
Re-indent some scripts. Whitespace-only commit

https://secwiki.org/w/Nmap/Code_Standards
This commit is contained in:
dmiller
2014-01-31 13:02:29 +00:00
parent 64fb5b3482
commit d36c08dcf5
137 changed files with 3977 additions and 3977 deletions


@@ -45,57 +45,57 @@ portrule = shortport.portnumber(548, "tcp")
action = function(host, port)
local status, response, shares
local result = {}
local afpHelper = afp.Helper:new()
local args = nmap.registry.args
local users = nmap.registry.afp or { ['nil'] = 'nil' }
local status, response, shares
local result = {}
local afpHelper = afp.Helper:new()
local args = nmap.registry.args
local users = nmap.registry.afp or { ['nil'] = 'nil' }
if ( args['afp.username'] ) then
users = {}
users[args['afp.username']] = args['afp.password']
end
if ( args['afp.username'] ) then
users = {}
users[args['afp.username']] = args['afp.password']
end
for username, password in pairs(users) do
for username, password in pairs(users) do
status, response = afpHelper:OpenSession(host, port)
if ( not status ) then
stdnse.print_debug(response)
return
end
status, response = afpHelper:OpenSession(host, port)
if ( not status ) then
stdnse.print_debug(response)
return
end
-- if we have a username attempt to authenticate as the user
-- Attempt to use No User Authentication?
if ( username ~= 'nil' ) then
status, response = afpHelper:Login(username, password)
else
status, response = afpHelper:Login()
end
-- if we have a username attempt to authenticate as the user
-- Attempt to use No User Authentication?
if ( username ~= 'nil' ) then
status, response = afpHelper:Login(username, password)
else
status, response = afpHelper:Login()
end
if ( not status ) then
stdnse.print_debug("afp-showmount: Login failed", response)
stdnse.print_debug(3, "afp-showmount: Login error: %s", response)
return
end
if ( not status ) then
stdnse.print_debug("afp-showmount: Login failed", response)
stdnse.print_debug(3, "afp-showmount: Login error: %s", response)
return
end
status, shares = afpHelper:ListShares()
status, shares = afpHelper:ListShares()
if status then
for _, vol in ipairs( shares ) do
local status, response = afpHelper:GetSharePermissions( vol )
if status then
response.name = vol
table.insert(result, response)
end
end
end
if status then
for _, vol in ipairs( shares ) do
local status, response = afpHelper:GetSharePermissions( vol )
if status then
response.name = vol
table.insert(result, response)
end
end
end
status, response = afpHelper:Logout()
status, response = afpHelper:CloseSession()
status, response = afpHelper:Logout()
status, response = afpHelper:CloseSession()
if ( result ) then
return stdnse.format_output(true, result)
end
end
return
if ( result ) then
return stdnse.format_output(true, result)
end
end
return
end


@@ -33,42 +33,42 @@ local arg_path = stdnse.get_script_args(SCRIPT_NAME .. ".path")
local function fail(err) return ("\n ERROR: %s"):format(err or "") end
action = function(host, port)
local helper = ajp.Helper:new(host, port)
local helper = ajp.Helper:new(host, port)
if ( not(helper:connect()) ) then
return fail("Failed to connect to AJP server")
end
if ( not(helper:connect()) ) then
return fail("Failed to connect to AJP server")
end
local status, answer = helper:get(arg_path or "/")
local status, answer = helper:get(arg_path or "/")
--- check for 401 response code
if ( not(status) or answer.status ~= 401 ) then
return
end
--- check for 401 response code
if ( not(status) or answer.status ~= 401 ) then
return
end
local result = { name = answer["status-line"]:match("^(.*)\r?\n$") }
local result = { name = answer["status-line"]:match("^(.*)\r?\n$") }
local www_authenticate = answer.headers["www-authenticate"]
if not www_authenticate then
table.insert( result, ("Server returned status %d but no WWW-Authenticate header."):format(answer.status) )
return stdnse.format_output(true, result)
end
local www_authenticate = answer.headers["www-authenticate"]
if not www_authenticate then
table.insert( result, ("Server returned status %d but no WWW-Authenticate header."):format(answer.status) )
return stdnse.format_output(true, result)
end
local challenges = http.parse_www_authenticate(www_authenticate)
if ( not(challenges) ) then
table.insert( result, ("Server returned status %d but the WWW-Authenticate header could not be parsed."):format(answer.status) )
table.insert( result, ("WWW-Authenticate: %s"):format(www_authenticate) )
return stdnse.format_output(true, result)
end
local challenges = http.parse_www_authenticate(www_authenticate)
if ( not(challenges) ) then
table.insert( result, ("Server returned status %d but the WWW-Authenticate header could not be parsed."):format(answer.status) )
table.insert( result, ("WWW-Authenticate: %s"):format(www_authenticate) )
return stdnse.format_output(true, result)
end
for _, challenge in ipairs(challenges) do
local line = challenge.scheme
if ( challenge.params ) then
for name, value in pairs(challenge.params) do
line = line .. (" %s=%s"):format(name, value)
end
end
table.insert(result, line)
end
return stdnse.format_output(true, result)
for _, challenge in ipairs(challenges) do
local line = challenge.scheme
if ( challenge.params ) then
for name, value in pairs(challenge.params) do
line = line .. (" %s=%s"):format(name, value)
end
end
table.insert(result, line)
end
return stdnse.format_output(true, result)
end


@@ -34,15 +34,15 @@ local arg_path = stdnse.get_script_args(SCRIPT_NAME .. '.path') or "/"
local function fail(err) return ("\n ERROR: %s"):format(err or "") end
action = function(host, port)
local method
local helper = ajp.Helper:new(host, port)
helper:connect()
local method
local helper = ajp.Helper:new(host, port)
helper:connect()
local status, response = helper:get(arg_path)
helper:close()
local status, response = helper:get(arg_path)
helper:close()
if ( not(status) ) then
return fail("Failed to retrieve server headers")
end
return stdnse.format_output(true, response.rawheaders)
if ( not(status) ) then
return fail("Failed to retrieve server headers")
end
return stdnse.format_output(true, response.rawheaders)
end


