Nmap smb-brute NSE Script


This page contains detailed information about how to use the smb-brute NSE script. For list of all NSE scripts, visit the Nmap NSE Library.

Select:
Overview
Error Messages

Script Overview

Script source code: https://github.com/nmap/nmap/tree/master/scripts/smb-brute.nse
Script categories: intrusive, brute
Target service / protocol: smb, netbios, tcp, udp
Target network port(s): 137, 139, 445
List of CVEs: -

Script Description

The smb-brute.nse script attempts to guess username/password combinations over SMB, storing discovered combinations for use in other scripts. Every attempt will be made to get a valid list of users and to verify each username before actually using them. When a username is discovered, besides being printed, it is also saved in the Nmap registry so other Nmap scripts can use it. That means that if you're going to run smb-brute.nse, you should run other smb scripts you want. This checks passwords in a case-insensitive way, determining case after a password is found, for Windows versions before Vista.

This script is specifically targeted towards security auditors or penetration testers. One example of its use, suggested by Brandon Enright, was hooking up smb-brute.nse to the database of usernames and passwords used by the Conficker worm (the password list can be found at http://www.skullsecurity.org/wiki/index.php/Passwords, among other places. Then, the network is scanned and all systems that would be infected by Conficker are discovered.

From the penetration tester perspective its use is pretty obvious. By discovering weak passwords on SMB, a protocol that's well suited for bruteforcing, access to a system can be gained. Further, passwords discovered against Windows with SMB might also be used on Linux or MySQL or custom Web applications. Discovering a password greatly beneficial for a pen-tester.

This script uses a lot of little tricks that I (Ron Bowes) describe in detail in a blog posting, http://www.skullsecurity.org/blog/?p=164. The tricks will be summarized here, but that blog is the best place to learn more.

Usernames and passwords are initially taken from the unpwdb library. If possible, the usernames are verified as existing by taking advantage of Windows' odd behaviour with invalid username and invalid password responses. As soon as it is able, this script will download a full list of usernames from the server and replace the unpw usernames with those. This enables the script to restrict itself to actual accounts only.

When an account is discovered, it's saved in the smb module (which uses the Nmap registry). If an account is already saved, the account's privileges are checked; accounts with administrator privileges are kept over accounts without. The specific method for checking is by calling GetShareInfo("IPC$"), which requires administrative privileges. Once this script is finished (all other smb scripts depend on it, it'll run first), other scripts will use the saved account to perform their checks.

The blank password is always tried first, followed by "special passwords" (such as the username and the username reversed). Once those are exhausted, the unpwdb password list is used.

One major goal of this script is to avoid account lockouts. This is done in a few ways. First, when a lockout is detected, unless you user specifically overrides it with the smblockout argument, the scan stops. Second, all usernames are checked with the most common passwords first, so with not-too-strict lockouts (10 invalid attempts), the 10 most common passwords will still be tried. Third, one account, called the canary, "goes out ahead"; that is, three invalid attempts are made (by default) to ensure that it's locked out before others are.

In addition to active accounts, this script will identify valid passwords for accounts that are disabled, guest-equivalent, and require password changes. Although these accounts can't be used, it's good to know that the password is valid. In other cases, it's impossible to tell a valid password (if an account is locked out, for example). These are displayed, too. Certain accounts, such as guest or some guest-equivalent, will permit any password. This is also detected. When possible, the SMB protocol is used to its fullest to get maximum information.

When possible, checks are done using a case-insensitive password, then proper case is determined with a fairly efficient bruteforce. For example, if the actual password is "PassWord", then "password" will work and "PassWord" will be found afterwards (on the 14th attempt out of a possible 256 attempts, with the current algorithm).

