[Samba] any reliable way to discover Windows hostname over SMB2+?
walker.aj325 at gmail.com
Thu Jul 13 16:04:30 UTC 2017
I forgot to mention in the previous email that smbclient works over SMB2.
You just have to increase the max protocol by adding the flag "-m SMB2".
I.e. "smbclient -m SMB2 -L 184.108.40.206 -N -d10 2>&1|grep AvNbComputerName"
rpcclient is potentially a more efficient way to get this information.
On Thu, Jul 13, 2017 at 3:40 AM, Jason Haar via samba <samba at lists.samba.org
> Hi there
> The WannaCry drama has got us pushing forward plans to turn off SMB1
> globally. Great, well, errr....
> Well not so great. I'm in the security team and we've relied on using
> smbclient in debug mode to reliably discover the Windows hostname.
> nmblookup sometimes doesn't work, and let's not even mention DNS PTR
> records! "smbclient -L 220.127.116.11 -N -d10 2>&1|grep AvNbComputerName" works a
> From what I can see, one of the changes that is in SMB2 is that it's a lot
> less chatty and doesn't hand over the Windows hostname like SMB1 does, so
> the days of this smbclient hack will soon be over.
> So does anyone have ideas on how to discover Windows hostnames when all you
> have is an IP address? Currently I'm moving to scraping the TLS data off
> the RDP port - but that doesn't work if you're set for NLA, don't have it
> enabled, etc. Has to be unauthenticated too (if all you have is an IP
> address, you can't even guess at what random creds to throw at it).
> Basically, is there a SMB2 trick to make the system give up its hostname?
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
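The AvNbComputerName that the grep above matches is an AV_PAIR inside the NTLMSSP CHALLENGE_MESSAGE, which SMB2 session setup still carries; that is why the smbclient trick survives the move off SMB1. As an added illustration (not code from the thread or from Samba), the following parses that TargetInfo block the way an inventory tool reading a captured or logged session setup on your own network would. The message bytes are constructed by the helper, not a real capture, and the hostnames are placeholders.

```python
# Added example: decode the AV_PAIR list of an NTLM CHALLENGE_MESSAGE (MS-NLMP 2.2.1.2)
# to recover the NetBIOS/DNS computer name. Sample message is constructed, not captured.
import struct

# AvId values from MS-NLMP 2.2.2.1; names match what smbclient -d10 prints
AV_NAMES = {0: "MsvAvEOL", 1: "AvNbComputerName", 2: "AvNbDomainName",
            3: "AvDnsComputerName", 4: "AvDnsDomainName", 5: "AvDnsTreeName"}

def parse_ntlm_challenge(msg: bytes) -> dict:
    """Return the TargetInfo AV_PAIRs of a CHALLENGE_MESSAGE as {name: value}."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    # TargetInfoFields sits at offset 40: Len(2) MaxLen(2) BufferOffset(4)
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)
    info, pos = {}, ti_off
    while pos + 4 <= ti_off + ti_len:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        value = msg[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len
        if av_id == 0:          # MsvAvEOL terminates the list
            break
        name = AV_NAMES.get(av_id, f"AvId{av_id}")
        # Name fields are UTF-16LE strings; flags/timestamp pairs are kept raw
        info[name] = value.decode("utf-16-le") if av_id in (1, 2, 3, 4, 5) else value
    return info

def av_pair(av_id: int, text: str) -> bytes:
    """Encode one string AV_PAIR: AvId(2) AvLen(2) UTF-16LE value."""
    v = text.encode("utf-16-le")
    return struct.pack("<HH", av_id, len(v)) + v

def build_challenge(nb_host: str, nb_domain: str, dns_host: str) -> bytes:
    """Constructed sample CHALLENGE_MESSAGE (no Version field, dummy server challenge)."""
    pairs = (av_pair(1, nb_host) + av_pair(2, nb_domain) + av_pair(3, dns_host)
             + struct.pack("<HH", 0, 0))            # MsvAvEOL
    target = nb_domain.encode("utf-16-le")
    hdr_len = 48          # fixed header size without the optional Version field
    flags = 0x00818205    # UNICODE|REQUEST_TARGET|NTLM|ALWAYS_SIGN|TARGET_TYPE_DOMAIN|TARGET_INFO
    return (b"NTLMSSP\x00" + struct.pack("<I", 2)
            + struct.pack("<HHI", len(target), len(target), hdr_len)       # TargetNameFields
            + struct.pack("<I", flags) + b"\x11" * 8 + b"\x00" * 8         # flags, challenge, reserved
            + struct.pack("<HHI", len(pairs), len(pairs), hdr_len + len(target))  # TargetInfoFields
            + target + pairs)

if __name__ == "__main__":
    sample = build_challenge("WIN-FILESRV01", "CORP", "win-filesrv01.corp.example")
    print(parse_ntlm_challenge(sample))
```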