@@ -42,40 +42,40 @@ local arg_url = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/"
local UNINTERESTING_METHODS = { "GET", "HEAD", "POST", "OPTIONS" }
local function filter_out(t, filter)
local result = {}
for _, e in ipairs(t) do
if ( not(stdnse.contains(filter, e)) ) then
result[#result + 1] = e
end
end
return result
local result = {}
for _, e in ipairs(t) do
if ( not(stdnse.contains(filter, e)) ) then
result[#result + 1] = e
end
end
return result
end
local function fail(err) return ("\n ERROR: %s"):format(err or "") end
action = function(host, port)
local helper = ajp.Helper:new(host, port)
if ( not(helper:connect()) ) then
return fail("Failed to connect to server")
end
local helper = ajp.Helper:new(host, port)
if ( not(helper:connect()) ) then
return fail("Failed to connect to server")
end
local status, response = helper:options(arg_url)
helper:close()
if ( not(status) or response.status ~= 200 or
not(response.headers) or not(response.headers['allow']) ) then
return "Failed to get a valid response for the OPTION request"
end
local status, response = helper:options(arg_url)
helper:close()
if ( not(status) or response.status ~= 200 or
not(response.headers) or not(response.headers['allow']) ) then
return "Failed to get a valid response for the OPTION request"
end
local methods = stdnse.strsplit(",%s", response.headers['allow'])
local methods = stdnse.strsplit(",%s", response.headers['allow'])
local output = {}
table.insert(output, ("Supported methods: %s"):format(stdnse.strjoin(" ", methods)))
local output = {}
table.insert(output, ("Supported methods: %s"):format(stdnse.strjoin(" ", methods)))
local interesting = filter_out(methods, UNINTERESTING_METHODS)
if ( #interesting > 0 ) then
table.insert(output, "Potentially risky methods: " .. stdnse.strjoin(" ", interesting))
table.insert(output, "See http://nmap.org/nsedoc/scripts/ajp-methods.html")
end
return stdnse.format_output(true, output)
local interesting = filter_out(methods, UNINTERESTING_METHODS)
if ( #interesting > 0 ) then
table.insert(output, "Potentially risky methods: " .. stdnse.strjoin(" ", interesting))
table.insert(output, "See http://nmap.org/nsedoc/scripts/ajp-methods.html")
end
return stdnse.format_output(true, output)
end


@@ -56,47 +56,47 @@ local function fail(err) return ("\n ERROR: %s"):format(err or "") end
action = function(host, port)
local helper = ajp.Helper:new(host, port)
if ( not(helper:connect()) ) then
return fail("Failed to connect to AJP server")
end
local helper = ajp.Helper:new(host, port)
if ( not(helper:connect()) ) then
return fail("Failed to connect to AJP server")
end
local valid_methods = {
["GET"] = true,
["HEAD"] = true,
["TRACE"] = true,
["PUT"] = true,
["DELETE"] = true,
["OPTIONS"]= true,
}
local valid_methods = {
["GET"] = true,
["HEAD"] = true,
["TRACE"] = true,
["PUT"] = true,
["DELETE"] = true,
["OPTIONS"]= true,
}
local method = arg_method:upper()
if ( not(valid_methods[method]) ) then
return fail(("Method not supported: %s"):format(arg_method))
end
local method = arg_method:upper()
if ( not(valid_methods[method]) ) then
return fail(("Method not supported: %s"):format(arg_method))
end
local options = { auth = { username = arg_username, password = arg_password } }
local status, response = helper:request(arg_method, arg_path, nil, nil, options)
if ( not(status) ) then
return fail("Failed to retrieve response for request")
end
helper:close()
local options = { auth = { username = arg_username, password = arg_password } }
local status, response = helper:request(arg_method, arg_path, nil, nil, options)
if ( not(status) ) then
return fail("Failed to retrieve response for request")
end
helper:close()
if ( response ) then
local output = response['status-line'] .. "\n" ..
stdnse.strjoin("\n", response.rawheaders) ..
(response.body and "\n\n" .. response.body or "")
if ( arg_file ) then
local f = io.open(arg_file, "w")
if ( not(f) ) then
return fail(("Failed to open file %s for writing"):format(arg_file))
end
f:write(output)
f:close()
return ("Response was written to file: %s"):format(arg_file)
else
return "\n" .. output
end
end
if ( response ) then
local output = response['status-line'] .. "\n" ..
stdnse.strjoin("\n", response.rawheaders) ..
(response.body and "\n\n" .. response.body or "")
if ( arg_file ) then
local f = io.open(arg_file, "w")
if ( not(f) ) then
return fail(("Failed to open file %s for writing"):format(arg_file))
end
f:write(output)
f:close()
return ("Response was written to file: %s"):format(arg_file)
else
return "\n" .. output
end
end
end


@@ -32,49 +32,49 @@ license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "safe"}
portrule = function(host, port)
local auth_port = { number=113, protocol="tcp" }
local identd = nmap.get_port_state(host, auth_port)
local auth_port = { number=113, protocol="tcp" }
local identd = nmap.get_port_state(host, auth_port)
return identd ~= nil
and identd.state == "open"
and port.protocol == "tcp"
and port.state == "open"
return identd ~= nil
and identd.state == "open"
and port.protocol == "tcp"
and port.state == "open"
end
action = function(host, port)
local owner = ""
local owner = ""
local client_ident = nmap.new_socket()
local client_service = nmap.new_socket()
local client_ident = nmap.new_socket()
local client_service = nmap.new_socket()
local catch = function()
client_ident:close()
client_service:close()
end
local catch = function()
client_ident:close()
client_service:close()
end
local try = nmap.new_try(catch)
local try = nmap.new_try(catch)
try(client_ident:connect(host, 113))
try(client_service:connect(host, port))
try(client_ident:connect(host, 113))
try(client_service:connect(host, port))
local localip, localport, remoteip, remoteport =
try(client_service:get_info())
local localip, localport, remoteip, remoteport =
try(client_service:get_info())
local request = port.number .. ", " .. localport .. "\r\n"
local request = port.number .. ", " .. localport .. "\r\n"
try(client_ident:send(request))
try(client_ident:send(request))
owner = try(client_ident:receive_lines(1))
owner = try(client_ident:receive_lines(1))
if string.match(owner, "ERROR") then
owner = nil
else
owner = string.match(owner,
"%d+%s*,%s*%d+%s*:%s*USERID%s*:%s*.+%s*:%s*(.+)\r?\n")
end
if string.match(owner, "ERROR") then
owner = nil
else
owner = string.match(owner,
"%d+%s*,%s*%d+%s*:%s*USERID%s*:%s*.+%s*:%s*(.+)\r?\n")
end
try(client_ident:close())
try(client_service:close())
try(client_ident:close())
try(client_service:close())
return owner
return owner
end


@@ -26,12 +26,12 @@ categories = {"malware", "safe"}
portrule = shortport.port_or_service(113, "auth")
action = function(host, port)
local status, owner = comm.get_banner(host, port, {lines=1})
local status, owner = comm.get_banner(host, port, {lines=1})
if not status then
return
end
if not status then
return
end
return "Spoofed reply: " .. owner
return "Spoofed reply: " .. owner
end


