mirror of
https://github.com/nmap/nmap.git
synced 2025-12-16 20:59:02 +00:00
Qualify some "I"s in script documentation to attribute them to their author, to
reduce confusion when many scripts are presented together. Also make a few other miscellaneous documentation cleanups.
@@ -5,8 +5,6 @@ Attempt's to get the target's NetBIOS names and MAC address.
|
|||||||
By default, the script displays the name of the computer and the logged-in
|
By default, the script displays the name of the computer and the logged-in
|
||||||
user; if the verbosity is turned up, it displays all names the system thinks it
|
user; if the verbosity is turned up, it displays all names the system thinks it
|
||||||
owns.
|
owns.
|
||||||
\n\n
|
|
||||||
For more information on the NetBIOS protocol, see 'nselib/netbios.lua'.
|
|
||||||
]]
|
]]
|
||||||
|
|
||||||
---
|
---
|
||||||
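Review bot: the context line `Attempt's to get the target's NetBIOS names and MAC address.` carries a stray apostrophe (should be `Attempts`); since this commit is a documentation cleanup pass over this very description, fix it here rather than leaving it for another pass. Dropping the `\n\n` line is correct: inside a Lua `[[ ... ]]` long string backslash escapes are not processed, so it was emitted into the rendered description as a literal backslash-n sequence rather than a paragraph break. The removed `For more information on the NetBIOS protocol, see 'nselib/netbios.lua'.` was the only cross-reference in this description to the library the script builds on; consider keeping it in some form so readers of the rendered docs know where the protocol details live.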
@@ -37,9 +35,6 @@ categories = {"default", "discovery", "safe"}
|
|||||||
|
|
||||||
require "netbios"
|
require "netbios"
|
||||||
|
|
||||||
-- I have excluded the port function param because it doesn't make much sense
|
|
||||||
-- for a hostrule. It works without warning. The NSE documentation is
|
|
||||||
-- not explicit enough in this regard.
|
|
||||||
hostrule = function(host)
|
hostrule = function(host)
|
||||||
|
|
||||||
-- The following is an attempt to only run this script against hosts
|
-- The following is an attempt to only run this script against hosts
|
||||||
|
|||||||
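Review bot: the three deleted comment lines were the only explanation of why `hostrule = function(host)` omits the port parameter; that is the normal hostrule signature, so dropping the aside is fine, but the complaint they carried (the NSE documentation not being explicit about hostrule arguments) disappears with them. If it is still true, raise it against the NSE docs rather than letting it vanish silently with this cleanup.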
@@ -115,7 +115,7 @@ action = function(host)
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
-- If no domanis were returned, print an error (I don't expect this will actually happen)
|
-- If no domains were returned, print an error (I don't expect this will actually happen)
|
||||||
if(#enumdomains_result['domains'] == 0) then
|
if(#enumdomains_result['domains'] == 0) then
|
||||||
if(nmap.debugging() > 0) then
|
if(nmap.debugging() > 0) then
|
||||||
return "ERROR: Couldn't find any domains to check"
|
return "ERROR: Couldn't find any domains to check"
|
||||||
|
|||||||
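Review bot: the typo fix (`domanis` to `domains`) is right, but the same comment keeps an unqualified `I don't expect this will actually happen`, which is exactly the kind of first-person remark the commit message sets out to attribute; it is an inline comment rather than rendered NSEDoc text, so it is less visible, but for consistency reword it to `this is not expected to happen`. The comment also says `print an error`, while the code below returns `ERROR: Couldn't find any domains to check` only when `nmap.debugging() > 0`, so at the default debug level the script produces no output at all in that case; say so in the comment, or drop the debug guard if the error should always be reported.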
@@ -6,8 +6,8 @@ services), or through a SMB share.
|
|||||||
Enumerating the local and terminal services users is done by reading the remote registry. Keys under
|
Enumerating the local and terminal services users is done by reading the remote registry. Keys under
|
||||||
<code>HKEY_USERS</code> are SIDs that represent the currently logged in users, and those SIDs can be converted
|
<code>HKEY_USERS</code> are SIDs that represent the currently logged in users, and those SIDs can be converted
|
||||||
to proper names by using the <code>LsaLookupSids()</code> function. Doing this requires any access higher than
|
to proper names by using the <code>LsaLookupSids()</code> function. Doing this requires any access higher than
|
||||||
anonymous (guests, users, or administrators are all able to perform this request on the operating
|
anonymous. Guests, users, or administrators are all able to perform this request on the operating
|
||||||
systems I tested).
|
systems I (Ron Bowes) tested.
|
||||||
|
|
||||||
Enumerating SMB connections is done using the <code>srvsvc.netsessenum()</code> function, which returns who's
|
Enumerating SMB connections is done using the <code>srvsvc.netsessenum()</code> function, which returns who's
|
||||||
logged in, when they logged in, and how long they've been idle for. Unfortunately, I couldn't find
|
logged in, when they logged in, and how long they've been idle for. Unfortunately, I couldn't find
|
||||||
|
|||||||
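Review bot: `Unfortunately, I couldn't find` on the last context line is left unqualified while the `I tested` two lines above it becomes `I (Ron Bowes) tested`; in the rendered description both sentences read as the same author's, so either attribute both or neither. The hunk header context `through a SMB share` should read `through an SMB share`.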
@@ -6,7 +6,7 @@ retrieve more information about each share using <code>srvsvc.NetShareGetInfo()<
|
|||||||
Running
|
Running
|
||||||
<code>NetShareEnumAll()</code> will work anonymously on Windows 2000, and requires a user-level
|
<code>NetShareEnumAll()</code> will work anonymously on Windows 2000, and requires a user-level
|
||||||
account on any other Windows version. Calling <code>NetShareGetInfo()</code> requires an
|
account on any other Windows version. Calling <code>NetShareGetInfo()</code> requires an
|
||||||
administrator account on every version of Windows I tested.
|
administrator account on every version of Windows I (Ron Bowes) tested.
|
||||||
|
|
||||||
Although <code>NetShareEnumAll()</code> is restricted on certain systems, actually connecting to
|
Although <code>NetShareEnumAll()</code> is restricted on certain systems, actually connecting to
|
||||||
a share to check if it exists will always work. So, if <code>NetShareEnumAll()</code> fails, a
|
a share to check if it exists will always work. So, if <code>NetShareEnumAll()</code> fails, a
|
||||||
|
|||||||
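Review bot: the attribution `I (Ron Bowes) tested` matches the smb-enum-sessions change, but the same description goes on to claim that connecting to a share to check whether it exists `will always work`; that is an absolute where the preceding sentence was carefully limited to the versions tested, so qualify it the same way (`worked on every version tested`) rather than promising behaviour on versions nobody checked.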
@@ -38,11 +38,11 @@ a user on a domain or system. An LSA function is exposed which lets us convert t
|
|||||||
(say, 1000) to the username (say, "Ron"). So, the technique will essentially try
|
(say, 1000) to the username (say, "Ron"). So, the technique will essentially try
|
||||||
converting 1000 to a name, then 1001, 1002, etc., until we think we're done.
|
converting 1000 to a name, then 1001, 1002, etc., until we think we're done.
|
||||||
|
|
||||||
I break the users into groups of 5 RIDs, and check them individually (checking too many
|
Users are broken into groups of five RIDs, then checked individually (checking too many
|
||||||
at once causes problems). I continue checking until I reach 1100, and get an empty
|
at once causes problems). We continue checking until we reach 1100, and get an empty
|
||||||
group. This probably isn't the most effective way, but it seems to work.
|
group. This probably isn't the most effective way, but it seems to work.
|
||||||
It might be a good idea to modify this, in the future, with some more
|
It might be a good idea to modify this, in the future, with some more
|
||||||
intelligence. I performed a test on an old server with a lot of accounts,
|
intelligence. I (Ron Bowes) performed a test on an old server with a lot of accounts,
|
||||||
and I got these results: 500, 501, 1000, 1030, 1031, 1053, 1054, 1055,
|
and I got these results: 500, 501, 1000, 1030, 1031, 1053, 1054, 1055,
|
||||||
1056, 1057, 1058, 1059, 1060, 1061, 1062, 1063, 1064, 1065, 1066, 1067, 1070,
|
1056, 1057, 1058, 1059, 1060, 1061, 1062, 1063, 1064, 1065, 1066, 1067, 1070,
|
||||||
1075, 1081, 1088, 1090. The jump from 1000 to 1030 is quite large and can easily
|
1075, 1081, 1088, 1090. The jump from 1000 to 1030 is quite large and can easily
|
||||||
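Review bot: the paragraph now mixes voices: passive (`Users are broken into groups of five RIDs`), first-person plural (`We continue checking until we reach 1100`), attributed first person (`I (Ron Bowes) performed a test`) and then an unattributed `and I got these results`. Pick one; at minimum change `and I got these results` to `and got these results` so the only `I` left is the attributed one. The stop condition also deserves a more precise sentence: `until we reach 1100, and get an empty group` should make explicit that both conditions must hold, because the 1000 to 1030 gap in the listed RIDs spans several consecutive empty groups of five that an empty-group-only stop would have cut off.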
@@ -51,7 +51,7 @@ result in missing accounts, in an automated check.
|
|||||||
Before attempting this conversion, the SID of the server has to be determined.
|
Before attempting this conversion, the SID of the server has to be determined.
|
||||||
The SID is determined by doing the reverse operation, that is, converting a name into
|
The SID is determined by doing the reverse operation, that is, converting a name into
|
||||||
a RID. The name is determined by looking up any name present on the system.
|
a RID. The name is determined by looking up any name present on the system.
|
||||||
In this script, I try:
|
We try:
|
||||||
* The computer name and domain name, returned in <code>SMB_COM_NEGOTIATE</code>;
|
* The computer name and domain name, returned in <code>SMB_COM_NEGOTIATE</code>;
|
||||||
* An nbstat query to get the server name and the user currently logged in; and
|
* An nbstat query to get the server name and the user currently logged in; and
|
||||||
* Some common names: "administrator", "guest", and "test".
|
* Some common names: "administrator", "guest", and "test".
|
||||||
|
|||||||
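Review bot: `We try:` drops the subject that `In this script, I try:` supplied and continues the we/I mix of the preceding paragraph; `The script tries:` says who performs the lookups and matches the passive voice of the SID-determination sentences just above it.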