Move stdnse.generate_random_string to new rand.lua

nselib/anyconnect.lua

@@ -11,8 +11,8 @@
 local http = require('http')
 local stdnse = require('stdnse')
 local url = require('url')
-local math = require('math')
 local table = require('table')
+local rand = require "rand"
 
 local args_group= stdnse.get_script_args('anyconnect.group') or "VPN"
 local args_mac= stdnse.get_script_args('anyconnect.mac')
@@ -26,11 +26,7 @@ Cisco = {
   Util = {
 
     generate_mac = function()
-      local mac = {}
+      return stdnse.format_mac(rand.random_string(6))
-      for i=1,6 do
-        mac[#mac + 1] = (("%x"):format(math.random(255))):gsub(' ', '0');
-      end
-      return table.concat(mac,':')
     end,
 
   },
@@ -47,7 +43,7 @@ Cisco = {
     -- generate a random hex-string of length 'length'
     --
     generate_random = function(length)
-      return stdnse.generate_random_string(length * 2, '0123456789ABCDEF')
+      return rand.random_string(length * 2, '0123456789ABCDEF')
     end,
 
     connect = function(self)

nselib/bittorrent.lua

@@ -99,6 +99,7 @@ local stdnse = require "stdnse"
 local string = require "string"
 local table = require "table"
 local url = require "url"
+local rand = require "rand"
 _ENV = stdnse.module("bittorrent", stdnse.seeall)
 
 --- Given a buffer and a starting position in the buffer, this function decodes
@@ -432,7 +433,7 @@ local find_node_thread = function(pnt, timeout)
       -- q = "find_node" (type of query),
       -- find_node Query = {"t":<transaction_id>, "y":"q", "q":"find_node", "a": {"id":<node_id>, "target":<info_hash>}}
       local find_node_query = "d1:ad2:id20:" .. pnt.node_id .. "6:target20:" ..
-        pnt.info_hash .. "e1:q9:find_node1:t2:" .. openssl.rand_bytes(2) .. "1:y1:qe"
+        pnt.info_hash .. "e1:q9:find_node1:t2:" .. rand.random_string(2) .. "1:y1:qe"
 
       -- add the traversed nodes to pnt.nodes_get_peers so they can be traversed by get_peers_thread
       pnt.nodes_get_peers[node_ip] = node_info
@@ -509,7 +510,7 @@ local get_peers_thread = function(pnt, timeout)
       -- and q = "get_peers" (type of query)
       -- {"t":<transaction_id>, "y":"q", "q":"get_peers", "a": {"id":<node_id>, "info_hash":<info_hash>}}
       local get_peers_query = "d1:ad2:id20:" .. pnt.node_id .. "9:info_hash20:" ..
-        pnt.info_hash .. "e1:q9:get_peers1:t2:" .. openssl.rand_bytes(2) .. "1:y1:qe"
+        pnt.info_hash .. "e1:q9:get_peers1:t2:" .. rand.random_string(2) .. "1:y1:qe"
 
       pnt.nodes[node_ip] = node_info
       pnt.nodes_get_peers[node_ip] = nil
@@ -719,7 +720,7 @@ Torrent =
     pnt.nodes_get_peers = {}
     pnt.nodes_find_node = self.nodes
 
-    pnt.node_id = openssl.rand_bytes(20)
+    pnt.node_id = rand.random_string(20)
     pnt.info_hash = self.info_hash
 
     local condvar = nmap.condvar(pnt)
@@ -868,7 +869,7 @@ Torrent =
     local fingerprint = "-KT4110-"
     local chars = {}
     -- the full length of a peer_id is 20 bytes but we already have 8 from the fingerprint
-    return fingerprint .. stdnse.generate_random_string(12,
+    return fingerprint .. rand.random_string(12,
       "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")
   end,
 
@@ -966,7 +967,7 @@ Torrent =
     local socket = nmap.new_socket("udp")
 
     -- The initial connection parameters' variables have hello_ prefixed names
-    local hello_transaction_id = openssl.rand_bytes(4)
+    local hello_transaction_id = rand.random_string(4)
     local hello_packet = "\0\0\x04\x17\x27\x10\x19\x80" -- identification of the protocol
     .. "\0\0\0\0" -- 0 for a connection request
     .. hello_transaction_id
@@ -992,7 +993,7 @@ Torrent =
 
     -- the announce connection parameters' variables are prefixed with a_
     local a_action = 1 -- 1 for announce
-    local a_transaction_id = openssl.rand_bytes(4)
+    local a_transaction_id = rand.random_string(4)
     local a_info_hash = self.info_hash -- info_hash of the torrent
     local a_peer_id = self:generate_peer_id()
     local a_downloaded = 0 -- 0 bytes downloaded
@@ -1003,7 +1004,7 @@ Torrent =
     local a_event = 2 -- value of 2 for started torrent
     local a_ip = 0 -- not necessary to specify our ip since it's resolved
       -- by tracker automatically
-    local a_key = openssl.rand_bytes(4)
+    local a_key = rand.random_string(4)
     local a_num_want = 0xFFFFFFFF -- request for many many peers
     local a_port = 6881 -- the port "we are listening on"
     local a_extensions = 0 -- client recognizes no extensions of the bittorrent proto

nselib/ike.lua

@@ -27,6 +27,7 @@ local nmap = require "nmap"
 local stdnse = require "stdnse"
 local string = require "string"
 local table = require "table"
+local rand = require "rand"
 _ENV = stdnse.module("ike", stdnse.seeall)
 
 local ENC_METHODS = {
@@ -127,13 +128,6 @@ local function load_fingerprints()
 end
 
 
--- generate a random hex-string of length 'length'
---
-local function generate_random(length)
-  return stdnse.generate_random_string(length * 2, '0123456789ABCDEF')
-end
-
-
 -- convert a string to a hex-string (of the ASCII representation)
 --
 local function convert_to_hex(id)
@@ -406,16 +400,16 @@ local function generate_aggressive(port, protocol, id, diffie)
     key_length = 192
   end
 