@@ -40,35 +40,35 @@ portrule = shortport.port_or_service(8333, "bitcoin", "tcp" )
action = function(host, port)
local bcoin = bitcoin.Helper:new(host, port, { timeout = 20000 })
local status = bcoin:connect()
local bcoin = bitcoin.Helper:new(host, port, { timeout = 20000 })
local status = bcoin:connect()
if ( not(status) ) then
return "\n ERROR: Failed to connect to server"
end
if ( not(status) ) then
return "\n ERROR: Failed to connect to server"
end
local status, ver = bcoin:exchVersion()
if ( not(status) ) then
return "\n ERROR: Failed to extract version information"
end
local status, ver = bcoin:exchVersion()
if ( not(status) ) then
return "\n ERROR: Failed to extract version information"
end
local status, nodes = bcoin:getNodes()
if ( not(status) ) then
return "\n ERROR: Failed to extract address information"
end
bcoin:close()
local status, nodes = bcoin:getNodes()
if ( not(status) ) then
return "\n ERROR: Failed to extract address information"
end
bcoin:close()
local response = tab.new(2)
tab.addrow(response, "ip", "timestamp")
local response = tab.new(2)
tab.addrow(response, "ip", "timestamp")
for _, node in ipairs(nodes.addresses or {}) do
if ( target.ALLOW_NEW_TARGETS ) then
target.add(node.address.host)
end
tab.addrow(response, ("%s:%d"):format(node.address.host, node.address.port), os.date("%x %X", node.ts))
end
for _, node in ipairs(nodes.addresses or {}) do
if ( target.ALLOW_NEW_TARGETS ) then
target.add(node.address.host)
end
tab.addrow(response, ("%s:%d"):format(node.address.host, node.address.port), os.date("%x %X", node.ts))
end
if ( #response > 1 ) then
return stdnse.format_output(true, tab.dump(response) )
end
if ( #response > 1 ) then
return stdnse.format_output(true, tab.dump(response) )
end
end


@@ -37,30 +37,30 @@ portrule = shortport.port_or_service(8333, "bitcoin", "tcp" )
action = function(host, port)
local NETWORK = {
[3652501241] = "main",
[3669344250] = "testnet"
}
local NETWORK = {
[3652501241] = "main",
[3669344250] = "testnet"
}
local bcoin = bitcoin.Helper:new(host, port, { timeout = 10000 })
local status = bcoin:connect()
local bcoin = bitcoin.Helper:new(host, port, { timeout = 10000 })
local status = bcoin:connect()
if ( not(status) ) then
return "\n ERROR: Failed to connect to server"
end
if ( not(status) ) then
return "\n ERROR: Failed to connect to server"
end
local status, ver = bcoin:exchVersion()
if ( not(status) ) then
return "\n ERROR: Failed to extract version information"
end
bcoin:close()
local status, ver = bcoin:exchVersion()
if ( not(status) ) then
return "\n ERROR: Failed to extract version information"
end
bcoin:close()
local result = {}
table.insert(result, ("Timestamp: %s"):format(stdnse.format_timestamp(ver.timestamp)))
table.insert(result, ("Network: %s"):format(NETWORK[ver.magic]))
table.insert(result, ("Version: %s"):format(ver.ver))
table.insert(result, ("Node Id: %s"):format(ver.nodeid))
table.insert(result, ("Lastblock: %s"):format(ver.lastblock))
local result = {}
table.insert(result, ("Timestamp: %s"):format(stdnse.format_timestamp(ver.timestamp)))
table.insert(result, ("Network: %s"):format(NETWORK[ver.magic]))
table.insert(result, ("Version: %s"):format(ver.ver))
table.insert(result, ("Node Id: %s"):format(ver.nodeid))
table.insert(result, ("Lastblock: %s"):format(ver.lastblock))
return stdnse.format_output(true, result)
return stdnse.format_output(true, result)
end


@@ -35,16 +35,16 @@ local stdnse = require("stdnse")
portrule = shortport.portnumber({8611, 8612}, "udp")
action = function(host, port)
local helper = bjnp.Helper:new(host, port)
if ( not(helper:connect()) ) then
return "\n ERROR: Failed to connect to server"
end
local status, attrs
if ( port.number == 8611 ) then
status, attrs = helper:getPrinterIdentity()
else
status, attrs = helper:getScannerIdentity()
end
helper:close()
return stdnse.format_output(true, attrs)
local helper = bjnp.Helper:new(host, port)
if ( not(helper:connect()) ) then
return "\n ERROR: Failed to connect to server"
end
local status, attrs
if ( port.number == 8611 ) then
status, attrs = helper:getPrinterIdentity()
else
status, attrs = helper:getScannerIdentity()
end
helper:close()
return stdnse.format_output(true, attrs)
end


@@ -61,11 +61,11 @@ action = function()
local output, hosts, tmp = {}, {}, {}
for _, hostcfg in pairs(result) do
for k, ip in pairs(hostcfg) do
if type(k) == "string" and k == "name" then
if avahi_send_null_udp(ip) then
table.insert(hosts, ip)
tmp[ip] = true
end
if type(k) == "string" and k == "name" then
if avahi_send_null_udp(ip) then
table.insert(hosts, ip)
tmp[ip] = true
end
end
end
end
@@ -74,7 +74,7 @@ action = function()
hosts.name = "Discovered hosts:"
table.insert(output, hosts)
table.insert(output,
"After NULL UDP avahi packet DoS (CVE-2011-1002).")
"After NULL UDP avahi packet DoS (CVE-2011-1002).")
stdnse.print_debug(3, "sleeping for %d seconds", wtime)
stdnse.sleep(wtime)


@@ -33,54 +33,54 @@ prerule = function() return true end
-- @param server_version string containing the product release
-- @return ver string containing the version information
local function parseVersion( server_version )
local pfx = string.sub(server_version,1,3)
local pfx = string.sub(server_version,1,3)
if pfx == "SQL" then
local major_version = string.sub(server_version,4,5)
if pfx == "SQL" then
local major_version = string.sub(server_version,4,5)
-- strip the leading 0 from the major version, for consistency with
-- nmap-service-probes results
if string.sub(major_version,1,1) == "0" then
major_version = string.sub(major_version,2)
end
local minor_version = string.sub(server_version,6,7)
local hotfix = string.sub(server_version,8)
server_version = major_version .. "." .. minor_version .. "." .. hotfix
else
return "Unknown version"
end
-- strip the leading 0 from the major version, for consistency with
-- nmap-service-probes results
if string.sub(major_version,1,1) == "0" then
major_version = string.sub(major_version,2)
end
local minor_version = string.sub(server_version,6,7)
local hotfix = string.sub(server_version,8)
server_version = major_version .. "." .. minor_version .. "." .. hotfix
else
return "Unknown version"
end
return ("IBM DB2 v%s"):format(server_version)
return ("IBM DB2 v%s"):format(server_version)
end
action = function()
local DB2GETADDR = "DB2GETADDR\0SQL09010\0"
local socket = nmap.new_socket("udp")
local result = {}
local host, port = "255.255.255.255", 523
local DB2GETADDR = "DB2GETADDR\0SQL09010\0"
local socket = nmap.new_socket("udp")
local result = {}
local host, port = "255.255.255.255", 523
socket:set_timeout(5000)
local status = socket:sendto( host, port, DB2GETADDR )
if ( not(status) ) then return end
socket:set_timeout(5000)
local status = socket:sendto( host, port, DB2GETADDR )
if ( not(status) ) then return end
while(true) do
local data
status, data = socket:receive()
if( not(status) ) then break end
while(true) do
local data
status, data = socket:receive()
if( not(status) ) then break end
local version, srvname = data:match("DB2RETADDR.(SQL%d+).(.-)\0")
local _, ip
status, _, _, ip, _ = socket:get_info()
if ( not(status) ) then return end
local version, srvname = data:match("DB2RETADDR.(SQL%d+).(.-)\0")
local _, ip
status, _, _, ip, _ = socket:get_info()
if ( not(status) ) then return end
if target.ALLOW_NEW_TARGETS then target.add(ip) end
if target.ALLOW_NEW_TARGETS then target.add(ip) end
if ( status ) then
table.insert( result, ("%s - Host: %s; Version: %s"):format(ip, srvname, parseVersion( version ) ) )
end
end
socket:close()
if ( status ) then
table.insert( result, ("%s - Host: %s; Version: %s"):format(ip, srvname, parseVersion( version ) ) )
end
end
socket:close()
return stdnse.format_output( true, result )
return stdnse.format_output( true, result )
end


