PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-06 12:41:29 +00:00
Code Issues Projects Releases Wiki Activity

Fixed a bunch of errors reported by Ron Bowes;

Browse Source 
http://seclists.org/nmap-dev/2012/q2/639
This commit is contained in:
patrik
2012-06-06 21:57:00 +00:00
parent 731e8b5302
commit c4617f8d31
7 changed files with 85 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
nselib/ajp.lua
View File

@@ -521,3 +521,5 @@ Helper = {
end, end,
} }
return _ENV;

19
nselib/asn1.lua
View File

@@ -277,11 +277,12 @@ ASN1Decoder = {
-- --
ASN1Encoder = { ASN1Encoder = {
new = function(self,o) new = function(self)
o = o or {} local o = {}
setmetatable(o, self) setmetatable(o, self)
self.__index = self self.__index = self
return o o:registerBaseEncoders()
return o
end, end,
--- ---
@@ -332,6 +333,14 @@ ASN1Encoder = {
end end
end end
-- Table encoder
self.encoder['table'] = function( self, val )
assert('table' == type(val), "val is not a table")
assert(#val.type > 0, "Table is missing the type field")
assert(val.value ~= nil, "Table is missing the value field")
return bin.pack("HAA", val.type, self.encodeLength(#val.value), val.value)
end
-- Integer encoder -- Integer encoder
self.encoder['number'] = function( self, val ) self.encoder['number'] = function( self, val )
local ival = self.encodeInt(val) local ival = self.encodeInt(val)

8
nselib/json.lua
View File

@@ -32,18 +32,18 @@ _ENV = stdnse.module("json", stdnse.seeall)
--Some local shortcuts --Some local shortcuts
local function dbg(str,...) local function dbg(str,...)
stdnse.print_debug("Json:"..str, table.unpack(arg)) stdnse.print_debug("Json:"..str, ...)
end end
local function d4(str,...) local function d4(str,...)
if nmap.debugging() > 3 then dbg(str,table.unpack(arg)) end if nmap.debugging() > 3 then dbg(str,...) end
end end
local function d3(str,...) local function d3(str,...)
if nmap.debugging() > 2 then dbg(str,table.unpack(arg)) end if nmap.debugging() > 2 then dbg(str,...) end
end end
--local dbg =stdnse.print_debug --local dbg =stdnse.print_debug
local function dbg_err(str,...) local function dbg_err(str,...)
stdnse.print_debug("json-ERR:"..str, table.unpack(arg)) stdnse.print_debug("json-ERR:"..str, ...)
end end
-- Javascript null representation, see explanation above -- Javascript null representation, see explanation above