Smb-brute NSE Script Arguments

This is a full list of arguments supported by the smb-brute.nse script:

brutelimit

Limits the number of usernames checked in the script. In some domains, it's possible to end up with 10,000+ usernames on each server. By default, this will be 5000, which should be higher than most servers and also prevent infinite loops or other weird things. This will only affect the user list pulled from the server, not the username list.

canaries

Sets the number of tests to do to attempt to lock out the first account. This will lock out the first account without locking out the rest of the accounts. The default is 3, which will only trigger strict lockouts, but will also bump the canary account up far enough to detect a lockout well before other accounts are hit.

smblockout

This argument will force the script to continue if it locks out an account or thinks it will lock out an account.

smbdomain

The domain to log in with. If you aren't in a domain environment, then anything will (should?) be accepted by the server.

smbhash

A password hash to use when logging in. This is given as a single hex string (32 characters) or a pair of hex strings (both 32 characters, optionally separated by a single character). These hashes are the LanMan or NTLM hash of the user's password, and are stored on disk or in memory. They can be retrieved from memory using the fgdump or pwdump tools.

smbnoguest

Use to disable usage of the 'guest' account.

smbpassword

The password to connect with. Be cautious with this, since some servers will lock accounts if the incorrect password is given. Although it's rare that the Administrator account can be locked out, in the off chance that it can, you could get yourself in trouble. To use a blank password, leave this parameter off altogether.

smbtype

The type of SMB authentication to use. These are the possible options:

  • v1: Sends LMv1 and NTLMv1.
  • LMv1: Sends LMv1 only.
  • NTLMv1: Sends NTLMv1 only (default).
  • v2: Sends LMv2 and NTLMv2.
  • LMv2: Sends LMv2 only.
  • NTLMv2: Doesn't exist; the protocol doesn't support NTLMv2 alone. The default, NTLMv1, is a pretty decent compromise between security and compatibility. If you are paranoid, you might want to use v2 or lmv2 for this. (Actually, if you're paranoid, you should be avoiding this protocol altogether!). If you're using an extremely old system, you might need to set this to v1 or lm, which are less secure but more compatible. For information, see smbauth.lua.

smbusername

The SMB username to log in with. The forms "DOMAIN\username" and "username@DOMAIN" are not understood. To set a domain, use the smbdomain argument.

randomseed

Set to a value to change the filenames/service names that are randomly generated.

smbbasic

Forces the authentication to use basic security, as opposed to "extended security". Against most modern systems, extended security should work, but there may be cases where you want to force basic. There's a chance that you'll get better results for enumerating users if you turn on basic authentication.

smbport

Override the default port choice. If smbport is open, it's used. It's assumed to be the same protocol as port 445, not port 139. Since it probably isn't possible to change Windows' ports normally, this is mostly useful if you're bouncing through a relay or something.

smbsign

Controls whether or not server signatures are checked in SMB packets. By default, on Windows, server signatures aren't enabled or required. By default, this library will always sign packets if it knows how, and will check signatures if the server says to. Possible values are:

  • force: Always check server signatures, even if server says it doesn't support them (will Probably fail, but is technically more secure).
  • negotiate: [default] Use signatures if server supports them.
  • ignore: Never check server signatures. Not recommended.
  • disable: Don't send signatures, at all, and don't check the server's. not recommended. More information on signatures can be found in smbauth.lua.

passdb

The filename of an alternate password database. Default: nselib/data/passwords.lst

unpwdb.passlimit

The maximum number of passwords passwords will return (default unlimited).

unpwdb.timelimit

The maximum amount of time that any iterator will run before stopping. The value is in seconds by default and you can follow it with ms, s, m, or h for milliseconds, seconds, minutes, or hours. For example, unpwdb.timelimit=30m or unpwdb.timelimit=.5h for 30 minutes. The default depends on the timing template level (see the module description). Use the value 0 to disable the time limit.

unpwdb.userlimit

The maximum number of usernames usernames will return (default unlimited).

userdb

The filename of an alternate username database. Default: nselib/data/usernames.lst

- - -
To use these script arguments, add them to the Nmap command line using the --script-args arg1=value,[arg2=value,..] syntax. For example:

nmap --script=smb-brute --script-args brutelimit=value,canaries=value <target>

Smb-brute NSE Script Example Usage

Here's an example of how to use the smb-brute.nse script:

nmap --script smb-brute.nse -p445 <host>

sudo nmap -sU -sS --script smb-brute.nse -p U:137,T:139 <host>

Smb-brute NSE Script Example Output

Here's a sample output from the smb-brute.nse script:

Host script results:
| smb-brute:
|   bad name:test => Valid credentials
|   consoletest:test => Valid credentials, password must be changed at next logon
|   guest:<anything> => Valid credentials, account disabled
|   mixcase:BuTTeRfLY1 => Valid credentials
|   test:password1 => Valid credentials, account expired
|   this:password => Valid credentials, account cannot log in at current time
|   thisisaverylong:password => Valid credentials
|   thisisaverylongname:password => Valid credentials
|   thisisaverylongnamev:password => Valid credentials
|_  web:TeSt => Valid credentials, account disabled

Smb-brute NSE Script Example XML Output

There is no sample XML output for this module. However, by providing the -oX <file> option, Nmap will produce a XML output and save it in the file.xml file.

Author

  • Ron Bowes

References

See Also

Related NSE scripts to the smb-brute.nse script:

Visit Nmap NSE Library for more scripts.

The smb-brute.nse script may fail with the following error messages. Check for the possible causes by using the code snippets highlighted below found in the script source code. This can often times help in identifying the root cause of the problem.

goes out ahead

Here is a relevant code snippet related to the "goes out ahead" error message:

51:	
52:	One major goal of this script is to avoid account lockouts. This is done in a few ways. First,
53:	when a lockout is detected, unless you user specifically overrides it with the <code>smblockout</code>
54:	argument, the scan stops. Second, all usernames are checked with the most common passwords first,
55:	so with not-too-strict lockouts (10 invalid attempts), the 10 most common passwords will still
56:	be tried. Third, one account, called the canary, "goes out ahead"; that is, three invalid
57:	attempts are made (by default) to ensure that it's locked out before others are.
58:	
59:	In addition to active accounts, this script will identify valid passwords for accounts that
60:	are disabled, guest-equivalent, and require password changes. Although these accounts can't
61:	be used, it's good to know that the password is valid. In other cases, it's impossible to

Invalid credentials

Here is a relevant code snippet related to the "Invalid credentials" error message:

157:	result_strings[results.DISABLED]             = "Valid credentials, account disabled"
158:	result_strings[results.EXPIRED]              = "Valid credentials, account expired"
159:	result_strings[results.CHANGE_PASSWORD]      = "Valid credentials, password must be changed at next logon"
160:	result_strings[results.ACCOUNT_LOCKED]       = "Valid credentials, account locked (hopefully not by us!)"
161:	result_strings[results.ACCOUNT_LOCKED_NOW]   = "Valid credentials, account just became locked (oops!)"
162:	result_strings[results.FAIL]                 = "Invalid credentials"
163:	result_strings[results.INVALID_LOGON_HOURS]  = "Valid credentials, account cannot log in at current time"
164:	result_strings[results.INVALID_WORKSTATION]  = "Valid credentials, account cannot log in from current host"
165:	
166:	---Constants for special passwords. These each contain a null character, which is illegal in
167:	-- actual passwords.

