
File smb-os-discovery

Download: http://nmap.org/svn/scripts/smb-os-discovery.nse

User Summary

Attempts to determine the operating system, computer name, domain, and current time over the SMB protocol (ports 445 or 139). This is done by starting a session with the anonymous account (or with a proper user account, if one is given; it likely doesn't make a difference); in response to a session starting, the server will send back all this information.

Some systems, like Samba, will blank out their name (and only send their domain). Other systems (like embedded printers) will simply leave out the information. Other systems will blank out various pieces (some will send back 0 for the current time, for example).

Retrieving the name and operating system of a server is a vital step in targeting an attack against it, and this script makes that retrieval easy. Additionally, if a penetration tester is choosing between multiple targets, the time can help identify servers that are being poorly maintained (for more information/random thoughts on using the time, see http://www.skullsecurity.org/blog/?p=76).

Although the standard smb* script arguments can be used, they likely won't change the outcome in any meaningful way.

Script Arguments

randomseed, smbbasic, smbport, smbsign

See the documentation for the smb library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap --script smb-os-discovery.nse -p445 127.0.0.1
sudo nmap -sU -sS --script smb-os-discovery.nse -p U:137,T:139 127.0.0.1

Script Output

Host script results:
|  smb-os-discovery:
|  |  OS: Windows 2000 (Windows 2000 LAN Manager)
|  |  Name: WORKGROUP\RON-WIN2K-TEST
|_ |_ System time: 2009-11-09 14:33:39 UTC-6
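
The following is an added example, not part of the Nmap documentation or of the script: a parser for the output format shown above that reports, for a host you administer, which fields an SMB session start disclosed and whether the reported clock differs from the scan time. The function names, the five-minute threshold and the reading of the Name field as DOMAIN\NAME are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, copied from the format shown under "Script Output".
SAMPLE = """\
Host script results:
|  smb-os-discovery:
|  |  OS: Windows 2000 (Windows 2000 LAN Manager)
|  |  Name: WORKGROUP\\RON-WIN2K-TEST
|_ |_ System time: 2009-11-09 14:33:39 UTC-6
"""

# Strip the "|  |  " / "|_ |_ " tree prefix and capture the three known fields.
FIELD = re.compile(r"^[|_ ]+(OS|Name|System time):\s*(.*)$")
TIME = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC([+-]\d+)?$")

def parse_block(text):
    """Return os, domain, name and time (aware datetime or None) for one host."""
    raw = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            raw[m.group(1)] = m.group(2).strip()
    # Assumption: Name is DOMAIN\NAME; a value without a backslash is a name.
    domain, _, name = raw.get("Name", "").rpartition("\\")
    when = None
    m = TIME.match(raw.get("System time", ""))
    if m:  # servers that blank the time fall through with when = None
        tz = timezone(timedelta(hours=int(m.group(2) or 0)))
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return {"os": raw.get("OS") or None, "domain": domain or None,
            "name": name or None, "time": when}

def findings(rec, scan_time, max_skew=timedelta(minutes=5)):
    """List what the host disclosed and whether its clock is off."""
    out = [f"discloses {k}" for k in ("os", "domain", "name") if rec[k]]
    if rec["time"] is None:
        out.append("no usable system time")
    elif abs(rec["time"] - scan_time) > max_skew:
        out.append("clock skew %s" % abs(rec["time"] - scan_time))
    return out

if __name__ == "__main__":
    scan = datetime(2009, 11, 10, 20, 33, 39, tzinfo=timezone.utc)
    print(findings(parse_block(SAMPLE), scan))
```

Pass `scan_time` as a timezone-aware datetime taken when the scan ran, so the comparison is not affected by the server's reported UTC offset.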

Requires


Categories: default discovery safe

Author: Ron Bowes

License: Same as Nmap--See http://nmap.org/book/man-legal.html

Hostrule

hostrule (host)

Check whether or not this script should be run.

Parameters

  • host:
