tftp-enum: Don't brute cisco names with custom wordlists. Fixes #117. Closes #355

2025-12-10 06:31:30 +00:00 · 2016-08-30 18:59:57 +00:00
parent 8b46e5e3c3
commit 3d377e07ee
3 changed files with 31 additions and 12 deletions
--- a/4
+++ b/4
@@ -1,5 +1,9 @@
 # Nmap Changelog ($Id$); -*-text-*-

+o [GH#117][NSE] tftp-enum now only brute-forces IP-address-based Cisco filenames when
+  the wordlist contains "{cisco}". Previously, custom wordlists would still end
+  up sending these extra 256 requests. [Sriram Raghunathan]
+
 o [NSE] Fix a crash when parsing TLS certificates that OpenSSL doesn't support,
  like DH certificates or corrupted certs. When this happens, ssl-enum-ciphers
  will label the ciphersuite strength as "unknown." Reported by Bertrand
--- a/nselib/data/tftplist.txt
+++ b/nselib/data/tftplist.txt
@@ -101,6 +101,7 @@ boot.txt
 bootrom.ld
 bridge-confg
 cfg.bin
+{cisco}
 cisco-confg
 cisco_util
 cisconet.bin
--- a/scripts/tftp-enum.nse
+++ b/scripts/tftp-enum.nse
@@ -78,15 +78,36 @@ end

 local generate_filenames = function(host)
  local customlist = stdnse.get_script_args('tftp-enum.filelist')
+  local cisco = false
  local status, default_filenames = datafiles.parse_file(customlist or "nselib/data/tftplist.txt" , {})
  if not status then
    stdnse.debug1("Can not open file with tftp file names list")
    return {}
+  else
+
+    for i, filename in ipairs(default_filenames) do
+      if filename:match('{[Mm][Aa][Cc]}') then
+        if not host.mac_addr then
+          goto next_filename
+        else
+          filename = filename:gsub('{M[Aa][Cc]}', string.upper(stdnse.tohex(host.mac_addr)))
+          filename = filename:gsub('{m[aA][cC]}', stdnse.tohex(host.mac_addr))
+        end
      end

-  local cisco_address_confg_filenames = generate_cisco_address_confg(host.ip)
+      if filename:match('{cisco}') then
+        cisco = true
+        table.remove(default_filenames,i)
+      end
+      ::next_filename::
+    end

+    if cisco == true then
+      local cisco_address_confg_filenames = generate_cisco_address_confg(host.ip)
      return array_concat(default_filenames, cisco_address_confg_filenames)
+    end
+  end
+  return default_filenames
 end


@@ -103,6 +124,7 @@ local check_file_present = function(host, port, filename)
  local socket = nmap.new_socket()
  socket:connect(host, port)
  local status, lhost, lport, rhost, rport = socket:get_info()
+  stdnse.debug1("lhost: %s, lport: %s", lhost, lport);


  if (not (status)) then
@@ -178,18 +200,10 @@ action = function(host, port)
  local filenames = generate_filenames(host)

  for i, filename in ipairs(filenames) do
-    if filename:match('{[Mm][Aa][Cc]}') then
-      if not host.mac_addr then
-        goto next_filename
-      end
-      filename = filename:gsub('{MAC}', string.upper(stdnse.tohex(host.mac_addr)))
-      filename = filename:gsub('{mac}', stdnse.tohex(host.mac_addr))
-    end
    local request_status = check_file_present(host, port, filename)
    if (request_status == FILE_FOUND) then
      table.insert(results, filename)
    end
-    ::next_filename::
  end

  return stdnse.format_output(true, results)