Add clock-skew script, datetime library

CHANGELOG

@@ -1,5 +1,12 @@
 # Nmap Changelog ($Id$); -*-text-*-
 
+o [NSE] Added the datetime library for performing date and time calculations,
+  and as a helper to the clock-skew script.
+
+o [NSE] Added clock-skew for analyzing and reporting clock skew between Nmap
+  and services that report timestamps. Reports groups of hosts with similar
+  skews. [Daniel Miller]
+
 o [Ncat][GH#444] Added a -z option to Ncat. Just like the -z option in
   traditional netcat, it can be used to quicky check the status of a port. Port
   ranges are not supported. [Abhishek Singh]

nselib/datetime.lua

@@ -0,0 +1,33 @@
+--- Functions for dealing with dates and timestamps
+--
+-- @copyright Same as Nmap--See https://nmap.org/book/man-legal.html
+-- @class module
+-- @name datetime
+-- @author Daniel Miller
+
+local stdnse = require "stdnse"
+local os = require "os"
+local math = require "math"
+_ENV = stdnse.module("datetime", stdnse.seeall)
+
+--- Record a time difference between the scanner and the target
+--
+-- The skew will be recorded in the host's registry for later retrieval and
+-- analysis. Adjusts for network distance by subtracting half the smoothed
+-- round-trip time.
+--
+--@param host The host being scanned
+--@param timestamp The target timestamp, in seconds.
+--@param received The local time the stamp was received, in seconds.
+function record_skew(host, timestamp, received)
+  local skew_tab = host.registry.datetime_skew
+  skew_tab = skew_tab or {}
+  -- No srtt? I suppose we'll ignore it, but this could cause problems
+  local srtt = host.times and host.times.srtt or 0
+  local adjusted = os.difftime(math.floor(timestamp), math.floor(received)) - srtt / 2.0
+  skew_tab[#skew_tab + 1] = adjusted
+  stdnse.debug2("record_skew: %s", adjusted)
+  host.registry.datetime_skew = skew_tab
+end
+
+return _ENV

scripts/http-date.nse

@@ -3,6 +3,7 @@ local os = require "os"
 local shortport = require "shortport"
 local stdnse = require "stdnse"
 local string = require "string"
+local datetime = require "datetime"
 
 description = [[
 Gets the date from HTTP-like services. Also prints how much the date
@@ -31,8 +32,8 @@ categories = {"discovery", "safe"}
 portrule = shortport.http
 
 action = function(host, port)
-  local request_time = os.time()
   local response = http.get(host, port, "/")
+  local request_time = os.time()
   if not response.status or not response.header["date"] then
     return
   end
@@ -47,6 +48,8 @@ action = function(host, port)
   output_tab.date = stdnse.format_timestamp(response_time, 0)
   output_tab.delta = os.difftime(response_time, request_time)
 
+  datetime.record_skew(host, response_time, request_time)
+
   local output_str = string.format("%s; %s from local time.",
     response.header["date"], stdnse.format_difftime(os.date("!*t", response_time), os.date("!*t", request_time)))
 

scripts/http-ntlm-info.nse

@@ -1,4 +1,6 @@
 local bin = require "bin"
+local os = require "os"
+local datetime = require "datetime"
 local http = require "http"
 local shortport = require "shortport"
 local stdnse = require "stdnse"
@@ -74,6 +76,7 @@ action = function(host, port)
   local opts = { header = { Authorization = "NTLM " .. auth_blob } }
 
   local response = http.get( host, port, root, opts )
+  local recvtime = os.time()
 
   -- Continue only if correct header (www-authenticate) and NTLM response are included
   if response.header["www-authenticate"] and string.match(response.header["www-authenticate"], "NTLM (.*)") then
@@ -84,6 +87,12 @@ action = function(host, port)
     -- Leverage smbauth.get_host_info_from_security_blob() for decoding
     local ntlm_decoded = smbauth.get_host_info_from_security_blob(data)
 
+    if ntlm_decoded.timestamp then
+      -- 64-bit number of 100ns clicks since 1/1/1601
+      local unixstamp = ntlm_decoded.timestamp // 10000000 - 11644473600
+      datetime.record_skew(host, unixstamp, recvtime)
+    end
+
     -- Target Name will always be returned under any implementation
     output.Target_Name = ntlm_decoded.target_realm
 

scripts/imap-ntlm-info.nse

@@ -1,4 +1,6 @@
 local comm = require "comm"
+local os = require "os"
+local datetime = require "datetime"
 local bin = require "bin"
 local shortport = require "shortport"
 local sslcert = require "sslcert"
@@ -109,6 +111,7 @@ action = function(host, port)
     return nil
   end
 
+  local recvtime = os.time()
   socket:close()
 
   if string.match(response, "^A%d%d%d%d ") then
@@ -134,6 +137,12 @@ action = function(host, port)
   -- Leverage smbauth.get_host_info_from_security_blob() for decoding
   local ntlm_decoded = smbauth.get_host_info_from_security_blob(response_decoded)
 