-  return bin.pack(">SHHSSHSHCHHH",
+  return bin.pack(">SHASSASHCHHH",
     -- Key Exchange
     0x0a00, -- Next payload (Nonce)
     string.format("%04X", key_length+4), -- Length (132-bit)
-    generate_random(key_length), -- Random key data
+    rand.random_string(key_length), -- Random key data
 
     -- Nonce
     0x0500, -- Next payload (Identification)
     0x0018, -- Length (24)
-    generate_random(20), -- Nonce data
+    rand.random_string(20), -- Nonce data
 
     -- Identification
     0x0000, -- Next Payload (None)
@@ -523,8 +517,8 @@ function request(port, proto, mode, transforms, diffie, id)
   l_pro = string.format("%.4X", 8 + transform_string:len())
 
   -- Build the packet
-  local packet = bin.pack(">HLCCCCIHSHIISHCCCH",
+  local packet = bin.pack(">ALCCCCIHSHIISHCCCH",
-    generate_random(8), -- Initiator cookie
+    rand.random_string(8), -- Initiator cookie
     0x0000000000000000, -- Responder cookie
     0x01, -- Next payload (SA)
     0x10, -- Version

nselib/ipmi.lua

@@ -8,6 +8,7 @@
 local bin = require "bin"
 local stdnse = require "stdnse"
 local string = require "string"
+local rand = require "rand"
 
 _ENV = stdnse.module("ipmi", stdnse.seeall)
 
@@ -98,7 +99,7 @@ end
 
 -- Open rmcpplus_request
 session_open_cipher_zero_request = function(console_session_id)
-  console_session_id = console_session_id or stdnse.generate_random_string(4)
+  console_session_id = console_session_id or rand.random_string(4)
 
   local data = (
     "\x00\x00" .. -- Maximum Access

nselib/mqtt.lua

@@ -6,6 +6,7 @@ local stdnse = require "stdnse"
 local string = require "string"
 local table = require "table"
 local unittest = require "unittest"
+local rand = require "rand"
 
 _ENV = stdnse.module("mqtt", stdnse.seeall)
 
@@ -539,7 +540,7 @@ MQTT.packet["CONNECT"].build = function(options)
   if not client_id then
     -- We throw in randomness in case there are multiple scripts using this
     -- library on a single port.
-    client_id = "nmap" .. stdnse.generate_random_string(16)
+    client_id = "nmap" .. rand.random_alpha(16)
   end
   assert(type(client_id) == "string")
   tail = tail .. MQTT.utf8_build(client_id)

nselib/sip.lua

@@ -20,8 +20,6 @@
 --    - A class containing code for handling SIP responses
 -- * Request
 --    - A class containing code for handling SIP requests
--- * Util
---    - A class containing static utility functions
 -- * SIPAuth
 --    - A class containing code related to SIP Authentication
 -- * Helper
@@ -42,6 +40,7 @@ local stdnse = require "stdnse"
 local openssl = stdnse.silent_require "openssl"
 local string = require "string"
 local table = require "table"
+local rand = require "rand"
 _ENV = stdnse.module("sip", stdnse.seeall)
 
 -- Method constants
@@ -66,6 +65,13 @@ Error = {
   PROXY_AUTH_REQUIRED = 407,
 }
 
+-- Generates a random string of the requested length.
+-- @param length The length of the string to return
+-- @return The random string.
+local get_random_string = function(length)
+  return rand.random_string(length, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_")
+end
+
 -- The SessionData class
 SessionData = {
 
@@ -529,7 +535,7 @@ Request = {
     o.maxfwd = 70
     o.method = method
     o.length = 0
-    o.cid = Util.get_random_string(60)
+    o.cid = get_random_string(60)
     return o
   end,
 
@@ -638,9 +644,9 @@ Request = {
   -- @return ret string containing the complete request for sending over the socket
   __tostring = function(self)
     local data = {}
-    local branch = "z9hG4bK" .. Util.get_random_string(25)
+    local branch = "z9hG4bK" .. get_random_string(25)
     -- must be at least 32-bit unique
-    self.from_tag = self.from_tag or Util.get_random_string(20)
+    self.from_tag = self.from_tag or get_random_string(20)
     local sessdata = self.sessdata
     local lhost, lport = sessdata:getClient()
     local rhost, rport = sessdata:getServer()
@@ -727,21 +733,6 @@ Request = {
 
 }
 
--- A minimal Util class with supporting functions
-Util = {
-
-  --- Generates a random string of the requested length.
-  -- @name Util.get_random_string
-  -- @param length (optional) The length of the string to return. Default: 8.
-  -- @param set    (optional) The set of letters to choose from. Default: upper, lower, numbers, and underscore.
-  -- @return The random string.
-  get_random_string = function(length, set)
-    return stdnse.generate_random_string(length or 8,
-      set or "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_")
-  end,
-
-}
-
 -- The SIP authentication class, supporting MD5 digest authentication
 SipAuth = {
 

nselib/sslv2.lua

@@ -10,6 +10,7 @@ local bin = require "bin"
 local table = require "table"
 local nmap = require "nmap"
 local sslcert = require "sslcert"
+local rand = require "rand"
 _ENV = stdnse.module("sslv2", stdnse.seeall)
 
 SSL_MESSAGE_TYPES = {
@@ -230,7 +231,7 @@ function client_hello (ciphers)
     cipher_codes[#cipher_codes+1] = ck
   end
 
