
Commit fbeab5f

committed
Fingerprint Samba
1 parent 665f778 commit fbeab5f

1 file changed

Lines changed: 21 additions & 3 deletions


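--- a/nxc/protocols/smb.py
+++ b/nxc/protocols/smb.py
@@ -147,6 +147,9 @@ class smb(connection):
 def __init__(self, args, db, host):
 self.domain = None
 self.server_os = None
+self.server_os_major = None
+self.server_os_minor = None
+self.server_os_build = None
 self.os_arch = 0
 self.hash = None
 self.lmhash = ""
@@ -230,7 +233,19 @@ def enum_host_info(self):
 self.domain = self.hostname
 self.targetDomain = self.hostname
 
+# As of June 2024 Samba will always report the version as "Windows 6.1", apparently due to a bug https://stackoverflow.com/a/67577401/17395725
+# Together with the reported build version "0" by Samba we can assume that it is a Samba server. Windows should always report a build version > 0
+# Also only on Windows we should get an OS arch as for that we would need MSRPC
 self.server_os = self.conn.getServerOS()
+self.server_os_major = self.conn.getServerOSMajor()
+self.server_os_minor = self.conn.getServerOSMinor()
+self.server_os_build = self.conn.getServerOSBuild()
+if "Windows 6.1" in self.server_os and self.server_os_build == 0 and self.os_arch == 0:
+self.server_os = "Unix - Samba"
+elif self.server_os_build == 0 and self.os_arch == 0:
+self.server_os = "Unix"
+self.logger.debug(f"Server OS: {self.server_os} {self.server_os_major}.{self.server_os_minor} build {self.server_os_build}")
+
 self.logger.extra["hostname"] = self.hostname
 
 if isinstance(self.server_os.lower(), bytes):
@@ -311,7 +326,8 @@ def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="",
 self.logger.debug(f"Got TGS for {self.args.delegate} through S4U")
 
 self.conn.kerberosLogin(self.username, password, domain, lmhash, nthash, aesKey, kdcHost, useCache=useCache, TGS=tgs)
-self.check_if_admin()
+if "Unix" not in self.server_os:
+self.check_if_admin()
 
 if username == "":
 self.username = self.conn.getCredentials()[0]
@@ -379,7 +395,8 @@ def plaintext_login(self, domain, username, password):
 self.logger.debug(f"Logged in with password to SMB with {domain}/{self.username}")
 self.is_guest = bool(self.conn.isGuestSession())
 self.logger.debug(f"{self.is_guest=}")
-self.check_if_admin()
+if "Unix" not in self.server_os:
+self.check_if_admin()
 self.logger.debug(f"Adding credential: {domain}/{self.username}:{self.password}")
 self.db.add_credential("plaintext", domain, self.username, self.password)
 user_id = self.db.get_credential("plaintext", domain, self.username, self.password)
@@ -450,7 +467,8 @@ def hash_login(self, domain, username, ntlm_hash):
 self.logger.debug(f"Logged in with hash to SMB with {domain}/{self.username}")
 self.is_guest = bool(self.conn.isGuestSession())
 self.logger.debug(f"{self.is_guest=}")
-self.check_if_admin()
+if "Unix" not in self.server_os:
+self.check_if_admin()
 user_id = self.db.add_credential("hash", domain, self.username, self.hash)
 host_id = self.db.get_hosts(self.host)[0].id
 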
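Review bot: In the `enum_host_info` hunk the new test `"Windows 6.1" in self.server_os` runs before the existing `isinstance(self.server_os.lower(), bytes)` handling a few lines below, so if `getServerOS()` can return bytes, as that later check implies, the membership test raises `TypeError` instead of fingerprinting. Moving the Samba check below the bytes normalisation, or guarding it with `isinstance(self.server_os, str)`, would avoid that. The `self.os_arch == 0` term also looks vacuous at this point: `__init__` sets `self.os_arch = 0` and nothing visible in the hunk assigns it before the comparison, so the classification appears to rest on build 0 alone and should be confirmed against where `os_arch` is actually populated. That matters because `kerberos_login`, `plaintext_login` and `hash_login` now skip `check_if_admin()` purely on the substring test `"Unix" not in self.server_os`, so a misclassified Windows host silently loses its admin check; a dedicated boolean set once in `enum_host_info` would be less fragile than matching on the display string. All four function bodies continue outside their hunks.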
