168.56.11
Changing ping technique for 192.168.56.11 to tcp to port 445; flags: S
Changing global ping host to 192.168.56.11.
Completed SYN Stealth Scan at 16:45, 0.02s elapsed (1 total ports)
Overall sending rates: 48.09 packets / s, 2115.79 bytes / s.
NSE: Script scanning 192.168.56.11.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 16:45
NSE: Starting smb-enum-shares M:5724f8980ca8 against 192.168.56.11.
Fetchfile found /usr/bin/../share/nmap/nselib/msrpc.lua
Fetchfile found /usr/bin/../share/nmap/nselib/msrpctypes.lua
NSE: [smb-enum-shares M:5724f8980ca8 192.168.56.11] SMB: Attempting to log into the system to enumerate shares
NSOCK INFO [0.1460s] nsock_iod_new2(): nsock_iod_new (IOD #1)
NSOCK INFO [0.1810s] nsock_connect_udp(): UDP connection requested to 192.168.56.11:137 (IOD #1) EID 8
NSOCK INFO [0.1810s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [192.168.56.11:137]
NSOCK INFO [0.1810s] nsock_write(): Write request for 50 bytes to IOD #1 EID 19 [192.168.56.11:137]
NSOCK INFO [0.1810s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 19 [192.168.56.11:137]
NSOCK INFO [0.1810s] nsock_readbytes(): Read request for 1 bytes from IOD #1 [192.168.56.11:137] EID 26
NSOCK INFO [0.1810s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 26 [192.168.56.11:137] (175 bytes)
NSOCK INFO [0.1810s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
NSE: [smb-enum-shares M:5724f8980ca8 192.168.56.11] SMB: Starting SMB session for (192.168.56.11)
NSE: [smb-enum-shares M:5724f8980ca8 192.168.56.11] SMB: Added account '' to account list
NSE: [smb-enum-shares M:5724f8980ca8 192.168.56.11] SMB: Added account 'guest' to account list
NSE: [smb-enum-shares M:5724f8980ca8 192.168.56.11] SMB: Added account 'carol' to account list
NSOCK INFO [0.1810s] nsock_iod_new2(): nsock_iod_new (IOD #2)
NSOCK INFO [0.1810s] nsock_connect_tcp(): TCP connection requested to 192.168.56.11:445 (IOD #2) EID 32
NSOCK INFO [0.1810s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 32 [192.168.56.11:445]
NSE: [smb-enum-shares M:5724f8980ca8 192.168.56.11] SMB: Sending SMB_COM_NEGOTIATE
NSOCK INFO [0.1810s] nsock_write(): Write request for 53 bytes to IOD #2 EID 43 [192.168.56.11:445]
NSOCK INFO [0.1810s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 43 [192.168.56.11:445]
NSOCK INFO [0.1810s] nsock_read(): Read request from IOD #2 [192.168.56.11:445] (timeout: 10000ms) EID 50
NSOCK INFO [0.1820s] nsock_trace_handler_callback(): Callback: READ ERROR [Connection reset by peer (104)] for EID 50 [192.168.56.11:445]
NSE: [smb-enum-shares M:5724f8980ca8 192.168.56.11] Couldn't negotiate a SMBv1 connection:SMB: Failed to receive bytes: ERROR
NSE: [smb-enum-shares M:5724f8980ca8 192.168.56.11] SMB: Closing socket
NSOCK INFO [0.1820s] nsock_iod_delete(): nsock_iod_delete (IOD #2)
NSE: [smb-enum-shares M:5724f8980ca8 192.168.56.11] SMB: Enumerating shares failed, guessing at common ones (Could not negotiate a connection:SMB: Failed to receive bytes: ERROR)
NSE: [smb-enum-shares M:5724f8980ca8 192.168.56.11] SMB: Resolved netbios name from cache
NSE: [smb-enum-shares M:5724f8980ca8 192.168.56.11] SMB: Starting SMB session for (192.168.56.11)
NSOCK INFO [0.1820s] nsock_iod_new2(): nsock_iod_new (IOD #3)
NSOCK INFO [0.1820s] nsock_connect_tcp(): TCP connection requested to 192.168.56.11:445 (IOD #3) EID 56
NSOCK INFO [0.1820s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 56 [192.168.56.11:445]
NSE: [smb-enum-shares M:5724f8980ca8 192.168.56.11] SMB: Sending SMB_COM_NEGOTIATE
NSOCK INFO [0.1820s] nsock_write(): Write request for 53 bytes to IOD #3 EID 67 [192.168.56.11:445]
NSOCK INFO [0.1820s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 67 [192.168.56.11:445]
NSOCK INFO [0.1820s] nsock_read(): Read request from IOD #3 [192.168.56.11:445] (timeout: 10000ms) EID 74
NSOCK INFO [0.1820s] nsock_trace_handler_callback(): Callback: READ ERROR [Connection reset by peer (104)] for EID 74 [192.168.56.11:445]
NSE: [smb-enum-shares M:5724f8980ca8 192.168.56.11] Couldn't negotiate a SMBv1 connection:SMB: Failed to receive bytes: ERROR
NSE: [smb-enum-shares M:5724f8980ca8 192.168.56.11] SMB: Closing socket
NSOCK INFO [0.1820s] nsock_iod_delete(): nsock_iod_delete (IOD #3)
NSE: [smb-enum-shares M:5724f8980ca8 192.168.56.11] SMB: Resolved netbios name from cache
NSE: [smb-enum-shares M:5724f8980ca8 192.168.56.11] SMB: Starting SMB session for (192.168.56.11)
NSOCK INFO [0.1820s] nsock_iod_new2(): nsock_iod_new (IOD #4)
NSOCK INFO [0.1820s] nsock_connect_tcp(): TCP connection requested to 192.168.56.11:445 (IOD #4) EID 80
NSOCK INFO [0.1820s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 80 [192.168.56.11:445]
NSE: [smb-enum-shares M:5724f8980ca8 192.168.56.11] SMB: Sending SMB_COM_NEGOTIATE
NSOCK INFO [0.1820s] nsock_write(): Write request for 53 bytes to IOD #4 EID 91 [192.168.56.11:445]
NSOCK INFO [0.1820s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 91 [192.168.56.11:445]
NSOCK INFO [0.1830s] nsock_read(): Read request from IOD #4 [192.168.56.11:445] (timeout: 10000ms) EID 98
NSOCK INFO [0.1830s] nsock_trace_handler_callback(): Callback: READ ERROR [Connection reset by peer (104)] for EID 98 [192.168.56.11:445]
NSE: [smb-enum-shares M:5724f8980ca8 192.168.56.11] Couldn't negotiate a SMBv1 connection:SMB: Failed to receive bytes: ERROR
NSE: [smb-enum-shares M:5724f8980ca8 192.168.56.11] SMB: Closing socket
NSOCK INFO [0.1830s] nsock_iod_delete(): nsock_iod_delete (IOD #4)
NSE: Finished smb-enum-shares M:5724f8980ca8 against 192.168.56.11.
Completed NSE at 16:45, 0.01s elapsed
Nmap scan report for 192.168.56.11
Host is up, received arp-response (0.00018s latency).
Scanned at 2025-02-02 16:45:11 AEDT for 0s
PORT STATE SERVICE REASON
445/tcp open microsoft-ds syn-ack ttl 128
MAC Address: 08:00:27:61:81:7B (Oracle VirtualBox virtual NIC)
Host script results:
| smb-enum-shares:
|_ ERROR: Couldn't enumerate shares: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
Final times for host: srtt: 178 rttvar: 3782 to: 100000
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 16:45
Completed NSE at 16:45, 0.00s elapsed
Read from /usr/bin/../share/nmap: nmap-mac-prefixes nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
To Reproduce
Steps to reproduce the behavior, including command-line options.
nmap -p 445 -v3 --script "smb-enum-shares" --script-args smbusername=carol,smbdomain=sccm.lab,smbpassword=SCCMftw 192.168.56.11 -dd
Against a GOAD SCCM server with SMBv1 disabled.
Expected behavior
I expect that the smb-enum-shares script allows for negotiation with the SMBv2/v3 protocols; it does not appear that there is any way to set an option for the more modern SMB protocols.
Version info (please complete the following information):
Linux exegol-goad-sccm 6.8.0-41-generic #41-Ubuntu SMP PREEMPT_DYNAMIC Fri Aug 2 20:41:06 UTC 2024 x86_64 GNU/Linux
nmap --version
Nmap version 7.93 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.3.6 openssl-3.0.14 libssh2-1.10.0 libz-1.2.13 libpcre-8.39 libpcap-1.10.3 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select
nmap --iflist
Starting Nmap 7.93 ( https://nmap.org ) at 2025-02-02 16:51 AEDT
************************INTERFACES************************
DEV (SHORT) IP/MASK TYPE UP MTU MAC
lo (lo) 127.0.0.1/8 loopback up 65536
lo (lo) ::1/128 loopback up 65536
wlp0s20f3 (wlp0s20f3) 10.10.10.114/24 ethernet up 1500 64:6E:E0:E0:38:AA
wlp0s20f3 (wlp0s20f3) fe80::bebb:7a09:1218:55b5/64 ethernet up 1500 64:6E:E0:E0:38:AA
vboxnet0 (vboxnet0) 192.168.56.1/24 ethernet up 1500 0A:00:27:00:00:00
vboxnet0 (vboxnet0) fe80::800:27ff:fe00:0/64 ethernet up 1500 0A:00:27:00:00:00
docker0 (docker0) 172.17.0.1/16 ethernet up 1500 02:42:DB:23:26:62
**************************ROUTES**************************
DST/MASK DEV METRIC GATEWAY
192.168.56.0/24 vboxnet0 0
10.10.10.0/24 wlp0s20f3 600
172.17.0.0/16 docker0 0
0.0.0.0/0 wlp0s20f3 600 10.10.10.1
::1/128 lo 0
fe80::800:27ff:fe00:0/128 vboxnet0 0
fe80::bebb:7a09:1218:55b5/128 wlp0s20f3 0
fe80::/64 vboxnet0 256
fe80::/64 wlp0s20f3 1024
ff00::/8 vboxnet0 256
ff00::/8 wlp0s20f3 256
Not sure if this is a feature request or a bug, or if I'm just missing something else entirely, but since there are smbv2-* scripts it does seem possible? Does the lack of smbv2-* prefixes on the existing smb-* scripts mean all of them ONLY support SMBv1?
If there's a need for a rewrite of the existing smb-* scripts to be compatible with SMBv2+, let me know and I can look at getting that done as well.
Thanks!
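The debug trace above shows what actually happens on the wire: the script opens 445/tcp, writes an SMBv1 SMB_COM_NEGOTIATE, and the server answers with a TCP reset because SMBv1 is disabled. The following is an added example, not part of the issue and not Nmap or NSE code, that shows the alternative at packet level: it builds an SMB2 NEGOTIATE request (MS-SMB2 2.2.3), classifies whatever comes back (reset, SMB1 or SMB2 magic), and parses an SMB2 NEGOTIATE response down to the negotiated dialect and signing policy. The server response it parses offline is constructed by hand, not a capture from the GOAD lab; the server GUID, the security blob bytes and the offered dialect list are assumptions, and SMB 3.1.1 (0x0311) is deliberately left out because it requires negotiate contexts, which this example does not implement. Pass a host on the command line to send the real request.

```python
"""SMB2 NEGOTIATE request builder / response parser (added example, not NSE code)."""
import socket
import struct
import sys
import uuid

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
# Dialect revisions from MS-SMB2 2.2.3; 0x0311 omitted (needs negotiate contexts).
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2"}


def nbt_frame(payload: bytes) -> bytes:
    """NetBIOS session service header: type 0x00 plus 24-bit big-endian length."""
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


def smb2_header(command: int, flags: int = 0, message_id: int = 0) -> bytes:
    """64-byte SMB2 header (MS-SMB2 2.2.1.2), unsigned, credit request of 1."""
    return struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, 0, command, 1,
                       flags, 0, message_id, 0, 0, 0, bytes(16))


def build_smb2_negotiate(dialects=tuple(DIALECTS), client_guid: bytes = None) -> bytes:
    """SMB2 NEGOTIATE request; SecurityMode 0x0001 = signing enabled, not required."""
    guid = client_guid if client_guid is not None else uuid.uuid4().bytes
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), 0x0001, 0, 0, guid, 0)
    body += b"".join(struct.pack("<H", d) for d in dialects)
    return nbt_frame(smb2_header(SMB2_NEGOTIATE) + body)


def classify_reply(frame: bytes) -> str:
    """'reset' is the case in the NSE trace: empty read after the SMBv1 negotiate."""
    if not frame:
        return "reset"
    pkt = frame[4:] if frame[0] == 0 else frame
    if pkt[:4] == SMB2_MAGIC:
        return "smb2"
    if pkt[:4] == SMB1_MAGIC:
        return "smb1"
    return "unknown"


def parse_smb2_negotiate_response(frame: bytes) -> dict:
    """Extract dialect, signing policy and security blob from a NEGOTIATE response."""
    if len(frame) < 4 or frame[0] != 0:
        raise ValueError("not a NetBIOS session message")
    pkt = frame[4:4 + int.from_bytes(frame[1:4], "big")]
    if len(pkt) < 128 or pkt[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 packet")
    _, hdr_size, _, status, command, _, flags = struct.unpack_from("<4sHHIHHI", pkt, 0)
    if hdr_size != 64 or command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a server NEGOTIATE response")
    (size, sec_mode, dialect, _, guid, _caps, _max_tx, max_rd, _max_wr, _sys_time,
     _start_time, sec_off, sec_len, _ctx_off) = struct.unpack_from("<HHHH16sIIIIQQHHI", pkt, 64)
    if size != 65:
        raise ValueError("bad NEGOTIATE response StructureSize %d" % size)
    return {
        "status": status,
        "dialect": DIALECTS.get(dialect, "0x%04x" % dialect),
        "signing_enabled": bool(sec_mode & 0x1),
        "signing_required": bool(sec_mode & 0x2),
        "server_guid": str(uuid.UUID(bytes_le=guid)),
        "max_read": max_rd,
        "security_blob": pkt[sec_off:sec_off + sec_len],  # offset is from the SMB2 header
    }


def constructed_negotiate_response(dialect: int = 0x0302, sec_mode: int = 0x0003) -> bytes:
    """Hand-built server reply (constructed sample, not a capture); default = 3.0.2, signing required."""
    blob = b"\x60\x06\x06\x04\x00\x00\x00\x01"  # stand-in for the SPNEGO token
    guid = uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le  # assumed server GUID
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, sec_mode, dialect, 0, guid, 0x2f,
                       8388608, 8388608, 8388608, 0, 0, 128, len(blob), 0)
    return nbt_frame(smb2_header(SMB2_NEGOTIATE, flags=SMB2_FLAGS_SERVER_TO_REDIR) + body + blob)


def negotiate(host: str, port: int = 445, timeout: float = 5.0) -> bytes:
    """Send the SMB2 NEGOTIATE to a live host; returns b'' if the peer resets, as in the trace."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_smb2_negotiate())
        try:
            hdr = s.recv(4)
            if len(hdr) < 4:
                return b""
            need, data = int.from_bytes(hdr[1:4], "big"), b""
            while len(data) < need:
                chunk = s.recv(need - len(data))
                if not chunk:
                    break
                data += chunk
            return hdr + data
        except ConnectionResetError:
            return b""


if __name__ == "__main__":
    reply = negotiate(sys.argv[1]) if len(sys.argv) > 1 else constructed_negotiate_response()
    kind = classify_reply(reply)
    print("reply:", kind)
    if kind == "smb2":
        print(parse_smb2_negotiate_response(reply))
```

Against a host with SMBv1 disabled, `classify_reply` returns "reset" for an SMBv1 negotiate but "smb2" for this request, and the parsed SecurityMode tells you before any authentication whether signing is required, which is the first thing to check before attempting relay-style attacks in a lab like GOAD.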