+  if ntlm_decoded.timestamp then
+    -- 64-bit number of 100ns clicks since 1/1/1601
+    local unixstamp = ntlm_decoded.timestamp // 10000000 - 11644473600
+    datetime.record_skew(host, unixstamp, recvtime)
+  end
+
   -- Target Name will always be returned under any implementation
   output.Target_Name = ntlm_decoded.target_realm
 

scripts/ms-sql-ntlm-info.nse

@@ -1,4 +1,6 @@
 local bin = require "bin"
+local os = require "os"
+local datetime = require "datetime"
 local mssql = require "mssql"
 local shortport = require "shortport"
 local stdnse = require "stdnse"
@@ -72,6 +74,7 @@ action = function(host, port)
   end
 
   local status, response, errorDetail = tdsstream:Receive()
+  local recvtime = os.time()
   tdsstream:Disconnect()
 
   local pos, ttype = bin.unpack("C", response)
@@ -87,6 +90,12 @@ action = function(host, port)
   -- Leverage smbauth.get_host_info_from_security_blob() for decoding
   local ntlm_decoded = smbauth.get_host_info_from_security_blob(data)
 
+  if ntlm_decoded.timestamp then
+    -- 64-bit number of 100ns clicks since 1/1/1601
+    local unixstamp = ntlm_decoded.timestamp // 10000000 - 11644473600
+    datetime.record_skew(host, unixstamp, recvtime)
+  end
+
   -- Target Name will always be returned under any implementation
   output.Target_Name = ntlm_decoded.target_realm
 

scripts/nntp-ntlm-info.nse

@@ -1,4 +1,6 @@
 local comm = require "comm"
+local os = require "os"
+local datetime = require "datetime"
 local shortport = require "shortport"
 local stdnse = require "stdnse"
 local base64 = require "base64"
@@ -101,6 +103,7 @@ action = function(host, port)
     end
   end
 
+  local recvtime = os.time()
   socket:close()
 
   -- Continue only if a 381 response is returned
@@ -119,6 +122,12 @@ action = function(host, port)
   -- Leverage smbauth.get_host_info_from_security_blob() for decoding
   local ntlm_decoded = smbauth.get_host_info_from_security_blob(response_decoded)
 
+  if ntlm_decoded.timestamp then
+    -- 64-bit number of 100ns clicks since 1/1/1601
+    local unixstamp = ntlm_decoded.timestamp // 10000000 - 11644473600
+    datetime.record_skew(host, unixstamp, recvtime)
+  end
+
   -- Target Name will always be returned under any implementation
   output.Target_Name = ntlm_decoded.target_realm
 

scripts/ntp-info.nse

@@ -1,5 +1,8 @@
 local bin = require "bin"
 local comm = require "comm"
+local datetime = require "datetime"
+local os = require "os"
+local math = require "math"
 local nmap = require "nmap"
 local shortport = require "shortport"
 local stdnse = require "stdnse"
@@ -100,13 +103,15 @@ action = function(host, port)
 
   status, buftres = comm.exchange(host, port, treq, {timeout=TIMEOUT})
   if status then
-    local _, sec, frac, tstamp
+    local recvtime = os.time()
 
-    _, sec, frac = bin.unpack(">II", buftres, 33)
+    local _, sec, frac = bin.unpack(">II", buftres, 33)
     -- The NTP epoch is 1900-01-01, so subtract 70 years to bring the date into
     -- the range Lua expects. The number of seconds at 1970-01-01 is taken from
     -- the NTP4 reference above.
-    tstamp = sec - 2208988800 + frac / 0x10000000
+    local tstamp = sec - 2208988800 + frac / 0x10000000
+
+    datetime.record_skew(host, tstamp, recvtime)
 
     output["receive time stamp"] = stdnse.format_timestamp(tstamp)
   end

scripts/pop3-ntlm-info.nse

@@ -1,4 +1,6 @@
 local comm = require "comm"
+local os = require "os"
+local datetime = require "datetime"
 local bin = require "bin"
 local shortport = require "shortport"
 local stdnse = require "stdnse"
@@ -102,6 +104,7 @@ action = function(host, port)
     return
   end
 
+  local recvtime = os.time()
   socket:close()
 
   -- Continue only if a + response is returned
@@ -119,6 +122,12 @@ action = function(host, port)
   -- Leverage smbauth.get_host_info_from_security_blob() for decoding
   local ntlm_decoded = smbauth.get_host_info_from_security_blob(response_decoded)
 
+  if ntlm_decoded.timestamp then
+    -- 64-bit number of 100ns clicks since 1/1/1601
+    local unixstamp = ntlm_decoded.timestamp // 10000000 - 11644473600
+    datetime.record_skew(host, unixstamp, recvtime)
+  end
+
   -- Target Name will always be returned under any implementation
   output.Target_Name = ntlm_decoded.target_realm
 

scripts/rfc868-time.nse

@@ -1,4 +1,5 @@
 local comm = require "comm"
+local datetime = require "datetime"
 local shortport = require "shortport"
 local stdnse = require "stdnse"
 local bin = require "bin"
@@ -46,12 +47,14 @@ action = function(host, port)
 