63
nselib/smb.lua
View File

@@ -121,6 +121,7 @@
-- @author Ron Bowes <ron@skullsecurity.net> -- @author Ron Bowes <ron@skullsecurity.net>
-- @copyright Same as Nmap--See http://nmap.org/book/man-legal.html -- @copyright Same as Nmap--See http://nmap.org/book/man-legal.html
----------------------------------------------------------------------- -----------------------------------------------------------------------
local asn1 = require "asn1"
local bin = require "bin" local bin = require "bin"
local bit = require "bit" local bit = require "bit"
local coroutine = require "coroutine" local coroutine = require "coroutine"
@@ -1029,6 +1030,9 @@ function negotiate_protocol(smb, overrides)
if(smb['key_length'] == nil) then if(smb['key_length'] == nil) then
smb['key_length'] = 0 smb['key_length'] = 0
end end
if(smb['byte_count'] == nil) then
smb['byte_count'] = 0
end
-- Convert the time and timezone to more useful values -- Convert the time and timezone to more useful values
smb['time'] = (smb['time'] / 10000000) - 11644473600 smb['time'] = (smb['time'] / 10000000) - 11644473600
@@ -1053,6 +1057,11 @@ function negotiate_protocol(smb, overrides)
if(smb['server_guid'] == nil) then if(smb['server_guid'] == nil) then
return false, "SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [12]" return false, "SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [12]"
end end
-- do we have a security blob?
if ( #data - pos > 0 ) then
pos, smb['security_blob'] = bin.unpack("<A" .. #data - pos, data, pos )
end
else else
pos, smb['server_challenge'] = bin.unpack(string.format("<A%d", smb['key_length']), data) pos, smb['server_challenge'] = bin.unpack(string.format("<A%d", smb['key_length']), data)
if(smb['server_challenge'] == nil) then if(smb['server_challenge'] == nil) then
@@ -1278,7 +1287,14 @@ local function start_session_extended(smb, log_errors, overrides)
return result, username return result, username
end end
end end
-- check what kind of security blob we were given in the negotiate protocol request
local sp_nego = false
if ( smb['security_blob'] and #smb['security_blob'] > 11 ) then
local pos, oid = bin.unpack(">A6", smb['security_blob'], 5)
sp_nego = ( oid == "\x2b\x06\x01\x05\x05\x02" ) -- check for SPNEGO OID 1.3.6.1.5.5.2
end
while result ~= false do while result ~= false do
-- These are loop variables -- These are loop variables
local security_blob = nil local security_blob = nil
@@ -1287,7 +1303,42 @@ local function start_session_extended(smb, log_errors, overrides)
-- This loop takes care of the multiple packets that "extended security" requires -- This loop takes care of the multiple packets that "extended security" requires
repeat repeat
-- Get the new security blob, passing the old security blob as a parameter. If there was no previous security blob, then nil is passed, which creates a new one -- Get the new security blob, passing the old security blob as a parameter. If there was no previous security blob, then nil is passed, which creates a new one
status, security_blob, smb['mac_key'] = smbauth.get_security_blob(security_blob, smb['ip'], username, domain, password, password_hash, hash_type) if ( not(security_blob) ) then
status, security_blob, smb['mac_key'] = smbauth.get_security_blob(security_blob, smb['ip'], username, domain, password, password_hash, hash_type, (sp_nego and 0x00088215))
if ( sp_nego ) then
local enc = asn1.ASN1Encoder:new()
local mechtype = enc:encode( { type = 'A0', value = enc:encode( { type = '30', value = enc:encode( { type = '06', value = bin.pack("H", "2b06010401823702020a") } ) } ) } )
local oid = enc:encode( { type = '06', value = bin.pack("H", "2b0601050502") } )
security_blob = enc:encode(security_blob)
security_blob = enc:encode( { type = 'A2', value = security_blob } )
security_blob = mechtype .. security_blob
security_blob = enc:encode( { type = '30', value = security_blob } )
security_blob = enc:encode( { type = 'A0', value = security_blob } )
security_blob = oid .. security_blob
security_blob = enc:encode( { type = '60', value = security_blob } )
end
else
if ( sp_nego ) then
if ( smb['domain'] or smb['server'] and ( not(domain) or #domain == 0 ) ) then
domain = smb['domain'] or smb['server']
end
hash_type = "v2"
end
status, security_blob, smb['mac_key'] = smbauth.get_security_blob(security_blob, smb['ip'], username, domain, password, password_hash, hash_type, (sp_nego and 0x00088215))
if ( sp_nego ) then
local enc = asn1.ASN1Encoder:new()
security_blob = enc:encode(security_blob)
security_blob = enc:encode( { type = 'A2', value = security_blob } )
security_blob = enc:encode( { type = '30', value = security_blob } )
security_blob = enc:encode( { type = 'A1', value = security_blob } )
end
end
-- There was an error processing the security blob -- There was an error processing the security blob
if(status == false) then if(status == false) then
@@ -1351,6 +1402,12 @@ local function start_session_extended(smb, log_errors, overrides)
-- Parse the data -- Parse the data
pos, security_blob, os, lanmanager = bin.unpack(string.format("<A%dzz", security_blob_length), data) pos, security_blob, os, lanmanager = bin.unpack(string.format("<A%dzz", security_blob_length), data)
if ( status_name == "NT_STATUS_MORE_PROCESSING_REQUIRED" and sp_nego ) then
local start = security_blob:find("NTLMSSP")
security_blob = security_blob:sub(start)
end
if(security_blob == nil or lanmanager == nil) then if(security_blob == nil or lanmanager == nil) then
return false, "SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [19]" return false, "SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [19]"
end end
@@ -2682,7 +2739,7 @@ function find_files(smbstate, fname, options)
-- TODO: cleanup fe.s_fname -- TODO: cleanup fe.s_fname
pos, fe.fname = bin.unpack("A" .. f_len, response.data, pos) pos, fe.fname = bin.unpack("A" .. f_len, response.data, pos)
pos = last_pos + ne pos = last_pos + ne
-- removing trailing zero bytes from file name -- removing trailing zero bytes from file name
fe.fname = fe.fname:sub(1, -2) fe.fname = fe.fname:sub(1, -2)
last_name = fe.fname last_name = fe.fname