-  local challenge = stdnse.generate_random_string(16)
+  local challenge = rand.random_string(16)
 
   local ssl_v2_hello = bin.pack(">CSSSSAA",
     1, -- MSG-CLIENT-HELLO

nselib/stdnse.lua

@@ -30,7 +30,6 @@ local pcall = pcall
 
 local ceil = math.ceil
 local max = math.max
-local random = math.random
 
 local format = string.format;
 local rep = string.rep
@@ -227,38 +226,6 @@ function strsplit(pattern, text)
   return list;
 end
 
---- Generate a random string.
---
--- You can either provide your own charset or the function will use
--- a default one which is [A-Z].
--- @param len Length of the string we want to generate.
--- @param charset Charset that will be used to generate the string. String or table
--- @return A random string of length <code>len</code> consisting of
--- characters from <code>charset</code> if one was provided, otherwise
--- <code>charset</code> defaults to [A-Z] letters.
-function generate_random_string(len, charset)
-  local t = {}
-  local ascii_A = 65
-  local ascii_Z = 90
-  if charset then
-    if type(charset) == "string" then
-      for i=1,len do
-        local r = random(#charset)
-        t[i] = sub(charset, r, r)
-      end
-    else
-      for i=1,len do
-        t[i]=charset[random(#charset)]
-      end
-    end
-  else
-    for i=1,len do
-      t[i]=char(random(ascii_A,ascii_Z))
-    end
-  end
-  return concat(t)
-end
-
 --- Return a wrapper closure around a socket that buffers socket reads into
 -- chunks separated by a pattern.
 --

nselib/tls.lua

@@ -14,6 +14,7 @@ local string = require "string"
 local math = require "math"
 local os = require "os"
 local table = require "table"
+local rand = require "rand"
 _ENV = stdnse.module("tls", stdnse.seeall)
 
 local pack = string.pack
@@ -1459,7 +1460,7 @@ function client_hello(t)
   ))
 
   -- Set the random data.
-  table.insert(b, stdnse.generate_random_string(28))
+  table.insert(b, rand.random_string(28))
 
   -- Set the session ID.
   local sid = t["session_id"] or ""

scripts/broadcast-dhcp-discover.nse

@@ -75,17 +75,6 @@ prerule = function()
   return true
 end
 
--- Creates a random MAC address
---
--- @return mac_addr string containing a random MAC
-local function randomizeMAC()
-  local mac_addr = {}
-  for j=1, 6 do
-    mac_addr[j] = string.char(math.random(1, 255))
-  end
-  return table.concat(mac_addr)
-end
-
 -- Gets a list of available interfaces based on link and up filters
 --
 -- @param link string containing the link type to filter
@@ -162,7 +151,7 @@ action = function()
   -- randomizing the MAC could exhaust dhcp servers with small scopes
   -- if ran multiple times, so we should probably refrain from doing
   -- this?
-  local mac = "\xDE\xAD\xC0\xDE\xCA\xFE" --randomizeMAC()
+  local mac = "\xDE\xAD\xC0\xDE\xCA\xFE"
 
   local interfaces
 

scripts/broadcast-jenkins-discover.nse

@@ -3,6 +3,7 @@ local stdnse = require "stdnse"
 local string = require "string"
 local os = require "os"
 local table = require "table"
+local rand = require "rand"
 
 description = [[
 Discovers Jenkins servers on a LAN by sending a discovery broadcast probe.
@@ -46,7 +47,7 @@ action = function()
   socket:set_timeout(500)
 
   -- send two packets, just in case
-  local probe = stdnse.generate_random_string(10)
+  local probe = rand.random_string(10)
   for i=1,2 do
     local status = socket:sendto(host, port, probe)
     if ( not(status) ) then

scripts/broadcast-ping.nse

@@ -7,8 +7,8 @@ local tab = require "tab"
 local string = require "string"
 local table = require "table"
 local target = require "target"
+local rand = require "rand"
 
-local openssl = stdnse.silent_require "openssl"
 
 description = [[
 Sends broadcast pings on a selected interface using raw ethernet packets and
@@ -96,7 +96,7 @@ local icmp_packet = function(srcIP, dstIP, ttl, data_length, mtu, seqNo, icmp_id
   -- ICMP Message
   local icmp_payload = nil
   if data_length and data_length>0 then
-    icmp_payload = openssl.rand_bytes(data_length)
+    icmp_payload = rand.random_string(data_length)
   else
     icmp_payload = ""
   end
@@ -170,7 +170,7 @@ local broadcast_if = function(if_table,icmp_responders)
 
   for i = 1, num_probes do
     -- ICMP packet
-    local icmp_id = openssl.rand_bytes(2)
+    local icmp_id = rand.random_string(2)
     icmp_ids[icmp_id]=true
     local icmp = icmp_packet( source_IP, destination_IP, ttl,
     data_length, mtu, sequence_number, icmp_id)

scripts/dhcp-discover.nse

@@ -1,5 +1,5 @@
 local dhcp = require "dhcp"
-local math = require "math"
+local rand = require "rand"
 local nmap = require "nmap"
 local shortport = require "shortport"
 local stdnse = require "stdnse"
@@ -110,11 +110,7 @@ local function go(host, port)
     local mac_addr = host.mac_addr_src
     if(nmap.registry.args.randomize_mac == 'true' or nmap.registry.args.randomize_mac == '1') then
       stdnse.debug2("Generating a random MAC address")
-      mac_addr = {}
+      mac_addr = rand.random_string(6)
-      for j=1, 6, 1 do
-        mac_addr[i] = string.char(math.random(1, 255))
-      end
-      mac_addr = table.concat(mac_addr)
     end
 
     local iface, err = nmap.get_interface_info(host.interface)

scripts/dns-brute.nse

@@ -7,6 +7,7 @@ local stdnse = require "stdnse"
 local string = require "string"
 local table = require "table"
 local target = require "target"
+local rand = require "rand"
 
 description = [[
 Attempts to enumerate DNS hostnames by brute force guessing of common
@@ -179,8 +180,8 @@ local function srv_main(domainname, srvresults, srv_iter)
 end
 
 local function detect_wildcard(domainname, record)
-  local rand_host1 = stdnse.generate_random_string(24).."."..domainname
+  local rand_host1 = rand.random_alpha(24).."."..domainname
-  local rand_host2 = stdnse.generate_random_string(24).."."..domainname
+  local rand_host2 = rand.random_alpha(24).."."..domainname
   local res1 = resolve(rand_host1, record)
 
   stdnse.debug1("Detecting wildcard for \"%s\" records using random hostname \"%s\".", record, rand_host1)

scripts/dns-nsec3-enum.nse

@@ -5,6 +5,7 @@ local base32 = require "base32"
 local nmap = require "nmap"
 local string = require "string"
 local table = require "table"
+local rand = require "rand"
 
 local openssl = stdnse.silent_require "openssl"
 
