PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-06 04:31:29 +00:00
Code Issues Projects Releases Wiki Activity

Some string optimizations in NSE

Browse Source 
Changes fall into these categories:

1. Avoid pathological string building. Loops over x = x .. "foo" can
become very slow. Instead, use strbuf.lua, table.concat, or just one
continuous concatenation; a = x .. y .. z is one operation, better than
a = x .. y; a = a .. z

2. Use hex-escaped strings instead of string.char. I find this more
readable in many cases, and it avoids a table lookup and function call.

3. Don't duplicate code. A few libraries and scripts had re-implemented
stdnse.generate_random_string or openssl.rand_bytes.
This commit is contained in:
dmiller
2014-09-03 04:49:54 +00:00
parent 25725d369e
commit 40f36a4e3e
26 changed files with 202 additions and 243 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
nselib/amqp.lua
View File

@@ -40,9 +40,9 @@ AMQP = {
-- version strings the client supports
client_version_strings = {
["0-8"] = string.char(0x01) .. string.char(0x01) .. string.char(0x08) .. string.char(0x00),
["0-9"] = string.char(0x00) .. string.char(0x00) .. string.char(0x09) .. string.char(0x00),
["0-9-1"] = string.char(0x00) .. string.char(0x00) .. string.char(0x09) .. string.char(0x01)
["0-8"] = "\x01\x01\x08\x00",
["0-9"] = "\x00\x00\x09\x00",
["0-9-1"] = "\x00\x00\x09\x01"
},
new = function(self, host, port)

51
nselib/cassandra.lua
View File

@@ -25,33 +25,28 @@ _ENV = stdnse.module("cassandra", stdnse.seeall)
]]--
-- Protocol magic strings
CASSANDRAREQ = string.char(0x80,0x01,0x00,0x01)
CASSANDRARESP = string.char(0x80,0x01,0x00,0x02)
CASSLOGINMAGIC = string.char(0x00, 0x00,0x00,0x01,0x0c,0x00,0x01,0x0d,0x00,0x01,0x0b,0x0b,0x00,0x00,0x00,0x02)
LOGINSUCC = string.char(0x00,0x00,0x00,0x01,0x00)
LOGINFAIL = string.char(0x00,0x00,0x00,0x01,0x0b)
LOGINACC = string.char(0x00,0x00,0x00,0x01,0x0c)
--Returns string in format length+string itself
--@param str to format
--@return str : string in format length+string itself
function pack4str (str)
return (bin.pack(">I",string.len(str)) .. str)
end
CASSANDRAREQ = "\x80\x01\x00\x01"
CASSANDRARESP = "\x80\x01\x00\x02"
CASSLOGINMAGIC = "\x00\x00\x00\x01\x0c\x00\x01\x0d\x00\x01\x0b\x0b\x00\x00\x00\x02"
LOGINSUCC = "\x00\x00\x00\x01\x00"
LOGINFAIL = "\x00\x00\x00\x01\x0b"
LOGINACC = "\x00\x00\x00\x01\x0c"
--Returns string in cassandra format for login
--@param username to put in format
--@param password to put in format
--@return str : string in cassandra format for login
function loginstr (username, password)
local str = CASSANDRAREQ .. pack4str ("login")
str = str .. CASSLOGINMAGIC
str = str .. pack4str("username")
str = str .. pack4str(username)
str = str .. pack4str("password")
str = str .. pack4str(password)
str = str .. string.char (0x00, 0x00) -- add two null on the end
return str
return bin.pack("A>aAaaaaA",
CASSANDRAREQ,
"login",
CASSLOGINMAGIC,
"username",
username,
"password",
password,
"\x00\x00" -- add two null on the end
)
end
--Invokes command over socket and returns the response
@@ -61,10 +56,12 @@ end
--@return status : true if ok; false if bad
--@return result : value if status ok, error msg if bad
function cmdstr (command,cnt)
local str = CASSANDRAREQ .. pack4str (command)
str = str .. bin.pack(">I",cnt)
str = str .. string.char (0x00) -- add null on the end
return str
return bin.pack("A>aIA",
CASSANDRAREQ,
command,
cnt,
"\x00" -- add null on the end
)
end
--Invokes command over socket and returns the response
@@ -103,7 +100,7 @@ function sendcmd (socket, command, cnt)
end
-- magic response starts at 5th byte for 4 bytes, 4 byte for length + length of string command
if (string.sub(response,5,8+4+string.len(command)) ~= CASSANDRARESP..pack4str(command)) then
if (string.sub(response,5,8+4+string.len(command)) ~= bin.pack("A>a", CASSANDRARESP, command)) then
return false, "protocol response error"
end
@@ -190,7 +187,7 @@ function login (socket,username,password)
local _, size = bin.unpack(">I", response, 1)
local loginresp = string.sub(response,5,17)
if (loginresp ~= CASSANDRARESP..pack4str("login")) then
if (loginresp ~= bin.pack("A>a", CASSANDRARESP, "login")) then
return false, "protocol error"
end

