Archive for the ‘NetBIOS/SMB’ Category

Watch out for evil SMB servers: MS10-006

Filed under: Hacking, NetBIOS/SMB

Thanks to a Google Alert on my name, I recently found Laurent Gaffié's blog post about MS10-006 (Microsoft Technet link).

Ron Bowes, Feb 14, 2010 (0 comments)

smb-psexec.nse: owning Windows, fast (Part 3)

Filed under: Hacking, NetBIOS/SMB, Nmap

Posts in this series (I'll add links as they're written):

What does smb-psexec do?
Sample configurations ("sample.lua")

Ron Bowes, Jan 19, 2010 (2 comments)

smb-psexec.nse: owning Windows, fast (Part 2)

Filed under: Hacking, NetBIOS/SMB, Nmap

Posts in this series (I'll add links as they're written):

What does smb-psexec do?
Sample configurations ("sample.lua")
Default configuration ("default.lua")
Advanced configuration ("pwdump.lua" and "backdoor.lua")

Ron Bowes, Dec 21, 2009 (0 comments)

smb-psexec.nse: owning Windows, fast (Part 1)

Filed under: Hacking, NetBIOS/SMB, Nmap

Posts in this series (I'll add links as they're written):

What does smb-psexec do?
Sample configurations ("sample.lua")
Default configuration ("default.lua")
Advanced configuration ("pwdump.lua" and "backdoor.lua")

Ron Bowes, Dec 14, 2009 (2 comments)

Pwning hotel guests

Filed under: Hacking, NetBIOS/SMB, Tools

Greetings everybody!
I spent a good part of the past month traveling, which meant staying in several hotels, both planned and unplanned. There's nothing like having a canceled flight and spending a boring night in San Francisco! But hey, why be bored when you have a packet sniffer installed? :)

Ron Bowes, Nov 19, 2009 (9 comments)

Scorched earth: Finding vulnerable SMBv2 systems with Nmap

Filed under: NetBIOS/SMB, Nmap, Tools

Hello once again!
I just finished updating my smb-check-vulns.nse Nmap script to check for the recent SMBv2 vulnerability, which had a proof-of-concept posted on full-disclosure.
WARNING: This script will cause vulnerable systems to bluescreen and restart. Do NOT run this in a production environment, unless you like angry phone calls. You have been warned!

Ron Bowes, Sep 14, 2009 (0 comments)

My SANS Gold Paper: Nmap SMB Scripts

Filed under: NetBIOS/SMB

Hey all,
For my SANS GPEN Gold certification (first Gold-certified analyst for GPEN -- go me!) I wrote a paper on my SMB scripts for Nmap. The paper is titled "Scanning Windows Deeper With the Nmap Scanning Engine". I started writing it a few months ago, and collaborated with Fyodor in the early stages. Hopefully it's [...]

Ron Bowes, Jun 22, 2009 (12 comments)

nbstat.nse: just like nbtscan

Filed under: NetBIOS/SMB, Tools

Hey all,
With the upcoming release of Nmap 4.85, Brandon Enright posted some comments on random Nmap thoughts. One of the things he pointed out was that people hadn't heard of nbstat.nse! Since I love showing off what I write, this blog was in order.

Ron Bowes, Jun 9, 2009 (3 comments)

Updated Conficker detection

Filed under: Malware, NetBIOS/SMB

Morning, all!
Last night Fyodor and crew rolled out Nmap 4.85beta7. This was because some folks from the Honeynet Project discovered a false negative (showed no infection where an infection was present), which was then confirmed by Tenable. We decided to be on the safe side, and updated our checks.
4.85 also contains several bugfixes [...]

Ron Bowes, Apr 2, 2009 (3 comments)

Using PsTools in a pentest

Filed under: Hacking, NetBIOS/SMB, Tools

I'm going to start off this blog by wishing a happy birthday to a very important person -- me. :)
Now, onto the content!
PsTools is a suite of tools developed by Sysinternals (now Microsoft). They're a great complement to any pen test, and many of my Nmap scripts are loosely based on them. As good [...]

