
SMB Domain Information via NMAP

paul
Level 10

I am starting to play around with SMB information more for profiling.  When I scan my domain joined machines I am not getting the domain information:

SMB.cpe cpe:/o:microsoft:windows_10::-

SMB.lanmanager Windows 10 Enterprise 6.3

SMB.operating-system Windows 10 Enterprise 15063

SMB.server IUSCCCATO1\x00


I have seen workgroup information show up for non-domain joined devices and domain joined information show up for devices not in the domain ISE is a part of. If I do a scan using Zenmap I get the domain information from the device just fine. I am scanning from a non-domain joined device with Zenmap so I know there are no special permissions required.


Any thoughts would be appreciated.


paul
Level 10

As an example here is what Zenmap gets from scanning a system with the SMB script:

|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: UHAOC--PHOTOID
|   NetBIOS computer name: UHAOC--PHOTOID\x00
|   Domain name: chp.clarian.org
|   Forest name: clarian.org
|   FQDN: UHAOC--PHOTOID.chp.clarian.org


There should be no reason ISE isn't getting that data. The SMB domain field is already an NMAP variable defined in ISE.

hslai
Cisco Employee

When I allowed TCP 139 and 445 only from ISE to a domain Windows computer, I got the info on the specific ports only. When I disabled the Windows Firewall on the domain Windows computer, I got the host script results with the OS and Domain info; e.g.

SMB.cpe cpe:/o:microsoft:windows_10::-
SMB.fqdn wx-corp.demo.local
SMB.lanmanager Windows 10 Enterprise 2016 LTSB 6.3
SMB.operating-system Windows 10 Enterprise 2016 LTSB 14393
SMB.server WX-CORP\x00
SMB.workgroup DEMO\x00

Why is ISE not pulling the SMB domain? Using the Zenmap SMB OS script, it is all available.


hslai
Cisco Employee

I believe the system where you ran Zenmap SMB OS script has more access than ISE. Please ensure these ports are allowed from ISE to the endpoints:

T:445,139,U:137

hslai
Cisco Employee

Regarding no SMB domain or forest, it's a known issue -- CSCuy27476, which might take a couple of days to be visible to you.
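
To compare what ISE stored for an endpoint with what a manual SMB OS script run returns, the added example below (not code from this thread or from Cisco) parses both output formats quoted above and reports which domain-identifying fields are present. The function names are hypothetical, and the key names in `DOMAIN_KEYS` are limited to those printed in the thread.

```python
import re

# Sample inputs taken from the two outputs quoted in this thread.
ISE_ATTRS = """\
SMB.cpe cpe:/o:microsoft:windows_10::-
SMB.lanmanager Windows 10 Enterprise 6.3
SMB.operating-system Windows 10 Enterprise 15063
SMB.server IUSCCCATO1\\x00
"""
NMAP_SCRIPT = """\
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: UHAOC--PHOTOID
|   NetBIOS computer name: UHAOC--PHOTOID\\x00
|   Domain name: chp.clarian.org
|   Forest name: clarian.org
|   FQDN: UHAOC--PHOTOID.chp.clarian.org
"""

# Assumption: only key names that appear in the thread are treated as
# domain-identifying; other ISE attribute names are not guessed here.
DOMAIN_KEYS = {"domain name", "forest name", "fqdn", "smb.fqdn", "smb.workgroup"}

def clean(value):
    """Drop the literal '\\x00' text and real NUL bytes left on NetBIOS names."""
    return value.replace("\\x00", "").replace("\x00", "").strip()

def parse_ise(text):
    """Parse 'SMB.key value' lines as shown in the ISE endpoint attributes."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*(SMB\.[\w-]+)\s+(.*)$", line)
        if m:
            out[m.group(1).lower()] = clean(m.group(2))
    return out

def parse_nmap(text):
    """Parse '|   Key: value' (or '|_ Key: value') host-script lines."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\|[_\s]*([^:]+):\s*(.*)$", line)
        if m:
            out[m.group(1).strip().lower()] = clean(m.group(2))
    return out

def domain_fields(attrs):
    """Return only the non-empty attributes that carry domain or workgroup identity."""
    return {k: v for k, v in attrs.items() if k in DOMAIN_KEYS and v}
```

An empty result from `domain_fields(parse_ise(...))` next to a populated one from `domain_fields(parse_nmap(...))` for the same host is the gap described in this thread.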