22
nselib/msrpc.lua
View File

@@ -64,48 +64,48 @@ _ENV = stdnse.module("msrpc", stdnse.seeall)
-- The path, UUID, and version for SAMR
SAMR_PATH = "\\samr"
SAMR_UUID = string.char(0x78, 0x57, 0x34, 0x12, 0x34, 0x12, 0xcd, 0xab, 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0x89, 0xac)
SAMR_UUID = "\x78\x57\x34\x12\x34\x12\xcd\xab\xef\x00\x01\x23\x45\x67\x89\xac"
SAMR_VERSION = 0x01
-- The path, UUID, and version for SRVSVC
SRVSVC_PATH = "\\srvsvc"
SRVSVC_UUID = string.char(0xc8, 0x4f, 0x32, 0x4b, 0x70, 0x16, 0xd3, 0x01, 0x12, 0x78, 0x5a, 0x47, 0xbf, 0x6e, 0xe1, 0x88)
SRVSVC_UUID = "\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88"
SRVSVC_VERSION = 0x03
-- The path, UUID, and version for SPOOLSS
SPOOLSS_PATH = "\\spoolss"
SPOOLSS_UUID = string.char(0x78, 0x56, 0x34, 0x12, 0x34, 0x12, 0xcd, 0xab, 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab)
SPOOLSS_UUID = "\x78\x56\x34\x12\x34\x12\xcd\xab\xef\x00\x01\x23\x45\x67\x89\xab"
SPOOLSS_VERSION = 0x01
-- The path, UUID, and version for LSA
LSA_PATH = "\\lsarpc"
LSA_UUID = string.char(0x78, 0x57, 0x34, 0x12, 0x34, 0x12, 0xcd, 0xab, 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab)
LSA_UUID = "\x78\x57\x34\x12\x34\x12\xcd\xab\xef\x00\x01\x23\x45\x67\x89\xab"
LSA_VERSION = 0
-- The path, UUID, and version for WINREG
WINREG_PATH = "\\winreg"
WINREG_UUID = string.char(0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31, 0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03)
WINREG_UUID = "\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03"
WINREG_VERSION = 1
-- The path, UUID, and version for SVCCTL
SVCCTL_PATH = "\\svcctl"
SVCCTL_UUID = string.char(0x81, 0xbb, 0x7a, 0x36, 0x44, 0x98, 0xf1, 0x35, 0xad, 0x32, 0x98, 0xf0, 0x38, 0x00, 0x10, 0x03)
SVCCTL_UUID = "\x81\xbb\x7a\x36\x44\x98\xf1\x35\xad\x32\x98\xf0\x38\x00\x10\x03"
SVCCTL_VERSION = 2
-- The path, UUID, and version for ATSVC
ATSVC_PATH = "\\atsvc"
ATSVC_UUID = string.char(0x82, 0x06, 0xf7, 0x1f, 0x51, 0x0a, 0xe8, 0x30, 0x07, 0x6d, 0x74, 0x0b, 0xe8, 0xce, 0xe9, 0x8b)
ATSVC_UUID = "\x82\x06\xf7\x1f\x51\x0a\xe8\x30\x07\x6d\x74\x0b\xe8\xce\xe9\x8b"
ATSVC_VERSION = 1
-- UUID and version for epmapper e1af8308-5d1f-11c9-91a4-08002b14a0fa v3.0
EPMAPPER_PATH = "\\epmapper"
EPMAPPER_UUID = string.char(0x08, 0x83, 0xaf, 0xe1, 0x1f, 0x5d, 0xc9, 0x11, 0x91, 0xa4, 0x08, 0x00, 0x2b, 0x14, 0xa0, 0xfa)
EPMAPPER_UUID = "\x08\x83\xaf\xe1\x1f\x5d\xc9\x11\x91\xa4\x08\x00\x2b\x14\xa0\xfa"
EPMAPPER_VERSION = 3
-- This is the only transfer syntax I've seen in the wild, not that I've looked hard. It seems to work well.
TRANSFER_SYNTAX = string.char(0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60)
TRANSFER_SYNTAX = "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60"
-- The 'referent_id' value is ignored, as far as I can tell, so this value is passed for it. No, it isn't random. :)
REFERENT_ID = 0x50414d4e
@@ -4791,7 +4791,7 @@ end
--# 1) RRAS RASRPC INTERFACE
--####################################################################--
ROUTER_PATH = "\\router" --also can be reached across "\\srvsvc" pipe in WinXP
RASRPC_UUID = string.char(0x36, 0x00, 0x61, 0x20, 0x22, 0xfa, 0xcf, 0x11, 0x98, 0x23, 0x00, 0xa0, 0xc9, 0x11, 0xe5, 0xdf)
RASRPC_UUID = "\x36\x00\x61\x20\x22\xfa\xcf\x11\x98\x23\x00\xa0\xc9\x11\xe5\xdf"
RASRPC_VERSION = 1
--####################################################################--
@@ -4934,7 +4934,7 @@ end
--# 1) DNS SERVER MANAGEMENT SERVICE INTERFACE
--####################################################################--
DNSSERVER_UUID_STR = "50abc2a4-574d-40b3-9d66-ee4fd5fba076"
DNSSERVER_UUID = string.char(0xa4, 0xc2,0xab, 0x50, 0x4d, 0x57, 0xb3, 0x40, 0x9d, 0x66, 0xee, 0x4f, 0xd5, 0xfb, 0xa0, 0x76)
DNSSERVER_UUID = "\xa4\xc2\xab\x50\x4d\x57\xb3\x40\x9d\x66\xee\x4f\xd5\xfb\xa0\x76"
DNSSERVER_PATH = "\\DNSSERVER"
DNSSERVER_VERSION = 5

2
nselib/mssql.lua
View File

@@ -1732,7 +1732,7 @@ LoginPacket =
library = "mssql.lua",
locale = "",
database = "master", --nil,
MAC = string.char(0x00,0x00,0x00,0x00,0x00,0x00), -- should contain client MAC, jTDS uses all zeroes
MAC = "\x00\x00\x00\x00\x00\x00", -- should contain client MAC, jTDS uses all zeroes
new = function(self,o)
o = o or {}

