Thanks to the great effort the folks over at nmap-dev have put into the SMB libraries, porting mbenum to Nmap wasn't as hard as I had imagined. A first version was committed to Subversion a while ago, but I forgot to publish this blog post at the time. Feel free to try it out! If you haven't used mbenum before, it's a tool that gives you a good picture of a network by querying a single system.
Mbenum, or the Nmap script smb-mbenum, relies on being able to query the master browser of a particular domain or workgroup. You can find the master browser by sending a NetBIOS name query for the __MSBROWSE__ name. The Nmap script broadcast-netbios-master-browser identifies the master browser for your broadcast domain by sending that NetBIOS name query to the broadcast address.
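The query described above, written out as an added example (this is not the code of the Nmap script or of mbenum): it encodes the __MSBROWSE__ name the way RFC 1002 requires, builds an NBNS broadcast name query, and parses the NB resource records of the reply. The broadcast address 255.255.255.255, UDP port 137 and the reply from 192.168.1.10 in sample_response are assumptions; the reply is constructed so the parser can be exercised offline.

```python
"""NetBIOS name query for the __MSBROWSE__ master-browser name (RFC 1001/1002).
Added example, not the Nmap script from the post. Builds the NBNS query, sends it
to the broadcast address (255.255.255.255 and port 137 assumed) and parses the NB
resource records of the reply. The sample reply below is constructed.
"""
import os
import socket
import struct

# The master browser registers the group name <01><02>__MSBROWSE__<02> with
# suffix 0x01: 15 name bytes plus a one-byte suffix.
MSBROWSE = b"\x01\x02__MSBROWSE__\x02"
MSBROWSE_SUFFIX = 0x01
NBNS_PORT = 137

def encode_netbios_name(name: bytes, suffix: int) -> str:
    """First-level encoding: pad to 15 bytes, append the suffix, then map each
    nibble to a letter 'A'..'P' (32 characters in total)."""
    raw = name.ljust(15, b" ")[:15] + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)

def decode_netbios_name(encoded: str) -> tuple:
    """Reverse of encode_netbios_name: (name without padding, suffix)."""
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" "), raw[15]

def build_name_query(name: bytes, suffix: int, txid: int) -> bytes:
    """NBNS NAME QUERY REQUEST, broadcast flavour: flags 0x0110 = RD + B."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    qname = b"\x20" + encode_netbios_name(name, suffix).encode("ascii") + b"\x00"
    return header + qname + struct.pack(">HH", 0x0020, 0x0001)    # type NB, class IN

def parse_name_query_response(data: bytes, txid: int) -> list:
    """IPv4 addresses from the NB resource record(s) of a positive NAME QUERY
    RESPONSE matching txid; [] for a negative response or anything else."""
    if len(data) < 12:
        return []
    rtxid, flags, _, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if rtxid != txid or not flags & 0x8000 or flags & 0x000F:   # not a response / RCODE set
        return []
    pos, addrs = 12, []
    for _ in range(ancount):
        if (data[pos] & 0xC0) == 0xC0:        # compressed name: 2-byte pointer
            pos += 2
        else:                                  # labels terminated by a zero byte
            while data[pos]:
                pos += 1 + data[pos]
            pos += 1
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
        rdata, pos = data[pos + 10:pos + 10 + rdlen], pos + 10 + rdlen
        if rtype == 0x0020:                    # NB record: NB_FLAGS(2) + IPv4(4), repeated
            addrs += [socket.inet_ntoa(rdata[o + 2:o + 6]) for o in range(0, rdlen - 5, 6)]
    return addrs

def sample_response(txid: int) -> bytes:
    """Constructed positive reply from a master browser at 192.168.1.10:
    flags 0x8500 (response, authoritative, RD), one NB record, group-name flag set."""
    header = struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0)
    rrname = b"\x20" + encode_netbios_name(MSBROWSE, MSBROWSE_SUFFIX).encode("ascii") + b"\x00"
    rdata = struct.pack(">H", 0x8000) + socket.inet_aton("192.168.1.10")
    return header + rrname + struct.pack(">HHIH", 0x0020, 0x0001, 300000, len(rdata)) + rdata

def find_master_browser(bcast: str = "255.255.255.255", timeout: float = 2.0) -> list:
    """Broadcast the __MSBROWSE__ query and collect every address that answers."""
    txid = int.from_bytes(os.urandom(2), "big")
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.settimeout(timeout)
        s.sendto(build_name_query(MSBROWSE, MSBROWSE_SUFFIX, txid), (bcast, NBNS_PORT))
        try:
            while True:                        # several browsers may answer; read until quiet
                data, _ = s.recvfrom(1024)
                found += parse_name_query_response(data, txid)
        except socket.timeout:
            pass
    return found

if __name__ == "__main__":
    print("sample:", parse_name_query_response(sample_response(1), 1))
    print("on the wire:", find_master_browser())
```

Keep reading until the socket times out rather than stopping at the first datagram: a segment with a browser election in progress, or with several workgroups, can return more than one answer, and the transaction ID check drops stray replies to someone else's query.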
I created a new Nmap script today that attempts to discover the Kerberos realm and the server time. It does this by sending an incorrect AS-REQ to the server. The Microsoft implementation of Kerberos responds with an error packet (a KRB-ERROR) containing the correct realm name; other implementations return only the server time. The script works against both TCP and UDP. It's available for download on the dedicated nmap-scripts page over here.
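To make the exchange concrete, here is an added example (not the Nmap script itself) that hand-rolls the few DER structures involved, so it needs no Kerberos library. It assumes that the "incorrect" request is an AS-REQ for a realm the KDC does not serve (realm WRONG, user nobody) and that the KDC answers with a KRB-ERROR whose realm field carries the realm it actually serves; the KRB-ERROR in sample_krb_error is constructed, with a made-up realm and time, so the parser can be checked offline.

```python
"""Kerberos realm/time discovery with a deliberately bogus AS-REQ (RFC 4120).
Added example, not the Nmap script from the post; it hand-rolls the little DER
needed so no Kerberos library is required. Assumed: bogus realm "WRONG", user
"nobody", and a KDC that answers KRB-ERROR with its own realm in the realm field.
"""
import socket
import struct
from datetime import datetime, timezone

def der(tag: int, body: bytes) -> bytes:
    """DER TLV with a single-byte tag; short or long length form as needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def ctx(n: int, body: bytes) -> bytes:      # context-specific [n], constructed
    return der(0xA0 | n, body)

def integer(v: int) -> bytes:               # INTEGER, two's complement
    return der(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def gstring(s: str) -> bytes:               # KerberosString / Realm (GeneralString)
    return der(0x1B, s.encode("ascii"))

def seq(*items: bytes) -> bytes:            # SEQUENCE
    return der(0x30, b"".join(items))

def principal(*names: str, name_type: int = 1) -> bytes:   # 1 NT-PRINCIPAL, 2 NT-SRV-INST
    return seq(ctx(0, integer(name_type)), ctx(1, seq(*(gstring(n) for n in names))))

def build_bogus_as_req(realm: str = "WRONG", user: str = "nobody") -> bytes:
    """AS-REQ ([APPLICATION 10]) naming a realm the KDC does not serve."""
    body = seq(
        ctx(0, der(0x03, b"\x00" * 5)),                       # kdc-options: no flags
        ctx(1, principal(user)),
        ctx(2, gstring(realm)),
        ctx(3, principal("krbtgt", realm, name_type=2)),
        ctx(5, der(0x18, b"20370913024805Z")),               # till, GeneralizedTime
        ctx(7, integer(0x12345678)),                          # nonce
        ctx(8, seq(integer(18), integer(17), integer(23))),   # aes256, aes128, rc4-hmac
    )
    return der(0x6A, seq(ctx(1, integer(5)), ctx(2, integer(10)), ctx(4, body)))

def tlv(buf: bytes, pos: int = 0):
    """Read one DER element at pos: (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                             # long length form
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def parse_krb_error(msg: bytes) -> dict:
    """Pull stime [4], error-code [6] and realm [9] out of a KRB-ERROR."""
    tag, body, _ = tlv(msg)
    if tag != 0x7E:                                           # [APPLICATION 30]
        raise ValueError("not a KRB-ERROR, tag 0x%02x" % tag)
    _, fields, _ = tlv(body)                                  # inner SEQUENCE
    out, pos = {}, 0
    while pos < len(fields):
        tag, inner, pos = tlv(fields, pos)
        _, val, _ = tlv(inner)                                # unwrap the [n] tag
        if tag == 0xA4:
            out["stime"] = datetime.strptime(val.decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        elif tag == 0xA6:
            out["error_code"] = int.from_bytes(val, "big", signed=True)
        elif tag == 0xA9:
            out["realm"] = val.decode("ascii")
    return out

def sample_krb_error() -> bytes:
    """Constructed reply of a Windows KDC for the made-up realm EXAMPLE.LOCAL:
    error-code 68 (KDC_ERR_WRONG_REALM) and the realm the KDC actually serves."""
    return der(0x7E, seq(
        ctx(0, integer(5)), ctx(1, integer(30)),
        ctx(4, der(0x18, b"20240101120000Z")), ctx(5, integer(123456)),
        ctx(6, integer(68)), ctx(9, gstring("EXAMPLE.LOCAL")),
        ctx(10, principal("krbtgt", "EXAMPLE.LOCAL", name_type=2))))

def probe(kdc: str, port: int = 88, tcp: bool = True, timeout: float = 3.0) -> dict:
    """Send the bogus AS-REQ over TCP (4-byte length prefix) or UDP; parse the reply."""
    req = build_bogus_as_req()
    if tcp:
        with socket.create_connection((kdc, port), timeout=timeout) as s:
            s.sendall(struct.pack(">I", len(req)) + req)
            need, data = struct.unpack(">I", s.recv(4))[0], b""
            while len(data) < need:
                chunk = s.recv(need - len(data))
                if not chunk:
                    break
                data += chunk
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(req, (kdc, port))
            data, _ = s.recvfrom(4096)
    return parse_krb_error(data)

if __name__ == "__main__":                 # e.g. python3 krbrealm.py dc.example.local
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else parse_krb_error(sample_krb_error()))
```

The only difference between the two transports is the four-byte big-endian length prefix that Kerberos over TCP requires; the DER payload is identical. The stime field is what gives you the server time even from KDCs that leave the realm field at whatever you sent.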
I must say that I am somewhat surprised that people still use the smbat suite for Windows security testing. Since I do most of my Windows testing from Windows nowadays, I have found myself using alternative tools instead.
I have received numerous questions over time regarding compilation problems, the most common being: why does smbat fail to compile with the following error message?
error: ‘CLK_TCK’ undeclared (first use in this function)
This is due to CLK_TCK being deprecated and replaced by CLOCKS_PER_SEC, so current C library headers no longer define it. The following patch fixes the build. One caveat before substituting blindly: the two macros are not the same quantity. CLK_TCK was the tick rate of times() (what sysconf(_SC_CLK_TCK) returns), whereas CLOCKS_PER_SEC scales the return value of clock(), so check which call the timing code actually uses. Apply the patch by running the following command from within the smbat directory: