[Samba] any reliable way to discover Windows hostname over SMB2+?
abartlet at samba.org
Sun Jul 23 22:12:14 UTC 2017
On Mon, 2017-07-24 at 08:51 +1200, Jason Haar wrote:
> Whoops - didn't see your reply until now :-/
> Yes. In infosec a lot of "interesting events" begin with just knowing
> an IP address. So you need to somehow discover the hostname and OS
> before you can check if you even have credentials you could use to
> properly interrogate the system. And with lateral movement being the
> security nightmare it is, arbitrarily throwing (local admin)
> credentials at every box you come across without contemplating the
> possible consequences is simply risky. So with SMB1 systems,
> smbclient-v3 could tell you the hostname and domain without using
> creds. But with smbclient-v4, we cannot get that debugging detail any
> more. (I now realise this isn't a SMB2 problem - it's smbclient-v4
My suggestion is to patch auth/ntlmssp/ntlmssp_client.c to extract that
name again. You could even make NTLMSSP a distinct debug class to make
printing that less verbose when you put it in the logs.
I would be happy to review and consider such a patch.
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
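The name information under discussion travels in the NTLMSSP CHALLENGE_MESSAGE (the "Type 2" message the server sends before any credential is proven): its TargetName field and the AV_PAIR list in TargetInfo carry the NetBIOS and DNS computer and domain names, and the optional Version field carries the server's OS version, all as laid out in MS-NLMP. The following is an added example, not Samba code and not the patch to auth/ntlmssp/ntlmssp_client.c suggested above; it is a stand-alone Python parser for that message so the fields can be seen without a real server. `build_challenge` and `parse_challenge` are names chosen here, and the hostname, domain and version values in the sample message are constructed for the example.

```python
import struct

# AvId values from MS-NLMP 2.2.2.1 (AV_PAIR); ids 1-5 are UTF-16LE strings.
AV_NAMES = {
    0: "MsvAvEOL",
    1: "MsvAvNbComputerName",
    2: "MsvAvNbDomainName",
    3: "MsvAvDnsComputerName",
    4: "MsvAvDnsDomainName",
    5: "MsvAvDnsTreeName",
    6: "MsvAvFlags",
    7: "MsvAvTimestamp",
}
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000
NTLMSSP_NEGOTIATE_VERSION = 0x02000000


def build_challenge(target_name, av_pairs, version=(10, 0, 17763)):
    """Construct a CHALLENGE_MESSAGE for exercising the parser (constructed, not captured)."""
    flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_NEGOTIATE_VERSION
    name = target_name.encode("utf-16-le")
    info = b"".join(struct.pack("<HH", av_id, len(v)) + v for av_id, v in av_pairs)
    info += struct.pack("<HH", 0, 0)  # MsvAvEOL terminator
    header_len = 56  # 48-byte fixed part plus the 8-byte Version field
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)          # Signature, MessageType
    msg += struct.pack("<HHI", len(name), len(name), header_len)  # TargetNameFields
    msg += struct.pack("<I", flags)                        # NegotiateFlags
    msg += b"\x00" * 8                                     # ServerChallenge (zeros here)
    msg += b"\x00" * 8                                     # Reserved
    msg += struct.pack("<HHI", len(info), len(info), header_len + len(name))  # TargetInfoFields
    major, minor, build = version
    msg += struct.pack("<BBH", major, minor, build) + b"\x00\x00\x00" + b"\x0f"  # Version
    return msg + name + info


def parse_challenge(blob):
    """Return target name, OS version and TargetInfo AV_PAIRs from a CHALLENGE_MESSAGE."""
    if len(blob) < 48 or blob[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", blob, 8)
    if msg_type != 2:
        raise ValueError("not a CHALLENGE_MESSAGE (type %d)" % msg_type)
    tn_len, _tn_max, tn_off = struct.unpack_from("<HHI", blob, 12)
    (flags,) = struct.unpack_from("<I", blob, 20)
    ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", blob, 40)
    result = {"flags": flags, "version": None, "target_name": "", "target_info": {}}

    if flags & NTLMSSP_NEGOTIATE_VERSION and len(blob) >= 56:
        major, minor, build = struct.unpack_from("<BBH", blob, 48)
        result["version"] = (major, minor, build)

    # Every offset is relative to the start of the message; bounds-check before slicing.
    if tn_off + tn_len > len(blob):
        raise ValueError("TargetName overruns message")
    raw_name = blob[tn_off:tn_off + tn_len]
    codec = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    result["target_name"] = raw_name.decode(codec)

    if flags & NTLMSSP_NEGOTIATE_TARGET_INFO:
        end = ti_off + ti_len
        if end > len(blob):
            raise ValueError("TargetInfo overruns message")
        pos = ti_off
        while pos + 4 <= end:
            av_id, av_len = struct.unpack_from("<HH", blob, pos)
            pos += 4
            if av_id == 0:  # MsvAvEOL
                break
            if pos + av_len > end:
                raise ValueError("AV_PAIR overruns TargetInfo")
            value = blob[pos:pos + av_len]
            pos += av_len
            if av_id in (1, 2, 3, 4, 5):
                value = value.decode("utf-16-le")
            elif av_id == 6 and av_len == 4:
                (value,) = struct.unpack("<I", value)
            elif av_id == 7 and av_len == 8:
                (value,) = struct.unpack("<Q", value)  # FILETIME as integer
            result["target_info"][AV_NAMES.get(av_id, "MsvAv%d" % av_id)] = value
    return result


# Constructed sample message: a workstation "WS01" in domain "CONTOSO" (not a real host).
SAMPLE_CHALLENGE = build_challenge("CONTOSO", [
    (2, "CONTOSO".encode("utf-16-le")),
    (1, "WS01".encode("utf-16-le")),
    (4, "contoso.example".encode("utf-16-le")),
    (3, "ws01.contoso.example".encode("utf-16-le")),
    (7, struct.pack("<Q", 0)),
])

if __name__ == "__main__":
    for key, value in parse_challenge(SAMPLE_CHALLENGE).items():
        print(key, value)
```

The bounds checks matter in a client: TargetName and TargetInfo offsets come from the peer, so a parser that trusts them will read past the buffer on a malformed message. Putting the same extraction behind a separate debug class, as suggested above, would let the names be logged without raising the verbosity of the rest of the NTLMSSP exchange.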