stdnse.print_debug -> stdnse.debug
$ sed -i 's/stdnse.print_debug("[-a-z0-9]*:\s*\([^"]*\)"/stdnse.debug1("\1"/' *.nse
$ sed -i 's/stdnse.print_debug(\([0-9]*\),\s*"[-a-z0-9]*:\s*\([^"]*\)"/stdnse.debug\1("\2"/' *.nse
Except:
o eap-info.nse
o oracle-brute.nse
Modified:
o couchdb-databases.nse
o couchdb-stats.nse
o http-open-redirect.nse
@@ -110,8 +110,8 @@ action = function(host, port)
|
||||
end
|
||||
|
||||
if ( not status ) then
|
||||
stdnse.print_debug("afp-showmount: Login failed", response)
|
||||
stdnse.print_debug(3, "afp-showmount: Login error: %s", response)
|
||||
stdnse.debug1("Login failed", response)
|
||||
stdnse.debug3("Login error: %s", response)
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
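Review bot: `stdnse.debug1("Login failed", response)` passes `response` to a format string with no conversion specifier, so the error text is dropped at debug level 1 and only shows up through the separate level-3 line. Either drop the argument or fold it in, e.g. `stdnse.debug1("Login failed: %s", response)`, which would make the `debug3` line unnecessary. The same pair appears in the two following AFP hunks (`@@ -176,8` and `@@ -73,8`). The enclosing `action` function starts and ends outside the hunk.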
@@ -176,8 +176,8 @@ Directory traversal vulnerability in AFP Server in Apple Mac OS X before
|
||||
status, response = afp_helper:Login(nil, nil)
|
||||
end
|
||||
if ( not(status) ) then
|
||||
stdnse.print_debug("afp-path-vuln: Login failed", response)
|
||||
stdnse.print_debug(3, "afp-path-vuln: Login error: %s", response)
|
||||
stdnse.debug1("Login failed", response)
|
||||
stdnse.debug3("Login error: %s", response)
|
||||
return
|
||||
end
|
||||
|
||||
@@ -188,7 +188,7 @@ Directory traversal vulnerability in AFP Server in Apple Mac OS X before
|
||||
local status, response = afp_helper:Dir( share .. "/../", { max_depth = 2 } )
|
||||
|
||||
if ( not(status) ) then
|
||||
stdnse.print_debug(3, "afp-path-vuln: %s", response)
|
||||
stdnse.debug3("%s", response)
|
||||
else
|
||||
if ( isVulnerable( response ) ) then
|
||||
vulnerable = true
|
||||
|
||||
@@ -73,8 +73,8 @@ action = function(host, port)
|
||||
end
|
||||
|
||||
if ( not status ) then
|
||||
stdnse.print_debug("afp-showmount: Login failed", response)
|
||||
stdnse.print_debug(3, "afp-showmount: Login error: %s", response)
|
||||
stdnse.debug1("Login failed", response)
|
||||
stdnse.debug3("Login error: %s", response)
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
@@ -38,9 +38,7 @@ categories = {"discovery", "safe"}
|
||||
|
||||
portrule = shortport.port_or_service({5984})
|
||||
-- Some lazy shortcuts
|
||||
local function dbg(str,...)
|
||||
stdnse.print_debug("couchdb-get-tables:"..str, ...)
|
||||
end
|
||||
local dbg = stdnse.debug1
|
||||
|
||||
local DISCARD = {}
|
||||
--- Removes uninteresting data from the table
|
||||
|
||||
@@ -50,10 +50,7 @@ license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
|
||||
categories = {"discovery", "safe"}
|
||||
portrule = shortport.port_or_service({5984})
|
||||
-- Some lazy shortcuts
|
||||
local function dbg(str,...)
|
||||
stdnse.print_debug("couchdb-stats:"..str, ...)
|
||||
end
|
||||
|
||||
local dbg = stdnse.debug1
|
||||
|
||||
local DISCARD = {stddev=1,min=1,max=1, mean=1}
|
||||
--- Removes uninteresting data from the table
|
||||
|
||||
@@ -140,9 +140,9 @@ function parse_db2_packet(packet)
|
||||
response.info = packet.data:sub(info_offset, info_offset + response.info_length - (info_offset-info_length_offset))
|
||||
|
||||
if(nmap.debugging() > 3) then
|
||||
stdnse.print_debug("db2-das-info: version: %s", response.version)
|
||||
stdnse.print_debug("db2-das-info: info_length: %d", response.info_length)
|
||||
stdnse.print_debug("db2-das-info: response.info:len(): %d", response.info:len())
|
||||
stdnse.debug1("version: %s", response.version)
|
||||
stdnse.debug1("info_length: %d", response.info_length)
|
||||
stdnse.debug1("response.info:len(): %d", response.info:len())
|
||||
end
|
||||
|
||||
return response
|
||||
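Review bot: The three `stdnse.debug1(...)` calls sit inside `if(nmap.debugging() > 3)`, so the level in the call name no longer says when the message prints; the guard decides. `stdnse.debug4("version: %s", response.version)` without the surrounding `if` would express the same threshold in one place, assuming the numbered helpers compare their level against `nmap.debugging()` themselves. The same guard-plus-`debug1` pattern is in the `read_db2_packet` hunk at `@@ -198,20` (`data_len`, `buf_len`, `total_len`, and the two messages in the read loop). If the guard stays, a comment saying it exists to skip evaluating the arguments when debugging is off would explain why the levels disagree.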
@@ -185,7 +185,7 @@ function read_db2_packet(socket)
|
||||
|
||||
if packet.header.raw:sub(1, 10) == string.char(0x00, 0x00, 0x00, 0x00, 0x44, 0x42, 0x32, 0x44, 0x41, 0x53) then
|
||||
|
||||
stdnse.print_debug("db2-das-info: Got DB2DAS packet")
|
||||
stdnse.debug1("Got DB2DAS packet")
|
||||
|
||||
local _, endian = bin.unpack( "A2", packet.header.raw, ENDIANESS_OFFSET )
|
||||
|
||||
@@ -198,20 +198,20 @@ function read_db2_packet(socket)
|
||||
total_len = header_len + packet.header.data_len
|
||||
|
||||
if(nmap.debugging() > 3) then
|
||||
stdnse.print_debug("db2-das-info: data_len: %d", packet.header.data_len)
|
||||
stdnse.print_debug("db2-das-info: buf_len: %d", buf:len())
|
||||
stdnse.print_debug("db2-das-info: total_len: %d", total_len)
|
||||
stdnse.debug1("data_len: %d", packet.header.data_len)
|
||||
stdnse.debug1("buf_len: %d", buf:len())
|
||||
stdnse.debug1("total_len: %d", total_len)
|
||||
end
|
||||
|
||||
-- do we have all data as specified by data_len?
|
||||
while total_len > buf:len() do
|
||||
-- if not read additional bytes
|
||||
if(nmap.debugging() > 3) then
|
||||
stdnse.print_debug("db2-das-info: Reading %d additional bytes", total_len - buf:len())
|
||||
stdnse.debug1("Reading %d additional bytes", total_len - buf:len())
|
||||
end
|
||||
local tmp = try( socket:receive_bytes( total_len - buf:len() ) )
|
||||
if(nmap.debugging() > 3) then
|
||||
stdnse.print_debug("db2-das-info: Read %d bytes", tmp:len())
|
||||
stdnse.debug1("Read %d bytes", tmp:len())
|
||||
end
|
||||
buf = buf .. tmp
|
||||
end
|
||||
@@ -219,7 +219,7 @@ function read_db2_packet(socket)
|
||||
packet.data = buf:sub(header_len + 1)
|
||||
|
||||
else
|
||||
stdnse.print_debug("db2-das-info: Unknown packet, aborting ...")
|
||||
stdnse.debug1("Unknown packet, aborting ...")
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
@@ -95,7 +95,7 @@ local function go(host, port)
|
||||
-- Generate the MAC address, if it's random
|
||||
local mac_addr = host.mac_addr_src
|
||||
if(nmap.registry.args.randomize_mac == 'true' or nmap.registry.args.randomize_mac == '1') then
|
||||
stdnse.print_debug(2, "dhcp-discover: Generating a random MAC address")
|
||||
stdnse.debug2("Generating a random MAC address")
|
||||
mac_addr = ""
|
||||
for j=1, 6, 1 do
|
||||
mac_addr = mac_addr .. string.char(math.random(1, 255))
|
||||
@@ -109,7 +109,7 @@ local function go(host, port)
|
||||
|
||||
local status, result = dhcp.make_request(host.ip, request_type, iface.address, mac_addr)
|
||||
if( not(status) ) then
|
||||
stdnse.print_debug(1, "dhcp-discover: Couldn't send DHCP request: %s", result)
|
||||
stdnse.debug1("Couldn't send DHCP request: %s", result)
|
||||
return false, result
|
||||
end
|
||||
|
||||
|
||||
@@ -204,17 +204,17 @@ local function timed_mode(host, port, domains)
|
||||
end
|
||||
mean, stddev = mean_stddev(times)
|
||||
cutoff = mean + stddev * TIMED_MULTIPLIER
|
||||
stdnse.print_debug(1, "dns-cache-snoop: reference %s: mean %g stddev %g cutoff %g", TIMED_DUMMY_DOMAIN, mean, stddev, cutoff)
|
||||
stdnse.debug1("reference %s: mean %g stddev %g cutoff %g", TIMED_DUMMY_DOMAIN, mean, stddev, cutoff)
|
||||
|
||||
-- Now try all domains one by one.
|
||||
for _, domain in ipairs(domains) do
|
||||
t = timed_query(host, port, domain)
|
||||
if t then
|
||||
if t < cutoff then
|
||||
stdnse.print_debug(1, "dns-cache-snoop: %s: %g is cached (cutoff %g)", domain, t, cutoff)
|
||||
stdnse.debug1("%s: %g is cached (cutoff %g)", domain, t, cutoff)
|
||||
cached[#cached + 1] = domain
|
||||
else
|
||||
stdnse.print_debug(1, "dns-cache-snoop: %s: %g not cached (cutoff %g)", domain, t, cutoff)
|
||||
stdnse.debug1("%s: %g not cached (cutoff %g)", domain, t, cutoff)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
@@ -152,13 +152,13 @@ action = function(host, port)
|
||||
-- We are primarily looking for 230: User logged in, proceed.
|
||||
else
|
||||
if not code then
|
||||
stdnse.print_debug(1, "ftp-anon: got socket error %q.", message)
|
||||
stdnse.debug1("got socket error %q.", message)
|
||||
elseif code == 421 or code == 530 then
|
||||
-- Don't log known error codes.
|
||||
-- 421: Service not available, closing control connection.
|
||||
-- 530: Not logged in.
|
||||
else
|
||||
stdnse.print_debug(1, "ftp-anon: got code %d %q.", code, message)
|
||||
stdnse.debug1("got code %d %q.", code, message)
|
||||
end
|
||||
return nil
|
||||
end
|
||||
|
||||
@@ -84,14 +84,14 @@ Driver = {
|
||||
while(line)do
|
||||
stdnse.print_debug("Received: %s", line)
|
||||
if(string.match(line, "^230")) then
|
||||
stdnse.print_debug(1, "ftp-brute: Successful login: %s/%s", user, pass)
|
||||
stdnse.debug1("Successful login: %s/%s", user, pass)
|
||||
return true, brute.Account:new( user, pass, creds.State.VALID)
|
||||
elseif(string.match(line, "^530")) then
|
||||
return false, brute.Error:new( "Incorrect password" )
|
||||
elseif(string.match(line, "^220")) then
|
||||
elseif(string.match(line, "^331")) then
|
||||
else
|
||||
stdnse.print_debug(1, "ftp-brute: WARNING: Unhandled response: %s", line)
|
||||
stdnse.debug1("WARNING: Unhandled response: %s", line)
|
||||
local err = brute.Error:new("Unhandled response")
|
||||
err:setRetry(true)
|
||||
return false, err
|
||||
|
||||
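Review bot: `stdnse.print_debug("Received: %s", line)` at the top of the loop is still on the old API; the sed patterns in the commit message only match messages that begin with a `script-name:` prefix, so this line was skipped. `stdnse.debug1("Received: %s", line)` keeps the level the commit assigns to level-less calls and matches the rest of the hunk. The pgsql-brute hunk at `@@ -129,7` has the same leftover (`The host was denied access to db ...`). The `while` loop and the enclosing Driver method extend outside the hunk.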
@@ -171,7 +171,7 @@ local function get_fingerprints(fingerprint_file, category)
|
||||
-- There might be a race condition here, where multiple scripts will read the file and set this variable, but the impact
|
||||
-- of that would be minimal (and definitely isn't security)
|
||||
if(nmap.registry.http_fingerprints ~= nil) then
|
||||
stdnse.print_debug(1, "http-enum: Using cached HTTP fingerprints")
|
||||
stdnse.debug1("Using cached HTTP fingerprints")
|
||||
return nmap.registry.http_fingerprints
|
||||
end
|
||||
|
||||
@@ -181,11 +181,11 @@ local function get_fingerprints(fingerprint_file, category)
|
||||
filename_full = fingerprint_file
|
||||
end
|
||||
|
||||
stdnse.print_debug("http-enum: Loading fingerprint database: %s", filename_full)
|
||||
stdnse.debug1("Loading fingerprint database: %s", filename_full)
|
||||
local env = setmetatable({fingerprints = {}}, {__index = _G})
|
||||
local file = loadfile(filename_full, "t", env)
|
||||
if(not(file)) then
|
||||
stdnse.print_debug("http-enum: Couldn't load configuration file: %s", filename_full)
|
||||
stdnse.debug1("Couldn't load configuration file: %s", filename_full)
|
||||
return false, "Couldn't load fingerprint file: " .. filename_full
|
||||
end
|
||||
|
||||
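Review bot: `local file = loadfile(filename_full, "t", env)` discards loadfile's second return value, so a syntax error in the fingerprint file is reported only as "Couldn't load configuration file" with no reason. Suggest `local file, err = loadfile(filename_full, "t", env)` and `stdnse.debug1("Couldn't load fingerprint file %s: %s", filename_full, err)`, which also aligns the debug wording with the returned message. A short comment above `env` would help as well: the file is executed as Lua text with read access to `_G` through `__index`, so `fingerprint_file` has to point at a trusted file. `get_fingerprints` continues outside the hunk.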
@@ -353,7 +353,7 @@ action = function(host, port)
|
||||
if(not(status)) then
|
||||
return stdnse.format_output(false, fingerprints)
|
||||
end
|
||||
stdnse.print_debug(1, "http-enum: Loaded %d fingerprints", #fingerprints)
|
||||
stdnse.debug1("Loaded %d fingerprints", #fingerprints)
|
||||
|
||||
-- Check what response we get for a 404
|
||||
local result, result_404, known_404 = http.identify_404(host, port)
|
||||
@@ -380,7 +380,7 @@ action = function(host, port)
|
||||
|
||||
local results_nopipeline = {}
|
||||
-- Loop through the fingerprints
|
||||
stdnse.print_debug(1, "http-enum: Searching for entries under path '%s' (change with 'http-enum.basepath' argument)", basepath)
|
||||
stdnse.debug1("Searching for entries under path '%s' (change with 'http-enum.basepath' argument)", basepath)
|
||||
for i = 1, #fingerprints, 1 do
|
||||
-- Add each path. The order very much matters here.
|
||||
for j = 1, #fingerprints[i].probes, 1 do
|
||||
@@ -402,7 +402,7 @@ action = function(host, port)
|
||||
|
||||
-- Check for http.pipeline error
|
||||
if(results == nil) then
|
||||
stdnse.print_debug(1, "http-enum: http.pipeline_go encountered an error")
|
||||
stdnse.debug1("http.pipeline_go encountered an error")
|
||||
return stdnse.format_output(false, "http.pipeline_go encountered an error")
|
||||
end
|
||||
|
||||
|
||||
@@ -186,7 +186,7 @@ function action(host, port)
|
||||
local return_table = {}
|
||||
|
||||
for _,target in ipairs(targets) do
|
||||
stdnse.print_debug(2, "http-form-fuzzer: testing path: "..target["path"])
|
||||
stdnse.debug2("testing path: "..target["path"])
|
||||
local path = target["path"]
|
||||
if path then
|
||||
local response = http.get( host, port, path )
|
||||
|
||||
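Review bot: `stdnse.debug2("testing path: "..target["path"])` concatenates before the `if path then` check two lines below, so a target without a `path` raises on the concatenation instead of being skipped. The path also ends up inside the format string, where a literal `%` in it would be read as a conversion specifier. `stdnse.debug2("testing path: %s", target["path"])` addresses the second point, and moving the call under `if path then` addresses the first. The loop body continues outside the hunk.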
@@ -74,7 +74,7 @@ local function go_single(host, port, folder)
|
||||
local vuln_response
|
||||
local check_folder
|
||||
|
||||
stdnse.print_debug(1, "http-iis-webdav-vuln: Found protected folder (401): %s", folder)
|
||||
stdnse.debug1("Found protected folder (401): %s", folder)
|
||||
|
||||
-- check for IIS 6.0 and 5.1
|
||||
-- doesn't appear to work on 5.0
|
||||
@@ -82,19 +82,19 @@ local function go_single(host, port, folder)
|
||||
check_folder = string.sub(folder, 1, 2) .. "%c0%af" .. string.sub(folder, 3)
|
||||
vuln_response = get_response(host, port, check_folder)
|
||||
if(vuln_response.status == 207) then
|
||||
stdnse.print_debug(1, "http-iis-webdav-vuln: Folder seems vulnerable: %s", folder)
|
||||
stdnse.debug1("Folder seems vulnerable: %s", folder)
|
||||
return enum_results.VULNERABLE
|
||||
else
|
||||
stdnse.print_debug(1, "http-iis-webdav-vuln: Folder does not seem vulnerable: %s", folder)
|
||||
stdnse.debug1("Folder does not seem vulnerable: %s", folder)
|
||||
return enum_results.NOT_VULNERABLE
|
||||
end
|
||||
else
|
||||
if(response['status-line'] ~= nil) then
|
||||
stdnse.print_debug(3, "http-iis-webdav-vuln: Not a protected folder (%s): %s", response['status-line'], folder)
|
||||
stdnse.debug3("Not a protected folder (%s): %s", response['status-line'], folder)
|
||||
elseif(response['status'] ~= nil) then
|
||||
stdnse.print_debug(3, "http-iis-webdav-vuln: Not a protected folder (%s): %s", response['status'], folder)
|
||||
stdnse.debug3("Not a protected folder (%s): %s", response['status'], folder)
|
||||
else
|
||||
stdnse.print_debug(3, "http-iis-webdav-vuln: Not a protected folder: %s",folder)
|
||||
stdnse.debug3("Not a protected folder: %s",folder)
|
||||
end
|
||||
return enum_results.UNKNOWN
|
||||
end
|
||||
@@ -150,29 +150,29 @@ action = function(host, port)
|
||||
-- Start by checking if '/' is protected -- if it is, we can't do the tests
|
||||
local result = go_single(host, port, "/")
|
||||
if(result == enum_results.NOT_VULNERABLE) then
|
||||
stdnse.print_debug(1, "http-iis-webdav-vuln: Root folder is password protected, aborting.")
|
||||
stdnse.debug1("Root folder is password protected, aborting.")
|
||||
return nmap.verbosity() > 0 and "Could not determine vulnerability, since root folder is password protected" or nil
|
||||
end
|
||||
|
||||
stdnse.print_debug(1, "http-iis-webdav-vuln: Root folder is not password protected, continuing...")
|
||||
stdnse.debug1("Root folder is not password protected, continuing...")
|
||||
|
||||
local response = get_response(host, port, "/")
|
||||
if(response.status == 501) then
|
||||
-- WebDAV is disabled
|
||||
stdnse.print_debug(1, "http-iis-webdav-vuln: WebDAV is DISABLED (PROPFIND failed).")
|
||||
stdnse.debug1("WebDAV is DISABLED (PROPFIND failed).")
|
||||
return nmap.verbosity() > 0 and "WebDAV is DISABLED. Server is not currently vulnerable." or nil
|
||||
else
|
||||
if(response.status == 207) then
|
||||
-- PROPFIND works, WebDAV is enabled
|
||||
stdnse.print_debug(1, "http-iis-webdav-vuln: WebDAV is ENABLED (PROPFIND was successful).")
|
||||
stdnse.debug1("WebDAV is ENABLED (PROPFIND was successful).")
|
||||
else
|
||||
-- probably not running IIS 5.0/5.1/6.0
|
||||
if(response['status-line'] ~= nil) then
|
||||
stdnse.print_debug(1, "http-iis-webdav-vuln: PROPFIND request failed with \"%s\".", response['status-line'])
|
||||
stdnse.debug1("PROPFIND request failed with \"%s\".", response['status-line'])
|
||||
elseif(response['status'] ~= nil) then
|
||||
stdnse.print_debug(1, "http-iis-webdav-vuln: PROPFIND request failed with \"%s\".", response['status'])
|
||||
stdnse.debug1("PROPFIND request failed with \"%s\".", response['status'])
|
||||
else
|
||||
stdnse.print_debug(1, "http-iis-webdav-vuln: PROPFIND request failed.")
|
||||
stdnse.debug1("PROPFIND request failed.")
|
||||
end
|
||||
return nmap.verbosity() > 0 and "ERROR: This web server is not supported." or nil
|
||||
end
|
||||
|
||||
@@ -72,7 +72,7 @@ action = function(host, port)
|
||||
|
||||
response = http.generic_request(host, port, "OPTIONS", url_path)
|
||||
if not response.status then
|
||||
stdnse.print_debug("http-methods: OPTIONS %s failed.", url_path)
|
||||
stdnse.debug1("OPTIONS %s failed.", url_path)
|
||||
return
|
||||
end
|
||||
-- Cache in case retest is requested.
|
||||
|
||||
@@ -44,7 +44,7 @@ categories = {"discovery", "intrusive"}
|
||||
portrule = shortport.http
|
||||
|
||||
local function dbg(str,...)
|
||||
stdnse.print_debug(2,"http-open-redirect:"..str, ...)
|
||||
stdnse.debug2(str, ...)
|
||||
end
|
||||
local function dbgt(tbl)
|
||||
for k,v in pairs(tbl) do
|
||||
|
||||
@@ -101,7 +101,7 @@ local function check_form(form, host, port, path)
|
||||
|
||||
for _,field in ipairs(form["fields"]) do
|
||||
if rfi_field(field["type"]) then
|
||||
stdnse.print_debug(2, "http-rfi-spider: checking field %s", field["name"])
|
||||
stdnse.debug2("checking field %s", field["name"])
|
||||
postdata[field["name"]] = inclusion_url
|
||||
response = sending_function(postdata)
|
||||
if response and response.body and response.status==200 then
|
||||
|
||||
@@ -115,17 +115,17 @@ action = function(host, port)
|
||||
-- wait time: get rid of fast reconnecting annoyance
|
||||
if(stdnse.get_script_args('irc-unrealircd-backdoor.wait')) then
|
||||
local waittime = stdnse.get_script_args('irc-unrealircd-backdoor.wait')
|
||||
stdnse.print_debug(1, "irc-unrealircd-backdoor: waiting for %i seconds", waittime)
|
||||
stdnse.debug1("waiting for %i seconds", waittime)
|
||||
stdnse.sleep(waittime)
|
||||
end
|
||||
|
||||
-- Send an innocuous command as fodder for tryssl.
|
||||
stdnse.print_debug(1, "irc-unrealircd-backdoor: Sending command: %s", noop_command);
|
||||
stdnse.debug1("Sending command: %s", noop_command);
|
||||
local socket, response = comm.tryssl(host, port, noop_command .. "\n", {recv_before=false})
|
||||
|
||||
-- Make sure the socket worked
|
||||
if(not(socket) or not(response)) then
|
||||
stdnse.print_debug(1, "irc-unrealircd-backdoor: Couldn't connect to remote host")
|
||||
stdnse.debug1("Couldn't connect to remote host")
|
||||
return nil
|
||||
end
|
||||
|
||||
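Review bot: `waittime` comes straight from `stdnse.get_script_args('irc-unrealircd-backdoor.wait')` and is handed to `%i` and to `stdnse.sleep` without conversion; script arguments normally arrive as strings, so a non-numeric value would presumably raise inside the format call rather than produce a usable error. Suggest reading it once and validating, `local waittime = tonumber(stdnse.get_script_args('irc-unrealircd-backdoor.wait'))` followed by `if waittime then`. That also removes the duplicate lookup in the `if` condition. `action` starts and ends outside the hunk.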
@@ -144,15 +144,15 @@ action = function(host, port)
|
||||
end
|
||||
|
||||
if not status then
|
||||
stdnse.print_debug(1, "irc-unrealircd-backdoor: Receive failed after %s: %s", noop_command, response)
|
||||
stdnse.debug1("Receive failed after %s: %s", noop_command, response)
|
||||
return nil
|
||||
end
|
||||
|
||||
-- Send the backdoor command.
|
||||
stdnse.print_debug(1, "irc-unrealircd-backdoor: Sending command: %s", full_command);
|
||||
stdnse.debug1("Sending command: %s", full_command);
|
||||
status, err = socket:send(full_command .. "\n")
|
||||
if not status then
|
||||
stdnse.print_debug(1, "irc-unrealircd-backdoor: Send failed: %s", err)
|
||||
stdnse.debug1("Send failed: %s", err)
|
||||
return nil
|
||||
end
|
||||
|
||||
@@ -171,7 +171,7 @@ action = function(host, port)
|
||||
-- If the server unexpectedly closes the connection, it
|
||||
-- is usually related to throttling. Therefore, we
|
||||
-- print a throttling warning.
|
||||
stdnse.print_debug(1, "irc-unrealircd-backdoor: Receive failed: %s", response)
|
||||
stdnse.debug1("Receive failed: %s", response)
|
||||
socket:close()
|
||||
return "Server closed connection, possibly due to too many reconnects. Try again with argument irc-unrealircd-backdoor.wait set to 100 (or higher if you get this message again)."
|
||||
end
|
||||
@@ -181,13 +181,13 @@ action = function(host, port)
|
||||
local elapsed = os.time(os.date('*t')) - time
|
||||
|
||||
-- Let the user know that everything's working
|
||||
stdnse.print_debug(1, "irc-unrealircd-backdoor: Received a response to our command in " .. elapsed .. " seconds")
|
||||
stdnse.debug1("Received a response to our command in " .. elapsed .. " seconds")
|
||||
|
||||
-- Determine whether or not the vulnerability is present
|
||||
if(elapsed > (delay - delay_fudge)) then
|
||||
-- Check if the user wants to kill the server.
|
||||
if(stdnse.get_script_args('irc-unrealircd-backdoor.kill')) then
|
||||
stdnse.print_debug(1, "irc-unrealircd-backdoor: Attempting to kill the Trojanned UnrealIRCd server...")
|
||||
stdnse.debug1("Attempting to kill the Trojanned UnrealIRCd server...")
|
||||
|
||||
local linux_kill = "kill `ps -e | grep ircd | awk '{ print $1 }'`"
|
||||
local windows_kill = 'wmic process where "name like \'%ircd%\'" delete'
|
||||
@@ -198,7 +198,7 @@ action = function(host, port)
|
||||
socket:send(kill_command .. "\n")
|
||||
end
|
||||
|
||||
stdnse.print_debug(1, "irc-unrealircd-backdoor: Looks like the Trojanned unrealircd is running!")
|
||||
stdnse.debug1("Looks like the Trojanned unrealircd is running!")
|
||||
|
||||
-- Close the socket
|
||||
socket:close()
|
||||
@@ -209,7 +209,7 @@ action = function(host, port)
|
||||
-- Close the socket
|
||||
socket:close()
|
||||
|
||||
stdnse.print_debug(1, "irc-unrealircd-backdoor: The Trojanned version of unrealircd probably isn't running.")
|
||||
stdnse.debug1("The Trojanned version of unrealircd probably isn't running.")
|
||||
|
||||
return nil
|
||||
end
|
||||
|
||||
@@ -57,7 +57,7 @@ action = function(host, port)
|
||||
data = http.get(host, port, '/', options)
|
||||
|
||||
if data.body then
|
||||
stdnse.print_debug(2, "mcafee-epo-agent: data.body:sub = %s", data.body:sub(1, 80))
|
||||
stdnse.debug2("data.body:sub = %s", data.body:sub(1, 80))
|
||||
|
||||
if data.body:StartsWith('<?xml version="1.0" encoding="UTF-8"?><?xml-stylesheet type="text/xsl" href="FrameworkLog.xsl"?><naLog>') then
|
||||
port.version.hostname = ExtractXMLElement(data.body, "ComputerName")
|
||||
|
||||
@@ -65,14 +65,14 @@ Driver =
|
||||
status, response = self.socket:receive_buf("\r?\n", false)
|
||||
|
||||
if (response == nil or string.match(response,"<name>faultString</name><value><string>authentication error</string>")) then
|
||||
stdnse.print_debug(2, "metasploit-xmlrpc-brute: Bad login: %s/%s", username, password)
|
||||
stdnse.debug2("Bad login: %s/%s", username, password)
|
||||
return false, brute.Error:new( "Bad login" )
|
||||
elseif (string.match(response,"<name>result</name><value><string>success</string></value>")) then
|
||||
|
||||
stdnse.print_debug(1, "metasploit-xmlrpc-brute: Good login: %s/%s", username, password)
|
||||
stdnse.debug1("Good login: %s/%s", username, password)
|
||||
return true, brute.Account:new(username, password, creds.State.VALID)
|
||||
end
|
||||
stdnse.print_debug(1, "metasploit-xmlrpc-brute: WARNING: Unhandled response: %s", response)
|
||||
stdnse.debug1("WARNING: Unhandled response: %s", response)
|
||||
return false, brute.Error:new( "unhandled response" )
|
||||
end,
|
||||
|
||||
|
||||
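Review bot: `status` returned by `self.socket:receive_buf("\r?\n", false)` is never checked; only `response == nil` is tested, and that case is reported as "Bad login". If a failed receive leaves an error message in `response` (the usual NSE socket convention, to be confirmed), it falls through to "Unhandled response" with no retry, so a network error reads like a protocol anomaly and the guess is lost. A `not status` branch that returns a `brute.Error` with `setRetry(true)`, as the ftp-brute hunk does for unhandled responses, would keep connection failures apart from rejected credentials. The openvas-otp-brute hunk at `@@ -85,15` has the same shape. The method starts outside the hunk.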
@@ -59,13 +59,13 @@ Driver =
|
||||
end
|
||||
|
||||
if (response.body == nil or response.body:match('<LoginResponse.*success="0"')) then
|
||||
stdnse.print_debug(2, "nexpose-brute: Bad login: %s/%s", username, password)
|
||||
stdnse.debug2("Bad login: %s/%s", username, password)
|
||||
return false, brute.Error:new( "Bad login" )
|
||||
elseif (response.body:match('<LoginResponse.*success="1"')) then
|
||||
stdnse.print_debug(1, "nexpose-brute: Good login: %s/%s", username, password)
|
||||
stdnse.debug1("Good login: %s/%s", username, password)
|
||||
return true, brute.Account:new(username, password, creds.State.VALID)
|
||||
end
|
||||
stdnse.print_debug(1, "nexpose-brute: WARNING: Unhandled response: %s", response.body)
|
||||
stdnse.debug1("WARNING: Unhandled response: %s", response.body)
|
||||
return false, brute.Error:new( "incorrect response from server" )
|
||||
end,
|
||||
|
||||
|
||||
@@ -85,15 +85,15 @@ Driver =
|
||||
status, line = self.socket:receive_buf("\r?\n", false)
|
||||
|
||||
if (line == nil or string.match(line,"Bad login")) then
|
||||
stdnse.print_debug(2, "openvas-otp-brute: Bad login: %s/%s", username, password)
|
||||
stdnse.debug2("Bad login: %s/%s", username, password)
|
||||
return false, brute.Error:new( "Bad login" )
|
||||
elseif (string.match(line,"SERVER <|>")) then
|
||||
|
||||
stdnse.print_debug(1, "openvas-otp-brute: Good login: %s/%s", username, password)
|
||||
stdnse.debug1("Good login: %s/%s", username, password)
|
||||
return true, brute.Account:new(username, password, creds.State.VALID)
|
||||
end
|
||||
|
||||
stdnse.print_debug(1, "openvas-otp-brute: WARNING: Unhandled response: %s", line)
|
||||
stdnse.debug1("WARNING: Unhandled response: %s", line)
|
||||
return false, brute.Error:new( "unhandled response" )
|
||||
end,
|
||||
|
||||
|
||||
@@ -82,7 +82,7 @@ action = function( host, port )
|
||||
elseif ( tonumber(nmap.registry.args['pgsql.version']) == 3 ) then
|
||||
pg = pgsql.v3
|
||||
else
|
||||
stdnse.print_debug("pgsql-brute: Unsupported version %s", nmap.registry.args['pgsql.version'])
|
||||
stdnse.debug1("Unsupported version %s", nmap.registry.args['pgsql.version'])
|
||||
return
|
||||
end
|
||||
else
|
||||
@@ -129,7 +129,7 @@ action = function( host, port )
|
||||
stdnse.print_debug("The host was denied access to db \"%s\" as user \"%s\", aborting ...", username, username )
|
||||
break
|
||||
else
|
||||
stdnse.print_debug("pgsql-brute: sendStartup returned: %s", response )
|
||||
stdnse.debug1("sendStartup returned: %s", response )
|
||||
break
|
||||
end
|
||||
end
|
||||
|
||||
@@ -267,7 +267,7 @@ local function stop_session(hostinfo)
|
||||
local status, err
|
||||
|
||||
if(hostinfo['smbstate'] ~= nil) then
|
||||
stdnse.print_debug(2, "smb-brute: Stopping the SMB session")
|
||||
stdnse.debug2("Stopping the SMB session")
|
||||
status, err = smb.stop(hostinfo['smbstate'])
|
||||
if(status == false) then
|
||||
return false, err
|
||||
@@ -290,7 +290,7 @@ local function restart_session(hostinfo)
|
||||
-- Stop the old session, if it exists
|
||||
stop_session(hostinfo)
|
||||
|
||||
stdnse.print_debug(2, "smb-brute: Starting the SMB session")
|
||||
stdnse.debug2("Starting the SMB session")
|
||||
status, smbstate = smb.start_ex(hostinfo['host'], true, nil, nil, nil, true)
|
||||
if(status == false) then
|
||||
return false, smbstate
|
||||
@@ -524,24 +524,24 @@ end
|
||||
local function bad_lockout_policy(host)
|
||||
-- If the user is ok with locking out accounts, just return
|
||||
if(stdnse.get_script_args( "smblockout" )) then
|
||||
stdnse.print_debug(1, "smb-brute: Not checking server's lockout policy")
|
||||
stdnse.debug1("Not checking server's lockout policy")
|
||||
return true, false
|
||||
end
|
||||
|
||||
local status, result = msrpc.get_domains(host)
|
||||
if(not(status)) then
|
||||
stdnse.print_debug(1, "smb-brute: Couldn't detect lockout policy: %s", result)
|
||||
stdnse.debug1("Couldn't detect lockout policy: %s", result)
|
||||
return false, "Couldn't retrieve lockout policy: " .. result
|
||||
end
|
||||
|
||||
for domain, data in pairs(result) do
|
||||
if(data and data.lockout_threshold) then
|
||||
stdnse.print_debug(1, "smb-brute: Server's lockout policy: lock out after %d attempts", data.lockout_threshold)
|
||||
stdnse.debug1("Server's lockout policy: lock out after %d attempts", data.lockout_threshold)
|
||||
return true, true
|
||||
end
|
||||
end
|
||||
|
||||
stdnse.print_debug(1, "smb-brute: Server has no lockout policy")
|
||||
stdnse.debug1("Server has no lockout policy")
|
||||
return true, false
|
||||
end
|
||||
|
||||
@@ -567,12 +567,12 @@ local function initialize(host)
|
||||
else
|
||||
hostinfo['os'] = os['os']
|
||||
end
|
||||
stdnse.print_debug(1, "smb-brute: Remote operating system: %s", hostinfo['os'])
|
||||
stdnse.debug1("Remote operating system: %s", hostinfo['os'])
|
||||
|
||||
-- Check lockout policy
|
||||
status, bad_lockout_policy_result = bad_lockout_policy(host)
|
||||
if(not(status)) then
|
||||
stdnse.print_debug(1, "smb-brute: WARNING: couldn't determine lockout policy: %s", bad_lockout_policy_result)
|
||||
stdnse.debug1("WARNING: couldn't determine lockout policy: %s", bad_lockout_policy_result)
|
||||
else
|
||||
if(bad_lockout_policy_result) then
|
||||
return false, "Account lockouts are enabled on the host. To continue (and risk lockouts), add --script-args=smblockout=1 -- for more information, run smb-enum-domains."
|
||||
@@ -580,7 +580,7 @@ local function initialize(host)
|
||||
end
|
||||
|
||||
-- Attempt to enumerate users
|
||||
stdnse.print_debug(1, "smb-brute: Trying to get user list from server")
|
||||
stdnse.debug1("Trying to get user list from server")
|
||||
local _
|
||||
hostinfo['have_user_list'], _, hostinfo['user_list'] = msrpc.get_user_list(host)
|
||||
hostinfo['user_list_index'] = 1
|
||||
@@ -590,7 +590,7 @@ local function initialize(host)
|
||||
|
||||
-- If the enumeration failed, try using the built-in list
|
||||
if(not(hostinfo['have_user_list'])) then
|
||||
stdnse.print_debug(1, "smb-brute: Couldn't enumerate users (normal for Windows XP and higher), using unpwdb initially")
|
||||
stdnse.debug1("Couldn't enumerate users (normal for Windows XP and higher), using unpwdb initially")
|
||||
status, hostinfo['user_list_default'] = unpwdb.usernames()
|
||||
if(status == false) then
|
||||
return false, "Couldn't open username file"
|
||||
@@ -598,14 +598,14 @@ local function initialize(host)
|
||||
end
|
||||
|
||||
-- Open the password file
|
||||
stdnse.print_debug(1, "smb-brute: Opening password list")
|
||||
stdnse.debug1("Opening password list")
|
||||
status, hostinfo['password_list'] = unpwdb.passwords()
|
||||
if(status == false) then
|
||||
return false, "Couldn't open password file"
|
||||
end
|
||||
|
||||
-- Start the SMB session
|
||||
stdnse.print_debug(1, "smb-brute: Starting the initial SMB session")
|
||||
stdnse.debug1("Starting the initial SMB session")
|
||||
local err
|
||||
status, err = restart_session(hostinfo)
|
||||
if(status == false) then
|
||||
@@ -619,8 +619,8 @@ local function initialize(host)
|
||||
hostinfo['invalid_username'] = check_login(hostinfo, get_random_string(8), get_random_string(8), "ntlm")
|
||||
hostinfo['invalid_password'] = check_login(hostinfo, "Administrator", get_random_string(8), "ntlm")
|
||||
|
||||
stdnse.print_debug(1, "smb-brute: Server's response to invalid usernames: %s", result_short_strings[hostinfo['invalid_username']])
|
||||
stdnse.print_debug(1, "smb-brute: Server's response to invalid passwords: %s", result_short_strings[hostinfo['invalid_password']])
|
||||
stdnse.debug1("Server's response to invalid usernames: %s", result_short_strings[hostinfo['invalid_username']])
|
||||
stdnse.debug1("Server's response to invalid passwords: %s", result_short_strings[hostinfo['invalid_password']])
|
||||
|
||||
-- If either of these comes back as success, there's no way to tell what's valid/invalid
|
||||
if(hostinfo['invalid_username'] == results.SUCCESS) then
|
||||
@@ -634,16 +634,16 @@ local function initialize(host)
|
||||
|
||||
-- Print a message to the user if we can identify passwords
|
||||
if(hostinfo['invalid_username'] ~= hostinfo['invalid_password']) then
|
||||
stdnse.print_debug(1, "smb-brute: Invalid username and password response are different, so identifying valid accounts is possible")
|
||||
stdnse.debug1("Invalid username and password response are different, so identifying valid accounts is possible")
|
||||
end
|
||||
|
||||
-- Print a warning message if invalid_username and invalid_password go to the same thing that isn't FAIL
|
||||
if(hostinfo['invalid_username'] ~= results.FAIL and hostinfo['invalid_username'] == hostinfo['invalid_password']) then
|
||||
stdnse.print_debug(1, "smb-brute: WARNING: Difficult to recognize invalid usernames/passwords; may not get good results")
|
||||
stdnse.debug1("WARNING: Difficult to recognize invalid usernames/passwords; may not get good results")
|
||||
end
|
||||
|
||||
-- Restart the SMB connection so we have a clean slate
|
||||
stdnse.print_debug(1, "smb-brute: Restarting the session before the bruteforce")
|
||||
stdnse.debug1("Restarting the session before the bruteforce")
|
||||
status, err = restart_session(hostinfo)
|
||||
if(status == false) then
|
||||
stop_session(hostinfo)
|
||||
@@ -772,7 +772,7 @@ function test_lockouts(hostinfo)
|
||||
end
|
||||
|
||||
if(canaries > 0) then
|
||||
stdnse.print_debug(1, "smb-brute: Detecting server lockout on '%s' with %d canaries", username, canaries)
|
||||
stdnse.debug1("Detecting server lockout on '%s' with %d canaries", username, canaries)
|
||||
end
|
||||
|
||||
local result
|
||||
@@ -784,14 +784,14 @@ function test_lockouts(hostinfo)
|
||||
if(result == results.LOCKED) then
|
||||
-- If the canary just became locked, we're one step from locking out every account. Loop through the usernames and invalidate them to
|
||||
-- prevent them from being locked out
|
||||
stdnse.print_debug(1, "smb-brute: Canary (%s) became locked out -- aborting")
|
||||
stdnse.debug1("Canary (%s) became locked out -- aborting")
|
||||
|
||||
-- Add it to the locked username list (so it can be reported)
|
||||
hostinfo['locked_usernames'][username] = true
|
||||
|
||||
-- Mark all the usernames as invalid (a bit of a hack, but it's safer this way)
|
||||
while(username ~= nil) do
|
||||
stdnse.print_debug(1, "smb-brute: Marking '%s' as 'invalid'", username)
|
||||
stdnse.debug1("Marking '%s' as 'invalid'", username)
|
||||
hostinfo['invalid_usernames'][username] = true
|
||||
username = get_next_username(hostinfo)
|
||||
end
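Review bot: The `Canary (%s) became locked out -- aborting` message in this hunk has a `%s` placeholder but no argument, and the rename carries that over unchanged. If `stdnse.debug1` formats its arguments the way `string.format` does (presumably; the helper is not shown on this page), the call would raise at debug level 1 or higher. That would happen before the loop below it, which marks the remaining usernames invalid to keep them from being locked out. Passing the name fixes it: `stdnse.debug1("Canary (%s) became locked out -- aborting", username)`. The body of `test_lockouts` starts and ends outside this hunk.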
|
||||
@@ -819,7 +819,7 @@ local function validate_usernames(hostinfo)
|
||||
local result
|
||||
local username, password
|
||||
|
||||
stdnse.print_debug(1, "smb-brute: Checking which account names exist (based on what goes to the 'guest' account)")
|
||||
stdnse.debug1("Checking which account names exist (based on what goes to the 'guest' account)")
|
||||
|
||||
-- Start a session
|
||||
status, err = restart_session(hostinfo)
|
||||
@@ -836,34 +836,34 @@ local function validate_usernames(hostinfo)
|
||||
|
||||
if(result ~= hostinfo['invalid_password'] and result == hostinfo['invalid_username']) then
|
||||
-- If the account matches the value of 'invalid_username', but not the value of 'invalid_password', it's invalid
|
||||
stdnse.print_debug(1, "smb-brute: Blank password for '%s' -> '%s' (invalid account)", username, result_short_strings[result])
|
||||
stdnse.debug1("Blank password for '%s' -> '%s' (invalid account)", username, result_short_strings[result])
|
||||
hostinfo['invalid_usernames'][username] = true
|
||||
|
||||
elseif(result == hostinfo['invalid_password']) then
|
||||
|
||||
-- If the account matches the value of 'invalid_password', and 'invalid_password' is reliable, it's probably valid
|
||||
if(hostinfo['invalid_username'] ~= results.FAIL and hostinfo['invalid_username'] == hostinfo['invalid_password']) then
|
||||
stdnse.print_debug(1, "smb-brute: Blank password for '%s' => '%s' (can't determine validity)", username, result_short_strings[result])
|
||||
stdnse.debug1("Blank password for '%s' => '%s' (can't determine validity)", username, result_short_strings[result])
|
||||
else
|
||||
stdnse.print_debug(1, "smb-brute: Blank password for '%s' => '%s' (probably valid)", username, result_short_strings[result])
|
||||
stdnse.debug1("Blank password for '%s' => '%s' (probably valid)", username, result_short_strings[result])
|
||||
end
|
||||
|
||||
elseif(result == results.ACCOUNT_LOCKED) then
|
||||
-- If the account is locked out, don't try it
|
||||
hostinfo['locked_usernames'][username] = true
|
||||
stdnse.print_debug(1, "smb-brute: Blank password for '%s' => '%s' (locked out)", username, result_short_strings[result])
|
||||
stdnse.debug1("Blank password for '%s' => '%s' (locked out)", username, result_short_strings[result])
|
||||
|
||||
elseif(result == results.FAIL) then
|
||||
-- If none of the standard options work, check if it's FAIL. If it's FAIL, there's an error somewhere (probably, the
|
||||
-- 'administrator' username is changed so we're getting invalid data).
|
||||
stdnse.print_debug(1, "smb-brute: Blank password for '%s' => '%s' (may be valid)", username, result_short_strings[result])
|
||||
stdnse.debug1("Blank password for '%s' => '%s' (may be valid)", username, result_short_strings[result])
|
||||
|
||||
else
|
||||
-- If none of those came up, either the password is legitimately blank, or any account works. Figure out what!
|
||||
local new_result = check_login(hostinfo, username, get_random_string(14), "ntlm")
|
||||
if(new_result == result) then
|
||||
-- Any password works (often happens with 'guest' account)
|
||||
stdnse.print_debug(1, "smb-brute: All passwords accepted for %s (goes to %s)", username, result_short_strings[result])
|
||||
stdnse.debug1("All passwords accepted for %s (goes to %s)", username, result_short_strings[result])
|
||||
status, err = found_account(hostinfo, username, "<anything>", result)
|
||||
if(status == false) then
|
||||
return false, err
|
||||
@@ -932,7 +932,7 @@ function found_account(hostinfo, username, password, result)
|
||||
-- Check lockout policy
|
||||
local status, bad_lockout_policy_result = bad_lockout_policy(hostinfo['host'])
|
||||
if(not(status)) then
|
||||
stdnse.print_debug(1, "smb-brute: WARNING: couldn't determine lockout policy: %s", bad_lockout_policy_result)
|
||||
stdnse.debug1("WARNING: couldn't determine lockout policy: %s", bad_lockout_policy_result)
|
||||
else
|
||||
if(bad_lockout_policy_result) then
|
||||
return false, "Account lockouts are enabled on the host. To continue (and risk lockouts), add --script-args=smblockout=1 -- for more information, run smb-enum-domains."
|
||||
@@ -942,7 +942,7 @@ function found_account(hostinfo, username, password, result)
|
||||
-- If we haven't retrieved the real user list yet, do so
|
||||
if(hostinfo['have_user_list'] == false) then
|
||||
-- Attempt to enumerate users
|
||||
stdnse.print_debug(1, "smb-brute: Trying to get user list from server using newly discovered account")
|
||||
stdnse.debug1("Trying to get user list from server using newly discovered account")
|
||||
local _
|
||||
hostinfo['have_user_list'], _, hostinfo['user_list'] = msrpc.get_user_list(hostinfo['host'])
|
||||
hostinfo['user_list_index'] = 1
|
||||
@@ -952,7 +952,7 @@ function found_account(hostinfo, username, password, result)
|
||||
|
||||
-- If the list was found, let the user know and reset the password list
|
||||
if(hostinfo['have_user_list']) then
|
||||
stdnse.print_debug(1, "smb-brute: Found %d accounts to check!", #hostinfo['user_list'])
|
||||
stdnse.debug1("Found %d accounts to check!", #hostinfo['user_list'])
|
||||
reset_password(hostinfo)
|
||||
|
||||
-- Validate them (pick out the ones that can't possibly log in)
|
||||
@@ -1035,17 +1035,17 @@ local function go(host)
|
||||
end
|
||||
|
||||
-- Let the user know that it went badly
|
||||
stdnse.print_debug(1, "smb-brute: '%s' became locked out; stopping", username)
|
||||
stdnse.debug1("'%s' became locked out; stopping", username)
|
||||
|
||||
return true, hostinfo['accounts'], hostinfo['locked_usernames']
|
||||
else
|
||||
stdnse.print_debug(1, "smb-brute: '%s' became locked out; continuing", username)
|
||||
stdnse.debug1("'%s' became locked out; continuing", username)
|
||||
end
|
||||
end
|
||||
|
||||
if(is_positive_result(hostinfo, result)) then
|
||||
-- Reset the connection
|
||||
stdnse.print_debug(2, "smb-brute: Found an account; resetting connection")
|
||||
stdnse.debug2("Found an account; resetting connection")
|
||||
status, err = restart_session(hostinfo)
|
||||
if(status == false) then
|
||||
return false, err
|
||||
@@ -1054,9 +1054,9 @@ local function go(host)
|
||||
-- Find the case of the password, unless it's a hash
|
||||
local case_password
|
||||
if(not(#password == 32 or #password == 64 or #password == 65)) then
|
||||
stdnse.print_debug(1, "smb-brute: Determining password's case (%s)", format_result(username, password))
|
||||
stdnse.debug1("Determining password's case (%s)", format_result(username, password))
|
||||
case_password = find_password_case(hostinfo, username, password, result)
|
||||
stdnse.print_debug(1, "smb-brute: Result: %s", format_result(username, case_password))
|
||||
stdnse.debug1("Result: %s", format_result(username, case_password))
|
||||
else
|
||||
case_password = password
|
||||
end
|
||||
|
||||
@@ -394,7 +394,7 @@ local function check_smbv2_dos(host)
|
||||
socket:close()
|
||||
|
||||
-- Give it some time to crash
|
||||
stdnse.print_debug(1, "smb-check-vulns: Waiting 5 seconds to see if Windows crashed")
|
||||
stdnse.debug1("Waiting 5 seconds to see if Windows crashed")
|
||||
stdnse.sleep(5)
|
||||
|
||||
-- Create a new socket
|
||||
@@ -404,27 +404,27 @@ local function check_smbv2_dos(host)
|
||||
end
|
||||
|
||||
-- Try and do something simple
|
||||
stdnse.print_debug(1, "smb-check-vulns: Attempting to connect to the host")
|
||||
stdnse.debug1("Attempting to connect to the host")
|
||||
socket:set_timeout(5000)
|
||||
status, result = socket:connect(host, 445)
|
||||
|
||||
-- Check the result
|
||||
if(status == false or status == nil) then
|
||||
stdnse.print_debug(1, "smb-check-vulns: Connect failed, host is likely vulnerable!")
|
||||
stdnse.debug1("Connect failed, host is likely vulnerable!")
|
||||
socket:close()
|
||||
return true, VULNERABLE
|
||||
end
|
||||
|
||||
-- Try sending something
|
||||
stdnse.print_debug(1, "smb-check-vulns: Attempting to send data to the host")
|
||||
stdnse.debug1("Attempting to send data to the host")
|
||||
status, result = socket:send("AAAA")
|
||||
if(status == false or status == nil) then
|
||||
stdnse.print_debug(1, "smb-check-vulns: Send failed, host is likely vulnerable!")
|
||||
stdnse.debug1("Send failed, host is likely vulnerable!")
|
||||
socket:close()
|
||||
return true, VULNERABLE
|
||||
end
|
||||
|
||||
stdnse.print_debug(1, "smb-check-vulns: Checks finished; host is likely not vulnerable.")
|
||||
stdnse.debug1("Checks finished; host is likely not vulnerable.")
|
||||
socket:close()
|
||||
return true, PATCHED
|
||||
end
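Review bot: Both failure branches log `host is likely vulnerable!` without including `result`, so the debug output cannot tell a crashed host apart from a filtered port or a transient network error. `result` is presumably the error string returned by `socket:connect` / `socket:send`, and logging it keeps the verdict auditable: `stdnse.debug1("Connect failed (%s), host is likely vulnerable!", result)`, and likewise `stdnse.debug1("Send failed (%s), host is likely vulnerable!", result)`. `check_smbv2_dos` starts outside this hunk.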
|
||||
|
||||
@@ -47,10 +47,10 @@ action = function(host)
|
||||
local status, result = smb.start_ex(host, true, true)
|
||||
if(status) then
|
||||
table.insert(states, result) -- Keep the result so it doesn't get garbage cleaned
|
||||
stdnse.print_debug(1, "smb-flood: Connection successfully opened")
|
||||
stdnse.debug1("Connection successfully opened")
|
||||
stdnse.sleep(.1)
|
||||
else
|
||||
stdnse.print_debug(1, "smb-flood: Connection failed: %s", result)
|
||||
stdnse.debug1("Connection failed: %s", result)
|
||||
stdnse.sleep(1)
|
||||
end
|
||||
until false
|
||||
|
||||
@@ -562,28 +562,28 @@ local function get_service_files(host)
|
||||
if(status == false) then
|
||||
return false, string.format("Error generating service name: %s", service_name)
|
||||
end
|
||||
stdnse.print_debug("smb-psexec: Generated static service name: %s", service_name)
|
||||
stdnse.debug1("Generated static service name: %s", service_name)
|
||||
|
||||
-- Get the name and service's executable file (with a .txt extension for fun)
|
||||
status, service_file = smb.get_uniqueish_name(host, "txt")
|
||||
if(status == false) then
|
||||
return false, string.format("Error generating remote filename: %s", service_file)
|
||||
end
|
||||
stdnse.print_debug("smb-psexec: Generated static service name: %s", service_name)
|
||||
stdnse.debug1("Generated static service name: %s", service_name)
|
||||
|
||||
-- Get the temporary output file
|
||||
status, temp_output_file = smb.get_uniqueish_name(host, "out.tmp")
|
||||
if(status == false) then
|
||||
return false, string.format("Error generating remote filename: %s", temp_output_file)
|
||||
end
|
||||
stdnse.print_debug("smb-psexec: Generated static service filename: %s", temp_output_file)
|
||||
stdnse.debug1("Generated static service filename: %s", temp_output_file)
|
||||
|
||||
-- Get the actual output file
|
||||
status, output_file = smb.get_uniqueish_name(host, "out")
|
||||
if(status == false) then
|
||||
return false, string.format("Error generating remote output file: %s", output_file)
|
||||
end
|
||||
stdnse.print_debug("smb-psexec: Generated static output filename: %s", output_file)
|
||||
stdnse.debug1("Generated static output filename: %s", output_file)
|
||||
|
||||
-- Return everything
|
||||
return true, service_name, service_file, temp_output_file, output_file
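Review bot: Two of the converted debug messages in `get_service_files` describe the wrong value. After `service_file` is generated the call still logs `service_name` under "Generated static service name", and `temp_output_file` is logged as the "service filename". These look like the names of the files the script places on the remote host, so someone using debug output to confirm cleanup after a failed run would never see the service file name. Suggested: `stdnse.debug1("Generated static service filename: %s", service_file)` and `stdnse.debug1("Generated static temporary output filename: %s", temp_output_file)`. The function starts outside the hunk.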
|
||||
@@ -605,17 +605,17 @@ function cleanup(host, config)
|
||||
return
|
||||
end
|
||||
|
||||
stdnse.print_debug(1, "smb-psexec: Entering cleanup() -- errors here can generally be ignored")
|
||||
stdnse.debug1("Entering cleanup() -- errors here can generally be ignored")
|
||||
-- Try stopping the service
|
||||
status, err = msrpc.service_stop(host, config.service_name)
|
||||
if(status == false) then
|
||||
stdnse.print_debug(1, "smb-psexec: [cleanup] Couldn't stop service: %s", err)
|
||||
stdnse.debug1("[cleanup] Couldn't stop service: %s", err)
|
||||
end
|
||||
|
||||
-- Try deleting the service
|
||||
status, err = msrpc.service_delete(host, config.service_name)
|
||||
if(status == false) then
|
||||
stdnse.print_debug(1, "smb-psexec: [cleanup] Couldn't delete service: %s", err)
|
||||
stdnse.debug1("[cleanup] Couldn't delete service: %s", err)
|
||||
end
|
||||
|
||||
-- Delete the files
|
||||
@@ -623,7 +623,7 @@ function cleanup(host, config)
|
||||
status, err = smb.file_delete(host, share, config.all_files)
|
||||
end
|
||||
|
||||
stdnse.print_debug(1, "smb-psexec: Leaving cleanup()")
|
||||
stdnse.debug1("Leaving cleanup()")
|
||||
|
||||
return true
|
||||
end
|
||||
@@ -635,7 +635,7 @@ end
|
||||
--@param extension The extension of the file (filename without the extension is tried first).
|
||||
--@return The full filename, or nil if it couldn't be found.
|
||||
local function locate_file(filename, extension)
|
||||
stdnse.print_debug(1, "smb-psexec: Attempting to find file: %s", filename)
|
||||
stdnse.debug1("Attempting to find file: %s", filename)
|
||||
|
||||
extension = extension or ""
|
||||
|
||||
@@ -723,7 +723,7 @@ local function find_share(host)
|
||||
return false, "Setting the 'share' script-arg requires the 'sharepath' to be set as well."
|
||||
end
|
||||
|
||||
stdnse.print_debug(1, "smb-psexec: Using share chosen by the user: %s (%s)", share, path)
|
||||
stdnse.debug1("Using share chosen by the user: %s (%s)", share, path)
|
||||
else
|
||||
-- Try and find a share to use.
|
||||
status, share, path, shares = smb.share_find_writable(host)
|
||||
@@ -733,7 +733,7 @@ local function find_share(host)
|
||||
if(path == nil) then
|
||||
return false, string.format("Couldn't find path to writable share (we probably don't have admin access): '%s'", share)
|
||||
end
|
||||
stdnse.print_debug(1, "smb-psexec: Found usable share %s (%s) (all writable shares: %s)", share, path, stdnse.strjoin(", ", shares))
|
||||
stdnse.debug1("Found usable share %s (%s) (all writable shares: %s)", share, path, stdnse.strjoin(", ", shares))
|
||||
end
|
||||
|
||||
return true, share, path, shares
|
||||
@@ -807,7 +807,7 @@ local function get_config(host, config)
|
||||
|
||||
-- Load the config file
|
||||
local env = setmetatable({modules = {}; overrides = {}; module = function() stdnse.print_debug(1, "WARNING: Selected config file contains an unnecessary call to module()") end}, {__index = _G})
|
||||
stdnse.print_debug(1, "smb-psexec: Attempting to load config file: %s", filename)
|
||||
stdnse.debug1("Attempting to load config file: %s", filename)
|
||||
local file = loadfile(filename, "t", env)
|
||||
if(not(file)) then
|
||||
return false, "Couldn't load module file:\n" .. filename
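Review bot: The `module` stub inside the `env` table still calls `stdnse.print_debug(1, ...)`, so this hunk leaves one old-style call next to the converted one. It looks like the sed pattern skipped it because the message starts with uppercase `WARNING:` rather than a lowercase script-name prefix. For consistency with the rest of the commit: `module = function() stdnse.debug1("WARNING: Selected config file contains an unnecessary call to module()") end`. `get_config` continues outside the hunk.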
|
||||
@@ -869,7 +869,7 @@ local function get_config(host, config)
|
||||
end
|
||||
|
||||
-- Loop through the modules for some pre-processing
|
||||
stdnse.print_debug(1, "smb-psexec: Verifying uploadable executables exist")
|
||||
stdnse.debug1("Verifying uploadable executables exist")
|
||||
for i, mod in ipairs(modules) do
|
||||
local enabled = true
|
||||
-- Do some sanity checking
|
||||
@@ -959,7 +959,7 @@ local function get_config(host, config)
|
||||
-- Checks for the uploadable modules
|
||||
if(mod.upload) then
|
||||
-- Check if the module actually exists
|
||||
stdnse.print_debug(1, "smb-psexec: Looking for uploadable module: %s or %s.exe", mod.program, mod.program)
|
||||
stdnse.debug1("Looking for uploadable module: %s or %s.exe", mod.program, mod.program)
|
||||
mod.filename = locate_file(mod.program, "exe")
|
||||
if(mod.filename == nil) then
|
||||
enabled = false
|
||||
@@ -972,14 +972,14 @@ local function get_config(host, config)
|
||||
end
|
||||
else
|
||||
-- We found it
|
||||
stdnse.print_debug(1, "smb-psexec: Found: %s", mod.filename)
|
||||
stdnse.debug1("Found: %s", mod.filename)
|
||||
|
||||
-- Generate a name to upload them as (we don't upload with the original names)
|
||||
status, mod.upload_name = smb.get_uniqueish_name(host, "txt", mod.filename)
|
||||
if(not(status)) then
|
||||
return false, "Couldn't generate name for uploaded file: " .. mod.upload_name
|
||||
end
|
||||
stdnse.print_debug("smb-psexec: Will upload %s as %s", mod.filename, mod.upload_name)
|
||||
stdnse.debug1("Will upload %s as %s", mod.filename, mod.upload_name)
|
||||
end
|
||||
end
|
||||
|
||||
@@ -994,12 +994,12 @@ local function get_config(host, config)
|
||||
-- Loop through all of the extra files
|
||||
mod.extrafiles_paths = {}
|
||||
for i, extrafile in ipairs(mod.extrafiles) do
|
||||
stdnse.print_debug(1, "smb-psexec: Looking for extra module: %s", extrafile)
|
||||
stdnse.debug1("Looking for extra module: %s", extrafile)
|
||||
mod.extrafiles_paths[i] = locate_file(extrafile)
|
||||
if(mod.extrafiles_paths[i] == nil) then
|
||||
return false, string.format("Couldn't find required file to upload: %s", extrafile)
|
||||
end
|
||||
stdnse.print_debug(1, "smb-psexec: Found: %s", mod.extrafiles_paths[i])
|
||||
stdnse.debug1("Found: %s", mod.extrafiles_paths[i])
|
||||
end
|
||||
end
|
||||
|
||||
@@ -1020,7 +1020,7 @@ local function get_config(host, config)
|
||||
-- Finalize the timeout
|
||||
local max_timeout = nmap.registry.args.timeout or 15
|
||||
config.timeout = math.max(config.timeout, max_timeout)
|
||||
stdnse.print_debug(1, "smb-psexec: Timeout waiting for a response is %d seconds", config.timeout)
|
||||
stdnse.debug1("Timeout waiting for a response is %d seconds", config.timeout)
|
||||
|
||||
-- Do config overrides
|
||||
if(overrides) then
|
||||
@@ -1028,7 +1028,7 @@ local function get_config(host, config)
|
||||
end
|
||||
|
||||
-- Replace variable values in the configuration (this has to go last)
|
||||
stdnse.print_debug(1, "smb-psexec: Replacing variables in the modules' fields")
|
||||
stdnse.debug1("Replacing variables in the modules' fields")
|
||||
for i, mod in ipairs(config.enabled_modules) do
|
||||
for k, v in pairs(mod) do
|
||||
mod[k] = replace_variables(config, v)
|
||||
@@ -1128,21 +1128,21 @@ local function upload_everything(host, config)
|
||||
end
|
||||
|
||||
-- Upload the service file
|
||||
stdnse.print_debug(1, "smb-psexec: Uploading: %s => \\\\%s\\%s", config.local_service_file, config.share, config.service_file)
|
||||
stdnse.debug1("Uploading: %s => \\\\%s\\%s", config.local_service_file, config.share, config.service_file)
|
||||
local status, err
|
||||
status, err = smb.file_upload(host, config.local_service_file, config.share, "\\" .. config.service_file, overrides, is_xor_encoded)
|
||||
if(status == false) then
|
||||
cleanup(host, config)
|
||||
return false, string.format("Couldn't upload the service file: %s\n", err)
|
||||
end
|
||||
stdnse.print_debug(1, "smb-psexec: Service file successfully uploaded!")
|
||||
stdnse.debug1("Service file successfully uploaded!")
|
||||
|
||||
-- Upload the modules and all their extras
|
||||
stdnse.print_debug(1, "smb-psexec: Attempting to upload the modules")
|
||||
stdnse.debug1("Attempting to upload the modules")
|
||||
for _, mod in ipairs(config.enabled_modules) do
|
||||
-- If it's an uploadable module, upload it
|
||||
if(mod.upload) then
|
||||
stdnse.print_debug(1, "smb-psexec: Uploading: %s => \\\\%s\\%s", mod.filename, config.share, mod.upload_name)
|
||||
stdnse.debug1("Uploading: %s => \\\\%s\\%s", mod.filename, config.share, mod.upload_name)
|
||||
status, err = smb.file_upload(host, mod.filename, config.share, "\\" .. mod.upload_name, overrides)
|
||||
if(status == false) then
|
||||
cleanup(host, config)
|
||||
@@ -1161,7 +1161,7 @@ local function upload_everything(host, config)
|
||||
for i, extrafile in ipairs(mod.extrafiles) do
|
||||
local extrafile_local = mod.extrafiles_paths[i]
|
||||
|
||||
stdnse.print_debug(1, "smb-psexec: Uploading extra file: %s => \\\\%s\\%s", extrafile_local, config.share, extrafile)
|
||||
stdnse.debug1("Uploading extra file: %s => \\\\%s\\%s", extrafile_local, config.share, extrafile)
|
||||
status, err = smb.file_upload(host, extrafile_local, config.share, extrafile, overrides)
|
||||
if(status == false) then
|
||||
cleanup(host, config)
|
||||
@@ -1170,7 +1170,7 @@ local function upload_everything(host, config)
|
||||
end
|
||||
end
|
||||
end
|
||||
stdnse.print_debug(1, "smb-psexec: Modules successfully uploaded!")
|
||||
stdnse.debug1("Modules successfully uploaded!")
|
||||
|
||||
return true
|
||||
end
|
||||
@@ -1183,7 +1183,7 @@ end
|
||||
local function create_service(host, config)
|
||||
local status, err = msrpc.service_create(host, config.service_name, config.path .. "\\" .. config.service_file)
|
||||
if(status == false) then
|
||||
stdnse.print_debug(1, "smb-psexec: Couldn't create the service: %s", err)
|
||||
stdnse.debug1("Couldn't create the service: %s", err)
|
||||
cleanup(host, config)
|
||||
|
||||
if(string.find(err, "MARKED_FOR_DELETE")) then
|
||||
@@ -1240,7 +1240,7 @@ end
|
||||
local function start_service(host, config, params)
|
||||
local status, err = msrpc.service_start(host, config.service_name, params)
|
||||
if(status == false) then
|
||||
stdnse.print_debug(1, "smb-psexec: Couldn't start the service: %s", err)
|
||||
stdnse.debug1("Couldn't start the service: %s", err)
|
||||
return false, string.format("Couldn't start the service on the remote machine: %s", err)
|
||||
end
|
||||
|
||||
@@ -1256,7 +1256,7 @@ end
|
||||
--@return result The file if status is true, or an error message if status is false.
|
||||
|
||||
local function get_output_file(host, config)
|
||||
stdnse.print_debug(1, "smb-psexec: Waiting for output file to be created (timeout = %d seconds)", config.timeout)
|
||||
stdnse.debug1("Waiting for output file to be created (timeout = %d seconds)", config.timeout)
|
||||
local status, result
|
||||
|
||||
local i = config.timeout
|
||||
@@ -1265,7 +1265,7 @@ local function get_output_file(host, config)
|
||||
|
||||
if(not(status) and result ~= "NT_STATUS_OBJECT_NAME_NOT_FOUND") then
|
||||
-- An unexpected error occurred
|
||||
stdnse.print_debug(1, "smb-psexec: Couldn't read the file: %s", result)
|
||||
stdnse.debug1("Couldn't read the file: %s", result)
|
||||
cleanup(host, config)
|
||||
|
||||
return false, string.format("Couldn't read the file from the remote machine: %s", result)
|
||||
@@ -1274,13 +1274,13 @@ local function get_output_file(host, config)
|
||||
if(not(status) and result == "NT_STATUS_OBJECT_NAME_NOT_FOUND") then
|
||||
-- An expected error occurred; if this happens, we just wait
|
||||
if(i == 0) then
|
||||
stdnse.print_debug(1, "smb-psexec: Error in remote service: output file was never created!")
|
||||
stdnse.debug1("Error in remote service: output file was never created!")
|
||||
cleanup(host, config)
|
||||
|
||||
return false, string.format("Error in remote service: output file was never created")
|
||||
end
|
||||
|
||||
stdnse.print_debug(1, "smb-psexec: Output file %s doesn't exist yet, waiting for %d more seconds", config.output_file, i)
|
||||
stdnse.debug1("Output file %s doesn't exist yet, waiting for %d more seconds", config.output_file, i)
|
||||
stdnse.sleep(1)
|
||||
i = i - 1
|
||||
end
|
||||
@@ -1474,7 +1474,7 @@ action = function(host)
|
||||
local files
|
||||
|
||||
-- First check for nmap_service.exe; we can't do anything without it.
|
||||
stdnse.print_debug(1, "smb-psexec: Looking for the service file: nmap_service or nmap_service.exe")
|
||||
stdnse.debug1("Looking for the service file: nmap_service or nmap_service.exe")
|
||||
config.local_service_file = locate_file("nmap_service", "exe")
|
||||
if (config.local_service_file == nil) then
|
||||
if nmap.verbosity() > 0 then
|
||||
|
||||