smb docs looking good

Author: h00die

documentation/modules/auxiliary/scanner/smb/smb_enumusers.md

@@ -1,4 +1,4 @@
-The `smb_enumusers` module ?????????????????????????????????
+The `smb_enumusers` module enumerates users via SAM User Enumeration over the SMB user interface.
 This module works against Windows and Samba.
 
 ## Vulnerable Application
@@ -18,11 +18,85 @@ To use `smb_enumusers`, make sure you are able to connect to a SMB service that
 ```
 msf auxiliary(smb_enumusers) > run
 
-[+] 192.168.2.35:139      - METASPLOITABLE [ games, nobody, bind, proxy, syslog, user, www-data, root, news, postgres, bin, mail, distccd, proftpd, dhcp, daemon, sshd, man, lp, mysql, gnats, libuuid, backup, msfadmin, telnetd, sys, klog, postfix, service, list, irc, ftp, tomcat55, sync, uucp ] ( LockoutTries=0 PasswordMin=5 )
+[+] 10.9.7.35:139      - METASPLOITABLE [ games, nobody, bind, proxy, syslog, user, www-data, root, news, postgres, bin, mail, distccd, proftpd, dhcp, daemon, sshd, man, lp, mysql, gnats, libuuid, backup, msfadmin, telnetd, sys, klog, postfix, service, list, irc, ftp, tomcat55, sync, uucp ] ( LockoutTries=0 PasswordMin=5 )
 ```
 
 ### Windows 2000 SP4
 
 ```
-[+] 192.168.2.127:445     - WIN2K [ disabled, Guest, renamedAdministrator, test ] ( LockoutTries=0 PasswordMin=0 )
+[+] 10.9.7.127:445     - WIN2K [ disabled, Guest, renamedAdministrator, test ] ( LockoutTries=0 PasswordMin=0 )
+```
+
+## Confirmation with nmap
+
+NMAP utilizes [smb-enum-users](https://nmap.org/nsedoc/scripts/smb-enum-users.html) to do SID bruteforcing.
+
+```
+nmap --script smb-enum-users.nse -p445 10.9.7.127,35
+
+Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-19 14:36 EDT
+Nmap scan report for 10.9.7.35
+Host is up (0.0013s latency).
+PORT    STATE SERVICE
+445/tcp open  microsoft-ds
+MAC Address: 00:0C:29:59:D4:F7 (VMware)
+
+Host script results:
+| smb-enum-users: 
+|   METASPLOITABLE\backup (RID: 1068)
+|     Full name:   backup
+|     Flags:       Account disabled, Normal user account
+|   METASPLOITABLE\bin (RID: 1004)
+|     Full name:   bin
+|     Flags:       Account disabled, Normal user account
+|   METASPLOITABLE\bind (RID: 1210)
+|     Flags:       Account disabled, Normal user account
+|   METASPLOITABLE\daemon (RID: 1002)
+|     Full name:   daemon
+|     Flags:       Account disabled, Normal user account
+|   METASPLOITABLE\dhcp (RID: 1202)
+|     Flags:       Account disabled, Normal user account
+|   METASPLOITABLE\distccd (RID: 1222)
+|     Flags:       Account disabled, Normal user account
+|   METASPLOITABLE\ftp (RID: 1214)
+|     Flags:       Account disabled, Normal user account
+```
+...snip...
+
+```
+|   METASPLOITABLE\tomcat55 (RID: 1220)
+|     Flags:       Account disabled, Normal user account
+|   METASPLOITABLE\user (RID: 3002)
+|     Full name:   just a user,111,,
+|     Flags:       Normal user account
+|   METASPLOITABLE\uucp (RID: 1020)
+|     Full name:   uucp
+|     Flags:       Account disabled, Normal user account
+|   METASPLOITABLE\www-data (RID: 1066)
+|     Full name:   www-data
+|_    Flags:       Account disabled, Normal user account
+
+Nmap scan report for win2k (10.9.7.127)
+Host is up (0.0013s latency).
+PORT    STATE SERVICE
+445/tcp open  microsoft-ds
+MAC Address: 00:0C:29:C8:97:2D (VMware)
+
+Host script results:
+| smb-enum-users: 
+|   WIN2K\disabled (RID: 1000)
+|     Full name:   disabled
+|     Description: user account is disabled
+|     Flags:       Account disabled, Normal user account
+|   WIN2K\Guest (RID: 501)
+|     Description: Built-in account for guest access to the computer/domain
+|     Flags:       Password not required, Password does not expire, Account disabled, Normal user account
+|   WIN2K\renamedAdministrator (RID: 500)
+|     Description: Built-in account for administering the computer/domain
+|     Flags:       Password does not expire, Normal user account
+|   WIN2K\test (RID: 1001)
+|     Full name:   test
+|_    Flags:       Normal user account
+
+Nmap done: 2 IP addresses (2 hosts up) scanned in 0.62 seconds
 ```