29
nselib/mysql.lua
View File

@@ -156,7 +156,7 @@ local function createLoginHash(pass, salt)
local hash_stage1
local hash_stage2
local hash_stage3
local reply = ""
local reply = {}
local pos, b1, b2, b3, _ = 1, 0, 0, 0
if ( not(HAVE_SSL) ) then
@@ -171,10 +171,10 @@ local function createLoginHash(pass, salt)
_, b1 = bin.unpack( "C", hash_stage1, pos )
_, b2 = bin.unpack( "C", hash_stage3, pos )
reply = reply .. string.char( bit.bxor( b2, b1 ) )
reply[pos] = string.char( bit.bxor( b2, b1 ) )
end
return reply
return table.concat(reply)
end
@@ -218,20 +218,21 @@ function loginRequest( socket, params, username, password, salt )
local extcapabilities = ExtCapabilities.SupportsMultipleStatments
extcapabilities = extcapabilities + ExtCapabilities.SupportsMultipleResults
local packet = bin.pack( "S", clicap )
packet = packet .. bin.pack( "S", extcapabilities )
packet = packet .. bin.pack( "I", MAXPACKET )
packet = packet .. bin.pack( "C", Charset.latin1_COLLATE_latin1_swedish_ci )
packet = packet .. bin.pack( "A", string.char(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0) )
packet = packet .. bin.pack( "z", username )
local hash = ""
if ( password ~= nil and password:len() > 0 ) then
local hash = createLoginHash( password, salt )
packet = packet .. bin.pack( "A", string.char( 0x14 ) .. hash )
else
packet = packet .. bin.pack( "C", 0 )
hash = createLoginHash( password, salt )
end
local packet = bin.pack( "SSICAzp",
clicap,
extcapabilities,
MAXPACKET,
Charset.latin1_COLLATE_latin1_swedish_ci,
string.rep("\0", 23),
username,
hash
)
local tmp = packet:len() + bit.lshift( packetno, 24 )
packet = bin.pack( "I", tmp ) .. packet

11
nselib/netbios.lua
View File

@@ -60,24 +60,25 @@ function name_encode(name, scope)
name = string.upper(name)
-- Do the L1 encoding
local L1_encoded = ""
local L1_encoded = {}
for i=1, #name, 1 do
local b = string.byte(name, i)
L1_encoded = L1_encoded .. string.char(bit.rshift(bit.band(b, 0xF0), 4) + 0x41)
L1_encoded = L1_encoded .. string.char(bit.rshift(bit.band(b, 0x0F), 0) + 0x41)
L1_encoded[i*2-1] = string.char(bit.rshift(bit.band(b, 0xF0), 4) + 0x41)
L1_encoded[i*2] = string.char(bit.rshift(bit.band(b, 0x0F), 0) + 0x41)
end
-- Do the L2 encoding
local L2_encoded = string.char(32) .. L1_encoded
local L2_encoded = { string.char(32), table.concat(L1_encoded) }
if scope ~= nil then
-- Split the scope at its periods
local piece
for piece in string.gmatch(scope, "[^.]+") do
L2_encoded = L2_encoded .. string.char(#piece) .. piece
L2_encoded[#L2_encoded+1] = string.char(#piece) .. piece
end
end
L2_encoded = table.concat(L2_encoded)
stdnse.debug3("=> '%s'", L2_encoded)
return L2_encoded
end

6
nselib/smb.lua
View File

@@ -2459,14 +2459,14 @@ function file_upload(host, localfile, share, remotefile, overrides, encoded)
local i = 0
local data = handle:read(chunk)
local new_data = {}
while(data ~= nil and #data > 0) do
if(encoded) then
local new_data = ""
for j = 1, #data, 1 do
new_data = new_data .. string.char(bit.bxor(0xFF, string.byte(data, j)))
new_data[j] = string.char(bit.bxor(0xFF, string.byte(data, j)))
end
data = new_data
data = table.concat(new_data, "", 1, #data)
end
status, err = write_file(smbstate, data, i)

8
scripts/broadcast-dhcp-discover.nse
View File

@@ -67,11 +67,11 @@ end
--
-- @return mac_addr string containing a random MAC
local function randomizeMAC()
local mac_addr = ""
local mac_addr = {}
for j=1, 6 do
mac_addr = mac_addr .. string.char(math.random(1, 255))
mac_addr[j] = string.char(math.random(1, 255))
end
return mac_addr
return table.concat(mac_addr)
end
-- Gets a list of available interfaces based on link and up filters
@@ -143,7 +143,7 @@ action = function()
-- randomizing the MAC could exhaust dhcp servers with small scopes
-- if ran multiple times, so we should probably refrain from doing
-- this?
local mac = string.char(0xDE,0xAD,0xC0,0xDE,0xCA,0xFE)--randomizeMAC()
local mac = "\xDE\xAD\xC0\xDE\xCA\xFE" --randomizeMAC()
local interfaces

