
Regression smb_enum_users and shares on Nmap V 7.80 #1707

Closed
roumy opened this issue Aug 23, 2019 · 21 comments
roumy commented Aug 23, 2019

Hello there,
I detected a regression in smb_enum_shares and smb_enum_users with the nmap V7.80 version.
It works correctly on V7.70.

May be linked with #1706

Starting Nmap 7.80 ( https://nmap.org ) at 2019-08-23 09:30 UTC
Warning: File ./nmap-services exists, but Nmap is using /usr/bin/../share/nmap/nmap-services for security and consistency reasons.  set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI:
NSE: Loaded 1 scripts for scanning.

.....
/usr/bin/../share/nmap/nselib/smb.lua:1030: bad argument #2 to 'unpack' (data string too short)
stack traceback:
        [C]: in function 'string.unpack'
        /usr/bin/../share/nmap/nselib/smb.lua:1030: in function 'smb.negotiate_v1'
        /usr/bin/../share/nmap/nselib/smb.lua:1074: in function 'smb.negotiate_protocol'
        /usr/bin/../share/nmap/nselib/smb.lua:372: in function 'smb.start_ex'
        (...tail calls...)
        /usr/bin/../share/nmap/nselib/msrpc.lua:4926: in function 'msrpc.enum_shares'
        /usr/bin/../share/nmap/nselib/smb.lua:3194: in function 'smb.share_get_list'
        /usr/bin/../share/nmap/scripts/smb-enum-shares.nse:110: in function </usr/bin/../share/nmap/scripts/smb-enum-shares.nse:105>
        (...tail calls...)
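
Added example (editor's code, not nmap's smb.lua and not posted by anyone in this thread): the traceback above comes from `string.unpack` being handed a NEGOTIATE response shorter than the NT LM 0.12 layout it expects. The parser below shows the defensive pattern that turns that into a clean "server returned less data than it was supposed to" result instead of a crash. It checks the buffer length before every unpack, handles the "no dialect accepted" (WordCount 1) reply, and parses a constructed 77-byte sample response; the field layout follows MS-CIFS 2.2.4.52.2, and the sample values (challenge, capabilities, time) are made up.

```python
"""Length-checked parser for an SMB1 NEGOTIATE response in the NT LM 0.12
layout (MS-CIFS 2.2.4.52.2). Added example; this is not nmap's smb.lua code."""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
HEADER_FMT = "<4sBIBHH8sHHHHH"               # the fixed 32-byte SMB1 header
HEADER_LEN = struct.calcsize(HEADER_FMT)      # 32
NTLM012_FMT = "<HBHHIIIIQhB"                  # 17 parameter words = 34 bytes
NTLM012_LEN = struct.calcsize(NTLM012_FMT)    # 34


class SmbParseError(ValueError):
    """Raised in place of a bare struct.error when the buffer is too short."""


def _need(data: bytes, pos: int, count: int, what: str) -> None:
    """Check the length *before* unpacking, so a short reply is a clean error."""
    if len(data) < pos + count:
        raise SmbParseError(
            "server returned less data than it was supposed to: "
            f"{what} needs {pos + count} bytes, got {len(data)}")


def parse_negotiate_v1(data: bytes) -> dict:
    """Parse a NEGOTIATE response; raise SmbParseError on any malformed input."""
    _need(data, 0, HEADER_LEN, "SMB header")
    (magic, command, status, _flags, _flags2, _pid_hi, _sec_features, _rsvd,
     _tid, _pid_lo, _uid, _mid) = struct.unpack_from(HEADER_FMT, data, 0)
    if magic != SMB1_MAGIC:
        raise SmbParseError("not an SMB1 message (bad magic)")
    if command != SMB_COM_NEGOTIATE:
        raise SmbParseError(f"unexpected command 0x{command:02x}")
    if status != 0:
        return {"status": status, "accepted": False}

    pos = HEADER_LEN
    _need(data, pos, 1, "WordCount")
    word_count = data[pos]
    pos += 1
    # Generic check: WordCount promises 2*WordCount parameter bytes.
    _need(data, pos, 2 * word_count, "parameter words")

    if word_count == 1:
        # Server accepted none of our dialects: a single word, DialectIndex 0xFFFF.
        dialect_index = struct.unpack_from("<H", data, pos)[0]
        return {"status": 0, "accepted": False, "dialect_index": dialect_index}
    if word_count != 17:
        raise SmbParseError(f"WordCount {word_count} is not the NT LM 0.12 layout")

    (dialect_index, security_mode, max_mpx, max_vcs, max_buffer, max_raw,
     session_key, capabilities, system_time, tz_minutes,
     key_len) = struct.unpack_from(NTLM012_FMT, data, pos)
    pos += NTLM012_LEN
    _need(data, pos, 2, "ByteCount")
    byte_count = struct.unpack_from("<H", data, pos)[0]
    pos += 2
    _need(data, pos, byte_count, "data bytes")
    if key_len > byte_count:
        raise SmbParseError("EncryptionKeyLength exceeds ByteCount")
    challenge = data[pos:pos + key_len]
    return {
        "status": 0, "accepted": True, "dialect_index": dialect_index,
        "security_mode": security_mode, "max_mpx": max_mpx, "max_vcs": max_vcs,
        "max_buffer": max_buffer, "max_raw": max_raw, "session_key": session_key,
        "capabilities": capabilities, "system_time": system_time,
        "tz_minutes": tz_minutes, "challenge": challenge,
        "trailing": data[pos + key_len:pos + byte_count],
    }


def negotiate_result(data: bytes) -> dict:
    """What a script should report: parsed fields or an error string, never a crash."""
    try:
        return parse_negotiate_v1(data)
    except SmbParseError as exc:
        return {"error": str(exc)}


def build_sample_response() -> bytes:
    """A constructed NT LM 0.12 NEGOTIATE response (77 bytes; not a real capture)."""
    header = struct.pack(HEADER_FMT, SMB1_MAGIC, SMB_COM_NEGOTIATE, 0, 0x88, 0xC801,
                         0, bytes(8), 0, 0, 0, 0, 0)
    params = struct.pack(NTLM012_FMT, 0, 0x03, 50, 1, 16644, 65536, 0,
                         0x8001F3FD, 0x01D5F9A000000000, -60, 8)
    challenge = bytes(range(1, 9))
    return header + bytes([17]) + params + struct.pack("<H", len(challenge)) + challenge


if __name__ == "__main__":
    full = build_sample_response()
    print(negotiate_result(full))        # parsed fields
    print(negotiate_result(full[:50]))   # clean error, not a traceback
```

The `_need` check before each `unpack_from` is the whole point: the same truncated reply that crashes a bare unpack is reported as an error string the calling script can print, which is the behaviour the 7.70 "Server returned less data than it was supposed to" message had.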


cnotin commented Aug 26, 2019

Related to: #1476 (same error, same line)
Could you try with the proposed patch please?

roumy commented Sep 2, 2019

Hi Clement,
thanks for your feedback!
I've tried your patch with both smb-enum-users and smb-enum-shares.
Results were surprising.

The smb-enum-shares script works correctly; in fact it works better than with V7.70 or V7.40, which I have also tried, because it gets some results whereas V7.70 gives me the following messages:

NSE: [smb-enum-shares 172.28.0.2] Couldn't negotiate a SMBv1 connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [12]
NSE: [smb-enum-shares 172.28.0.2] SMB: Enumerating shares failed, guessing at common ones (Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [12])

The thing is that the smb-enum-users script is still not working; here is the error message:

v7.70 patch2
NSE: smb-enum-users against vuln_target (172.28.0.2) threw an error!
/tmp/nmap-patch-2/nselib/msrpctypes.lua:847: attempt to perform arithmetic on a nil value (local 'pos')
stack traceback:
        /tmp/nmap-patch-2/nselib/msrpctypes.lua:847: in function 'msrpctypes.unmarshall_int32'
        /tmp/nmap-patch-2/nselib/msrpc.lua:1418: in function 'msrpc.samr_enumdomains'
        /tmp/nmap-patch-2/nselib/msrpc.lua:3816: in function 'msrpc.samr_enum_users'
        /tmp/nmap-patch-2/scripts/smb-enum-users.nse:171: in function </tmp/nmap-patch-2/scripts/smb-enum-users.nse:154>
        (...tail calls...)

cnotin commented Sep 2, 2019

"Merci" @roumy for your feedback ;)

I'm glad to know that the patch fixes the issues you had in smb.lua!

About smb-enum-users, according to the stacktrace, the error seems to be in msrpctypes.lua. I suppose that it's a different issue and unfortunately I don't have anything to suggest here...

nnposter commented Sep 3, 2019

Regarding the latest error about nil arithmetic, this has been hopefully fixed in commit e5c4f48, as a partial fix for #1720.

At this point I would recommend to refresh both msrpc.lua and msrpctypes.lua from the master branch before further troubleshooting. See commits e5c4f48, be40965, 729260e, and ef2825b for details.

roumy commented Sep 3, 2019

Thx @nnposter,
we progress!! The status is now the following:
with commit ef2825b,
smb-enum-users is working whereas smb-enum-shares is still KO:

NSE: smb-enum-shares against vuln_target (172.18.0.2) threw an error!
/tmp/nmap-master/nselib/smb.lua:1030: bad argument #2 to 'unpack' (data string too short)
stack traceback:
        [C]: in function 'string.unpack'
        /tmp/nmap-master/nselib/smb.lua:1030: in function 'smb.negotiate_v1'
        /tmp/nmap-master/nselib/smb.lua:1074: in function 'smb.negotiate_protocol'
        /tmp/nmap-master/nselib/smb.lua:372: in function 'smb.start_ex'
        (...tail calls...)
        /tmp/nmap-master/nselib/msrpc.lua:4927: in function 'msrpc.enum_shares'
        /tmp/nmap-master/nselib/smb.lua:3194: in function 'smb.share_get_list'
        /tmp/nmap-master/scripts/smb-enum-shares.nse:110: in function </tmp/nmap-master/scripts/smb-enum-shares.nse:105>

Maybe the @cnotin patch for #1476 will fix both problems.

cnotin commented Sep 3, 2019

Yes please try with all of them 😉

roumy commented Sep 3, 2019

Ok,
I manually merged master...cnotin:patch-2 with ef2825b.

Both scripts worked well!
Now waiting for #1476.
Thanks for your combined jobs, guys.

cnotin commented Sep 3, 2019

Good to hear!
Thanks for your help in testing these :)

nnposter commented Sep 8, 2019

A fix for this issue has been committed as r37733. Please report back if it does not work for you.

@mattbrun

Dear all,
I'm still getting the "Couldn't negotiate a SMBv1 connection:SMB: Failed to receive bytes: ERROR" error while trying to use some of the smb-* scripts against a Windows 10 Enterprise 64bit v1809.

I'm running nmap on an Arch Linux machine, and I tried both the 7.80 version installed with the package manager, and the git master branch version.

Considering the git master branch version of nmap:

$ git log --name-status HEAD^..HEAD
commit f83de100b3c6873552228c3f5613628fb6513248 (HEAD -> master, origin/master, origin/HEAD)
Author: dmiller <dmiller@e0a8ed71-7df4-0310-8962-fdc924857419>
Date:   Wed Mar 11 21:24:56 2020 +0000

    Avoid integer overflow in nping elapsedRuntime. Fixes #1961

M       nping/stats.cc
M       nping/stats.h

Running the smb-protocols script works just fine:

$ ./nmap --script scripts/smb-protocols.nse -p445 10.0.1.105
Starting Nmap 7.80SVN ( https://nmap.org ) at 2020-03-19 02:44 CET
Nmap scan report for ########.lan (10.0.1.105)
Host is up (0.0023s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-protocols: 
|   dialects: 
|     2.02
|     2.10
|     3.00
|     3.02
|_    3.11

Nmap done: 1 IP address (1 host up) scanned in 6.28 seconds

Running the default scripts on the port 445 works fine for the smb2- scripts:

$ ./nmap -sC -p445 10.0.1.105
Starting Nmap 7.80SVN ( https://nmap.org ) at 2020-03-19 02:45 CET
Nmap scan report for #######.lan (10.0.1.105)
Host is up (0.0018s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-03-19T01:45:55
|_  start_date: N/A

Nmap done: 1 IP address (1 host up) scanned in 10.66 seconds

Finally, if I try to run the smb-enum-users script I get the following error:

$ ./nmap --script scripts/smb-enum-users.nse -p445 -d 10.0.1.105
Starting Nmap 7.80SVN ( https://nmap.org ) at 2020-03-19 02:49 CET
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI: 
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 02:49
Completed NSE at 02:49, 0.00s elapsed
Initiating Ping Scan at 02:49
Scanning 10.0.1.105 [2 ports]
Completed Ping Scan at 02:49, 0.00s elapsed (1 total hosts)
Overall sending rates: 640.61 packets / s.
mass_rdns: Using DNS server 10.0.1.1
Initiating Parallel DNS resolution of 1 host. at 02:49
mass_rdns: 0.00s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 02:49, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 02:49
Scanning ######.lan (10.0.1.105) [1 port]
Discovered open port 445/tcp on 10.0.1.105
Completed Connect Scan at 02:49, 0.00s elapsed (1 total ports)
Overall sending rates: 278.01 packets / s.
NSE: Script scanning 10.0.1.105.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 02:49
NSE: Starting smb-enum-users against 10.0.1.105.
NSE: [smb-enum-users 10.0.1.105] SMB: Added account '' to account list
NSE: [smb-enum-users 10.0.1.105] SMB: Added account 'guest' to account list
NSE: [smb-enum-users 10.0.1.105] Couldn't negotiate a SMBv1 connection:SMB: Failed to receive bytes: ERROR
NSE: [smb-enum-users 10.0.1.105] Couldn't negotiate a SMBv1 connection:SMB: Failed to receive bytes: ERROR
NSE: Finished smb-enum-users against 10.0.1.105.
Completed NSE at 02:49, 2.01s elapsed
Nmap scan report for #####.lan (10.0.1.105)
Host is up, received syn-ack (0.0031s latency).
Scanned at 2020-03-19 02:49:37 CET for 2s

PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack

Host script results:
| smb-enum-users: 
|   ERROR: Couldn't enumerate users
|   ERROR: SAMR returned Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_  ERROR: LSA returned Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
Final times for host: srtt: 3067 rttvar: 3873  to: 100000

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 02:49
Completed NSE at 02:49, 0.00s elapsed
Read from /home/matteo/work/sw/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 2.27 seconds

I'm not sure if the behavior is correct or not, since with the smb-protocols script I don't see any "smb v1" protocol enabled.

Thanks for your support and your hard work!

@nnposter

Unfortunately the code requires SMB1.

@aditya162002

@mattbrun hey! I need your help regarding the SMB error.
help ;)

cnotin commented Oct 9, 2020

@aditya162002 as stated above, the code only works if SMB1 is supported by the server

@aditya162002

@cnotin so what should I do?
I'm at the beginner level, please help!

cnotin commented Oct 9, 2020

Use the "smb-protocols" script to check if SMB1 is supported.
If not, and supposing that you want to enumerate users, unfortunately you should use a different tool for now.

@aditya162002

@cnotin can you tell me which tool I can use?
I have checked "smb-protocols" but it's not working fine.

cnotin commented Oct 9, 2020

Crackmapexec, SharpHound, mimikatz, and many others allow remote enumeration of local users through SMB

The "smb-protocols" script should not have any issue though. Are you using it correctly? For example:

nmap -p445 -v --script smb-protocols <ip>

@aditya162002

@cnotin it's showing
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-protocols:
|   dialects:
|     2.02
|     2.10
|     3.00
|     3.02
|_    3.11

NSE: Script Post-scanning.
Initiating NSE at 00:10
Completed NSE at 00:10, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 7.58 seconds
Raw packets sent: 5 (196B) | Rcvd: 2 (84B)

@aditya162002

@cnotin how can I exploit such vulnerabilities like:
samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR

cnotin commented Oct 9, 2020

So "smb-protocols" works fine and shows you that SMB1 is not supported, and thus many Nmap scripts which do not support SMB2+ will not work.
I can't provide more general help here, as it is an issue discussion.
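
Added example (editor's code, not part of nmap and not posted by any commenter): the advice in this thread is to run smb-protocols first and read the dialect list, because the SMB1-only scripts (smb-enum-users, smb-enum-shares, the smb-vuln-* checks) can only negotiate where "NT LM 0.12" appears. When triaging many hosts, doing that by eye is error-prone, so the snippet below parses nmap's normal text output for the smb-protocols script and reports, per host, the dialects seen and whether SMB1 is still offered. The sample output is constructed (the host names and 192.0.2.x addresses are placeholders; the SMB1 line mirrors the script's "NT LM 0.12 (SMBv1) [...]" wording); a host still advertising NT LM 0.12 is itself a hardening finding worth tracking.

```python
"""Parse nmap smb-protocols normal output and flag hosts that still offer SMB1.
Added example; not part of nmap. Run: nmap -p445 --script smb-protocols -oN out.txt <hosts>
and feed the file's text to parse_smb_protocols()."""
import re

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(?P<ip>[0-9a-fA-F.:]+)\)?\s*$")
DIALECTS_HDR_RE = re.compile(r"^\|_?\s+dialects:\s*$")
SIBLING_RE = re.compile(r"^\|_?\s{1,3}\S")          # another key at the script's top level
DIALECT_RE = re.compile(r"^\|_?\s{4,}(?P<dialect>\S.*?)\s*$")  # one indented dialect line
SMB1_PREFIX = "NT LM 0.12"  # the only SMB1 dialect smb-protocols reports

# Constructed sample: two hosts, one still offering SMB1 (not a real scan).
SAMPLE_OUTPUT = """\
Nmap scan report for legacy-fs.example.lan (192.0.2.10)
Host is up (0.0021s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.02
|     2.10
|_    3.00

Nmap scan report for ws10.example.lan (192.0.2.11)
Host is up (0.0018s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-protocols:
|   dialects:
|     2.02
|     2.10
|     3.00
|     3.02
|_    3.11
"""


def parse_smb_protocols(text: str) -> dict:
    """Map each scanned IP to the list of dialect strings smb-protocols printed."""
    hosts = {}
    ip = None
    in_dialects = False
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:                                  # new host block resets state
            ip = m.group("ip")
            hosts[ip] = []
            in_dialects = False
            continue
        if ip is None:
            continue
        if DIALECTS_HDR_RE.match(line):
            in_dialects = True
            continue
        if not line.startswith("|") or SIBLING_RE.match(line):
            in_dialects = False                # left the dialects sub-list
            continue
        if in_dialects:
            m = DIALECT_RE.match(line)
            if m:
                hosts[ip].append(m.group("dialect"))
    return hosts


def supports_smb1(dialects: list) -> bool:
    """True when the server negotiated the SMB1 dialect the NSE scripts need."""
    return any(d.startswith(SMB1_PREFIX) for d in dialects)


def smb1_hosts(text: str) -> list:
    """IPs (in scan order) that still offer SMB1, i.e. where smb-enum-* can work."""
    return [ip for ip, dialects in parse_smb_protocols(text).items()
            if supports_smb1(dialects)]


if __name__ == "__main__":
    for ip, dialects in parse_smb_protocols(SAMPLE_OUTPUT).items():
        verdict = "SMB1 offered" if supports_smb1(dialects) else "SMB2+ only"
        print(f"{ip}: {verdict}: {', '.join(dialects)}")
```

The dialect lines are recognised by their indentation (four or more spaces after the `|`), and the parser only collects them while inside a `dialects:` sub-list, so other host-script output in the same report is ignored.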

@aditya162002

@cnotin thanks a lot.
