| Source | Link |
|---|---|
| nessus | www.nessus.org/u |
| support | www.support.microsoft.com/en-us/help/246261 |
#TRUSTED 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
#TRUST-RSA-SHA256 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
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
##
# Plugin registration. When Nessus loads the script with 'description'
# set, only this block runs: it declares the plugin metadata, the
# plugins it depends on and the KB keys / ports it needs, then exits
# before any of the login logic below is reached.
##
if(description)
{
script_id(10394);
script_version("1.178");
script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/08");
script_name(english:"Microsoft Windows SMB Log In Possible");
script_summary(english:"Attempts to log into the remote host.");
script_set_attribute(attribute:"synopsis", value:
"It was possible to log into the remote host.");
script_set_attribute(attribute:"description", value:
"The remote host is running a Microsoft Windows operating system or
Samba, a CIFS/SMB server for Unix. It was possible to log into it
using one of the following accounts :
- Guest account
- Supplied credentials
- Randomly generated credentials");
# https://support.microsoft.com/en-us/help/143474/restricting-information-available-to-anonymous-logon-users
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5c2589f6");
script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/246261");
script_set_attribute(attribute:"solution", value:"n/a");
# Informational plugin: a successful login is reported, not scored.
script_set_attribute(attribute:"risk_factor", value:"None");
script_set_attribute(attribute:"plugin_publication_date", value:"2000/05/09");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"asset_inventory", value:"True");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2000-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");
# Plugins that have to run first; presumably these detect the SMB
# service, read the supplied credentials and the global scan settings
# into the KB keys consumed below.
script_dependencies("wmi_start_server_svc.nbin", "global_settings.nasl", "kerberos.nasl", "netbios_name_get.nasl", "cifs445.nasl", "logins.nasl", "smb_nativelanman.nasl");
script_require_keys("SMB/name", "SMB/transport");
# NOTE(review): "/tmp/settings" is not a TCP port; it looks like a
# sentinel entry satisfied by one of the dependencies - confirm.
script_require_ports(139, 445, "/tmp/settings");
exit(0);
}
include("smb_func.inc");
include("lcx.inc");
include("structured_data.inc");
##
# Agent short-cut: when this plugin runs inside the local Windows Nessus
# Agent there is nothing to authenticate against over the network. The
# credential KB keys other Windows plugins require are filled with empty
# values, local checks are flagged as enabled, and the script stops.
##
var running_as_agent = get_kb_item("nessus/product/agent");
if(running_as_agent)
{
  # Note: some Windows credentialed plugins call:
  # script_require_keys("SMB/transport", "SMB/name", "SMB/login", "SMB/password");
  # Here we manually set the KBs
  set_kb_item(name:"SMB/login", value:"");
  set_kb_item(name:"SMB/password", value:"");
  # Set Local checks KB items
  set_kb_item(name:"Host/windows_local_checks", value:TRUE);
  set_kb_item(name:"Host/local_checks_enabled", value:TRUE);
  # debug breadcrumb recording where local checks were enabled
  # (the value looks like a source line number - confirm)
  replace_kb_item(name:'debug/Host/local_checks_enabled_source/plugins/Windows/s/smb_login.nasl', value: 68);
  # set domain/workgroup if known
  # set_kb_item(name:"SMB/domain", value:"");
  exit(0);
}
# session_is_admin is written by login(); port is the SMB transport port.
global_var session_is_admin, port;
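##
# Bind IPC$ over the currently negotiated SMB dialect with the given
# credentials and, on success, probe ADMIN$ to find out whether the
# account is administrative.
#
# @param lg    user name (NULL for a NULL session)
# @param pw    clear-text password, or NULL when a hash is used
# @param dom   domain / workgroup, may be NULL
# @param lm    raw LM hash, or NULL
# @param ntlm  raw NTLM hash, or NULL
#
# Side effect: sets the global session_is_admin to TRUE when ADMIN$ could
# be connected. Both tree connections are dropped before returning.
#
# @return the NetUseAdd() result for IPC$ (1 on success)
##
function _smb_login_bind(lg, pw, dom, lm, ntlm)
{
  local_var r;

  r = NetUseAdd(login:lg, password:pw, domain:dom, lm_hash:lm, ntlm_hash:ntlm, share:"IPC$");
  if(r == 1)
  {
    # keep the session open, only drop the IPC$ tree before trying ADMIN$
    NetUseDel(close:FALSE);
    if(NetUseAdd(share:"ADMIN$") == 1) session_is_admin = TRUE;
  }
  NetUseDel();
  return r;
}

##
# Attempt an SMB login, first with the newest dialect the scanner and the
# host share, then falling back to SMB1.
#
# kdc will only be present for credentials where the user has
# specified kerberos authentication on scanners >= nessus 6.0
#
# @param lg    user name (NULL for a NULL session)
# @param pw    clear-text password, or NULL when a hash is used
# @param dom   domain / workgroup, may be NULL
# @param lm    raw LM hash, or NULL
# @param ntlm  raw NTLM hash, or NULL
# @param kdc   array with 'host', 'port' and 'use_tcp' entries, or NULL
#
# Side effects: resets the global session_is_admin and sets it when
# ADMIN$ is reachable; while the attempt runs the Kerberos/KDC KB keys are
# populated from kdc and removed again afterwards; on an administrative
# login SMB/use_smb2 records whether the SMB2 dialect was in use
# (presumably consulted by later SMB plugins). Exits via audit() if the
# SMB session cannot be initialised.
#
# @return TRUE when IPC$ could be bound, FALSE otherwise
##
function login(lg, pw, dom, lm, ntlm, kdc)
{
  local_var r;

  session_is_admin = 0;

  if(kdc)
  {
    replace_kb_item(name:"Kerberos/SMB/kdc_use_tcp", value:kdc["use_tcp"]);
    replace_kb_item(name:"SMB/only_use_kerberos", value:TRUE);
    replace_kb_item(name:"KerberosAuth/enabled", value:TRUE);
    # used by open_sock_ex() (nessus >= 6)
    replace_kb_item(name:"Secret/SMB/kdc_hostname", value:kdc["host"]);
    replace_kb_item(name:"Secret/SMB/kdc_port", value:int(kdc["port"]));
    # used by open_sock_kdc() (nessus < 6)
    replace_kb_item(name:"Secret/kdc_hostname", value:kdc["host"]);
    replace_kb_item(name:"Secret/kdc_port", value:int(kdc["port"]));
    replace_kb_item(name:"Secret/kdc_use_tcp", value:int(kdc["use_tcp"]));
  }

  # Use latest version of SMB that Nessus and host share (likely SMB 2.002)
  if(!smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');
  r = _smb_login_bind(lg:lg, pw:pw, dom:dom, lm:lm, ntlm:ntlm);

  # If that fails, fallback to SMB1
  if(r != 1)
  {
    if(!smb_session_init(smb2:FALSE)) audit(AUDIT_FN_FAIL, 'smb_session_init');
    r = _smb_login_bind(lg:lg, pw:pw, dom:dom, lm:lm, ntlm:ntlm);
  }

  if(kdc)
  {
    # this needs to be deleted after each authentication attempt to avoid having stale KDC data in the KB
    # (e.g. 1st credentials attempt kerberos auth, 2nd credentials do not attempt kerberos auth).
    # if kerberos auth succeeds, this data will be saved in the KB permanently below where SMB/login et al are saved.
    # The keys removed here must mirror exactly the keys written above.
    rm_kb_item(name:"Kerberos/SMB/kdc_use_tcp");
    rm_kb_item(name:"SMB/only_use_kerberos");
    rm_kb_item(name:"KerberosAuth/enabled");
    rm_kb_item(name:"Secret/SMB/kdc_hostname");
    rm_kb_item(name:"Secret/SMB/kdc_port");
    rm_kb_item(name:"Secret/kdc_hostname");
    rm_kb_item(name:"Secret/kdc_port");
    rm_kb_item(name:"Secret/kdc_use_tcp");
  }

  if(r != 1) return FALSE;

  if(session_is_admin) replace_kb_item(name:"SMB/use_smb2", value:session_is_smb2());
  return TRUE;
}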
##
# Locate the SMB transport and make sure it is reachable before any
# authentication attempt is made.
##
var login_has_been_supplied = 0;
port = kb_smb_transport();
var name = kb_smb_name();

# the port scanner ran and determined the SMB transport port isn't open
if(get_kb_item("Host/scanned") && !get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);

# a plain TCP connect must work; the socket itself is not reused
var soc = open_sock_tcp(port);
if(!soc) audit(AUDIT_SOCK_FAIL, port);
close(soc);
##
# Collect the credential sets supplied for SMB from the KB
# (SMB/login_filled/<n>, SMB/password_filled/<n>, ...) into parallel
# arrays indexed by <n>. Enumeration stops at the first index whose
# login is empty after trimming.
##

##
# Drop trailing blanks from a KB-supplied credential field.
##
function _smb_login_rtrim(s)
{
  return ereg_replace(pattern:"([^ ]*) *$", string:s, replace:"\1");
}

var logins, passwords, domains, password_types, cred_types, kdc_info;
var raw_login, raw_password, raw_domain;
var kdc_host, kdc_port, kdc_use_tcp;
# with a global Kerberos configuration the per-credential KDC fields are ignored
var kerberos_is_global = get_kb_item("Kerberos/global");

for (var i = 0; TRUE; i++)
{
  raw_login = get_kb_item("SMB/login_filled/" + i);
  if(raw_login) raw_login = _smb_login_rtrim(s:raw_login);
  # an empty login marks the end of the supplied credential list
  if(!raw_login) break;

  login_has_been_supplied++;
  logins[i] = raw_login;

  raw_password = get_kb_item("SMB/password_filled/" + i);
  if(raw_password) passwords[i] = _smb_login_rtrim(s:raw_password);
  else passwords[i] = "";

  # the domain stays NULL when none was supplied
  raw_domain = get_kb_item("SMB/domain_filled/" + i);
  if(raw_domain) raw_domain = _smb_login_rtrim(s:raw_domain);
  domains[i] = raw_domain;

  password_types[i] = get_kb_item("SMB/password_type_filled/" + i);
  cred_types[i] = get_kb_item("SMB/cred_type/" + i);

  if(!kerberos_is_global)
  {
    kdc_host = get_kb_item("SMB/kdc_hostname_filled/" + i);
    kdc_port = get_kb_item("SMB/kdc_port_filled/" + i);
    kdc_use_tcp = get_kb_item("SMB/kdc_use_tcp_filled/" + i);
    # a KDC entry is only recorded when both host and port are present
    if(kdc_host && kdc_port)
      kdc_info[i] = make_array("host", kdc_host, "port", int(kdc_port), "use_tcp", kdc_use_tcp);
  }
}

# domain / workgroup reported for the server, as stored in the KB
var smb_domain = string(get_kb_item("SMB/workgroup"));
if(smb_domain) smb_domain = _smb_login_rtrim(s:smb_domain);
##
# Probe the access levels the service grants without any supplied
# credentials: a NULL session, 'administrator' with an empty password
# and a random user / password pair (guest-like access).
##
var hole = 0;
var rand_lg = rand_str(length:8, charset:"abcdefghijklmnopqrstuvwxyz");
var rand_pw = rand_str(length:8);

# NULL session: no user, no password, no domain
var null_session = FALSE;
if(login(lg:NULL, pw:NULL, dom:NULL)) null_session = TRUE;

# the remaining probes use made-up accounts and are skipped when the
# scan policy restricts authentication to the supplied credentials
# (admin_no_pw / any_login then stay NULL)
var admin_no_pw, any_login;
if(!supplied_logins_only)
{
  # 'administrator' with an empty password; a guest session does not count
  admin_no_pw = FALSE;
  if(login(lg:"administrator", pw:NULL, dom:NULL) && !session_is_guest())
    admin_no_pw = TRUE;

  # Test open to anyone login settings
  any_login = FALSE;
  if(login(lg:rand_lg, pw:rand_pw, dom:NULL))
  {
    any_login = TRUE;
    set_kb_item(name:"SMB/any_login", value:TRUE);
  }
}
##
# Start testing supplied creds
#
# Every supplied credential set is tried, in order, with up to three
# domain variants: the domain the user supplied, the domain the server
# reported (smb_domain) and no domain at all. A login that only yields a
# guest session does not count. The first working credential is kept in
# the working_* variables; an administrative login ends the search.
#
# The outer while loop runs at most twice: when at least one credential
# carried KDC data and none of them worked, the whole list is retried
# once with ntlm_failover set, i.e. without the KDC data.
##
var supplied_login_is_correct = FALSE;
var working_login = NULL;
var working_password = NULL;
var working_password_type = NULL;
var working_kdc = NULL;
var working_domain = NULL;
var working_cred_type = NULL;
var login_cred_type = NULL;
var ntlm_failover = FALSE;
# NOTE(review): valid_logins / valid_passwords are never used below
var valid_logins = make_list();
var valid_passwords = make_list();
var logged_in, user_login, user_password, k_password, user_domain, p_type, kdc;
var lm, ntlm, thisUser;
var loginFails = make_nested_array(); # for reporting failed login attempts
var at_least_one_kerb_cred = FALSE;
var all_kerb_creds = TRUE;
while(!supplied_login_is_correct)
{
for (i = 0; logins[i] && !supplied_login_is_correct; i++)
{
logged_in = 0;
user_login = logins[i];
k_password = user_password = passwords[i];
user_domain = domains[i];
p_type = password_types[i];
# on the NTLM fallback pass the KDC data is deliberately dropped
if(!ntlm_failover)
kdc = kdc_info[i];
else
kdc = NULL;
if(!kdc)
all_kerb_creds = FALSE;
else
at_least_one_kerb_cred = TRUE;
# password type: 0 = clear-text password, 1 = LM hash, 2 = NTLM hash.
# Hashes arrive as hex strings; the raw hash is handed to login() and the
# clear-text password is cleared. NOTE(review): any other value leaves
# lm / ntlm as set by the previous credential.
if(p_type == 0)
{
lm = ntlm = NULL;
}
if(p_type == 1)
{
lm = hex2raw2(s:tolower(user_password));
ntlm = user_password = NULL;
}
else if(p_type == 2)
{
ntlm = hex2raw2(s:tolower(user_password));
lm = user_password = NULL;
}
# user domain
# login() writes and removes the same KDC keys itself; the copies set here
# persist until the rm_kb_item() calls at the end of this iteration.
if(!isnull(kdc))
{
replace_kb_item(name:"Secret/kdc_use_tcp", value:kdc.use_tcp);
replace_kb_item(name:"Secret/SMB/kdc_hostname", value:kdc.host);
replace_kb_item(name:"Secret/SMB/kdc_port", value:kdc.port);
replace_kb_item(name:"Kerberos/SMB/kdc_use_tcp", value:kdc.use_tcp);
}
# 1st attempt: the domain supplied with the credential
if(login(lg:user_login, pw:user_password, dom:user_domain, lm:lm, ntlm:ntlm, kdc:kdc) && !session_is_guest())
{
logged_in ++;
if(session_is_admin) supplied_login_is_correct = TRUE;
# keep the first working credential; an admin login replaces a non-admin one
if(!working_login || session_is_admin)
{
working_login = user_login;
# for hash credentials the hex hash is what gets stored as the password
if(isnull(user_password))
{
if(!isnull(lm)) user_password = hexstr(lm);
else if(!isnull(ntlm)) user_password = hexstr(ntlm);
}
working_password = user_password;
working_password_type = p_type;
if(!ntlm_failover)
working_kdc = kdc;
working_domain = user_domain;
working_cred_type = cred_types[i];
}
}
else
{
# 2nd attempt: the domain the server reported, if different
if(tolower(user_domain) != tolower(smb_domain))
{
# smb domain
if(login(lg:user_login, pw:user_password, dom:smb_domain, lm:lm, ntlm:ntlm, kdc:kdc) && !session_is_guest())
{
logged_in ++;
if(session_is_admin) supplied_login_is_correct = TRUE;
# NOTE(review): unlike the 1st attempt, working_kdc is not recorded here
# or in the no-domain attempt below, so the KDC data is not persisted
# for a Kerberos credential that only works with one of these domains -
# confirm whether that is intended.
if(!working_login || session_is_admin)
{
working_login = user_login;
if(isnull(user_password))
{
if(!isnull(lm)) user_password = hexstr(lm);
else if(!isnull(ntlm)) user_password = hexstr(ntlm);
}
working_password = user_password;
working_password_type = p_type;
working_domain = smb_domain;
working_cred_type = cred_types[i];
}
}
}
# 3rd attempt: no domain at all
if(!logged_in)
{
# no domain
if(login(lg:user_login, pw:user_password, dom:NULL, lm:lm, ntlm:ntlm, kdc:kdc) && !session_is_guest())
{
logged_in++;
if(session_is_admin) supplied_login_is_correct = TRUE;
if(!working_login || session_is_admin)
{
working_login = user_login;
if(isnull(user_password))
{
if(!isnull(lm)) user_password = hexstr(lm);
else if(!isnull(ntlm)) user_password = hexstr(ntlm);
}
working_password = user_password;
working_password_type = p_type;
working_domain = NULL;
working_cred_type = cred_types[i];
}
# the server-reported domain is discarded once a login without a domain worked
smb_domain = NULL;
}
}
# record the failure under "domain\user" (or just "user") for reporting below
if(!logged_in)
{
thisUser = '';
if(!empty_or_null(user_domain))
thisUser += user_domain + "\";
thisUser += user_login;
if(!empty(thisUser))
loginFails[thisUser] = 'Failed to authenticate using the supplied credentials.';
}
}
# drop the per-credential KDC keys so they cannot leak into the next attempt
if(!isnull(kdc))
{
rm_kb_item(name:"Secret/kdc_use_tcp");
rm_kb_item(name:"Secret/SMB/kdc_hostname");
rm_kb_item(name:"Secret/SMB/kdc_port");
rm_kb_item(name:"Kerberos/SMB/kdc_use_tcp");
}
}
# stop unless a Kerberos credential failed and the NTLM retry has not run yet
if(!at_least_one_kerb_cred || ntlm_failover || working_login)
break;
ntlm_failover = TRUE;
# every credential used Kerberos and none worked: flag Kerberos as unusable
if(all_kerb_creds)
replace_kb_item(name:"SMB/kerberos_not_working", value:TRUE);
}
##
# Record the outcome of the credential tests: the Host/Auth/SMB/<port>
# KB keys, the lcx authentication log and the structured auth-status
# report.
##
var user_password_type, user_kdc;
var sd_auth_info = new("structured_data_authentication_status_information");
var auth_kb_prefix = "Host/Auth/SMB/" + port;

if(working_login)
{
  # promote the working credential to the variables used for reporting
  supplied_login_is_correct = TRUE;
  user_login = working_login;
  user_password = working_password;
  user_password_type = working_password_type;
  user_kdc = working_kdc;
  smb_domain = working_domain;
  login_cred_type = working_cred_type;

  replace_kb_item(name:auth_kb_prefix + "/Success", value:working_login);
  rm_kb_item(name:auth_kb_prefix + "/" + SCRIPT_NAME + "/Problem");
  rm_kb_item(name:auth_kb_prefix + "/Failure");
  lcx::log_auth_success(proto:lcx::PROTO_SMB, port:port, user:user_login, clear_failures:TRUE);
  sd_auth_info.insert_auth_status(auth_type:"SMB", user_id:user_login, method:login_cred_type, status:sd_auth_info.SUCCESS);

  # Right now we only count the number of failed logins, if we ever send the failed login up we will
  # need to assess if we need to supply the method as well.
  foreach var failed_user (keys(loginFails))
    sd_auth_info.insert_auth_status(auth_type:"SMB", user_id:failed_user, method:"N/A", status:sd_auth_info.FAILED);
}
else
{
  set_kb_item(name:auth_kb_prefix + "/Failure", value:TRUE);
  foreach var failed_user (keys(loginFails))
  {
    lcx::log_issue(type:lcx::ISSUES_AUTH, msg:loginFails[failed_user],
      port:port, proto:lcx::PROTO_SMB, user:failed_user);
    # Right now we only count the number of failed logins, if we ever send the failed login up we will
    # need to assess if we need to supply the method as well.
    sd_auth_info.insert_auth_status(auth_type:"SMB", user_id:failed_user, method:"N/A", status:sd_auth_info.FAILED);
  }

  # only raise the service issue when credentials were actually supplied
  # and no credential-less access was found either
  if(!supplied_login_is_correct && !admin_no_pw && login_has_been_supplied)
    lcx::log_issue(type:lcx::ISSUES_SVC, proto:lcx::PROTO_SMB, port:port,
      msg:'It was not possible to log into the remote host via smb (invalid credentials).');
}

sd_auth_info.report_internal();
var report = '';
##
# Reporting and KB population. When any form of access was found, the
# credentials later plugins should use are written to SMB/login,
# SMB/password and SMB/domain with this precedence: supplied credential,
# 'administrator' with a blank password, the random guest-like account,
# NULL session. Local checks are enabled only for a supplied or admin
# login. Otherwise the script audits out.
##
if(null_session || supplied_login_is_correct || admin_no_pw || any_login)
{
if(supplied_login_is_correct)
{
if(!user_password) user_password = "";
# SMB/password holds the clear-text password or, for hash credentials,
# the hex hash (see SMB/password_type).
set_kb_item(name:"SMB/login", value:user_login);
set_kb_item(name:"SMB/password", value:user_password);
set_kb_item(name:"SMB/password_type", value:user_password_type);
# persist the KDC data of the working credential; these mirror the keys
# login() sets temporarily during an attempt
if(!isnull(user_kdc))
{
replace_kb_item(name:"Secret/SMB/kdc_hostname", value:user_kdc["host"]);
replace_kb_item(name:"Secret/SMB/kdc_port", value:int(user_kdc["port"]));
replace_kb_item(name:"Secret/kdc_hostname", value:user_kdc["host"]);
replace_kb_item(name:"Secret/kdc_port", value:int(user_kdc["port"]));
replace_kb_item(name:"Secret/kdc_use_tcp", value:int(user_kdc["use_tcp"]));
replace_kb_item(name:"Kerberos/SMB/kdc_use_tcp", value:user_kdc["use_tcp"]);
replace_kb_item(name:"KerberosAuth/enabled", value:TRUE);
replace_kb_item(name:"SMB/only_use_kerberos", value:TRUE);
}
# the report shows the account used but masks the password
if(smb_domain != NULL)
{
set_kb_item(name:"SMB/domain", value:smb_domain);
report += '- The SMB tests will be done as ' + smb_domain + '\\' + user_login + '/******\n';
}
else
report += '- The SMB tests will be done as ' + user_login + '/******\n';
if(session_is_admin)
replace_kb_item(name:"Host/Auth/SMB/" + port + "/MaxPrivs", value:1);
}
# https://discussions.nessus.org/message/9562#9562 -- Apple's Time Capsule accepts any login with a
# blank password
# A blank 'administrator' password is only reported when a random user
# with a blank password is rejected, i.e. the server does not accept
# blank passwords for everyone.
if(admin_no_pw && !any_login && !login(lg:rand_str(length:8), pw:""))
{
set_kb_item(name:"SMB/blank_admin_password", value:TRUE);
report += '- The \'administrator\' account has no password set.\n';
# NOTE(review): hole is set but never read in this script
hole = 1;
if(!supplied_login_is_correct)
{
set_kb_item(name:"SMB/login", value:"administrator");
set_kb_item(name:"SMB/password", value:"");
set_kb_item(name:"SMB/domain", value:"");
}
}
if(any_login)
{
set_kb_item(name:"SMB/guest_enabled", value:TRUE);
report += '- Randomly generated remote users are authenticated as \'Guest\' or a guest-like account.\n';
if(!supplied_login_is_correct && !admin_no_pw)
{
set_kb_item(name:"SMB/login", value:rand_lg);
set_kb_item(name:"SMB/password", value:rand_pw);
set_kb_item(name:"SMB/domain", value:"");
}
}
if(null_session)
{
set_kb_item(name:"SMB/null_session_suspected", value:TRUE);
# a NULL session alone is only mentioned in paranoid mode or alongside other findings
if(report_paranoia >= 2 || !empty_or_null(report))
{
report += '- NULL sessions may be enabled on the remote host.\n';
}
if(!supplied_login_is_correct && !admin_no_pw && !any_login)
{
set_kb_item(name:"SMB/login", value:"");
set_kb_item(name:"SMB/password", value:"");
set_kb_item(name:"SMB/domain", value:"");
}
}
# local checks need a real (non-guest) account and a Windows-like target
if(supplied_login_is_correct || admin_no_pw)
{
if(!get_kb_item("SMB/not_windows"))
{
set_kb_item(name:"Host/windows_local_checks", value:TRUE);
set_kb_item(name:"Host/local_checks_enabled", value:TRUE);
# debug breadcrumb recording where local checks were enabled
# (the value looks like a source line number - confirm)
replace_kb_item(name:'debug/Host/local_checks_enabled_source/plugins/Windows/s/smb_login.nasl', value: 538);
}
var kb_dom = get_kb_item("SMB/domain");
var kb_lg = get_kb_item("SMB/login");
# without a domain the host IP is used as the prefix of the reported login
if(isnull(kb_dom)) kb_dom = get_host_ip();
var login_used = kb_dom + '\\' + kb_lg;
set_kb_item(name:"HostLevelChecks/smb_login", value:login_used);
if(!empty_or_null(login_cred_type))
{
replace_kb_item(name:"HostLevelChecks/cred_type", value:login_cred_type);
}
if(defined_func("report_xml_tag"))
{
report_xml_tag(tag:"local-checks-proto", value:"smb");
report_xml_tag(tag:"smb-login-used", value:login_used);
}
}
if(supplied_login_is_correct || admin_no_pw || any_login || (null_session && (report_paranoia >= 2)))
{
security_note(port:port, extra:report);
}
else
{
# The message fragment is completed by the AUDIT_POTENTIAL_VULN template
# (presumably "... install is potentially affected ...") - see the
# comment below for the intended wording.
audit(AUDIT_POTENTIAL_VULN, 'scanner was able to connect to a share with no username or password, but did not
attempt to bind. A NULL session may be possible but this');
# The scanner was able to connect to a share with no username or password, but did not attempt to bind. A NULL
# session may be possible but this install is potentially affected and therefore is only reported if
# 'Report Paranoia' is set to 'Paranoid'.
}
}
else
{
# no access at all: distinguish "no credentials configured" from "credentials rejected"
if(isnull(get_kb_item('SMB/login_filled/0'))) audit(AUDIT_MISSING_CREDENTIALS, "Windows");
else exit(0, "Failed to connect to the SMB service. Could not authenticate with the supplied credentials.");
}