@@ -173,7 +174,7 @@ end
 -- generate a random hash with domains suffix
 -- return both domain and its hash
 local function generate_hash(domain, iter, salt)
-  local rand_str = stdnse.generate_random_string(8, "etaoinshrdlucmfw")
+  local rand_str = rand.random_string(8, "etaoinshrdlucmfw")
   local random_domain = rand_str .. "." .. domain
   local packed_domain = {}
   for word in string.gmatch(random_domain, "[^%.]+") do
@@ -237,7 +238,7 @@ local function enum(host, port, domain)
   local todo = {}
   local dnssec, status, result = false, false, "No Answer"
   local result = {}
-  local subdomain = stdnse.generate_random_string(8, "etaoinshrdlucmfw")
+  local subdomain = rand.random_string(8, "etaoinshrdlucmfw")
   local full_domain = join({subdomain, domain})
   local iter
   local salt

scripts/http-drupal-enum.nse

@@ -6,6 +6,7 @@ local shortport = require "shortport"
 local stdnse = require "stdnse"
 local string = require "string"
 local table = require "table"
+local rand = require "rand"
 
 description = [[
 Enumerates the installed Drupal modules/themes by using a list of known modules and themes.
@@ -177,7 +178,7 @@ function action (host, port)
   -- We default to HEAD requests unless the server returns
   -- non 404 (200 or other) status code
 
-  local response = http.head(host, port, modules_path .. stdnse.generate_random_string(8) .. "/LICENSE.txt")
+  local response = http.head(host, port, modules_path .. rand.random_string(8, rand.charset('a','z')) .. "/LICENSE.txt")
   if response.status ~= 404 then
     method = "GET"
   end

scripts/http-form-brute.nse

@@ -7,6 +7,7 @@ local stdnse = require "stdnse"
 local string = require "string"
 local table = require "table"
 local url = require "url"
+local rand = require "rand"
 
 description = [[
 Performs brute force password auditing against http form-based authentication.
@@ -580,8 +581,8 @@ action = function (host, port)
                   }
 
   -- validate that the form submission behaves as expected
-  local username = uservar and stdnse.generate_random_string(8)
+  local username = uservar and rand.random_alpha(8)
-  local password = stdnse.generate_random_string(8)
+  local password = rand.random_alpha(8)
   local testdrv = Driver:new(host, port, options)
   local response, success = testdrv:submit_form(username, password)
   if not response then

scripts/http-form-fuzzer.nse

@@ -58,18 +58,7 @@ local stdnse = require 'stdnse'
 local string = require 'string'
 local table = require 'table'
 local url = require 'url'
-
+local rand = require 'rand'
--- generate a charset that will be used for fuzzing
-local function generate_charset(left_bound, right_bound, ...)
-  local t = ... or {}
-  if left_bound > right_bound then
-    return t
-  end
-  for i=left_bound,right_bound do
-    table.insert(t, string.char(i))
-  end
-  return t
-end
 
 -- check if the response we got indicates that fuzzing was successful
 local function check_response(response)
@@ -105,8 +94,8 @@ end
 
 -- generate a charset of characters with ascii codes from 33 to 126
 -- you can use http://www.asciitable.com/ to see which characters those actually are
-local charset = generate_charset(33,126)
+local charset = rand.charset(33,126)
-local charset_number = generate_charset(49,57) -- ascii 49 -> 1; 57 -> 9
+local charset_number = rand.charset(49,57) -- ascii 49 -> 1; 57 -> 9
 
 local function fuzz_form(form, minlen, maxlen, host, port, path)
   local affected_fields = {}
@@ -140,10 +129,10 @@ local function fuzz_form(form, minlen, maxlen, host, port, path)
       local response_number
 
       --first try to fuzz with a string
-      postdata[field["name"]] = stdnse.generate_random_string(i, charset)
+      postdata[field["name"]] = rand.random_string(i, charset)
       response_string = sending_function(postdata)
       --then with a number
-      postdata[field["name"]] = stdnse.generate_random_string(i, charset_number)
+      postdata[field["name"]] = rand.random_string(i, charset_number)
       response_number = sending_function(postdata)
 
       if check_response(response_string) then

scripts/http-jsonp-detection.nse

@@ -7,6 +7,7 @@ local json = require "json"
 local url = require "url"
 local httpspider = require "httpspider"
 local table = require "table"
+local rand = require "rand"
 
 description = [[
 Attempts to discover JSONP endpoints in web servers. JSONP endpoints can be
@@ -64,7 +65,7 @@ end
 --Checks if the callback function is controllable from URL
 local callback_url = function(host, port, target, callback_variable)
   local path, response, report
-  local value = stdnse.generate_random_string(8)
+  local value = rand.rand_alpha(8)
   if callback_variable == nil then
     callback_variable = "callback"
   end

scripts/http-method-tamper.nse

@@ -65,6 +65,7 @@ local httpspider = require "httpspider"
 local vulns = require "vulns"
 local url = require "url"
 local string = require "string"
+local rand = require "rand"
 
