SMB2 dialect refactoring. Fixes #2203, closes #2208

scripts/smb-protocols.nse

@@ -7,11 +7,11 @@ Attempts to list the supported protocols and dialects of a SMB server.
 
 The script attempts to initiate a connection using the dialects:
 * NT LM 0.12 (SMBv1)
-* 2.02       (SMBv2)
-* 2.10       (SMBv2)
-* 3.00       (SMBv3)
-* 3.02       (SMBv3)
-* 3.11       (SMBv3)
+* 2.0.2      (SMBv2)
+* 2.1        (SMBv2)
+* 3.0        (SMBv3)
+* 3.0.2      (SMBv3)
+* 3.1.1      (SMBv3)
 
 Additionally if SMBv1 is found enabled, it will mark it as insecure. This
 script is the successor to the (removed) smbv2-enabled script.
@@ -25,20 +25,20 @@ script is the successor to the (removed) smbv2-enabled script.
 -- | smb-protocols:
 -- |   dialects:
 -- |     NT LM 0.12 (SMBv1) [dangerous, but default]
--- |     2.02
--- |     2.10
--- |     3.00
--- |     3.02
--- |_    3.11
+-- |     2.0.2
+-- |     2.1
+-- |     3.0
+-- |     3.0.2
+-- |_    3.1.1
 --
 -- @xmloutput
 -- <table key="dialects">
 -- <elem>NT LM 0.12 (SMBv1) [dangerous, but default]</elem>
--- <elem>2.02</elem>
--- <elem>2.10</elem>
--- <elem>3.00</elem>
--- <elem>3.02</elem>
--- <elem>3.11</elem>
+-- <elem>2.0.2</elem>
+-- <elem>2.1</elem>
+-- <elem>3.0</elem>
+-- <elem>3.0.2</elem>
+-- <elem>3.1.1</elem>
 -- </table>
 ---
 

scripts/smb2-capabilities.nse

@@ -10,11 +10,11 @@ Attempts to list the supported capabilities in a SMBv2 server for each
 
 The script sends a SMB2_COM_NEGOTIATE command and parses the response
  using the SMB dialects:
-* 2.02
-* 2.10
-* 3.00
-* 3.02
-* 3.11
+* 2.0.2
+* 2.1
+* 3.0
+* 3.0.2
+* 3.1.1
 
 References:
 * https://msdn.microsoft.com/en-us/library/cc246561.aspx
@@ -26,18 +26,18 @@ References:
 --
 -- @output
 -- | smb2-capabilities:
--- |   2.02:
+-- |   2.0.2:
 -- |     Distributed File System
--- |   2.10:
+-- |   2.1:
 -- |     Distributed File System
 -- |     Leasing
 -- |     Multi-credit operations
 --
 -- @xmloutput
--- <table key="2.02">
+-- <table key="2.0.2">
 -- <elem>Distributed File System</elem>
 -- </table>
--- <table key="2.10">
+-- <table key="2.1">
 -- <elem>Distributed File System</elem>
 -- <elem>Leasing</elem>
 -- <elem>Multi-credit operations</elem>
@@ -57,9 +57,20 @@ action = function(host,port)
   local output = stdnse.output_table()
   overrides = {}
 
-  local smb2_dialects = {0x0202, 0x0210, 0x0300, 0x0302, 0x0311}
+  -- Checking if SMB 2+ is supported in general
+  status, smbstate = smb.start(host)
+  if(status == false) then
+    return false, smbstate
+  end
+  local max_dialect
+  status, max_dialect = smb2.negotiate_v2(smbstate)
+  smb.stop(smbstate)
+  if not status then -- None of SMB2 dialects accepted by the target
+    return false, "SMB 2+ not supported"
+  end
+  stdnse.debug2("SMB2: Dialect '%s' is the highest supported", smb2.dialect_name(max_dialect))
 
-  for i, dialect in pairs(smb2_dialects) do
+  for i, dialect in pairs(smb2.dialects()) do
     -- we need a clean connection for each negotiate request
     status, smbstate = smb.start(host)
     if(status == false) then
@@ -99,10 +110,12 @@ action = function(host,port)
       if #capabilities<1 then
         table.insert(capabilities, "All capabilities are disabled")
       end
-      output[stdnse.tohex(dialect, {separator = ".", group = 2})] = capabilities
+      output[smb2.dialect_name(dialect)] = capabilities
     end
     smb.stop(smbstate)
-    status = false
+    if dialect == max_dialect then
+      break
+    end
   end
 
     if #output>0 then

scripts/smb2-security-mode.nse

@@ -22,11 +22,11 @@ References:
 --
 -- @output
 -- | smb2-security-mode:
--- |   3.11:
+-- |   3.1.1:
 -- |_    Message signing enabled but not required
 --
 -- @xmloutput
--- <table key="3.11">
+-- <table key="3.1.1">
 -- <elem>Message signing enabled but not required</elem>
 -- </table>
 ---
@@ -40,53 +40,43 @@ hostrule = function(host)
 end
 
 action = function(host,port)
-  local status, smbstate, overrides
+  local status, smbstate
   local output = stdnse.output_table()
-  overrides = overrides or {}
 
