Thank’s to some great effort put into the smb libraries by the folks over at nmap-dev, porting mbenum to Nmap wasn’t as hard as I’ve imagined. A first version has been committed to subversion a while ago but I forgot to publish this blog post at the time. Feel free to try it out! If you haven’t used mbenum before it’s a tool that allows you to get a good picture of a network by querying a single system.
Mbenum or the Nmap script smb-mbenum relies on being able to query the master browser for a particular domain or workgroup. You can find the master browser by sending a netbios query for the __MSBROWSE__ name. The Nmap script broadcast-netbios-master-browser can be used to identify the master browser for your broadcast domain by sending a netbios query to the broadcast address.
Chris Woodbury and I have been working on some new exciting features and enhancements to the ms-sql scripts and library in Nmap lately. We’ve been working in a separate branch which will hopefully get merged to trunk really soon. Chris work has been of high quality and very inspiring! It got me to pick up some of the stuff I meant to implement, but hadn’t got to, and has brought a number of new great ideas. For a good summary of changes consult the following nmap-dev mailing list thread.
Among the many new features and enhancements I’m really happy to see are:
Support for more precise version checking, by using the prelogin packet (same technique as SQLPing)
Support for connections using named pipes, rather than tcp-sockets
Support for integrated authentication (Ntlmv1) in addition to the existing SQL authentication
Support for connecting to named instances in addition to specific tcp ports
Support for running each of the ms-sql scripts against all instances detected by the discovery mechanisms
If you would like to give the scripts a run they’re available from here, and will hopefully be merged to trunk really soon.