documentation/modules/auxiliary/scanner/smb/smb_lookupsid.md

@@ -19,16 +19,16 @@ To use `smb_lookupsid`, make sure you are able to connect to a SMB service that
 
 ```
 msf > use auxiliary/scanner/smb/smb_lookupsid 
-msf auxiliary(smb_lookupsid) > set rhosts 192.168.2.127
-rhosts => 192.168.2.127
-
-[*] 192.168.2.127:445     - PIPE(LSARPC) LOCAL(WIN2K - 5-21-484763869-823518204-682003330) DOMAIN(RAGEGROUP - )
-[*] 192.168.2.127:445     - USER=renamedAdministrator RID=500
-[*] 192.168.2.127:445     - USER=Guest RID=501
-[*] 192.168.2.127:445     - GROUP=None RID=513
-[*] 192.168.2.127:445     - USER=disabled RID=1000
-[*] 192.168.2.127:445     - USER=test RID=1001
-[*] 192.168.2.127:445     - WIN2K [renamedAdministrator, Guest, disabled, test ]
+msf auxiliary(smb_lookupsid) > set rhosts 10.9.7.127
+rhosts => 10.9.7.127
+
+[*] 10.9.7.127:445     - PIPE(LSARPC) LOCAL(WIN2K - 5-21-484763869-823518204-682003330) DOMAIN(RAGEGROUP - )
+[*] 10.9.7.127:445     - USER=renamedAdministrator RID=500
+[*] 10.9.7.127:445     - USER=Guest RID=501
+[*] 10.9.7.127:445     - GROUP=None RID=513
+[*] 10.9.7.127:445     - USER=disabled RID=1000
+[*] 10.9.7.127:445     - USER=test RID=1001
+[*] 10.9.7.127:445     - WIN2K [renamedAdministrator, Guest, disabled, test ]
 [*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
 ```
@@ -39,27 +39,101 @@ rhosts => 192.168.2.127
 msf auxiliary(smb_lookupsid) > run
 
 [*] Scanned  26 of 253 hosts (10% complete)
-[*] 192.168.2.35:139      - PIPE(LSARPC) LOCAL(METASPLOITABLE - 5-21-1042354039-2475377354-766472396) DOMAIN(WORKGROUP - )
-[*] 192.168.2.35:139      - USER=Administrator RID=500
-[*] 192.168.2.35:139      - USER=nobody RID=501
-[*] 192.168.2.35:139      - GROUP=Domain Admins RID=512
-[*] 192.168.2.35:139      - GROUP=Domain Users RID=513
-[*] 192.168.2.35:139      - GROUP=Domain Guests RID=514
-[*] 192.168.2.35:139      - USER=root RID=1000
-[*] 192.168.2.35:139      - GROUP=root RID=1001
-[*] 192.168.2.35:139      - USER=daemon RID=1002
-[*] 192.168.2.35:139      - GROUP=daemon RID=1003
-[*] 192.168.2.35:139      - USER=bin RID=1004
-[*] 192.168.2.35:139      - GROUP=bin RID=1005
-[*] 192.168.2.35:139      - USER=sys RID=1006
-[*] 192.168.2.35:139      - GROUP=sys RID=1007
+[*] 10.9.7.35:139      - PIPE(LSARPC) LOCAL(METASPLOITABLE - 5-21-1042354039-2475377354-766472396) DOMAIN(WORKGROUP - )
+[*] 10.9.7.35:139      - USER=Administrator RID=500
+[*] 10.9.7.35:139      - USER=nobody RID=501
+[*] 10.9.7.35:139      - GROUP=Domain Admins RID=512
+[*] 10.9.7.35:139      - GROUP=Domain Users RID=513
+[*] 10.9.7.35:139      - GROUP=Domain Guests RID=514
+[*] 10.9.7.35:139      - USER=root RID=1000
+[*] 10.9.7.35:139      - GROUP=root RID=1001
+[*] 10.9.7.35:139      - USER=daemon RID=1002
+[*] 10.9.7.35:139      - GROUP=daemon RID=1003
+[*] 10.9.7.35:139      - USER=bin RID=1004
+[*] 10.9.7.35:139      - GROUP=bin RID=1005
+[*] 10.9.7.35:139      - USER=sys RID=1006
+[*] 10.9.7.35:139      - GROUP=sys RID=1007
 ```
 ...snip...
 
