mirror of https://github.com/nmap/nmap.git synced 2025-12-09 14:11:29 +00:00
nmap/scripts/smb-security-mode.nse
david f054d25d1f Adjust the categories of the new SMB scripts. Also fix a couple of
documentation typos.

smb-os-discovery.nse
-categories = {"version","default"}
+categories = {"default", "discovery", "safe"}
 
smb-enum.nse
-categories = {"version","intrusive"}
+categories = {"discovery", "intrusive"}
 
smb-security-mode.nse
-categories = {"version"}
+categories = {"discovery", "safe"}
2008-09-15 18:10:00 +00:00


--- Returns information about the SMB security level determined by SMB.
--
-- Here is how to interpret the output:
--
-- User-level security: Each user has a separate username/password that is used
-- to log into the system. This is the default setup of pretty much everything
-- these days.
-- Share-level security: The anonymous account should be used to log in, then
-- the password is given (in plaintext) when a share is accessed. All users who
-- have access to the share use this password. This was the original way of doing
-- things, but isn't commonly seen, now. If a server uses share-level security,
-- it is vulnerable to sniffing.
--
-- Challenge/response passwords: If enabled, the server can accept any type of
-- password:
-- * Plaintext
-- * LM and NTLM
-- * LMv2 and NTLMv2
-- If it isn't set, the server can only accept plaintext passwords. Most servers
-- are configured to use challenge/response these days. If a server is configured
-- to accept plaintext passwords, it is vulnerable to sniffing.
--
-- Message signing: If required, all messages between the client and server must
-- be signed by a shared key, derived from the password and the server
-- challenge. If supported and not required, message signing is negotiated between
-- clients and servers and used if both support and request it. By default, Windows clients
-- don't sign messages, so if message signing isn't required by the server, messages
-- probably won't be signed; additionally, if performing a man-in-the-middle attack,
-- an attacker can negotiate no message signing. If message signing isn't required, the
-- server is vulnerable to man-in-the-middle attacks.
--
-- See nselib/smb.lua for more information on the protocol itself.
--
--@usage
-- nmap --script smb-security-mode.nse -p445 127.0.0.1
-- sudo nmap -sU -sS --script smb-security-mode.nse -p U:137,T:139 127.0.0.1
--
--@output
-- | SMB Security: User-level authentication
-- | SMB Security: Challenge/response passwords supported
-- |_ SMB Security: Message signing supported
--
-----------------------------------------------------------------------
-- Script metadata, assigned as globals in the script's environment.
id          = "SMB Security"
description = "Attempts to determine the security mode over the SMB protocol (ports 445 and 139)."
author      = "Ron Bowes"
license     = "Same as Nmap--See http://nmap.org/book/man-legal.html"

-- "safe": the action in this file only opens an SMB session, negotiates the
-- protocol and disconnects; it sends no credentials.
categories = {
  "discovery",
  "safe",
}

-- SMB helper library (smb.get_port, smb.start, smb.negotiate_protocol,
-- smb.stop are used below).
require("smb")
--- Decide whether this script applies to a host.
-- The script runs only when smb.get_port() finds a port for the host.
--@param host Host table supplied by the scripting engine.
--@return true if smb.get_port() returned a non-nil port, false otherwise.
hostrule = function(host)
  return smb.get_port(host) ~= nil
end
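--- Negotiate SMB with the host and report the security mode it advertises.
--
-- Opens an SMB session, performs the protocol negotiation, and decodes the
-- 'security_mode' field of the negotiation result into report lines:
--   bit 0x01  set = user-level authentication, clear = share-level
--   bit 0x02  set = challenge/response passwords, clear = plaintext only
--   bit 0x04  message signing supported
--   bit 0x08  message signing required
-- The field originates from the remote server's reply, so it is checked
-- before being decoded.
--
--@param host Host table supplied by the scripting engine; passed to smb.start().
--@return A newline-terminated report string, or a string starting with
--        "Error: " if connecting or negotiating failed.
action = function(host)
  local status, socket = smb.start(host)
  if(status == false) then
    -- On failure the second return value is used as the error text.
    return "Error: " .. socket
  end

  -- Declared local: a bare assignment would create a global 'result' that
  -- outlives this call and is visible to every other invocation.
  local result
  status, result = smb.negotiate_protocol(socket)

  -- Nothing more is read from the connection, so release it on every path
  -- before decoding the reply.
  smb.stop(socket)

  if(status == false) then
    return "Error: " .. result
  end

  local security_mode = result['security_mode']
  if(type(security_mode) ~= "number") then
    -- Without this check bit.band() would raise on a missing or malformed
    -- field instead of producing a report.
    return "Error: Server didn't return a security mode"
  end

  local lines = {}

  -- User-level authentication or share-level authentication.
  -- Share-level means a shared per-share password sent in plaintext.
  if(bit.band(security_mode, 1) == 1) then
    lines[#lines + 1] = "User-level authentication\n"
  else
    -- NOTE(review): the leading space is kept exactly as in the original
    -- output; it looks unintentional -- confirm before changing.
    lines[#lines + 1] = " Share-level authentication\n"
  end

  -- Challenge/response supported? If not, passwords cross the wire in
  -- plaintext and can be sniffed.
  if(bit.band(security_mode, 2) == 0) then
    lines[#lines + 1] = "SMB Security: Plaintext only\n"
  else
    lines[#lines + 1] = "SMB Security: Challenge/response passwords supported\n"
  end

  -- Message signing supported/required? "Required" is checked first because
  -- it is the stronger statement; anything short of "required" leaves room
  -- for a man-in-the-middle to negotiate signing away.
  if(bit.band(security_mode, 8) == 8) then
    lines[#lines + 1] = "SMB Security: Message signing required\n"
  elseif(bit.band(security_mode, 4) == 4) then
    lines[#lines + 1] = "SMB Security: Message signing supported\n"
  else
    lines[#lines + 1] = "SMB Security: Message signing not supported\n"
  end

  return table.concat(lines)
end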