[Samba] any reliable way to discover Windows hostname over SMB2+?
Giulio
giulioo at gmail.com
Thu Jul 13 22:32:24 UTC 2017
AFAIK:
- smbclient supports smb2/smb3 starting from samba-4.x, and you need to
use -m smb2/smb3.
- starting from samba 4.7.0rc1 smbclient defaults to -m smb3_11 (no
need to use -m).
- samba-3.x supports smb2 server side only (setting "max protocol"),
smbclient is smb1/nt1 only in 3.x.
I did some tests running smbclient against a win7 machine
smbclient 3.x (smb1 only)
$ smbclient -d 10 -L 192.168.1.171 -N 2>&1|grep AvNb|wc -l
8 <== info is present
smbclient 4.7.0rc1 smb1 mode:
$ smbclient -d 10 -L 192.168.1.171 -N -m nt1 2>&1|grep AvNb|wc -l
0 <== no more
smbclient 4.7.0rc1 smb2 mode:
$ ./smbclient -d 10 -L 192.168.1.171 -N -m smb2 2>&1|grep AvNb|wc -l
0 <== no more
It seems that kind of debug message is gone even when using smb1 with
newer smbclient versions.
======
rpcclient 3.x
$ rpcclient -U "" -c srvinfo -N 192.168.1.171 -d 10 2>&1|grep AvNb|wc -l
0
$ rpcclient -U wrong%wrong -c srvinfo -N 192.168.1.171 -d 10 2>&1|grep AvNb|wc -l
8 <== works
rpcclient 4.7.0rc1 is like newer smbclient, the info is not there anymore.
========
If you need this, I'd investigate using some kind of LLMNR client,
since this is the "zeroconf" way to get Windows names: when you
disable smb1 on Windows, netbios name resolution gets disabled too,
and automatic name resolution is LLMNR only.
For instance, this https://nmap.org/nsedoc/scripts/llmnr-resolve.html
will do name-to-IP via LLMNR using nmap from command line.
To do the reverse lookup, I tried changing the script where it uses
"0x0001 Host address" to "0x000C PTR" and asking for
171.1.168.192.in-addr.arpa; the Windows PC will answer something but
the script output is garbled because it expects to print an IP, and I
don't know Lua to change the script to properly format the new answer,
however I can see the Windows PC name in the tcpdump output (in a UDP
packet coming from the Windows PC), so it's possible.
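The LLMNR reverse lookup sketched in the message above, written out as a small stand-alone client. This is an added example, not code from the post, from the nmap llmnr-resolve script or from Samba. It builds an LLMNR (RFC 4795) PTR query for the in-addr.arpa name of the target, sends it to the LLMNR multicast group 224.0.0.252 on UDP port 5355, and parses the DNS-style answer (including name-compression pointers, which is what garbles the unmodified nmap script's output). The sample response bytes and the hostname "WIN7-PC" are constructed here for offline testing, not taken from a real capture; the transaction ID and timeout are arbitrary choices.

```python
"""Minimal LLMNR (RFC 4795) client for reverse (PTR) lookups of a Windows host."""
import ipaddress
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # LLMNR IPv4 multicast group (RFC 4795)
LLMNR_PORT = 5355
QTYPE_A = 0x0001
QTYPE_PTR = 0x000C
QCLASS_IN = 0x0001


def reverse_name(ip: str) -> str:
    """IPv4 address -> in-addr.arpa owner name, e.g. 171.1.168.192.in-addr.arpa"""
    return ipaddress.ip_address(ip).reverse_pointer


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (length-prefixed, NUL-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """LLMNR query: header with all flags clear, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_name(data: bytes, offset: int):
    """Decode a possibly compressed name at offset; return (name, offset_after)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                       # caller continues after the pointer
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 16:
                raise ValueError("compression loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), end


def parse_response(data: bytes, expected_txid=None):
    """Return [(owner, rtype, rdata)] for the answer section; PTR rdata is decoded as a name."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    offset = 12
    for _ in range(qd):                                # skip echoed question(s)
        _, offset = decode_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        owner, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_PTR:
            value, _ = decode_name(data, offset)       # may point back into the question
        elif rtype == QTYPE_A and rdlen == 4:
            value = socket.inet_ntoa(data[offset:offset + 4])
        else:
            value = data[offset:offset + rdlen]
        answers.append((owner, rtype, value))
        offset += rdlen
    return answers


def reverse_lookup(ip: str, timeout: float = 1.0):
    """Multicast a PTR query and collect (responder_ip, hostname) from unicast replies."""
    txid = 0x4242
    query = build_query(reverse_name(ip), QTYPE_PTR, txid)
    names = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)  # link-local only
        s.settimeout(timeout)
        s.sendto(query, (LLMNR_GROUP, LLMNR_PORT))
        try:
            while True:
                data, peer = s.recvfrom(4096)
                for _owner, rtype, value in parse_response(data, txid):
                    if rtype == QTYPE_PTR:
                        names.append((peer[0], value))
        except socket.timeout:
            pass
    return names


# Constructed sample reply (not a real capture): a host answering the PTR query
# for 171.1.168.192.in-addr.arpa with the hypothetical name "WIN7-PC".
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x4242, 0x8000, 1, 1, 0, 0)
    + encode_name("171.1.168.192.in-addr.arpa") + struct.pack("!HH", QTYPE_PTR, QCLASS_IN)
    + b"\xC0\x0C"                                      # owner: pointer to question name
    + struct.pack("!HHIH", QTYPE_PTR, QCLASS_IN, 30, len(encode_name("WIN7-PC")))
    + encode_name("WIN7-PC")
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE, 0x4242))
    # On a real LAN: print(reverse_lookup("192.168.1.171"))
```

Note that LLMNR replies are unicast back to the querying socket, so the same socket receives them; Windows only answers on the local link, and a host with LLMNR disabled by policy will stay silent, in which case nothing here can recover the name.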