 portrule = shortport.http
 
@@ -83,7 +84,7 @@ local function probe_http_verbs(host, port, uri)
     return true, "POST"
   end
   --With a random generated verb we look for 400 and 501 status
-  local random_verb_req = http.generic_request(host, port, stdnse.generate_random_string(4), uri)
+  local random_verb_req = http.generic_request(host, port, rand.random_alpha(4):upper(), uri)
   local retcodes = {
     [400] = true, -- Bad Request
     [401] = true, -- Authentication needed

scripts/http-methods.nse

@@ -4,6 +4,7 @@ local shortport = require "shortport"
 local stdnse = require "stdnse"
 local string = require "string"
 local table = require "table"
+local rand = require "rand"
 
 description = [[
 Finds out what options are supported by an HTTP server by sending an
@@ -171,7 +172,7 @@ action = function(host, port)
     end
   end
 
-  local random_resp = http.generic_request(host, port, stdnse.generate_random_string(4), path)
+  local random_resp = http.generic_request(host, port, rand.random_alpha(4):upper(), path)
 
   if random_resp.status then
     stdnse.debug1("Response Code to Random Method is %d", random_resp.status)

scripts/http-shellshock.nse

@@ -3,6 +3,7 @@ local shortport = require "shortport"
 local stdnse = require "stdnse"
 local string = require "string"
 local vulns = require "vulns"
+local rand = require "rand"
 
 description = [[
 Attempts to exploit the "shellshock" vulnerability (CVE-2014-6271 and CVE-2014-7169) in web applications.
@@ -85,7 +86,7 @@ function generate_http_req(host, port, uri, custom_header, cmd)
   if cmd ~= nil then
     cmd = '() { :;}; '..cmd
  else
-    rnd = stdnse.generate_random_string(15)
+    rnd = rand.random_alpha(15)
     cmd = '() { :;}; echo; echo "'..rnd..'"'
   end
   -- Plant the payload in the HTTP headers

scripts/http-vuln-cve2011-3368.nse

@@ -4,8 +4,7 @@ local shortport = require "shortport"
 local stdnse = require "stdnse"
 local string = require "string"
 local vulns = require "vulns"
-
+local rand = require "rand"
-local openssl = stdnse.silent_require "openssl"
 
 description = [[
 Tests for the CVE-2011-3368 (Reverse Proxy Bypass) vulnerability in Apache HTTP server's reverse proxy mode.
@@ -72,7 +71,7 @@ servers to remote users who send carefully crafted requests.]],
 
   -- Take a reference chrono for a 404
   local start = os.time(os.date('*t'))
-  local random_page = stdnse.tohex(openssl.sha1(openssl.rand_pseudo_bytes(512)))
+  local random_page = rand.rand_alpha(20)
   local reference = http.get(host,port,("%s/%s.htm"):format(prefix,random_page))
   local chrono_404 = os.time(os.date('*t'))-start
 

scripts/http-vuln-cve2013-6786.nse

@@ -39,6 +39,7 @@ local nmap = require "nmap"
 local shortport = require "shortport"
 local vulns = require "vulns"
 local stdnse = require "stdnse"
+local rand = require "rand"
 
 portrule = shortport.http
 
@@ -65,7 +66,7 @@ untrusted website and XSS injection.]],
 
   local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
   local header = { ["Referer"] = '"><script>alert("XSS")</script><"' }
-  local open_session = http.get(host, port, "/"..stdnse.generate_random_string(16), { header = header })
+  local open_session = http.get(host, port, "/"..rand.random_alpha(16), { header = header })
   if open_session and open_session.status == 404 then
     stdnse.debug2("got 404-that's good!")
     if open_session.body:match('"><script>alert%("XSS"%)</script><"') then

scripts/http-vuln-cve2014-3704.nse

@@ -6,6 +6,7 @@ local table = require "table"
 local url = require "url"
 local vulns = require "vulns"
 local openssl = require "openssl"
+local rand = require "rand"
 
 description = [[
 Exploits CVE-2014-3704 also known as 'Drupageddon' in Drupal. Versions < 7.32
@@ -162,7 +163,7 @@ local function gen_passwd_hash(passwd)
   local iter = 15
   local iter_char = itoa64(iter)
   local iter_count = 1<<iter
-  local salt = stdnse.generate_random_string(8)
+  local salt = rand.random_alpha(8)
 
   local md5 = openssl.md5(salt .. passwd)
   for i = 1, iter_count do
@@ -185,10 +186,10 @@ local function do_sql_query(host, port, uri, user)
   local query
 
   if user == nil then
-    user = stdnse.generate_random_string(10)
+    user = rand.random_alpha(10)
-    passwd = stdnse.generate_random_string(10)
+    passwd = rand.random_alpha(10)
     passHash = gen_passwd_hash(passwd)
-    email = stdnse.generate_random_string(8) .. '@' .. stdnse.generate_random_string(5) .. '.' .. stdnse.generate_random_string(3)
+    email = rand.random_alpha(8) .. '@' .. rand.random_alpha(5) .. '.' .. rand.random_alpha(3)
 
     stdnse.debug(1, string.format("adding admin user (username: '%s'; passwd: '%s')", user, passwd))
     sql_user = url.escape("insert into users (uid,name,pass,mail,status) select max(uid)+1,'" .. user .. "','" .. passHash .. "','" .. email .. "',1 from users;")
@@ -206,7 +207,7 @@ local function do_sql_query(host, port, uri, user)
     query = sql_admin .. sql_user
   end
 