@@ -47,11 +47,11 @@ categories = {"broadcast", "safe"}
prerule = function() return true end
action = function()
local helper = dnssd.Helper:new( )
helper:setMulticast(true)
local helper = dnssd.Helper:new( )
helper:setMulticast(true)
local status, result = helper:queryServices()
if ( status ) then
return stdnse.format_output(true, result)
end
local status, result = helper:queryServices()
if ( status ) then
return stdnse.format_output(true, result)
end
end


@@ -32,37 +32,37 @@ local function isGroup(flags) return ( bit.band(flags, 0x8000) == 0x8000 ) end
action = function()
-- NBNS only works over ipv4
if ( nmap.address_family() == "inet6") then return end
-- NBNS only works over ipv4
if ( nmap.address_family() == "inet6") then return end
local MASTER_BROWSER_DOMAIN = 0x1D
local STD_WORKSTATION_SERVICE = 0x00
local NBNAME = "\1\2__MSBROWSE__\2\1"
local BROADCAST_ADDR = "255.255.255.255"
local MASTER_BROWSER_DOMAIN = 0x1D
local STD_WORKSTATION_SERVICE = 0x00
local NBNAME = "\1\2__MSBROWSE__\2\1"
local BROADCAST_ADDR = "255.255.255.255"
local status, result = netbios.nbquery( { ip = BROADCAST_ADDR }, NBNAME, { multiple = true })
if ( not(status) ) then return end
local status, result = netbios.nbquery( { ip = BROADCAST_ADDR }, NBNAME, { multiple = true })
if ( not(status) ) then return end
local outtab = tab.new(3)
tab.addrow(outtab, 'ip', 'server', 'domain')
local outtab = tab.new(3)
tab.addrow(outtab, 'ip', 'server', 'domain')
for _, v in ipairs(result) do
local status, names, _ = netbios.do_nbstat(v.peer)
local srv_name, domain_name
if (status) then
for _, item in ipairs(names) do
if ( item.suffix == MASTER_BROWSER_DOMAIN and not(isGroup(item.flags)) ) then
domain_name = item.name
elseif ( item.suffix == STD_WORKSTATION_SERVICE and not(isGroup(item.flags)) ) then
srv_name = item.name
end
end
if ( srv_name and domain_name ) then
tab.addrow(outtab, v.peer, srv_name, domain_name)
else
stdnse.print_debug(3, "No server name or domain name was found")
end
end
end
return "\n" .. tab.dump(outtab)
for _, v in ipairs(result) do
local status, names, _ = netbios.do_nbstat(v.peer)
local srv_name, domain_name
if (status) then
for _, item in ipairs(names) do
if ( item.suffix == MASTER_BROWSER_DOMAIN and not(isGroup(item.flags)) ) then
domain_name = item.name
elseif ( item.suffix == STD_WORKSTATION_SERVICE and not(isGroup(item.flags)) ) then
srv_name = item.name
end
end
if ( srv_name and domain_name ) then
tab.addrow(outtab, v.peer, srv_name, domain_name)
else
stdnse.print_debug(3, "No server name or domain name was found")
end
end
end
return "\n" .. tab.dump(outtab)
end


@@ -26,69 +26,69 @@ prerule = function() return true end
local function Callit( host, port, program, protocol )
local results = {}
local portmap, comm = rpc.Portmap:new(), rpc.Comm:new('rpcbind', 2)
local results = {}
local portmap, comm = rpc.Portmap:new(), rpc.Comm:new('rpcbind', 2)
local status, result = comm:Connect(host, port)
if (not(status)) then
return false, result
end
local status, result = comm:Connect(host, port)
if (not(status)) then
return false, result
end
comm.socket:set_timeout(10000)
status, result = portmap:Callit(comm, program, protocol, 2 )
if ( not(status) ) then
return false, result
end
comm.socket:set_timeout(10000)
status, result = portmap:Callit(comm, program, protocol, 2 )
if ( not(status) ) then
return false, result
end
while ( status ) do
local _, rhost
status, _, _, rhost, _ = comm:GetSocketInfo()
if (not(status)) then
return false, "Failed to get socket information"
end
while ( status ) do
local _, rhost
status, _, _, rhost, _ = comm:GetSocketInfo()
if (not(status)) then
return false, "Failed to get socket information"
end
if ( status ) then
table.insert(results, rhost)
end
if ( status ) then
table.insert(results, rhost)
end
status, result = comm:ReceivePacket()
end
status, result = comm:ReceivePacket()
end
comm:Disconnect()
return true, results
comm:Disconnect()
return true, results
end
local function fail(err) return ("\n ERROR: %s"):format(err or "") end
action = function()
local results = {}
local ip = ( nmap.address_family() == "inet" ) and "255.255.255.255" or "ff02::202"
local iface = nmap.get_interface()
local results = {}
local ip = ( nmap.address_family() == "inet" ) and "255.255.255.255" or "ff02::202"
local iface = nmap.get_interface()
-- handle problematic sends on OS X requiring the interface to be
-- supplied as part of IPv6
if ( iface and nmap.address_family() == "inet6" ) then
ip = ip .. "%" .. iface
end
-- handle problematic sends on OS X requiring the interface to be
-- supplied as part of IPv6
if ( iface and nmap.address_family() == "inet6" ) then
ip = ip .. "%" .. iface
end
for _, port in ipairs({7938,111}) do
local host, port = { ip = ip }, { number = port, protocol = "udp" }
local status
status, results = Callit( host, port, "nsrstat", "udp" )
for _, port in ipairs({7938,111}) do
local host, port = { ip = ip }, { number = port, protocol = "udp" }
local status
status, results = Callit( host, port, "nsrstat", "udp" )
-- warn about problematic sends on OS X requiring the interface to be
-- supplied as part of IPv6
if ( not(status) and results == "Portmap.Callit: Failed to send data" ) then
return fail("Failed sending data, try supplying the correct interface using -e")
end
-- warn about problematic sends on OS X requiring the interface to be
-- supplied as part of IPv6
if ( not(status) and results == "Portmap.Callit: Failed to send data" ) then
return fail("Failed sending data, try supplying the correct interface using -e")
end
if ( status ) then
break
end
end
if ( status ) then
break
end
end
if ( "table" == type(results) and 0 < #results ) then
return stdnse.format_output(true, results)
end
if ( "table" == type(results) and 0 < #results ) then
return stdnse.format_output(true, results)
end
end


