{{tag>deutsch it-security pentest kali linux}}
====== nmap SMBv1 Scan via Script ======
:!: noch ungetestet :!:
Folgende Modifikationen müssen vorgenommen werden, um einen reinen SMBv1 Scan mittels nmap Script zu ermöglichen:
===== nmap/nselib/smb.lua =====
Folgende Funktion einfügen:
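---
-- Checks whether the target accepts an SMBv1 negotiation and reports the
-- dialect it agreed to.
--
-- Exactly one connection is opened with start(), used for a single
-- negotiate_v1() attempt and closed again with stop(). An earlier revision
-- re-opened a second connection after stop() and never closed it; that left
-- a dangling session on every scanned host and, when the re-connect failed,
-- discarded an SMBv1 finding that had already been made (a false negative in
-- an audit scan).
--
-- @param host      The host object handed in by the calling script.
-- @param overrides [optional] Table of overrides passed on to negotiate_v1();
--                  it is copied first, so the caller's table is not modified.
-- @return status   true if the connection could be established, else false.
-- @return result   On success a list holding the negotiated SMBv1 dialect
--                  (empty if the negotiation was refused); on failure the
--                  error value returned by start().
function list_smbv1dialect(host, overrides)
  local supported_dialects = {}

  overrides = tableaux.tcopy(overrides or {})

  stdnse.debug2("Checking if SMBv1 is supported")
  local status, smbstate = start(host)
  if status == false then
    -- On failure start() hands back the error in place of the state.
    return false, smbstate
  end

  local negotiated, smb1_dialect = negotiate_v1(smbstate, overrides)
  if negotiated then
    table.insert(supported_dialects, smb1_dialect)
  end

  -- Close the only connection this function opened before returning.
  stop(smbstate)

  return true, supported_dialects
end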
===== nmap/scripts/smbv1.nse =====
local smb = require "smb"
local stdnse = require "stdnse"
local nmap = require "nmap"
-- Script metadata read by NSE: help text, usage/output documentation,
-- authorship, licence and the categories the script is selectable by.
-- NOTE(review): the last sentence of the description ("successor to the
-- (removed) smbv2-enabled script") looks inherited from the script this file
-- was derived from and does not describe an SMBv1-only check - confirm.
description = [[
List SMBv1 Servers only.
The script attempts to initiate a connection using the dialects:
* NT LM 0.12 (SMBv1)
Additionally if SMBv1 is found enabled, it will mark it as insecure. This
script is the successor to the (removed) smbv2-enabled script.
]]
---
-- @usage nmap -p445 --script smbv1 <target>
-- @usage nmap -p139 --script smbv1 <target>
--
-- The output is labelled with the script id, which NSE takes from the file
-- name (smbv1.nse), not with the name of the script this one was derived from.
--
-- @output
-- | smbv1:
-- |   dialects:
-- |_    NT LM 0.12 (SMBv1) [dangerous, but default]
--
-- @xmloutput
-- <table key="dialects">
--   <elem>NT LM 0.12 (SMBv1) [dangerous, but default]</elem>
-- </table>
--
---
author = "Paulino Calderon, modded by PsyCore"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- Selectable via the "safe" and "discovery" categories; the action only calls
-- smb.list_smbv1dialect(), which performs a protocol negotiation.
categories = {"safe", "discovery"}
--- Host rule: run the script only where the smb library can find a port to
-- talk to.
-- @param host Host table supplied by NSE.
-- @return true if smb.get_port(host) yields a port, false if it yields nil.
function hostrule(host)
  local smb_port = smb.get_port(host)
  return smb_port ~= nil
end
--- Script action: report whether the host negotiated SMBv1.
--
-- Asks smb.list_smbv1dialect() for the accepted dialects, tags the
-- "NT LM 0.12" entry as SMBv1 and returns it as structured output. If nothing
-- was accepted, a hint is returned only when verbosity is above 1; otherwise
-- the script produces no output.
--
-- NOTE(review): the "but default" part of the label is inherited wording;
-- recent Windows releases no longer install SMBv1 by default, so a hit
-- usually means the protocol is still enabled on the host and should be
-- followed up on.
--
-- @param host Host table supplied by NSE.
-- @param port Unused by this function.
-- @return Output table with a "dialects" list, a diagnostic string, or nothing.
function action(host, port)
  local ok, dialects = smb.list_smbv1dialect(host)

  if ok then
    -- Rewrite the raw dialect name in place so the report shows the warning.
    for idx, name in pairs(dialects) do
      local is_smb1 = (name == "NT LM 0.12")
      if is_smb1 then
        dialects[idx] = name .. " (SMBv1) [dangerous, but default]"
      end
    end

    if #dialects > 0 then
      local result = stdnse.output_table()
      result.dialects = dialects
      return result
    end
  end

  -- Reached when the connection failed or the server refused the dialect.
  stdnse.debug1("No dialects were accepted")
  if nmap.verbosity() <= 1 then
    return
  end
  return "No dialects accepted. Something may be blocking the responses"
end
===== Scan starten =====
nmap -p139,445 --script smbv1 <Ziel>