82
scripts/db2-das-info.nse
View File

@@ -266,12 +266,12 @@ function create_das_packet( magic, data )
packet.header = {}
packet.header.raw = string.char(0x00, 0x00, 0x00, 0x00, 0x44, 0x42, 0x32, 0x44, 0x41, 0x53, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20)
packet.header.raw = packet.header.raw .. string.char(0x01, 0x04, 0x00, 0x00, 0x00, 0x10, 0x39, 0x7a, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
packet.header.raw = packet.header.raw .. string.char(0x00, 0x00, 0x00, 0x00 )
packet.header.raw = packet.header.raw .. bin.pack("C", magic)
packet.header.raw = packet.header.raw .. bin.pack("S", data_len)
packet.header.raw = packet.header.raw .. string.char(0x00, 0x00)
packet.header.raw = "\x00\x00\x00\x00\x44\x42\x32\x44\x41\x53\x20\x20\x20\x20\x20\x20"
.. "\x01\x04\x00\x00\x00\x10\x39\x7a\x00\x05\x00\x00\x00\x00\x00\x00"
.. "\x00\x00\x00\x00"
.. bin.pack("C", magic)
.. bin.pack("S", data_len)
.. "\x00\x00"
packet.header.data_len = data_len
packet.data = data
@@ -304,7 +304,7 @@ action = function(host, port)
-- ************************************************************************************
-- Transaction block 1
-- ************************************************************************************
local data = string.char(0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4a, 0x00)
local data = "\x00\x00\x00\x0d\x00\x00\x00\x0c\x00\x00\x00\x4a\x00"
--try(socket:send(query))
local db2packet = create_das_packet(0x02, data)
@@ -315,10 +315,10 @@ action = function(host, port)
-- ************************************************************************************
-- Transaction block 2
-- ************************************************************************************
data = string.char(0x00, 0x00, 0x00, 0x2c, 0x00, 0x00, 0x00)
data = data .. string.char(0x0c, 0x00, 0x00, 0x00, 0x08, 0x59, 0xe7, 0x1f, 0x4b, 0x79, 0xf0, 0x90, 0x72, 0x85, 0xe0, 0x8f)
data = data .. string.char(0x3e, 0x38, 0x45, 0x38, 0xe3, 0xe5, 0x12, 0xc4, 0x3b, 0xe9, 0x7d, 0xe2, 0xf5, 0xf0, 0x78, 0xcc)
data = data .. string.char(0x81, 0x6f, 0x87, 0x5f, 0x91)
data = "\x00\x00\x00\x2c\x00\x00\x00"
.. "\x0c\x00\x00\x00\x08\x59\xe7\x1f\x4b\x79\xf0\x90\x72\x85\xe0\x8f"
.. "\x3e\x38\x45\x38\xe3\xe5\x12\xc4\x3b\xe9\x7d\xe2\xf5\xf0\x78\xcc"
.. "\x81\x6f\x87\x5f\x91"
db2packet = create_das_packet(0x05, data)
@@ -328,12 +328,12 @@ action = function(host, port)
-- ************************************************************************************
-- Transaction block 3
-- ************************************************************************************
data = string.char(0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4a, 0x01, 0x00, 0x00, 0x00)
data = data .. string.char(0x10, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00)
data = data .. string.char(0x20, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x04, 0xb8, 0x64, 0x62, 0x32)
data = data .. string.char(0x64, 0x61, 0x73, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x44, 0x73, 0x63, 0x76, 0x00, 0x00, 0x00, 0x00)
data = data .. string.char(0x20, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x04, 0xb8, 0x64, 0x62, 0x32)
data = data .. string.char(0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x44, 0x73, 0x63, 0x76, 0x53, 0x72, 0x76, 0x00)
data = "\x00\x00\x00\x0d\x00\x00\x00\x0c\x00\x00\x00\x4a\x01\x00\x00\x00"
.. "\x10\x00\x00\x00\x0c\x00\x00\x00\x4c\xff\xff\xff\xff\x00\x00\x00"
.. "\x20\x00\x00\x00\x0c\x00\x00\x00\x04\x00\x00\x04\xb8\x64\x62\x32"
.. "\x64\x61\x73\x4b\x6e\x6f\x77\x6e\x44\x73\x63\x76\x00\x00\x00\x00"
.. "\x20\x00\x00\x00\x0c\x00\x00\x00\x04\x00\x00\x04\xb8\x64\x62\x32"
.. "\x4b\x6e\x6f\x77\x6e\x44\x73\x63\x76\x53\x72\x76\x00"
db2packet = create_das_packet(0x0a, data)
send_db2_packet( socket, db2packet )
@@ -342,34 +342,34 @@ action = function(host, port)
-- ************************************************************************************
-- Transaction block 4
-- ************************************************************************************
data = string.char(0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4a, 0x01, 0x00, 0x00, 0x00)
data = data .. string.char(0x20, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03)
data = data .. string.char(0x48, 0x00, 0x00, 0x00, 0x00, 0x4a, 0xfb, 0x42, 0x90, 0x00, 0x00, 0x24, 0x93, 0x00, 0x00, 0x00)
data = data .. string.char(0x10, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00)
data = data .. string.char(0x10, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00)
data = data .. string.char(0x20, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x04, 0xb8, 0x64, 0x62, 0x32)
data = data .. string.char(0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x44, 0x73, 0x63, 0x76, 0x53, 0x72, 0x76, 0x00, 0x00, 0x00, 0x00)
data = data .. string.char(0x20, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x04, 0xb8, 0x64, 0x62, 0x32)
data = data .. string.char(0x64, 0x61, 0x73, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x44, 0x73, 0x63, 0x76, 0x00, 0x00, 0x00, 0x00)
data = data .. string.char(0x0c, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00)
data = data .. string.char(0x0c, 0x00, 0x00, 0x00, 0x4c, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00)
data = data .. string.char(0x0c, 0x00, 0x00, 0x00, 0x4c, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00)
data = data .. string.char(0x0c, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x04, 0xb8, 0x00)
data = "\x00\x00\x00\x0d\x00\x00\x00\x0c\x00\x00\x00\x4a\x01\x00\x00\x00"
.. "\x20\x00\x00\x00\x0c\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x03"
.. "\x48\x00\x00\x00\x00\x4a\xfb\x42\x90\x00\x00\x24\x93\x00\x00\x00"
.. "\x10\x00\x00\x00\x0c\x00\x00\x00\x4c\xff\xff\xff\xff\x00\x00\x00"
.. "\x10\x00\x00\x00\x0c\x00\x00\x00\x4c\xff\xff\xff\xff\x00\x00\x00"
.. "\x20\x00\x00\x00\x0c\x00\x00\x00\x04\x00\x00\x04\xb8\x64\x62\x32"
.. "\x4b\x6e\x6f\x77\x6e\x44\x73\x63\x76\x53\x72\x76\x00\x00\x00\x00"
.. "\x20\x00\x00\x00\x0c\x00\x00\x00\x04\x00\x00\x04\xb8\x64\x62\x32"
.. "\x64\x61\x73\x4b\x6e\x6f\x77\x6e\x44\x73\x63\x76\x00\x00\x00\x00"
.. "\x0c\x00\x00\x00\x0c\x00\x00\x00\x04\x00\x00\x00\x10\x00\x00\x00"
.. "\x0c\x00\x00\x00\x4c\xff\xff\xff\xff\x00\x00\x00\x10\x00\x00\x00"
.. "\x0c\x00\x00\x00\x4c\xff\xff\xff\xff\x00\x00\x00\x11\x00\x00\x00"
.. "\x0c\x00\x00\x00\x04\x00\x00\x04\xb8\x00"
db2packet = create_das_packet(0x06, data)
send_db2_packet( socket, db2packet )
data = string.char( 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x04, 0x00)
data = data .. string.char(0x00, 0x04, 0xb8, 0x64, 0x62, 0x32, 0x64, 0x61, 0x73, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x44, 0x73)
data = data .. string.char(0x63, 0x76, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x04, 0x00)
data = data .. string.char(0x00, 0x04, 0xb8, 0x64, 0x62, 0x32, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x44, 0x73, 0x63, 0x76, 0x53)
data = data .. string.char(0x72, 0x76, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0x00)
data = data .. string.char(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0x00)
data = data .. string.char(0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0x00)
data = data .. string.char(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x08, 0x00)
data = data .. string.char(0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x01, 0x00)
data = data .. string.char(0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x0c, 0x00)
data = data .. string.char(0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x18)
data = "\x00\x00\x00\x20\x00\x00\x00\x0c\x00\x00\x00\x04\x00"
.. "\x00\x04\xb8\x64\x62\x32\x64\x61\x73\x4b\x6e\x6f\x77\x6e\x44\x73"
.. "\x63\x76\x00\x00\x00\x00\x20\x00\x00\x00\x0c\x00\x00\x00\x04\x00"
.. "\x00\x04\xb8\x64\x62\x32\x4b\x6e\x6f\x77\x6e\x44\x73\x63\x76\x53"
.. "\x72\x76\x00\x00\x00\x00\x10\x00\x00\x00\x0c\x00\x00\x00\x4c\x00"
.. "\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x0c\x00\x00\x00\x4c\x00"
.. "\x00\x00\x01\x00\x00\x00\x10\x00\x00\x00\x0c\x00\x00\x00\x4c\x00"
.. "\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x0c\x00\x00\x00\x08\x00"
.. "\x00\x00\x10\x00\x00\x00\x0c\x00\x00\x00\x4c\x00\x00\x00\x01\x00"
.. "\x00\x00\x18\x00\x00\x00\x0c\x00\x00\x00\x08\x00\x00\x00\x0c\x00"
.. "\x00\x00\x0c\x00\x00\x00\x18"
db2packet = create_das_packet(0x06, data)
send_db2_packet( socket, db2packet )

