PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-07 13:11:28 +00:00
Code Issues Projects Releases Wiki Activity

New script: imap-ntlm-info

Browse Source
This commit is contained in:
dmiller
2016-01-08 03:08:26 +00:00
parent 2702b4d030
commit 70798c2468
3 changed files with 171 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGELOG
View File

@@ -1,5 +1,8 @@
# Nmap Changelog ($Id$); -*-text-*- # Nmap Changelog ($Id$); -*-text-*-
o [NSE] Added imap-ntlm-info for extracting hostname and sometimes OS version
from NTLM-auth-enabled IMAP services. [Justin Cacak]
o [NSE] Added http-vuln-cve2013-6786 for detecting a XSS and URL redirection o [NSE] Added http-vuln-cve2013-6786 for detecting a XSS and URL redirection
vulnerability in Allegro RomPager web server. Also added a fingerprint for vulnerability in Allegro RomPager web server. Also added a fingerprint for
detecting CVE-2014-4019 to http-fingerprints.lua. [Vlatko Kosturjak] detecting CVE-2014-4019 to http-fingerprints.lua. [Vlatko Kosturjak]

167
scripts/imap-ntlm-info.nse Normal file
View File

@@ -0,0 +1,167 @@
local comm = require "comm"
local bin = require "bin"
local shortport = require "shortport"
local sslcert = require "sslcert"
local stdnse = require "stdnse"
local base64 = require "base64"
local smbauth = require "smbauth"
local string = require "string"
description = [[
This script enumerates information from remote IMAP services with NTLM
authentication enabled.
Sending an IMAP NTLM authentication request with null credentials will
cause the remote service to respond with a NTLMSSP message disclosing
information to include NetBIOS, DNS, and OS build version.
]]
---
-- @usage
-- nmap -p 143,993 --script imap-ntlm-info <target>
--
-- @output
-- 143/tcp open imap
-- | imap-ntlm-info:
-- | Target_Name: ACTIVEIMAP
-- | NetBIOS_Domain_Name: ACTIVEIMAP
-- | NetBIOS_Computer_Name: IMAP-TEST2
-- | DNS_Domain_Name: somedomain.com
-- | DNS_Computer_Name: imap-test2.somedomain.com
-- | DNS_Tree_Name: somedomain.com
-- |_ Product_Version: 6.1 (Build 7601)
--
--@xmloutput
-- <elem key="Target_Name">ACTIVEIMAP</elem>
-- <elem key="NetBIOS_Domain_Name">ACTIVEIMAP</elem>
-- <elem key="NetBIOS_Computer_Name">IMAP-TEST2</elem>
-- <elem key="DNS_Domain_Name">somedomain.com</elem>
-- <elem key="DNS_Computer_Name">imap-test2.somedomain.com</elem>
-- <elem key="DNS_Tree_Name">somedomain.com</elem>
-- <elem key="Product_Version">6.1 (Build 7601)</elem>
author = "Justin Cacak"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "discovery", "safe"}
local ntlm_auth_blob = base64.enc( select(2,
smbauth.get_security_blob(nil, nil, nil, nil, nil, nil, nil,
0x00000001 + -- Negotiate Unicode
0x00000002 + -- Negotiate OEM strings
0x00000004 + -- Request Target
0x00000200 + -- Negotiate NTLM
0x00008000 + -- Negotiate Always Sign
0x00080000 + -- Negotiate NTLM2 Key
0x20000000 + -- Negotiate 128
0x80000000 -- Negotiate 56
))
)
portrule = shortport.port_or_service({ 143, 993 }, { "imap", "imaps" })
action = function(host, port)
local output = stdnse.output_table()
local starttls = sslcert.isPortSupported(port)
local socket
if starttls then
local status
status, socket = starttls(host, port)
if not status then
-- could be socket problems, but more likely STARTTLS not supported.
stdnse.debug1("starttls error: %s", socket)
end
end
if not socket then
local line, bopt, first_line
socket, line, bopt, first_line = comm.tryssl(host, port, "" , {recv_before=true})
if not socket then
