any reliable way to discover Windows hostname over SMB2+?

any reliable way to discover Windows hostname over SMB2+?

Samba - General mailing list
Hi there

The WannaCry drama has got us pushing forward plans to  turn off SMB1
globally. Great, well, errr....

Well not so great. I'm in the security team and we've relied on using
smbclient in debug mode to reliably discover the Windows hostname.
nmblookup sometimes doesn't work, and let's not even mention DNS PTR
records! "smbclient -L 1.2.3.4 -N -d10 2>&1|grep AvNbComputerName" works a
treat.

From what I can see, one of the changes that is in SMB2 is that it's a lot
less chatty and doesn't hand over the Windows hostname like SMB1 does, so
the days of this smbclient hack will soon be over.

So does anyone have ideas on how to discover Windows hostnames when all you
have is an IP address? Currently I'm moving to scraping the TLS data off
the RDP port - but that doesn't work if you're set for NLA, don't have it
enabled, etc. Has to be unauthenticated too (if all you have is an IP
address, you can't even guess at what random creds to throw at it).
Basically, is there an SMB2 trick to make the system give up its hostname?

Thanks!

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: any reliable way to discover Windows hostname over SMB2+?

Samba - General mailing list
What about using rpcclient?

rpcclient -U ""  -c srvinfo -N 192.168.42.42

On Thu, Jul 13, 2017 at 3:40 AM, Jason Haar via samba <[hidden email]
> wrote:

> Hi there
>
> The WannaCry drama has got us pushing forward plans to  turn off SMB1
> globally. Great, well, errr....
>
> Well not so great. I'm in the security team and we've relied on using
> smbclient in debug mode to reliably discover the Windows hostname.
> nmblookup sometimes doesn't work, and let's not even mention DNS PTR
> records! "smbclient -L 1.2.3.4 -N -d10 2>&1|grep AvNbComputerName" works a
> treat.
>
> From what I can see, one of the changes that is in SMB2 is that it's a lot
> less chatty and doesn't hand over the Windows hostname like SMB1 does, so
> the days of this smbclient hack will soon be over.
>
> So does anyone have ideas on how to discover Windows hostnames when all you
> have is an IP address? Currently I'm moving to scraping the TLS data off
> the RDP port - but that doesn't work if you're set for NLA, don't have it
> enabled, etc. Has to be unauthenticated too (if all you have is an IP
> address, you can't even guess at what random creds to throw at it).
> Basically, is there an SMB2 trick to make the system give up its hostname?
>
> Thanks!
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: any reliable way to discover Windows hostname over SMB2+?

Samba - General mailing list
I forgot to mention in the previous email that smbclient works over SMB2.
You just have to increase the max protocol by adding the flag "-m SMB2".

I.e. "smbclient -m SMB2 -L 1.2.3.4 -N -d10 2>&1|grep AvNbComputerName"

rpcclient is potentially a more efficient way to get this information.

On Thu, Jul 13, 2017 at 3:40 AM, Jason Haar via samba <[hidden email]
> wrote:

> Hi there
>
> The WannaCry drama has got us pushing forward plans to  turn off SMB1
> globally. Great, well, errr....
>
> Well not so great. I'm in the security team and we've relied on using
> smbclient in debug mode to reliably discover the Windows hostname.
> nmblookup sometimes doesn't work, and let's not even mention DNS PTR
> records! "smbclient -L 1.2.3.4 -N -d10 2>&1|grep AvNbComputerName" works a
> treat.
>
> From what I can see, one of the changes that is in SMB2 is that it's a lot
> less chatty and doesn't hand over the Windows hostname like SMB1 does, so
> the days of this smbclient hack will soon be over.
>
> So does anyone have ideas on how to discover Windows hostnames when all you
> have is an IP address? Currently I'm moving to scraping the TLS data off
> the RDP port - but that doesn't work if you're set for NLA, don't have it
> enabled, etc. Has to be unauthenticated too (if all you have is an IP
> address, you can't even guess at what random creds to throw at it).
> Basically, is there an SMB2 trick to make the system give up its hostname?
>
> Thanks!
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: any reliable way to discover Windows hostname over SMB2+?

Samba - General mailing list
On Thu, 13 Jul 2017 11:04:30 -0500
Andrew Walker via samba <[hidden email]> wrote:

> I forgot to mention in the previous email that smbclient works over
> SMB2. You just have to increase the max protocol by adding the flag "-m
> SMB2".
>
> I.e. "smbclient -m SMB2 -L 1.2.3.4 -N -d10 2>&1|grep AvNbComputerName"
>
> rpcclient is potentially a more efficient way to get this information.
>

I take it, as you are talking about smbclient, that this is on a Unix
machine, so how about:

host -i 192.168.0.2 | awk '{print $NF}' | awk -F '.' '{print $1}'

If you want the FQDN, just remove the last part.

Rowland


Re: any reliable way to discover Windows hostname over SMB2+?

Samba - General mailing list
On Fri, Jul 14, 2017 at 3:51 AM, Andrew Walker via samba <
[hidden email]> wrote:

> What about using rpcclient?
>
> rpcclient -U ""  -c srvinfo -N 192.168.42.42
>
>
That doesn't work - access denied

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: any reliable way to discover Windows hostname over SMB2+?

Samba - General mailing list
On Fri, Jul 14, 2017 at 4:04 AM, Andrew Walker via samba <
[hidden email]> wrote:

> I forgot to mention in the previous email that smbclient works over SMB2.
> You just have to increase the max protocol by adding the flag "-m SMB2".
>
> I.e. "smbclient -m SMB2 -L 1.2.3.4 -N -d10 2>&1|grep AvNbComputerName"
>

Doesn't work for me... This is samba-3.6.23-43.el6_9.x86_64 on CentOS6 and
in my opinion the "-m SMB2" option shows no evidence that it does anything.
If you point smbclient-3 at a Windows system that has SMB1 disabled, it
does not work - irrespective of the "-m" option. If you point smbclient-4
at the same server, it doesn't work either (default still "-m NT1"), but if
you give it "-m SMB2" it works fine.

I know smbclient-v3 claims it supports SMB2, but that isn't the case at
least with the CentOS/RHEL 6 version...

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: any reliable way to discover Windows hostname over SMB2+?

Samba - General mailing list
On Fri, Jul 14, 2017 at 4:19 AM, Rowland Penny via samba <
[hidden email]> wrote:

> On Thu, 13 Jul 2017 11:04:30 -0500
> I take it, as you are talking about smbclient, that this is on a Unix
> machine, so how about:
>
> host -i 192.168.0.2 | awk '{print $NF}' | awk -F '.' '{print $1}'
>
> If you want the FQDN, just remove the last part.
>

"host" invokes DNS - which I did say is awful (for us), so no. I really
need a realtime lookup instead of a "cached" lookup (which DNS and DHCP
logs are).

Basically I need something for when all else has failed. And even then I
adamantly refuse to use DNS PTR records - they are that bad (for us).

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: any reliable way to discover Windows hostname over SMB2+?

Samba - General mailing list
On Fri, 2017-07-14 at 08:22 +1200, Jason Haar via samba wrote:

> On Fri, Jul 14, 2017 at 4:04 AM, Andrew Walker via samba <
> [hidden email]> wrote:
>
> > I forgot to mention in the previous email that smbclient works over SMB2.
> > You just have to increase the max protocol by adding the flag "-m SMB2".
> >
> > I.e. "smbclient -m SMB2 -L 1.2.3.4 -N -d10 2>&1|grep AvNbComputerName"
> >
>
> Doesn't work for me... This is samba-3.6.23-43.el6_9.x86_64 on CentOS6 and
> in my opinion the "-m SMB2" option shows no evidence that it does anything.
> If you point smbclient-3 at a Windows system that has SMB1 disabled, it
> does not work - irrespective of the "-m" option. If you point smbclient-4
> at the same server, it doesn't work either (default still "-m NT1"), but if
> you give it "-m SMB2" it works fine.
>
> I know smbclient-v3 claims it supports SMB2, but that isn't the case at
> least with the CentOS/RHEL 6 version...

I would suggest starting with using Samba 4.7rc2.  

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: any reliable way to discover Windows hostname over SMB2+?

Samba - General mailing list
On Fri, 14 Jul 2017 08:25:22 +1200
Jason Haar <[hidden email]> wrote:

> On Fri, Jul 14, 2017 at 4:19 AM, Rowland Penny via samba <
> [hidden email]> wrote:
>
> > On Thu, 13 Jul 2017 11:04:30 -0500
> > I take it, as you are talking about smbclient, that this is on a Unix
> > machine, so how about:
> >
> > host -i 192.168.0.2 | awk '{print $NF}' | awk -F '.' '{print $1}'
> >
> > If you want the FQDN, just remove the last part.
> >
>
> "host" invokes DNS - which I did say is awful (for us), so no. I
> really need a realtime lookup instead of a "cached" lookup (which DNS
> and DHCP logs are).
>
> Basically I need something for when all else has failed. And even
> then I adamantly refuse to use DNS PTR records - they are that bad
> (for us).
>

I see from one of your other posts that you are using CentOS 6; it would
be a good idea to upgrade Samba, and it will probably be better to
compile it yourself, so start with the latest release candidate. It would
also be a good idea to fix your DNS ;-)

Rowland


Re: any reliable way to discover Windows hostname over SMB2+?

Samba - General mailing list
AFAIK:
- smbclient supports smb2/smb3 starting from samba-4.x, and you need to
use -m smb2/smb3.
- starting from samba 4.7.0rc1 smbclient defaults to -m smb3_11 (no
need to use "-m").
- samba-3.x supports smb2 server side only (setting "max protocol");
smbclient is smb1/nt1 only in 3.x.

I did some tests running smbclient against a win7 machine

smbclient 3.x (smb1 only)
  $ smbclient  -d 10 -L 192.168.1.171 -N  2>&1|grep AvNb|wc -l
  8   <== info is present

smbclient 4.7.0rc1 smb1 mode:
  $ smbclient  -d 10 -L 192.168.1.171 -N -m nt1 2>&1|grep AvNb|wc -l
  0   <== no more

smbclient 4.7.0rc1 smb2 mode:
  $ ./smbclient  -d 10 -L 192.168.1.171 -N -m smb2 2>&1|grep AvNb|wc -l
  0   <== no more

It seems that kind of debug message is gone even when using smb1 with
newer smbclient versions.

======

rpcclient 3.x
  $ rpcclient -U ""  -c srvinfo -N 192.168.1.171 -d 10 2>&1|grep AvNb|wc -l
  0

  $ rpcclient -U wrong%wrong  -c srvinfo -N 192.168.1.171 -d 10 2>&1
|grep AvNb|wc -l
  8  <== works

rpcclient 4.7.0rc1 is like newer smbclient, the info is not there anymore.

========

If you need this, I'd investigate using some kind of LLMNR client,
since this is the "zeroconf" way to get Windows names: when you
disable smb1 on Windows, netbios name resolution gets disabled too,
and automatic name resolution is LLMNR only.

For instance, this https://nmap.org/nsedoc/scripts/llmnr-resolve.html
will do name-to-IP via LLMNR using nmap from command line.

To do the reverse lookup, I tried changing the script where it uses
"0x0001 Host address" to "0x000C PTR" and asking for
171.1.168.192.in-addr.arpa; the Windows PC will answer something, but
the script output is garbled because it expects to print an IP, and I
don't know Lua, so I can't change the script to properly format the new
answer. However, I can see the Windows PC name in the tcpdump output (in a
UDP packet coming from the Windows PC), so it's possible.


Re: any reliable way to discover Windows hostname over SMB2+?

Samba - General mailing list
On Fri, Jul 14, 2017 at 10:32 AM, Giulio via samba <[hidden email]>
wrote:

>
> It seems that kind of debug message is gone even when using smb1 with
> newer smbclient versions.
>
>
Yes I noticed that too - even more motivation to find a different way


> ======
>
> rpcclient 3.x
>   $ rpcclient -U ""  -c srvinfo -N 192.168.1.171 -d 10 2>&1|grep AvNb|wc -l
>   0
>
>   $ rpcclient -U wrong%wrong  -c srvinfo -N 192.168.1.171 -d 10 2>&1
> |grep AvNb|wc -l
>   8  <== works
>
> rpcclient 4.7.0rc1 is like newer smbclient, the info is not there anymore.
>

Yes - unfortunately all that only works against Win7. Doesn't work on
Win2012 or Win10


>
> ========
>
> If you need this, I'd investigate using some kind of LLMNR client,
> since this is the "zeroconf" way to get Windows names: when you
> disable smb1 on Windows, netbios name resolution gets disabled too,
> and automatic name resolution is LLMNR only.
>

As far as I'm aware, LLMNR is multicast-only - which in practice means
broadcast-only? We've got a global WAN - over 200 sites. I can't rely on
broadcast/multicast - gotta be unicast.

Thanks for the help - you did some real digging there :-)


--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: any reliable way to discover Windows hostname over SMB2+?

Samba - General mailing list
On Fri, 2017-07-14 at 12:36 +1200, Jason Haar via samba wrote:

> On Fri, Jul 14, 2017 at 10:32 AM, Giulio via samba <[hidden email]>
> wrote:
>
> >
> > It seems that kind of debug message is gone even when using smb1 with
> > newer smbclient versions.
> >
> >
>
> Yes I noticed that too - even more motivation to find a different way
>
>
> > ======
> >
> > rpcclient 3.x
> >   $ rpcclient -U ""  -c srvinfo -N 192.168.1.171 -d 10 2>&1|grep AvNb|wc -l
> >   0
> >
> >   $ rpcclient -U wrong%wrong  -c srvinfo -N 192.168.1.171 -d 10 2>&1
> > |grep AvNb|wc -l
> >   8  <== works
> >
> > rpcclient 4.7.0rc1 is like newer smbclient, the info is not there anymore.
> >
>
> Yes - unfortunately all that only works against Win7. Doesn't work on
> Win2012 or Win10
>
>
> >
> > ========
> >
> > If you need this, I'd investigate using some kind of LLMNR client,
> > since this is the "zeroconf" way to get Windows names: when you
> > disable smb1 on Windows, netbios name resolution gets disabled too,
> > and automatic name resolution is LLMNR only.
> >
>
> As far as I'm aware, LLMNR is multicast-only - which in practice means
> broadcast-only? We've got a global WAN - over 200 sites. I can't rely on
> broadcast/multicast - gotta be unicast.
>
> Thanks for the help - you did some real digging there :-)

I take it you don't have passwords for all these systems?

I think somehow getting at the advertised hostname in the NTLMSSP
challenge is probably still one of your better options.  Some code
change might be needed to get the string printed again.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
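Andrew's suggestion is to read the hostname from the NTLMSSP CHALLENGE_MESSAGE, which over SMB2 arrives inside the SPNEGO security buffer of the SESSION_SETUP response. The parser below is an added example, not Samba code: it locates the NTLMSSP signature in that buffer and walks the AV_PAIR list in TargetInfo (MS-NLMP), where MsvAvNbComputerName and the DNS names live. The challenge it parses is constructed inline for offline testing; its flags, server challenge and names are made-up values.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"
# AvId values from the MS-NLMP AV_PAIR structure; names match what smbclient -d10 printed
AV_NAMES = {0x0001: "MsvAvNbComputerName", 0x0002: "MsvAvNbDomainName",
            0x0003: "MsvAvDnsComputerName", 0x0004: "MsvAvDnsDomainName",
            0x0005: "MsvAvDnsTreeName"}

def parse_av_pairs(target_info):
    """Walk the AV_PAIR list until MsvAvEOL (AvId 0) or the buffer ends."""
    pairs, pos = {}, 0
    while pos + 4 <= len(target_info):
        av_id, av_len = struct.unpack_from("<HH", target_info, pos)
        pos += 4
        if av_id == 0:
            break
        value = target_info[pos:pos + av_len]
        pos += av_len
        if av_id in AV_NAMES:                           # name values are UTF-16LE
            pairs[AV_NAMES[av_id]] = value.decode("utf-16-le", errors="replace")
    return pairs

def parse_challenge(blob):
    """Return the AV_PAIR names carried by an NTLMSSP CHALLENGE_MESSAGE.
    blob may be the whole SPNEGO security buffer; the signature is located inside it."""
    start = blob.find(SIGNATURE)
    if start < 0:
        raise ValueError("no NTLMSSP signature in buffer")
    msg = blob[start:]
    if len(msg) < 48:
        raise ValueError("truncated CHALLENGE_MESSAGE")
    if struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not a CHALLENGE_MESSAGE")
    # TargetInfoFields at offset 40: Len, MaxLen, BufferOffset (relative to message start)
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)
    if ti_off + ti_len > len(msg):
        raise ValueError("TargetInfo runs past end of message")
    return parse_av_pairs(msg[ti_off:ti_off + ti_len])

def build_sample_challenge(nb_name, dns_name, dns_domain):
    """Constructed CHALLENGE_MESSAGE for offline testing; not a real capture."""
    def av(av_id, text):
        v = text.encode("utf-16-le")
        return struct.pack("<HH", av_id, len(v)) + v
    target_name = "WORKGROUP".encode("utf-16-le")
    target_info = av(1, nb_name) + av(3, dns_name) + av(4, dns_domain) + struct.pack("<HH", 0, 0)
    fixed = 56                                          # fixed part incl. the 8-byte Version field
    msg = SIGNATURE + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(target_name), len(target_name), fixed)
    msg += struct.pack("<I", 0x628A8215)                # NegotiateFlags (constructed value)
    msg += b"\x11" * 8 + b"\x00" * 8                    # ServerChallenge placeholder, Reserved
    msg += struct.pack("<HHI", len(target_info), len(target_info), fixed + len(target_name))
    msg += b"\x00" * 8                                  # Version
    return msg + target_name + target_info
```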

