diff --git a/nselib/msrpc.lua b/nselib/msrpc.lua
index ec2b78b27..821000648 100644
--- a/nselib/msrpc.lua
+++ b/nselib/msrpc.lua
@@ -61,6 +61,7 @@ local smb = require "smb"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
+local unicode = require "unicode"
_ENV = stdnse.module("msrpc", stdnse.seeall)
-- The path, UUID, and version for SAMR
@@ -3437,6 +3438,275 @@ function svcctl_queryservicestatus(smbstate, handle, control)
return true, result
end
+-- Crafts a marshalled request for sending it to the enumservicestatusw function
+--
+--@param handle The handle, opened by OpenServiceW.
+--@param typeofservice The type of services to be enumerated.
+--@param servicestate The state of the services to be enumerated.
+--@param cbbufsize The size of the buffer pointed to by the lpServices
+-- parameter, in bytes.
+--@param lpresumehandle A pointer to a variable that, on input, specifies the
+-- starting point of enumeration.
+--@return string Returns marshalled string with given arguments.
+local function enumservicestatusparams(handle, tyepofservice, servicestate, cbbufsize, lpresumehandle)
+
+ -- [in,ref] policy_handle *handle
+ return msrpctypes.marshall_policy_handle(handle)
+
+ -- [in] uint32 type
+ .. msrpctypes.marshall_int32(tyepofservice, true)
+
+ -- [in] svcctl_ServiceState
+ .. msrpctypes.marshall_int32(servicestate, true)
+
+ -- [in] [range(0,0x40000)] uint32 cbufsize
+ .. msrpctypes.marshall_int32(cbbufsize, true)
+
+ -- [in,out,unique] uint32 *resume_handle
+ .. msrpctypes.marshall_int32_ptr(lpresumehandle, true)
+
+end
+
+-- Unmarshalls the string based on offset.
+--
+--@param arguments The marshalled arguments to extract the data.
+--@param startpos The start position of the string.
+--@return startpos Returns the strating position of the string.
+--@return string Returns the unmarshalled string.
+
+-- Unmarshalls ENUM_SERVICE_STATUS structure.
+--
+-- The structure of ENUM_SERVICE_STATUS is as follows:
+--
+--
+-- typedef struct {
+-- LPTSTR lpServiceName
+-- LPTSTR lpDisplayName
+-- SERVICE_STATUS ServiceStatus
+-- }
+--
+--
+-- References:
+-- https://msdn.microsoft.com/en-us/library/windows/desktop/ms682651(v=vs.85).aspx
+--
+-- I created this function as a support for svcctl_enumservicesstatusw function.
+-- svcctl_enumservicesstatusw function returns multiple services in the buffer.
+-- In order to remember the starting and ending positions of different unmarshalled
+-- strings and SERVICE_STATUS structs I had to store the previous offset of the
+-- unmarshalled string. This previous offset will be helpful while retrieving the
+-- continous strings from the buffer.
+--
+--@param arguments The marshalled arguments to extract the data.
+--@param pos The position within arguments.
+--@return pos Returns new position in the arguments.
+--@return serviceName Returns an unmarshalled string.
+--@return displayName Returns an unmarshalled string.
+--@return serviceStatus Returns table of values
+local function unmarshall_enum_service_status(arguments, pos)
+
+ local _
+ local serviceNameOffset
+ local displayNameOffset
+ local serviceStatus
+ local serviceName
+ local displayName
+
+ pos, serviceNameOffset = msrpctypes.unmarshall_int32(arguments, pos)
+ pos, displayNameOffset = msrpctypes.unmarshall_int32(arguments, pos)
+ pos, serviceStatus = msrpctypes.unmarshall_SERVICE_STATUS(arguments, pos)
+
+ _, serviceName = msrpctypes.unmarshall_lptstr(arguments, serviceNameOffset + 5)
+ _, displayName = msrpctypes.unmarshall_lptstr(arguments, displayNameOffset + 5)
+
+ -- ServiceName and displayName are converted into UTF-8.
+ serviceName = unicode.utf16to8(serviceName)
+ displayName = unicode.utf16to8(displayName)
+
+ -- Since we are converting the string from utf16to8, an extra NULL byte is
+ -- present at the end of the string. These two lines, strip the last character
+ -- or NULL byte from the end of the string.
+ serviceName = string.sub(serviceName, 1, serviceName:len()-1)
+ displayName = string.sub(displayName, 1, displayName:len()-1)
+
+ stdnse.debug2("ServiceName = %s", serviceName)
+ stdnse.debug2("DisplayName = %s", displayName)
+
+ return pos, serviceName, displayName, serviceStatus
+
+end
+
+-- Attempts to retrieve list of services from a remote system.
+--
+-- The structure of EnumServicesStatus is as follows:
+--
+--
+-- typedef struct {
+-- policy_handle *handle,
+-- uint32 type,
+-- svcctl_ServiceState state,
+-- uint8 *service,
+-- uint32 offered,
+-- uint32 *needed,
+-- uint32 *services_returned,
+-- uint32 *resume_handle
+-- }
+--
+--
+-- References:
+-- https://github.com/samba-team/samba/blob/d8a5565ae647352d11d622bd4e73ff4568678a7c/librpc/idl/svcctl.idl
+-- https://msdn.microsoft.com/en-us/library/windows/desktop/ms682637(v=vs.85).aspx
+--
+--@param smbstate The SMB state table.
+--@param handle The handle, opened by OpenServiceW.
+--@param dwservicetype The type of services to be enumerated.
+-- Lookup table for dwservicetype is as follows:
+-- SERVICE_DRIVER - 0x0000000B
+-- SERVICE_FILE_SYSTEM_DRIVER - 0x00000002
+-- SERVICE_KERNEL_DRIVER - 0x00000001
+-- SERVICE_WIN32 - 0x00000030
+-- SERVICE_WIN32_OWN_PROCESS - 0x00000010 (default)
+-- SERVICE_WIN32_SHARE_PROCESS - 0x00000020
+--@param dwservicestate The state of the services to be enumerated.
+-- Lookup table for dwservicetype is as follows:
+-- SERVICE_ACTIVE - 0x00000001
+-- SERVICE_INACTIVE - 0x00000002
+-- SERVICE_STATE_ALL - 0x00000003 (default)
+--@return pos Returns success or failure.
+--@return output Returns the list of services running on a remote windows system
+-- with serviceName, displayName and service status structure.
+function svcctl_enumservicesstatusw(smbstate, handle, dwservicetype, dwservicestate)
+ local status
+ local result
+ local arguments
+ local pos
+ local _
+ local serviceName
+ local displayName
+ local serviceStatus
+ local lpservices
+
+ local output = stdnse.output_table()
+
+ local DW_SERVICE_TYPE = dwservicetype or 0x00000010
+ local DW_SERVICE_STATE = dwservicestate or 0x00000003
+
+ arguments = enumservicestatusparams(handle, DW_SERVICE_TYPE, DW_SERVICE_STATE, 0x00, nil)
+
+ -- This call is made only to retrieve the pcbBytesNeeded value.
+ status, result = call_function(smbstate, 0x0e, arguments)
+
+ if status ~= true then
+ return false, result
+ end
+
+ arguments = result["arguments"]
+
+ pos = 1
+
+ -- Since the first call is made to retrieve pcbBytesNeeded, the server returns
+ -- an empty array in the response. The following line of code unpacks an
+ -- empty array.
+ lpservices, pos = string.unpack("JobAdd, which schedules a process to be run
-- on the remote machine.
--
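Review bot: In `unmarshall_enum_service_status`, `serviceNameOffset` and `displayNameOffset` are taken straight from the server's reply and used as string positions into `arguments` (`serviceNameOffset + 5`) with no check that they lie inside the buffer, and the results are then passed through `unicode.utf16to8` and `:len()-1` without a nil check, so a truncated or hostile response can raise a Lua error instead of returning a clean failure. The `+ 5` fixup is also undocumented — presumably the 4-byte array header plus Lua's 1-based indexing, but that should be stated next to the code. I would bound both offsets against `#arguments` and bail out before the conversions (sketch below); the caller `svcctl_enumservicesstatusw` is cut off in this hunk, so how it should treat a failed entry cannot be confirmed from here. Minor: the parameter is spelled `tyepofservice` in `enumservicestatusparams` while its @param tag says `typeofservice`, and the orphaned doc block "Unmarshalls the string based on offset." sits above a function that is not in the patch and should be removed or attached to the helper it describes.
```lua
  pos, serviceNameOffset = msrpctypes.unmarshall_int32(arguments, pos)
  pos, displayNameOffset = msrpctypes.unmarshall_int32(arguments, pos)
  pos, serviceStatus = msrpctypes.unmarshall_SERVICE_STATUS(arguments, pos)

  -- The offsets are supplied by the remote host; keep them inside the buffer
  -- before using them as string positions. The +5 accounts for the array
  -- header plus 1-based indexing -- confirm against the wire format.
  if serviceNameOffset + 5 > #arguments or displayNameOffset + 5 > #arguments then
    stdnse.debug1("ENUM_SERVICE_STATUS string offset lies outside the response buffer")
    return nil
  end

  _, serviceName = msrpctypes.unmarshall_lptstr(arguments, serviceNameOffset + 5)
  _, displayName = msrpctypes.unmarshall_lptstr(arguments, displayNameOffset + 5)
  if serviceName == nil or displayName == nil then
    return nil
  end

  -- ... unchanged: UTF-16 to UTF-8 conversion, trailing NUL strip, debug output, return ...
```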
diff --git a/nselib/msrpctypes.lua b/nselib/msrpctypes.lua
index 68e1375e7..238799f05 100644
--- a/nselib/msrpctypes.lua
+++ b/nselib/msrpctypes.lua
@@ -4438,10 +4438,15 @@ end]]--
local svcctl_State =
{
- SERVICE_STATE_ACTIVE = 0x01,
- SERVICE_STATE_INACTIVE = 0x02,
- SERVICE_STATE_ALL = 0x03
+ SERVICE_STOPPED = 0x01,
+ SERVICE_START_PENDING = 0x02,
+ SERVICE_STOP_PENDING = 0x03,
+ SERVICE_RUNNING = 0x04,
+ SERVICE_CONTINUE_PENDING = 0x05,
+ SERVICE_PAUSE_PENDING = 0x06,
+ SERVICE_PAUSED = 0x07,
}
+
---Marshall a svcctl_State. This datatype is tied to the table above with that
-- name.
--
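Review bot: The new `svcctl_State` entries (SERVICE_STOPPED .. SERVICE_PAUSED, 1..7) are the scalar SERVICE_STATUS.dwCurrentState codes, while the entries being removed (SERVICE_STATE_ACTIVE/INACTIVE/ALL, 1..3) are the svcctl_ServiceState enumeration used as the `state` filter of EnumServicesStatus, so this swaps one type's values for another's under the same table name, and the `svcctl_enumservicesstatusw` documentation in msrpc.lua still lists the ACTIVE/INACTIVE/ALL values. The consecutive values 1..7 are not bit flags, yet the sample output in smb-enum-services.nse reports four states for every service (a running service as RUNNING, CONTINUE_PENDING, PAUSE_PENDING and PAUSED — exactly the codes that share bit 0x04), which suggests the marshall/unmarshall helper tied to this table (outside the hunk) tests bits rather than comparing for equality. I would leave the filter enumeration in place, put the dwCurrentState codes in their own table with the comment `-- dwCurrentState of SERVICE_STATUS: a single value, not a bit mask`, and have the decoder emit only the one matching name.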
diff --git a/scripts/script.db b/scripts/script.db
index cbacd6b74..1ae24b738 100644
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -457,6 +457,7 @@ Entry { filename = "smb-double-pulsar-backdoor.nse", categories = { "malware", "
Entry { filename = "smb-enum-domains.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "smb-enum-groups.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "smb-enum-processes.nse", categories = { "discovery", "intrusive", } }
+Entry { filename = "smb-enum-services.nse", categories = { "discovery", "intrusive", "safe", } }
Entry { filename = "smb-enum-sessions.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "smb-enum-shares.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "smb-enum-users.nse", categories = { "auth", "intrusive", } }
diff --git a/scripts/smb-enum-services.nse b/scripts/smb-enum-services.nse
new file mode 100755
index 000000000..ebfb6354f
--- /dev/null
+++ b/scripts/smb-enum-services.nse
@@ -0,0 +1,917 @@
+local msrpc = require "msrpc"
+local smb = require "smb"
+local stdnse = require "stdnse"
+local shortport = require "shortport"
+
+description = [[
+Retrieves the list of services running on a remote Windows system.
+Each service attribute contains service name, display name and service status of
+each service.
+
+Note: Modern Windows systems requires a privileged domain account in order to
+list the services.
+
+References:
+* https://technet.microsoft.com/en-us/library/bb490995.aspx
+* https://en.wikipedia.org/wiki/Windows_service
+]]
+
+---
+-- @usage
+-- nmap --script smb-enum-services.nse -p445
+-- nmap --script smb-enum-services.nse --script-args smbusername=,smbpass= -p445
+--
+-- @output
+-- | smb-enum-services:
+-- |
+-- | ALG:
+-- | display_name: Application Layer Gateway Service
+-- | state:
+-- | SERVICE_PAUSE_PENDING
+-- | SERVICE_CONTINUE_PENDING
+-- | SERVICE_RUNNING
+-- | SERVICE_PAUSED
+-- | type:
+-- | SERVICE_TYPE_WIN32
+-- | SERVICE_TYPE_WIN32_OWN_PROCESS
+-- | controls_accepted:
+-- | SERVICE_CONTROL_CONTINUE
+-- | SERVICE_CONTROL_NETBINDADD
+-- | SERVICE_CONTROL_STOP
+-- | SERVICE_CONTROL_NETBINDENABLE
+-- | ClipSrv:
+-- | display_name: ClipBook
+-- | state:
+-- | SERVICE_STOPPED
+-- | SERVICE_STOP_PENDING
+-- | SERVICE_CONTINUE_PENDING
+-- | SERVICE_PAUSED
+-- | type:
+-- | SERVICE_TYPE_WIN32
+-- | SERVICE_TYPE_WIN32_OWN_PROCESS
+-- | controls_accepted:
+-- |
+-- | COMSysApp:
+-- | display_name: COM+ System Application
+-- | state:
+-- | SERVICE_PAUSE_PENDING
+-- | SERVICE_CONTINUE_PENDING
+-- | SERVICE_RUNNING
+-- | SERVICE_PAUSED
+-- | type:
+-- | SERVICE_TYPE_WIN32
+-- | SERVICE_TYPE_WIN32_OWN_PROCESS
+-- | controls_accepted:
+-- | SERVICE_CONTROL_CONTINUE
+-- | SERVICE_CONTROL_NETBINDADD
+-- | SERVICE_CONTROL_STOP
+-- | SERVICE_CONTROL_NETBINDENABLE
+-- | Dfs:
+-- | display_name: Distributed File System
+-- | state:
+-- | SERVICE_STOPPED
+-- | SERVICE_STOP_PENDING
+-- | SERVICE_CONTINUE_PENDING
+-- | SERVICE_PAUSED
+-- | type:
+-- | SERVICE_TYPE_WIN32
+-- | SERVICE_TYPE_WIN32_OWN_PROCESS
+-- | controls_accepted:
+-- |
+-- | ImapiService:
+-- | display_name: IMAPI CD-Burning COM Service
+-- | state:
+-- | SERVICE_STOPPED
+-- | SERVICE_STOP_PENDING
+-- | SERVICE_CONTINUE_PENDING
+-- | SERVICE_PAUSED
+-- | type:
+-- | SERVICE_TYPE_WIN32
+-- | SERVICE_TYPE_WIN32_OWN_PROCESS
+-- | controls_accepted:
+-- |
+-- | IsmServ:
+-- | display_name: Intersite Messaging
+-- | state:
+-- | SERVICE_STOPPED
+-- | SERVICE_STOP_PENDING
+-- | SERVICE_CONTINUE_PENDING
+-- | SERVICE_PAUSED
+-- | type:
+-- | SERVICE_TYPE_WIN32
+-- | SERVICE_TYPE_WIN32_OWN_PROCESS
+-- | controls_accepted:
+-- |
+-- | LicenseService:
+-- | display_name: License Logging
+-- | state:
+-- | SERVICE_STOPPED
+-- | SERVICE_STOP_PENDING
+-- | SERVICE_CONTINUE_PENDING
+-- | SERVICE_PAUSED
+-- | type:
+-- | SERVICE_TYPE_WIN32
+-- | SERVICE_TYPE_WIN32_OWN_PROCESS
+-- | controls_accepted:
+-- |
+-- | mnmsrvc:
+-- | display_name: NetMeeting Remote Desktop Sharing
+-- | state:
+-- | SERVICE_STOPPED
+-- | SERVICE_STOP_PENDING
+-- | SERVICE_CONTINUE_PENDING
+-- | SERVICE_PAUSED
+-- | type:
+-- | SERVICE_TYPE_WIN32
+-- | SERVICE_TYPE_WIN32_OWN_PROCESS
+-- | controls_accepted:
+-- |
+-- | MSDTC:
+-- | display_name: Distributed Transaction Coordinator
+-- | state:
+-- | SERVICE_PAUSE_PENDING
+-- | SERVICE_CONTINUE_PENDING
+-- | SERVICE_RUNNING
+-- | SERVICE_PAUSED
+-- | type:
+-- | SERVICE_TYPE_WIN32
+-- | SERVICE_TYPE_WIN32_OWN_PROCESS
+-- | controls_accepted:
+-- | SERVICE_CONTROL_CONTINUE
+-- | SERVICE_CONTROL_INTERROGATE
+-- | SERVICE_CONTROL_NETBINDADD
+-- | SERVICE_CONTROL_PARAMCHANGE
+-- | SERVICE_CONTROL_STOP
+-- | SERVICE_CONTROL_NETBINDENABLE
+-- | NtFrs:
+-- | display_name: File Replication
+-- | state:
+-- | SERVICE_STOPPED
+-- | SERVICE_STOP_PENDING
+-- | SERVICE_CONTINUE_PENDING
+-- | SERVICE_PAUSED
+-- | type:
+-- | SERVICE_TYPE_WIN32
+-- | SERVICE_TYPE_WIN32_OWN_PROCESS
+-- | controls_accepted:
+-- |
+-- | RDSessMgr:
+-- | display_name: Remote Desktop Help Session Manager
+-- | state:
+-- | SERVICE_STOPPED
+-- | SERVICE_STOP_PENDING
+-- | SERVICE_CONTINUE_PENDING
+-- | SERVICE_PAUSED
+-- | type:
+-- | SERVICE_TYPE_WIN32
+-- | SERVICE_TYPE_WIN32_OWN_PROCESS
+-- | controls_accepted:
+-- |
+-- | rpcapd:
+-- | display_name: Remote Packet Capture Protocol v.0 (experimental)
+-- | state:
+-- | SERVICE_STOPPED
+-- | SERVICE_STOP_PENDING
+-- | SERVICE_CONTINUE_PENDING
+-- | SERVICE_PAUSED
+-- | type:
+-- | SERVICE_TYPE_WIN32
+-- | SERVICE_TYPE_WIN32_OWN_PROCESS
+-- | controls_accepted:
+-- |
+-- | RpcLocator:
+-- | display_name: Remote Procedure Call (RPC) Locator
+-- | state:
+-- | SERVICE_STOPPED
+-- | SERVICE_STOP_PENDING
+-- | SERVICE_CONTINUE_PENDING
+-- | SERVICE_PAUSED
+-- | type:
+-- | SERVICE_TYPE_WIN32
+-- | SERVICE_TYPE_WIN32_OWN_PROCESS
+-- | controls_accepted:
+-- |
+-- | Spooler:
+-- | display_name: Print Spooler
+-- | state:
+-- | SERVICE_PAUSE_PENDING
+-- | SERVICE_CONTINUE_PENDING
+-- | SERVICE_RUNNING
+-- | SERVICE_PAUSED
+-- | type:
+-- | SERVICE_TYPE_WIN32
+-- | SERVICE_TYPE_WIN32_OWN_PROCESS
+-- | controls_accepted:
+-- | SERVICE_CONTROL_CONTINUE
+-- | SERVICE_CONTROL_INTERROGATE
+-- | SERVICE_CONTROL_NETBINDADD
+-- | SERVICE_CONTROL_PARAMCHANGE
+-- | SERVICE_CONTROL_STOP
+-- | SERVICE_CONTROL_NETBINDENABLE
+-- | swprv:
+-- | display_name: Microsoft Software Shadow Copy Provider
+-- | state:
+-- | SERVICE_STOPPED
+-- | SERVICE_STOP_PENDING
+-- | SERVICE_CONTINUE_PENDING
+-- | SERVICE_PAUSED
+-- | type:
+-- | SERVICE_TYPE_WIN32
+-- | SERVICE_TYPE_WIN32_OWN_PROCESS
+-- | controls_accepted:
+-- |
+-- | SysmonLog:
+-- | display_name: Performance Logs and Alerts
+-- | state:
+-- | SERVICE_STOPPED
+-- | SERVICE_STOP_PENDING
+-- | SERVICE_CONTINUE_PENDING
+-- | SERVICE_PAUSED
+-- | type:
+-- | SERVICE_TYPE_WIN32
+-- | SERVICE_TYPE_WIN32_OWN_PROCESS
+-- | controls_accepted:
+-- |
+-- | TlntSvr:
+-- | display_name: Telnet
+-- | state:
+-- | SERVICE_STOPPED
+-- | SERVICE_STOP_PENDING
+-- | SERVICE_CONTINUE_PENDING
+-- | SERVICE_PAUSED
+-- | type:
+-- | SERVICE_TYPE_WIN32
+-- | SERVICE_TYPE_WIN32_OWN_PROCESS
+-- | controls_accepted:
+-- |
+-- | TPVCGateway:
+-- | display_name: TP VC Gateway Service
+-- | state:
+-- | SERVICE_STOPPED
+-- | SERVICE_STOP_PENDING
+-- | SERVICE_CONTINUE_PENDING
+-- | SERVICE_PAUSED
+-- | type:
+-- | SERVICE_TYPE_WIN32
+-- | SERVICE_TYPE_WIN32_OWN_PROCESS
+-- | controls_accepted:
+-- |
+-- | Tssdis:
+-- | display_name: Terminal Services Session Directory
+-- | state:
+-- | SERVICE_STOPPED
+-- | SERVICE_STOP_PENDING
+-- | SERVICE_CONTINUE_PENDING
+-- | SERVICE_PAUSED
+-- | type:
+-- | SERVICE_TYPE_WIN32
+-- | SERVICE_TYPE_WIN32_OWN_PROCESS
+-- | controls_accepted:
+-- |
+-- | UMWdf:
+-- | display_name: Windows User Mode Driver Framework
+-- | state:
+-- | SERVICE_STOPPED
+-- | SERVICE_STOP_PENDING
+-- | SERVICE_CONTINUE_PENDING
+-- | SERVICE_PAUSED
+-- | type:
+-- | SERVICE_TYPE_WIN32
+-- | SERVICE_TYPE_WIN32_OWN_PROCESS
+-- | controls_accepted:
+-- |
+-- | UPS:
+-- | display_name: Uninterruptible Power Supply
+-- | state:
+-- | SERVICE_STOPPED
+-- | SERVICE_STOP_PENDING
+-- | SERVICE_CONTINUE_PENDING
+-- | SERVICE_PAUSED
+-- | type:
+-- | SERVICE_TYPE_WIN32
+-- | SERVICE_TYPE_WIN32_OWN_PROCESS
+-- | controls_accepted:
+-- |
+-- | vds:
+-- | display_name: Virtual Disk Service
+-- | state:
+-- | SERVICE_STOPPED
+-- | SERVICE_STOP_PENDING
+-- | SERVICE_CONTINUE_PENDING
+-- | SERVICE_PAUSED
+-- | type:
+-- | SERVICE_TYPE_WIN32
+-- | SERVICE_TYPE_WIN32_OWN_PROCESS
+-- | controls_accepted:
+-- |
+-- | VGAuthService:
+-- | display_name: VMware Alias Manager and Ticket Service
+-- | state:
+-- | SERVICE_PAUSE_PENDING
+-- | SERVICE_CONTINUE_PENDING
+-- | SERVICE_RUNNING
+-- | SERVICE_PAUSED
+-- | type:
+-- | SERVICE_TYPE_WIN32
+-- | SERVICE_TYPE_WIN32_OWN_PROCESS
+-- | controls_accepted:
+-- | SERVICE_CONTROL_CONTINUE
+-- | SERVICE_CONTROL_NETBINDADD
+-- | SERVICE_CONTROL_STOP
+-- | SERVICE_CONTROL_NETBINDENABLE
+-- | VMTools:
+-- | display_name: VMware Tools
+-- | state:
+-- | SERVICE_PAUSE_PENDING
+-- | SERVICE_CONTINUE_PENDING
+-- | SERVICE_RUNNING
+-- | SERVICE_PAUSED
+-- | type:
+-- | SERVICE_TYPE_WIN32
+-- | SERVICE_TYPE_WIN32_OWN_PROCESS
+-- | controls_accepted:
+-- | SERVICE_CONTROL_CONTINUE
+-- | SERVICE_CONTROL_INTERROGATE
+-- | SERVICE_CONTROL_NETBINDDISABLE
+-- | SERVICE_CONTROL_PAUSE
+-- | SERVICE_CONTROL_NETBINDADD
+-- | SERVICE_CONTROL_PARAMCHANGE
+-- | SERVICE_CONTROL_STOP
+-- | SERVICE_CONTROL_NETBINDENABLE
+-- | vmvss:
+-- | display_name: VMware Snapshot Provider
+-- | state:
+-- | SERVICE_STOPPED
+-- | SERVICE_STOP_PENDING
+-- | SERVICE_CONTINUE_PENDING
+-- | SERVICE_PAUSED
+-- | type:
+-- | SERVICE_TYPE_WIN32
+-- | SERVICE_TYPE_WIN32_OWN_PROCESS
+-- | controls_accepted:
+-- |
+-- | VMware Physical Disk Helper Service:
+-- | display_name: VMware Physical Disk Helper Service
+-- | state:
+-- | SERVICE_PAUSE_PENDING
+-- | SERVICE_CONTINUE_PENDING
+-- | SERVICE_RUNNING
+-- | SERVICE_PAUSED
+-- | type:
+-- | SERVICE_TYPE_WIN32
+-- | SERVICE_TYPE_WIN32_OWN_PROCESS
+-- | controls_accepted:
+-- | SERVICE_CONTROL_CONTINUE
+-- | SERVICE_CONTROL_NETBINDADD
+-- | SERVICE_CONTROL_STOP
+-- | SERVICE_CONTROL_NETBINDENABLE
+-- | VSS:
+-- | display_name: Volume Shadow Copy
+-- | state:
+-- | SERVICE_STOPPED
+-- | SERVICE_STOP_PENDING
+-- | SERVICE_CONTINUE_PENDING
+-- | SERVICE_PAUSED
+-- | type:
+-- | SERVICE_TYPE_WIN32
+-- | SERVICE_TYPE_WIN32_OWN_PROCESS
+-- | controls_accepted:
+-- |
+-- | WmiApSrv:
+-- | display_name: WMI Performance Adapter
+-- | state:
+-- | SERVICE_STOPPED
+-- | SERVICE_STOP_PENDING
+-- | SERVICE_CONTINUE_PENDING
+-- | SERVICE_PAUSED
+-- | type:
+-- | SERVICE_TYPE_WIN32
+-- | SERVICE_TYPE_WIN32_OWN_PROCESS
+-- |_ controls_accepted:
+--
+-- @xmloutput
+--
+--
+-- Application Layer Gateway Service
+--
+-- SERVICE_PAUSED
+-- SERVICE_PAUSE_PENDING
+-- SERVICE_RUNNING
+-- SERVICE_CONTINUE_PENDING
+--
+--
+-- SERVICE_TYPE_WIN32_OWN_PROCESS
+-- SERVICE_TYPE_WIN32
+--
+--
+-- SERVICE_CONTROL_NETBINDADD
+-- SERVICE_CONTROL_CONTINUE
+-- SERVICE_CONTROL_NETBINDENABLE
+-- SERVICE_CONTROL_STOP
+--
+--
+--
+-- ClipBook
+--
+-- SERVICE_STOPPED
+-- SERVICE_PAUSED
+-- SERVICE_STOP_PENDING
+-- SERVICE_CONTINUE_PENDING
+--
+--
+-- SERVICE_TYPE_WIN32_OWN_PROCESS
+-- SERVICE_TYPE_WIN32
+--
+--
+--
+--
+-- COM+ System Application
+--
+-- SERVICE_PAUSED
+-- SERVICE_PAUSE_PENDING
+-- SERVICE_RUNNING
+-- SERVICE_CONTINUE_PENDING
+--
+--
+-- SERVICE_TYPE_WIN32_OWN_PROCESS
+-- SERVICE_TYPE_WIN32
+--
+--
+-- SERVICE_CONTROL_NETBINDADD
+-- SERVICE_CONTROL_CONTINUE
+-- SERVICE_CONTROL_NETBINDENABLE
+-- SERVICE_CONTROL_STOP
+--
+--
+--
+-- Distributed File System
+--
+-- SERVICE_STOPPED
+-- SERVICE_PAUSED
+-- SERVICE_STOP_PENDING
+-- SERVICE_CONTINUE_PENDING
+--
+--
+-- SERVICE_TYPE_WIN32_OWN_PROCESS
+-- SERVICE_TYPE_WIN32
+--
+--
+--
+--
+-- IMAPI CD-Burning COM Service
+--
+-- SERVICE_STOPPED
+-- SERVICE_PAUSED
+-- SERVICE_STOP_PENDING
+-- SERVICE_CONTINUE_PENDING
+--
+--
+-- SERVICE_TYPE_WIN32_OWN_PROCESS
+-- SERVICE_TYPE_WIN32
+--
+--
+--
+--
+-- Intersite Messaging
+--
+-- SERVICE_STOPPED
+-- SERVICE_PAUSED
+-- SERVICE_STOP_PENDING
+-- SERVICE_CONTINUE_PENDING
+--
+--
+-- SERVICE_TYPE_WIN32_OWN_PROCESS
+-- SERVICE_TYPE_WIN32
+--
+--
+--
+--
+-- License Logging
+--
+-- SERVICE_STOPPED
+-- SERVICE_PAUSED
+-- SERVICE_STOP_PENDING
+-- SERVICE_CONTINUE_PENDING
+--
+--
+-- SERVICE_TYPE_WIN32_OWN_PROCESS
+-- SERVICE_TYPE_WIN32
+--
+--
+--
+--
+-- NetMeeting Remote Desktop Sharing
+--
+-- SERVICE_STOPPED
+-- SERVICE_PAUSED
+-- SERVICE_STOP_PENDING
+-- SERVICE_CONTINUE_PENDING
+--
+--
+-- SERVICE_TYPE_WIN32_OWN_PROCESS
+-- SERVICE_TYPE_WIN32
+--
+--
+--
+--
+-- Distributed Transaction Coordinator
+--
+-- SERVICE_PAUSED
+-- SERVICE_PAUSE_PENDING
+-- SERVICE_RUNNING
+-- SERVICE_CONTINUE_PENDING
+--
+--
+-- SERVICE_TYPE_WIN32_OWN_PROCESS
+-- SERVICE_TYPE_WIN32
+--
+--
+-- SERVICE_CONTROL_NETBINDADD
+-- SERVICE_CONTROL_CONTINUE
+-- SERVICE_CONTROL_INTERROGATE
+-- SERVICE_CONTROL_NETBINDENABLE
+-- SERVICE_CONTROL_STOP
+-- SERVICE_CONTROL_PARAMCHANGE
+--
+--
+--
+-- File Replication
+--
+-- SERVICE_STOPPED
+-- SERVICE_PAUSED
+-- SERVICE_STOP_PENDING
+-- SERVICE_CONTINUE_PENDING
+--
+--
+-- SERVICE_TYPE_WIN32_OWN_PROCESS
+-- SERVICE_TYPE_WIN32
+--
+--
+--
+--
+-- Remote Desktop Help Session Manager
+--
+-- SERVICE_STOPPED
+-- SERVICE_PAUSED
+-- SERVICE_STOP_PENDING
+-- SERVICE_CONTINUE_PENDING
+--
+--
+-- SERVICE_TYPE_WIN32_OWN_PROCESS
+-- SERVICE_TYPE_WIN32
+--
+--
+--
+--
+-- Remote Packet Capture Protocol v.0 (experimental)
+--
+-- SERVICE_STOPPED
+-- SERVICE_PAUSED
+-- SERVICE_STOP_PENDING
+-- SERVICE_CONTINUE_PENDING
+--
+--
+-- SERVICE_TYPE_WIN32_OWN_PROCESS
+-- SERVICE_TYPE_WIN32
+--
+--
+--
+--
+-- Remote Procedure Call (RPC) Locator
+--
+-- SERVICE_STOPPED
+-- SERVICE_PAUSED
+-- SERVICE_STOP_PENDING
+-- SERVICE_CONTINUE_PENDING
+--
+--
+-- SERVICE_TYPE_WIN32_OWN_PROCESS
+-- SERVICE_TYPE_WIN32
+--
+--
+--
+--
+-- Print Spooler
+--
+-- SERVICE_PAUSED
+-- SERVICE_PAUSE_PENDING
+-- SERVICE_RUNNING
+-- SERVICE_CONTINUE_PENDING
+--
+--
+-- SERVICE_TYPE_WIN32_OWN_PROCESS
+-- SERVICE_TYPE_WIN32
+--
+--
+-- SERVICE_CONTROL_NETBINDADD
+-- SERVICE_CONTROL_CONTINUE
+-- SERVICE_CONTROL_INTERROGATE
+-- SERVICE_CONTROL_NETBINDENABLE
+-- SERVICE_CONTROL_STOP
+-- SERVICE_CONTROL_PARAMCHANGE
+--
+--
+--
+-- Microsoft Software Shadow Copy Provider
+--
+-- SERVICE_STOPPED
+-- SERVICE_PAUSED
+-- SERVICE_STOP_PENDING
+-- SERVICE_CONTINUE_PENDING
+--
+--
+-- SERVICE_TYPE_WIN32_OWN_PROCESS
+-- SERVICE_TYPE_WIN32
+--
+--
+--
+--
+-- Performance Logs and Alerts
+--
+-- SERVICE_STOPPED
+-- SERVICE_PAUSED
+-- SERVICE_STOP_PENDING
+-- SERVICE_CONTINUE_PENDING
+--
+--
+-- SERVICE_TYPE_WIN32_OWN_PROCESS
+-- SERVICE_TYPE_WIN32
+--
+--
+--
+--
+-- Telnet
+--
+-- SERVICE_STOPPED
+-- SERVICE_PAUSED
+-- SERVICE_STOP_PENDING
+-- SERVICE_CONTINUE_PENDING
+--
+--
+-- SERVICE_TYPE_WIN32_OWN_PROCESS
+-- SERVICE_TYPE_WIN32
+--
+--
+--
+--
+-- TP VC Gateway Service
+--
+-- SERVICE_STOPPED
+-- SERVICE_PAUSED
+-- SERVICE_STOP_PENDING
+-- SERVICE_CONTINUE_PENDING
+--
+--
+-- SERVICE_TYPE_WIN32_OWN_PROCESS
+-- SERVICE_TYPE_WIN32
+--
+--
+--
+--
+-- Terminal Services Session Directory
+--
+-- SERVICE_STOPPED
+-- SERVICE_PAUSED
+-- SERVICE_STOP_PENDING
+-- SERVICE_CONTINUE_PENDING
+--
+--
+-- SERVICE_TYPE_WIN32_OWN_PROCESS
+-- SERVICE_TYPE_WIN32
+--
+--
+--
+--
+-- Windows User Mode Driver Framework
+--
+-- SERVICE_STOPPED
+-- SERVICE_PAUSED
+-- SERVICE_STOP_PENDING
+-- SERVICE_CONTINUE_PENDING
+--
+--
+-- SERVICE_TYPE_WIN32_OWN_PROCESS
+-- SERVICE_TYPE_WIN32
+--
+--
+--
+--
+-- Uninterruptible Power Supply
+--
+-- SERVICE_STOPPED
+-- SERVICE_PAUSED
+-- SERVICE_STOP_PENDING
+-- SERVICE_CONTINUE_PENDING
+--
+--
+-- SERVICE_TYPE_WIN32_OWN_PROCESS
+-- SERVICE_TYPE_WIN32
+--
+--
+--
+--
+-- Virtual Disk Service
+--
+-- SERVICE_STOPPED
+-- SERVICE_PAUSED
+-- SERVICE_STOP_PENDING
+-- SERVICE_CONTINUE_PENDING
+--
+--
+-- SERVICE_TYPE_WIN32_OWN_PROCESS
+-- SERVICE_TYPE_WIN32
+--
+--
+--
+--
+-- VMware Alias Manager and Ticket Service
+--
+-- SERVICE_PAUSED
+-- SERVICE_PAUSE_PENDING
+-- SERVICE_RUNNING
+-- SERVICE_CONTINUE_PENDING
+--
+--
+-- SERVICE_TYPE_WIN32_OWN_PROCESS
+-- SERVICE_TYPE_WIN32
+--
+--
+-- SERVICE_CONTROL_NETBINDADD
+-- SERVICE_CONTROL_CONTINUE
+-- SERVICE_CONTROL_NETBINDENABLE
+-- SERVICE_CONTROL_STOP
+--
+--
+--
+-- VMware Tools
+--
+-- SERVICE_PAUSED
+-- SERVICE_PAUSE_PENDING
+-- SERVICE_RUNNING
+-- SERVICE_CONTINUE_PENDING
+--
+--
+-- SERVICE_TYPE_WIN32_OWN_PROCESS
+-- SERVICE_TYPE_WIN32
+--
+--
+-- SERVICE_CONTROL_NETBINDADD
+-- SERVICE_CONTROL_CONTINUE
+-- SERVICE_CONTROL_INTERROGATE
+-- SERVICE_CONTROL_NETBINDDISABLE
+-- SERVICE_CONTROL_NETBINDENABLE
+-- SERVICE_CONTROL_STOP
+-- SERVICE_CONTROL_PAUSE
+-- SERVICE_CONTROL_PARAMCHANGE
+--
+--
+--
+-- VMware Snapshot Provider
+--
+-- SERVICE_STOPPED
+-- SERVICE_PAUSED
+-- SERVICE_STOP_PENDING
+-- SERVICE_CONTINUE_PENDING
+--
+--
+-- SERVICE_TYPE_WIN32_OWN_PROCESS
+-- SERVICE_TYPE_WIN32
+--
+--
+--
+--
+-- VMware Physical Disk Helper Service
+--
+-- SERVICE_PAUSED
+-- SERVICE_PAUSE_PENDING
+-- SERVICE_RUNNING
+-- SERVICE_CONTINUE_PENDING
+--
+--
+-- SERVICE_TYPE_WIN32_OWN_PROCESS
+-- SERVICE_TYPE_WIN32
+--
+--
+-- SERVICE_CONTROL_NETBINDADD
+-- SERVICE_CONTROL_CONTINUE
+-- SERVICE_CONTROL_NETBINDENABLE
+-- SERVICE_CONTROL_STOP
+--
+--
+--
+-- Volume Shadow Copy
+--
+-- SERVICE_STOPPED
+-- SERVICE_PAUSED
+-- SERVICE_STOP_PENDING
+-- SERVICE_CONTINUE_PENDING
+--
+--
+-- SERVICE_TYPE_WIN32_OWN_PROCESS
+-- SERVICE_TYPE_WIN32
+--
+--
+--
+--
+-- WMI Performance Adapter
+--
+-- SERVICE_STOPPED
+-- SERVICE_PAUSED
+-- SERVICE_STOP_PENDING
+-- SERVICE_CONTINUE_PENDING
+--
+--
+-- SERVICE_TYPE_WIN32_OWN_PROCESS
+-- SERVICE_TYPE_WIN32
+--
+--
+--
+
+author = "Rewanth Cool"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"discovery","intrusive","safe"}
+
+portrule = shortport.port_or_service({445, 139}, "microsoft-ds", "tcp", "open")
+
+action = function(host, port)
+
+ local open_result
+ local close_result
+ local bind_result
+ local result
+
+ local status, smbstate = msrpc.start_smb(host, msrpc.SVCCTL_PATH)
+ status, bind_result = msrpc.bind(smbstate, msrpc.SVCCTL_UUID, msrpc.SVCCTL_VERSION, nil)
+
+ if(status == false) then
+ smb.stop(smbstate)
+ return nil, stdnse.format_output(false, bind_result)
+ end
+
+ -- Open the service manager
+ stdnse.debug2("Opening the remote service manager")
+
+ status, open_result = msrpc.svcctl_openscmanagerw(smbstate, host.ip)
+
+ if(status == false) then
+ smb.stop(smbstate)
+ return nil, stdnse.format_output(false, open_result)
+ end
+
+
+ --@param dwservicetype The type of services to be enumerated.
+ -- Lookup table for dwservicetype is as follows:
+ -- SERVICE_DRIVER - 0x0000000B
+ -- SERVICE_FILE_SYSTEM_DRIVER - 0x00000002
+ -- SERVICE_KERNEL_DRIVER - 0x00000001
+ -- SERVICE_WIN32 - 0x00000030
+ -- SERVICE_WIN32_OWN_PROCESS - 0x00000010 (default)
+ -- SERVICE_WIN32_SHARE_PROCESS - 0x00000020
+ local dwservicetype = 0x00000010
+
+ --@param dwservicestate The state of the services to be enumerated.
+ -- Lookup table for dwservicetype is as follows:
+ -- SERVICE_ACTIVE - 0x00000001
+ -- SERVICE_INACTIVE - 0x00000002
+ -- SERVICE_STATE_ALL - 0x00000003 (default)
+ local dwservicestate = 0x00000001
+
+ -- Fetches service name, display name and service status of every service.
+ status, result = msrpc.svcctl_enumservicesstatusw(smbstate, open_result["handle"], dwservicetype, dwservicestate)
+
+ if(status == false) then
+ smb.stop(smbstate)
+ return nil, stdnse.format_output(false, result)
+ end
+
+ -- Close the service manager
+ stdnse.debug2("Closing the remote service manager")
+
+ status, close_result = msrpc.svcctl_closeservicehandle(smbstate, open_result['handle'])
+
+ smb.stop(smbstate)
+
+ return result
+
+end
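Review bot: The return status of `msrpc.start_smb` at the top of `action` is never examined before `smbstate` is handed to `msrpc.bind`; `status` is overwritten by the bind result on the next line, so a failed SMB setup continues with an error string where a state table is expected and `smb.stop` is later called on it. Add `if(status == false) then return nil, stdnse.format_output(false, smbstate) end` between the two calls, mirroring the checks that already follow `bind` and `svcctl_openscmanagerw`. The `categories` line also lists both `"intrusive"` and `"safe"`, which Nmap treats as mutually exclusive; every other smb-enum-* entry in script.db uses `{"discovery", "intrusive"}`, so matching that and regenerating script.db looks like the intent. Separately, the `--@param` blocks inside the body (above `local dwservicetype` and `local dwservicestate`) are NSEdoc tags on local variables copied from the library docs and should be plain `--` comments, and the sample @output includes SERVICE_STOPPED services although the script requests `dwservicestate = 0x00000001` (SERVICE_ACTIVE per that comment) — worth confirming which filter produced it.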