@@ -32,48 +32,48 @@ prerule = function() return true end
function action()
local helper = srvloc.Helper:new()
local helper = srvloc.Helper:new()
local status, bindery = helper:ServiceRequest("bindery.novell", "DEFAULT")
if ( not(status) or not(bindery) ) then
helper:close()
return
end
bindery = bindery[1]
local srvname = bindery:match("%/%/%/(.*)$")
local status, bindery = helper:ServiceRequest("bindery.novell", "DEFAULT")
if ( not(status) or not(bindery) ) then
helper:close()
return
end
bindery = bindery[1]
local srvname = bindery:match("%/%/%/(.*)$")
local status, attrib = helper:AttributeRequest(bindery, "DEFAULT", "svcaddr-ws")
helper:close()
attrib = attrib:match("^%(svcaddr%-ws=(.*)%)$")
if ( not(attrib) ) then return end
local status, attrib = helper:AttributeRequest(bindery, "DEFAULT", "svcaddr-ws")
helper:close()
attrib = attrib:match("^%(svcaddr%-ws=(.*)%)$")
if ( not(attrib) ) then return end
local attribs = stdnse.strsplit(",", attrib)
if ( not(attribs) ) then return end
local attribs = stdnse.strsplit(",", attrib)
if ( not(attribs) ) then return end
local addrs = { name = "Addresses"}
local ips = {}
for _, attr in ipairs(attribs) do
local addr = attr:match("^%d*%-%d*%-%d*%-(........)")
if ( addr ) then
local pos, dw_addr = bin.unpack( "<I", bin.pack("H", addr) )
local ip = ipOps.fromdword(dw_addr)
local addrs = { name = "Addresses"}
local ips = {}
for _, attr in ipairs(attribs) do
local addr = attr:match("^%d*%-%d*%-%d*%-(........)")
if ( addr ) then
local pos, dw_addr = bin.unpack( "<I", bin.pack("H", addr) )
local ip = ipOps.fromdword(dw_addr)
if ( not(ips[ip]) ) then
table.insert(addrs, ip)
ips[ip] = ip
end
end
end
if ( not(ips[ip]) ) then
table.insert(addrs, ip)
ips[ip] = ip
end
end
end
local output = {}
local status, treename = helper:ServiceRequest("ndap.novell", "DEFAULT")
if ( status ) then
treename = treename[1]
treename = treename:match("%/%/%/(.*)%.$")
table.insert(output, ("Tree name: %s"):format(treename))
end
table.insert(output, ("Server name: %s"):format(srvname))
table.insert(output, addrs)
local output = {}
local status, treename = helper:ServiceRequest("ndap.novell", "DEFAULT")
if ( status ) then
treename = treename[1]
treename = treename:match("%/%/%/(.*)%.$")
table.insert(output, ("Tree name: %s"):format(treename))
end
table.insert(output, ("Server name: %s"):format(srvname))
table.insert(output, addrs)
return stdnse.format_output(true, output)
return stdnse.format_output(true, output)
end


@@ -30,43 +30,43 @@ prerule = function() return ( nmap.address_family() == "inet") end
action = function()
local host = { ip = "255.255.255.255" }
local port = { number = 5632, protocol = "udp" }
local host = { ip = "255.255.255.255" }
local port = { number = 5632, protocol = "udp" }
local socket = nmap.new_socket("udp")
socket:set_timeout(500)
local socket = nmap.new_socket("udp")
socket:set_timeout(500)
for i=1,2 do
local status = socket:sendto(host, port, "NQ")
if ( not(status) ) then
return "\n ERROR: Failed to send broadcast request"
end
end
for i=1,2 do
local status = socket:sendto(host, port, "NQ")
if ( not(status) ) then
return "\n ERROR: Failed to send broadcast request"
end
end
local timeout = TIMEOUT or ( 20 / ( nmap.timing_level() + 1 ) )
local responses = {}
local stime = os.time()
local timeout = TIMEOUT or ( 20 / ( nmap.timing_level() + 1 ) )
local responses = {}
local stime = os.time()
repeat
local status, data = socket:receive()
if ( status ) then
local srvname = data:match("^NR([^_]*)_*AHM_3___\0$")
if ( srvname ) then
local status, _, _, rhost, _ = socket:get_info()
if ( not(status) ) then
socket:close()
return false, "Failed to get socket information"
end
-- avoid duplicates
responses[rhost] = srvname
end
end
until( os.time() - stime > timeout )
socket:close()
repeat
local status, data = socket:receive()
if ( status ) then
local srvname = data:match("^NR([^_]*)_*AHM_3___\0$")
if ( srvname ) then
local status, _, _, rhost, _ = socket:get_info()
if ( not(status) ) then
socket:close()
return false, "Failed to get socket information"
end
-- avoid duplicates
responses[rhost] = srvname
end
end
until( os.time() - stime > timeout )
socket:close()
local result = {}
for ip, name in pairs(responses) do
table.insert(result, ("%s - %s"):format(ip,name))
end
return stdnse.format_output(true, result)
local result = {}
for ip, name in pairs(responses) do
table.insert(result, ("%s - %s"):format(ip,name))
end
return stdnse.format_output(true, result)
end