 ```
-[*] 192.168.2.35:139      - USER=user RID=3002
-[*] 192.168.2.35:139      - GROUP=user RID=3003
-[*] 192.168.2.35:139      - USER=service RID=3004
-[*] 192.168.2.35:139      - GROUP=service RID=3005
-[*] 192.168.2.35:139      - METASPLOITABLE [Administrator, nobody, root, daemon, bin, sys, sync, games, man, lp, mail, news, uucp, proxy, www-data, backup, list, irc, gnats, libuuid, dhcp, syslog, klog, sshd, bind, postfix, ftp, postgres, mysql, tomcat55, distccd, telnetd, proftpd, statd, msfadmin, user, service ]
+[*] 10.9.7.35:139      - USER=user RID=3002
+[*] 10.9.7.35:139      - GROUP=user RID=3003
+[*] 10.9.7.35:139      - USER=service RID=3004
+[*] 10.9.7.35:139      - GROUP=service RID=3005
+[*] 10.9.7.35:139      - METASPLOITABLE [Administrator, nobody, root, daemon, bin, sys, sync, games, man, lp, mail, news, uucp, proxy, www-data, backup, list, irc, gnats, libuuid, dhcp, syslog, klog, sshd, bind, postfix, ftp, postgres, mysql, tomcat55, distccd, telnetd, proftpd, statd, msfadmin, user, service ]
+```
+
+## Confirmation with nmap
+
+NMAP utilizes [smb-enum-users](https://nmap.org/nsedoc/scripts/smb-enum-users.html) to do SID bruteforcing.
+
+```
+nmap --script smb-enum-users.nse -p445 10.9.7.127,35
+
+Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-19 14:36 EDT
+Nmap scan report for 10.9.7.35
+Host is up (0.0013s latency).
+PORT    STATE SERVICE
+445/tcp open  microsoft-ds
+MAC Address: 00:0C:29:59:D4:F7 (VMware)
+
+Host script results:
+| smb-enum-users: 
+|   METASPLOITABLE\backup (RID: 1068)
+|     Full name:   backup
+|     Flags:       Account disabled, Normal user account
+|   METASPLOITABLE\bin (RID: 1004)
+|     Full name:   bin
+|     Flags:       Account disabled, Normal user account
+|   METASPLOITABLE\bind (RID: 1210)
+|     Flags:       Account disabled, Normal user account
+|   METASPLOITABLE\daemon (RID: 1002)
+|     Full name:   daemon
+|     Flags:       Account disabled, Normal user account
+|   METASPLOITABLE\dhcp (RID: 1202)
+|     Flags:       Account disabled, Normal user account
+|   METASPLOITABLE\distccd (RID: 1222)
+|     Flags:       Account disabled, Normal user account
+|   METASPLOITABLE\ftp (RID: 1214)
+|     Flags:       Account disabled, Normal user account
+```
+...snip...
+
+```
+|   METASPLOITABLE\tomcat55 (RID: 1220)
+|     Flags:       Account disabled, Normal user account
+|   METASPLOITABLE\user (RID: 3002)
+|     Full name:   just a user,111,,
+|     Flags:       Normal user account
+|   METASPLOITABLE\uucp (RID: 1020)
+|     Full name:   uucp
+|     Flags:       Account disabled, Normal user account
+|   METASPLOITABLE\www-data (RID: 1066)
+|     Full name:   www-data
+|_    Flags:       Account disabled, Normal user account
+
+Nmap scan report for win2k (10.9.7.127)
+Host is up (0.0013s latency).
+PORT    STATE SERVICE
+445/tcp open  microsoft-ds
+MAC Address: 00:0C:29:C8:97:2D (VMware)
+
+Host script results:
+| smb-enum-users: 
+|   WIN2K\disabled (RID: 1000)
+|     Full name:   disabled
+|     Description: user account is disabled
+|     Flags:       Account disabled, Normal user account
+|   WIN2K\Guest (RID: 501)
+|     Description: Built-in account for guest access to the computer/domain
+|     Flags:       Password not required, Password does not expire, Account disabled, Normal user account
+|   WIN2K\renamedAdministrator (RID: 500)
+|     Description: Built-in account for administering the computer/domain
+|     Flags:       Password does not expire, Normal user account
+|   WIN2K\test (RID: 1001)
+|     Full name:   test
+|_    Flags:       Normal user account
+
+Nmap done: 2 IP addresses (2 hosts up) scanned in 0.62 seconds
 ```

documentation/modules/auxiliary/scanner/smb/smb_version.md

@@ -50,4 +50,118 @@ msf auxiliary(smb_version) > run