5
scripts/dhcp-discover.nse
View File

@@ -96,10 +96,11 @@ local function go(host, port)
local mac_addr = host.mac_addr_src
if(nmap.registry.args.randomize_mac == 'true' or nmap.registry.args.randomize_mac == '1') then
stdnse.debug2("Generating a random MAC address")
mac_addr = ""
mac_addr = {}
for j=1, 6, 1 do
mac_addr = mac_addr .. string.char(math.random(1, 255))
mac_addr[i] = string.char(math.random(1, 255))
end
mac_addr = table.concat(mac_addr)
end
local iface, err = nmap.get_interface_info(host.interface)

12
scripts/dns-recursion.nse
View File

@@ -29,8 +29,16 @@ portrule = shortport.portnumber(53, "udp")
action = function(host, port)
-- generate dns query, Transaction-ID 0xdead, www.wikipedia.org (type A, class IN)
local request = string.char(0xde, 0xad, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03) .. "www" .. string.char(0x09) .. "wikipedia" .. string.char(0x03) .. "org" .. string.char(0x00, 0x00, 0x01, 0x00, 0x01)
-- generate dns query
local request = "\xde\xad" -- Transaction-ID 0xdead
.. "\x01\x00" -- flags (recursion desired)
.. "\x00\x01" -- 1 question
.. "\x00\x00" -- 0 answers
.. "\x00\x00" -- 0 authority
.. "\x00\x00" -- 0 additional
.. "\x03www\x09wikipedia\x03org\x00" -- www.wikipedia.org.
.. "\x00\x01" -- type A
.. "\x00\x01" -- class IN
local status, result = comm.exchange(host, port, request, {proto="udp"})

12
scripts/http-virustotal.nse
View File

@@ -125,12 +125,12 @@ local function requestFileScan(filename)
local shortfile = filename:match("^.*[\\/](.*)$")
local boundary = "----------------------------nmapboundary"
local header = { ["Content-Type"] = ("multipart/form-data; boundary=%s"):format(boundary) }
local postdata = ("--%s\r\n"):format(boundary)
postdata = postdata .. "Content-Disposition: form-data; name=\"apikey\"\r\n\r\n"
postdata = postdata .. arg_apiKey .. "\r\n"
postdata = postdata .. ("--%s\r\n" ..
"Content-Disposition: form-data; name=\"file\"; filename=\"%s\"\r\n" ..
"Content-Type: text/plain\r\n\r\n%s\r\n--%s--\r\n"):format(boundary, shortfile, str, boundary)
local postdata = ("--%s\r\n"
.. 'Content-Disposition: form-data; name="apikey"\r\n\r\n'
.. "%s\r\n"
.. "--%s\r\n"
.. 'Content-Disposition: form-data; name="file"; filename="%s"\r\n'
.. "Content-Type: text/plain\r\n\r\n%s\r\n--%s--\r\n"):format(boundary, arg_apiKey, boundary, shortfile, str, boundary)
local host = "www.virustotal.com"
local port = { number = 80, protocol = "tcp" }