Valid credentials, account cannot log in at current time

Here is a relevant code snippet related to the "Valid credentials, account cannot log in at current time" error message:

158:	result_strings[results.EXPIRED]              = "Valid credentials, account expired"
159:	result_strings[results.CHANGE_PASSWORD]      = "Valid credentials, password must be changed at next logon"
160:	result_strings[results.ACCOUNT_LOCKED]       = "Valid credentials, account locked (hopefully not by us!)"
161:	result_strings[results.ACCOUNT_LOCKED_NOW]   = "Valid credentials, account just became locked (oops!)"
162:	result_strings[results.FAIL]                 = "Invalid credentials"
163:	result_strings[results.INVALID_LOGON_HOURS]  = "Valid credentials, account cannot log in at current time"
164:	result_strings[results.INVALID_WORKSTATION]  = "Valid credentials, account cannot log in from current host"
165:	
166:	---Constants for special passwords. These each contain a null character, which is illegal in
167:	-- actual passwords.
168:	local USERNAME          = "\0username"

Valid credentials, account cannot log in from current host

Here is a relevant code snippet related to the "Valid credentials, account cannot log in from current host" error message:

159:	result_strings[results.CHANGE_PASSWORD]      = "Valid credentials, password must be changed at next logon"
160:	result_strings[results.ACCOUNT_LOCKED]       = "Valid credentials, account locked (hopefully not by us!)"
161:	result_strings[results.ACCOUNT_LOCKED_NOW]   = "Valid credentials, account just became locked (oops!)"
162:	result_strings[results.FAIL]                 = "Invalid credentials"
163:	result_strings[results.INVALID_LOGON_HOURS]  = "Valid credentials, account cannot log in at current time"
164:	result_strings[results.INVALID_WORKSTATION]  = "Valid credentials, account cannot log in from current host"
165:	
166:	---Constants for special passwords. These each contain a null character, which is illegal in
167:	-- actual passwords.
168:	local USERNAME          = "\0username"
169:	local USERNAME_REVERSED = "\0username reversed"

ERROR: smb-brute: Was unable to determine case of %s's password

Here is a relevant code snippet related to the "ERROR: smb-brute: Was unable to determine case of %s's password" error message:

496:	      return thispassword
497:	    end
498:	  end
499:	
500:	  -- Print an error message
501:	  stdnse.debug1("ERROR: smb-brute: Was unable to determine case of %s's password", username)
502:	
503:	  -- If all else fails, just return the actual password (we probably shouldn't get here)
504:	  return password
505:	end
506:

Couldn't retrieve lockout policy:

Here is a relevant code snippet related to the "Couldn't retrieve lockout policy: " error message:

514:	  end
515:	
516:	  local status, result = msrpc.get_domains(host)
517:	  if(not(status)) then
518:	    stdnse.debug1("Couldn't detect lockout policy: %s", result)
519:	    return false, "Couldn't retrieve lockout policy: " .. result
520:	  end
521:	
522:	  for domain, data in pairs(result) do
523:	    if(data and data.lockout_threshold) then
524:	      stdnse.debug1("Server's lockout policy: lock out after %d attempts", data.lockout_threshold)

WARNING: couldn't determine lockout policy: %s

Here is a relevant code snippet related to the "WARNING: couldn't determine lockout policy: %s" error message:

555:	  stdnse.debug1("Remote operating system: %s", hostinfo['os'])
556:	
557:	  -- Check lockout policy
558:	  status, bad_lockout_policy_result = bad_lockout_policy(host)
559:	  if(not(status)) then
560:	    stdnse.debug1("WARNING: couldn't determine lockout policy: %s", bad_lockout_policy_result)
561:	  else
562:	    if(bad_lockout_policy_result) then
563:	      return false, "Account lockouts are enabled on the host. To continue (and risk lockouts), add --script-args=smblockout=1 -- for more information, run smb-enum-domains."
564:	    end
565:	  end

Account lockouts are enabled on the host. To continue (and risk lockouts), add --script-args=smblockout=1 -- for more information, run smb-enum-domains.

