I was recently trying as hard as I could to find out the Samba version that a machine was running. I exhausted most of the well-known SMB enumeration tools, but I was still unable to uncover the target's Samba version. After a couple of hours, this is how I finally managed to pull the version out. Hope this helps someone out there!
Attack Box's Min SMB Protocol
Before I was able to negotiate with the target machine, I kept getting the following error:
protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED
A couple of Google searches later, I realised that I had to configure my attack box to accept the older, less secure dialect before it would talk to the target: the client was refusing to negotiate down, so the target simply dropped the connection. The following is how I achieved that. Keep in mind that this lowers the minimum dialect for every Samba tool on the box, so revert it after the engagement (or scope it to a single command with smbclient's --option="client min protocol=LANMAN1" instead of editing the global config).
Add the following line to the [global] section of /etc/samba/smb.conf with your favourite text editor:
client min protocol = LANMAN1
Now I was all set for enumeration.
What I want to achieve manually
In the following section you can see that Metasploit (MSF) is able to pick the version up, whereas Nmap is not. My goal by the end of this is to achieve the same result without the help of MSF.
Manually Enumerating Samba Version
There are two things needed for this: smbver.sh (a short wrapper that triggers an anonymous smbclient login against the target while sniffing the reply) and Wireshark. First, start a simple Wireshark capture. Then run the script as follows:
./smbver.sh <target> <port>
Once it finishes, go back to the capture and stop it. Then follow the TCP stream of the first SMB-related packet.
After looking through a few related streams, the version should eventually be staring at us in plain text, as seen below! It is there because an SMB1 server fills in the Native LAN Manager field of its Session Setup AndX reply with its own version string ("Samba x.y.z"), and that is exactly what the script and the capture are pulling out. Note that this only works while the target still speaks SMB1; Samba 4.11 and later disable SMB1 by default, and an SMB2-only server never sends that field.
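The capture works because the server volunteers its version in the Native LAN Manager field of the SMB1 Session Setup AndX reply. The script below, an added example rather than the post's smbver.sh, speaks just enough SMB1 to request that reply itself and parse the field, so neither Wireshark nor Metasploit is needed. It assumes a target that still accepts the NT LM 0.12 dialect on port 445 (port 139 would additionally need a NetBIOS Session Request first) and that answers an anonymous, non-extended-security session setup with the plain WordCount-3 reply form; the packet it parses offline is constructed to that layout, not a real capture.

```python
# Added example: grab the Samba version from an SMB1 Session Setup AndX reply.
import re
import socket
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73
FLAGS2_UNICODE = 0x8000


def netbios_wrap(payload):
    """NetBIOS Session Service framing: type 0x00 plus a 3-byte big-endian length."""
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


def smb_header(command, flags=0x18, flags2=0x0001):
    """32-byte SMB1 header: magic, command, status, flags, flags2, PIDHigh,
    8 bytes of security features, reserved, TID, PIDLow, UID, MID."""
    return (SMB_MAGIC + struct.pack("<BIBHH", command, 0, flags, flags2, 0)
            + b"\x00" * 8 + struct.pack("<HHHHH", 0, 0, 0, 0, 0))


def negotiate_request(dialects=(b"NT LM 0.12",)):
    """SMB_COM_NEGOTIATE: WordCount 0, ByteCount, then the dialect list."""
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    return netbios_wrap(smb_header(SMB_COM_NEGOTIATE) + b"\x00"
                        + struct.pack("<H", len(body)) + body)


def session_setup_request():
    """Anonymous SMB_COM_SESSION_SETUP_ANDX (WordCount 13). Extended security is
    deliberately NOT requested (flags2 bit 0x0800 clear, Capabilities 0), so the
    server answers with the plain reply that carries the Native OS / Native LAN
    Manager strings in the clear instead of inside a SPNEGO blob."""
    words = struct.pack("<BBHHHHIHHII",
                        0xFF, 0, 0,      # no AndX command chained
                        0xFFFF, 2, 1,    # MaxBufferSize, MaxMpxCount, VcNumber
                        0, 1, 0,         # SessionKey, OEM pwd len (one NUL), Unicode pwd len
                        0, 0)            # Reserved, Capabilities
    data = (b"\x00" + b"\x00" + b"\x00"  # OEM password (NUL), AccountName "", PrimaryDomain ""
            + b"Unix\x00" + b"Samba\x00")  # our own NativeOS / NativeLanMan
    return netbios_wrap(smb_header(SMB_COM_SESSION_SETUP_ANDX) + b"\x0d" + words
                        + struct.pack("<H", len(data)) + data)


def parse_session_setup_response(packet):
    """Return (native_os, native_lanman, domain) from a plain Session Setup AndX
    reply, or None for anything else (including the WordCount-4 extended-security
    form, whose strings are not in this position)."""
    smb = packet[4:]                                  # drop the NetBIOS header
    if len(smb) < 41 or smb[:4] != SMB_MAGIC or smb[4] != SMB_COM_SESSION_SETUP_ANDX:
        return None
    flags2 = struct.unpack_from("<H", smb, 10)[0]
    word_count = smb[32]
    if word_count != 3:
        return None
    bcc_off = 33 + 2 * word_count                     # ByteCount follows the parameter words
    byte_count = struct.unpack_from("<H", smb, bcc_off)[0]
    data = smb[bcc_off + 2: bcc_off + 2 + byte_count]
    if flags2 & FLAGS2_UNICODE:
        if (bcc_off + 2) % 2:                         # UTF-16 strings are padded to an even offset
            data = data[1:]
        parts = data.decode("utf-16-le", "replace").split("\x00")
    else:
        parts = data.decode("latin-1").split("\x00")
    parts += [""] * 3
    return parts[0], parts[1], parts[2]


def samba_version(native_lanman):
    """'Samba 3.0.20-Debian' -> '3.0.20-Debian'; None if the server is not Samba."""
    m = re.search(r"Samba\s+(\S+)", native_lanman)
    return m.group(1) if m else None


def sample_session_setup_response(native_os, native_lanman, domain, unicode=True):
    """Constructed reply (not a capture) in the layout a Samba server uses, so the
    parser can be exercised offline. Action 1 = guest logon, as for a null session."""
    flags2 = FLAGS2_UNICODE if unicode else 0
    if unicode:
        data = b"\x00" + b"".join(s.encode("utf-16-le") + b"\x00\x00"
                                  for s in (native_os, native_lanman, domain))
    else:
        data = b"".join(s.encode("latin-1") + b"\x00" for s in (native_os, native_lanman, domain))
    words = struct.pack("<BBHH", 0xFF, 0, 0, 1)
    return netbios_wrap(smb_header(SMB_COM_SESSION_SETUP_ANDX, flags=0x98, flags2=flags2)
                        + b"\x03" + words + struct.pack("<H", len(data)) + data)


def _recvn(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection (SMB1 disabled?)")
        buf += chunk
    return buf


def _recv_smb(sock):
    hdr = _recvn(sock, 4)
    return hdr + _recvn(sock, int.from_bytes(hdr[1:], "big"))


def grab_version(host, port=445, timeout=5):
    """Live exchange: Negotiate, anonymous Session Setup, parse the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(negotiate_request())
        _recv_smb(s)                                   # negotiate reply; dialect accepted
        s.sendall(session_setup_request())
        return parse_session_setup_response(_recv_smb(s))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 445
        print(grab_version(sys.argv[1], port))
    else:  # no target given: demonstrate the parser on the constructed packet
        print(parse_session_setup_response(
            sample_session_setup_response("Unix", "Samba 3.0.20-Debian", "WORKGROUP")))
```

Run it as python3 smbver.py <target> [port]. A ConnectionError on the first read usually means the target no longer offers SMB1 at all (the default since Samba 4.11), in which case the version is not exposed this way; a None return means the server answered in the extended-security form, which this example does not decode.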
And that's how to enumerate Samba versions manually without the help of Metasploit! Metasploit's a great tool, don't get me wrong, but you know... OSCP and stuff. Hope this saves someone 3 hours of their time 😢~!