8
nselib/smbauth.lua
View File

@@ -667,10 +667,10 @@ function get_password_response(ip, username, domain, password, password_hash, ha
return lm_response, ntlm_response, mac_key return lm_response, ntlm_response, mac_key
end end
function get_security_blob(security_blob, ip, username, domain, password, password_hash, hash_type) function get_security_blob(security_blob, ip, username, domain, password, password_hash, hash_type, flags)
local pos = 1 local pos = 1
local new_blob local new_blob
local flags = 0x00008215 -- (NEGOTIATE_SIGN_ALWAYS | NEGOTIATE_NTLM | NEGOTIATE_SIGN | REQUEST_TARGET | NEGOTIATE_UNICODE) local flags = flags or 0x00008215 -- (NEGOTIATE_SIGN_ALWAYS | NEGOTIATE_NTLM | NEGOTIATE_SIGN | REQUEST_TARGET | NEGOTIATE_UNICODE)
if(security_blob == nil) then if(security_blob == nil) then
-- If security_blob is nil, this is the initial packet -- If security_blob is nil, this is the initial packet
@@ -684,10 +684,8 @@ function get_security_blob(security_blob, ip, username, domain, password, passwo
return true, new_blob, "", "" return true, new_blob, "", ""
else else
local identifier, message_type, domain_length, domain_max, domain_offset, server_flags, challenge, reserved
-- Parse the old security blob -- Parse the old security blob
pos, identifier, message_type, domain_length, domain_max, domain_offset, server_flags, challenge, reserved = bin.unpack("<LISSIIA8A8", security_blob, 1) local pos, identifier, message_type, domain_length, domain_max, domain_offset, server_flags, challenge, reserved = bin.unpack("<LISSIIA8A8", security_blob, 1)
-- Get the information for the current login -- Get the information for the current login
local lanman, ntlm, mac_key = get_password_response(ip, username, domain, password, password_hash, hash_type, challenge, true) local lanman, ntlm, mac_key = get_password_response(ip, username, domain, password, password_hash, hash_type, challenge, true)

2
nselib/xmpp.lua
View File

@@ -121,7 +121,7 @@ XMPP = {
options = options or {}, options = options or {},
auth = { mechs = {} } } auth = { mechs = {} } }
o.options.timeout = o.options.timeout and o.options.timeout or 10 o.options.timeout = o.options.timeout and o.options.timeout or 10
o.servername = host.targetname or o.options.servername o.servername = stdnse.get_hostname(host) or o.options.servername
setmetatable(o, self) setmetatable(o, self)
self.__index = self self.__index = self
return o return o

2
scripts/afp-serverinfo.nse
View File

@@ -73,7 +73,7 @@ action = function(host, port)
-- get our data -- get our data
afp_proto = afp.Proto:new( { socket=socket } ) afp_proto = afp.Proto:new( { socket=socket } )
response = afp_proto:fp_get_server_info( socket ) local response = afp_proto:fp_get_server_info( socket )
response = response.result response = response.result
-- all the server information is output in the order it occurs in the server -- all the server information is output in the order it occurs in the server