-  local r = "name[0;" .. query .. "#%20%20]=" .. stdnse.generate_random_string(10) .. "&name[0]=" .. stdnse.generate_random_string(10) .. "&pass=" .. stdnse.generate_random_string(10) .. "&form_id=user_login&op=Log+in"
+  local r = "name[0;" .. query .. "#%20%20]=" .. rand.random_alpha(10) .. "&name[0]=" .. rand.random_alpha(10) .. "&pass=" .. rand.random_alpha(10) .. "&form_id=user_login&op=Log+in"
 
   local opt = {
     header = {
@@ -311,9 +312,9 @@ local function trigger_exploit(host, port, uri, session, cmd)
   local csrfToken = extract_CSRFtoken(res.body)
 
   stdnse.debug(1, string.format("%s", "calling preview article page & triggering exploit"))
-  local pattern = '"' .. stdnse.generate_random_string(5)
+  local pattern = '"' .. rand.random_alpha(5)
   local payload = "<?php echo '" .. pattern .. " '; system('" .. cmd .. "'); echo '".. pattern .. " '; ?>"
-  local boundary = stdnse.generate_random_string(16)
+  local boundary = rand.random_alpha(16)
   opt['header'] = {}
   opt['header']["Content-Type"] = "multipart/form-data" .. "; boundary=" .. boundary
 

scripts/http-vuln-cve2014-8877.nse

@@ -5,6 +5,7 @@ local string = require "string"
 local url = require "url"
 local vulns = require "vulns"
 local base64 = require "base64"
+local rand = require "rand"
 
 description = [[
 Exploits a remote code injection vulnerability (CVE-2014-8877) in Wordpress CM
@@ -61,7 +62,7 @@ function genHttpReq(host, port, uri, cmd)
   if cmd ~= nil then
     payload = '".system("'..cmd..'")."'
   else
-    rnd = stdnse.generate_random_string(15)
+    rnd = rand.random_alpha(15)
     local encRnd = base64.enc(rnd)
     payload = '".base64_decode("'..encRnd..'")."'
   end
@@ -111,7 +112,7 @@ CMDsearch parameter to cmdownloads/, which is processed by the PHP
     -- exploit the vulnerability
     if cmd ~= nil then
        -- wrap cmd with pattern which is used to filter out only relevant output from the response
-       local pattern = stdnse.generate_random_string(5)
+       local pattern = rand.random_alpha(5)
        req = genHttpReq(host, port, uri, 'echo '..pattern..';'..cmd..';echo '..pattern..';')
 
        if req.status == 200 then

scripts/http-vuln-cve2015-1427.nse

@@ -5,6 +5,7 @@ local string = require "string"
 local vulns = require "vulns"
 local json = require "json"
 local nmap = require "nmap"
+local rand = require "rand"
 
 description = [[
 This script attempts to detect a vulnerability, CVE-2015-1427, which  allows attackers
@@ -160,7 +161,7 @@ action = function(host, port)
     return report:make_output(vuln_table)
   elseif response.body == '' then
     if invasive then
-      local rand = string.lower(stdnse.generate_random_string(8))
+      local rand = rand.random_alpha(8)
       cleanup = function()
         local r = http.generic_request(host, port, "DELETE", ("/%s"):format(rand))
         if r.status ~= 200 or not r.body:match('"acknowledged":true') then

scripts/http-vuln-cve2015-1635.nse

@@ -3,6 +3,7 @@ local http = require "http"
 local stdnse = require "stdnse"
 local string = require "string"
 local vulns = require "vulns"
+local rand = require "rand"
 
 description = [[
 Checks for a remote code execution vulnerability (MS15-034) in Microsoft Windows systems (CVE2015-2015-1635).
@@ -67,7 +68,7 @@ successfully exploited this vulnerability could execute arbitrary code in the co
     }
   }
   local options = {header={}}
-  options['header']['Host'] = stdnse.generate_random_string(8)
+  options['header']['Host'] = rand.random_alpha(8)
   options['header']['Range'] = "bytes=0-18446744073709551615"
 
   local response = http.get(host, port, uri, options)

scripts/http-vuln-cve2017-5638.nse

@@ -8,6 +8,7 @@ local shortport = require "shortport"
 local vulns = require "vulns"
 local stdnse = require "stdnse"
 local string = require "string"
+local rand = require "rand"
 
 ---
 -- @usage
@@ -61,7 +62,7 @@ vulnerability via the Content-Type header.
 
   local method = stdnse.get_script_args(SCRIPT_NAME..".method") or "GET"
   local path = stdnse.get_script_args(SCRIPT_NAME..".path") or "/"
-  local value = stdnse.generate_random_string(8)
+  local value = rand.rand_alpha(8)
 
   local header = {
     ["Content-Type"] = string.format("%%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Check-Struts', '%s')}.multipart/form-data", value)

scripts/http-vuln-cve2017-5689.nse

@@ -14,6 +14,7 @@ local http = require "http"
 local shortport = require "shortport"
 local vulns = require "vulns"
 local stdnse = require "stdnse"
+local rand = require "rand"
 
 ---
 -- @usage
@@ -114,7 +115,7 @@ digest parameter.
       if www_authenticate[1]['params'] and www_authenticate[1]['params']['realm'] and www_authenticate[1]['params']['nonce'] then
         local auth_header = string.format("Digest username=\"admin\", realm=\"%s\", nonce=\"%s\", uri=\"index.htm\"," ..
           "cnonce=\"%s\", nc=1, qop=\"auth\", response=\"\"", www_authenticate[1]['params']['realm'],
-          www_authenticate[1]['params']['nonce'], stdnse.generate_random_string(10))
+          www_authenticate[1]['params']['nonce'], rand.random_alpha(10))
         local opt = { header = { ['Authorization'] = auth_header } }
         response = http.get(host, port, '/index.htm', opt)
         if response.status and response.status == 200 then

scripts/ipmi-brute.nse

@@ -4,6 +4,7 @@ local ipmi = require "ipmi"
 local nmap = require "nmap"
 local shortport = require "shortport"
 local stdnse = require "stdnse"
+local rand = require "rand"
 
