
nmap SMBv1 Scan via Script

Achtung: noch ungetestet!

Folgende Änderungen müssen vorgenommen werden, um einen reinen SMBv1-Scan mittels nmap-Script zu ermöglichen:

nmap/nselib/smb.lua

Folgende Funktion einfügen:

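---
-- Checks whether a host accepts an SMBv1 negotiation.
--
-- Opens one SMB session with start(), attempts negotiate_v1() on it and closes
-- that session with stop() before returning.
--
-- @param host      The host object handed to start().
-- @param overrides [optional] Table of overrides for negotiate_v1(); a copy
--                  made with tableaux.tcopy() is passed on.
-- @return status   true when the session could be opened, false otherwise.
-- @return result   On success, a list holding the dialect returned by
--                  negotiate_v1() (empty when the negotiation failed); on
--                  failure, the error value returned by start().
function list_smbv1dialect(host, overrides)
  local supported_dialects = {}

  overrides = tableaux.tcopy(overrides or {})

  stdnse.debug2("Checking if SMBv1 is supported")
  local status, smbstate = start(host)
  if status == false then
    return false, smbstate
  end

  local negotiated, smb1_dialect = negotiate_v1(smbstate, overrides)
  if negotiated then
    -- The server accepted the SMBv1 negotiation; record the dialect it chose.
    table.insert(supported_dialects, smb1_dialect)
  end

  -- Close the only session this probe opens. No second start() follows:
  -- nothing is negotiated after SMBv1 here, and an extra session would never
  -- be stopped and could turn a successful probe into a reported failure.
  stop(smbstate)

  return true, supported_dialects
end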

nmap/scripts/smbv1.nse

local smb = require "smb"
local stdnse = require "stdnse"
local nmap = require "nmap"
 
-- NSE script metadata. `description` is the help text shown for the script.
-- NOTE(review): the closing sentence about smbv2-enabled looks carried over
-- from the script this one was modified from; confirm it still applies here.
description = [[
List SMBv1 Servers only.
 
The script attempts to initiate a connection using the dialects:
* NT LM 0.12 (SMBv1)
 
Additionally if SMBv1 is found enabled, it will mark it as insecure. This
script is the successor to the (removed) smbv2-enabled script.
]]
 
---
-- @usage nmap -p445 --script smbv1 <target>
-- @usage nmap -p139 --script smbv1 <target>
--
-- @output
-- | smbv1:
-- |   dialects:
-- |     NT LM 0.12 (SMBv1) [dangerous, but default]
--
-- @xmloutput
-- <table key="dialects">
-- <elem>NT LM 0.12 (SMBv1) [dangerous, but default]</elem>
-- </table>
---
 
-- Authorship, licence and the categories the script is selected by.
author = "Paulino Calderon, modded by PsyCore"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}
 
--- Runs the script only for hosts on which smb.get_port() finds a port.
-- @param host The host object under consideration.
-- @return true when a port was found, false otherwise.
hostrule = function(host)
  local smb_port = smb.get_port(host)
  return smb_port ~= nil
end
 
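--- Reports whether the host accepted an SMBv1 negotiation.
--
-- A failed connection and a refused negotiation both end without a dialect
-- list, so the failure reason is written to the debug log to keep an
-- unreachable host from being read as "SMBv1 disabled".
--
-- @param host The host object passed to smb.list_smbv1dialect().
-- @param port Unused; kept for the script's action signature.
-- @return An output table with a `dialects` list when SMBv1 was accepted; the
--         "No dialects accepted" string when nothing was accepted and
--         verbosity is above 1; otherwise nil.
action = function(host,port)
  local status, supported_dialects = smb.list_smbv1dialect(host)

  if status then
    for i, v in pairs(supported_dialects) do -- Mark SMBv1 as insecure
      if v == "NT LM 0.12" then
        supported_dialects[i] = v .. " (SMBv1) [dangerous, but default]"
      end
    end
    if #supported_dialects > 0 then
      local output = stdnse.output_table()
      output.dialects = supported_dialects
      return output
    end
    stdnse.debug1("No dialects were accepted")
  else
    -- On failure the second return value carries the error, not a list.
    stdnse.debug1("SMBv1 check failed: %s", tostring(supported_dialects))
  end

  if nmap.verbosity() > 1 then
    return "No dialects accepted. Something may be blocking the responses"
  end
end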

Scan starten

# Probes both SMB ports in one run: 139/tcp and 445/tcp.
nmap -p139,445 --script smbv1 <target>