     -- Make sure we don't stomp a more-likely service detection.
     if port.version.name == "time" then
-      local diff = os.difftime(stamp,os.time())
+      local recvtime = os.time()
+      local diff = os.difftime(stamp,recvtime)
       if diff < 0 then diff = -diff end
       -- confidence decreases by 1 for each year the time is off.
       stdnse.debug1("Time difference: %d seconds (%0.2f years)", diff, diff / 31556926)
       local confidence = 10 - diff / 31556926
       if confidence < 0 then confidence = 0 end
+      datetime.record_skew(host, stamp, recvtime)
       port.version.name_confidence = confidence
       nmap.set_port_version(host, port, "hardmatched")
     end

scripts/script.db

@@ -64,6 +64,7 @@ Entry { filename = "citrix-enum-apps.nse", categories = { "discovery", "safe", }
 Entry { filename = "citrix-enum-servers-xml.nse", categories = { "discovery", "safe", } }
 Entry { filename = "citrix-enum-servers.nse", categories = { "discovery", "safe", } }
 Entry { filename = "clamav-exec.nse", categories = { "exploit", "vuln", } }
+Entry { filename = "clock-skew.nse", categories = { "default", "safe", } }
 Entry { filename = "couchdb-databases.nse", categories = { "discovery", "safe", } }
 Entry { filename = "couchdb-stats.nse", categories = { "discovery", "safe", } }
 Entry { filename = "creds-summary.nse", categories = { "auth", "default", "safe", } }

scripts/smb-security-mode.nse

@@ -1,4 +1,6 @@
 local bit = require "bit"
+local os = require "os"
+local datetime = require "datetime"
 local smb = require "smb"
 local stdnse = require "stdnse"
 local string = require "string"
@@ -101,6 +103,9 @@ action = function(host)
     smb.stop(state)
     return stdnse.format_output(false, err)
   end
+  if state.time then
+    datetime.record_skew(host, state.time, os.time())
+  end
 
   local security_mode = state['security_mode']
 

scripts/smtp-ntlm-info.nse

@@ -1,3 +1,5 @@
+local datetime = require "datetime"
+local os = require "os"
 local smtp = require "smtp"
 local bin = require "bin"
 local shortport = require "shortport"
@@ -125,6 +127,7 @@ action = function(host, port)
   if not response then
     return
   end
+  local recvtime = os.time()
 
   socket:close()
 
@@ -143,6 +146,13 @@ action = function(host, port)
 
   local ntlm_decoded = smbauth.get_host_info_from_security_blob(response_decoded)
 
+  if ntlm_decoded.timestamp and ntlm_decoded.timestamp > 0 then
+    stdnse.debug1("timestamp is %s", ntlm_decoded.timestamp)
+    -- 64-bit number of 100ns clicks since 1/1/1601
+    local unixstamp = ntlm_decoded.timestamp // 10000000 - 11644473600
+    datetime.record_skew(host, unixstamp, recvtime)
+  end
+
   -- Target Name will always be returned under any implementation
   output.Target_Name = ntlm_decoded.target_realm
 

scripts/ssl-date.nse

@@ -7,6 +7,7 @@ local os = require "os"
 local string = require "string"
 local sslcert = require "sslcert"
 local tls = require "tls"
+local datetime = require "datetime"
 
 description = [[
 Retrieves a target host's time and date from its TLS ServerHello response.
@@ -201,6 +202,7 @@ action = function(host, port)
     end
   end
 
+  datetime.record_skew(host, tm.target, tm.scanner)
   local output = {
                  date = stdnse.format_timestamp(tm.target, 0),
                  delta = tm.delta,

scripts/telnet-ntlm-info.nse

@@ -1,3 +1,5 @@
+local datetime = require "datetime"
+local os = require "os"
 local bin = require "bin"
 local comm = require "comm"
 local shortport = require "shortport"
@@ -87,6 +89,7 @@ action = function(host, port)
     return nil
   end
 
+  local recvtime = os.time()
   socket:close()
 
   -- Continue only if NTLMSSP response is returned.
@@ -100,6 +103,12 @@ action = function(host, port)
   -- Leverage smbauth.get_host_info_from_security_blob() for decoding
   local ntlm_decoded = smbauth.get_host_info_from_security_blob(data)
 
+  if ntlm_decoded.timestamp then
+    -- 64-bit number of 100ns clicks since 1/1/1601
+    local unixstamp = ntlm_decoded.timestamp // 10000000 - 11644473600
+    datetime.record_skew(host, unixstamp, recvtime)
+  end
+
   -- Target Name will always be returned under any implementation
   output.Target_Name = ntlm_decoded.target_realm