Here is a relevant code snippet related to the "Account lockouts are enabled on the host. To continue (and risk lockouts), add --script-args=smblockout=1 -- for more information, run smb-enum-domains." error message:

558:	  status, bad_lockout_policy_result = bad_lockout_policy(host)
559:	  if(not(status)) then
560:	    stdnse.debug1("WARNING: couldn't determine lockout policy: %s", bad_lockout_policy_result)
561:	  else
562:	    if(bad_lockout_policy_result) then
563:	      return false, "Account lockouts are enabled on the host. To continue (and risk lockouts), add --script-args=smblockout=1 -- for more information, run smb-enum-domains."
564:	    end
565:	  end
566:	
567:	  -- Attempt to enumerate users
568:	  stdnse.debug1("Trying to get user list from server")

Couldn't open username file

Here is a relevant code snippet related to the "Couldn't open username file" error message:

576:	  -- If the enumeration failed, try using the built-in list
577:	  if(not(hostinfo['have_user_list'])) then
578:	    stdnse.debug1("Couldn't enumerate users (normal for Windows XP and higher), using unpwdb initially")
579:	    status, hostinfo['user_list_default'] = unpwdb.usernames()
580:	    if(status == false) then
581:	      return false, "Couldn't open username file"
582:	    end
583:	  end
584:	
585:	  -- Open the password file
586:	  stdnse.debug1("Opening password list")

Couldn't open password file

Here is a relevant code snippet related to the "Couldn't open password file" error message:

584:	
585:	  -- Open the password file
586:	  stdnse.debug1("Opening password list")
587:	  status, hostinfo['password_list'] = unpwdb.passwords()
588:	  if(status == false) then
589:	    return false, "Couldn't open password file"
590:	  end
591:	
592:	  -- Start the SMB session
593:	  stdnse.debug1("Starting the initial SMB session")
594:	  local err

invalid_password

Here is a relevant code snippet related to the "invalid_password" error message:

600:	
601:	  -- Some hosts will accept any username -- check for this by trying to log in with a totally random name. If the
602:	  -- server accepts it, it'll be impossible to bruteforce; if it gives us a weird result code, we have to remember
603:	  -- it.
604:	  hostinfo['invalid_username'] = check_login(hostinfo, get_random_string(8), get_random_string(8), "ntlm")
605:	  hostinfo['invalid_password'] = check_login(hostinfo, "Administrator",      get_random_string(8), "ntlm")
606:	
607:	  stdnse.debug1("Server's response to invalid usernames: %s", result_short_strings[hostinfo['invalid_username']])
608:	  stdnse.debug1("Server's response to invalid passwords: %s", result_short_strings[hostinfo['invalid_password']])
609:	
610:	  -- If either of these comes back as success, there's no way to tell what's valid/invalid

Server's response to invalid usernames: %s

Here is a relevant code snippet related to the "Server's response to invalid usernames: %s" error message:

602:	  -- server accepts it, it'll be impossible to bruteforce; if it gives us a weird result code, we have to remember
603:	  -- it.
604:	  hostinfo['invalid_username'] = check_login(hostinfo, get_random_string(8), get_random_string(8), "ntlm")
605:	  hostinfo['invalid_password'] = check_login(hostinfo, "Administrator",      get_random_string(8), "ntlm")
606:	
607:	  stdnse.debug1("Server's response to invalid usernames: %s", result_short_strings[hostinfo['invalid_username']])
608:	  stdnse.debug1("Server's response to invalid passwords: %s", result_short_strings[hostinfo['invalid_password']])
609:	
610:	  -- If either of these comes back as success, there's no way to tell what's valid/invalid
611:	  if(hostinfo['invalid_username'] == results.SUCCESS) then
612:	    stop_session(hostinfo)

Server's response to invalid passwords: %s

Here is a relevant code snippet related to the "Server's response to invalid passwords: %s" error message:

603:	  -- it.
604:	  hostinfo['invalid_username'] = check_login(hostinfo, get_random_string(8), get_random_string(8), "ntlm")
605:	  hostinfo['invalid_password'] = check_login(hostinfo, "Administrator",      get_random_string(8), "ntlm")
606:	
607:	  stdnse.debug1("Server's response to invalid usernames: %s", result_short_strings[hostinfo['invalid_username']])
608:	  stdnse.debug1("Server's response to invalid passwords: %s", result_short_strings[hostinfo['invalid_password']])
609:	
610:	  -- If either of these comes back as success, there's no way to tell what's valid/invalid
611:	  if(hostinfo['invalid_username'] == results.SUCCESS) then
612:	    stop_session(hostinfo)
613:	    return false, "Invalid username was accepted; unable to bruteforce"

Invalid username was accepted; unable to bruteforce

Here is a relevant code snippet related to the "Invalid username was accepted; unable to bruteforce" error message:

608:	  stdnse.debug1("Server's response to invalid passwords: %s", result_short_strings[hostinfo['invalid_password']])
609:	
610:	  -- If either of these comes back as success, there's no way to tell what's valid/invalid
611:	  if(hostinfo['invalid_username'] == results.SUCCESS) then
612:	    stop_session(hostinfo)
613:	    return false, "Invalid username was accepted; unable to bruteforce"
614:	  end
615:	  if(hostinfo['invalid_password'] == results.SUCCESS) then
616:	    stop_session(hostinfo)
617:	    return false, "Invalid password was accepted; unable to bruteforce"
618:	  end

Invalid password was accepted; unable to bruteforce

Here is a relevant code snippet related to the "Invalid password was accepted; unable to bruteforce" error message:

612:	    stop_session(hostinfo)
613:	    return false, "Invalid username was accepted; unable to bruteforce"
614:	  end
615:	  if(hostinfo['invalid_password'] == results.SUCCESS) then
616:	    stop_session(hostinfo)
617:	    return false, "Invalid password was accepted; unable to bruteforce"
618:	  end
619:	
620:	  -- Print a message to the user if we can identify passwords
621:	  if(hostinfo['invalid_username'] ~= hostinfo['invalid_password']) then
622:	    stdnse.debug1("Invalid username and password response are different, so identifying valid accounts is possible")

Invalid username and password response are different, so identifying valid accounts is possible

Here is a relevant code snippet related to the "Invalid username and password response are different, so identifying valid accounts is possible" error message:

617:	    return false, "Invalid password was accepted; unable to bruteforce"
618:	  end
619:	
620:	  -- Print a message to the user if we can identify passwords
621:	  if(hostinfo['invalid_username'] ~= hostinfo['invalid_password']) then
622:	    stdnse.debug1("Invalid username and password response are different, so identifying valid accounts is possible")
623:	  end
624:	
625:	  -- Print a warning message if invalid_username and invalid_password go to the same thing that isn't FAIL
626:	  if(hostinfo['invalid_username'] ~= results.FAIL and hostinfo['invalid_username'] == hostinfo['invalid_password']) then
627:	    stdnse.debug1("WARNING: Difficult to recognize invalid usernames/passwords; may not get good results")

WARNING: Difficult to recognize invalid usernames/passwords; may not get good results

Here is a relevant code snippet related to the "WARNING: Difficult to recognize invalid usernames/passwords; may not get good results" error message:

622:	    stdnse.debug1("Invalid username and password response are different, so identifying valid accounts is possible")
623:	  end
624:	
625:	  -- Print a warning message if invalid_username and invalid_password go to the same thing that isn't FAIL
626:	  if(hostinfo['invalid_username'] ~= results.FAIL and hostinfo['invalid_username'] == hostinfo['invalid_password']) then
627:	    stdnse.debug1("WARNING: Difficult to recognize invalid usernames/passwords; may not get good results")
628:	  end
629:	
630:	  -- Restart the SMB connection so we have a clean slate
631:	  stdnse.debug1("Restarting the session before the bruteforce")
632:	  status, err = restart_session(hostinfo)

invalid_usernames'][username] ~= true and hostinfo['locked_usernames'][username] ~= true and hostinfo['accounts