6
scripts/irc-brute.nse
View File

@@ -89,11 +89,7 @@ Driver = {
}
local function random_nick()
local nick = ""
for i = 0, 8, 1 do
nick = nick .. string.char(math.random(97, 122)) -- lowercase ascii
end
return nick
return stdnse.generate_random_string(9, "abcdefghijklmnopqrstuvwxyz")
end
local function needsPassword(host, port)

2
scripts/ldap-brute.nse
View File

@@ -139,7 +139,7 @@ action = function( host, port )
local clock_start = nmap.clock_ms()
local ldap_anonymous_bind = string.char( 0x30, 0x0c, 0x02, 0x01, 0x01, 0x60, 0x07, 0x02, 0x01, 0x03, 0x04, 0x00, 0x80, 0x00 )
local ldap_anonymous_bind = "\x30\x0c\x02\x01\x01\x60\x07\x02\x01\x03\x04\x00\x80\x00"
local socket, _, opt = comm.tryssl( host, port, ldap_anonymous_bind, nil )
local base_dn = stdnse.get_script_args('ldap.base')

2
scripts/ldap-rootdse.nse
View File

@@ -105,7 +105,7 @@ function action(host,port)
-- In order to discover what protocol to use (SSL/TCP) we need to send a few bytes to the server
-- An anonymous bind should do it
local ldap_anonymous_bind = string.char( 0x30, 0x0c, 0x02, 0x01, 0x01, 0x60, 0x07, 0x02, 0x01, 0x03, 0x04, 0x00, 0x80, 0x00 )
local ldap_anonymous_bind = "\x30\x0c\x02\x01\x01\x60\x07\x02\x01\x03\x04\x00\x80\x00"
local _
socket, _, opt = comm.tryssl( host, port, ldap_anonymous_bind, nil )

2
scripts/ldap-search.nse
View File

@@ -120,7 +120,7 @@ function action(host,port)
-- In order to discover what protocol to use (SSL/TCP) we need to send a few bytes to the server
-- An anonymous bind should do it
local ldap_anonymous_bind = string.char( 0x30, 0x0c, 0x02, 0x01, 0x01, 0x60, 0x07, 0x02, 0x01, 0x03, 0x04, 0x00, 0x80, 0x00 )
local ldap_anonymous_bind = "\x30\x0c\x02\x01\x01\x60\x07\x02\x01\x03\x04\x00\x80\x00"
local _
socket, _, opt = comm.tryssl( host, port, ldap_anonymous_bind, nil )

12
scripts/nping-brute.nse
View File

@@ -34,14 +34,6 @@ categories = {"brute", "intrusive"}
portrule = shortport.port_or_service(9929, "nping-echo")
local function randombytes(x)
local bytes = ""
for i = 1, x do
bytes = bytes .. bin.pack("C", math.random(0x00, 0xff))
end
return bytes
end
local function readmessage(socket, length)
local msg = ""
while #msg < length do
@@ -103,8 +95,8 @@ Driver =
local NEP_CLIENT_MAC_ID = "NEPkeyforMACClient2Server"
local now = nmap.clock()
local seqb = randombytes(4)
local cnonce = randombytes(32)
local seqb = openssl.rand_bytes(4)
local cnonce = openssl.rand_bytes(32)
local nonce = snonce .. cnonce
local enckey = self:nepkey(password, nonce, NEP_CLIENT_CIPHER_ID)
local mackey = self:nepkey(password, nonce, NEP_CLIENT_MAC_ID)

25
scripts/ntp-monlist.nse
View File

@@ -250,16 +250,15 @@ function getPrivateMode(impl, requestCode)
-- Request Code 8bits: e.g. 0x2a (MON_GETLIST_1)
-- Err 4bits: 0, Number of Data Items 12bits: 0
-- MBZ 4bits: 0, Size of Data Items 12bits: 0
pay = string.char(
return string.char(
0x17, 0x00, impl or 0x03, requestCode or 0x2a,
0x00, 0x00, 0x00, 0x00
)
-- Data 40 Octets: 0
pay = pay .. string.char(0x00):rep(40)
.. string.char(0x00):rep(40)
-- The following are optional if the Authenticated bit is set:
-- Encryption Keyid 4 Octets: 0
-- Message Authentication Code 16 Octets (MD5): 0
return pay
end
@@ -495,16 +494,16 @@ function make_udp_packet(response)
-- dummy headers
-- ip
local dh = string.char(0x45, 0x00)
dh = dh .. bin.pack('S', iplen)
dh = dh .. string.char(
0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-- udp
0x00, 0x00, 0x00, 0x00
)
dh = dh .. bin.pack('S', udplen)
dh = dh .. string.char(0x00, 0x00)
local dh = "\x45\x00" -- IPv4, 20-byte header, no DSCP, no ECN
.. bin.pack('>S', iplen) -- total length
.. "\x00\x00" -- IPID 0
.. "\x40\x00" -- DF
.. "\x40\x11" -- TTL 0x40, UDP (proto 17)
.. "\x00\x00" -- checksum 0
.. "\x00\x00\x00\x00\x00\x00\x00\x00" -- Source, destination 0.0.0.0
.. "\x00\x00\x00\x00" -- UDP source, dest port 0
.. bin.pack('S', udplen) -- UDP length
.. "\x00\x00" -- UDP checksum 0
return packet.Packet:new(dh .. response, iplen)