@@ -30,42 +30,42 @@ prerule = function() return ( nmap.address_family() == 'inet' ) end
local function fail(err) return ("\n ERROR: %s"):format(err or "") end
action = function()
local socket = nmap.new_socket("udp")
local host, port = { ip = "255.255.255.255" }, { number = 30303, protocol = "udp" }
local socket = nmap.new_socket("udp")
local host, port = { ip = "255.255.255.255" }, { number = 30303, protocol = "udp" }
socket:set_timeout(5000)
if ( not(socket:sendto(host, port, "D")) ) then
return fail("Failed to send discovery request to server")
end
socket:set_timeout(5000)
if ( not(socket:sendto(host, port, "D")) ) then
return fail("Failed to send discovery request to server")
end
local output = {}
local output = {}
while( true ) do
local status, response = socket:receive()
if ( not(status) ) then
break
end
while( true ) do
local status, response = socket:receive()
if ( not(status) ) then
break
end
local status, _, _, ip = socket:get_info()
if ( not(status) ) then
stdnse.print_debug(2, "Failed to get socket information")
break
end
local status, _, _, ip = socket:get_info()
if ( not(status) ) then
stdnse.print_debug(2, "Failed to get socket information")
break
end
local prod, mac, activation, version = response:match("^([^:]*):([^:]*):([^:]*):([^:]*)$")
if ( prod and mac and activation and version ) then
local output_part = {
name = ip,
("Product: %s"):format(prod),
("MAC: %s"):format(mac),
("Activation code: %s"):format(activation),
("Version: %s"):format(version)
}
table.insert(output, output_part)
end
end
local prod, mac, activation, version = response:match("^([^:]*):([^:]*):([^:]*):([^:]*)$")
if ( prod and mac and activation and version ) then
local output_part = {
name = ip,
("Product: %s"):format(prod),
("MAC: %s"):format(mac),
("Activation code: %s"):format(activation),
("Version: %s"):format(version)
}
table.insert(output, output_part)
end
end
if ( 0 < #output ) then
return stdnse.format_output(true, output)
end
if ( 0 < #output ) then
return stdnse.format_output(true, output)
end
end


@@ -40,12 +40,12 @@ prerule = function() return true end
-- Sends UPnP discovery packet to host,
-- and extracts service information from results
action = function()
local helper = upnp.Helper:new()
helper:setMulticast(true)
local status, result = helper:queryServices()
local helper = upnp.Helper:new()
helper:setMulticast(true)
local status, result = helper:queryServices()
if ( status ) then
return stdnse.format_output(true, result)
end
if ( status ) then
return stdnse.format_output(true, result)
end
end


@@ -25,14 +25,14 @@ categories = {"broadcast", "safe"}
prerule = function() return true end
action = function()
local helper = srvloc.Helper:new()
local status, result = helper:ServiceRequest("service:odbms.versant:vod", "default")
helper:close()
local helper = srvloc.Helper:new()
local status, result = helper:ServiceRequest("service:odbms.versant:vod", "default")
helper:close()
if ( not(status) ) then return end
local output = {}
for _, v in ipairs(result) do
table.insert(output, v:match("^service:odbms.versant:vod://(.*)$"))
end
return stdnse.format_output(true, output)
if ( not(status) ) then return end
local output = {}
for _, v in ipairs(result) do
table.insert(output, v:match("^service:odbms.versant:vod://(.*)$"))
end
return stdnse.format_output(true, output)
end


@@ -27,45 +27,45 @@ local MAC = stdnse.get_script_args("broadcast-wake-on-lan.MAC")
local address = stdnse.get_script_args("broadcast-wake-on-lan.address")
prerule = function()
-- only run if we are ipv4 and have a MAC
return (MAC ~= nil and nmap.address_family() == "inet")
-- only run if we are ipv4 and have a MAC
return (MAC ~= nil and nmap.address_family() == "inet")
end
-- Creates the WoL packet based on the remote MAC
-- @param mac string containing the MAC without delimiters
-- @return packet string containing the raw packet
local function createWOLPacket(mac)
local packet = bin.pack("H", "FFFFFFFFFFFF")
for i=1, 16 do
packet = packet .. bin.pack("H", mac)
end
return packet
local packet = bin.pack("H", "FFFFFFFFFFFF")
for i=1, 16 do
packet = packet .. bin.pack("H", mac)
end
return packet
end
action = function()
local MAC_hex
if ( MAC:match("%x%x:%x%x:%x%x:%x%x:%x%x:%x%x") ) then
MAC_hex = MAC:gsub(":", "")
elseif( MAC:match("%x%x%-%x%x%-%x%x%-%x%x%-%x%x%-%x%x") ) then
MAC_hex = MAC:gsub("-", "")
else
return "\n ERROR: Failed to process MAC address"
end
local MAC_hex
if ( MAC:match("%x%x:%x%x:%x%x:%x%x:%x%x:%x%x") ) then
MAC_hex = MAC:gsub(":", "")
elseif( MAC:match("%x%x%-%x%x%-%x%x%-%x%x%-%x%x%-%x%x") ) then
MAC_hex = MAC:gsub("-", "")
else
return "\n ERROR: Failed to process MAC address"
end
local host = { ip = address or "255.255.255.255" }
local port = { number = 9, protocol = "udp" }
local socket = nmap.new_socket("udp")
local host = { ip = address or "255.255.255.255" }
local port = { number = 9, protocol = "udp" }
local socket = nmap.new_socket("udp")
-- send two packets, just in case
for i=1,2 do
local packet = createWOLPacket(MAC_hex)
local status, err = socket:sendto(host, port, packet)
if ( not(status) ) then
return "\n ERROR: Failed to send packet"
end
end
return stdnse.format_output(true, ("Sent WOL packet to: %s"):format(MAC))
-- send two packets, just in case
for i=1,2 do
local packet = createWOLPacket(MAC_hex)
local status, err = socket:sendto(host, port, packet)
if ( not(status) ) then
return "\n ERROR: Failed to send packet"
end
end
return stdnse.format_output(true, ("Sent WOL packet to: %s"):format(MAC))
end


@@ -54,49 +54,49 @@ prerule = function() return true end
-- the name should be one of the discovery functions in wsdd.Helper
-- @param result table into which the results are stored
discoverThread = function( funcname, results )
-- calculates a timeout based on the timing template (default: 5s)
local timeout = ( 20000 / ( nmap.timing_level() + 1 ) )
local condvar = nmap.condvar( results )
local helper = wsdd.Helper:new()
helper:setMulticast(true)
helper:setTimeout(timeout)
-- calculates a timeout based on the timing template (default: 5s)
local timeout = ( 20000 / ( nmap.timing_level() + 1 ) )
local condvar = nmap.condvar( results )
local helper = wsdd.Helper:new()
helper:setMulticast(true)
helper:setTimeout(timeout)
local status, result = helper[funcname](helper)
if ( status ) then table.insert(results, result) end
condvar("broadcast")
local status, result = helper[funcname](helper)
if ( status ) then table.insert(results, result) end
condvar("broadcast")
end
local function sortfunc(a,b)
if ( a and b and a.name and b.name ) and ( a.name < b.name ) then
return true
end
return false
if ( a and b and a.name and b.name ) and ( a.name < b.name ) then
return true
end
return false
end
action = function()
local threads, results = {}, {}
local condvar = nmap.condvar( results )
local threads, results = {}, {}
local condvar = nmap.condvar( results )
-- Attempt to discover both devices and WCF web services
for _, f in ipairs( {"discoverDevices", "discoverWCFServices"} ) do
threads[stdnse.new_thread( discoverThread, f, results )] = true
end
-- Attempt to discover both devices and WCF web services
for _, f in ipairs( {"discoverDevices", "discoverWCFServices"} ) do
threads[stdnse.new_thread( discoverThread, f, results )] = true
end
local done
-- wait for all threads to finish
while( not(done) ) do
done = true
for thread in pairs(threads) do
if (coroutine.status(thread) ~= "dead") then done = false end
end
if ( not(done) ) then
condvar("wait")
end
end
local done
-- wait for all threads to finish
while( not(done) ) do
done = true
for thread in pairs(threads) do
if (coroutine.status(thread) ~= "dead") then done = false end
end
if ( not(done) ) then
condvar("wait")
end
end
if ( results ) then
table.sort( results, sortfunc )
return stdnse.format_output(true, results)
end
if ( results ) then
table.sort( results, sortfunc )
return stdnse.format_output(true, results)
end
end


