PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2026-01-20 13:19:01 +00:00
Code Issues Projects Releases Wiki Activity

Let http-ntlm-info use smbauth functions for generating and parsing NTLM blobs

Browse Source
This commit is contained in:
dmiller
2016-01-08 02:57:24 +00:00
parent 43dedd7b0e
commit 2702b4d030
1 changed files with 10 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
scripts/http-ntlm-info.nse
View File

@@ -34,7 +34,7 @@ available.
-- | DNS_Domain_Name: somedomain.com -- | DNS_Domain_Name: somedomain.com
-- | DNS_Computer_Name: web-test2.somedomain.com -- | DNS_Computer_Name: web-test2.somedomain.com
-- | DNS_Tree_Name: somedomain.com -- | DNS_Tree_Name: somedomain.com
-- |_ OS_Version: 6.1 (Build 7601) -- |_ Product_Version: 6.1.7601
-- --
--@xmloutput --@xmloutput
-- <elem key="Target_Name">TELME</elem> -- <elem key="Target_Name">TELME</elem>
@@ -42,7 +42,7 @@ available.
-- <elem key="NetBIOS_Computer_Name">GT4</elem> -- <elem key="NetBIOS_Computer_Name">GT4</elem>
-- <elem key="DNS_Domain_Name">telme.somedomain.com</elem> -- <elem key="DNS_Domain_Name">telme.somedomain.com</elem>
-- <elem key="DNS_Computer_Name">gt4.telme.somedomain.com</elem> -- <elem key="DNS_Computer_Name">gt4.telme.somedomain.com</elem>
-- <elem key="Product_Version">5.0 (Build 2195)</elem> -- <elem key="Product_Version">5.0.2195</elem>
author = "Justin Cacak" author = "Justin Cacak"
@@ -52,26 +52,17 @@ categories = {"default", "discovery", "safe"}
portrule = shortport.http portrule = shortport.http
-- TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw== local auth_blob = base64.enc( select( 2,
-- Ref: http://davenport.sourceforge.net/ntlm.html#theType1Message smbauth.get_security_blob(nil, nil, nil, nil, nil, nil, nil,
local auth_blob = base64.enc(
"NTLMSSP\x00" ..
"\x01\x00\x00\x00" .. -- NTLM Type 1 message
bin.pack("<I", --flags
0x00000001 + -- Negotiate Unicode 0x00000001 + -- Negotiate Unicode
0x00000002 + -- Negotiate OEM strings 0x00000002 + -- Negotiate OEM strings
0x00000004 + -- Request Target 0x00000004 + -- Request Target
0x00000200 + -- Negotiate NTLM 0x00000200 + -- Negotiate NTLM
0x00008000 + -- Negotiate Always Sign 0x00008000 + -- Negotiate Always Sign
0x00080000 + -- Negotiate NTLM2 Key 0x00080000 + -- Negotiate NTLM2 Key
0x02000000 + -- Unknown
0x20000000 + -- Negotiate 128 0x20000000 + -- Negotiate 128
0x80000000 -- Negotiate 56 0x80000000 -- Negotiate 56
) .. ))
string.rep("\x00", 16) .. -- Supplied Domain and Workstation (empty)
bin.pack("CC<S", -- OS version info
6, 1, 7601) .. -- 6.1.7601, Win 7 SP1 or Server 2008 R2 SP1
"\x00\x00\x00\x0f" -- OS version info end (static 0x0000000f)
) )
action = function(host, port) action = function(host, port)
@@ -118,26 +109,11 @@ action = function(host, port)
output.DNS_Tree_Name = ntlm_decoded.dns_forest_name output.DNS_Tree_Name = ntlm_decoded.dns_forest_name
end end
-- Query product build version if available (typically OS version under Windows) if ntlm_decoded.os_major_version then
-- Use this method as certain open source HTTP NTLM implementations do not set correct flags output.Product_Version = ("%d.%d.%d"):format(
-- Compute offset for Target Name ntlm_decoded.os_major_version,
local target_offset = data:sub(17, 21) ntlm_decoded.os_minor_version,
local pos, target_offset_dec = bin.unpack("<I", target_offset) ntlm_decoded.os_build)
if #data > 48 and target_offset_dec ~= 48 then
-- Get product major version
local major_version = data:sub(49, 50)
local pos, major_version_dec = bin.unpack("C", major_version)
-- Get product minor version
local minor_version = data:sub(50, 51)
local pos, minor_version_dec = bin.unpack("C", minor_version)
-- Get product build version
local build = data:sub(51, 53)
local pos, build_dec = bin.unpack("<S", build)
output.Product_Version = major_version_dec .. "." .. minor_version_dec .. " (Build " .. build_dec .. ")"
end end
return output return output