 description = [[
 Performs brute force password auditing against IPMI RPC server.
@@ -48,8 +49,8 @@ Driver = {
   end,
 
   login = function(self, username, password)
-    local console_session_id = stdnse.generate_random_string(4)
+    local console_session_id = rand.random_string(4)
-    local console_random_id = stdnse.generate_random_string(16)
+    local console_random_id = rand.random_string(16)
 
     local request = ipmi.session_open_request(console_session_id)
     local status, reply

scripts/ipv6-ra-flood.nse

@@ -5,6 +5,7 @@ local stdnse = require "stdnse"
 local math = require "math"
 local string = require "string"
 local os = require "os"
+local rand = require "rand"
 
 description = [[
 Generates a flood of Router Advertisements (RA) with random source MAC
@@ -81,17 +82,13 @@ end
 --- Generates random MAC address
 -- @return mac string containing random MAC address
 local function random_mac()
-
+  return "\x00\xb4" .. rand.random_string(4)
-  local mac = string.format("%02x:%02x:%02x:%02x:%02x:%02x", 00, 180, math.random(256)-1, math.random(256)-1, math.random(256)-1, math.random(256)-1)
-  return mac
 end
 
 --- Generates random IPv6 prefix
 -- @return prefix string containing random IPv6 /64 prefix
 local function get_random_prefix()
-  local prefix = string.format("2a01:%02x%02x:%02x%02x:%02x%02x::", math.random(256)-1, math.random(256)-1, math.random(256)-1, math.random(256)-1, math.random(256)-1, math.random(256)-1)
+  return "\x2a\x01" .. rand.random_string(6) .. ("\0"):rep(8)
-
-  return prefix
 end
 
 --- Build an ICMPv6 payload of Router Advertisement.
@@ -158,10 +155,10 @@ local function broadcast_on_interface(iface)
 
   while true do
 
-    local src_mac = packet.mactobin(random_mac())
+    local src_mac = random_mac()
     local src_ip6_addr = packet.mac_to_lladdr(src_mac)
 
-    local prefix = ipOps.ip_to_str(get_random_prefix())
+    local prefix = get_random_prefix()
 
     local packet = packet.Frame:new()
 

scripts/irc-botnet-channels.nse

@@ -3,6 +3,7 @@ local irc = require "irc"
 local stdnse = require "stdnse"
 local string = require "string"
 local table = require "table"
+local rand = require "rand"
 
 description = [[
 Checks an IRC server for channels that are commonly used by malicious botnets.
@@ -160,10 +161,6 @@ local function irc_compose_message(prefix, command, ...)
   return stdnse.strjoin(" ", parts) .. "\r\n"
 end
 
-local function random_nick()
-  return stdnse.generate_random_string(9, "abcdefghijklmnopqrstuvwxyz")
-end
-
 local function splitlines(s)
   local lines = {}
   local _, i, j
@@ -190,7 +187,7 @@ local function irc_connect(host, port, nick, user, pass)
   if pass then
     commands[#commands + 1] = irc_compose_message(nil, "PASS", pass)
   end
-  nick = nick or random_nick()
+  nick = nick or rand.random_alpha(9)
   commands[#commands + 1] = irc_compose_message(nil, "NICK", nick)
   user = user or nick
   commands[#commands + 1] = irc_compose_message(nil, "USER", user, "8", "*", user)

scripts/irc-brute.nse

@@ -4,6 +4,7 @@ local creds = require "creds"
 local match = require "match"
 local irc = require "irc"
 local stdnse = require "stdnse"
+local rand = require "rand"
 
 description=[[
 Performs brute force password auditing against IRC (Internet Relay Chat) servers.
@@ -87,12 +88,8 @@ Driver = {
   disconnect = function(self) return self.socket:close() end,
 }
 
-local function random_nick()
-  return stdnse.generate_random_string(9, "abcdefghijklmnopqrstuvwxyz")
-end
-
 local function needsPassword(host, port)
-  local msg = ("NICK %s\r\nUSER anonymous 0 * :Nmap brute\r\n"):format(random_nick())
+  local msg = ("NICK %s\r\nUSER anonymous 0 * :Nmap brute\r\n"):format(rand.random_alpha(9))
   local s, r, opts, _ = comm.tryssl(host, port, msg, { timeout = 15000 } )
   local err, code
 

scripts/irc-info.nse

@@ -3,6 +3,7 @@ local nmap = require "nmap"
 local math = require "math"
 local irc = require "irc"
 local stdnse = require "stdnse"
+local rand = require "rand"
 
 description = [[
 Gathers information from an IRC server.
@@ -48,12 +49,8 @@ portrule = irc.portrule
 
 local banner_timeout = 60
 
-local function random_nick ()
-  return stdnse.generate_random_string(9, "abcdefghijklmnopqrstuvwxyz")
-end
-
 function action (host, port)
-  local nick = random_nick()
+  local nick = rand.random_alpha(9)
 
   local output = stdnse.output_table()
 
@@ -85,7 +82,7 @@ function action (host, port)
     -- NICK already in use
     info = line:match "^:([%w-_.]+) 433"
     if info then
-      nick = random_nick()
+      nick = rand.random_alpha(9)
       sd:send("NICK " .. nick .. "\n")
     end
 

scripts/oracle-enum-users.nse

@@ -4,6 +4,7 @@ local stdnse = require "stdnse"
 local table = require "table"
 local tns = require "tns"
 local unpwdb = require "unpwdb"
+local rand = require "rand"
 
 local openssl = stdnse.silent_require "openssl"
 
