From 26510fe8a777947474110f94fd64132d9353bfff Mon Sep 17 00:00:00 2001
From: dmiller
Date: Fri, 15 Jan 2016 20:19:55 +0000
Subject: [PATCH] Remove hardcoded IP from ftp-bounce

Instead of hard-coding the many-years-invalid IP address of scanme.nmap.org, look it up via DNS. Even better, you can override the host used for this purpose, in case you don't want to tip your hand.
---
 scripts/ftp-bounce.nse | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/scripts/ftp-bounce.nse b/scripts/ftp-bounce.nse
index 9c4a00d93..9dbbbcf21 100644
--- a/scripts/ftp-bounce.nse
+++ b/scripts/ftp-bounce.nse
@@ -1,6 +1,7 @@
 local coroutine = require "coroutine"
 local nmap = require "nmap"
 local shortport = require "shortport"
+local stdnse = require "stdnse"
 local string = require "string"
 
 description=[[
@@ -14,6 +15,8 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
 -- "anonymous".
 -- @args ftp-bounce.password Password to log in with. Default
 -- "IEUser@".
+-- @args ftp-bounce.checkhost Host to try connecting to with the PORT command.
+-- Default: scanme.nmap.org
 --
 -- @output
 -- PORT STATE SERVICE
@@ -102,6 +105,19 @@ local get_login = function()
   return user or "anonymous", pass or "IEUser@"
 end
 
+local portfmt_cached
+local function get_portfmt()
+  if portfmt_cached then return portfmt_cached end
+  local arghost = stdnse.get_script_args(SCRIPT_NAME .. ".checkhost") or "scanme.nmap.org"
+  local status, addrs = nmap.resolve(arghost, "inet")
+  if not status or #addrs < 1 then
+    stdnse.verbose1("Couldn't resolve %s, scanning 10.0.0.1 instead.", arghost)
+    addrs = {"10.0.0.1"}
+  end
+  portfmt_cached = string.format("PORT %s,%%s\r\n", (string.gsub(addrs[1], "%.", ",")))
+  return portfmt_cached
+end
+
 action = function(host, port)
   local socket = nmap.new_socket()
   local result;
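Review bot: When `nmap.resolve` fails, get_portfmt quietly substitutes 10.0.0.1 for the host the user asked for and reports it only at verbosity 1; that address lies in private space and may well sit on the target's own network, so the bounce result then answers a different question than the one posed with ftp-bounce.checkhost, and because the format string is cached the substitution is carried to every later host in the run. A typo in the argument would go unnoticed in default output. I would make the lookup failure explicit instead of falling back, e.g. replace the `addrs = {"10.0.0.1"}` branch with `stdnse.verbose1("Couldn't resolve %s", arghost)` followed by `return nil`, and have action check for a nil portfmt before its first `socket:send`. If the fallback is kept, the `-- Default: scanme.nmap.org` doc line should say that an unresolvable host is replaced by 10.0.0.1.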
@@ -182,7 +198,9 @@ action = function(host, port)
   end
 
   -- PORT scanme.nmap.com:highport
-  socket:send("PORT 205,217,153,62,80,80\r\n")
+  local portfmt = get_portfmt()
+  -- This is actually port 256*80 + 80 = 20560
+  socket:send(string.format(portfmt, "80,80"))
   fc = get_ftp_code(socket)
   if (fc >= 500 and fc <= 599) then
     socket:close()
@@ -201,7 +219,7 @@ action = function(host, port)
   end
 
   -- PORT scanme.nmap.com:lowport
-  socket:send("PORT 205,217,153,62,0,80\r\n")
+  socket:send(string.format(portfmt, "0,80"))
   fc = get_ftp_code(socket)
   if (fc >= 500 and fc <= 599) then
     socket:close()
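Review bot: The comments `-- PORT scanme.nmap.com:highport` here and `-- PORT scanme.nmap.com:lowport` in the next hunk still name the old fixed host (with a .com/.org mismatch) even though the address now comes from ftp-bounce.checkhost; they are context lines, but they sit directly above the rewritten sends and now mislead. I would change them to `-- PORT <checkhost>:highport (default scanme.nmap.org)` and `-- PORT <checkhost>:lowport`. The `local portfmt` declared here is also what the next hunk's send relies on, which requires both sends to be in the same scope of action; the matching indentation suggests they are, but the body between the two hunks is outside the diff. action starts and ends outside both hunks.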