Improve fingerprinting of SMB endpoints via native_lm + recog

lib/msf/core/exploit/smb/client.rb

@@ -323,8 +323,6 @@ def smb_enumprintproviders
 
       # This method performs an extensive set of fingerprinting operations
       def smb_fingerprint
-        fprint = {}
-
         # Connect to the server if needed
         if not self.simple
           connect()
@@ -338,12 +336,38 @@ def smb_fingerprint
           end
         end
 
-        fprint['native_os'] = smb_peer_os()
+        native_os_fingerprint = smb_fingerprint_native_os()
+        native_lm_fingerprint = smb_fingerprint_native_lm()
+        # attempt to nicely merge together the fingerprints
+        merged_fingerprint = native_os_fingerprint.merge(native_lm_fingerprint) { |key, native_os_val, native_lm_val|
+          # in the event of fingerprint conflicts, prefer the one we got from native_os
+          unique_vals = { "#{native_lm_val}": 1 }
+          unique_vals.merge({ "#{native_os_val}": 1 }).keys.join(' ')
+        }
+        merged_fingerprint["os"] = 'Unknown' unless merged_fingerprint["os"]
+        merged_fingerprint
+      end
+
+      def smb_fingerprint_native_lm()
+        fprint = {}
         fprint['native_lm'] = smb_peer_lm()
 
+        # Leverage Recog for SMB native LM fingerprinting
+        fp_match = Recog::Nizer.match('smb.native_lm', fprint['native_lm']) || { }
+        fprint["os"] = fp_match['os.product']
+        fprint["sp"] = fp_match['os.version']
+        fprint["service"] = fp_match['service.product']
+        fprint["service.version"] = fp_match['service.version']
+
+        fprint
+      end
+
+      def smb_fingerprint_native_os()
+        fprint = {}
+        fprint['native_os'] = smb_peer_os()
+
         # Leverage Recog for SMB native OS fingerprinting
         fp_match = Recog::Nizer.match('smb.native_os', fprint['native_os']) || { }
-
         os = fp_match['os.product'] || 'Unknown'
         sp = fp_match['os.version'] || ''
 
@@ -366,8 +390,16 @@ def smb_fingerprint
 
         lang = smb_fingerprint_windows_lang
 
-        fprint['os']   = os
-        fprint['sp']   = sp
+        if os != 'Unknown'
+          fprint['os'] = os
+        end
+
+        if sp != ''
+          fprint['sp'] = sp
+        end
+
+        fprint["service"] = fp_match['service.product']
+        fprint["service.version"] = fp_match['service.version']
         fprint['lang'] = lang
 
         fprint

modules/auxiliary/scanner/smb/smb_version.rb

@@ -149,9 +149,18 @@ def run_host(ip)
           :data  => match_conf
         )
       else
-        desc = "#{res['native_os']} (#{res['native_lm']})"
-        report_service(:host => ip, :port => rport, :name => 'smb', :info => desc)
-        print_status("Host could not be identified: #{desc}")
+        descs = []
+        descs << "native_lm=#{res['native_lm']}" unless res['native_lm'].blank?
+        descs << "native_os=#{res['native_os']}" unless res['native_os'].blank?
+        desc = descs.join(' ')
+        if desc.blank?
+          report_service(:host => ip, :port => rport, :name => 'smb')
+          print_status("Host could not be identified: no native LM/OS info obtained")
+        else
+          desc = "no native LM/OS info obtained" if desc.blank?
+          report_service(:host => ip, :port => rport, :name => 'smb', :info => desc)
+          print_status("Host could not be identified: #{desc}")
+        end
       end
 
       # Report a smb.fingerprint hash of attributes for OS fingerprinting