Nmap Network Exploration and Security Auditing Cookbook, Third Edition

Product type: Book
Published: Sep 2021
Publisher: Packt
ISBN-13: 9781838649357
Pages: 436
Edition: 3rd
Author: Paulino Calderon

Table of Contents

Preface
Chapter 1: Nmap Fundamentals
Chapter 2: Getting Familiar with Nmap's Family
Chapter 3: Network Scanning
Chapter 4: Reconnaissance Tasks
Chapter 5: Scanning Web Servers
Chapter 6: Scanning Databases
Chapter 7: Scanning Mail Servers
Chapter 8: Scanning Windows Systems
Chapter 9: Scanning ICS/SCADA Systems
Chapter 10: Scanning Mainframes
Chapter 11: Optimizing Scans
Chapter 12: Generating Scan Reports
Chapter 13: Writing Your Own NSE Scripts
Chapter 14: Exploiting Vulnerabilities with the Nmap Scripting Engine
Other Books You May Enjoy
Appendix A: HTTP, HTTP Pipelining, and Web Crawling Configuration Options
Appendix B: Brute-Force Password Auditing Options
Appendix C: NSE Debugging
Appendix D: Additional Output Options
Appendix E: Introduction to Lua
Appendix F: References and Additional Reading

Chapter 8: Scanning Windows Systems

Windows-based networks are still the most common type of network found in organizations, mainly because Active Directory (AD) simplifies so many day-to-day administration tasks. While Windows systems have come a long way in security, some default configurations can still be deemed insecure, and some legacy functionality is undesirable in itself, such as the system information an SMBv1 server hands out before authentication.

For this reason, scanning Windows machines is a common task for penetration testers and system administrators, and thankfully, Nmap is full of resources to help us. There are Nmap Scripting Engine (NSE) scripts available to perform tasks from information gathering to vulnerability detection in workstations and servers. As advanced Nmap users, we need to understand what is available and, most importantly, what platforms and configurations these scripts...

Obtaining system information from SMB

SMB is the file and printer sharing protocol found on practically every Microsoft Windows host, and it has matured through several versions over the years. Despite the newer dialects, SMBv1 is still found enabled on older and legacy systems for compatibility reasons (Windows 10 version 1709, Windows Server 2019, and later releases no longer install it by default). SMBv1 has a feature that has been abused for years: the server returns system information before authentication. The information available includes the Windows version and build number, the NetBIOS computer name, the workgroup or domain, and the exact system time. This is valuable because it fingerprints the host without the noise of an OS detection scan.

This recipe shows how to obtain system information from SMB with Nmap.

How to do it...

Open your terminal and enter the following Nmap command:

$ nmap -p139,445 --script smb-os-discovery <target>

The smb-os-discovery script returns this system information when SMBv1 is enabled. The version and build strings come from the Native OS and Native LAN Manager fields of the SMBv1 Session Setup response, so the script stays silent on hosts that only speak SMB2/3:

PORT  STATE SERVICE
445/tcp open   ...

Detecting Windows clients with SMB signing disabled

SMB, unarguably the most important protocol on Windows hosts, supports message signing so that each side can verify the origin and integrity of the data transmitted. Unfortunately, signing has traditionally been supported but not required by default on workstations and member servers; only Domain Controllers (DCs) require it. A host that does not require signing is susceptible to Man in the Middle (MitM) attacks in which captured NTLM authentication is relayed to it (SMB poisoning/relaying), leading to remote code execution. Newer Windows 11 and Windows Server releases have begun requiring signing by default, so verify the setting rather than assume it.

This recipe shows how to obtain the SMB signing configuration of Windows machines with Nmap.

How to do it...

Open your terminal and enter the following Nmap command:

$ nmap -p139,445 --script smb-security-mode <target>

If SMB message signing is disabled, you should see message_signing: disabled in the output. A value of supported (enabled but not required) still allows relaying; only required means the host is protected:

PORT  STATE SERVICE
445/tcp open    microsoft-ds
MAC Address: 9C:2A:70:10:84:BF (Hon Hai Precision Ind.)
Host script results:
| smb-security-mode:
|     ...

Detecting IIS web servers that disclose Windows 8.3 names

IIS servers with 8.3 short-name generation enabled (the default on older versions) are vulnerable to an information disclosure issue that reveals the Windows 8.3 names of files and directories in the web root. It is commonly known as the IIS tilde character vulnerability, and in some configurations it can also be used to bypass authentication or cause denial of service conditions. Because it reveals files that are not publicly linked, it can lead attackers to hidden functionality or forgotten files such as backups. Every time you see an IIS web server, check for this vulnerability.

This recipe shows how to detect and extract the list of hosted files in IIS web servers vulnerable to Windows 8.3 name disclosure with Nmap.

How to do it...

Open your terminal and enter the following Nmap command:

$ nmap -sV --script http-iis-short-name-brute <target>

If the script detects that the web server is vulnerable, it will return a report...

Detecting Windows hosts vulnerable to MS08-067 and MS17-010

Two of the most infamous remote code execution vulnerabilities affecting outdated systems are MS08-067 (CVE-2008-4250, a stack overflow in the Server service's path canonicalization code, exploited by Conficker) and MS17-010 (CVE-2017-0143 through CVE-2017-0148, the SMBv1 flaws behind EternalBlue and WannaCry). They have been exploited by attackers for years now, and public exploits exist for most platforms.

This recipe shows how to detect Windows machines vulnerable to MS08-067 or MS17-010 with Nmap.

How to do it...

Open your terminal and enter the following Nmap command:

$ nmap -p445 --script smb-vuln-ms08-067,smb-vuln-ms17-010 <target>

If the target is vulnerable, the scan results will include a report similar to the following. The MS17-010 check is non-destructive (it only inspects the error code returned to a specific transaction request on the IPC$ share), but the MS08-067 check is intrusive and can crash the Server service on a vulnerable host, so run it only where a crash is acceptable:

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|    ...
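The three recipes above produce the most decisions per scan when run together over a whole subnet and consumed from Nmap's XML output rather than read by eye. The following Python script is an added example (not code from the book or from Nmap): it parses the structured `-oX` output of smb-os-discovery, smb-security-mode and smb-vuln-ms17-010 and ranks hosts by what a tester would act on first. The embedded XML is constructed by hand to follow Nmap's structured-output layout (`<hostscript><script id=...><elem key=...>`) and is not a real capture; the IP addresses and host names in it are invented.

```python
"""Triage Nmap XML output from the SMB recipes. Added example, not Nmap or book code.

Produce real input with, for example:
  nmap -p139,445 --script smb-os-discovery,smb-security-mode,smb-vuln-ms17-010 -oX smb.xml <targets>
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's structured-output layout (not a capture).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="constructed sample">
  <host><status state="up"/><address addr="10.0.0.21" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-os-discovery" output="...">
        <elem key="os">Windows Server 2008 R2 Standard 7601 Service Pack 1</elem>
        <elem key="fqdn">files01.corp.example</elem>
      </script>
      <script id="smb-security-mode" output="...">
        <elem key="account_used">guest</elem>
        <elem key="message_signing">disabled (dangerous, but default)</elem>
      </script>
      <script id="smb-vuln-ms17-010" output="...">
        <table key="CVE-2017-0143"><elem key="state">VULNERABLE</elem><elem key="risk_factor">HIGH</elem></table>
      </script>
    </hostscript>
  </host>
  <host><status state="up"/><address addr="10.0.0.22" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-security-mode" output="..."><elem key="message_signing">required</elem></script>
      <script id="smb-vuln-ms17-010" output="..."><table key="CVE-2017-0143"><elem key="state">NOT VULNERABLE</elem></table></script>
    </hostscript>
  </host>
  <host><status state="up"/><address addr="10.0.0.23" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-os-discovery" output="..."><elem key="os">Windows 7 Professional 7601 Service Pack 1</elem></script>
      <script id="smb-security-mode" output="..."><elem key="message_signing">supported</elem></script>
    </hostscript>
  </host>
</nmaprun>
"""

SEVERITY_ORDER = {"critical": 0, "high": 1, "info": 2}


def parse_smb_results(xml_text):
    """Return one record per host with the fields the three scripts report."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        rec = {"ip": addr.get("addr") if addr is not None else None,
               "os": None, "signing": None, "ms17_010": None}
        for script in host.iter("script"):
            sid = script.get("id")
            if sid == "smb-os-discovery":        # only answers when SMBv1 is enabled
                rec["os"] = script.findtext("elem[@key='os']")
            elif sid == "smb-security-mode":
                rec["signing"] = script.findtext("elem[@key='message_signing']")
            elif sid == "smb-vuln-ms17-010":     # vulns library: <table key=CVE><elem key=state>
                rec["ms17_010"] = script.findtext("table/elem[@key='state']")
        hosts.append(rec)
    return hosts


def triage(hosts):
    """Rank findings: unpatched MS17-010 first, then relay targets, then SMBv1 fingerprints."""
    findings = []
    for h in hosts:
        if h["ms17_010"] == "VULNERABLE":
            findings.append((h["ip"], "critical", "MS17-010 unpatched: remote code execution over SMBv1"))
        # Anything short of 'required' (disabled, or merely supported) can be relayed to.
        if h["signing"] is not None and not h["signing"].startswith("required"):
            findings.append((h["ip"], "high", "SMB signing not required: NTLM relay target (%s)" % h["signing"]))
        if h["os"] is not None:
            findings.append((h["ip"], "info", "SMBv1 enabled, fingerprinted as: " + h["os"]))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[1]])   # stable sort keeps host order within a level


if __name__ == "__main__":
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for ip, severity, detail in triage(parse_smb_results(xml_text)):
        print("%-15s %-8s %s" % (ip, severity.upper(), detail))
```

Run it with the path to a real `-oX` file as the only argument, or with no arguments to see the constructed sample triaged. Host 10.0.0.22 in the sample produces no finding at all: signing is required, MS17-010 is patched, and smb-os-discovery returned nothing because SMBv1 is off, which is exactly the configuration the three recipes are looking for.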

Retrieving the NetBIOS name and MAC address of a host

NetBIOS name resolution is still enabled on most Windows clients today; Windows even ships a diagnostic utility, nbtstat, for troubleshooting name resolution over NetBIOS over TCP/IP. A single NBSTAT (node status) request to UDP port 137 returns the computer name, the logged-in user (often reported as <unknown> on modern systems), and the MAC address.

This recipe shows how to retrieve the NetBIOS information and MAC address of a Windows host with Nmap.

How to do it...

Open your terminal and enter the following Nmap command:

$ nmap -sU -p137 --script nbstat <target>

The nbstat script returns the NetBIOS name, NetBIOS user, and MAC address of the system. The NetBIOS MAC is taken from the node status reply itself, so unlike Nmap's ARP-derived MAC Address line it is available even across routed networks:

PORT    STATE SERVICE
137/udp open  netbios-ns
MAC Address: 9C:2A:70:10:84:BF (Hon Hai Precision Ind.)
Host script results:
|_nbstat: NetBIOS name: ALIEN, NetBIOS user: <unknown>, NetBIOS MAC: 9C:2A:70:10:84:BF (Hon Hai Precision Ind.)

How it works...

...

Enumerating user accounts of Windows targets

User enumeration allows attackers to conduct dictionary attacks against systems and reveals information about who has access to them. Against Windows systems, there are two known techniques to enumerate the users in the system: SAMR enumeration and LSA brute forcing. Both user enumeration techniques are implemented in NSE. While this attack requires a valid account on most systems, some systems (such as Windows 2000 by default) allow user enumeration anonymously.

This recipe shows how to enumerate the user accounts of a Microsoft Windows system with Nmap.

How to do it...

Open your terminal and enter the following Nmap command:

$ nmap -p139,445 --script smb-enum-users <target>

If the system allows user enumeration anonymously, the user list will be included in the scan results. Remember that in modern systems, you need to provide valid credentials as anonymous access is disabled by default:

Host script results...

Enumerating shared folders

Shared folders in organizations are widespread, and poor data storage practices among users present a significant risk. Even if the shared folder isn't entirely open to the world, it is not uncommon to find misconfigured permissions that expose sensitive information.

This recipe shows how to list shared folders of Windows machines with Nmap.

How to do it...

Open your terminal and enter the following Nmap command:

$ nmap -p139,445 --script smb-enum-shares --script-args smbusername=Administrator,smbpassword=Password <target>

A list of shares will be returned, including their permissions. Replace Administrator and Password with valid credentials, and add smbdomain=<domain> when authenticating with a domain account:

Host script results:
| smb-enum-shares:
|     account_used: WORKGROUP\Administrator
|     ADMIN$
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Users: 0
|     Max Users: <unlimited...

Enumerating SMB sessions

SMB sessions reflect people connected to file shares or making RPC calls and they can provide invaluable information to profile users and machines. The SMB session information includes usernames, origin IP addresses, and even idle time. Because this information can be used to launch other attacks, listing SMB sessions remotely can be handy during the information-gathering phase.

This recipe shows how to enumerate SMB sessions of Windows machines with Nmap.

How to do it...

Open your terminal and enter the following Nmap command to enumerate the current SMB sessions on a target:

$ nmap -p445 --script smb-enum-sessions <target>

Local users on the system will be listed, as well as the SMB connections detected. On modern systems both parts require an authenticated account (and the logged-in user list, read through the remote registry, typically an administrative one), so pass the smbusername and smbpassword script arguments as in the previous recipe:

Host script results:
|     smb-enum-sessions:
|     Users logged in:
|     |    MATRIX\Administrator since 2017-01-12 12:03:20
|   ...

Finding domain controllers

DCs are the most critical systems in Microsoft Windows networks that use AD. They authenticate every domain user and computer, hold the credential material for the whole domain, and host essential services for the organization's operations, such as DNS and Kerberos. During a black-box penetration test, attackers need to locate these systems early to examine them for possible vulnerabilities.

This recipe shows how to find the DCs on the network with Nmap.

How to do it...

Open your terminal and enter the following Nmap command to find DCs on your network:

$ nmap -p389 -sV <target>

DCs show port 389 running the Microsoft Windows AD LDAP service. They also listen on 88/tcp (Kerberos), 636/tcp (LDAPS), and 3268/3269 (Global Catalog), so adding those ports strengthens the fingerprint; when the domain name is already known, a DNS SRV lookup for _ldap._tcp.dc._msdcs.<domain> lists every DC without scanning:

PORT  STATE SERVICE VERSION
389/tcp open    ldap  Microsoft Windows AD LDAP (Domain:TESTDOMAIN, Site: TEST)

How it works...

Penetration testers often need to locate the DCs on networks as they are the most important systems that, if vulnerable, will give access to any machine that is...

Detecting the Shadow Brokers' DOUBLEPULSAR SMB implants

DOUBLEPULSAR is an NSA SMB implant leaked by the Shadow Brokers. The backdoor hooks the SMBv1 Trans2 handler: a Trans2 SESSION_SETUP request that a clean host answers with Multiplex ID 0x41 is answered by an infected host with 0x51, which is how the leaked exploits check whether a system is already implanted. Once a system is infected, attackers can use the same channel to load and execute code remotely.

This recipe shows how to detect systems infected by the Shadow Brokers' DOUBLEPULSAR with Nmap.

How to do it...

Open your terminal and enter the following Nmap command:

$ nmap -p445 --script smb-double-pulsar-backdoor <target>

If the system is running the DOUBLEPULSAR backdoor, you should see a report like the following:

| smb-double-pulsar-backdoor:
|     VULNERABLE:
|     Double Pulsar SMB Backdoor
|     State: VULNERABLE
|     Risk factor: HIGH    CVSSv2: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
|    ...

Listing supported SMB protocols

SMB servers negotiate the dialect at the start of each connection, so the dialects a server supports can be determined remotely without credentials. Nmap can thus tell whether a server still accepts old, insecure dialects such as SMBv1, and the same information is useful when troubleshooting SMB servers.

This recipe shows how to list the supported SMB dialects in a server with Nmap.

How to do it...

Open your terminal and enter the following Nmap command:

$ nmap -p445 --script smb-protocols <target>

The scan results will include the available SMB dialects of that server:

| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.0.2
|     2.1
|     3.0
|     3.0.2
|_    3.1.1

How it works...

The smb-protocols script attempts to initiate a connection using the following...

Detecting vulnerabilities using the SMB2/3 boot-time field

Before the Windows Fall Creators Update (version 1709), SMB2/3 servers filled in the ServerStartTime field of the NEGOTIATE response, so the boot time of a host could be read during protocol negotiation. A host whose boot time predates the release of a security update that requires a reboot cannot have finished installing it, so such systems can be fingerprinted for missing patches. Because the response is part of a valid protocol negotiation that precedes every SMB connection, IDS/IPS/AV products could not distinguish the probe from normal traffic.

This recipe shows how to detect missing security patches in Windows systems with SMB2/3.

How to do it...

Open your terminal and enter the following Nmap command:

$ nmap -p445 --script smb2-vuln-uptime <target>

The script reports a system as LIKELY VULNERABLE when it has not been rebooted since a critical patch was released. This is an inference from uptime alone, so confirm it with a direct check such as smb-vuln-ms17-010 or the patch inventory before reporting:

| smb2-vuln-uptime:
|   VULNERABLE:
|   MS17-010: Security update for Windows SMB Server
|     State: LIKELY VULNERABLE
|     IDs:  ms:ms17-010  ...

Detecting whether encryption is enforced in SMB servers

SMB2/3 servers advertise their features during negotiation, and listing those capabilities reveals some aspects of their security configuration. Encryption is available from SMB 3.0 onwards, but not everyone enables it because it costs throughput. Note that the Encryption capability only says the server supports it; whether it is enforced is a server-side policy (EncryptData and RejectUnencryptedAccess in Set-SmbServerConfiguration) that this probe cannot observe.

This recipe shows how to detect whether encryption is enabled in SMB servers with Nmap.

How to do it...

Open your terminal and enter the following Nmap command:

$ nmap -p445 --script smb2-capabilities <target>

The scan results will include the detected features in the response:

| smb2-capabilities:
|   3.1.1:
|     Distributed File System
|     Leasing
|     Multi-credit operations
|     Encryption

How it works...

The script reads the response to the SMB SMB2_COM_NEGOTIATE command and parses the field describing the server capabilities. This technique...
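The smb-protocols, smb-security-mode, smb2-vuln-uptime and smb2-capabilities recipes all read fields of the same message, the SMB2 NEGOTIATE response. The following Python decoder is an added example (not NSE code and not from the book) that pulls the dialect, the SecurityMode signing bits, the Capabilities bits and the SystemTime/ServerStartTime FILETIMEs out of one such message and turns them into the findings discussed above. The field layout follows MS-SMB2 section 2.2.4. The sample response is constructed in code rather than captured from a server, the server GUID and size limits in it are placeholders, and the patch-release table contains a single entry, MS17-010 (released 14 March 2017), which is enough to show how smb2-vuln-uptime's boot-time comparison works.

```python
"""Decode an SMB2 NEGOTIATE response. Added example, not NSE or book code.
Layout per MS-SMB2 2.2.4; the sample message below is constructed, not captured."""
import struct
from datetime import datetime, timedelta, timezone

SMB2_HEADER_LEN = 64
NEG_RESP_FMT = "<HHHH16sIIIIQQHHI"  # 64 fixed bytes; the security buffer follows

DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}
SIGNING_ENABLED, SIGNING_REQUIRED = 0x0001, 0x0002          # SecurityMode bits
CAPABILITIES = {                                              # Capabilities bits
    0x01: "Distributed File System", 0x02: "Leasing", 0x04: "Multi-credit operations",
    0x08: "Multi-channel", 0x10: "Persistent handles", 0x20: "Directory leasing",
    0x40: "Encryption",
}
# Release dates compared against the boot time; only MS17-010 here (constructed table).
PATCH_RELEASES = {"MS17-010": datetime(2017, 3, 14, tzinfo=timezone.utc)}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)       # FILETIME origin
SAMPLE_BOOT_OLD = datetime(2017, 2, 1, 8, 30, tzinfo=timezone.utc)    # booted before MS17-010 shipped
SAMPLE_BOOT_RECENT = datetime(2021, 9, 1, 6, 0, tzinfo=timezone.utc)  # booted after it
SAMPLE_NOW = datetime(2021, 9, 15, 12, 0, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100-ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_negotiate_response(msg):
    """Extract dialect, signing policy, capabilities and timestamps from one SMB2 message."""
    if msg[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    if struct.unpack_from("<H", msg, 12)[0] != 0:            # header Command 0 = NEGOTIATE
        raise ValueError("not a NEGOTIATE response")
    (size, secmode, dialect, _ctx, _guid, caps, _maxt, _maxr, _maxw,
     systime, boottime, _soff, _slen, _ctxoff) = struct.unpack_from(NEG_RESP_FMT, msg, SMB2_HEADER_LEN)
    if size != 65:
        raise ValueError("unexpected StructureSize %d" % size)
    return {
        "dialect": DIALECTS.get(dialect, hex(dialect)),
        "signing_enabled": bool(secmode & SIGNING_ENABLED),
        "signing_required": bool(secmode & SIGNING_REQUIRED),
        "capabilities": [name for bit, name in CAPABILITIES.items() if caps & bit],
        "system_time": filetime_to_datetime(systime),
        # Windows 10 1709 and later send zero here, so the boot time may be absent.
        "boot_time": filetime_to_datetime(boottime) if boottime else None,
    }


def assess(info):
    """Turn the raw fields into the findings a tester acts on."""
    missing = []
    if info["boot_time"] is not None:
        missing = [name for name, released in PATCH_RELEASES.items() if info["boot_time"] < released]
    return {
        "relayable": not info["signing_required"],                     # 'supported' alone is not enough
        "encryption_supported": "Encryption" in info["capabilities"],  # supported, not necessarily enforced
        "likely_missing": missing,
    }


def build_sample_response(dialect=0x0302, secmode=SIGNING_ENABLED, caps=0x47,
                          boot=SAMPLE_BOOT_OLD, now=SAMPLE_NOW):
    """Constructed NEGOTIATE response for offline testing (placeholder GUID and size limits)."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0, 0, 1, 0x1, 0, 0, 0, 0, 0, b"\0" * 16)
    body = struct.pack(NEG_RESP_FMT, 65, secmode, dialect, 0, b"\x11" * 16, caps,
                       0x800000, 0x800000, 0x800000,
                       datetime_to_filetime(now), datetime_to_filetime(boot), 0x80, 0, 0)
    return header + body + b"\x00"


if __name__ == "__main__":
    info = parse_negotiate_response(build_sample_response())
    print(info["dialect"], "signing required:", info["signing_required"], "booted:", info["boot_time"])
    print(assess(info))
```

The default sample mirrors the outputs shown in the recipes: dialect 3.0.2, signing enabled but not required (so the host is a relay target), the four capabilities listed under smb2-capabilities, and a boot time that predates MS17-010, which assess() flags as likely missing. Feeding the same parser a message with SecurityMode 0x0003, no Encryption bit and a recent boot time clears all three findings, which is the difference between a hardened host and a default one as seen from the wire.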
