
Some string optimizations in NSE

Changes fall into these categories:

1. Avoid pathological string building. Loops over x = x .. "foo" can
become very slow. Instead, use strbuf.lua, table.concat, or just one
continuous concatenation; a = x .. y .. z is one operation, better than
a = x .. y; a = a .. z

2. Use hex-escaped strings instead of string.char. I find this more
readable in many cases, and it avoids a table lookup and function call.

3. Don't duplicate code. A few libraries and scripts had re-implemented
stdnse.generate_random_string or openssl.rand_bytes.
This commit is contained in:
dmiller
2014-09-03 04:49:54 +00:00
parent 25725d369e
commit 40f36a4e3e
26 changed files with 202 additions and 243 deletions


@@ -67,11 +67,11 @@ end
--
-- @return mac_addr string containing a random MAC
local function randomizeMAC()
local mac_addr = ""
local mac_addr = {}
for j=1, 6 do
mac_addr = mac_addr .. string.char(math.random(1, 255))
mac_addr[j] = string.char(math.random(1, 255))
end
return mac_addr
return table.concat(mac_addr)
end
-- Gets a list of available interfaces based on link and up filters
@@ -143,7 +143,7 @@ action = function()
-- randomizing the MAC could exhaust dhcp servers with small scopes
-- if ran multiple times, so we should probably refrain from doing
-- this?
local mac = string.char(0xDE,0xAD,0xC0,0xDE,0xCA,0xFE)--randomizeMAC()
local mac = "\xDE\xAD\xC0\xDE\xCA\xFE" --randomizeMAC()
local interfaces
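Review bot: randomizeMAC (first hunk) can return a group/multicast address, because the first octet is drawn from the full 1–255 range and nothing clears its low bit; a locally-administered unicast MAC needs bit 0 of the first byte clear and bit 1 set, e.g. `mac_addr[1] = string.char(bit.bor(bit.band(math.random(0, 255), 0xFC), 0x02))` if the `bit` library is required in this file. The same applies to the randomize_mac loop in the later go(host, port) section. The call on the second hunk's line is still commented out, so randomizeMAC is unused after this change; a short comment saying why it is kept would help the next reader.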


@@ -266,12 +266,12 @@ function create_das_packet( magic, data )
packet.header = {}
packet.header.raw = string.char(0x00, 0x00, 0x00, 0x00, 0x44, 0x42, 0x32, 0x44, 0x41, 0x53, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20)
packet.header.raw = packet.header.raw .. string.char(0x01, 0x04, 0x00, 0x00, 0x00, 0x10, 0x39, 0x7a, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
packet.header.raw = packet.header.raw .. string.char(0x00, 0x00, 0x00, 0x00 )
packet.header.raw = packet.header.raw .. bin.pack("C", magic)
packet.header.raw = packet.header.raw .. bin.pack("S", data_len)
packet.header.raw = packet.header.raw .. string.char(0x00, 0x00)
packet.header.raw = "\x00\x00\x00\x00\x44\x42\x32\x44\x41\x53\x20\x20\x20\x20\x20\x20"
.. "\x01\x04\x00\x00\x00\x10\x39\x7a\x00\x05\x00\x00\x00\x00\x00\x00"
.. "\x00\x00\x00\x00"
.. bin.pack("C", magic)
.. bin.pack("S", data_len)
.. "\x00\x00"
packet.header.data_len = data_len
packet.data = data
@@ -304,7 +304,7 @@ action = function(host, port)
-- ************************************************************************************
-- Transaction block 1
-- ************************************************************************************
local data = string.char(0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4a, 0x00)
local data = "\x00\x00\x00\x0d\x00\x00\x00\x0c\x00\x00\x00\x4a\x00"
--try(socket:send(query))
local db2packet = create_das_packet(0x02, data)
@@ -315,10 +315,10 @@ action = function(host, port)
-- ************************************************************************************
-- Transaction block 2
-- ************************************************************************************
data = string.char(0x00, 0x00, 0x00, 0x2c, 0x00, 0x00, 0x00)
data = data .. string.char(0x0c, 0x00, 0x00, 0x00, 0x08, 0x59, 0xe7, 0x1f, 0x4b, 0x79, 0xf0, 0x90, 0x72, 0x85, 0xe0, 0x8f)
data = data .. string.char(0x3e, 0x38, 0x45, 0x38, 0xe3, 0xe5, 0x12, 0xc4, 0x3b, 0xe9, 0x7d, 0xe2, 0xf5, 0xf0, 0x78, 0xcc)
data = data .. string.char(0x81, 0x6f, 0x87, 0x5f, 0x91)
data = "\x00\x00\x00\x2c\x00\x00\x00"
.. "\x0c\x00\x00\x00\x08\x59\xe7\x1f\x4b\x79\xf0\x90\x72\x85\xe0\x8f"
.. "\x3e\x38\x45\x38\xe3\xe5\x12\xc4\x3b\xe9\x7d\xe2\xf5\xf0\x78\xcc"
.. "\x81\x6f\x87\x5f\x91"
db2packet = create_das_packet(0x05, data)
@@ -328,12 +328,12 @@ action = function(host, port)
-- ************************************************************************************
-- Transaction block 3
-- ************************************************************************************
data = string.char(0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4a, 0x01, 0x00, 0x00, 0x00)
data = data .. string.char(0x10, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00)
data = data .. string.char(0x20, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x04, 0xb8, 0x64, 0x62, 0x32)
data = data .. string.char(0x64, 0x61, 0x73, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x44, 0x73, 0x63, 0x76, 0x00, 0x00, 0x00, 0x00)
data = data .. string.char(0x20, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x04, 0xb8, 0x64, 0x62, 0x32)
data = data .. string.char(0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x44, 0x73, 0x63, 0x76, 0x53, 0x72, 0x76, 0x00)
data = "\x00\x00\x00\x0d\x00\x00\x00\x0c\x00\x00\x00\x4a\x01\x00\x00\x00"
.. "\x10\x00\x00\x00\x0c\x00\x00\x00\x4c\xff\xff\xff\xff\x00\x00\x00"
.. "\x20\x00\x00\x00\x0c\x00\x00\x00\x04\x00\x00\x04\xb8\x64\x62\x32"
.. "\x64\x61\x73\x4b\x6e\x6f\x77\x6e\x44\x73\x63\x76\x00\x00\x00\x00"
.. "\x20\x00\x00\x00\x0c\x00\x00\x00\x04\x00\x00\x04\xb8\x64\x62\x32"
.. "\x4b\x6e\x6f\x77\x6e\x44\x73\x63\x76\x53\x72\x76\x00"
db2packet = create_das_packet(0x0a, data)
send_db2_packet( socket, db2packet )
@@ -342,34 +342,34 @@ action = function(host, port)
-- ************************************************************************************
-- Transaction block 4
-- ************************************************************************************
data = string.char(0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4a, 0x01, 0x00, 0x00, 0x00)
data = data .. string.char(0x20, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03)
data = data .. string.char(0x48, 0x00, 0x00, 0x00, 0x00, 0x4a, 0xfb, 0x42, 0x90, 0x00, 0x00, 0x24, 0x93, 0x00, 0x00, 0x00)
data = data .. string.char(0x10, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00)
data = data .. string.char(0x10, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00)
data = data .. string.char(0x20, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x04, 0xb8, 0x64, 0x62, 0x32)
data = data .. string.char(0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x44, 0x73, 0x63, 0x76, 0x53, 0x72, 0x76, 0x00, 0x00, 0x00, 0x00)
data = data .. string.char(0x20, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x04, 0xb8, 0x64, 0x62, 0x32)
data = data .. string.char(0x64, 0x61, 0x73, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x44, 0x73, 0x63, 0x76, 0x00, 0x00, 0x00, 0x00)
data = data .. string.char(0x0c, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00)
data = data .. string.char(0x0c, 0x00, 0x00, 0x00, 0x4c, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00)
data = data .. string.char(0x0c, 0x00, 0x00, 0x00, 0x4c, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00)
data = data .. string.char(0x0c, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x04, 0xb8, 0x00)
data = "\x00\x00\x00\x0d\x00\x00\x00\x0c\x00\x00\x00\x4a\x01\x00\x00\x00"
.. "\x20\x00\x00\x00\x0c\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x03"
.. "\x48\x00\x00\x00\x00\x4a\xfb\x42\x90\x00\x00\x24\x93\x00\x00\x00"
.. "\x10\x00\x00\x00\x0c\x00\x00\x00\x4c\xff\xff\xff\xff\x00\x00\x00"
.. "\x10\x00\x00\x00\x0c\x00\x00\x00\x4c\xff\xff\xff\xff\x00\x00\x00"
.. "\x20\x00\x00\x00\x0c\x00\x00\x00\x04\x00\x00\x04\xb8\x64\x62\x32"
.. "\x4b\x6e\x6f\x77\x6e\x44\x73\x63\x76\x53\x72\x76\x00\x00\x00\x00"
.. "\x20\x00\x00\x00\x0c\x00\x00\x00\x04\x00\x00\x04\xb8\x64\x62\x32"
.. "\x64\x61\x73\x4b\x6e\x6f\x77\x6e\x44\x73\x63\x76\x00\x00\x00\x00"
.. "\x0c\x00\x00\x00\x0c\x00\x00\x00\x04\x00\x00\x00\x10\x00\x00\x00"
.. "\x0c\x00\x00\x00\x4c\xff\xff\xff\xff\x00\x00\x00\x10\x00\x00\x00"
.. "\x0c\x00\x00\x00\x4c\xff\xff\xff\xff\x00\x00\x00\x11\x00\x00\x00"
.. "\x0c\x00\x00\x00\x04\x00\x00\x04\xb8\x00"
db2packet = create_das_packet(0x06, data)
send_db2_packet( socket, db2packet )
data = string.char( 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x04, 0x00)
data = data .. string.char(0x00, 0x04, 0xb8, 0x64, 0x62, 0x32, 0x64, 0x61, 0x73, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x44, 0x73)
data = data .. string.char(0x63, 0x76, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x04, 0x00)
data = data .. string.char(0x00, 0x04, 0xb8, 0x64, 0x62, 0x32, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x44, 0x73, 0x63, 0x76, 0x53)
data = data .. string.char(0x72, 0x76, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0x00)
data = data .. string.char(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0x00)
data = data .. string.char(0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0x00)
data = data .. string.char(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x08, 0x00)
data = data .. string.char(0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x01, 0x00)
data = data .. string.char(0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x0c, 0x00)
data = data .. string.char(0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x18)
data = "\x00\x00\x00\x20\x00\x00\x00\x0c\x00\x00\x00\x04\x00"
.. "\x00\x04\xb8\x64\x62\x32\x64\x61\x73\x4b\x6e\x6f\x77\x6e\x44\x73"
.. "\x63\x76\x00\x00\x00\x00\x20\x00\x00\x00\x0c\x00\x00\x00\x04\x00"
.. "\x00\x04\xb8\x64\x62\x32\x4b\x6e\x6f\x77\x6e\x44\x73\x63\x76\x53"
.. "\x72\x76\x00\x00\x00\x00\x10\x00\x00\x00\x0c\x00\x00\x00\x4c\x00"
.. "\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x0c\x00\x00\x00\x4c\x00"
.. "\x00\x00\x01\x00\x00\x00\x10\x00\x00\x00\x0c\x00\x00\x00\x4c\x00"
.. "\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x0c\x00\x00\x00\x08\x00"
.. "\x00\x00\x10\x00\x00\x00\x0c\x00\x00\x00\x4c\x00\x00\x00\x01\x00"
.. "\x00\x00\x18\x00\x00\x00\x0c\x00\x00\x00\x08\x00\x00\x00\x0c\x00"
.. "\x00\x00\x0c\x00\x00\x00\x18"
db2packet = create_das_packet(0x06, data)
send_db2_packet( socket, db2packet )
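Review bot: In create_das_packet, `bin.pack("S", data_len)` carries no explicit byte-order marker, whereas the ntp section of this same commit switches its length field to `'>S'`; if DAS expects a fixed on-wire order the format should say so (`bin.pack(">S", data_len)` or `"<S"`), since a bare `S` depends on the bin library's default. create_das_packet starts outside the hunk, so where data_len comes from is not visible here. The transaction blocks in the later hunks are now opaque escape strings; a one-line comment per block naming the request it carries would keep them reviewable.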


@@ -96,10 +96,11 @@ local function go(host, port)
local mac_addr = host.mac_addr_src
if(nmap.registry.args.randomize_mac == 'true' or nmap.registry.args.randomize_mac == '1') then
stdnse.debug2("Generating a random MAC address")
mac_addr = ""
mac_addr = {}
for j=1, 6, 1 do
mac_addr = mac_addr .. string.char(math.random(1, 255))
mac_addr[i] = string.char(math.random(1, 255))
end
mac_addr = table.concat(mac_addr)
end
local iface, err = nmap.get_interface_info(host.interface)
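Review bot: The line `mac_addr[i] = string.char(math.random(1, 255))` indexes with `i`, but the loop variable is `j`; unless an `i` is in scope from outside the hunk this is `mac_addr[nil]`, which raises "table index is nil" at runtime, and if an `i` does exist the loop overwrites a single slot six times. It should read `mac_addr[j] = string.char(math.random(1, 255))`. The enclosing function go(host, port) starts outside the hunk.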


@@ -29,8 +29,16 @@ portrule = shortport.portnumber(53, "udp")
action = function(host, port)
-- generate dns query, Transaction-ID 0xdead, www.wikipedia.org (type A, class IN)
local request = string.char(0xde, 0xad, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03) .. "www" .. string.char(0x09) .. "wikipedia" .. string.char(0x03) .. "org" .. string.char(0x00, 0x00, 0x01, 0x00, 0x01)
-- generate dns query
local request = "\xde\xad" -- Transaction-ID 0xdead
.. "\x01\x00" -- flags (recursion desired)
.. "\x00\x01" -- 1 question
.. "\x00\x00" -- 0 answers
.. "\x00\x00" -- 0 authority
.. "\x00\x00" -- 0 additional
.. "\x03www\x09wikipedia\x03org\x00" -- www.wikipedia.org.
.. "\x00\x01" -- type A
.. "\x00\x01" -- class IN
local status, result = comm.exchange(host, port, request, {proto="udp"})


@@ -125,12 +125,12 @@ local function requestFileScan(filename)
local shortfile = filename:match("^.*[\\/](.*)$")
local boundary = "----------------------------nmapboundary"
local header = { ["Content-Type"] = ("multipart/form-data; boundary=%s"):format(boundary) }
local postdata = ("--%s\r\n"):format(boundary)
postdata = postdata .. "Content-Disposition: form-data; name=\"apikey\"\r\n\r\n"
postdata = postdata .. arg_apiKey .. "\r\n"
postdata = postdata .. ("--%s\r\n" ..
"Content-Disposition: form-data; name=\"file\"; filename=\"%s\"\r\n" ..
"Content-Type: text/plain\r\n\r\n%s\r\n--%s--\r\n"):format(boundary, shortfile, str, boundary)
local postdata = ("--%s\r\n"
.. 'Content-Disposition: form-data; name="apikey"\r\n\r\n'
.. "%s\r\n"
.. "--%s\r\n"
.. 'Content-Disposition: form-data; name="file"; filename="%s"\r\n'
.. "Content-Type: text/plain\r\n\r\n%s\r\n--%s--\r\n"):format(boundary, arg_apiKey, boundary, shortfile, str, boundary)
local host = "www.virustotal.com"
local port = { number = 80, protocol = "tcp" }
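Review bot: The multipart body is built with the fixed boundary `----------------------------nmapboundary` and the file content `str` is spliced in verbatim, so a submitted file that happens to contain that boundary string terminates the part early and the upload is truncated or rejected. A per-request random boundary, e.g. `local boundary = "----nmap" .. stdnse.generate_random_string(24, "0123456789abcdef")`, avoids this and uses the helper this commit standardises on elsewhere. Separately, `shortfile` is nil when `filename` has no path separator (the match on the hunk's first line requires one), and it is interpolated unescaped into the `filename="%s"` header. requestFileScan continues outside the hunk.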


@@ -89,11 +89,7 @@ Driver = {
}
local function random_nick()
local nick = ""
for i = 0, 8, 1 do
nick = nick .. string.char(math.random(97, 122)) -- lowercase ascii
end
return nick
return stdnse.generate_random_string(9, "abcdefghijklmnopqrstuvwxyz")
end
local function needsPassword(host, port)
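Review bot: random_nick has no doc comment, and the replacement hides the one fact a reader needs: the old loop ran 0..8 inclusive, which is why the literal is 9. Suggest `--- Generate a random 9-character lowercase nick for the brute attempts.` above the function. I cannot see a protocol reason for the length in the hunk, so the comment should not claim one.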


@@ -139,7 +139,7 @@ action = function( host, port )
local clock_start = nmap.clock_ms()
local ldap_anonymous_bind = string.char( 0x30, 0x0c, 0x02, 0x01, 0x01, 0x60, 0x07, 0x02, 0x01, 0x03, 0x04, 0x00, 0x80, 0x00 )
local ldap_anonymous_bind = "\x30\x0c\x02\x01\x01\x60\x07\x02\x01\x03\x04\x00\x80\x00"
local socket, _, opt = comm.tryssl( host, port, ldap_anonymous_bind, nil )
local base_dn = stdnse.get_script_args('ldap.base')
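Review bot: The new literal on `local ldap_anonymous_bind = "\x30\x0c..."` is an opaque 14-byte blob with no explanation of its structure, and the identical literal appears in the two following sections. A comment documenting the BER layout would make it reviewable: `-- BER: SEQUENCE{ messageID INTEGER 1, BindRequest [APPLICATION 0]{ version INTEGER 3, name "", simple "" } }`. Since three scripts carry the same constant, exporting it from the ldap library would fit the commit's own third category; the same comment applies to both later ldap hunks.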


@@ -105,7 +105,7 @@ function action(host,port)
-- In order to discover what protocol to use (SSL/TCP) we need to send a few bytes to the server
-- An anonymous bind should do it
local ldap_anonymous_bind = string.char( 0x30, 0x0c, 0x02, 0x01, 0x01, 0x60, 0x07, 0x02, 0x01, 0x03, 0x04, 0x00, 0x80, 0x00 )
local ldap_anonymous_bind = "\x30\x0c\x02\x01\x01\x60\x07\x02\x01\x03\x04\x00\x80\x00"
local _
socket, _, opt = comm.tryssl( host, port, ldap_anonymous_bind, nil )


@@ -120,7 +120,7 @@ function action(host,port)
-- In order to discover what protocol to use (SSL/TCP) we need to send a few bytes to the server
-- An anonymous bind should do it
local ldap_anonymous_bind = string.char( 0x30, 0x0c, 0x02, 0x01, 0x01, 0x60, 0x07, 0x02, 0x01, 0x03, 0x04, 0x00, 0x80, 0x00 )
local ldap_anonymous_bind = "\x30\x0c\x02\x01\x01\x60\x07\x02\x01\x03\x04\x00\x80\x00"
local _
socket, _, opt = comm.tryssl( host, port, ldap_anonymous_bind, nil )


@@ -34,14 +34,6 @@ categories = {"brute", "intrusive"}
portrule = shortport.port_or_service(9929, "nping-echo")
local function randombytes(x)
local bytes = ""
for i = 1, x do
bytes = bytes .. bin.pack("C", math.random(0x00, 0xff))
end
return bytes
end
local function readmessage(socket, length)
local msg = ""
while #msg < length do
@@ -103,8 +95,8 @@ Driver =
local NEP_CLIENT_MAC_ID = "NEPkeyforMACClient2Server"
local now = nmap.clock()
local seqb = randombytes(4)
local cnonce = randombytes(32)
local seqb = openssl.rand_bytes(4)
local cnonce = openssl.rand_bytes(32)
local nonce = snonce .. cnonce
local enckey = self:nepkey(password, nonce, NEP_CLIENT_CIPHER_ID)
local mackey = self:nepkey(password, nonce, NEP_CLIENT_MAC_ID)
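Review bot: The switch to `openssl.rand_bytes` in the second hunk makes the script depend on the openssl binding, which is absent in nmap builds without OpenSSL; the `require` line and any guard that skips the script when the module is unavailable are outside the hunk, so I cannot confirm they exist. If `nepkey` already uses openssl this is moot, but otherwise the portrule should check availability, e.g. `local have_openssl, openssl = pcall(require, "openssl")` and bail out when it is false. Using a CSPRNG for cnonce is an improvement over the removed math.random helper and is worth a comment on the `local cnonce` line.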


@@ -250,16 +250,15 @@ function getPrivateMode(impl, requestCode)
-- Request Code 8bits: e.g. 0x2a (MON_GETLIST_1)
-- Err 4bits: 0, Number of Data Items 12bits: 0
-- MBZ 4bits: 0, Size of Data Items 12bits: 0
pay = string.char(
return string.char(
0x17, 0x00, impl or 0x03, requestCode or 0x2a,
0x00, 0x00, 0x00, 0x00
)
-- Data 40 Octets: 0
pay = pay .. string.char(0x00):rep(40)
.. string.char(0x00):rep(40)
-- The following are optional if the Authenticated bit is set:
-- Encryption Keyid 4 Octets: 0
-- Message Authentication Code 16 Octets (MD5): 0
return pay
end
@@ -495,16 +494,16 @@ function make_udp_packet(response)
-- dummy headers
-- ip
local dh = string.char(0x45, 0x00)
dh = dh .. bin.pack('S', iplen)
dh = dh .. string.char(
0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-- udp
0x00, 0x00, 0x00, 0x00
)
dh = dh .. bin.pack('S', udplen)
dh = dh .. string.char(0x00, 0x00)
local dh = "\x45\x00" -- IPv4, 20-byte header, no DSCP, no ECN
.. bin.pack('>S', iplen) -- total length
.. "\x00\x00" -- IPID 0
.. "\x40\x00" -- DF
.. "\x40\x11" -- TTL 0x40, UDP (proto 17)
.. "\x00\x00" -- checksum 0
.. "\x00\x00\x00\x00\x00\x00\x00\x00" -- Source, destination 0.0.0.0
.. "\x00\x00\x00\x00" -- UDP source, dest port 0
.. bin.pack('S', udplen) -- UDP length
.. "\x00\x00" -- UDP checksum 0
return packet.Packet:new(dh .. response, iplen)
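Review bot: In make_udp_packet the IP total length is now packed big-endian with `bin.pack('>S', iplen)`, but the UDP length on the line `.. bin.pack('S', udplen) -- UDP length` still uses a bare `S`, so two length fields of the same dummy header are written in different byte orders; both are network-order fields, so it should be `bin.pack('>S', udplen)` as well. In getPrivateMode (first hunk), `string.char(0x00):rep(40)` could become `("\0"):rep(40)` to match the commit's own convention, and the comments that trail the return expression describe optional fields that are not emitted, so moving them above the `return` keeps them from reading as part of the statement.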


@@ -301,7 +301,7 @@ end
--@return The encrypted (or decrypted) data.
local function p2p_cipher(packet, key1, key2)
local i
local buf = ""
local buf = {}
for i = 1, #packet, 1 do
-- Do a 64-bit rotate on key1:key2
@@ -311,7 +311,7 @@ local function p2p_cipher(packet, key1, key2)
local k = bit.band(key1, 0x0FF)
-- Xor the current character and add it to the encrypted buffer
buf = buf .. string.char(bit.bxor(string.byte(packet, i), k))
buf[i] = string.char(bit.bxor(string.byte(packet, i), k))
-- Update the key with 'k'
key1 = key1 + k
@@ -323,7 +323,7 @@ local function p2p_cipher(packet, key1, key2)
end
end
return buf
return table.concat(buf)
end
---Decrypt the packet, verify it, and parse it. This function will fail with an error if the packet can't be
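Review bot: `local i` on the line before `local buf = {}` is now redundant: the loop `for i = 1, #packet, 1 do` declares its own `i`, and the new `buf[i] = ...` uses that loop variable, so the outer declaration only shadows it and luacheck will flag it as unused; drop `local i`. The loop body is split across the three hunks and partly outside them, so I am assuming no other writes to `buf` occur in the parts not shown.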


@@ -357,21 +357,21 @@ local function check_smbv2_dos(host)
end
-- From http://seclists.org/fulldisclosure/2009/Sep/0039.html with one change on the last line.
local buf = string.char(0x00, 0x00, 0x00, 0x90) .. -- Begin SMB header: Session message
string.char(0xff, 0x53, 0x4d, 0x42) .. -- Server Component: SMB
string.char(0x72, 0x00, 0x00, 0x00) .. -- Negociate Protocol
string.char(0x00, 0x18, 0x53, 0xc8) .. -- Operation 0x18 & sub 0xc853
string.char(0x00, 0x26) .. -- Process ID High: --> :) normal value should be ", 0x00, 0x00"
string.char(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xfe) ..
string.char(0x00, 0x00, 0x00, 0x00, 0x00, 0x6d, 0x00, 0x02, 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54) ..
string.char(0x57, 0x4f, 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52, 0x41, 0x4d, 0x20, 0x31) ..
string.char(0x2e, 0x30, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e, 0x30, 0x00) ..
string.char(0x02, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x73, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x57) ..
string.char(0x6f, 0x72, 0x6b, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x20, 0x33, 0x2e, 0x31, 0x61) ..
string.char(0x00, 0x02, 0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58, 0x30, 0x30, 0x32, 0x00, 0x02, 0x4c) ..
string.char(0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4e, 0x54, 0x20, 0x4c) ..
string.char(0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32, 0x00, 0x02, 0x53, 0x4d, 0x42, 0x20, 0x32, 0x2e) ..
string.char(0x30, 0x30, 0x32, 0x00)
local buf = "\x00\x00\x00\x90" .. -- Begin SMB header: Session message
"\xff\x53\x4d\x42" .. -- Server Component: SMB
"\x72\x00\x00\x00" .. -- Negociate Protocol
"\x00\x18\x53\xc8" .. -- Operation 0x18 & sub 0xc853
"\x00\x26" .. -- Process ID High: --> :) normal value should be "\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe" ..
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54" ..
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31" ..
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00" ..
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57" ..
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61" ..
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c" ..
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c" ..
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e" ..
"\x30\x30\x32\x00"
local socket = nmap.new_socket()
if(socket == nil) then


@@ -824,10 +824,11 @@ local function get_config(host, config)
elseif(nmap.registry.args.key) then
config.key = nmap.registry.args.key
else
config.key = ""
local tmp = {}
for i = 1, 127, 1 do
config.key = config.key .. string.char(math.random(0x20, 0x7F))
tmp[i] = string.char(math.random(0x20, 0x7F))
end
config.key = table.concat(tmp)
config.key_index = 0
end
@@ -1044,7 +1045,7 @@ end
--@args config The config file for this host (stores the encryption key).
--@return The decrypted string.
local function cipher(str, config)
local result = ""
local result = {}
if(config.key == "") then
return str
end
@@ -1056,10 +1057,10 @@ local function cipher(str, config)
config.key_index = config.key_index + 1
config.key_index = config.key_index % #config.key
result = result .. c
result[i] = c
end
return result
return table.concat(result)
end
local function get_overrides()
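Review bot: In get_config the 127-character key is still drawn from `math.random`, which is not a cryptographic source, even though this commit moves other scripts to `openssl.rand_bytes`; the loop is also exactly the pattern the commit's third category replaces, so `config.key = stdnse.generate_random_string(127, KEY_CHARSET)` with a module-level charset constant would apply here too, if stdnse is required in this file. Note `0x7F` is DEL rather than the last printable character; use `0x7E` if the key is meant to be printable. In cipher (last hunk), `result[i] = c` relies on `i` being the index of a loop whose header is outside the hunk; if that loop does not iterate 1..#str without gaps, `table.concat` will see holes.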


@@ -101,20 +101,20 @@ action = function(host)
pcap:pcap_open(host.interface, 64, false, "arp")
local test_static = host.mac_addr_src ..
string.char(0x08,0x06, 0x00,0x01, 0x08,0x00, 0x06,0x04, 0x00,0x01) ..
"\x08\x06\x00\x01\x08\x00\x06\x04\x00\x01" ..
host.mac_addr_src ..
host.bin_ip_src ..
string.char(0x00,0x00, 0x00,0x00, 0x00,0x00) ..
"\x00\x00\x00\x00\x00\x00" ..
host.bin_ip
local t = {
string.char(0xff,0xff, 0xff,0xff, 0xff,0xff), -- B32 no meaning?
string.char(0xff,0xff, 0xff,0xff, 0xff,0xfe), -- B31
string.char(0xff,0xff, 0x00,0x00, 0x00,0x00), -- B16
string.char(0xff,0x00, 0x00,0x00, 0x00,0x00), -- B8
string.char(0x01,0x00, 0x00,0x00, 0x00,0x00), -- G
string.char(0x01,0x00, 0x5e,0x00, 0x00,0x00), -- M0
string.char(0x01,0x00, 0x5e,0x00, 0x00,0x01), -- M1 no meaning?
string.char(0x01,0x00, 0x5e,0x00, 0x00,0x03), -- M3
"\xff\xff\xff\xff\xff\xff", -- B32 no meaning?
"\xff\xff\xff\xff\xff\xfe", -- B31
"\xff\xff\x00\x00\x00\x00", -- B16
"\xff\x00\x00\x00\x00\x00", -- B8
"\x01\x00\x00\x00\x00\x00", -- G
"\x01\x00\x5e\x00\x00\x00", -- M0
"\x01\x00\x5e\x00\x00\x01", -- M1 no meaning?
"\x01\x00\x5e\x00\x00\x03", -- M3
}
local v
local out = ""
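Review bot: `local out = ""` on the hunk's last line suggests an accumulator that is appended to in a loop beyond the hunk; if so, it is the same pattern this commit replaces elsewhere and could use a table with `table.concat`. The frame literal `"\x08\x06\x00\x01\x08\x00\x06\x04\x00\x01"` would benefit from a field comment, e.g. `-- EtherType ARP, HTYPE Ethernet, PTYPE IPv4, HLEN 6, PLEN 4, OPER request`, since the old string.char grouping hinted at those boundaries and the new literal does not.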


@@ -144,26 +144,24 @@ action = function(host, port)
-- build client hello packet (contents inspired by
-- http://mail.nessus.org/pipermail/plugins-writers/2004-October/msg00041.html )
local t = {};
table.insert(t, string.char(0x80, 0x31));
table.insert(t, string.char(0x01));
table.insert(t, string.char(0x00, 0x02));
table.insert(t, string.char(0x00, 0x18));
table.insert(t, string.char(0x00, 0x00));
table.insert(t, string.char(0x00, 0x10));
table.insert(t, string.char(0x07, 0x00, 0xc0));
table.insert(t, string.char(0x05, 0x00, 0x80));
table.insert(t, string.char(0x03, 0x00, 0x80));
table.insert(t, string.char(0x01, 0x00, 0x80));
table.insert(t, string.char(0x08, 0x00, 0x80));
table.insert(t, string.char(0x06, 0x00, 0x40));
table.insert(t, string.char(0x04, 0x00, 0x80));
table.insert(t, string.char(0x02, 0x00, 0x80));
table.insert(t, string.char(0xe4, 0xbd, 0x00, 0x00));
table.insert(t, string.char(0xa4, 0x41, 0xb6, 0x74));
table.insert(t, string.char(0x71, 0x2b, 0x27, 0x95));
table.insert(t, string.char(0x44, 0xc0, 0x3d, 0xc0));
ssl_v2_hello = table.concat(t, "")
ssl_v2_hello = "\x80\x31"
.. "\x01"
.. "\x00\x02"
.. "\x00\x18"
.. "\x00\x00"
.. "\x00\x10"
.. "\x07\x00\xc0"
.. "\x05\x00\x80"
.. "\x03\x00\x80"
.. "\x01\x00\x80"
.. "\x08\x00\x80"
.. "\x06\x00\x40"
.. "\x04\x00\x80"
.. "\x02\x00\x80"
.. "\xe4\xbd\x00\x00"
.. "\xa4\x41\xb6\x74"
.. "\x71\x2b\x27\x95"
.. "\x44\xc0\x3d\xc0"
socket:connect(host, port, "tcp");
socket:send(ssl_v2_hello);
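Review bot: `local t = {};` is kept as context but nothing uses it after this change, so it is dead code; remove it. The assignment `ssl_v2_hello = "\x80\x31"` has no `local` (the old line had none either), so unless it is declared earlier in action it creates a global; `local ssl_v2_hello = "\x80\x31"` keeps it script-scoped. A comment naming the fields would also help: the record length 0x31 = 49 = msg type (1) + version (2) + cipher-spec length 0x18 (2) + session-id length 0 (2) + challenge length 0x10 (2) + eight cipher specs (24) + challenge (16).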


@@ -35,7 +35,7 @@ categories = {"discovery", "intrusive"}
local STUXNET_PATHS = {"\\\\browser", "\\\\ntsvcs", "\\\\pipe\\browser", "\\\\pipe\\ntsvcs"}
local STUXNET_UUID = string.char(0xe1, 0x04, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46)
local STUXNET_UUID = "\xe1\x04\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
local STUXNET_VERSION = 0x01
local RPC_GET_VERSION = 0x00


@@ -45,12 +45,8 @@ local function build_invalid_extension_header(nxt_hdr)
-- bits; that instructs the receiver to send a Parameter Problem.
-- Option type 0x80 is unallocated; see
-- http://www.iana.org/assignments/ipv6-parameters/.
local ex_invalid_opt = string.char(0x80,0x01,0x00,0x00,0x00,0x00)
local ext_header =
string.char(nxt_hdr) .. --next header
string.char(0) .. -- length 8
ex_invalid_opt
return ext_header
return string.char(nxt_hdr, 0) .. --next header, length 8
"\x80\x01\x00\x00\x00\x00"
end
local function get_interfaces()
@@ -117,7 +113,7 @@ local function single_interface_broadcast(if_nfo, results)
probe.icmpv6_type = 254
probe.icmpv6_code = 0
-- Add a non-empty payload too.
probe.icmpv6_payload = string.char(0x00, 0x00, 0x00, 0x00)
probe.icmpv6_payload = "\x00\x00\x00\x00"
probe:build_icmpv6_header()
probe.exheader = build_invalid_extension_header(packet.IPPROTO_ICMPV6)
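Review bot: The comment on `return string.char(nxt_hdr, 0) .. --next header, length 8` conflates two fields: the second byte is Hdr Ext Len, whose value 0 denotes an 8-octet header because the field counts 8-octet units excluding the first eight. Suggest `-- next header, Hdr Ext Len 0 (= 8 octets)` and, on the literal line, `-- option type 0x80 (top bits 10: discard, send Parameter Problem), data len 1, data 0, then 3 Pad1 octets`. The comment block above the hunk already explains the option type, so only the byte layout is missing now that the `ex_invalid_opt` name is gone.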


@@ -155,39 +155,8 @@ local check_file_present = function(host, port, filename)
return FILE_NOT_FOUND
end
--- Generates a random string of the requested length. This can be used to check how hosts react to
-- weird username/password combinations.
-- @param length (optional) The length of the string to return. Default: 8.
-- @param set (optional) The set of letters to choose from. Default: upper, lower, numbers, and underscore.
-- @return The random string.
local function get_random_string(length, set)
if (length == nil) then
length = 8
end
if (set == nil) then
set = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"
end
local str = ""
-- Seed the random number, if we haven't already
if (not (nmap.registry.oracle_enum_users) or not (nmap.registry.oracle_enum_users.seeded)) then
math.randomseed(os.time())
nmap.registry.oracle_enum_users = {}
nmap.registry.oracle_enum_users.seeded = true
end
for i = 1, length, 1 do
local random = math.random(#set)
str = str .. string.sub(set, random, random)
end
return str
end
local check_open_tftp = function(host, port)
local random_name = get_random_string()
local random_name = stdnse.generate_random_string(8, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_")
local ret_value = check_file_present(host, port, random_name)
if (ret_value == FILE_FOUND or ret_value == FILE_NOT_FOUND) then
return true