Ron Bowes, Mar 31, 2009 (3 comments)

Scanning for Conficker with Nmap

Filed under: Malware, NetBIOS/SMB

Using Nmap to scan for the famous Conficker worm.

Ron Bowes, Mar 30, 2009 (136 comments)

Bruteforcing Windows over SMB: Tips and Tricks

Filed under: Hacking, NetBIOS/SMB

Today, I'm going to share some knowledge and techniques on bruteforcing Windows passwords. Hopefully, some of you have thought about this and can give me even more advice. If you know anything, post it!

Ron Bowes, Feb 20, 2009 (3 comments)

How Pwdump6 works, and how Nmap can do it

Filed under: Hacking, NetBIOS/SMB

Today I want to discuss how the pwdump6 and fgdump tools work, in detail, and how I was able to integrate pwdump6 into my Nmap scripts. Is this integration useful? Maybe or maybe not, but it was definitely an interesting problem.

Ron Bowes, Feb 9, 2009 (4 comments)

Getting HKEY_PERFORMANCE_DATA

Filed under: NetBIOS/SMB

Hi everybody,
I spent most of last Saturday exploring how SysInternals' PsList program works, and how I could re-implement it as an Nmap script. I quickly discovered that the HKEY_PERFORMANCE_DATA (HKPD) registry hive was opened, then it got complicated. So I went digging for documentation and discovered a couple of journal posts written by Microsoft's Matt Pietrek [...]

Ron Bowes, Dec 16, 2008 (0 comments)

ms08-068 -- Preventing SMBRelay Attacks

Filed under: Hacking, NetBIOS/SMB

Microsoft released ms08-068 this week, which fixes a vulnerability that's been present and documented since 2001. I'm going to write a quick overview of it here, although you'll probably get a better one by reading The Metasploit Blog.

Ron Bowes, Nov 12, 2008 (14 comments)

Calling RPC functions over SMB

Filed under: NetBIOS/SMB

Hi everybody!
This is going to be a fairly high level discussion on the sequence of calls and packets required to make MSRPC calls over the SMB protocol. I've learned this from a combination of reading the book Implementing CIFS, watching other tools do their stuff with Wireshark, and plain ol' guessing/checking.

Ron Bowes, Oct 30, 2008 (0 comments)

What does Windows tell its guests?

Filed under: NetBIOS/SMB

Hello everybody!
Lately I've been putting a lot of work into Nmap scripts that'll probe Windows deeply for information. I'm testing this with both authenticated and unauthenticated users, mostly to determine how well error conditions are handled. Every once in awhile, however, I notice something that the anonymous account or guest account can access that [...]

Ron Bowes, Oct 15, 2008 (0 comments)

What time IS it?

Filed under: Hacking, NetBIOS/SMB

How synced up are the clocks on your servers? Ignoring your system times may give an important clue to attackers. Read on to find out more!

Ron Bowes, Oct 1, 2008 (2 comments)

My Scripting Experience with Nmap

Filed under: NetBIOS/SMB

As you can see from my past few posts, I've been working on implementing an SMB client in C. Once I got that into a stable state, I decided to pursue the second part of my goal for a bit -- porting that code over to an Nmap script. Never having used Lua before, this [...]

Ron Bowes, Sep 14, 2008 (0 comments)

NTLMv2, as promised, plus some random SMB stuff!

Filed under: NetBIOS/SMB

Last post, I promised I'd post about NTLMv2 once I got it implemented. And, here we are.
The LMv2 and NTLMv2 responses are a little bit trickier than the first versions, although most of my trouble was trying to figure out how to use HMAC-MD5 in OpenSSL. The good news is that LMv2 and NTLMv2 [...]

Ron Bowes, Sep 2, 2008 (0 comments)