[Samba] any reliable way to discover Windows hostname over SMB2+?

Andrew Bartlett abartlet at samba.org
Sun Jul 23 22:12:14 UTC 2017

On Mon, 2017-07-24 at 08:51 +1200, Jason Haar wrote:
> Whoops - didn't see your reply until now :-/
> Yes. In infosec a lot of "interesting events" begin with just knowing
> an IP address. So you need to somehow discover the hostname and OS
> before you can check if you even have credentials you could use to
> properly interrogate the system. And with lateral movement being the
> security nightmare it is, arbitrarily throwing (local admin)
> credentials at every box you come across without contemplating the
> possible consequences is simply risky. So with SMB1 systems,
> smbclient-v3 could tell you the hostname and domain without using
> creds. But with smbclient-v4, we cannot get that debugging detail any
> more. (I now realise this isn't a SMB2 problem - it's smbclient-v4
> itself)

My suggestion is to patch auth/ntlmssp/ntlmssp_client.c to extract that
name again.  You could even make NTLMSSP a distinct debug class to make
printing that less verbose when you put it in the logs.

I would be happy to review and consider such a patch.


Andrew Bartlett
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
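
Added example, not part of the original message and not Samba code: the names discussed above travel in the TargetInfo AV_PAIR list of the server's NTLMSSP CHALLENGE_MESSAGE, and this sketch reads the NetBIOS computer or domain name out of such a blob with bounds checks. The function name `ntlmssp_challenge_name` and the sample bytes are hypothetical; field offsets follow the MS-NLMP CHALLENGE_MESSAGE layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }
/* Copy AV_PAIR `want` (1 = MsvAvNbComputerName, 2 = MsvAvNbDomainName) from an
 * NTLMSSP CHALLENGE_MESSAGE into out. Returns 0 on success, -1 if malformed or
 * absent. Simplification: UTF-16LE is narrowed to ASCII, anything else is '?'. */
int ntlmssp_challenge_name(const uint8_t *msg, size_t len, uint16_t want,
                           char *out, size_t outlen)
{
    if (len < 48 || memcmp(msg, "NTLMSSP", 8) != 0 || le32(msg + 8) != 2)
        return -1;
    size_t ti_len = le16(msg + 40), off = le32(msg + 44);  /* TargetInfoFields */
    if (off > len || ti_len > len - off) return -1;  /* must lie inside msg */
    size_t end = off + ti_len;
    while (end - off >= 4) {
        uint16_t id = le16(msg + off);
        size_t alen = le16(msg + off + 2);
        off += 4;
        if (id == 0 || alen > end - off) return -1;  /* MsvAvEOL or truncated */
        if (id == want) {
            size_t n = alen / 2;         /* UTF-16 code units */
            if (n + 1 > outlen) return -1;
            for (size_t i = 0; i < n; i++) {
                uint16_t c = le16(msg + off + 2 * i);
                out[i] = (c >= 0x20 && c < 0x7f) ? (char)c : '?';
            }
            out[n] = '\0';
            return 0;
        }
        off += alen;
    }
    return -1;
}

/* Constructed sample, not a capture: domain "CORP", computer "WS01". */
const uint8_t sample_challenge[] = {
    'N','T','L','M','S','S','P',0, 2,0,0,0, 0,0,0,0,0x30,0,0,0, 1,0,0x80,0,
    0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88, 0,0,0,0,0,0,0,0, 0x1c,0,0x1c,0,0x30,0,0,0,
    2,0,8,0,'C',0,'O',0,'R',0,'P',0, 1,0,8,0,'W',0,'S',0,'0',0,'1',0, 0,0,0,0
};

int main(void) {
    char host[16];
    if (ntlmssp_challenge_name(sample_challenge, sizeof sample_challenge, 1, host, sizeof host) == 0)
        printf("NetBIOS computer name: %s\n", host);
    return 0;
}
```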
