My SANS Gold Paper: Nmap SMB Scripts

Hey all,

For my SANS GPEN Gold certification (first Gold-certified analyst for GPEN – go me!) I wrote a paper on my SMB scripts for Nmap. The paper is titled “Scanning Windows Deeper With the Nmap Scanning Engine”. I started writing it a few months ago, and collaborated with Fyodor in the early stages. Hopefully it’s a useful guide!

I talk a bit about the theory and protocols behind the scripts, then dive into a few of the more interesting ones and talk about how they work and how they can be used.

Let me know what you think!

nbstat.nse: just like nbtscan

Hey all,

With the upcoming release of Nmap 4.85, Brandon Enright posted some comments on random Nmap thoughts. One of the things he pointed out was that people hadn’t heard of nbstat.nse! Since I love showing off what I write, this blog was in order.

WebDAV Detection, Vulnerability Checking and Exploitation

Ahoy! My name is Andrew and I’ve been playing with the recent IIS WebDAV authentication bypass vulnerability (CVE-2009-1676) and helping Ron with writing the nmap detection script (http-iis-webdav-vuln.nse) and testing it in the lab. Ron is in a meeting today so I thought I’d jump in where he left off and post a bit about how to detect if WebDAV is enabled and how to actually exploit a folder once you’ve determined it is vulnerable.

WebDAV Scanning with Nmap

This morning I heard (from the security-basics mailing list, of all places) that there’s a zero-day vulnerability going around for WebDAV on Windows 2003. I always like a good vulnerability early in the week, so I decided to write an Nmap script to find it!

Bypassing AV over the Internet with Metasploit

I performed all of this to learn more about data exfiltration, remote control, etc., over a tightly controlled corp environment. It was depressing, actually. It’s far too easy to gain control of a corp network, even one that is conscientious. This work is built on the info at

Oh, let me just say thanks for Metasploit. Words fail to describe how nice this project is. Thanks guys.

So, I want to share what I’ve learned and offer some thoughts for pondering.

Nmap 4.85beta9 released

In case you haven’t heard, Fyodor released Nmap 4.85beta9 this week. This is the first release in a while that wasn’t related to my code (or, most properly, mistakes :) ). It looks like the new stable version will be here soon, so give this one a shot and report your bugs. Here’s the download page.

Scanning for Conficker’s peer to peer

Hi everybody,

With the help of Symantec’s Security Intelligence Analysis Team, I’ve put together a script that’ll detect Conficker (.C and up) based on its peer to peer ports. The script is called p2p-conficker.nse, and automatically runs against any Windows system when scripts are being used:

nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns \
        --script-args=safe=1 -T4 -p445 <host>
sudo nmap -sU -sS --script p2p-conficker,smb-os-discovery,smb-check-vulns \
        --script-args=safe=1 -T4 -p U:137,T:139 <host>

See below for more information!

Or, if you just want to scan your network fast, give this a shot:

nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns \
        --script-args=checkconficker=1,safe=1 -T4 <host>

Updated Conficker detection

Morning, all!

Last night Fyodor and crew rolled out Nmap 4.85beta7. This was because some folks from the Honeynet Project discovered a false negative (showed no infection where an infection was present), which was then confirmed by Tenable. We decided to be on the safe side, and updated our checks.

Using PsTools in a pentest

I’m going to start off this blog by wishing a happy birthday to a very important person – me. :)

Now, onto the content!

PsTools is a suite of tools developed by Sysinternals (now Microsoft). They’re a great complement to any pen test, and many of my Nmap scripts are loosely based on them. As good as they are, they aren’t without their quirks!

Here are a few topics worth discussing:

  • Ports and traffic
  • Specifying an account
  • Running it purely in a console

Most (possibly all) of the PsTools use standard Windows functions. That makes life easy – we can expect PsTools to act the same way other remote functions work. If we know how!

Scanning for Conficker with Nmap

Using Nmap to scan for the famous Conficker worm.

Bruteforcing Windows over SMB: Tips and Tricks

Today, I’m going to share some knowledge and techniques on bruteforcing Windows passwords. Hopefully, some of you have thought about this and can give me even more advice. If you know anything, post it!

How Pwdump6 works, and how Nmap can do it

Today I want to discuss how the pwdump6 and fgdump tools work, in detail, and how I was able to integrate pwdump6 into my Nmap scripts. Is this integration useful? Maybe or maybe not, but it was definitely an interesting problem.

More password dictionaries

Last month, I posted about some password dictionaries I’ve collected. Well, thanks to a hacker who compromised phpBB’s site, I added another. There’s a big caveat to this one, though – these passwords are apparently based on ones that were cracked by the hacker, so they’re only an accurate representation of weak passwords.

Password dictionaries

Greetings from 2009!

I have a real post planned for the near future, but for now you’re stuck with something short (and probably more useful, ultimately). I just wanted to draw attention to a few password databases I put on my wiki. You can find them here.

How NOT to do CAPTCHAs

Yes, this is a real CAPTCHA that I ran across.

Hi everybody,

I spent most of last Saturday exploring how Sysinternals’ PsList program works, and how I could re-implement it as an Nmap script. I quickly discovered that the HKEY_PERFORMANCE_DATA (HKPD) registry hive was opened, then it got complicated. So I went digging for documentation and discovered a couple of journal posts that Microsoft’s Matt Pietrek wrote back in 1996. Those led me to the WinPerf.h header file. Those three together were enough to get this working.

ms08-068 — Preventing SMBRelay Attacks

Microsoft released ms08-068 this week, which fixes a vulnerability that’s been present and documented since 2001. I’m going to write a quick overview of it here, although you’ll probably get a better one by reading The Metasploit Blog.

Calling RPC functions over SMB

Hi everybody!

This is going to be a fairly high level discussion on the sequence of calls and packets required to make MSRPC calls over the SMB protocol. I’ve learned this from a combination of reading the book Implementing CIFS, watching other tools do their stuff with Wireshark, and plain ol’ guessing/checking.

Matching passwords

Sometimes, I can’t help but laugh…

What does Windows tell its guests?

Hello everybody!

Lately I’ve been putting a lot of work into Nmap scripts that’ll probe Windows deeply for information. I’m testing this with both authenticated and unauthenticated users, mostly to determine how well error conditions are handled. Every once in a while, however, I notice something that the anonymous account or guest account can access that seems odd. And today, I felt like I ought to post a blog, so you get to hear about it!