-  local smb2_dialects = {0x0202, 0x0210, 0x0300, 0x0302, 0x0311}
-
-  for i, dialect in pairs(smb2_dialects) do
-    -- we need a clean connection for each negotiate request
-    status, smbstate = smb.start(host)
-    if(status == false) then
-      return false, smbstate
-    end
-    overrides['Dialects'] = {dialect}
-    status, dialect = smb2.negotiate_v2(smbstate, overrides)
-    if status then
-      local message_signing = {}
-
-      -- Signing configuration. SMBv2 servers support two flags:
-      -- * Message signing enabled
-      -- * Message signing required
-      local signing_enabled, signing_required
-      if smbstate['security_mode'] & 0x01 == 0x01 then
-        signing_enabled = true
-      end
-      if smbstate['security_mode'] & 0x02 == 0x02 then
-        signing_required = true
-      end
-
-      if signing_enabled and signing_required then
-        table.insert(message_signing, "Message signing enabled and required")
-      elseif signing_enabled and not(signing_required) then
-        table.insert(message_signing, "Message signing enabled but not required")
-      elseif not(signing_enabled) and not(signing_required) then
-        table.insert(message_signing, "Message signing is disabled and not required!")
-      elseif not(signing_enabled) and signing_required then
-        table.insert(message_signing, "Message signing is disabled!")
-      end
-      output[stdnse.tohex(dialect, {separator = ".", group = 2})] = message_signing
-      -- We exit after first accepted dialect,
-      --  SMB signing configuration appears to be global so
-      --  there is no point of trying other dialects.
-      break
-    end
-
-    smb.stop(smbstate)
-    status = false
+  status, smbstate = smb.start(host)
+  if(status == false) then
+    return false, smbstate
   end
+  --  SMB signing configuration appears to be global so
+  --  there is no point of trying different dialects.
+  status, dialect = smb2.negotiate_v2(smbstate)
+  if status then
+    local message_signing = {}
+    -- Signing configuration. SMBv2 servers support two flags:
+    -- * Message signing enabled
+    -- * Message signing required
+    local signing_enabled, signing_required
+    if smbstate['security_mode'] & 0x01 == 0x01 then
+      signing_enabled = true
+    end
+    if smbstate['security_mode'] & 0x02 == 0x02 then
+      signing_required = true
+    end
+    if signing_enabled and signing_required then
+      table.insert(message_signing, "Message signing enabled and required")
+    elseif signing_enabled and not(signing_required) then
+      table.insert(message_signing, "Message signing enabled but not required")
+    elseif not(signing_enabled) and not(signing_required) then
+      table.insert(message_signing, "Message signing is disabled and not required!")
+    elseif not(signing_enabled) and signing_required then
+      table.insert(message_signing, "Message signing is disabled!")
+    end
+    output[smb2.dialect_name(dialect)] = message_signing
+    -- We exit after first accepted dialect,
+  end
+
+  smb.stop(smbstate)
+  status = false
 
   if #output>0 then
     return output

scripts/smb2-time.nse

@@ -31,11 +31,10 @@ hostrule = function(host)
 end
 
 action = function(host,port)
-  local smbstate, status, overrides
+  local smbstate, status
   local output = stdnse.output_table()
-  overrides = {}
   status, smbstate = smb.start(host)
-  status = smb2.negotiate_v2(smbstate, overrides)
+  status = smb2.negotiate_v2(smbstate)
 
   if status then
     datetime.record_skew(host, smbstate.time, os.time())

scripts/smb2-vuln-uptime.nse

@@ -107,13 +107,11 @@ This security update resolves a privately reported vulnerability in Microsoft
 }
 
 local function check_vulns(host, port)
-  local smbstate, status, overrides
+  local smbstate, status
   local vulns_detected = {}
 
-  overrides = {}
-  overrides['Dialects'] = {0x0202}
   status, smbstate = smb.start(host)
-  status = smb2.negotiate_v2(smbstate, overrides)
+  status = smb2.negotiate_v2(smbstate)
 
   if not status then
     stdnse.debug2("Negotiation failed")