From 26ef852a28d573fead43dbfc41857e5cd4acfdb7 Mon Sep 17 00:00:00 2001 From: dmiller Date: Sat, 8 Sep 2018 17:07:06 +0000 Subject: [PATCH] Move stdnse.generate_random_string to new rand.lua --- nselib/anyconnect.lua | 10 +++---- nselib/bittorrent.lua | 15 ++++++----- nselib/ike.lua | 18 +++++-------- nselib/ipmi.lua | 3 ++- nselib/mqtt.lua | 3 ++- nselib/sip.lua | 31 ++++++++-------------- nselib/sslv2.lua | 3 ++- nselib/stdnse.lua | 33 ------------------------ nselib/tls.lua | 3 ++- scripts/broadcast-dhcp-discover.nse | 13 +--------- scripts/broadcast-jenkins-discover.nse | 3 ++- scripts/broadcast-ping.nse | 6 ++--- scripts/dhcp-discover.nse | 8 ++---- scripts/dns-brute.nse | 5 ++-- scripts/dns-nsec3-enum.nse | 5 ++-- scripts/http-drupal-enum.nse | 3 ++- scripts/http-form-brute.nse | 5 ++-- scripts/http-form-fuzzer.nse | 21 ++++----------- scripts/http-jsonp-detection.nse | 3 ++- scripts/http-method-tamper.nse | 3 ++- scripts/http-methods.nse | 3 ++- scripts/http-shellshock.nse | 3 ++- scripts/http-vuln-cve2011-3368.nse | 5 ++-- scripts/http-vuln-cve2013-6786.nse | 3 ++- scripts/http-vuln-cve2014-3704.nse | 15 ++++++----- scripts/http-vuln-cve2014-8877.nse | 5 ++-- scripts/http-vuln-cve2015-1427.nse | 3 ++- scripts/http-vuln-cve2015-1635.nse | 3 ++- scripts/http-vuln-cve2017-5638.nse | 3 ++- scripts/http-vuln-cve2017-5689.nse | 3 ++- scripts/ipmi-brute.nse | 5 ++-- scripts/ipv6-ra-flood.nse | 13 ++++------ scripts/irc-botnet-channels.nse | 7 ++--- scripts/irc-brute.nse | 7 ++--- scripts/irc-info.nse | 9 +++---- scripts/oracle-enum-users.nse | 3 ++- scripts/rtsp-url-brute.nse | 3 ++- scripts/smb-brute.nse | 6 ++--- scripts/smb-vuln-ms06-025.nse | 3 ++- scripts/ssh-auth-methods.nse | 3 ++- scripts/targets-ipv6-multicast-slaac.nse | 4 +-- scripts/tftp-enum.nse | 3 ++- scripts/tls-ticketbleed.nse | 3 ++- 43 files changed, 123 insertions(+), 186 deletions(-) diff --git a/nselib/anyconnect.lua b/nselib/anyconnect.lua index 4dc8f64ae..5f05d8619 100644 
--- a/nselib/anyconnect.lua +++ b/nselib/anyconnect.lua @@ -11,8 +11,8 @@ local http = require('http') local stdnse = require('stdnse') local url = require('url') -local math = require('math') local table = require('table') +local rand = require "rand" local args_group= stdnse.get_script_args('anyconnect.group') or "VPN" local args_mac= stdnse.get_script_args('anyconnect.mac') @@ -26,11 +26,7 @@ Cisco = { Util = { generate_mac = function() - local mac = {} - for i=1,6 do - mac[#mac + 1] = (("%x"):format(math.random(255))):gsub(' ', '0'); - end - return table.concat(mac,':') + return stdnse.format_mac(rand.random_string(6)) end, }, @@ -47,7 +43,7 @@ Cisco = { -- generate a random hex-string of length 'length' -- generate_random = function(length) - return stdnse.generate_random_string(length * 2, '0123456789ABCDEF') + return rand.random_string(length * 2, '0123456789ABCDEF') end, connect = function(self) diff --git a/nselib/bittorrent.lua b/nselib/bittorrent.lua index 5806b8e4b..8fc503332 100644 --- a/nselib/bittorrent.lua +++ b/nselib/bittorrent.lua @@ -99,6 +99,7 @@ local stdnse = require "stdnse" local string = require "string" local table = require "table" local url = require "url" +local rand = require "rand" _ENV = stdnse.module("bittorrent", stdnse.seeall) --- Given a buffer and a starting position in the buffer, this function decodes @@ -432,7 +433,7 @@ local find_node_thread = function(pnt, timeout) -- q = "find_node" (type of query), -- find_node Query = {"t":, "y":"q", "q":"find_node", "a": {"id":, "target":}} local find_node_query = "d1:ad2:id20:" .. pnt.node_id .. "6:target20:" .. - pnt.info_hash .. "e1:q9:find_node1:t2:" .. openssl.rand_bytes(2) .. "1:y1:qe" + pnt.info_hash .. "e1:q9:find_node1:t2:" .. rand.random_string(2) .. "1:y1:qe" -- add the traversed nodes to pnt.nodes_get_peers so they can be traversed by get_peers_thread pnt.nodes_get_peers[node_ip] = node_info 
@@ -509,7 +510,7 @@ local get_peers_thread = function(pnt, timeout) -- and q = "get_peers" (type of query) -- {"t":, "y":"q", "q":"get_peers", "a": {"id":, "info_hash":}} local get_peers_query = "d1:ad2:id20:" .. pnt.node_id .. "9:info_hash20:" .. - pnt.info_hash .. "e1:q9:get_peers1:t2:" .. openssl.rand_bytes(2) .. "1:y1:qe" + pnt.info_hash .. "e1:q9:get_peers1:t2:" .. rand.random_string(2) .. "1:y1:qe" pnt.nodes[node_ip] = node_info pnt.nodes_get_peers[node_ip] = nil @@ -719,7 +720,7 @@ Torrent = pnt.nodes_get_peers = {} pnt.nodes_find_node = self.nodes - pnt.node_id = openssl.rand_bytes(20) + pnt.node_id = rand.random_string(20) pnt.info_hash = self.info_hash local condvar = nmap.condvar(pnt) @@ -868,7 +869,7 @@ Torrent = local fingerprint = "-KT4110-" local chars = {} -- the full length of a peer_id is 20 bytes but we already have 8 from the fingerprint - return fingerprint .. stdnse.generate_random_string(12, + return fingerprint .. rand.random_string(12, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789") end, @@ -966,7 +967,7 @@ Torrent = local socket = nmap.new_socket("udp") -- The initial connection parameters' variables have hello_ prefixed names - local hello_transaction_id = openssl.rand_bytes(4) + local hello_transaction_id = rand.random_string(4) local hello_packet = "\0\0\x04\x17\x27\x10\x19\x80" -- identification of the protocol .. "\0\0\0\0" -- 0 for a connection request .. hello_transaction_id @@ -992,7 +993,7 @@ Torrent = -- the announce connection parameters' variables are prefixed with a_ local a_action = 1 -- 1 for announce - local a_transaction_id = openssl.rand_bytes(4) + local a_transaction_id = rand.random_string(4) local a_info_hash = self.info_hash -- info_hash of the torrent local a_peer_id = self:generate_peer_id() local a_downloaded = 0 -- 0 bytes downloaded 
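Review bot: The UDP tracker code in `Torrent` (hunks `@@ -966,7` and `@@ -992,7`) now takes `hello_transaction_id` and `a_transaction_id` from `rand.random_string(4)` instead of `openssl.rand_bytes(4)`, which changes the randomness source from OpenSSL's CSPRNG to whatever rand.lua uses, and rand.lua is not shown in this diff. A transaction ID is typically what ties a UDP reply to its request, so if rand.lua can fall back to a non-cryptographic generator, these values become guessable and spoofed replies could end up in scan results; whether the replies are checked against the ID is outside the visible hunks. The same substitution is made for `pnt.node_id`, the DHT `t` values and `a_key`. I would state the guarantee in rand.lua's module documentation and add a comment at these call sites, e.g. `-- needs unpredictable bytes; see rand.lua for the source used`.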
@@ -1003,7 +1004,7 @@ Torrent = local a_event = 2 -- value of 2 for started torrent local a_ip = 0 -- not necessary to specify our ip since it's resolved -- by tracker automatically - local a_key = openssl.rand_bytes(4) + local a_key = rand.random_string(4) local a_num_want = 0xFFFFFFFF -- request for many many peers local a_port = 6881 -- the port "we are listening on" local a_extensions = 0 -- client recognizes no extensions of the bittorrent proto diff --git a/nselib/ike.lua b/nselib/ike.lua index c16255b9d..22bff7b54 100644 --- a/nselib/ike.lua +++ b/nselib/ike.lua @@ -27,6 +27,7 @@ local nmap = require "nmap" local stdnse = require "stdnse" local string = require "string" local table = require "table" +local rand = require "rand" _ENV = stdnse.module("ike", stdnse.seeall) local ENC_METHODS = { @@ -127,13 +128,6 @@ local function load_fingerprints() end --- generate a random hex-string of length 'length' --- -local function generate_random(length) - return stdnse.generate_random_string(length * 2, '0123456789ABCDEF') -end - - -- convert a string to a hex-string (of the ASCII representation) -- local function convert_to_hex(id) @@ -406,16 +400,16 @@ local function generate_aggressive(port, protocol, id, diffie) key_length = 192 end - return bin.pack(">SHHSSHSHCHHH", + return bin.pack(">SHASSASHCHHH", -- Key Exchange 0x0a00, -- Next payload (Nonce) string.format("%04X", key_length+4), -- Length (132-bit) - generate_random(key_length), -- Random key data + rand.random_string(key_length), -- Random key data -- Nonce 0x0500, -- Next payload (Identification) 0x0018, -- Length (24) - generate_random(20), -- Nonce data + rand.random_string(20), -- Nonce data -- Identification 0x0000, -- Next Payload (None) 
@@ -523,8 +517,8 @@ function request(port, proto, mode, transforms, diffie, id) l_pro = string.format("%.4X", 8 + transform_string:len()) -- Build the packet - local packet = bin.pack(">HLCCCCIHSHIISHCCCH", - generate_random(8), -- Initiator cookie + local packet = bin.pack(">ALCCCCIHSHIISHCCCH", + rand.random_string(8), -- Initiator cookie 0x0000000000000000, -- Responder cookie 0x01, -- Next payload (SA) 0x10, -- Version diff --git a/nselib/ipmi.lua b/nselib/ipmi.lua index 7ac96ae3a..531da836a 100644 --- a/nselib/ipmi.lua +++ b/nselib/ipmi.lua @@ -8,6 +8,7 @@ local bin = require "bin" local stdnse = require "stdnse" local string = require "string" +local rand = require "rand" _ENV = stdnse.module("ipmi", stdnse.seeall) @@ -98,7 +99,7 @@ end -- Open rmcpplus_request session_open_cipher_zero_request = function(console_session_id) - console_session_id = console_session_id or stdnse.generate_random_string(4) + console_session_id = console_session_id or rand.random_string(4) local data = ( "\x00\x00" .. -- Maximum Access diff --git a/nselib/mqtt.lua b/nselib/mqtt.lua index d56718043..b84a0d1dd 100644 --- a/nselib/mqtt.lua +++ b/nselib/mqtt.lua @@ -6,6 +6,7 @@ local stdnse = require "stdnse" local string = require "string" local table = require "table" local unittest = require "unittest" +local rand = require "rand" _ENV = stdnse.module("mqtt", stdnse.seeall) @@ -539,7 +540,7 @@ MQTT.packet["CONNECT"].build = function(options) if not client_id then -- We throw in randomness in case there are multiple scripts using this -- library on a single port. - client_id = "nmap" .. stdnse.generate_random_string(16) + client_id = "nmap" .. rand.random_alpha(16) end assert(type(client_id) == "string") tail = tail .. MQTT.utf8_build(client_id) diff --git a/nselib/sip.lua b/nselib/sip.lua index 4de78ea5e..84b1e06f0 100644 --- a/nselib/sip.lua +++ b/nselib/sip.lua 
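Review bot: In nselib/ipmi.lua the default `console_session_id` now comes from `rand.random_string(4)` with no charset, whereas the removed `stdnse.generate_random_string` documented a default of `[A-Z]`; what `rand.random_string` returns without a charset is defined in rand.lua, which is not shown here. If the new default is the full byte range, this commit changes the bytes sent on the wire rather than only moving a function, and the same applies to the no-charset calls in sslv2.lua (`challenge`), tls.lua (client hello random), broadcast-jenkins-discover.nse (`probe`) and ipmi-brute.nse. That is probably what binary protocol fields want, but the commit subject says only "Move", so I would note it in the commit message and add a short comment at these call sites, e.g. `-- 4 arbitrary random bytes (previously A-Z letters)`.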
@@ -20,8 +20,6 @@ -- - A class containing code for handling SIP responses -- * Request -- - A class containing code for handling SIP requests --- * Util --- - A class containing static utility functions -- * SIPAuth -- - A class containing code related to SIP Authentication -- * Helper @@ -42,6 +40,7 @@ local stdnse = require "stdnse" local openssl = stdnse.silent_require "openssl" local string = require "string" local table = require "table" +local rand = require "rand" _ENV = stdnse.module("sip", stdnse.seeall) -- Method constants @@ -66,6 +65,13 @@ Error = { PROXY_AUTH_REQUIRED = 407, } +-- Generates a random string of the requested length. +-- @param length The length of the string to return +-- @return The random string. +local get_random_string = function(length) + return rand.random_string(length, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_") +end + -- The SessionData class SessionData = { @@ -529,7 +535,7 @@ Request = { o.maxfwd = 70 o.method = method o.length = 0 - o.cid = Util.get_random_string(60) + o.cid = get_random_string(60) return o end, @@ -638,9 +644,9 @@ Request = { -- @return ret string containing the complete request for sending over the socket __tostring = function(self) local data = {} - local branch = "z9hG4bK" .. Util.get_random_string(25) + local branch = "z9hG4bK" .. get_random_string(25) -- must be at least 32-bit unique - self.from_tag = self.from_tag or Util.get_random_string(20) + self.from_tag = self.from_tag or get_random_string(20) local sessdata = self.sessdata local lhost, lport = sessdata:getClient() local rhost, rport = sessdata:getServer() 
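Review bot: Making `get_random_string` a file-local in sip.lua (hunk `@@ -66,6`) removes the documented public `Util.get_random_string`, which is deleted in the later `@@ -727,21` hunk, so any script that still calls `sip.Util.get_random_string` would fail on a nil index after this commit. No sip-* script appears in this patch's file list, so either nothing used it or a caller was missed; a grep before merging would settle it. The new helper also drops the old defaults (`length or 8` and the optional `set`), which is fine for the three internal callers shown but should be stated in its comment, e.g. `-- @param length Length of the string to return (required, no default)`.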
@@ -727,21 +733,6 @@ Request = { } --- A minimal Util class with supporting functions -Util = { - - --- Generates a random string of the requested length. - -- @name Util.get_random_string - -- @param length (optional) The length of the string to return. Default: 8. - -- @param set (optional) The set of letters to choose from. Default: upper, lower, numbers, and underscore. - -- @return The random string. - get_random_string = function(length, set) - return stdnse.generate_random_string(length or 8, - set or "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_") - end, - -} - -- The SIP authentication class, supporting MD5 digest authentication SipAuth = { diff --git a/nselib/sslv2.lua b/nselib/sslv2.lua index 5e631eaaa..4e0cdbb99 100644 --- a/nselib/sslv2.lua +++ b/nselib/sslv2.lua @@ -10,6 +10,7 @@ local bin = require "bin" local table = require "table" local nmap = require "nmap" local sslcert = require "sslcert" +local rand = require "rand" _ENV = stdnse.module("sslv2", stdnse.seeall) SSL_MESSAGE_TYPES = { @@ -230,7 +231,7 @@ function client_hello (ciphers) cipher_codes[#cipher_codes+1] = ck end - local challenge = stdnse.generate_random_string(16) + local challenge = rand.random_string(16) local ssl_v2_hello = bin.pack(">CSSSSAA", 1, -- MSG-CLIENT-HELLO diff --git a/nselib/stdnse.lua b/nselib/stdnse.lua index 7db8c9b5b..3e6d171d2 100644 --- a/nselib/stdnse.lua +++ b/nselib/stdnse.lua @@ -30,7 +30,6 @@ local pcall = pcall local ceil = math.ceil local max = math.max -local random = math.random local format = string.format; local rep = string.rep 
@@ -227,38 +226,6 @@ function strsplit(pattern, text) return list; end ---- Generate a random string. --- --- You can either provide your own charset or the function will use --- a default one which is [A-Z]. --- @param len Length of the string we want to generate. --- @param charset Charset that will be used to generate the string. String or table --- @return A random string of length len consisting of --- characters from charset if one was provided, otherwise --- charset defaults to [A-Z] letters. -function generate_random_string(len, charset) - local t = {} - local ascii_A = 65 - local ascii_Z = 90 - if charset then - if type(charset) == "string" then - for i=1,len do - local r = random(#charset) - t[i] = sub(charset, r, r) - end - else - for i=1,len do - t[i]=charset[random(#charset)] - end - end - else - for i=1,len do - t[i]=char(random(ascii_A,ascii_Z)) - end - end - return concat(t) -end - --- Return a wrapper closure around a socket that buffers socket reads into -- chunks separated by a pattern. -- diff --git a/nselib/tls.lua b/nselib/tls.lua index 08b2c2f3b..c4e73c4d6 100644 --- a/nselib/tls.lua +++ b/nselib/tls.lua @@ -14,6 +14,7 @@ local string = require "string" local math = require "math" local os = require "os" local table = require "table" +local rand = require "rand" _ENV = stdnse.module("tls", stdnse.seeall) local pack = string.pack @@ -1459,7 +1460,7 @@ function client_hello(t) )) -- Set the random data. - table.insert(b, stdnse.generate_random_string(28)) + table.insert(b, rand.random_string(28)) -- Set the session ID. local sid = t["session_id"] or "" diff --git a/scripts/broadcast-dhcp-discover.nse b/scripts/broadcast-dhcp-discover.nse index 7ae771971..bb36e9621 100644 --- a/scripts/broadcast-dhcp-discover.nse +++ b/scripts/broadcast-dhcp-discover.nse 
@@ -75,17 +75,6 @@ prerule = function() return true end --- Creates a random MAC address --- --- @return mac_addr string containing a random MAC -local function randomizeMAC() - local mac_addr = {} - for j=1, 6 do - mac_addr[j] = string.char(math.random(1, 255)) - end - return table.concat(mac_addr) -end - -- Gets a list of available interfaces based on link and up filters -- -- @param link string containing the link type to filter @@ -162,7 +151,7 @@ action = function() -- randomizing the MAC could exhaust dhcp servers with small scopes -- if ran multiple times, so we should probably refrain from doing -- this? - local mac = "\xDE\xAD\xC0\xDE\xCA\xFE" --randomizeMAC() + local mac = "\xDE\xAD\xC0\xDE\xCA\xFE" local interfaces diff --git a/scripts/broadcast-jenkins-discover.nse b/scripts/broadcast-jenkins-discover.nse index 2cc95e7dd..be9ae06c9 100644 --- a/scripts/broadcast-jenkins-discover.nse +++ b/scripts/broadcast-jenkins-discover.nse @@ -3,6 +3,7 @@ local stdnse = require "stdnse" local string = require "string" local os = require "os" local table = require "table" +local rand = require "rand" description = [[ Discovers Jenkins servers on a LAN by sending a discovery broadcast probe. @@ -46,7 +47,7 @@ action = function() socket:set_timeout(500) -- send two packets, just in case - local probe = stdnse.generate_random_string(10) + local probe = rand.random_string(10) for i=1,2 do local status = socket:sendto(host, port, probe) if ( not(status) ) then diff --git a/scripts/broadcast-ping.nse b/scripts/broadcast-ping.nse index 4c8f89462..da48cb4d7 100644 --- a/scripts/broadcast-ping.nse +++ b/scripts/broadcast-ping.nse @@ -7,8 +7,8 @@ local tab = require "tab" local string = require "string" local table = require "table" local target = require "target" +local rand = require "rand" -local openssl = stdnse.silent_require "openssl" description = [[ Sends broadcast pings on a selected interface using raw ethernet packets and 
@@ -96,7 +96,7 @@ local icmp_packet = function(srcIP, dstIP, ttl, data_length, mtu, seqNo, icmp_id -- ICMP Message local icmp_payload = nil if data_length and data_length>0 then - icmp_payload = openssl.rand_bytes(data_length) + icmp_payload = rand.random_string(data_length) else icmp_payload = "" end @@ -170,7 +170,7 @@ local broadcast_if = function(if_table,icmp_responders) for i = 1, num_probes do -- ICMP packet - local icmp_id = openssl.rand_bytes(2) + local icmp_id = rand.random_string(2) icmp_ids[icmp_id]=true local icmp = icmp_packet( source_IP, destination_IP, ttl, data_length, mtu, sequence_number, icmp_id) diff --git a/scripts/dhcp-discover.nse b/scripts/dhcp-discover.nse index 1ecb068cd..cc5b6eb22 100644 --- a/scripts/dhcp-discover.nse +++ b/scripts/dhcp-discover.nse @@ -1,5 +1,5 @@ local dhcp = require "dhcp" -local math = require "math" +local rand = require "rand" local nmap = require "nmap" local shortport = require "shortport" local stdnse = require "stdnse" @@ -110,11 +110,7 @@ local function go(host, port) local mac_addr = host.mac_addr_src if(nmap.registry.args.randomize_mac == 'true' or nmap.registry.args.randomize_mac == '1') then stdnse.debug2("Generating a random MAC address") - mac_addr = {} - for j=1, 6, 1 do - mac_addr[i] = string.char(math.random(1, 255)) - end - mac_addr = table.concat(mac_addr) + mac_addr = rand.random_string(6) end local iface, err = nmap.get_interface_info(host.interface) diff --git a/scripts/dns-brute.nse b/scripts/dns-brute.nse index 09888a48d..1caac448e 100644 --- a/scripts/dns-brute.nse +++ b/scripts/dns-brute.nse @@ -7,6 +7,7 @@ local stdnse = require "stdnse" local string = require "string" local table = require "table" local target = require "target" +local rand = require "rand" description = [[ Attempts to enumerate DNS hostnames by brute force guessing of common 
@@ -179,8 +180,8 @@ local function srv_main(domainname, srvresults, srv_iter) end local function detect_wildcard(domainname, record) - local rand_host1 = stdnse.generate_random_string(24).."."..domainname - local rand_host2 = stdnse.generate_random_string(24).."."..domainname + local rand_host1 = rand.random_alpha(24).."."..domainname + local rand_host2 = rand.random_alpha(24).."."..domainname local res1 = resolve(rand_host1, record) stdnse.debug1("Detecting wildcard for \"%s\" records using random hostname \"%s\".", record, rand_host1) diff --git a/scripts/dns-nsec3-enum.nse b/scripts/dns-nsec3-enum.nse index b64b6dfae..f74ac86fc 100644 --- a/scripts/dns-nsec3-enum.nse +++ b/scripts/dns-nsec3-enum.nse @@ -5,6 +5,7 @@ local base32 = require "base32" local nmap = require "nmap" local string = require "string" local table = require "table" +local rand = require "rand" local openssl = stdnse.silent_require "openssl" @@ -173,7 +174,7 @@ end -- generate a random hash with domains suffix -- return both domain and its hash local function generate_hash(domain, iter, salt) - local rand_str = stdnse.generate_random_string(8, "etaoinshrdlucmfw") + local rand_str = rand.random_string(8, "etaoinshrdlucmfw") local random_domain = rand_str .. "." .. domain local packed_domain = {} for word in string.gmatch(random_domain, "[^%.]+") do @@ -237,7 +238,7 @@ local function enum(host, port, domain) local todo = {} local dnssec, status, result = false, false, "No Answer" local result = {} - local subdomain = stdnse.generate_random_string(8, "etaoinshrdlucmfw") + local subdomain = rand.random_string(8, "etaoinshrdlucmfw") local full_domain = join({subdomain, domain}) local iter local salt diff --git a/scripts/http-drupal-enum.nse b/scripts/http-drupal-enum.nse index 4c33a7a49..2128f8252 100644 --- a/scripts/http-drupal-enum.nse +++ b/scripts/http-drupal-enum.nse 
@@ -6,6 +6,7 @@ local shortport = require "shortport" local stdnse = require "stdnse" local string = require "string" local table = require "table" +local rand = require "rand" description = [[ Enumerates the installed Drupal modules/themes by using a list of known modules and themes. @@ -177,7 +178,7 @@ function action (host, port) -- We default to HEAD requests unless the server returns -- non 404 (200 or other) status code - local response = http.head(host, port, modules_path .. stdnse.generate_random_string(8) .. "/LICENSE.txt") + local response = http.head(host, port, modules_path .. rand.random_string(8, rand.charset('a','z')) .. "/LICENSE.txt") if response.status ~= 404 then method = "GET" end diff --git a/scripts/http-form-brute.nse b/scripts/http-form-brute.nse index ba420ab94..3ea90039c 100644 --- a/scripts/http-form-brute.nse +++ b/scripts/http-form-brute.nse @@ -7,6 +7,7 @@ local stdnse = require "stdnse" local string = require "string" local table = require "table" local url = require "url" +local rand = require "rand" description = [[ Performs brute force password auditing against http form-based authentication. @@ -580,8 +581,8 @@ action = function (host, port) } -- validate that the form submission behaves as expected - local username = uservar and stdnse.generate_random_string(8) - local password = stdnse.generate_random_string(8) + local username = uservar and rand.random_alpha(8) + local password = rand.random_alpha(8) local testdrv = Driver:new(host, port, options) local response, success = testdrv:submit_form(username, password) if not response then diff --git a/scripts/http-form-fuzzer.nse b/scripts/http-form-fuzzer.nse index ad8736ea9..6c1e3ccfa 100644 --- a/scripts/http-form-fuzzer.nse +++ b/scripts/http-form-fuzzer.nse 
@@ -58,18 +58,7 @@ local stdnse = require 'stdnse' local string = require 'string' local table = require 'table' local url = require 'url' - --- generate a charset that will be used for fuzzing -local function generate_charset(left_bound, right_bound, ...) - local t = ... or {} - if left_bound > right_bound then - return t - end - for i=left_bound,right_bound do - table.insert(t, string.char(i)) - end - return t -end +local rand = require 'rand' -- check if the response we got indicates that fuzzing was successful local function check_response(response) @@ -105,8 +94,8 @@ end -- generate a charset of characters with ascii codes from 33 to 126 -- you can use http://www.asciitable.com/ to see which characters those actually are -local charset = generate_charset(33,126) -local charset_number = generate_charset(49,57) -- ascii 49 -> 1; 57 -> 9 +local charset = rand.charset(33,126) +local charset_number = rand.charset(49,57) -- ascii 49 -> 1; 57 -> 9 local function fuzz_form(form, minlen, maxlen, host, port, path) local affected_fields = {} @@ -140,10 +129,10 @@ local function fuzz_form(form, minlen, maxlen, host, port, path) local response_number --first try to fuzz with a string - postdata[field["name"]] = stdnse.generate_random_string(i, charset) + postdata[field["name"]] = rand.random_string(i, charset) response_string = sending_function(postdata) --then with a number - postdata[field["name"]] = stdnse.generate_random_string(i, charset_number) + postdata[field["name"]] = rand.random_string(i, charset_number) response_number = sending_function(postdata) if check_response(response_string) then diff --git a/scripts/http-jsonp-detection.nse b/scripts/http-jsonp-detection.nse index d390a290c..d75f535e2 100644 --- a/scripts/http-jsonp-detection.nse +++ b/scripts/http-jsonp-detection.nse 
@@ -7,6 +7,7 @@ local json = require "json" local url = require "url" local httpspider = require "httpspider" local table = require "table" +local rand = require "rand" description = [[ Attempts to discover JSONP endpoints in web servers. JSONP endpoints can be @@ -64,7 +65,7 @@ end --Checks if the callback function is controllable from URL local callback_url = function(host, port, target, callback_variable) local path, response, report - local value = stdnse.generate_random_string(8) + local value = rand.rand_alpha(8) if callback_variable == nil then callback_variable = "callback" end diff --git a/scripts/http-method-tamper.nse b/scripts/http-method-tamper.nse index a7f891847..06ec87ea7 100644 --- a/scripts/http-method-tamper.nse +++ b/scripts/http-method-tamper.nse @@ -65,6 +65,7 @@ local httpspider = require "httpspider" local vulns = require "vulns" local url = require "url" local string = require "string" +local rand = require "rand" portrule = shortport.http @@ -83,7 +84,7 @@ local function probe_http_verbs(host, port, uri) return true, "POST" end --With a random generated verb we look for 400 and 501 status - local random_verb_req = http.generic_request(host, port, stdnse.generate_random_string(4), uri) + local random_verb_req = http.generic_request(host, port, rand.random_alpha(4):upper(), uri) local retcodes = { [400] = true, -- Bad Request [401] = true, -- Authentication needed diff --git a/scripts/http-methods.nse b/scripts/http-methods.nse index 0d58b13d3..6abb57575 100644 --- a/scripts/http-methods.nse +++ b/scripts/http-methods.nse @@ -4,6 +4,7 @@ local shortport = require "shortport" local stdnse = require "stdnse" local string = require "string" local table = require "table" +local rand = require "rand" description = [[ Finds out what options are supported by an HTTP server by sending an 
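Review bot: `rand.rand_alpha(8)` in `callback_url` (http-jsonp-detection.nse) does not match the `rand.random_alpha` spelling used by the other call sites in this patch, for example http-method-tamper.nse and http-methods.nse, so unless rand.lua also exports `rand_alpha` this line calls a nil field and the script aborts at runtime. rand.lua is not part of the visible diff, so this is inferred from the other call sites; the likely intended line is `local value = rand.random_alpha(8)`. The same spelling appears in http-vuln-cve2011-3368.nse (`local random_page = rand.rand_alpha(20)`) and http-vuln-cve2017-5638.nse (`local value = rand.rand_alpha(8)`). Since an aborted check yields no output rather than a negative finding, each of these three scripts is worth one run after the rename; the body of `callback_url` continues outside the hunk.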
@@ -171,7 +172,7 @@ action = function(host, port) end end - local random_resp = http.generic_request(host, port, stdnse.generate_random_string(4), path) + local random_resp = http.generic_request(host, port, rand.random_alpha(4):upper(), path) if random_resp.status then stdnse.debug1("Response Code to Random Method is %d", random_resp.status) diff --git a/scripts/http-shellshock.nse b/scripts/http-shellshock.nse index fa8c09df0..59a2f4ae2 100644 --- a/scripts/http-shellshock.nse +++ b/scripts/http-shellshock.nse @@ -3,6 +3,7 @@ local shortport = require "shortport" local stdnse = require "stdnse" local string = require "string" local vulns = require "vulns" +local rand = require "rand" description = [[ Attempts to exploit the "shellshock" vulnerability (CVE-2014-6271 and CVE-2014-7169) in web applications. @@ -85,7 +86,7 @@ function generate_http_req(host, port, uri, custom_header, cmd) if cmd ~= nil then cmd = '() { :;}; '..cmd else - rnd = stdnse.generate_random_string(15) + rnd = rand.random_alpha(15) cmd = '() { :;}; echo; echo "'..rnd..'"' end -- Plant the payload in the HTTP headers diff --git a/scripts/http-vuln-cve2011-3368.nse b/scripts/http-vuln-cve2011-3368.nse index 82bf31943..eb2f239e4 100644 --- a/scripts/http-vuln-cve2011-3368.nse +++ b/scripts/http-vuln-cve2011-3368.nse @@ -4,8 +4,7 @@ local shortport = require "shortport" local stdnse = require "stdnse" local string = require "string" local vulns = require "vulns" - -local openssl = stdnse.silent_require "openssl" +local rand = require "rand" description = [[ Tests for the CVE-2011-3368 (Reverse Proxy Bypass) vulnerability in Apache HTTP server's reverse proxy mode. 
@@ -72,7 +71,7 @@ servers to remote users who send carefully crafted requests.]], -- Take a reference chrono for a 404 local start = os.time(os.date('*t')) - local random_page = stdnse.tohex(openssl.sha1(openssl.rand_pseudo_bytes(512))) + local random_page = rand.rand_alpha(20) local reference = http.get(host,port,("%s/%s.htm"):format(prefix,random_page)) local chrono_404 = os.time(os.date('*t'))-start diff --git a/scripts/http-vuln-cve2013-6786.nse b/scripts/http-vuln-cve2013-6786.nse index 6696fae81..ba8f94ced 100644 --- a/scripts/http-vuln-cve2013-6786.nse +++ b/scripts/http-vuln-cve2013-6786.nse @@ -39,6 +39,7 @@ local nmap = require "nmap" local shortport = require "shortport" local vulns = require "vulns" local stdnse = require "stdnse" +local rand = require "rand" portrule = shortport.http @@ -65,7 +66,7 @@ untrusted website and XSS injection.]], local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port) local header = { ["Referer"] = '"><"' } - local open_session = http.get(host, port, "/"..stdnse.generate_random_string(16), { header = header }) + local open_session = http.get(host, port, "/"..rand.random_alpha(16), { header = header }) if open_session and open_session.status == 404 then stdnse.debug2("got 404-that's good!") if open_session.body:match('"><"') then diff --git a/scripts/http-vuln-cve2014-3704.nse b/scripts/http-vuln-cve2014-3704.nse index 84812b40b..2091a90bd 100644 --- a/scripts/http-vuln-cve2014-3704.nse +++ b/scripts/http-vuln-cve2014-3704.nse @@ -6,6 +6,7 @@ local table = require "table" local url = require "url" local vulns = require "vulns" local openssl = require "openssl" +local rand = require "rand" description = [[ Exploits CVE-2014-3704 also known as 'Drupageddon' in Drupal. Versions < 7.32 
@@ -162,7 +163,7 @@ local function gen_passwd_hash(passwd) local iter = 15 local iter_char = itoa64(iter) local iter_count = 1<" - local boundary = stdnse.generate_random_string(16) + local boundary = rand.random_alpha(16) opt['header'] = {} opt['header']["Content-Type"] = "multipart/form-data" .. "; boundary=" .. boundary diff --git a/scripts/http-vuln-cve2014-8877.nse b/scripts/http-vuln-cve2014-8877.nse index 08b2c9640..1b9be3eb7 100644 --- a/scripts/http-vuln-cve2014-8877.nse +++ b/scripts/http-vuln-cve2014-8877.nse @@ -5,6 +5,7 @@ local string = require "string" local url = require "url" local vulns = require "vulns" local base64 = require "base64" +local rand = require "rand" description = [[ Exploits a remote code injection vulnerability (CVE-2014-8877) in Wordpress CM @@ -61,7 +62,7 @@ function genHttpReq(host, port, uri, cmd) if cmd ~= nil then payload = '".system("'..cmd..'")."' else - rnd = stdnse.generate_random_string(15) + rnd = rand.random_alpha(15) local encRnd = base64.enc(rnd) payload = '".base64_decode("'..encRnd..'")."' end @@ -111,7 +112,7 @@ CMDsearch parameter to cmdownloads/, which is processed by the PHP -- exploit the vulnerability if cmd ~= nil then -- wrap cmd with pattern which is used to filter out only relevant output from the response - local pattern = stdnse.generate_random_string(5) + local pattern = rand.random_alpha(5) req = genHttpReq(host, port, uri, 'echo '..pattern..';'..cmd..';echo '..pattern..';') if req.status == 200 then diff --git a/scripts/http-vuln-cve2015-1427.nse b/scripts/http-vuln-cve2015-1427.nse index 832eeef3c..342df6f34 100644 --- a/scripts/http-vuln-cve2015-1427.nse +++ b/scripts/http-vuln-cve2015-1427.nse @@ -5,6 +5,7 @@ local string = require "string" local vulns = require "vulns" local json = require "json" local nmap = require "nmap" +local rand = require "rand" description = [[ This script attempts to detect a vulnerability, CVE-2015-1427, which allows attackers 
@@ -160,7 +161,7 @@ action = function(host, port) return report:make_output(vuln_table) elseif response.body == '' then if invasive then - local rand = string.lower(stdnse.generate_random_string(8)) + local rand = rand.random_alpha(8) cleanup = function() local r = http.generic_request(host, port, "DELETE", ("/%s"):format(rand)) if r.status ~= 200 or not r.body:match('"acknowledged":true') then diff --git a/scripts/http-vuln-cve2015-1635.nse b/scripts/http-vuln-cve2015-1635.nse index 55970afad..23814e620 100644 --- a/scripts/http-vuln-cve2015-1635.nse +++ b/scripts/http-vuln-cve2015-1635.nse @@ -3,6 +3,7 @@ local http = require "http" local stdnse = require "stdnse" local string = require "string" local vulns = require "vulns" +local rand = require "rand" description = [[ Checks for a remote code execution vulnerability (MS15-034) in Microsoft Windows systems (CVE2015-2015-1635). @@ -67,7 +68,7 @@ successfully exploited this vulnerability could execute arbitrary code in the co } } local options = {header={}} - options['header']['Host'] = stdnse.generate_random_string(8) + options['header']['Host'] = rand.random_alpha(8) options['header']['Range'] = "bytes=0-18446744073709551615" local response = http.get(host, port, uri, options) diff --git a/scripts/http-vuln-cve2017-5638.nse b/scripts/http-vuln-cve2017-5638.nse index 8a1318875..c986387a0 100644 --- a/scripts/http-vuln-cve2017-5638.nse +++ b/scripts/http-vuln-cve2017-5638.nse @@ -8,6 +8,7 @@ local shortport = require "shortport" local vulns = require "vulns" local stdnse = require "stdnse" local string = require "string" +local rand = require "rand" --- -- @usage 
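Review bot: `local rand = rand.random_alpha(8)` in the invasive branch of http-vuln-cve2015-1427.nse shadows the newly required `rand` module with a string for the rest of that scope, so any later `rand.*` call added there would index a string instead of the library. The old line also wrapped the value in `string.lower(...)`, and the value is used as a request path segment in `cleanup`; whether `random_alpha` can return upper-case letters is not visible here (http-method-tamper.nse applies `:upper()` to its result), so the lower-casing may still be needed. I would rename the local, e.g. `local index = rand.random_alpha(8):lower()`, and update the `("/%s"):format(rand)` uses to match. The enclosing `action` function starts and ends outside the hunk, so some of those uses are not shown.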
@@ -61,7 +62,7 @@ vulnerability via the Content-Type header. local method = stdnse.get_script_args(SCRIPT_NAME..".method") or "GET" local path = stdnse.get_script_args(SCRIPT_NAME..".path") or "/" - local value = stdnse.generate_random_string(8) + local value = rand.rand_alpha(8) local header = { ["Content-Type"] = string.format("%%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Check-Struts', '%s')}.multipart/form-data", value) diff --git a/scripts/http-vuln-cve2017-5689.nse b/scripts/http-vuln-cve2017-5689.nse index e11b703b4..e4fa930cb 100644 --- a/scripts/http-vuln-cve2017-5689.nse +++ b/scripts/http-vuln-cve2017-5689.nse @@ -14,6 +14,7 @@ local http = require "http" local shortport = require "shortport" local vulns = require "vulns" local stdnse = require "stdnse" +local rand = require "rand" --- -- @usage @@ -114,7 +115,7 @@ digest parameter. if www_authenticate[1]['params'] and www_authenticate[1]['params']['realm'] and www_authenticate[1]['params']['nonce'] then local auth_header = string.format("Digest username=\"admin\", realm=\"%s\", nonce=\"%s\", uri=\"index.htm\"," .. "cnonce=\"%s\", nc=1, qop=\"auth\", response=\"\"", www_authenticate[1]['params']['realm'], - www_authenticate[1]['params']['nonce'], stdnse.generate_random_string(10)) + www_authenticate[1]['params']['nonce'], rand.random_alpha(10)) local opt = { header = { ['Authorization'] = auth_header } } response = http.get(host, port, '/index.htm', opt) if response.status and response.status == 200 then diff --git a/scripts/ipmi-brute.nse b/scripts/ipmi-brute.nse index bf0f098df..fd0509d20 100644 --- a/scripts/ipmi-brute.nse +++ b/scripts/ipmi-brute.nse @@ -4,6 +4,7 @@ local ipmi = require "ipmi" local nmap = require "nmap" local shortport = require "shortport" local stdnse = require "stdnse" +local rand = require "rand" description = [[ Performs brute force password auditing against IPMI RPC server. 
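Review bot: `rand.rand_alpha(8)` in the http-vuln-cve2017-5638.nse hunk does not match the name used by every other call in this commit, `rand.random_alpha`. Unless rand.lua also exports `rand_alpha` (not visible here), the call hits a nil field and the script errors out before it sends the request. The same spelling appears in the rtsp-url-brute.nse hunk as `rand.rand_alpha(14)`. Both should read `rand.random_alpha(...)`, e.g. `local value = rand.random_alpha(8)`. A detection script that aborts this way produces no finding, which is easy to misread as a clean result.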
@@ -48,8 +49,8 @@ Driver = { end, login = function(self, username, password) - local console_session_id = stdnse.generate_random_string(4) - local console_random_id = stdnse.generate_random_string(16) + local console_session_id = rand.random_string(4) + local console_random_id = rand.random_string(16) local request = ipmi.session_open_request(console_session_id) local status, reply diff --git a/scripts/ipv6-ra-flood.nse b/scripts/ipv6-ra-flood.nse index 6b7397f1b..582f24ccd 100644 --- a/scripts/ipv6-ra-flood.nse +++ b/scripts/ipv6-ra-flood.nse @@ -5,6 +5,7 @@ local stdnse = require "stdnse" local math = require "math" local string = require "string" local os = require "os" +local rand = require "rand" description = [[ Generates a flood of Router Advertisements (RA) with random source MAC @@ -81,17 +82,13 @@ end --- Generates random MAC address -- @return mac string containing random MAC address local function random_mac() - - local mac = string.format("%02x:%02x:%02x:%02x:%02x:%02x", 00, 180, math.random(256)-1, math.random(256)-1, math.random(256)-1, math.random(256)-1) - return mac + return "\x00\xb4" .. rand.random_string(4) end --- Generates random IPv6 prefix -- @return prefix string containing random IPv6 /64 prefix local function get_random_prefix() - local prefix = string.format("2a01:%02x%02x:%02x%02x:%02x%02x::", math.random(256)-1, math.random(256)-1, math.random(256)-1, math.random(256)-1, math.random(256)-1, math.random(256)-1) - - return prefix + return "\x2a\x01" .. rand.random_string(6) .. ("\0"):rep(8) end --- Build an ICMPv6 payload of Router Advertisement. @@ -158,10 +155,10 @@ local function broadcast_on_interface(iface) while true do - local src_mac = packet.mactobin(random_mac()) + local src_mac = random_mac() local src_ip6_addr = packet.mac_to_lladdr(src_mac) - local prefix = ipOps.ip_to_str(get_random_prefix()) + local prefix = get_random_prefix() local packet = packet.Frame:new() 
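Review bot: The LDoc comments kept above `random_mac` and `get_random_prefix` in ipv6-ra-flood.nse no longer describe what the functions return. Both now return raw bytes (6 and 16 respectively) instead of the printable text the removed `string.format` calls produced, which is why the `packet.mactobin` and `ipOps.ip_to_str` conversions disappear in the next hunk. I would change the tags to `-- @return 6-byte binary MAC address starting with 00:b4` and `-- @return 16-byte binary IPv6 address holding a random /64 prefix under 2a01`, so a later caller does not pass the result through a text-to-binary conversion again.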
diff --git a/scripts/irc-botnet-channels.nse b/scripts/irc-botnet-channels.nse index f4168edc3..a56c83ed4 100644 --- a/scripts/irc-botnet-channels.nse +++ b/scripts/irc-botnet-channels.nse @@ -3,6 +3,7 @@ local irc = require "irc" local stdnse = require "stdnse" local string = require "string" local table = require "table" +local rand = require "rand" description = [[ Checks an IRC server for channels that are commonly used by malicious botnets. @@ -160,10 +161,6 @@ local function irc_compose_message(prefix, command, ...) return stdnse.strjoin(" ", parts) .. "\r\n" end -local function random_nick() - return stdnse.generate_random_string(9, "abcdefghijklmnopqrstuvwxyz") -end - local function splitlines(s) local lines = {} local _, i, j @@ -190,7 +187,7 @@ local function irc_connect(host, port, nick, user, pass) if pass then commands[#commands + 1] = irc_compose_message(nil, "PASS", pass) end - nick = nick or random_nick() + nick = nick or rand.random_alpha(9) commands[#commands + 1] = irc_compose_message(nil, "NICK", nick) user = user or nick commands[#commands + 1] = irc_compose_message(nil, "USER", user, "8", "*", user) diff --git a/scripts/irc-brute.nse b/scripts/irc-brute.nse index 0e12a1ded..3082ed931 100644 --- a/scripts/irc-brute.nse +++ b/scripts/irc-brute.nse @@ -4,6 +4,7 @@ local creds = require "creds" local match = require "match" local irc = require "irc" local stdnse = require "stdnse" +local rand = require "rand" description=[[ Performs brute force password auditing against IRC (Internet Relay Chat) servers. 
@@ -87,12 +88,8 @@ Driver = { disconnect = function(self) return self.socket:close() end, } -local function random_nick() - return stdnse.generate_random_string(9, "abcdefghijklmnopqrstuvwxyz") -end - local function needsPassword(host, port) - local msg = ("NICK %s\r\nUSER anonymous 0 * :Nmap brute\r\n"):format(random_nick()) + local msg = ("NICK %s\r\nUSER anonymous 0 * :Nmap brute\r\n"):format(rand.random_alpha(9)) local s, r, opts, _ = comm.tryssl(host, port, msg, { timeout = 15000 } ) local err, code diff --git a/scripts/irc-info.nse b/scripts/irc-info.nse index 1f75b38ac..697a33ed9 100644 --- a/scripts/irc-info.nse +++ b/scripts/irc-info.nse @@ -3,6 +3,7 @@ local nmap = require "nmap" local math = require "math" local irc = require "irc" local stdnse = require "stdnse" +local rand = require "rand" description = [[ Gathers information from an IRC server. @@ -48,12 +49,8 @@ portrule = irc.portrule local banner_timeout = 60 -local function random_nick () - return stdnse.generate_random_string(9, "abcdefghijklmnopqrstuvwxyz") -end - function action (host, port) - local nick = random_nick() + local nick = rand.random_alpha(9) local output = stdnse.output_table() @@ -85,7 +82,7 @@ function action (host, port) -- NICK already in use info = line:match "^:([%w-_.]+) 433" if info then - nick = random_nick() + nick = rand.random_alpha(9) sd:send("NICK " .. nick .. "\n") end diff --git a/scripts/oracle-enum-users.nse b/scripts/oracle-enum-users.nse index 65248b32f..524c6b9ff 100644 --- a/scripts/oracle-enum-users.nse +++ b/scripts/oracle-enum-users.nse @@ -4,6 +4,7 @@ local stdnse = require "stdnse" local table = require "table" local tns = require "tns" local unpwdb = require "unpwdb" +local rand = require "rand" local openssl = stdnse.silent_require "openssl" 
@@ -103,7 +104,7 @@ action = function( host, port ) -- Check for some known bad accounts count = 0 for i=1, 10 do - local user = stdnse.generate_random_string(10, + local user = rand.random_string(10, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_") status, salt = checkAccount(host, port, user) if( not(status) ) then return salt end diff --git a/scripts/rtsp-url-brute.nse b/scripts/rtsp-url-brute.nse index 7748d70cd..f2e7773be 100644 --- a/scripts/rtsp-url-brute.nse +++ b/scripts/rtsp-url-brute.nse @@ -5,6 +5,7 @@ local rtsp = require "rtsp" local shortport = require "shortport" local stdnse = require "stdnse" local table = require "table" +local rand = require "rand" description = [[ Attempts to enumerate RTSP media URLS by testing for common paths on devices such as surveillance IP cameras. @@ -140,7 +141,7 @@ action = function(host, port) -- Try to see what a nonexistent URL looks like local status, response = fetch_url( host, port, ("rtsp://%s/%s"):format( - stdnse.get_hostname(host), stdnse.generate_random_string(14)) + stdnse.get_hostname(host), rand.rand_alpha(14)) ) local status_404 = 404 if status then diff --git a/scripts/smb-brute.nse b/scripts/smb-brute.nse index e538cff8b..8261e3484 100644 --- a/scripts/smb-brute.nse +++ b/scripts/smb-brute.nse @@ -5,6 +5,7 @@ local stdnse = require "stdnse" local string = require "string" local table = require "table" local unpwdb = require "unpwdb" +local rand = require "rand" description = [[ Attempts to guess username/password combinations over SMB, storing discovered combinations 
@@ -172,9 +173,8 @@ local special_passwords = { USERNAME, USERNAME_REVERSED } --@param length (optional) The length of the string to return. Default: 8. --@param set (optional) The set of letters to choose from. Default: upper, lower, numbers, and underscore. --@return The random string. -local function get_random_string(length, set) - return stdnse.generate_random_string(length or 8, - set or "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_") +local function get_random_string(length) + return rand.random_string(length, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_") end ---Splits a string in the form "domain\user" into domain and user. diff --git a/scripts/smb-vuln-ms06-025.nse b/scripts/smb-vuln-ms06-025.nse index cd80bdae2..02906c37a 100644 --- a/scripts/smb-vuln-ms06-025.nse +++ b/scripts/smb-vuln-ms06-025.nse @@ -3,6 +3,7 @@ local nmap = require "nmap" local smb = require "smb" local stdnse = require "stdnse" local vulns = require "vulns" +local rand = require "rand" description = [[ Detects Microsoft Windows systems with Ras RPC service vulnerable to MS06-025. @@ -103,7 +104,7 @@ function check_ms06_025(host) req = msrpc.RRAS_marshall_RequestBuffer( 0x01, msrpc.RRAS_RegTypes['GETDEVCONFIG'], - stdnse.generate_random_string(3000, "0123456789abcdefghijklmnoprstuvzxwyABCDEFGHIJKLMNOPRSTUVZXWY")) + rand.random_string(3000, "0123456789abcdefghijklmnoprstuvzxwyABCDEFGHIJKLMNOPRSTUVZXWY")) status, sr_result = msrpc.RRAS_SubmitRequest(smbstate, req) msrpc.stop_smb(smbstate) --sanity check diff --git a/scripts/ssh-auth-methods.nse b/scripts/ssh-auth-methods.nse index 47b817fd4..61249eb93 100644 --- a/scripts/ssh-auth-methods.nse +++ b/scripts/ssh-auth-methods.nse @@ -1,6 +1,7 @@ local shortport = require "shortport" local stdnse = require "stdnse" local libssh2_util = require "libssh2-utility" +local rand = require "rand" description = [[ Returns authentication methods that a SSH server supports. 
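Review bot: `get_random_string` in smb-brute.nse loses its `length or 8` fallback while the `--@param length (optional) ... Default: 8` comment directly above is kept, so a call without an argument now passes nil as the length to `rand.random_string`. The `--@param set` line also documents a parameter the new signature no longer accepts. Keeping the default, `return rand.random_string(length or 8, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_")`, and deleting the `set` doc line would bring code and comment back in line. Whether any caller relies on the default or passes a custom set is not visible in this hunk.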
@@ -24,7 +25,7 @@ author = "Devin Bjelland" license = "Same as Nmap--See https://nmap.org/book/man-legal.html" categories = {"auth", "intrusive"} -local username = stdnse.get_script_args("ssh.user") or stdnse.generate_random_string(5) +local username = stdnse.get_script_args("ssh.user") or rand.random_alpha(5) portrule = shortport.port_or_service(22, 'ssh') function action (host, port) diff --git a/scripts/targets-ipv6-multicast-slaac.nse b/scripts/targets-ipv6-multicast-slaac.nse index 4bf01c6ef..09457623c 100644 --- a/scripts/targets-ipv6-multicast-slaac.nse +++ b/scripts/targets-ipv6-multicast-slaac.nse @@ -1,6 +1,5 @@ local coroutine = require "coroutine" local ipOps = require "ipOps" -local math = require "math" local nmap = require "nmap" local packet = require "packet" local stdnse = require "stdnse" @@ -8,6 +7,7 @@ local string = require "string" local tab = require "tab" local table = require "table" local target = require "target" +local rand = require "rand" description = [[ Performs IPv6 host discovery by triggering stateless address auto-configuration @@ -59,7 +59,7 @@ end -- @return A 16-byte string of IPv6 address, and the length of the prefix. local function get_random_ula_prefix(local_scope) local ula_prefix - local global_id = string.char(math.random(256)-1,math.random(256)-1,math.random(256)-1,math.random(256)-1,math.random(256)-1) + local global_id = rand.random_string(5) if local_scope then ula_prefix = ipOps.ip_to_str("fd00::") diff --git a/scripts/tftp-enum.nse b/scripts/tftp-enum.nse index 88ee1c38e..257575247 100644 --- a/scripts/tftp-enum.nse +++ b/scripts/tftp-enum.nse @@ -4,6 +4,7 @@ local shortport = require "shortport" local stdnse = require "stdnse" local string = require "string" local table = require "table" +local rand = require "rand" description = [[ Enumerates TFTP (trivial file transfer protocol) filenames by testing 
@@ -175,7 +176,7 @@ local check_file_present = function(host, port, filename) end local check_open_tftp = function(host, port) - local random_name = stdnse.generate_random_string(8, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_") + local random_name = rand.random_string(8, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_") local ret_value = check_file_present(host, port, random_name) if (ret_value == FILE_FOUND or ret_value == FILE_NOT_FOUND) then return true diff --git a/scripts/tls-ticketbleed.nse b/scripts/tls-ticketbleed.nse index 74450a716..d492d2de6 100644 --- a/scripts/tls-ticketbleed.nse +++ b/scripts/tls-ticketbleed.nse @@ -6,6 +6,7 @@ local stdnse = require("stdnse") local table = require("table") local tls = require "tls" local vulns = require("vulns") +local rand = require "rand" description = [[ Detects whether a server is vulnerable to the F5 Ticketbleed bug (CVE-2016-9244). @@ -207,7 +208,7 @@ local function is_vuln(host, port, version) -- reduces the chance of a false positive caused by the server -- issuing us a new, valid session ID that just happens to match the -- random one we provided. - local sid_old = stdnse.generate_random_string(16) + local sid_old = rand.random_string(16) local hello = tls.client_hello({ ["protocol"] = version,