@@ -31,43 +31,43 @@ local arg_timeout = stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME ..
action = function()
local host, port = { ip = "255.255.255.255" }, { number = 177, protocol = "udp" }
local options = { timeout = 1 }
local helper = xdmcp.Helper:new(host, port, options)
local status = helper:connect()
local host, port = { ip = "255.255.255.255" }, { number = 177, protocol = "udp" }
local options = { timeout = 1 }
local helper = xdmcp.Helper:new(host, port, options)
local status = helper:connect()
local req = xdmcp.Packet[xdmcp.OpCode.BCAST_QUERY]:new(nil)
local status, err = helper:send(req)
if ( not(status) ) then
return false, err
end
local req = xdmcp.Packet[xdmcp.OpCode.BCAST_QUERY]:new(nil)
local status, err = helper:send(req)
if ( not(status) ) then
return false, err
end
local timeout = arg_timeout or 5
local start = os.time()
local result = {}
repeat
local timeout = arg_timeout or 5
local start = os.time()
local result = {}
repeat
local status, response = helper:recv()
if ( not(status) and response ~= "TIMEOUT" ) then
break
elseif ( status ) then
local status, _, _, rhost = helper.socket:get_info()
if ( response.header.opcode == xdmcp.OpCode.WILLING ) then
result[rhost] = true
else
result[rhost] = false
end
end
local status, response = helper:recv()
if ( not(status) and response ~= "TIMEOUT" ) then
break
elseif ( status ) then
local status, _, _, rhost = helper.socket:get_info()
if ( response.header.opcode == xdmcp.OpCode.WILLING ) then
result[rhost] = true
else
result[rhost] = false
end
end
until( os.time() - start > timeout )
until( os.time() - start > timeout )
local output = {}
for ip, res in pairs(result) do
if ( res ) then
table.insert(output, ("%s - Willing"):format(ip))
else
table.insert(output, ("%s - Unwilling"):format(ip))
end
end
return stdnse.format_output(true, output)
local output = {}
for ip, res in pairs(result) do
if ( res ) then
table.insert(output, ("%s - Willing"):format(ip))
else
table.insert(output, ("%s - Unwilling"):format(ip))
end
end
return stdnse.format_output(true, output)
end


@@ -40,55 +40,55 @@ portrule = shortport.port_or_service({9160}, {"cassandra"})
function action(host,port)
local socket = nmap.new_socket()
local cassinc = 2 -- cmd/resp starts at 2
local socket = nmap.new_socket()
local cassinc = 2 -- cmd/resp starts at 2
-- set a reasonable timeout value
socket:set_timeout(10000)
-- do some exception / cleanup
local catch = function()
socket:close()
end
-- set a reasonable timeout value
socket:set_timeout(10000)
-- do some exception / cleanup
local catch = function()
socket:close()
end
local try = nmap.new_try(catch)
local try = nmap.new_try(catch)
try( socket:connect(host, port) )
try( socket:connect(host, port) )
local results = {}
local results = {}
-- uglyness to allow creds.cassandra to work, as the port is not recognized
-- as cassandra even when service scan was run, taken from mongodb
local ps = port.service
port.service = 'cassandra'
local c = creds.Credentials:new(creds.ALL_DATA, host, port)
for cred in c:getCredentials(creds.State.VALID + creds.State.PARAM) do
local status, err = cassandra.login(socket, cred.user, cred.pass)
table.insert(results, ("Using credentials: %s"):format(cred.user.."/"..cred.pass))
if ( not(status) ) then
return err
end
end
port.service = ps
-- uglyness to allow creds.cassandra to work, as the port is not recognized
-- as cassandra even when service scan was run, taken from mongodb
local ps = port.service
port.service = 'cassandra'
local c = creds.Credentials:new(creds.ALL_DATA, host, port)
for cred in c:getCredentials(creds.State.VALID + creds.State.PARAM) do
local status, err = cassandra.login(socket, cred.user, cred.pass)
table.insert(results, ("Using credentials: %s"):format(cred.user.."/"..cred.pass))
if ( not(status) ) then
return err
end
end
port.service = ps
local status, val = cassandra.describe_cluster_name(socket,cassinc)
if (not(status)) then
return "Error getting cluster name: " .. val
end
cassinc = cassinc + 1
port.version.name ='cassandra'
port.version.product='Cassandra'
port.version.name_confidence = 10
nmap.set_port_version(host,port)
table.insert(results, ("Cluster name: %s"):format(val))
local status, val = cassandra.describe_cluster_name(socket,cassinc)
if (not(status)) then
return "Error getting cluster name: " .. val
end
cassinc = cassinc + 1
port.version.name ='cassandra'
port.version.product='Cassandra'
port.version.name_confidence = 10
nmap.set_port_version(host,port)
table.insert(results, ("Cluster name: %s"):format(val))
local status, val = cassandra.describe_version(socket,cassinc)
if (not(status)) then
return "Error getting version: " .. val
end
cassinc = cassinc + 1
port.version.product='Cassandra ('..val..')'
nmap.set_port_version(host,port)
table.insert(results, ("Version: %s"):format(val))
local status, val = cassandra.describe_version(socket,cassinc)
if (not(status)) then
return "Error getting version: " .. val
end
cassinc = cassinc + 1
port.version.product='Cassandra ('..val..')'
nmap.set_port_version(host,port)
table.insert(results, ("Version: %s"):format(val))
return stdnse.format_output(true, results)
return stdnse.format_output(true, results)
end