@@ -103,7 +104,7 @@ action = function( host, port )
   -- Check for some known bad accounts
   count = 0
   for i=1, 10 do
-    local user = stdnse.generate_random_string(10,
+    local user = rand.random_string(10,
       "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_")
     status, salt = checkAccount(host, port, user)
     if( not(status) ) then return salt  end

scripts/rtsp-url-brute.nse

@@ -5,6 +5,7 @@ local rtsp = require "rtsp"
 local shortport = require "shortport"
 local stdnse = require "stdnse"
 local table = require "table"
+local rand = require "rand"
 
 description = [[
 Attempts to enumerate RTSP media URLS by testing for common paths on devices such as surveillance IP cameras.
@@ -140,7 +141,7 @@ action = function(host, port)
   -- Try to see what a nonexistent URL looks like
   local status, response = fetch_url(
     host, port, ("rtsp://%s/%s"):format(
-      stdnse.get_hostname(host), stdnse.generate_random_string(14))
+      stdnse.get_hostname(host), rand.rand_alpha(14))
     )
   local status_404 = 404
   if status then

scripts/smb-brute.nse

@@ -5,6 +5,7 @@ local stdnse = require "stdnse"
 local string = require "string"
 local table = require "table"
 local unpwdb = require "unpwdb"
+local rand = require "rand"
 
 description = [[
 Attempts to guess username/password combinations over SMB, storing discovered combinations
@@ -172,9 +173,8 @@ local special_passwords = { USERNAME, USERNAME_REVERSED }
 --@param length (optional) The length of the string to return. Default: 8.
 --@param set    (optional) The set of letters to choose from. Default: upper, lower, numbers, and underscore.
 --@return The random string.
-local function get_random_string(length, set)
+local function get_random_string(length)
-  return stdnse.generate_random_string(length or 8,
+  return rand.random_string(length, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_")
-    set or "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_")
 end
 
 ---Splits a string in the form "domain\user" into domain and user.

scripts/smb-vuln-ms06-025.nse

@@ -3,6 +3,7 @@ local nmap = require "nmap"
 local smb = require "smb"
 local stdnse = require "stdnse"
 local vulns = require "vulns"
+local rand = require "rand"
 
 description = [[
 Detects Microsoft Windows systems with Ras RPC service vulnerable to MS06-025.
@@ -103,7 +104,7 @@ function check_ms06_025(host)
   req = msrpc.RRAS_marshall_RequestBuffer(
     0x01,
     msrpc.RRAS_RegTypes['GETDEVCONFIG'],
-    stdnse.generate_random_string(3000, "0123456789abcdefghijklmnoprstuvzxwyABCDEFGHIJKLMNOPRSTUVZXWY"))
+    rand.random_string(3000, "0123456789abcdefghijklmnoprstuvzxwyABCDEFGHIJKLMNOPRSTUVZXWY"))
   status, sr_result = msrpc.RRAS_SubmitRequest(smbstate, req)
   msrpc.stop_smb(smbstate)
   --sanity check

scripts/ssh-auth-methods.nse

@@ -1,6 +1,7 @@
 local shortport = require "shortport"
 local stdnse = require "stdnse"
 local libssh2_util = require "libssh2-utility"
+local rand = require "rand"
 
 description = [[
 Returns authentication methods that a SSH server supports.
@@ -24,7 +25,7 @@ author = "Devin Bjelland"
 license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
 categories = {"auth", "intrusive"}
 
-local username = stdnse.get_script_args("ssh.user") or stdnse.generate_random_string(5)
+local username = stdnse.get_script_args("ssh.user") or rand.random_alpha(5)
 portrule = shortport.port_or_service(22, 'ssh')
 
 function action (host, port)

scripts/targets-ipv6-multicast-slaac.nse

@@ -1,6 +1,5 @@
 local coroutine = require "coroutine"
 local ipOps = require "ipOps"
-local math = require "math"
 local nmap = require "nmap"
 local packet = require "packet"
 local stdnse = require "stdnse"
@@ -8,6 +7,7 @@ local string = require "string"
 local tab = require "tab"
 local table = require "table"
 local target = require "target"
+local rand = require "rand"
 
 description = [[
 Performs IPv6 host discovery by triggering stateless address auto-configuration
@@ -59,7 +59,7 @@ end
 -- @return A 16-byte string of IPv6 address, and the length of the prefix.
 local function get_random_ula_prefix(local_scope)
   local ula_prefix
-  local global_id = string.char(math.random(256)-1,math.random(256)-1,math.random(256)-1,math.random(256)-1,math.random(256)-1)
+  local global_id = rand.random_string(5)
 
   if local_scope then
     ula_prefix = ipOps.ip_to_str("fd00::")

scripts/tftp-enum.nse

@@ -4,6 +4,7 @@ local shortport = require "shortport"
 local stdnse = require "stdnse"
 local string = require "string"
 local table = require "table"
+local rand = require "rand"
 
 description = [[
 Enumerates TFTP (trivial file transfer protocol) filenames by testing
@@ -175,7 +176,7 @@ local check_file_present = function(host, port, filename)
 end
 
 local check_open_tftp = function(host, port)
-  local random_name = stdnse.generate_random_string(8, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_")
+  local random_name = rand.random_string(8, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_")
   local ret_value = check_file_present(host, port, random_name)
   if (ret_value == FILE_FOUND or ret_value == FILE_NOT_FOUND) then
     return true

scripts/tls-ticketbleed.nse

@@ -6,6 +6,7 @@ local stdnse = require("stdnse")
 local table = require("table")
 local tls = require "tls"
 local vulns = require("vulns")
+local rand = require "rand"
 
 description = [[
 Detects whether a server is vulnerable to the F5 Ticketbleed bug (CVE-2016-9244).
@@ -207,7 +208,7 @@ local function is_vuln(host, port, version)
   -- reduces the chance of a false positive caused by the server
   -- issuing us a new, valid session ID that just happens to match the
   -- random one we provided.
-  local sid_old = stdnse.generate_random_string(16)
+  local sid_old = rand.random_string(16)
 
   local hello = tls.client_hello({
     ["protocol"] = version,