Web lists-archives.com

Re: [Samba] any reliable way to discover Windows hostname over SMB2+?




Whoops - didn't see your reply until now :-/

Yes. In infosec a lot of "interesting events" begin with just knowing an IP
address. So you need to somehow discover the hostname and  OS before you
can check if you even have credentials you could use to properly
interrogate the system. And with lateral movement being the security
nightmare it is, arbitrarily throwing (local admin) credentials at every
box you come across without contemplating the possible consequences is
simply risky. So with SMB1 systems, smbclient-v3 could tell you the
hostname and domain without using creds. But with smbclient-v4, we cannot
get that debugging detail any more. (I now realise this isn't a SMB2
problem - it's smbclient-v4 itself)

On Fri, Jul 14, 2017 at 1:33 PM, Andrew Bartlett <abartlet@xxxxxxxxx> wrote:

> On Fri, 2017-07-14 at 12:36 +1200, Jason Haar via samba wrote:
> > On Fri, Jul 14, 2017 at 10:32 AM, Giulio via samba <
> samba@xxxxxxxxxxxxxxx>
> > wrote:
> >
> > >
> > > It seems that kind of debug messages is gone even when using smb1 with
> > > newer smbclient versions.
> > >
> > >
> >
> > Yes I noticed that too - even more motivation to find a different way
> >
> >
> > > ======
> > >
> > > rpcclient 3.x
> > >   $ rpcclient -U ""  -c srvinfo -N 192.168.1.171 -d 10 2>&1|grep
> AvNb|wc -l
> > >   0
> > >
> > >   $ rpcclient -U wrong%wrong  -c srvinfo -N 192.168.1.171 -d 10 2>&1
> > > > grep AvNb|wc -l
> > >
> > >   8  <== works
> > >
> > > rpcclient 4.7.0rc1 is like newer smbclient, the info is not there
> anymore.
> > >
> >
> > Yes - unfortunately all that only works against Win7. Doesn't work on
> > Win2012 or Win10
> >
> >
> > >
> > > ========
> > >
> > > If you need this, I'd investigate using some kind of LLMNR client,
> > > since this is the "zeroconf" way to get Windows names: when you
> > > disable smb1 on Windows, netbios name resolution gets disabled too,
> > > and automatic name resolution is LLMNR only.
> > >
> >
> > As far as I'm aware, LLMNR is multicast-only - which in practice means
> >  broadcast-only? We've got a global WAN - over 200 sites. I can't rely on
> > broadcast/multicast - gotta be unicast.
> >
> > Thanks for the help - you did some real digging there :-)
>
> I take it you don't have passwords for all these systems?
>
> I think somehow getting at the advertised hostname in the NTLMSSP
> challenge is probably still one of your better options.  Some code
> change might be needed to get the string printed again.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/
> services/samba
>
>


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba