[framework-hackers] Understanding SMB/CIFS protocol
H D Moore
hdm at metasploit.com
Wed Apr 9 16:50:05 CDT 2008
On Wednesday 09 April 2008, Señor Natron wrote:
> However, when Victor wants to make an SMB connection, his PC issues an
> NBSTAT request to the IP:137, which metasploit/linux has no idea what
> to do with, and responds with an ICMP Type 3 Port Unreachable message.
Yup, you can solve this by installing Samba, configuring the hostname in
smbd.conf, and running the nmbd daemon. At some later point, it may make
sense to add an NBNS responder to metasploit, but it doesn't sound like
fun to write.
> Questions:
> 1) What causes Victor to issue an NBSTAT request? Is it something
> wrong in my spoofed response packet, perhaps? (When Victor opens an
> SMB connection to \\ip.add.res, it immediately performs an SMB connect
> to :139; no NBSTAT to 137 is performed.) I've examined my spoofed
> response and can't see anything that would be kicking off an NBSTAT
> request, but I may be missing something.
Name lookups in Windows loosely follow this order:
1. Hosts File
2. DNS
3. WINS
4. NBNS
> 2) Anyone know if it's possible to answer 4) in such a way that Victor
> will skip the NBSTAT request?
Yeah, just reply to the DNS request.
> 3) Is it possible to answer 4) with an NBSTAT response that
> will elicit a Negotiate Protocol Request to :139 or :445?
Yes, use nmbd from Samba.
-HD
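
The NBSTAT request to UDP 137 discussed in this thread differs from an ordinary NBNS name query only in its question type, which is easy to confirm in a capture. The following is an added example, not code from the post or from Metasploit: a parser for the question section of a NetBIOS name service packet as laid out in RFC 1001/1002. The helper names, the sample packets and the host name FILESRV are constructed for illustration.

```python
import struct

QTYPES = {0x0020: "NB", 0x0021: "NBSTAT"}  # RFC 1002 question types

def encode_name(raw16):
    """First-level encode a 16-byte NetBIOS name: one letter A..P per nibble."""
    if len(raw16) != 16:
        raise ValueError("NetBIOS names are exactly 16 bytes")
    return bytes(b for c in raw16 for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))

def decode_name(enc32):
    """Reverse the first-level encoding, rejecting bytes outside A..P."""
    if len(enc32) != 32 or any(not 0x41 <= b <= 0x50 for b in enc32):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes(((enc32[i] - 0x41) << 4) | (enc32[i + 1] - 0x41)
                 for i in range(0, 32, 2))

def parse_query(pkt):
    """Parse the header and first question of a UDP/137 payload."""
    if len(pkt) < 13 or pkt[12] != 32:
        raise ValueError("no 32-byte name label after the 12-byte header")
    txid, flags, qdcount = struct.unpack(">3H", pkt[:6])
    if qdcount < 1:
        raise ValueError("packet carries no question")
    raw = decode_name(pkt[13:45])
    off = 45
    while True:  # skip optional scope labels up to the root label
        if off >= len(pkt):
            raise ValueError("truncated name")
        n = pkt[off]
        off += 1
        if n == 0:
            break
        if n > 63:
            raise ValueError("unexpected pointer or oversized label")
        off += n
    if off + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack(">HH", pkt[off:off + 4])
    return {"txid": txid, "response": bool(flags & 0x8000),
            "opcode": (flags >> 11) & 0xF,
            "name": raw[:15].rstrip(b" \x00").decode("ascii", "replace"),
            "suffix": raw[15], "qtype": QTYPES.get(qtype, hex(qtype))}

def build_question(raw16, qtype, flags):
    """Build a constructed sample packet (not captured traffic)."""
    return (struct.pack(">6H", 0x1234, flags, 1, 0, 0, 0) + b"\x20" +
            encode_name(raw16) + b"\x00" + struct.pack(">HH", qtype, 1))

# Constructed samples: a wildcard node status request and a broadcast name query.
NBSTAT_SAMPLE = build_question(b"*" + b"\x00" * 15, 0x0021, 0x0000)
NB_SAMPLE = build_question(b"FILESRV".ljust(15) + b"\x20", 0x0020, 0x0110)
```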