projectdiscovery / nuclei

Fast and customizable vulnerability scanner based on simple YAML based DSL.
https://docs.projectdiscovery.io/tools/nuclei
MIT License

Javascript SMB module not detecting correct SMB version #4832

Open epicsilence99 opened 4 months ago

epicsilence99 commented 4 months ago

Nuclei version: v3.1.10

Current Behavior:

When I'm scanning using javascript code with the smb protocol supported it's not returning the correct SMB version on the host being scanned. Every single time it's saying the version is 2.1. I've verified with shodan and nmap that the host is indeed actually running SMBv1, not SMBv2.

Expected Behavior:

I would expect it to return the actual SMB version that's running on the target being scanned.

Steps To Reproduce:

Example: steps to reproduce the behavior:

  1. Run nuclei -u https://target_here -t smb-detect-service-version.yaml
  2. Observe results below:
[JS] {
  "SupportV1": false,
  "Version": {
    "Major": 2,
    "Minor": 1,
    "Revision": 0,
    "VerString": "SMB 2.1"
  },
  "NativeOs": "",
  "NTLM": "",
  "GroupName": "",
  "Capabilities": {
    "DFSSupport": true,
    "Leasing": true,
    "LargeMTU": true,
    "MultiChan": false,
    "Persist": false,
    "DirLeasing": false,
    "Encryption": false
  },
  "HasNTLM": true,
  "NegotiationLog": {
    "HeaderLog": {
      "ProtocolID": [
        0,
        0,
        0,
        0,
        254,
        83,
        77,
        66
      ],
      "Status": 0,
      "Command": 0,
      "Credits": 1,
      "Flags": 1
    },
    "ProtocolID": [
      0,
      0,
      0,
      0,
      254,
      83,
      77,
      66
    ],
    "Status": 0,
    "Command": 0,
    "Credits": 1,
    "Flags": 1,
    "SecurityMode": 1,
    "DialectRevision": 528,
    "ServerGuid": [
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      0,
      211,
      138,
      30,
      169,
      255,
      137,
      176,
      73,
      183,
      160,
      154,
      52,
      37,
      227,
      149,
      241
    ],
    "Capabilities": 7,
    "SystemTime": 1709586164,
    "ServerStartTime": 1703694346,
    "AuthenticationTypes": [
      "1.3.6.1.4.1.311.2.2.30",
      "1.2.840.48018.1.2.2",
      "1.2.840.113554.1.2.2",
      "1.2.840.113554.1.2.2.3",
      "1.3.6.1.4.1.311.2.2.10"
    ]
  },
  "SessionSetupLog": {
    "HeaderLog": {
      "ProtocolID": [
        0,
        0,
        0,
        0,
        254,
        83,
        77,
        66
      ],
      "Status": 3221225494,
      "Command": 1,
      "Credits": 1,
      "Flags": 1
    },
    "ProtocolID": [
      0,
      0,
      0,
      0,
      254,
      83,
      77,
      66
    ],
    "Status": 3221225494,
    "Command": 1,
    "Credits": 1,
    "Flags": 1,
    "SetupFlags": 0,
    "TargetName": "{obfuscate}",
    "NegotiateFlags": 2726887941
  }
}

Anything else:

Template being used below that got the above response:

id: smb-service-detection-version
info:
  name: Detect SMB Service and Version
  author: inkeep
  severity: info

javascript:
  - code: |
      var smb = require('nuclei/smb');
      var c = smb.SMBClient();
      var metadata = c.ConnectSMBInfoMode(Host, Port);
      log(to_json(metadata));

    args:
      Host: "{{Host}}"
      Port: 445

    extractors:
      - type: json
        json:
          - '.Version.VerString'
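An added example (not nuclei's or the reporter's code) that decodes the negotiation fields in the output above the way a defender reading this report would: it classifies the header magic, translates DialectRevision 528 (0x0210) to SMB 2.1, expands the Capabilities bitmask, and flags that "SupportV1": false from an SMB2 negotiate does not establish whether SMBv1 is disabled on the host. The sample JSON is constructed from the values in the report; treating the four leading zero bytes of ProtocolID as a length/padding prefix is an assumption.

```python
import json

# Constructed sample: the fields from the report above that matter for
# interpreting the result, with the values copied from the reporter's output.
SAMPLE = json.dumps({
    "SupportV1": False,
    "NegotiationLog": {
        "ProtocolID": [0, 0, 0, 0, 254, 83, 77, 66],
        "DialectRevision": 528,
        "Capabilities": 7,
    },
    "SessionSetupLog": {"Status": 3221225494},
})

# SMB2 dialect codes (MS-SMB2 2.2.4); 0x02FF is the "2.???" wildcard.
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x02FF: "2.x (wildcard)",
            0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}
# SMB2 NEGOTIATE response Capabilities flags (MS-SMB2 2.2.4).
CAP_BITS = [(0x01, "DFS"), (0x02, "Leasing"), (0x04, "LargeMTU"),
            (0x08, "MultiChan"), (0x10, "Persist"), (0x20, "DirLeasing"),
            (0x40, "Encryption")]


def header_family(protocol_id):
    """Classify the 4-byte SMB magic. The logged field is 8 bytes; the four
    leading zeros are assumed to be a length/padding prefix, so the magic is
    taken from the last four bytes."""
    magic = bytes(protocol_id[4:8])
    if magic == b"\xfeSMB":
        return "SMB2"
    if magic == b"\xffSMB":
        return "SMB1"
    return "unknown"


def interpret(raw):
    """Turn the nuclei SMB info JSON into a defender-readable summary."""
    info = json.loads(raw)
    neg = info["NegotiationLog"]
    fam = header_family(neg["ProtocolID"])
    dialect = neg["DialectRevision"]
    caps = [name for bit, name in CAP_BITS if neg["Capabilities"] & bit]
    return {
        "header": fam,
        "dialect": DIALECTS.get(dialect, hex(dialect)),
        "capabilities": caps,
        # 0xC0000016 is STATUS_MORE_PROCESSING_REQUIRED: the NTLM challenge
        # step of session setup, not an error.
        "session_setup_pending": info["SessionSetupLog"]["Status"] == 0xC0000016,
        # An SMB2 negotiate never offers SMB1 dialects, so SupportV1 == False
        # only says "v1 was not negotiated", not "v1 is disabled".
        "smb1_state_known": fam == "SMB1",
    }
```

Reading the report through this lens, the only safe conclusion from nuclei's output is "the server accepted SMB 2.1 with DFS, leasing and large MTU"; confirming or ruling out SMBv1 needs an SMB1-dialect negotiate, which this module does not send.
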
Mzack9999 commented 3 months ago

@epicsilence99 Would it be possible to provide a target to test? Feel free to join our discord server and DM anyone from the staff mentioning this issue if the information cannot be provided publicly. Thanks!

epicsilence99 commented 2 months ago

@Mzack9999 I discussed this with @tarunKoyalwar at discord: https://discord.com/channels/695645237418131507/1224092148844986452/1226988099914174474

He suggested this is due to a library issue that's used and its limitation and there not being a better one available.