mirror of https://github.com/nmap/nmap.git synced 2025-12-06 12:41:29 +00:00

Remove script ids. Scripts are identified by file name in output (just the

basename without ".nse", or the full path with debugging level 2 or higher).
This includes documentation changes in scripting.xml.
This commit is contained in:
david
2008-11-05 00:52:55 +00:00
parent c72fb10acc
commit 4863d506c1
53 changed files with 164 additions and 222 deletions

View File

@@ -145,11 +145,11 @@ The reference manual is also
on the other hand, run no more than once against each target IP on the other hand, run no more than once against each target IP
and produce results below the port table. <xref and produce results below the port table. <xref
linkend="nse-ex1" xrefstyle="select: label nopage"/> shows a typical script scan. Examples of linkend="nse-ex1" xrefstyle="select: label nopage"/> shows a typical script scan. Examples of
service scripts producing output are: <literal>SSH protocol service scripts producing output are:
version 1</literal>, saying that SSH-1 is supported; <literal>SSHv1-support.nse</literal>, saying that SSH-1 is supported;
and <literal>HTML Title</literal>, and <literal>showHTMLTitle.nse</literal>,
which simply grabs the title of the root path of any web servers which simply grabs the title of the root path of any web servers
found. A sample host script is <literal>RIPE Query</literal>, found. A sample host script is <literal>ripeQuery.nse</literal>,
which looks up and reports target IP ownership which looks up and reports target IP ownership
information.<indexterm><primary>script names, examples of</primary></indexterm> information.<indexterm><primary>script names, examples of</primary></indexterm>
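Review bot: the three examples are now spelled with the ".nse" suffix (SSHv1-support.nse, showHTMLTitle.nse, ripeQuery.nse) while the sample output in the -164 hunk below labels them SSHv1-support, showHTMLTitle and ripeQuery. Add a half sentence saying that the suffix is stripped in the output, or give the examples in the suffix-less form the user will actually see, so nobody goes looking for ".nse" in the port table.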
@@ -164,14 +164,14 @@ Starting Nmap ( http://nmap.org )
Interesting ports on localhost (127.0.0.1): Interesting ports on localhost (127.0.0.1):
PORT STATE SERVICE PORT STATE SERVICE
22/tcp open ssh 22/tcp open ssh
|_ SSH protocol version 1: Server supports SSHv1 |_ SSHv1-support: Server supports SSHv1
23/tcp closed telnet 23/tcp closed telnet
80/tcp open http 80/tcp open http
|_ HTML title:Test Page for Apache Installation |_ showHTMLTitle: Test Page for Apache Installation
113/tcp closed auth 113/tcp closed auth
Host script results: Host script results:
|_ RIPE Query: IP belongs to: Internet Assigned Numbers Authority |_ ripeQuery: IP belongs to: Internet Assigned Numbers Authority
Nmap done: 1 IP address (1 host up) scanned in 0.91 seconds Nmap done: 1 IP address (1 host up) scanned in 0.91 seconds
</screen> </screen>
@@ -223,9 +223,10 @@ Nmap done: 1 IP address (1 host up) scanned in 0.91 seconds
remote sysadmins. Of course (as with all other Nmap remote sysadmins. Of course (as with all other Nmap
features) we cannot guarantee that they won't ever cause features) we cannot guarantee that they won't ever cause
adverse reactions. Most of these perform general adverse reactions. Most of these perform general
network discovery. Examples are SSH-hostkey (gets an SSH network discovery. Examples are
host key) and showHTMLTitle (grabs the <literal>SSH-hostkey.nse</literal> (gets an SSH host key) and
title from a web page).</para> <literal>showHTMLTitle.nse</literal> (grabs the title from a
web page).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -518,8 +519,8 @@ $ nmap -sC --script-args user=foo,pass=bar,anonFTP={pass=ftp@foobar.com}
inside your script as inside your script as
<literal>local username= nmap.registry.args.user</literal>. <literal>local username= nmap.registry.args.user</literal>.
As a general rule the subtables used to override As a general rule the subtables used to override
options for scripts should be named as the script's options for scripts should be named after the script,
<literal>id</literal>, otherwise scripts won't know where to otherwise scripts won't know where to
retrieve their arguments. retrieve their arguments.
</para> </para>
</sect2> </sect2>
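Review bot: "named after the script" is ambiguous now that there is no id field to name it after. Say explicitly that the subtable is named after the script's file name without the ".nse" extension, which is what the anonFTP={pass=ftp@foobar.com} example in the command line above relies on; otherwise a reader could reasonably try "anonFTP.nse" or the full path.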
@@ -559,21 +560,8 @@ $ nmap -sC --script-args user=foo,pass=bar,anonFTP={pass=ftp@foobar.com}
</sect1> </sect1>
<sect1 id="nse-script-format"> <sect1 id="nse-script-format">
<title>Script Format</title> <title>Script Format</title>
<para>NSE scripts consist of six descriptive fields along with either a port or host rule defining when the script should be executed and an action block containing the actual script instructions. Values can be assigned to these fields just as you would assign any other Lua variables. Their names must be lowercase as shown here.</para> <para>NSE scripts consist of five descriptive fields along with either a port or host rule defining when the script should be executed and an action block containing the actual script instructions. Values can be assigned to these fields just as you would assign any other Lua variables. Their names must be lowercase as shown here.</para>
<sect2 id="nse-format-id">
<title><literal>id</literal> Field</title>
<indexterm><primary sortas="id script variable">&ldquo;<varname>id</varname>&rdquo; script variable</primary></indexterm>
<para>
The script's <literal>id</literal> field is displayed in the Nmap output
table if the script produces any output. It should be unique so users
can identify exactly which script file produced a message. IDs
should be kept short to conserve space in Nmap output, while
still being meaningful enough for users to recognize. Some
good examples are <literal>RIPE query</literal>, <literal>HTML
title</literal>, and <literal>Kibuv worm</literal>.<indexterm><primary>script names, examples of</primary></indexterm>
</para>
</sect2>
<sect2 id="nse-format-description"> <sect2 id="nse-format-description">
<title><literal>description</literal> Field</title> <title><literal>description</literal> Field</title>
<indexterm><primary sortas="description script variable">&ldquo;<varname>description</varname>&rdquo; script variable</primary></indexterm> <indexterm><primary sortas="description script variable">&ldquo;<varname>description</varname>&rdquo; script variable</primary></indexterm>
@@ -686,7 +674,7 @@ or <literal>unfiltered</literal><indexterm><primary><literal>unfiltered</literal
The action is the heart of an NSE script. It contains all of the The action is the heart of an NSE script. It contains all of the
instructions to be executed when the script's port or host rule instructions to be executed when the script's port or host rule
triggers. It is a Lua function which accepts the same arguments as the triggers. It is a Lua function which accepts the same arguments as the
rule and can return either <literal>nil</literal> or a string. If a string is returned by a service script, the string and script ID are printed in the Nmap port table output. A string returned by a host script is printed below the port table. No output is produced if the rule and can return either <literal>nil</literal> or a string. If a string is returned by a service script, the string and script's filename are printed in the Nmap port table output. A string returned by a host script is printed below the port table. No output is produced if the
script returns <literal>nil</literal>. For an example of an NSE script returns <literal>nil</literal>. For an example of an NSE
action refer to <xref linkend="nse-tutorial-action"/>. action refer to <xref linkend="nse-tutorial-action"/>.
</para> </para>
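Review bot: "the script's filename" understates what is printed. Per the commit message and abbreviate_script_filename() in nse_main.cc, the label is the basename with the ".nse" extension removed, and only with debugging level 2 or higher is the full path shown. This is the paragraph users will read to understand the label in the port table, so spell that out here rather than leaving it to the commit message.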
@@ -1252,8 +1240,8 @@ socket:close()
on an object. Threads waiting to work on this object are put in the on an object. Threads waiting to work on this object are put in the
waiting queue until they can get a "lock" on the mutex. A solution for waiting queue until they can get a "lock" on the mutex. A solution for
the <literal>whois.nse</literal> problem above is to have each thread the <literal>whois.nse</literal> problem above is to have each thread
block on a mutex for <xref linkend="nse-format-id">script's ID field block on a mutex using a common string,
</xref>, thus ensuring only one thread is working so its results can thus ensuring only one thread is working so its results can
be shared with other scripts which may not need to run and so queries be shared with other scripts which may not need to run and so queries
to the whois servers are staggered. to the whois servers are staggered.
</para> </para>
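Review bot: "a common string" is vaguer than the text it replaces, which told the reader exactly which value to use as the mutex key. State that every thread of the script must pass the same literal string to nmap.mutex (the script's file name without ".nse" is the obvious choice), and that the string should be unique across scripts unless sharing the lock is intended, since the id field no longer exists to guarantee that uniqueness.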
@@ -1317,9 +1305,7 @@ socket:close()
<example id="nse-mutex-handling"> <example id="nse-mutex-handling">
<title>Mutex manipulation</title> <title>Mutex manipulation</title>
<programlisting> <programlisting>
id = "My Script's Unique ID"; local mutex = nmap.mutex("My Script's Unique ID");
local mutex = nmap.mutex(id);
function action(host, port) function action(host, port)
mutex "lock"; mutex "lock";
-- do stuff -- do stuff
@@ -1480,27 +1466,16 @@ try(socket:send(result))
The head of the script is essentially its meta information. This The head of the script is essentially its meta information. This
includes the includes the
fields: <literal>id</literal>, <literal>description</literal>, <literal>categories</literal>, <literal>runlevel</literal>, <literal>author</literal> fields: <literal>description</literal>, <literal>categories</literal>, <literal>runlevel</literal>, <literal>author</literal>
and <literal>license</literal>. We are not going to change the and <literal>license</literal>. We are not going to change the
run level, or worry about the author and license fields for now. run level, or worry about the author and license fields for now.
The <literal>id</literal> of a script should uniquely identify
it. If it is absent, the path to the script will be used as an
id. We recommend to choose an id which concisely identifies the
purpose of the script, since the ID is printed before the
script's results in Nmap output.
</para> </para>
<para> <para>
<indexterm><primary sortas="Service Owner script">&ldquo;<literal>Service Owner</literal>&rdquo; script</primary></indexterm>
<indexterm><primary sortas="id script variable">&ldquo;<varname>id</varname>&rdquo; script variable</primary></indexterm>
<programlisting>
id = "Service owner"
</programlisting>
</para>
<para>
The description field should contain a sentence or two describing what the script does. If anything about the script results might confuse or mislead users, and you can't eliminate the issue by improving the script or results text, it should be documented in the <literal>description</literal> string. The description field should contain a sentence or two describing what the script does. If anything about the script results might confuse or mislead users, and you can't eliminate the issue by improving the script or results text, it should be documented in the <literal>description</literal> string.
</para> </para>
<para> <para>
<indexterm><primary><filename>showOwner.nse</filename></primary></indexterm>
<indexterm><primary sortas="description script variable">&ldquo;<varname>description</varname>&rdquo; script variable</primary></indexterm> <indexterm><primary sortas="description script variable">&ldquo;<varname>description</varname>&rdquo; script variable</primary></indexterm>
<programlisting> <programlisting>
description = [[ description = [[
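Review bot: the indexterm for <filename>showOwner.nse</filename> is dropped together with the "Service Owner" script indexterm, but only the latter is made obsolete by removing the id. The finger example later in this patch does the opposite and replaces its id indexterm with a <filename>finger.nse</filename> entry, so keep the showOwner.nse entry here unless an identical filename indexterm already exists elsewhere in this section.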
@@ -1787,7 +1762,6 @@ local localip, localport = try(client_service:get_info())
<example id="nse-documentation-script"> <example id="nse-documentation-script">
<title>An NSEDoc comment for a script</title> <title>An NSEDoc comment for a script</title>
<programlisting> <programlisting>
id = "AS Numbers"
description = [[ description = [[
Maps IP addresses to autonomous system (AS) numbers. Maps IP addresses to autonomous system (AS) numbers.
@@ -1997,7 +1971,6 @@ categories = {"discovery", "external"}
</para> </para>
<programlisting> <programlisting>
id = "Skype v2"
description = [[ description = [[
Detects the Skype version 2 service. Detects the Skype version 2 service.
]] ]]
@@ -2079,18 +2052,16 @@ end
<sect1 id="nse-example-scripts"> <sect1 id="nse-example-scripts">
<title>Example Script</title> <title>Example Script</title>
<indexterm><primary sortas="Finger Results script">&ldquo;<literal>Finger Results</literal>&rdquo; script</primary></indexterm> <indexterm><primary><filename>finger.nse</filename></primary></indexterm>
<para>The finger script (<filename>finger.nse</filename>) is a perfect <para>The finger script (<filename>finger.nse</filename>) is a perfect
example of how short typical NSE scripts are. example of how short typical NSE scripts are.
</para> </para>
<para>First the information fields are filled out, note that the <para>First the information fields are filled out.
<literal>id</literal> field is kept short, this is important since it is A detailed description of what the script
printed in Nmap's output. A detailed description of what the script
actually does should go in the <literal>description</literal> field.</para> actually does should go in the <literal>description</literal> field.</para>
<programlisting> <programlisting>
id = "Finger Results"<indexterm><primary sortas="id script variable">&ldquo;<varname>id</varname>&rdquo; script variable</primary></indexterm>
description = [[ description = [[
Attempts to get a list of usernames via the finger service. Attempts to get a list of usernames via the finger service.
]]<indexterm><primary sortas="description script variable">&ldquo;<varname>description</varname>&rdquo; script variable</primary></indexterm> ]]<indexterm><primary sortas="description script variable">&ldquo;<varname>description</varname>&rdquo; script variable</primary></indexterm>
@@ -2275,7 +2246,7 @@ thread running against a host will have only a hostrule passed to the action clo
a thread running against a port will have both a hostrule and portrule passed. Each thread a thread running against a port will have both a hostrule and portrule passed. Each thread
is stored with information relevant to the thread. This information is stored with information relevant to the thread. This information
includes the runlevel, target, target port (if applicable), host and port tables includes the runlevel, target, target port (if applicable), host and port tables
(passed to action), its type (running against a host or port), and its id. (passed to action), and its type (running against a host or port).
The mainloop function will work on each runlevel grouping of threads in order. The mainloop function will work on each runlevel grouping of threads in order.
</para> </para>

View File

@@ -1,6 +1,7 @@
#include "nse_main.h" #include "nse_main.h"
#include "nse_init.h" #include "nse_init.h"
#include "nse_fs.h"
#include "nse_nsock.h" #include "nse_nsock.h"
#include "nse_nmaplib.h" #include "nse_nmaplib.h"
#include "nse_debug.h" #include "nse_debug.h"
@@ -535,27 +536,47 @@ int process_waiting2running(lua_State* L, int resume_arguments) {
return SCRIPT_ENGINE_SUCCESS; return SCRIPT_ENGINE_SUCCESS;
} }
/* Tries to get the script id and store it in the script scan result structure /* Gets the basename of a script filename and removes any ".nse" extension. */
* if no 'id' field is found, the filename field is used which we set in the static char *abbreviate_script_filename(const char *filename) {
* setup phase. If someone changed the filename field to a nonstring we complain char *abbrev;
* */
abbrev = path_get_basename(filename);
if (abbrev == NULL)
return NULL;
if (nse_check_extension(SCRIPT_ENGINE_EXTENSION, abbrev)) {
abbrev[strlen(abbrev) - strlen(SCRIPT_ENGINE_EXTENSION)] = '\0';
}
return abbrev;
}
/* Tries to get the script id and store it in the script scan result structure.
* If someone changed the filename field to a nonstring we complain. */
int process_getScriptId(lua_State* L, ScriptResult *sr) { int process_getScriptId(lua_State* L, ScriptResult *sr) {
const char *filename;
lua_getfield(L, 1, ID);
lua_getfield(L, 1, FILENAME); lua_getfield(L, 1, FILENAME);
filename = lua_tostring(L, -1);
if(lua_isstring(L, -2)) { if (filename == NULL) {
sr->set_id(lua_tostring (L, -2)); error("%s: The script's 'filename' entry was changed to:",
} else if(lua_isstring(L, -1)) {
sr->set_id(lua_tostring (L, -1));
} else {
error("%s: The script has no 'id' entry, the 'filename' entry was changed to:",
SCRIPT_ENGINE); SCRIPT_ENGINE);
l_dumpValue(L, -1); l_dumpValue(L, -1);
return SCRIPT_ENGINE_ERROR; return SCRIPT_ENGINE_ERROR;
} }
lua_pop(L, 1);
lua_pop(L, 2); if (o.debugging > 1) {
sr->set_id(filename);
} else {
/* Abbreviate the filename with low or no debugging. */
char *id = abbreviate_script_filename(filename);
if (id == NULL) {
sr->set_id(filename);
} else {
sr->set_id(id);
free(id);
}
}
return SCRIPT_ENGINE_SUCCESS; return SCRIPT_ENGINE_SUCCESS;
} }
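Review bot: the error path in process_getScriptId returns with the value pushed by lua_getfield(L, 1, FILENAME) still on the stack; pop it after l_dumpValue() and before `return SCRIPT_ENGINE_ERROR;` so callers see a balanced stack (the old code leaked two values on the same path, but the function is being rewritten, so fix it now). On the success path, `lua_pop(L, 1)` is followed by further use of `filename`; that is only safe because the script table at index 1 still references the string, and a one-line comment saying so would save the next reader a GC worry. Finally, the function name and the comment above it still speak of a "script id" although ids no longer exist; either rename the function or reword the comment to say the id is now derived from the filename.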

View File

@@ -1,4 +1,3 @@
id = "AS Numbers"
description = [[ description = [[
Maps IP addresses to autonomous system (AS) numbers. Maps IP addresses to autonomous system (AS) numbers.
@@ -27,7 +26,7 @@ server (your default DNS server, or whichever you specified with the
-- @args dns The address of a recursive nameserver to use (optional). -- @args dns The address of a recursive nameserver to use (optional).
-- @output -- @output
-- Host script results: -- Host script results:
-- | AS Numbers: -- | ASN:
-- | BGP: 64.13.128.0/21 | Country: US -- | BGP: 64.13.128.0/21 | Country: US
-- | Origin AS: 10565 SVCOLO-AS - Silicon Valley Colocation, Inc. -- | Origin AS: 10565 SVCOLO-AS - Silicon Valley Colocation, Inc.
-- | Peer AS: 3561 6461 -- | Peer AS: 3561 6461
@@ -48,7 +47,7 @@ local ipOps = require "ipOps"
local stdnse = require "stdnse" local stdnse = require "stdnse"
local mutex = nmap.mutex( id ) local mutex = nmap.mutex( "ASN" )
if not nmap.registry.asn then if not nmap.registry.asn then
nmap.registry.asn = {} nmap.registry.asn = {}
nmap.registry.asn.cache = {} nmap.registry.asn.cache = {}
@@ -216,13 +215,13 @@ function ip_to_asn( query )
-- failed to find or get a response from any dns server - fatal -- failed to find or get a response from any dns server - fatal
if not decoded_response and ( other_response == nil or other_response == 9 ) then if not decoded_response and ( other_response == nil or other_response == 9 ) then
stdnse.print_debug( "%s Failed to send dns query. Response from dns.query(): %s", id, other_response or "nil" ) stdnse.print_debug( "%s Failed to send dns query. Response from dns.query(): %s", filename, other_response or "nil" )
return false, nil return false, nil
end end
-- error codes from dns.lua -- error codes from dns.lua
if not decoded_response and type( other_response ) == "number" then if not decoded_response and type( other_response ) == "number" then
if other_response ~= 3 then stdnse.print_debug( "%s Error from dns.query() Code: %s in response to %s", id, other_response, query ) end if other_response ~= 3 then stdnse.print_debug( "%s Error from dns.query() Code: %s in response to %s", filename, other_response, query ) end
return false, err_code[other_response] or "Unknown Error" return false, err_code[other_response] or "Unknown Error"
end end
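Review bot: `filename` here is the raw field set at load time, the same value nse_main.cc has to run through abbreviate_script_filename() before printing, so these debug lines will now show the full path including ".nse" rather than the short id they showed before. That is probably acceptable at debug level, but it departs from the "basename without .nse" rule in the commit message; if the short form is wanted in debug output, expose the abbreviated name to scripts once (or abbreviate in stdnse.print_debug) instead of having every script do it. The same applies to the other scripts in this commit that switch print_debug from id to filename.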

View File

@@ -1,4 +1,3 @@
id = "HTTP Auth"
description = [[ description = [[
Gets the authentication scheme and realm of a web service that requires Gets the authentication scheme and realm of a web service that requires
authentication. authentication.
@@ -6,7 +5,7 @@ authentication.
--- ---
-- @output -- @output
-- | HTTP Auth: HTTP Service requires authentication -- | HTTPAuth: HTTP Service requires authentication
-- |_ Auth type: Basic, realm = DSL Router -- |_ Auth type: Basic, realm = DSL Router
-- HTTP authentication information gathering script -- HTTP authentication information gathering script

View File

@@ -1,4 +1,3 @@
id="Open Proxy Test"
description=[[ description=[[
Checks if an HTTP proxy is open. Checks if an HTTP proxy is open.

View File

@@ -1,4 +1,3 @@
id = "HTTP directory traversal passwd probe"
description = [[ description = [[
Checks if a web server is vulnerable to directory traversal by attempting to Checks if a web server is vulnerable to directory traversal by attempting to
retrieve /etc/passwd. retrieve /etc/passwd.

View File

@@ -1,4 +1,3 @@
id = "HTTP TRACE"
description = [[ description = [[
Sends an HTTP TRACE request and shows header fields that were modified in the Sends an HTTP TRACE request and shows header fields that were modified in the
response. response.
@@ -7,7 +6,7 @@ response.
--- ---
-- @output -- @output
-- 80/tcp open http -- 80/tcp open http
-- | HTTP TRACE: Response differs from request. First 5 additional lines: -- | HTTPtrace: Response differs from request. First 5 additional lines:
-- | Cookie: UID=d4287aa38d02f409841b4e0c0050c13148a85d01c0c0a154d4ef56dfc2b4fc1b0 -- | Cookie: UID=d4287aa38d02f409841b4e0c0050c13148a85d01c0c0a154d4ef56dfc2b4fc1b0
-- | Country: us -- | Country: us
-- | Ip_is_advertise_combined: yes -- | Ip_is_advertise_combined: yes

View File

@@ -1,4 +1,3 @@
id = "MS SQL"
description = [[ description = [[
Attempts to extract information from Microsoft SQL Server. Attempts to extract information from Microsoft SQL Server.
]] ]]

View File

@@ -1,4 +1,3 @@
id = "MySQL Server Information"
description = [[ description = [[
Connects to a MySQL server and prints information such as the protocol and Connects to a MySQL server and prints information such as the protocol and
version numbers, thread ID, status, capabilities, and the password salt. version numbers, thread ID, status, capabilities, and the password salt.
@@ -11,7 +10,7 @@ running this script (see the portrule).
--- ---
--@output --@output
-- 3306/tcp open mysql -- 3306/tcp open mysql
-- | MySQL Server Information: Protocol: 10 -- | MySQLinfo: Protocol: 10
-- | Version: 5.0.51a-3ubuntu5.1 -- | Version: 5.0.51a-3ubuntu5.1
-- | Thread ID: 7 -- | Thread ID: 7
-- | Some Capabilities: Connect with DB, Compress, Transactions, Secure Connection -- | Some Capabilities: Connect with DB, Compress, Transactions, Secure Connection

View File

@@ -1,4 +1,3 @@
id = "PPTP"
description = [[ description = [[
Attempts to extract system information from the PPTP service. Attempts to extract system information from the PPTP service.
]] ]]

View File

@@ -1,4 +1,3 @@
id = "RealVNC Authentication Bypass"
description = [[ description = [[
Checks if a VNC server is vulnerable to the RealVNC authentication bypass Checks if a VNC server is vulnerable to the RealVNC authentication bypass
(CVE-2006-2369). (CVE-2006-2369).

View File

@@ -1,4 +1,3 @@
id = "Open Relay SMTP"
description = [[ description = [[
Checks if an SMTP server is an open relay. Checks if an SMTP server is an open relay.
]] ]]

View File

@@ -1,4 +1,3 @@
id = "SMTPcommands"
description = [[ description = [[
Attempts to use EHLO and HELP to gather the Extended commands supported by an Attempts to use EHLO and HELP to gather the Extended commands supported by an
SMTP server. SMTP server.

View File

@@ -1,4 +1,3 @@
id = "SNMPv1-communitybrute"
description = [[ description = [[
Attempts to find an SNMP community string by brute force. Attempts to find an SNMP community string by brute force.
]] ]]

View File

@@ -1,11 +1,10 @@
id = "SNMPv1"
description = [[ description = [[
Attempts to extract system information from an SNMP version 1 service. Attempts to extract system information from an SNMP version 1 service.
]] ]]
--- ---
-- @output -- @output
-- | SNMPv1: HP ETHERNET MULTI-ENVIRONMENT,ROM A.25.80,JETDIRECT,JD117,EEPROM V.28.22,CIDATE 08/09/2006 -- | SNMPsysdescr: HP ETHERNET MULTI-ENVIRONMENT,ROM A.25.80,JETDIRECT,JD117,EEPROM V.28.22,CIDATE 08/09/2006
-- |_ System uptime: 28 days, 17:18:59 (248153900 timeticks) -- |_ System uptime: 28 days, 17:18:59 (248153900 timeticks)
author = "Thomas Buchanan <tbuchanan@thecompassgrp.net>" author = "Thomas Buchanan <tbuchanan@thecompassgrp.net>"

View File

@@ -1,4 +1,3 @@
id = "sql-inject"
description = [[ description = [[
Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL Spiders an HTTP server looking for URLs containing queries vulnerable to an SQL
injection attack. injection attack.
@@ -54,7 +53,7 @@ local function get_page(host, port, httpurl)
try(soc:connect(host.ip, port.number)) try(soc:connect(host.ip, port.number))
httpurl = string.gsub(httpurl, "&amp;", "&") httpurl = string.gsub(httpurl, "&amp;", "&")
--print(id .. ": " .. httpurl) --print(filename .. ": " .. httpurl)
-- request page -- request page
local query = strbuf.new() local query = strbuf.new()
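Review bot: `--print(filename .. ": " .. httpurl)` is a commented-out debugging line; rather than keeping dead code in sync with the id removal, delete it or turn it into a stdnse.print_debug call like the one in the action hunk below.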
@@ -232,7 +231,7 @@ action = function(host, port)
end end
if #injectable > 0 then if #injectable > 0 then
stdnse.print_debug(1, "%s: Testing %d suspicious URLs", id, #injectable ) stdnse.print_debug(1, "%s: Testing %d suspicious URLs", filename, #injectable )
end end
-- test all potentially vulnerable queries -- test all potentially vulnerable queries

View File

@@ -1,4 +1,3 @@
id = "SSH Hostkey"
description = [[ description = [[
Shows SSH hostkeys. Shows SSH hostkeys.
@@ -22,9 +21,9 @@ the output with the <code>ssh_hostkey</code> script argument.
-- --
--@output --@output
-- 22/tcp open ssh -- 22/tcp open ssh
-- | SSH Hostkey: 2048 f0:58:ce:f4:aa:a4:59:1c:8e:dd:4d:07:44:c8:25:11 (RSA) -- | SSH-hostkey: 2048 f0:58:ce:f4:aa:a4:59:1c:8e:dd:4d:07:44:c8:25:11 (RSA)
-- 22/tcp open ssh -- 22/tcp open ssh
-- | SSH Hostkey: 2048 f0:58:ce:f4:aa:a4:59:1c:8e:dd:4d:07:44:c8:25:11 (RSA) -- | SSH-hostkey: 2048 f0:58:ce:f4:aa:a4:59:1c:8e:dd:4d:07:44:c8:25:11 (RSA)
-- | +--[ RSA 2048]----+ -- | +--[ RSA 2048]----+
-- | | .E*+ | -- | | .E*+ |
-- | | oo | -- | | oo |
@@ -37,7 +36,7 @@ the output with the <code>ssh_hostkey</code> script argument.
-- | | o . | -- | | o . |
-- |_ +-----------------+ -- |_ +-----------------+
-- 22/tcp open ssh -- 22/tcp open ssh
-- | SSH Hostkey: 2048 xuvah-degyp-nabus-zegah-hebur-nopig-bubig-difeg-hisym-rumef-cuxex (RSA) -- | SSH-hostkey: 2048 xuvah-degyp-nabus-zegah-hebur-nopig-bubig-difeg-hisym-rumef-cuxex (RSA)
-- |_ ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwVuv2gcr0maaKQ69VVIEv2ob4OxnuI64fkeOnCXD1lUx5tTA+vefXUWEMxgMuA7iX4irJHy2zer0NQ3Z3yJvr5scPgTYIaEOp5Uo/eGFG9Agpk5wE8CoF0e47iCAPHqzlmP2V7aNURLMODb3jVZuI07A2ZRrMGrD8d888E2ORVORv1rYeTYCqcMMoVFmX9l3gWEdk4yx3w5sD8v501Iuyd1v19mPfyhrI5E1E1nl/Xjp5N0/xP2GUBrdkDMxKaxqTPMie/f0dXBUPQQN697a5q+5lBRPhKYOtn6yQKCd9s1Q22nxn72Jmi1RzbMyYJ52FosDT755Qmb46GLrDMaZMQ== -- |_ ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwVuv2gcr0maaKQ69VVIEv2ob4OxnuI64fkeOnCXD1lUx5tTA+vefXUWEMxgMuA7iX4irJHy2zer0NQ3Z3yJvr5scPgTYIaEOp5Uo/eGFG9Agpk5wE8CoF0e47iCAPHqzlmP2V7aNURLMODb3jVZuI07A2ZRrMGrD8d888E2ORVORv1rYeTYCqcMMoVFmX9l3gWEdk4yx3w5sD8v501Iuyd1v19mPfyhrI5E1E1nl/Xjp5N0/xP2GUBrdkDMxKaxqTPMie/f0dXBUPQQN697a5q+5lBRPhKYOtn6yQKCd9s1Q22nxn72Jmi1RzbMyYJ52FosDT755Qmb46GLrDMaZMQ==
author = "Sven Klemm <sven@c3d2.de>" author = "Sven Klemm <sven@c3d2.de>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
@@ -52,7 +51,7 @@ if pcall(require,"openssl") then
require("ssh2") require("ssh2")
else else
action = function() action = function()
stdnse.print_debug( 3, "Skipping %s script because OpenSSL is missing.", id ) stdnse.print_debug( 3, "Skipping %s script because OpenSSL is missing.", filename )
end end
end end
@@ -63,9 +62,9 @@ portrule = shortport.port_or_service(22, "ssh")
--@param host nmap host table --@param host nmap host table
--@param key host key table --@param key host key table
local add_key_to_registry = function( host, key ) local add_key_to_registry = function( host, key )
nmap.registry[id] = nmap.registry[id] or {} nmap.registry.sshhostkey = nmap.registry.sshhostkey or {}
nmap.registry[id][host.ip] = nmap.registry[id][host.ip] or {} nmap.registry.sshhostkey[host.ip] = nmap.registry.sshhostkey[host.ip] or {}
table.insert( nmap.registry[id][host.ip], key ) table.insert( nmap.registry.sshhostkey[host.ip], key )
end end
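Review bot: the registry key changes from nmap.registry[id] (previously "SSH Hostkey") to nmap.registry.sshhostkey, which silently breaks any script that reads host keys from the registry under the old key; confirm all consumers are renamed in the same commit, and document the key in the NSEDoc header now that it can no longer be derived from the id. The key is spelled three times in add_key_to_registry, so a local constant would also keep it from drifting.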
action = action or function(host, port) action = action or function(host, port)

View File

@@ -1,4 +1,3 @@
id = "SSH Protocol Version 1"
description = [[ description = [[
Checks if an SSH server supports SSH Protocol Version 1. Checks if an SSH server supports SSH Protocol Version 1.
]] ]]

View File

@@ -1,4 +1,3 @@
id = "SSLv2"
description = [[ description = [[
Determines whether the server (still) supports SSL-v2, and what ciphers it Determines whether the server (still) supports SSL-v2, and what ciphers it
offers. offers.
@@ -7,7 +6,7 @@ offers.
--- ---
--@output --@output
-- 443/tcp open https syn-ack -- 443/tcp open https syn-ack
-- | SSLv2: server still supports SSLv2 -- | SSLv2-support: server still supports SSLv2
-- | SSL2_RC4_128_WITH_MD5 -- | SSL2_RC4_128_WITH_MD5
-- | SSL2_DES_192_EDE3_CBC_WITH_MD5 -- | SSL2_DES_192_EDE3_CBC_WITH_MD5
-- | SSL2_RC2_CBC_128_CBC_WITH_MD5 -- | SSL2_RC2_CBC_128_CBC_WITH_MD5

View File

@@ -1,11 +1,10 @@
id = "UPnP"
description = [[ description = [[
Attempts to extract system information from the UPnP service. Attempts to extract system information from the UPnP service.
]] ]]
--- ---
-- @output -- @output
-- | UPnP: System/1.0 UPnP/1.0 IGD/1.0 -- | UPnP-info: System/1.0 UPnP/1.0 IGD/1.0
-- |_ Location: http://192.168.1.1:80/UPnP/IGD.xml -- |_ Location: http://192.168.1.1:80/UPnP/IGD.xml
author = "Thomas Buchanan <tbuchanan@thecompassgrp.net>" author = "Thomas Buchanan <tbuchanan@thecompassgrp.net>"

View File

@@ -1,11 +1,10 @@
id = "Anonymous FTP"
description = [[ description = [[
Checks if an FTP server allows anonymous logins. Checks if an FTP server allows anonymous logins.
]] ]]
--- ---
-- @output -- @output
-- |_ Anonymous FTP: Anonymous login allowed -- |_ anonFTP: Anonymous login allowed
author = "Eddie Bell <ejlbell@gmail.com>" author = "Eddie Bell <ejlbell@gmail.com>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

View File

@@ -1,4 +1,3 @@
id = "POP3 brute force"
description = [[ description = [[
Tries to log into a POP3 account by guessing usernames and passwords. Tries to log into a POP3 account by guessing usernames and passwords.
]] ]]

View File

@@ -65,7 +65,7 @@ local new_auth_iter = function()
end end
i = i + 1 i = i + 1
stdnse.print_debug(3, "%s %s:%s", id, userpass[i-1][1], escape_cred(userpass[i-1][2])) stdnse.print_debug(3, "%s %s:%s", filename, userpass[i-1][1], escape_cred(userpass[i-1][2]))
return userpass[i-1][1], userpass[i-1][2] return userpass[i-1][1], userpass[i-1][2]
end end
end end

View File

@@ -1,4 +1,3 @@
id = "Daytime"
description = [[ description = [[
Retrieves the day and time from the UDP Daytime service. Retrieves the day and time from the UDP Daytime service.
]] ]]

View File

@@ -1,4 +1,3 @@
id = "DNS source port randomness"
description = [[ description = [[
Checks a DNS server for the predictable-port recursion vulnerability. Checks a DNS server for the predictable-port recursion vulnerability.
Predictable source ports can make a DNS server vulnerable to cache poisoning Predictable source ports can make a DNS server vulnerable to cache poisoning

View File

@@ -1,4 +1,3 @@
id = "DNS TXID randomness"
description = [[ description = [[
Checks a DNS server for the predictable-TXID DNS recursion Checks a DNS server for the predictable-TXID DNS recursion

View File

@@ -1,4 +1,3 @@
id = "Nameserver open recursive queries"
description = [[ description = [[
Checks if a DNS server allows queries for third-party names. Checks if a DNS server allows queries for third-party names.

View File

@@ -1,4 +1,3 @@
id = "Finger Results"
description = [[ description = [[
Attempts to get a list of usernames via the finger service. Attempts to get a list of usernames via the finger service.
]] ]]

View File

@@ -1,4 +1,3 @@
id="FTP bounce check"
description=[[ description=[[
Checks to see if an FTP server allows port scanning using the FTP bounce method. Checks to see if an FTP server allows port scanning using the FTP bounce method.
]] ]]

View File

@@ -1,4 +1,3 @@
id = "IAX2 Service Detection"
description = [[ description = [[
Detects the UDP IAX2 service. Detects the UDP IAX2 service.

View File

@@ -1,4 +1,3 @@
id = "IRC Server Info"
description = [[ description = [[
Gathers information from an IRC server. Gathers information from an IRC server.
@@ -8,7 +7,7 @@ It uses STATS, LUSERS, and other queries to obtain this information.
--- ---
-- @output -- @output
-- 6665/tcp open irc -- 6665/tcp open irc
-- | IRC Server Info: Server: foo.bar.net -- | ircServerInfo: Server: foo.bar.net
-- | Version: hyperion-1.0.2b(381). foo.bar.net -- | Version: hyperion-1.0.2b(381). foo.bar.net
-- | Lservers/Lusers: 0/4204 -- | Lservers/Lusers: 0/4204
-- | Uptime: 106 days, 2:46:30 -- | Uptime: 106 days, 2:46:30

View File

@@ -1,4 +1,3 @@
id = "IRC zombie"
description = [[ description = [[
Checks for an IRC zombie. Checks for an IRC zombie.

View File

@@ -1,4 +1,3 @@
id = "NBSTAT"
description = [[ description = [[
Attempt's to get the target's NetBIOS names and MAC address. Attempt's to get the target's NetBIOS names and MAC address.
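Review bot: the unchanged description line "Attempt's to get the target's NetBIOS names and MAC address." has a stray apostrophe; "Attempt's" should read "Attempts". Since this header is already being edited to drop the `id` line, it is worth fixing in the same commit.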
@@ -13,10 +12,10 @@ owns.
-- --
-- @output -- @output
-- (no verbose)\n -- (no verbose)\n
-- |_ NBSTAT: NetBIOS name: TEST1, NetBIOS user: RON, NetBIOS MAC: 00:0c:29:f9:d9:28\n -- |_ nbstat: NetBIOS name: TEST1, NetBIOS user: RON, NetBIOS MAC: 00:0c:29:f9:d9:28\n
--\n --\n
-- (verbose)\n -- (verbose)\n
-- | NBSTAT: NetBIOS name: TEST1, NetBIOS user: RON, NetBIOS MAC: 00:0c:29:f9:d9:28\n -- | nbstat: NetBIOS name: TEST1, NetBIOS user: RON, NetBIOS MAC: 00:0c:29:f9:d9:28\n
-- | Name: TEST1<00> Flags: <unique><active>\n -- | Name: TEST1<00> Flags: <unique><active>\n
-- | Name: TEST1<20> Flags: <unique><active>\n -- | Name: TEST1<20> Flags: <unique><active>\n
-- | Name: WORKGROUP<00> Flags: <group><active>\n -- | Name: WORKGROUP<00> Flags: <group><active>\n
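Review bot: the `@output` example in this hunk ends every line with a literal `\n` sequence (`-- (no verbose)\n`, `-- |_ nbstat: ...\n`, `--\n`); inside a Lua comment these are plain text, not newlines, so NSEDoc will render them verbatim and the sample output will not look like what the script actually prints. Dropping the trailing `\n` while the `nbstat:` prefix is being updated would keep the example faithful to the real output.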

View File

@@ -1,4 +1,3 @@
id = "POP3 Capabilites"
description = [[ description = [[
Retrieves POP3 server capabilities. Retrieves POP3 server capabilities.
]] ]]
@@ -6,7 +5,7 @@ Retrieves POP3 server capabilities.
--- ---
-- @output -- @output
-- 110/tcp open pop3 -- 110/tcp open pop3
-- |_ POP3 Capabilites: USER CAPA RESP-CODES UIDL PIPELINING STLS TOP SASL(PLAIN) -- |_ popcapa: USER CAPA RESP-CODES UIDL PIPELINING STLS TOP SASL(PLAIN)
author = "Philip Pickering <pgpickering@gmail.com>" author = "Philip Pickering <pgpickering@gmail.com>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

View File

@@ -1,4 +1,3 @@
id = "Promiscuous detection"
description = [[ description = [[
Checks if a target on a local Ethernet has its network card in promiscuous mode. Checks if a target on a local Ethernet has its network card in promiscuous mode.

View File

@@ -1,4 +1,3 @@
id = "RIPE query"
description = [[ description = [[
Connects to the RIPE database and displays the <code>role:</code> entry for the Connects to the RIPE database and displays the <code>role:</code> entry for the
target's IP address. target's IP address.

View File

@@ -1,4 +1,3 @@
id = "robots.txt"
description = [[ description = [[
Checks for disallowed entries in <code>robots.txt</code>. Checks for disallowed entries in <code>robots.txt</code>.
@@ -8,7 +7,7 @@ The higher the verbosity or debug level, the more disallowed entries are shown.
--- ---
--@output --@output
-- 80/tcp open http syn-ack -- 80/tcp open http syn-ack
-- | robots.txt: has 156 disallowed entries (40 shown) -- | robots: has 156 disallowed entries (40 shown)
-- | /news?output=xhtml& /search /groups /images /catalogs -- | /news?output=xhtml& /search /groups /images /catalogs
-- | /catalogues /news /nwshp /news?btcid=*& /news?btaid=*& -- | /catalogues /news /nwshp /news?btcid=*& /news?btaid=*&
-- | /setnewsprefs? /index.html? /? /addurl/image? /pagead/ /relpage/ -- | /setnewsprefs? /index.html? /? /addurl/image? /pagead/ /relpage/

View File

@@ -1,4 +1,3 @@
id = "rpcinfo"
description = [[ description = [[
Connects to portmapper and fetches a list of all registered programs. Connects to portmapper and fetches a list of all registered programs.
]] ]]

View File

@@ -1,4 +1,3 @@
id = "HTML title"
description = [[ description = [[
Shows the title of the default page of a web server. Shows the title of the default page of a web server.
@@ -11,7 +10,7 @@ original target.
--- ---
--@output --@output
-- 80/tcp open http syn-ack -- 80/tcp open http syn-ack
-- |_ HTML title: Foo. -- |_ showHTMLTitle: Foo.
author = "Diman Todorov <diman.todorov@gmail.com>" author = "Diman Todorov <diman.todorov@gmail.com>"

View File

@@ -1,4 +1,3 @@
id = "Service owner"
description = [[ description = [[
Attempts to find the owner of a scanned port. Attempts to find the owner of a scanned port.

View File

@@ -1,4 +1,3 @@
id = "Skype v2"
description = [[ description = [[
Detects the Skype version 2 service. Detects the Skype version 2 service.
]] ]]

View File

@@ -1,4 +1,3 @@
id = "MSRPC: List of domains"
description = [[ description = [[
Attempts to enumerate domains on a system, along with their policies. This will likely only work without credentials against Windows 2000. Attempts to enumerate domains on a system, along with their policies. This will likely only work without credentials against Windows 2000.
@@ -18,7 +17,7 @@ After the initial <code>bind()</code> to SAMR, the sequence of calls is:
-- --
--@output --@output
-- Host script results: -- Host script results:
-- | MSRPC: List of domains: -- | smb-enumdomains:
-- | Domain: LOCALSYSTEM -- | Domain: LOCALSYSTEM
-- | |_ SID: S-1-5-21-2956463495-2656032972-1271678565 -- | |_ SID: S-1-5-21-2956463495-2656032972-1271678565
-- | |_ Users: Administrator, Guest, SUPPORT_388945a0 -- | |_ Users: Administrator, Guest, SUPPORT_388945a0

View File

@@ -1,4 +1,3 @@
id = "MSRPC: NetSessEnum()"
description = [[ description = [[
Enumerates the users logged into a system either locally, through a remote desktop client (terminal Enumerates the users logged into a system either locally, through a remote desktop client (terminal
services), or through a SMB share. services), or through a SMB share.
@@ -31,7 +30,7 @@ idea to write this one.
-- --
--@output --@output
-- Host script results: -- Host script results:
-- | MSRPC: NetSessEnum(): -- | smb-enumsessions:
-- | Users logged in: -- | Users logged in:
-- | |_ TESTBOX\Administrator since 2008-10-21 08:17:14 -- | |_ TESTBOX\Administrator since 2008-10-21 08:17:14
-- | |_ DOMAIN\rbowes since 2008-10-20 09:03:23 -- | |_ DOMAIN\rbowes since 2008-10-20 09:03:23

View File

@@ -1,4 +1,3 @@
id = "MSRPC: List of shares"
description = [[ description = [[
Attempts to list shares using the <code>srvsvc.NetShareEnumAll()</code> MSRPC function, then Attempts to list shares using the <code>srvsvc.NetShareEnumAll()</code> MSRPC function, then
retrieve more information about each share using <code>srvsvc.NetShareGetInfo()</code>. retrieve more information about each share using <code>srvsvc.NetShareGetInfo()</code>.
@@ -28,13 +27,13 @@ doing an authenticated test.
-- --
--@output --@output
-- Standard: -- Standard:
-- | MSRPC: List of shares: -- | smb-enumshares:
-- | Anonymous shares: IPC$ -- | Anonymous shares: IPC$
-- |_ Restricted shares: F$, ADMIN$, C$ -- |_ Restricted shares: F$, ADMIN$, C$
-- --
-- Verbose: -- Verbose:
-- Host script results: -- Host script results:
-- | MSRPC: List of shares: -- | smb-enumshares:
-- | Anonymous shares: -- | Anonymous shares:
-- | IPC$ -- | IPC$
-- | |_ Type: STYPE_IPC_HIDDEN -- | |_ Type: STYPE_IPC_HIDDEN

View File

@@ -1,4 +1,3 @@
id = "MSRPC: List of user accounts"
description = [[ description = [[
Attempts to enumerate the users on a remote Windows system, with as much Attempts to enumerate the users on a remote Windows system, with as much
information as possible, through a variety of techniques (over SMB and MSRPC, information as possible, through a variety of techniques (over SMB and MSRPC,
@@ -73,11 +72,11 @@ the code I wrote for this is largely based on the techniques used by them.
-- --
-- @output -- @output
-- Host script results: -- Host script results:
-- | MSRPC: List of user accounts: -- | smb-enumusers:
-- |_ TESTBOX\Administrator, EXTERNAL\DnsAdmins, TESTBOX\Guest, EXTERNAL\HelpServicesGroup, EXTERNAL\PARTNERS$, TESTBOX\SUPPORT_388945a0 -- |_ TESTBOX\Administrator, EXTERNAL\DnsAdmins, TESTBOX\Guest, EXTERNAL\HelpServicesGroup, EXTERNAL\PARTNERS$, TESTBOX\SUPPORT_388945a0
-- --
-- Host script results: -- Host script results:
-- | MSRPC: List of user accounts: -- | smb-enumusers:
-- | Administrator -- | Administrator
-- | |_ Type: User -- | |_ Type: User
-- | |_ Domain: LOCALSYSTEM -- | |_ Domain: LOCALSYSTEM

View File

@@ -1,4 +1,3 @@
id = "OS from SMB"
description = [[ description = [[
Attempts to determine the operating system over the SMB protocol (ports 445 and Attempts to determine the operating system over the SMB protocol (ports 445 and
139). 139).
@@ -13,7 +12,7 @@ they likely won't change the outcome in any meaningful way.
-- sudo nmap -sU -sS --script smb-os-discovery.nse -p U:137,T:139 127.0.0.1 -- sudo nmap -sU -sS --script smb-os-discovery.nse -p U:137,T:139 127.0.0.1
-- --
--@output --@output
-- | OS from SMB: Windows 2000 -- | smb-os-discovery: Windows 2000
-- | LAN Manager: Windows 2000 LAN Manager -- | LAN Manager: Windows 2000 LAN Manager
-- | Name: WORKGROUP\TEST1 -- | Name: WORKGROUP\TEST1
-- |_ System time: 2008-09-09 20:55:55 UTC-5 -- |_ System time: 2008-09-09 20:55:55 UTC-5

View File

@@ -1,4 +1,3 @@
id = "SMB Security"
description = [[ description = [[
Returns information about the SMB security level determined by SMB. Returns information about the SMB security level determined by SMB.
@@ -44,9 +43,9 @@ set the username and password, etc.), but it probably won't ever require them.
-- sudo nmap -sU -sS --script smb-security-mode.nse -p U:137,T:139 127.0.0.1 -- sudo nmap -sU -sS --script smb-security-mode.nse -p U:137,T:139 127.0.0.1
-- --
--@output --@output
-- | SMB Security: User-level authentication -- | smb-security-mode: User-level authentication
-- | SMB Security: Challenge/response passwords supported -- | smb-security-mode: Challenge/response passwords supported
-- |_ SMB Security: Message signing supported -- |_ smb-security-mode: Message signing supported
-- --
-- @args smb* This script supports the <code>smbusername</code>, -- @args smb* This script supports the <code>smbusername</code>,
-- <code>smbpassword</code>, <code>smbhash</code>, <code>smbguest</code>, and -- <code>smbpassword</code>, <code>smbhash</code>, <code>smbguest</code>, and

View File

@@ -1,4 +1,3 @@
id = "MSRPC: Server statistics"
description = [[ description = [[
Attempts to grab the server's statistics over SMB and MSRPC, which uses TCP Attempts to grab the server's statistics over SMB and MSRPC, which uses TCP
ports 445 or 139. ports 445 or 139.
@@ -17,7 +16,7 @@ the numbers that Windows returns. Take the values here with a grain of salt.
-- --
-- @output -- @output
-- Host script results: -- Host script results:
-- | MSRPC: Server statistics: -- | smb-serverstats:
-- | Server statistics collected since 2008-10-17 09:32:41 (4d0h24m29s): -- | Server statistics collected since 2008-10-17 09:32:41 (4d0h24m29s):
-- | |_ Traffic 133467 bytes (0.38b/s) sent, 167696 bytes (0.48b/s) received -- | |_ Traffic 133467 bytes (0.38b/s) sent, 167696 bytes (0.48b/s) received
-- | |_ Failed logins: 5 -- | |_ Failed logins: 5

View File

@@ -1,4 +1,3 @@
id = "System info"
description = [[ description = [[
Pulls back information about the remote system from the registry. Getting all Pulls back information about the remote system from the registry. Getting all
@@ -17,7 +16,7 @@ I don't know it), so this doesn't support Vista at all.
-- --
-- @output -- @output
-- Host script results: -- Host script results:
-- | System info: -- | smb-systeminfo:
-- | OS Details -- | OS Details
-- | |_ Microsoft Windows Server 2003 Service Pack 2 (ServerNT 5.2 build 3790) -- | |_ Microsoft Windows Server 2003 Service Pack 2 (ServerNT 5.2 build 3790)
-- | |_ Installed on 2007-11-26 23:40:40 -- | |_ Installed on 2007-11-26 23:40:40

View File

@@ -1,4 +1,3 @@
id = "Unexpected SMTP"
description = [[ description = [[
Checks if SMTP is running on a non-standard port. Checks if SMTP is running on a non-standard port.
@@ -9,7 +8,7 @@ system to send spam or control your machine.
--- ---
-- @output -- @output
-- 22/tcp open ssh -- 22/tcp open ssh
-- |_ Unexpected SMTP: Warning: smtp is running on a strange port -- |_ strangeSMTPport: Warning: smtp is running on a strange port
author = "Diman Todorov <diman.todorov@gmail.com>" author = "Diman Todorov <diman.todorov@gmail.com>"

View File

@@ -1,4 +1,3 @@
id = "Whois"
description = [[ description = [[
Queries the WHOIS services of Regional Internet Registries (RIR) and attempts to retrieve information about the IP Address Queries the WHOIS services of Regional Internet Registries (RIR) and attempts to retrieve information about the IP Address
Assignment which contains the Target IP Address. Assignment which contains the Target IP Address.
@@ -67,7 +66,7 @@ the RIRs.
-- nmap target --script whois --script-args whois={whodb=nocache} -- nmap target --script whois --script-args whois={whodb=nocache}
-- @output -- @output
-- Host script results: -- Host script results:
-- | Whois: Record found at whois.arin.net -- | whois: Record found at whois.arin.net
-- | netrange: 64.13.134.0 - 64.13.134.63 -- | netrange: 64.13.134.0 - 64.13.134.63
-- | netname: NET-64-13-143-0-26 -- | netname: NET-64-13-143-0-26
-- | orgname: Titan Networks -- | orgname: Titan Networks
@@ -97,7 +96,7 @@ hostrule = function( host )
local is_private, err = ipOps.isPrivate( host.ip ) local is_private, err = ipOps.isPrivate( host.ip )
if err then if err then
stdnse.print_debug( "%s Error in Hostrule: %s.", id, err ) stdnse.print_debug( "%s Error in Hostrule: %s.", filename, err )
return false return false
end end
@@ -143,7 +142,7 @@ action = function( host )
end end
-- script initialisation - threads must wait until this has been completed before continuing -- script initialisation - threads must wait until this has been completed before continuing
local mutex = nmap.mutex( id ) local mutex = nmap.mutex( "whois" )
mutex "lock" mutex "lock"
if not nmap.registry.whois.init_done then if not nmap.registry.whois.init_done then
script_init( host.ip ) script_init( host.ip )
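Review bot: `nmap.mutex( id )` becomes `nmap.mutex( "whois" )`, a hard-coded string, while every other `id` replacement in this file uses `filename`; if the intent is a mutex key that stays stable even when the script file is renamed, a short comment saying so would prevent the next reader from "fixing" it back to `filename`, and if not, `nmap.mutex( filename )` keeps the change consistent with the rest of the patch.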
@@ -192,7 +191,7 @@ action = function( host )
status, retval = pcall( get_next_action, tracking, host.ip ) status, retval = pcall( get_next_action, tracking, host.ip )
if not status then if not status then
stdnse.print_debug( "%s %s pcall caught an exception in get_next_action: %s.", id, ip, retval ) stdnse.print_debug( "%s %s pcall caught an exception in get_next_action: %s.", filename, ip, retval )
else tracking = retval end else tracking = retval end
if tracking.this_db then if tracking.this_db then
@@ -203,13 +202,13 @@ action = function( host )
-- analyse data -- analyse data
status, retval = pcall( analyse_response, tracking, host.ip, response, data ) status, retval = pcall( analyse_response, tracking, host.ip, response, data )
if not status then if not status then
stdnse.print_debug( "%s %s pcall caught an exception in analyse_response: %s.", id, ip, retval ) stdnse.print_debug( "%s %s pcall caught an exception in analyse_response: %s.", filename, ip, retval )
else data = retval end else data = retval end
-- get next action -- get next action
status, retval = pcall( get_next_action, tracking, host.ip ) status, retval = pcall( get_next_action, tracking, host.ip )
if not status then if not status then
stdnse.print_debug( "%s %s pcall caught an exception in get_next_action: %s.", id, ip, retval ) stdnse.print_debug( "%s %s pcall caught an exception in get_next_action: %s.", filename, ip, retval )
if not tracking.last_db then tracking.last_db, tracking.this_db = tracking.this_db or tracking.next_db, nil end if not tracking.last_db then tracking.last_db, tracking.this_db = tracking.this_db or tracking.next_db, nil end
else tracking = retval end else tracking = retval end
end end
@@ -342,7 +341,7 @@ function check_response_cache( ip )
-- record found in cache -- record found in cache
return true, nil return true, nil
else else
stdnse.print_debug( 1, "%s %s Error in check_response_cache: %s.", id, ip, err ) stdnse.print_debug( 1, "%s %s Error in check_response_cache: %s.", filename, ip, err )
end end
return false, nil return false, nil
@@ -463,7 +462,7 @@ function get_db_from_assignments( ip )
end end
if not nmap.registry.whois.local_assignments_data or not nmap.registry.whois.local_assignments_data[af] then if not nmap.registry.whois.local_assignments_data or not nmap.registry.whois.local_assignments_data[af] then
stdnse.print_debug( 1, "%s Error in get_db_from_assignments: Missing assignments data in registry.", id ) stdnse.print_debug( 1, "%s Error in get_db_from_assignments: Missing assignments data in registry.", filename )
return nil return nil
end end
@@ -490,14 +489,14 @@ end
function do_query(db, ip) function do_query(db, ip)
if type( db ) ~= "string" or not nmap.registry.whois.whoisdb[db] then if type( db ) ~= "string" or not nmap.registry.whois.whoisdb[db] then
stdnse.print_debug("%s %s Error in do_query: %s is not a defined Whois service.", id, ip, db) stdnse.print_debug("%s %s Error in do_query: %s is not a defined Whois service.", filename, ip, db)
return nil return nil
end end
local service = nmap.registry.whois.whoisdb[db] local service = nmap.registry.whois.whoisdb[db]
if type( service.hostname ) ~= "string" or service.hostname == "" then if type( service.hostname ) ~= "string" or service.hostname == "" then
stdnse.print_debug("%s %s Error in do_query: Invalid hostname for %s.", id, ip, db) stdnse.print_debug("%s %s Error in do_query: Invalid hostname for %s.", filename, ip, db)
return nil return nil
end end
@@ -513,7 +512,7 @@ function do_query(db, ip)
local socket = nmap.new_socket() local socket = nmap.new_socket()
local catch = function() local catch = function()
stdnse.print_debug( "%s %s Connection to %s failed or was aborted! No Output for this Target.", id, ip, db ) stdnse.print_debug( "%s %s Connection to %s failed or was aborted! No Output for this Target.", filename, ip, db )
nmap.registry.whois.mutex[db] "done" nmap.registry.whois.mutex[db] "done"
socket:close() socket:close()
end end
@@ -536,7 +535,7 @@ function do_query(db, ip)
socket:close() socket:close()
stdnse.print_debug(3, "%s %s Ended Query at %s.", id, ip, db) stdnse.print_debug(3, "%s %s Ended Query at %s.", filename, ip, db)
if #result == 0 then if #result == 0 then
return nil return nil
@@ -588,13 +587,13 @@ function analyse_response( tracking, ip, response, data )
if type( meta ) == "table" and type( meta.fieldreq ) == "table" and type( meta.fieldreq.ob_exist ) == "string" then if type( meta ) == "table" and type( meta.fieldreq ) == "table" and type( meta.fieldreq.ob_exist ) == "string" then
have_objects = response:match( meta.fieldreq.ob_exist ) have_objects = response:match( meta.fieldreq.ob_exist )
else else
stdnse.print_debug( 2, "%s %s Could not check for objects, problem with meta data.", id, ip ) stdnse.print_debug( 2, "%s %s Could not check for objects, problem with meta data.", filename, ip )
have_objects = false have_objects = false
end end
-- if we do not recognise objects check for an known error/non-object message -- if we do not recognise objects check for an known error/non-object message
if not have_objects then if not have_objects then
stdnse.print_debug( 4, "%s %s %s has not responded with the expected objects.", id, ip, this_db ) stdnse.print_debug( 4, "%s %s %s has not responded with the expected objects.", filename, ip, this_db )
local tmp, msg local tmp, msg
-- may have found our record saying something similar to "No Record Found" -- may have found our record saying something similar to "No Record Found"
for _, pattern in ipairs( nmap.registry.whois.m_none ) do for _, pattern in ipairs( nmap.registry.whois.m_none ) do
@@ -602,7 +601,7 @@ function analyse_response( tracking, ip, response, data )
pattern_u = pattern:gsub( "$addr", ip:upper() ) pattern_u = pattern:gsub( "$addr", ip:upper() )
msg = response:match( pattern_l ) or response:match( pattern_u ) msg = response:match( pattern_l ) or response:match( pattern_u )
if msg then if msg then
stdnse.print_debug( 4, "%s %s %s responded with a message which is assumed to be authoritative (but may not be).", id, ip, this_db ) stdnse.print_debug( 4, "%s %s %s responded with a message which is assumed to be authoritative (but may not be).", filename, ip, this_db )
break break
end end
end end
@@ -611,7 +610,7 @@ function analyse_response( tracking, ip, response, data )
for _, pattern in ipairs( nmap.registry.whois.m_err ) do for _, pattern in ipairs( nmap.registry.whois.m_err ) do
msg = response:match( pattern ) msg = response:match( pattern )
if msg then if msg then
stdnse.print_debug( 4, "%s %s %s responded with an ERROR message.", id, ip, this_db ) stdnse.print_debug( 4, "%s %s %s responded with an ERROR message.", filename, ip, this_db )
break break
end end
end end
@@ -630,7 +629,7 @@ function analyse_response( tracking, ip, response, data )
for setname, set in pairs( nmap.registry.whois.fields_meta ) do for setname, set in pairs( nmap.registry.whois.fields_meta ) do
if set ~= nmap.registry.whois.whoisdb[this_db].fieldreq and response:match(set.ob_exist) then if set ~= nmap.registry.whois.whoisdb[this_db].fieldreq and response:match(set.ob_exist) then
foreign_obj = setname foreign_obj = setname
stdnse.print_debug( 4, "%s %s %s seems to have responded using the set of objects named: %s.", id, ip, this_db, foreign_obj ) stdnse.print_debug( 4, "%s %s %s seems to have responded using the set of objects named: %s.", filename, ip, this_db, foreign_obj )
break break
end end
end end
@@ -639,7 +638,7 @@ function analyse_response( tracking, ip, response, data )
meta = nmap.registry.whois.whoisdb.ripe meta = nmap.registry.whois.whoisdb.ripe
meta.redirects = nil meta.redirects = nil
have_objects = true have_objects = true
stdnse.print_debug( 4, "%s %s %s will use the display properties of ripe.", id, ip, this_db ) stdnse.print_debug( 4, "%s %s %s will use the display properties of ripe.", filename, ip, this_db )
elseif foreign_obj then elseif foreign_obj then
-- find a display to match the objects. -- find a display to match the objects.
for some_db, db_props in pairs( nmap.registry.whois.whoisdb ) do for some_db, db_props in pairs( nmap.registry.whois.whoisdb ) do
@@ -648,7 +647,7 @@ function analyse_response( tracking, ip, response, data )
meta = nmap.registry.whois.whoisdb[some_db] meta = nmap.registry.whois.whoisdb[some_db]
meta.redirects = nil meta.redirects = nil
have_objects = true have_objects = true
stdnse.print_debug( 4, "%s %s %s will use the display properties of %s.", id, ip, this_db, some_db ) stdnse.print_debug( 4, "%s %s %s will use the display properties of %s.", filename, ip, this_db, some_db )
break break
end end
end end
@@ -657,7 +656,7 @@ function analyse_response( tracking, ip, response, data )
-- extract fields from the entire response for record/redirect discovery -- extract fields from the entire response for record/redirect discovery
if have_objects then if have_objects then
stdnse.print_debug( 4, "%s %s Parsing Query response from %s.", id, ip, this_db ) stdnse.print_debug( 4, "%s %s Parsing Query response from %s.", filename, ip, this_db )
data[this_db] = extract_objects_from_response( response, this_db, ip, meta ) data[this_db] = extract_objects_from_response( response, this_db, ip, meta )
end end
@@ -665,7 +664,7 @@ function analyse_response( tracking, ip, response, data )
-- do record/redirect discovery, cache found redirect -- do record/redirect discovery, cache found redirect
if not nmap.registry.whois.nofollow and have_objects and meta.redirects then if not nmap.registry.whois.nofollow and have_objects and meta.redirects then
stdnse.print_debug( 4, "%s %s Testing response for redirection.", id, ip ) stdnse.print_debug( 4, "%s %s Testing response for redirection.", filename, ip )
found, nextdb, data.iana = redirection_rules( this_db, ip, data, meta ) found, nextdb, data.iana = redirection_rules( this_db, ip, data, meta )
end end
@@ -673,7 +672,7 @@ function analyse_response( tracking, ip, response, data )
-- modify the data table depending on whether we're redirecting or quitting -- modify the data table depending on whether we're redirecting or quitting
if have_objects then if have_objects then
stdnse.print_debug( 5, "%s %s Extracting Fields from response.", id, ip ) stdnse.print_debug( 5, "%s %s Extracting Fields from response.", filename, ip )
-- optionally constrain response to a more focused area -- optionally constrain response to a more focused area
-- discarding previous extraction -- discarding previous extraction
@@ -685,7 +684,7 @@ function analyse_response( tracking, ip, response, data )
end end
if offset > 1 and meta.unordered then if offset > 1 and meta.unordered then
-- fetch an object immediately in front of inetnum -- fetch an object immediately in front of inetnum
stdnse.print_debug( 5, "%s %s %s Searching for an object group immediately before this range.", id, ip, this_db ) stdnse.print_debug( 5, "%s %s %s Searching for an object group immediately before this range.", filename, ip, this_db )
-- split objects from the record, up to offset. Last object should be the one we want. -- split objects from the record, up to offset. Last object should be the one we want.
local obj_sel = stdnse.strsplit( "\r?\n\r?\n", response:sub( 1, offset ) ) local obj_sel = stdnse.strsplit( "\r?\n\r?\n", response:sub( 1, offset ) )
response_chunk = "\n" .. obj_sel[#obj_sel] .. "\n" response_chunk = "\n" .. obj_sel[#obj_sel] .. "\n"
@@ -717,10 +716,10 @@ function analyse_response( tracking, ip, response, data )
end end
-- DEBUG -- DEBUG
stdnse.print_debug( 6, "%s %s %s Fields captured :", id, ip, this_db ) stdnse.print_debug( 6, "%s %s %s Fields captured :", filename, ip, this_db )
for ob, t in pairs( data[this_db] ) do for ob, t in pairs( data[this_db] ) do
for fieldname, fieldvalue in pairs( t ) do for fieldname, fieldvalue in pairs( t ) do
stdnse.print_debug( 6, "%s %s %s %s.%s %s.", id, ip, this_db, ob, fieldname, fieldvalue ) stdnse.print_debug( 6, "%s %s %s %s.%s %s.", filename, ip, this_db, ob, fieldname, fieldvalue )
end end
end end
@@ -806,15 +805,15 @@ function extract_objects_from_response( response_string, db, ip, meta, specific_
-- we either receive a table for one object or for all objects -- we either receive a table for one object or for all objects
if type( specific_object ) == "string" and meta.fieldreq[specific_object] then if type( specific_object ) == "string" and meta.fieldreq[specific_object] then
objects_to_extract[specific_object] = meta.fieldreq[specific_object] objects_to_extract[specific_object] = meta.fieldreq[specific_object]
stdnse.print_debug( 5, "%s %s Extracting a single object: %s.", id, ip, specific_object ) stdnse.print_debug( 5, "%s %s Extracting a single object: %s.", filename, ip, specific_object )
else else
stdnse.print_debug( 5, "%s %s Extracting all objects.", id, ip ) stdnse.print_debug( 5, "%s %s Extracting all objects.", filename, ip )
objects_to_extract = meta.fieldreq objects_to_extract = meta.fieldreq
end end
for object_name, object in pairs( objects_to_extract ) do for object_name, object in pairs( objects_to_extract ) do
if object_name and object_name ~= "ob_exist" then if object_name and object_name ~= "ob_exist" then
stdnse.print_debug(5, "%s %s Seeking object group: %s.", id, ip, object_name) stdnse.print_debug(5, "%s %s Seeking object group: %s.", filename, ip, object_name)
extracted_objects[object_name] = {} extracted_objects[object_name] = {}
extracted_objects[object_name].for_compare = {} -- this will allow us to compare two tables extracted_objects[object_name].for_compare = {} -- this will allow us to compare two tables
-- get a substr of response_string that corresponds to a single object -- get a substr of response_string that corresponds to a single object
@@ -823,7 +822,7 @@ function extract_objects_from_response( response_string, db, ip, meta, specific_
-- if we could not find the end, make the end EOF -- if we could not find the end, make the end EOF
ob_end = ob_end or -1 ob_end = ob_end or -1
if ob_start and ob_end then if ob_start and ob_end then
stdnse.print_debug(5, "%s %s Capturing: %s with indices %s and %s.", id, ip, object_name, ob_start, ob_end ) stdnse.print_debug(5, "%s %s Capturing: %s with indices %s and %s.", filename, ip, object_name, ob_start, ob_end )
local obj_string = response_string:sub( ob_start, ob_end ) local obj_string = response_string:sub( ob_start, ob_end )
for fieldname, pattern in pairs( object ) do for fieldname, pattern in pairs( object ) do
if fieldname ~= "ob_start" and fieldname ~= "ob_end" then if fieldname ~= "ob_start" and fieldname ~= "ob_end" then
@@ -896,19 +895,19 @@ function redirection_rules( db, ip, data, meta )
-- arin record points to iana so we won't follow and we assume we have our record -- arin record points to iana so we won't follow and we assume we have our record
if directed_to == iana and directed_from == arin then if directed_to == iana and directed_from == arin then
stdnse.print_debug( 4, "%s %s %s Accept arin record (matched IANA).", id, ip, directed_from ) stdnse.print_debug( 4, "%s %s %s Accept arin record (matched IANA).", filename, ip, directed_from )
return true, nil, ( icnt+1 ) return true, nil, ( icnt+1 )
end end
-- non-arin record points to iana so we query arin next -- non-arin record points to iana so we query arin next
if directed_to == iana then if directed_to == iana then
stdnse.print_debug( 4, "%s %s Redirecting to arin (matched IANA).", id, ip ) stdnse.print_debug( 4, "%s %s Redirecting to arin (matched IANA).", filename, ip )
return false, arin, ( icnt+1 ) return false, arin, ( icnt+1 )
end end
-- a redirect, but not to iana or to self, so we follow it. -- a redirect, but not to iana or to self, so we follow it.
if directed_to ~= nmap.registry.whois.whoisdb[directed_from].id then if directed_to ~= nmap.registry.whois.whoisdb[directed_from].id then
stdnse.print_debug( 4, "%s %s %s redirects us to %s.", id, ip, directed_from, directed_to ) stdnse.print_debug( 4, "%s %s %s redirects us to %s.", filename, ip, directed_from, directed_to )
return false, directed_to, icnt return false, directed_to, icnt
end end
@@ -924,14 +923,14 @@ function redirection_rules( db, ip, data, meta )
-- if a field has been captured for the given redirect info -- if a field has been captured for the given redirect info
if data[db][obj] and data[db][obj][fld] then if data[db][obj] and data[db][obj][fld] then
stdnse.print_debug( 5, "%s %s Seek redirect in object: %s.%s for %s.", id, ip, obj, fld, pattern ) stdnse.print_debug( 5, "%s %s Seek redirect in object: %s.%s for %s.", filename, ip, obj, fld, pattern )
-- iterate over nmap.registry.whois.whoisdb to find pattern (from each service) in the designated field -- iterate over nmap.registry.whois.whoisdb to find pattern (from each service) in the designated field
for member, mem_properties in pairs( nmap.registry.whois.whoisdb ) do for member, mem_properties in pairs( nmap.registry.whois.whoisdb ) do
-- if pattern if found in the field, we have a redirect to member -- if pattern if found in the field, we have a redirect to member
if type( mem_properties[pattern] ) == "string" and string.lower( data[db][obj][fld] ):match( mem_properties[pattern] ) then if type( mem_properties[pattern] ) == "string" and string.lower( data[db][obj][fld] ):match( mem_properties[pattern] ) then
stdnse.print_debug( 5, "%s %s Matched %s in %s.%s.", id, ip, pattern, obj, fld ) stdnse.print_debug( 5, "%s %s Matched %s in %s.%s.", filename, ip, pattern, obj, fld )
return redirection_validation( nmap.registry.whois.whoisdb[member].id, db, iana_count ) return redirection_validation( nmap.registry.whois.whoisdb[member].id, db, iana_count )
elseif type( mem_properties[pattern] ) == "table" then elseif type( mem_properties[pattern] ) == "table" then
@@ -939,7 +938,7 @@ function redirection_rules( db, ip, data, meta )
-- pattern is an array of patterns -- pattern is an array of patterns
for _, pattn in ipairs( mem_properties[pattern] ) do for _, pattn in ipairs( mem_properties[pattern] ) do
if type( pattn ) == "string" and string.lower( data[db][obj][fld] ):match( pattn ) then if type( pattn ) == "string" and string.lower( data[db][obj][fld] ):match( pattn ) then
stdnse.print_debug( 5, "%s %s Matched %s in %s.%s.", id, ip, pattern, obj, fld ) stdnse.print_debug( 5, "%s %s Matched %s in %s.%s.", filename, ip, pattern, obj, fld )
return redirection_validation( nmap.registry.whois.whoisdb[member].id, db, iana_count ) return redirection_validation( nmap.registry.whois.whoisdb[member].id, db, iana_count )
end end
end end
@@ -993,7 +992,7 @@ function constrain_response( response, db, ip, meta )
if # mptr > 1 then if # mptr > 1 then
-- find the closest one to host.ip and constrain the response to it -- find the closest one to host.ip and constrain the response to it
stdnse.print_debug( 5, "%s %s %s Focusing on the smallest of %s address ranges.", id, ip, db, #mptr ) stdnse.print_debug( 5, "%s %s %s Focusing on the smallest of %s address ranges.", filename, ip, db, #mptr )
-- sort the table mptr into nets ascending -- sort the table mptr into nets ascending
table.sort( mptr, smallest_range ) table.sort( mptr, smallest_range )
-- select the first net that includes host.ip -- select the first net that includes host.ip
@@ -1011,15 +1010,15 @@ function constrain_response( response, db, ip, meta )
if mptr[index+1] and ( mptr[index+1].pointer > mptr[index].pointer ) then if mptr[index+1] and ( mptr[index+1].pointer > mptr[index].pointer ) then
bound = mptr[index+1].pointer bound = mptr[index+1].pointer
end end
stdnse.print_debug(5, "%s %s %s Smallest range containing target IP addr. is %s.", id, ip, db, trim( str_net ) ) stdnse.print_debug(5, "%s %s %s Smallest range containing target IP addr. is %s.", filename, ip, db, trim( str_net ) )
local dbg = "%s %s %s smallest range is offset from %s to %s." local dbg = "%s %s %s smallest range is offset from %s to %s."
-- isolate inetnum and associated objects -- isolate inetnum and associated objects
if bound then if bound then
stdnse.print_debug(5, dbg, id, ip, db, ptr, bound) stdnse.print_debug(5, dbg, filename, ip, db, ptr, bound)
-- get from pointer to bound -- get from pointer to bound
return response:sub(ptr,bound), ptr return response:sub(ptr,bound), ptr
else else
stdnse.print_debug(5, dbg, id, ip, db, ptr, "the end") stdnse.print_debug(5, dbg, filename, ip, db, ptr, "the end")
-- or get the whole thing from the pointer onwards -- or get the whole thing from the pointer onwards
return response:sub(ptr), ptr return response:sub(ptr), ptr
end end
@@ -1061,7 +1060,7 @@ function not_short_prefix( ip, range, redirect )
first, last, err[#err+1] = ipOps.get_ips_from_range( range ) first, last, err[#err+1] = ipOps.get_ips_from_range( range )
if #err > 0 then if #err > 0 then
stdnse.print_debug( 1, "%s Error in not_short_prefix: s%.", id, table.concat( err, " " ) ) stdnse.print_debug( 1, "%s Error in not_short_prefix: s%.", filename, table.concat( err, " " ) )
return nil return nil
end end
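Review bot: the format string on the changed line, `"%s Error in not_short_prefix: s%."`, has `s%.` where `%s.` is clearly intended; as written the concatenated error text from `table.concat( err, " " )` is never substituted and the stray `%.` is not a valid string.format conversion. Since the line is being touched anyway, suggest `"%s Error in not_short_prefix: %s."`.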
@@ -1105,7 +1104,7 @@ function add_to_cache( ip, range, redirect, data )
-- we need to cache some range so we'll cache the small assignment that includes ip. -- we need to cache some range so we'll cache the small assignment that includes ip.
if type( range ) ~= "string" or type( get_prefix_length( range ) ) ~= "number" then if type( range ) ~= "string" or type( get_prefix_length( range ) ) ~= "number" then
range = get_assignment( ip, longest_prefix ) range = get_assignment( ip, longest_prefix )
stdnse.print_debug(5, "%s %s Caching an assumed Range: %s", id, ip, range) stdnse.print_debug(5, "%s %s Caching an assumed Range: %s", filename, ip, range)
end end
nmap.registry.whois.cache[ip] = {} -- destroy any previous cache entry for this target. nmap.registry.whois.cache[ip] = {} -- destroy any previous cache entry for this target.
@@ -1195,13 +1194,13 @@ function output( ip, services_queried )
end end
if type( services_queried ) ~= "table" then if type( services_queried ) ~= "table" then
stdnse.print_debug( "%s %s Error in output(): No data found.", id, ip ) stdnse.print_debug( "%s %s Error in output(): No data found.", filename, ip )
return nil return nil
elseif #services_queried == 0 then elseif #services_queried == 0 then
stdnse.print_debug( "%s %s Error in output(): No data found, no queries were completed.", id, ip ) stdnse.print_debug( "%s %s Error in output(): No data found, no queries were completed.", filename, ip )
return nil return nil
elseif #services_queried > 0 then elseif #services_queried > 0 then
stdnse.print_debug( "%s %s Error in output(): No data found - could not understand query responses.", id, ip ) stdnse.print_debug( "%s %s Error in output(): No data found - could not understand query responses.", filename, ip )
return nil return nil
end end
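Review bot: the three print_debug calls in this hunk pass the format string as the first argument, while every other call in the file leads with a numeric debug level; unless stdnse.print_debug defaults the level when it is omitted, `filename` and `ip` will be shifted into the wrong positions, so suggest adding `1` as the first argument for consistency with the rest of the file. Separately, the final `elseif #services_queried > 0 then` is always true once the `== 0` branch has not been taken, so a plain `else` would state the intent more clearly.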
@@ -1222,7 +1221,7 @@ function get_output_from_cache( ip )
local ip_key = get_cache_key( ip ) local ip_key = get_cache_key( ip )
if not ip_key then if not ip_key then
stdnse.print_debug( 1, "%s %s Error in get_output_from_cache().", id, ip ) stdnse.print_debug( 1, "%s %s Error in get_output_from_cache().", filename, ip )
return nil return nil
end end
@@ -1669,7 +1668,7 @@ function get_args()
nmap.registry.whois.using_cache = false nmap.registry.whois.using_cache = false
elseif ( db == "nofile" ) then elseif ( db == "nofile" ) then
nmap.registry.whois.using_local_assignments_file = false nmap.registry.whois.using_local_assignments_file = false
stdnse.print_debug( 2, "%s: Not using local assignments data.", id ) stdnse.print_debug( 2, "%s: Not using local assignments data.", filename )
end end
elseif not ( string.match( table.concat( t, " " ), db ) ) then elseif not ( string.match( table.concat( t, " " ), db ) ) then
-- we have a unique valid whois db -- we have a unique valid whois db
@@ -1680,18 +1679,18 @@ function get_args()
if ( #t > 0 ) and nmap.registry.whois.using_local_assignments_file then if ( #t > 0 ) and nmap.registry.whois.using_local_assignments_file then
-- "nofile" was not explicitly supplied, but it is implied by supplying custom whoisdb_default_order -- "nofile" was not explicitly supplied, but it is implied by supplying custom whoisdb_default_order
nmap.registry.whois.using_local_assignments_file = false nmap.registry.whois.using_local_assignments_file = false
stdnse.print_debug(3, "%s: Not using local assignments data because custom whoisdb_default_order was supplied.", id) stdnse.print_debug(3, "%s: Not using local assignments data because custom whoisdb_default_order was supplied.", filename)
end end
if ( #t > 1 ) and nmap.registry.whois.nofollow then if ( #t > 1 ) and nmap.registry.whois.nofollow then
-- using nofollow, we do not follow redirects and can only accept what we find as a record therefore we only accept the first db supplied -- using nofollow, we do not follow redirects and can only accept what we find as a record therefore we only accept the first db supplied
t = {t[1]} t = {t[1]}
stdnse.print_debug( 1, "%s: Too many args supplied with 'nofollow', only using %s.", id, t[1] ) stdnse.print_debug( 1, "%s: Too many args supplied with 'nofollow', only using %s.", filename, t[1] )
end end
if ( #t > 0 ) then if ( #t > 0 ) then
nmap.registry.whois.whoisdb_default_order = t nmap.registry.whois.whoisdb_default_order = t
stdnse.print_debug( 2, "%s: whoisdb_default_order: %s.", id, table.concat( t, " " ) ) stdnse.print_debug( 2, "%s: whoisdb_default_order: %s.", filename, table.concat( t, " " ) )
end end
end end
@@ -1720,7 +1719,7 @@ function get_local_assignments_data()
local fetchfile = "nmap-services" local fetchfile = "nmap-services"
local directory_path, err = get_parentpath( fetchfile ) local directory_path, err = get_parentpath( fetchfile )
if err then if err then
stdnse.print_debug( 1, "%s: Nmap.fetchfile() failed to get a path to %s: %s.", id, fetchfile, err ) stdnse.print_debug( 1, "%s: Nmap.fetchfile() failed to get a path to %s: %s.", filename, fetchfile, err )
return nil, err return nil, err
end end
@@ -1736,10 +1735,10 @@ function get_local_assignments_data()
local file, exists = directory_path .. assignment_data_spec.local_resource local file, exists = directory_path .. assignment_data_spec.local_resource
exists, err = file_exists( file ) exists, err = file_exists( file )
if not exists and err then if not exists and err then
stdnse.print_debug( 1, "%s: Error accessing %s: %s.", id, file, err ) stdnse.print_debug( 1, "%s: Error accessing %s: %s.", filename, file, err )
elseif not exists then elseif not exists then
update_required = true update_required = true
stdnse.print_debug( 2, "%s: %s does not exist or is empty. Fetching it now...", id, file ) stdnse.print_debug( 2, "%s: %s does not exist or is empty. Fetching it now...", filename, file )
elseif exists then elseif exists then
update_required, modified_date, entity_tag = requires_updating( file ) update_required, modified_date, entity_tag = requires_updating( file )
end end
@@ -1748,7 +1747,7 @@ function get_local_assignments_data()
-- read an existing and up-to-date file into file_content. -- read an existing and up-to-date file into file_content.
if exists and not update_required then if exists and not update_required then
stdnse.print_debug( 2, "%s: %s was cached less than %s ago. Reading...", id, file, nmap.registry.whois.local_assignments_file_expiry ) stdnse.print_debug( 2, "%s: %s was cached less than %s ago. Reading...", filename, file, nmap.registry.whois.local_assignments_file_expiry )
file_content = read_from_file( file ) file_content = read_from_file( file )
end end
@@ -1757,10 +1756,10 @@ function get_local_assignments_data()
if update_required then if update_required then
http_response = ( conditional_download( assignment_data_spec.remote_resource, modified_date, entity_tag ) ) http_response = ( conditional_download( assignment_data_spec.remote_resource, modified_date, entity_tag ) )
if not http_response or type( http_response.status ) ~= "number" then if not http_response or type( http_response.status ) ~= "number" then
stdnse.print_debug( 1, "%s: Failed whilst requesting %s.", id, assignment_data_spec.remote_resource ) stdnse.print_debug( 1, "%s: Failed whilst requesting %s.", filename, assignment_data_spec.remote_resource )
elseif http_response.status == 200 then elseif http_response.status == 200 then
-- prepend our file header -- prepend our file header
stdnse.print_debug( 2, "%s: Retrieved %s.", id, assignment_data_spec.remote_resource ) stdnse.print_debug( 2, "%s: Retrieved %s.", filename, assignment_data_spec.remote_resource )
file_content = stdnse.strsplit( "\r?\n", http_response.body ) file_content = stdnse.strsplit( "\r?\n", http_response.body )
table.insert( file_content, 1, "** Do Not Alter This Line or The Following Line **" ) table.insert( file_content, 1, "** Do Not Alter This Line or The Following Line **" )
local hline = {} local hline = {}
@@ -1770,19 +1769,19 @@ function get_local_assignments_data()
table.insert( file_content, 2, table.concat( hline ) ) table.insert( file_content, 2, table.concat( hline ) )
write_success, err = write_to_file( file, file_content ) write_success, err = write_to_file( file, file_content )
if err then if err then
stdnse.print_debug( 1, "%s: Error writing %s to %s: %s.", id, assignment_data_spec.remote_resource, file, err ) stdnse.print_debug( 1, "%s: Error writing %s to %s: %s.", filename, assignment_data_spec.remote_resource, file, err )
end end
elseif http_response.status == 304 then elseif http_response.status == 304 then
-- update our file header with a new timestamp -- update our file header with a new timestamp
stdnse.print_debug( 1, "%s: %s is up-to-date.", id, file ) stdnse.print_debug( 1, "%s: %s is up-to-date.", filename, file )
file_content = read_from_file( file ) file_content = read_from_file( file )
file_content[2] = file_content[2]:gsub("^<[\-\+]?%d+>(.*)$", "<" .. os.time() .. ">%1") file_content[2] = file_content[2]:gsub("^<[\-\+]?%d+>(.*)$", "<" .. os.time() .. ">%1")
write_success, err = write_to_file( file, file_content ) write_success, err = write_to_file( file, file_content )
if err then if err then
stdnse.print_debug( 1, "%s: Error writing to %s: %s.", id, file, err ) stdnse.print_debug( 1, "%s: Error writing to %s: %s.", filename, file, err )
end end
else else
stdnse.print_debug( 1, "%s: HTTP %s whilst requesting %s.", id, http_response.status, assignment_data_spec.remote_resource ) stdnse.print_debug( 1, "%s: HTTP %s whilst requesting %s.", filename, http_response.status, assignment_data_spec.remote_resource )
end end
end end
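Review bot: on the unchanged line `file_content[2]:gsub("^<[\-\+]?%d+>(.*)$", ...)` the pattern relies on the string escapes `\-` and `\+`; Lua 5.1 passes unknown escapes through unchanged, so this works today, but later Lua versions reject them as invalid escape sequences, and inside a character class neither character needs escaping. Suggest `"^<[-+]?%d+>(.*)$"` so the header timestamp rewrite stays portable.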
@@ -1796,7 +1795,7 @@ function get_local_assignments_data()
if #t == 0 or err then if #t == 0 or err then
-- good header, but bad file? Kill the file! -- good header, but bad file? Kill the file!
write_to_file( file, "" ) write_to_file( file, "" )
stdnse.print_debug( 1, "%s: Problem with the data in %s.", id, file ) stdnse.print_debug( 1, "%s: Problem with the data in %s.", filename, file )
else else
for i, v in pairs( t ) do for i, v in pairs( t ) do
ret[address_family][#ret[address_family]+1] = v ret[address_family][#ret[address_family]+1] = v
@@ -1815,7 +1814,7 @@ function get_local_assignments_data()
for af, t in pairs( ret ) do for af, t in pairs( ret ) do
if #t == 0 then if #t == 0 then
ret[af] = nil ret[af] = nil
stdnse.print_debug( 1, "%s: Cannot use local assignments file for address family %s.", id, af ) stdnse.print_debug( 1, "%s: Cannot use local assignments file for address family %s.", filename, af )
end end
end end
@@ -1937,7 +1936,7 @@ function read_from_file( file )
local f, err, _ = io.open( file, "r" ) local f, err, _ = io.open( file, "r" )
if not f then if not f then
stdnse.print_debug( 1, "%s: Error opening %s for reading: %s", id, file, err ) stdnse.print_debug( 1, "%s: Error opening %s for reading: %s", filename, file, err )
return nil, err return nil, err
end end
@@ -1995,7 +1994,7 @@ function conditional_download( url, mod_date, e_tag )
-- follow one redirection -- follow one redirection
if request_response.status ~= 304 and ( tostring( request_response.status ):match( "30%d" ) and if request_response.status ~= 304 and ( tostring( request_response.status ):match( "30%d" ) and
type( request_response.header.location ) == "string" and request_response.header.location ~= "" ) then type( request_response.header.location ) == "string" and request_response.header.location ~= "" ) then
stdnse.print_debug( 2, "%s: HTTP Status:%d New Location: %s.", id, request_response.status, request_response.header.location ) stdnse.print_debug( 2, "%s: HTTP Status:%d New Location: %s.", filename, request_response.status, request_response.header.location )
request_response = http.get_url( request_response.header.location, request_options ) request_response = http.get_url( request_response.header.location, request_options )
end end
@@ -2024,7 +2023,7 @@ function write_to_file( file, content )
local f, err, _ = io.open( file, "w" ) local f, err, _ = io.open( file, "w" )
if not f then if not f then
stdnse.print_debug( 1, "%s: Error opening %s for writing: %s.", id, file, err ) stdnse.print_debug( 1, "%s: Error opening %s for writing: %s.", filename, file, err )
return nil, err return nil, err
end end

View File

@@ -1,4 +1,3 @@
id = "XAMPP default pwd"
description = [[ description = [[
Check if an XAMP or XAMPP FTP server uses a default username and password. Check if an XAMP or XAMPP FTP server uses a default username and password.
@@ -9,7 +8,7 @@ administration.
--- ---
-- @output -- @output
-- 21/tcp open ftp -- 21/tcp open ftp
-- |_ XAMPP default pwd: Login success with u/p: nobody/xampp -- |_ xamppDefaultPass: Login success with u/p: nobody/xampp
author = "Diman Todorov <diman.todorov@gmail.com>" author = "Diman Todorov <diman.todorov@gmail.com>"

View File

@@ -1,4 +1,3 @@
id = "zone-transfer"
description = [[ description = [[
Requests a zone transfer (AXFR) from a DNS server. Requests a zone transfer (AXFR) from a DNS server.
@@ -21,7 +20,7 @@ Useful resources
-- @args zoneTrans.domain Domain to transfer. -- @args zoneTrans.domain Domain to transfer.
-- @output -- @output
-- 53/tcp open domain -- 53/tcp open domain
-- | zone-transfer: -- | zoneTrans:
-- | foo.com. SOA ns2.foo.com. piou.foo.com. -- | foo.com. SOA ns2.foo.com. piou.foo.com.
-- | foo.com. TXT -- | foo.com. TXT
-- | foo.com. NS ns1.foo.com. -- | foo.com. NS ns1.foo.com.