stdnse.debug1("connection error: %s", line)
return nil
end
end
socket:send("000b AUTHENTICATE NTLM\r\n")
local status, response = socket:receive()
if not status then
stdnse.debug1("Socket receive failed: %s", response)
return nil
end
if not response then
stdnse.debug1("No response to AUTHENTICATE NTLM")
return nil
end
socket:send(ntlm_auth_blob .. "\r\n")
status, response = socket:receive()
if not status then
stdnse.debug1("Socket receive failed: %s", response)
return nil
end
if not response then
stdnse.debug1("No response to NTLM challenge")
return nil
end
socket:close()
if string.match(response, "^A%d%d%d%d ") then
stdnse.debug2("NTLM auth not supported.")
return nil
end
-- Continue only if a + response is returned
local response_decoded = string.match(response, "+ (.*)")
if not response_decoded then
stdnse.debug1("Unexpected response to NTLM challenge: %s", response)
return nil
end
local response_decoded = base64.dec(response_decoded)
-- Continue only if NTLMSSP response is returned
if not string.match(response_decoded, "^NTLMSSP") then
stdnse.debug1("Unexpected response to NTLM challenge: %s", response)
return nil
end
-- Leverage smbauth.get_host_info_from_security_blob() for decoding
local ntlm_decoded = smbauth.get_host_info_from_security_blob(response_decoded)
-- Target Name will always be returned under any implementation
output.Target_Name = ntlm_decoded.target_realm
-- Display information returned & ignore responses with null values
if ntlm_decoded.netbios_domain_name and #ntlm_decoded.netbios_domain_name > 0 then
output.NetBIOS_Domain_Name = ntlm_decoded.netbios_domain_name
end
if ntlm_decoded.netbios_computer_name and #ntlm_decoded.netbios_computer_name > 0 then
output.NetBIOS_Computer_Name = ntlm_decoded.netbios_computer_name
end
if ntlm_decoded.dns_domain_name and #ntlm_decoded.dns_domain_name > 0 then
output.DNS_Domain_Name = ntlm_decoded.dns_domain_name
end
if ntlm_decoded.fqdn and #ntlm_decoded.fqdn > 0 then
output.DNS_Computer_Name = ntlm_decoded.fqdn
end
if ntlm_decoded.dns_forest_name and #ntlm_decoded.dns_forest_name > 0 then
output.DNS_Tree_Name = ntlm_decoded.dns_forest_name
end
if ntlm_decoded.os_major_version then
output.Product_Version = string.format("%d.%d.%d",
ntlm_decoded.os_major_version, ntlm_decoded.os_minor_version, ntlm_decoded.os_build)
end
return output
end

1
scripts/script.db
View File

@@ -261,6 +261,7 @@ Entry { filename = "icap-info.nse", categories = { "discovery", "safe", } }
Entry { filename = "ike-version.nse", categories = { "default", "discovery", "safe", "version", } } Entry { filename = "ike-version.nse", categories = { "default", "discovery", "safe", "version", } }
Entry { filename = "imap-brute.nse", categories = { "brute", "intrusive", } } Entry { filename = "imap-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "imap-capabilities.nse", categories = { "default", "safe", } } Entry { filename = "imap-capabilities.nse", categories = { "default", "safe", } }
Entry { filename = "imap-ntlm-info.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "informix-brute.nse", categories = { "brute", "intrusive", } } Entry { filename = "informix-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "informix-query.nse", categories = { "auth", "intrusive", } } Entry { filename = "informix-query.nse", categories = { "auth", "intrusive", } }
Entry { filename = "informix-tables.nse", categories = { "auth", "intrusive", } } Entry { filename = "informix-tables.nse", categories = { "auth", "intrusive", } }