 [*] 10.9.7.232:445     - Host is running Windows 7 Enterprise SP1 (build:7601) (name:IE11WIN7) (workgroup:WORKGROUP )
 [*] Scanned 254 of 254 hosts (100% complete)
 [*] Auxiliary module execution completed
+```
+
+## Confirmation with nmap
+
+There are several scripts that attempt to validate OS information through SMB.  The most equivalent is [smb-os-discovery](https://nmap.org/nsedoc/scripts/smb-os-discovery.html).
+
+```
+nmap --script smb-os-discovery.nse -p445 10.9.7.7,35,91,108,119,127,164,175,232
+
+Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-19 14:12 EDT
+Nmap scan report for WIN-O712LQK2K69 (10.9.7.7)
+Host is up (0.0025s latency).
+PORT    STATE SERVICE
+445/tcp open  microsoft-ds
+MAC Address: 00:0C:29:28:DD:A0 (VMware)
+
+Host script results:
+| smb-os-discovery: 
+|   OS: Windows Server 2008 R2 Standard 7600 (Windows Server 2008 R2 Standard 6.1)
+|   OS CPE: cpe:/o:microsoft:windows_server_2008::-
+|   Computer name: WIN-O712LQK2K69
+|   NetBIOS computer name: WIN-O712LQK2K69\x00
+|   Workgroup: WORKGROUP\x00
+|_  System time: 2017-05-19T11:12:15-07:00
+
+Nmap scan report for 10.9.7.35
+Host is up (0.0018s latency).
+PORT    STATE SERVICE
+445/tcp open  microsoft-ds
+MAC Address: 00:0C:29:59:D4:F7 (VMware)
+
+Host script results:
+| smb-os-discovery: 
+|   OS: Unix (Samba 3.0.20-Debian)
+|   NetBIOS computer name: 
+|   Workgroup: WORKGROUP\x00
+|_  System time: 2017-05-19T14:33:31-04:00
+
+Nmap scan report for IE11Win8_1 (10.9.7.91)
+Host is up (0.0020s latency).
+PORT    STATE SERVICE
+445/tcp open  microsoft-ds
+MAC Address: 00:0C:29:E0:CF:FB (VMware)
+
+Host script results:
+| smb-os-discovery: 
+|   OS: Windows 8.1 Enterprise Evaluation 9600 (Windows 8.1 Enterprise Evaluation 6.3)
+|   OS CPE: cpe:/o:microsoft:windows_8.1::-
+|   NetBIOS computer name: IE11WIN8_1\x00
+|   Workgroup: WORKGROUP\x00
+|_  System time: 2017-05-19T11:04:48-07:00
+
+Nmap scan report for winxp (10.9.7.108)
+Host is up (0.0018s latency).
+PORT    STATE SERVICE
+445/tcp open  microsoft-ds
+MAC Address: 00:0C:29:D6:24:67 (VMware)
+
+Host script results:
+| smb-os-discovery: 
+|   OS: Windows XP (Windows 2000 LAN Manager)
+|   OS CPE: cpe:/o:microsoft:windows_xp::-
+|   Computer name: winxp
+|   NetBIOS computer name: WINXP\x00
+|   Workgroup: RAGEGROUP\x00
+|_  System time: 2017-05-19T14:12:29-04:00
+
+Nmap scan report for workNAS (10.9.7.119)
+Host is up (0.0024s latency).
+PORT    STATE SERVICE
+445/tcp open  microsoft-ds
+MAC Address: 00:11:32:10:FE:C4 (Synology Incorporated)
+
+Host script results:
+| smb-os-discovery: 
+|   OS: Windows 6.1 (Samba 4.4.9)
+|   Computer name: worknas
+|   NetBIOS computer name: WORKNAS\x00
+|   Domain name: \x00
+|   FQDN: worknas
+|_  System time: 2017-05-19T14:12:41-04:00
+
+Nmap scan report for win2k (10.9.7.127)
+Host is up (0.0025s latency).
+PORT    STATE SERVICE
+445/tcp open  microsoft-ds
+MAC Address: 00:0C:29:C8:97:2D (VMware)
+
+Host script results:
+| smb-os-discovery: 
+|   OS: Windows 2000 (Windows 2000 LAN Manager)
+|   OS CPE: cpe:/o:microsoft:windows_2000::-
+|   Computer name: win2k
+|   NetBIOS computer name: WIN2K\x00
+|   Workgroup: WORKGROUP\x00
+|_  System time: 2017-05-19T14:04:37-04:00
+
+Nmap scan report for IE11Win7 (10.9.7.232)
+Host is up (0.0019s latency).
+PORT    STATE SERVICE
+445/tcp open  microsoft-ds
+MAC Address: 00:0C:29:7D:29:4C (VMware)
+
+Host script results:
+| smb-os-discovery: 
+|   OS: Windows 7 Enterprise 7601 Service Pack 1 (Windows 7 Enterprise 6.1)
+|   OS CPE: cpe:/o:microsoft:windows_7::sp1
+|   Computer name: IE11Win7
+|   NetBIOS computer name: IE11WIN7\x00
+|   Workgroup: WORKGROUP\x00
+|_  System time: 2017-05-19T11:04:46-07:00
+
+Nmap done: 8 IP addresses (7 hosts up) scanned in 4.67 seconds
+
 ```