Here is a relevant code snippet related to the "invalid_usernames'][username] ~= true and hostinfo['locked_usernames'][username] ~= true and hostinfo['accounts" error message:

699:	    -- Make the username lowercase (usernames aren't case sensitive, so making it lower case prevents duplicates)
700:	    if(username ~= nil) then
701:	      username = string.lower(username)
702:	    end
703:	
704:	  until username == nil or (hostinfo['invalid_usernames'][username] ~= true and hostinfo['locked_usernames'][username] ~= true and hostinfo['accounts'][username] == nil)
705:	
706:	  return username
707:	end
708:	
709:	---Reset to the first username.

Marking '%s' as 'invalid'

Here is a relevant code snippet related to the "Marking '%s' as 'invalid'" error message:

774:	      -- Add it to the locked username list (so it can be reported)
775:	      hostinfo['locked_usernames'][username] = true
776:	
777:	      -- Mark all the usernames as invalid (a bit of a hack, but it's safer this way)
778:	      while(username ~= nil) do
779:	        stdnse.debug1("Marking '%s' as 'invalid'", username)
780:	        hostinfo['invalid_usernames'][username] = true
781:	        username = get_next_username(hostinfo)
782:	      end
783:	    end
784:	  end

Blank password for '%s' -> '%s' (invalid account)

Here is a relevant code snippet related to the "Blank password for '%s' -> '%s' (invalid account)" error message:

819:	  while(username ~= nil) do
820:	    result = check_login(hostinfo, username, "", "ntlm")
821:	
822:	    if(result ~= hostinfo['invalid_password'] and result == hostinfo['invalid_username']) then
823:	      -- If the account matches the value of 'invalid_username', but not the value of 'invalid_password', it's invalid
824:	      stdnse.debug1("Blank password for '%s' -> '%s' (invalid account)", username, result_short_strings[result])
825:	      hostinfo['invalid_usernames'][username] = true
826:	
827:	    elseif(result == hostinfo['invalid_password']) then
828:	
829:	      -- If the account matches the value of 'invalid_password', and 'invalid_password' is reliable, it's probably valid

WARNING: couldn't determine lockout policy: %s

Here is a relevant code snippet related to the "WARNING: couldn't determine lockout policy: %s" error message:

915:	    smb.add_account(hostinfo['host'], username, '', password, nil, nil, is_admin)
916:	
917:	    -- Check lockout policy
918:	    local status, bad_lockout_policy_result = bad_lockout_policy(hostinfo['host'])
919:	    if(not(status)) then
920:	      stdnse.debug1("WARNING: couldn't determine lockout policy: %s", bad_lockout_policy_result)
921:	    else
922:	      if(bad_lockout_policy_result) then
923:	        return false, "Account lockouts are enabled on the host. To continue (and risk lockouts), add --script-args=smblockout=1 -- for more information, run smb-enum-domains."
924:	      end
925:	    end

Account lockouts are enabled on the host. To continue (and risk lockouts), add --script-args=smblockout=1 -- for more information, run smb-enum-domains.

Here is a relevant code snippet related to the "Account lockouts are enabled on the host. To continue (and risk lockouts), add --script-args=smblockout=1 -- for more information, run smb-enum-domains." error message:

918:	    local status, bad_lockout_policy_result = bad_lockout_policy(hostinfo['host'])
919:	    if(not(status)) then
920:	      stdnse.debug1("WARNING: couldn't determine lockout policy: %s", bad_lockout_policy_result)
921:	    else
922:	      if(bad_lockout_policy_result) then
923:	        return false, "Account lockouts are enabled on the host. To continue (and risk lockouts), add --script-args=smblockout=1 -- for more information, run smb-enum-domains."
924:	      end
925:	    end
926:	
927:	    -- If we haven't retrieved the real user list yet, do so
928:	    if(hostinfo['have_user_list'] == false) then

Version

This page has been created based on Nmap version 7.92.

Go back to menu.