6
scripts/p2p-conficker.nse
View File

@@ -301,7 +301,7 @@ end
--@return The encrypted (or decrypted) data.
local function p2p_cipher(packet, key1, key2)
local i
local buf = ""
local buf = {}
for i = 1, #packet, 1 do
-- Do a 64-bit rotate on key1:key2
@@ -311,7 +311,7 @@ local function p2p_cipher(packet, key1, key2)
local k = bit.band(key1, 0x0FF)
-- Xor the current character and add it to the encrypted buffer
buf = buf .. string.char(bit.bxor(string.byte(packet, i), k))
buf[i] = string.char(bit.bxor(string.byte(packet, i), k))
-- Update the key with 'k'
key1 = key1 + k
@@ -323,7 +323,7 @@ local function p2p_cipher(packet, key1, key2)
end
end
return buf
return table.concat(buf)
end
---Decrypt the packet, verify it, and parse it. This function will fail with an error if the packet can't be

30
scripts/smb-check-vulns.nse
View File

@@ -357,21 +357,21 @@ local function check_smbv2_dos(host)
end
-- From http://seclists.org/fulldisclosure/2009/Sep/0039.html with one change on the last line.
local buf = string.char(0x00, 0x00, 0x00, 0x90) .. -- Begin SMB header: Session message
string.char(0xff, 0x53, 0x4d, 0x42) .. -- Server Component: SMB
string.char(0x72, 0x00, 0x00, 0x00) .. -- Negociate Protocol
string.char(0x00, 0x18, 0x53, 0xc8) .. -- Operation 0x18 & sub 0xc853
string.char(0x00, 0x26) .. -- Process ID High: --> :) normal value should be ", 0x00, 0x00"
string.char(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xfe) ..
string.char(0x00, 0x00, 0x00, 0x00, 0x00, 0x6d, 0x00, 0x02, 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54) ..
string.char(0x57, 0x4f, 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52, 0x41, 0x4d, 0x20, 0x31) ..
string.char(0x2e, 0x30, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e, 0x30, 0x00) ..
string.char(0x02, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x73, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x57) ..
string.char(0x6f, 0x72, 0x6b, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x20, 0x33, 0x2e, 0x31, 0x61) ..
string.char(0x00, 0x02, 0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58, 0x30, 0x30, 0x32, 0x00, 0x02, 0x4c) ..
string.char(0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4e, 0x54, 0x20, 0x4c) ..
string.char(0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32, 0x00, 0x02, 0x53, 0x4d, 0x42, 0x20, 0x32, 0x2e) ..
string.char(0x30, 0x30, 0x32, 0x00)
local buf = "\x00\x00\x00\x90" .. -- Begin SMB header: Session message
"\xff\x53\x4d\x42" .. -- Server Component: SMB
"\x72\x00\x00\x00" .. -- Negociate Protocol
"\x00\x18\x53\xc8" .. -- Operation 0x18 & sub 0xc853
"\x00\x26" .. -- Process ID High: --> :) normal value should be "\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe" ..
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54" ..
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31" ..
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00" ..
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57" ..
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61" ..
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c" ..
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c" ..
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e" ..
"\x30\x30\x32\x00"
local socket = nmap.new_socket()
if(socket == nil) then

11
scripts/smb-psexec.nse
View File

@@ -824,10 +824,11 @@ local function get_config(host, config)
elseif(nmap.registry.args.key) then
config.key = nmap.registry.args.key
else
config.key = ""
local tmp = {}
for i = 1, 127, 1 do
config.key = config.key .. string.char(math.random(0x20, 0x7F))
tmp[i] = string.char(math.random(0x20, 0x7F))
end
config.key = table.concat(tmp)
config.key_index = 0
end
@@ -1044,7 +1045,7 @@ end
--@args config The config file for this host (stores the encryption key).
--@return The decrypted string.
local function cipher(str, config)
local result = ""
local result = {}
if(config.key == "") then
return str
end
@@ -1056,10 +1057,10 @@ local function cipher(str, config)
config.key_index = config.key_index + 1
config.key_index = config.key_index % #config.key
result = result .. c
result[i] = c
end
return result
return table.concat(result)
end
local function get_overrides()

20
scripts/sniffer-detect.nse
View File

@@ -101,20 +101,20 @@ action = function(host)
pcap:pcap_open(host.interface, 64, false, "arp")
local test_static = host.mac_addr_src ..
string.char(0x08,0x06, 0x00,0x01, 0x08,0x00, 0x06,0x04, 0x00,0x01) ..
"\x08\x06\x00\x01\x08\x00\x06\x04\x00\x01" ..
host.mac_addr_src ..
host.bin_ip_src ..
string.char(0x00,0x00, 0x00,0x00, 0x00,0x00) ..
"\x00\x00\x00\x00\x00\x00" ..
host.bin_ip
local t = {
string.char(0xff,0xff, 0xff,0xff, 0xff,0xff), -- B32 no meaning?
string.char(0xff,0xff, 0xff,0xff, 0xff,0xfe), -- B31
string.char(0xff,0xff, 0x00,0x00, 0x00,0x00), -- B16
string.char(0xff,0x00, 0x00,0x00, 0x00,0x00), -- B8
string.char(0x01,0x00, 0x00,0x00, 0x00,0x00), -- G
string.char(0x01,0x00, 0x5e,0x00, 0x00,0x00), -- M0
string.char(0x01,0x00, 0x5e,0x00, 0x00,0x01), -- M1 no meaning?
string.char(0x01,0x00, 0x5e,0x00, 0x00,0x03), -- M3
"\xff\xff\xff\xff\xff\xff", -- B32 no meaning?
"\xff\xff\xff\xff\xff\xfe", -- B31
"\xff\xff\x00\x00\x00\x00", -- B16
"\xff\x00\x00\x00\x00\x00", -- B8
"\x01\x00\x00\x00\x00\x00", -- G
"\x01\x00\x5e\x00\x00\x00", -- M0
"\x01\x00\x5e\x00\x00\x01", -- M1 no meaning?
"\x01\x00\x5e\x00\x00\x03", -- M3
}
local v
local out = ""

