PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-09 14:11:29 +00:00
Code Issues Projects Releases Wiki Activity

Add the x11-access.nse script by vladz. See

Browse Source 
http://seclists.org/nmap-dev/2009/q3/0479.html.
This commit is contained in:
david
2009-08-08 19:49:05 +00:00
parent 8341de219a
commit 2f54cb191f
3 changed files with 84 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
CHANGELOG
View File

@@ -1,4 +1,9 @@
# Nmap Changelog ($Id$); -*-text-*- # Nmap Changelog ($Id$); -*-text-*-
o Added the x11-access.nse script that checks if access to an X11
server is allowed (as with "xhost +" for example). The script was
written by vladz.
o Added explicit casts to (int)(unsigned char) for arguments to ctype function o Added explicit casts to (int)(unsigned char) for arguments to ctype function
calls in nmap, ncat and nbase. Thanks to Solar Designer for pointing out calls in nmap, ncat and nbase. Thanks to Solar Designer for pointing out
the need and fix for this. [Josh] the need and fix for this. [Josh]

2
scripts/script.db
View File

@@ -14,6 +14,7 @@ Entry { filename = "ftp-brute.nse", categories = { "auth", "intrusive", } }
Entry { filename = "html-title.nse", categories = { "default", "discovery", "safe", } } Entry { filename = "html-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-auth.nse", categories = { "auth", "default", "intrusive", } } Entry { filename = "http-auth.nse", categories = { "auth", "default", "intrusive", } }
Entry { filename = "http-date.nse", categories = { "discovery", "safe", } } Entry { filename = "http-date.nse", categories = { "discovery", "safe", } }
Entry { filename = "http-enum.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-iis-webdav-vuln.nse", categories = { "intrusive", "vuln", } } Entry { filename = "http-iis-webdav-vuln.nse", categories = { "intrusive", "vuln", } }
Entry { filename = "http-open-proxy.nse", categories = { "default", "discovery", "external", "intrusive", } } Entry { filename = "http-open-proxy.nse", categories = { "default", "discovery", "external", "intrusive", } }
Entry { filename = "http-passwd.nse", categories = { "intrusive", "vuln", } } Entry { filename = "http-passwd.nse", categories = { "intrusive", "vuln", } }
@@ -59,3 +60,4 @@ Entry { filename = "sslv2.nse", categories = { "default", "safe", } }
Entry { filename = "telnet-brute.nse", categories = { "auth", "intrusive", } } Entry { filename = "telnet-brute.nse", categories = { "auth", "intrusive", } }
Entry { filename = "upnp-info.nse", categories = { "default", "safe", } } Entry { filename = "upnp-info.nse", categories = { "default", "safe", } }
Entry { filename = "whois.nse", categories = { "discovery", "external", "safe", } } Entry { filename = "whois.nse", categories = { "discovery", "external", "safe", } }
Entry { filename = "x11-access.nse", categories = { "default", "safe", } }

77
scripts/x11-access.nse Normal file
View File

@@ -0,0 +1,77 @@
-- NSE x11-access v1.3
description = [[
Checks if you're allowed to connect to the X server
If the X server is listening on TCP port 6000+n (where n is the display
number), it is possible to check if you're able to get connected to the
remote display by sending a X11 initial connection request.
In reply, the success byte (0x00 or 0x01) will determine if you are in
the "xhost +" list. In this case, script will display the message: "X
server access is granted".
]]
-- @output
-- Host script results:
-- |_ x11-access: X server access is granted
author = "vladz <vladz@devzero.fr>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "safe"}
portrule = function( host, port )
if
port.number >= 6000 and port.number <= 6009
and string.match(port.service, "^X11")
-- If port.version.product is not equal to nil, version
-- detection "-sV" has already done this X server test.
and port.version.product == nil
then
return true
end
end
action = function(host, port)
local result, socket, try, catch
socket = nmap.new_socket()
catch = function()
socket:close()
end
try = nmap.new_try(catch)
try(socket:connect(host.ip, port.number))
-- Sending the network dump of a x11 connection request (captured
-- from the XOpenDisplay() function):
--
-- 0x6c 0x00 0x0b 0x00 0x00 0x00 0x00
-- 0x00 0x00 0x00 0x00 0x00 0x00
try(socket:send("\108\000\011\000\000\000\000\000\000\000\000\000"))
-- According to the XOpenDisplay() sources, server answer is
-- stored in a xConnSetupPrefix structure [1]. The function
-- returns NULL if it does not succeed, and more precisely: When
-- the success field of this structure (stored on 1 byte) is not
-- equal to xTrue [2]. For more information, see the Xlib
-- programming Manual [3].
--
-- [1] xConnSetupPrefix structure is defined in X11/Xproto.h.
-- [2] xTrue = 0x01 according to X11/Xproto.h.
-- [3] http://www.sbin.org/doc/Xlib
result = try(socket:receive_bytes(1))
socket:close()
-- Check if first byte received is 0x01 (xTrue: succeed).
if
string.match(result, "^\001")
then
return "X server access is granted"
end
return
end