38
scripts/sslv2.nse
View File

@@ -144,26 +144,24 @@ action = function(host, port)
-- build client hello packet (contents inspired by
-- http://mail.nessus.org/pipermail/plugins-writers/2004-October/msg00041.html )
local t = {};
table.insert(t, string.char(0x80, 0x31));
table.insert(t, string.char(0x01));
table.insert(t, string.char(0x00, 0x02));
table.insert(t, string.char(0x00, 0x18));
table.insert(t, string.char(0x00, 0x00));
table.insert(t, string.char(0x00, 0x10));
table.insert(t, string.char(0x07, 0x00, 0xc0));
table.insert(t, string.char(0x05, 0x00, 0x80));
table.insert(t, string.char(0x03, 0x00, 0x80));
table.insert(t, string.char(0x01, 0x00, 0x80));
table.insert(t, string.char(0x08, 0x00, 0x80));
table.insert(t, string.char(0x06, 0x00, 0x40));
table.insert(t, string.char(0x04, 0x00, 0x80));
table.insert(t, string.char(0x02, 0x00, 0x80));
table.insert(t, string.char(0xe4, 0xbd, 0x00, 0x00));
table.insert(t, string.char(0xa4, 0x41, 0xb6, 0x74));
table.insert(t, string.char(0x71, 0x2b, 0x27, 0x95));
table.insert(t, string.char(0x44, 0xc0, 0x3d, 0xc0));
ssl_v2_hello = table.concat(t, "")
ssl_v2_hello = "\x80\x31"
.. "\x01"
.. "\x00\x02"
.. "\x00\x18"
.. "\x00\x00"
.. "\x00\x10"
.. "\x07\x00\xc0"
.. "\x05\x00\x80"
.. "\x03\x00\x80"
.. "\x01\x00\x80"
.. "\x08\x00\x80"
.. "\x06\x00\x40"
.. "\x04\x00\x80"
.. "\x02\x00\x80"
.. "\xe4\xbd\x00\x00"
.. "\xa4\x41\xb6\x74"
.. "\x71\x2b\x27\x95"
.. "\x44\xc0\x3d\xc0"
socket:connect(host, port, "tcp");
socket:send(ssl_v2_hello);

2
scripts/stuxnet-detect.nse
View File

@@ -35,7 +35,7 @@ categories = {"discovery", "intrusive"}
local STUXNET_PATHS = {"\\\\browser", "\\\\ntsvcs", "\\\\pipe\\browser", "\\\\pipe\\ntsvcs"}
local STUXNET_UUID = string.char(0xe1, 0x04, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46)
local STUXNET_UUID = "\xe1\x04\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
local STUXNET_VERSION = 0x01
local RPC_GET_VERSION = 0x00

10
scripts/targets-ipv6-multicast-invalid-dst.nse
View File

@@ -45,12 +45,8 @@ local function build_invalid_extension_header(nxt_hdr)
-- bits; that instructs the receiver to send a Parameter Problem.
-- Option type 0x80 is unallocated; see
-- http://www.iana.org/assignments/ipv6-parameters/.
local ex_invalid_opt = string.char(0x80,0x01,0x00,0x00,0x00,0x00)
local ext_header =
string.char(nxt_hdr) .. --next header
string.char(0) .. -- length 8
ex_invalid_opt
return ext_header
return string.char(nxt_hdr, 0) .. --next header, length 8
"\x80\x01\x00\x00\x00\x00"
end
local function get_interfaces()
@@ -117,7 +113,7 @@ local function single_interface_broadcast(if_nfo, results)
probe.icmpv6_type = 254
probe.icmpv6_code = 0
-- Add a non-empty payload too.
probe.icmpv6_payload = string.char(0x00, 0x00, 0x00, 0x00)
probe.icmpv6_payload = "\x00\x00\x00\x00"
probe:build_icmpv6_header()
probe.exheader = build_invalid_extension_header(packet.IPPROTO_ICMPV6)

33
scripts/tftp-enum.nse
View File

@@ -155,39 +155,8 @@ local check_file_present = function(host, port, filename)
return FILE_NOT_FOUND
end
--- Generates a random string of the requested length. This can be used to check how hosts react to
-- weird username/password combinations.
-- @param length (optional) The length of the string to return. Default: 8.
-- @param set (optional) The set of letters to choose from. Default: upper, lower, numbers, and underscore.
-- @return The random string.
local function get_random_string(length, set)
if (length == nil) then
length = 8
end
if (set == nil) then
set = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"
end
local str = ""
-- Seed the random number, if we haven't already
if (not (nmap.registry.oracle_enum_users) or not (nmap.registry.oracle_enum_users.seeded)) then
math.randomseed(os.time())
nmap.registry.oracle_enum_users = {}
nmap.registry.oracle_enum_users.seeded = true
end
for i = 1, length, 1 do
local random = math.random(#set)
str = str .. string.sub(set, random, random)
end
return str
end
local check_open_tftp = function(host, port)
local random_name = get_random_string()
local random_name = stdnse.generate_random_string(8, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_")
local ret_value = check_file_present(host, port, random_name)
if (ret_value == FILE_FOUND or ret_value == FILE_NOT_FOUND) then
return true