@@ -23,43 +23,43 @@ author = "David Fifield"
local NUM_TRIALS = 2
local function trial(host, port)
local status, data, s
local status, data, s
s = nmap.new_socket()
status, data = s:connect(host, port)
if not status then
return
end
s = nmap.new_socket()
status, data = s:connect(host, port)
if not status then
return
end
status, data = s:receive_bytes(0)
if not status then
s:close()
return
end
s:close()
status, data = s:receive_bytes(0)
if not status then
s:close()
return
end
s:close()
return data
return data
end
portrule = shortport.version_port_or_service({10000, 10001, 12000, 12001, 16000, 16001}, "cccam")
function action(host, port)
local seen = {}
local seen = {}
-- Try a couple of times to see that the response isn't constant. (But
-- more trials also increase the chance that we will reject a legitimate
-- cccam service.)
for i = 1, NUM_TRIALS do
local data
-- Try a couple of times to see that the response isn't constant. (But
-- more trials also increase the chance that we will reject a legitimate
-- cccam service.)
for i = 1, NUM_TRIALS do
local data
data = trial(host, port)
if not data or seen[data] or #data ~= 16 or not formulas.looksRandom(data) then
return
end
seen[data] = true
end
data = trial(host, port)
if not data or seen[data] or #data ~= 16 or not formulas.looksRandom(data) then
return
end
seen[data] = true
end
port.version.name = "cccam"
port.version.version = "CCcam DVR card sharing system"
nmap.set_port_version(host, port)
port.version.name = "cccam"
port.version.version = "CCcam DVR card sharing system"
nmap.set_port_version(host, port)
end


@@ -34,14 +34,14 @@ portrule = shortport.portnumber({8080,80,443}, "tcp")
action = function(host, port)
local xmldata = citrixxml.request_server_data(host.ip, port.number)
local servers = citrixxml.parse_server_data_response(xmldata)
local response = {}
local xmldata = citrixxml.request_server_data(host.ip, port.number)
local servers = citrixxml.parse_server_data_response(xmldata)
local response = {}
for _, srv in ipairs(servers) do
table.insert(response, srv)
end
for _, srv in ipairs(servers) do
table.insert(response, srv)
end
return stdnse.format_output(true, response)
return stdnse.format_output(true, response)
end


@@ -39,7 +39,7 @@ categories = {"discovery", "safe"}
portrule = shortport.port_or_service({5984})
-- Some lazy shortcuts
local function dbg(str,...)
stdnse.print_debug("couchdb-get-tables:"..str, ...)
stdnse.print_debug("couchdb-get-tables:"..str, ...)
end
local DISCARD = {}
@@ -49,51 +49,51 @@ local DISCARD = {}
-- @param data a table containg data
--@return another table containing data, with some keys removed
local function queryResultToTable(data)
local result = {}
for k,v in pairs(data) do
dbg("(%s,%s)",k,tostring(v))
if DISCARD[k] ~= 1 then
if type(v) == 'table' then
table.insert(result,k)
table.insert(result,queryResultToTable(v))
else
table.insert(result,(("%s = %s"):format(tostring(k), tostring(v))))
end
end
end
return result
local result = {}
for k,v in pairs(data) do
dbg("(%s,%s)",k,tostring(v))
if DISCARD[k] ~= 1 then
if type(v) == 'table' then
table.insert(result,k)
table.insert(result,queryResultToTable(v))
else
table.insert(result,(("%s = %s"):format(tostring(k), tostring(v))))
end
end
end
return result
end
action = function(host, port)
local data, result, err
dbg("Requesting all databases")
data = http.get( host, port, '/_all_dbs' )
local data, result, err
dbg("Requesting all databases")
data = http.get( host, port, '/_all_dbs' )
-- check that body was received
if not data.body or data.body == "" then
local msg = ("%s did not respond with any data."):format(host.targetname or host.ip )
dbg( msg )
return msg
end
-- check that body was received
if not data.body or data.body == "" then
local msg = ("%s did not respond with any data."):format(host.targetname or host.ip )
dbg( msg )
return msg
end
-- The html body should look like this :
-- ["somedatabase", "anotherdatabase"]
-- The html body should look like this :
-- ["somedatabase", "anotherdatabase"]
local status, result = json.parse(data.body)
if not status then
dbg(result)
return result
end
local status, result = json.parse(data.body)
if not status then
dbg(result)
return result
end
-- Here we know it is a couchdb
port.version.name ='httpd'
port.version.product='Apache CouchDB'
nmap.set_port_version(host,port)
-- Here we know it is a couchdb
port.version.name ='httpd'
port.version.product='Apache CouchDB'
nmap.set_port_version(host,port)
-- We have a valid table in result containing the parsed json
-- now, get all the interesting bits
-- We have a valid table in result containing the parsed json
-- now, get all the interesting bits
result = queryResultToTable(result)
result = queryResultToTable(result)
return stdnse.format_output(true, result )
return stdnse.format_output(true, result )
end


@@ -30,12 +30,12 @@ categories = {"auth", "default", "safe"}
postrule = function()
local all = creds.Credentials:new(creds.ALL_DATA)
local tab = all:getTable()
if ( tab and #tab > 0 ) then return true end
local all = creds.Credentials:new(creds.ALL_DATA)
local tab = all:getTable()
if ( tab and #tab > 0 ) then return true end
end
action = function()
local all = creds.Credentials:new(creds.ALL_DATA)
return (all and tostring(all) or nil)
local all = creds.Credentials:new(creds.ALL_DATA)
return (all and tostring(all) or nil)
end


@@ -47,35 +47,35 @@ local function fail(err) return ("\n ERROR: %s"):format(err or "") end
action = function(host, port)
local helper = ipp.Helper:new(host, port)
if ( not(helper:connect()) ) then
return fail("Failed to connect to server")
end
local helper = ipp.Helper:new(host, port)
if ( not(helper:connect()) ) then
return fail("Failed to connect to server")
end
local status, printers = helper:getPrinters()
if ( not(status) ) then
return
end
local status, printers = helper:getPrinters()
if ( not(status) ) then
return
end
local output = {}
for _, printer in ipairs(printers) do
local states = {
[ipp.IPP.PrinterState.IPP_PRINTER_IDLE] = "Idle",
[ipp.IPP.PrinterState.IPP_PRINTER_PROCESSING] = "Processing",
[ipp.IPP.PrinterState.IPP_PRINTER_STOPPED] = "Stopped",
}
local pos, state = bin.unpack(">I", printer.state)
table.insert(output, {
name = printer.name,
("DNS-SD Name: %s"):format(printer.dns_sd_name or ""),
("Location: %s"):format(printer.location or ""),
("Model: %s"):format(printer.model or ""),
("State: %s"):format(states[state] or ""),
("Queue: %s print jobs"):format(tonumber(printer.queue_count) or 0),
} )
end
local output = {}
for _, printer in ipairs(printers) do
local states = {
[ipp.IPP.PrinterState.IPP_PRINTER_IDLE] = "Idle",
[ipp.IPP.PrinterState.IPP_PRINTER_PROCESSING] = "Processing",
[ipp.IPP.PrinterState.IPP_PRINTER_STOPPED] = "Stopped",
}
local pos, state = bin.unpack(">I", printer.state)
table.insert(output, {
name = printer.name,
("DNS-SD Name: %s"):format(printer.dns_sd_name or ""),
("Location: %s"):format(printer.location or ""),
("Model: %s"):format(printer.model or ""),
("State: %s"):format(states[state] or ""),
("Queue: %s print jobs"):format(tonumber(printer.queue_count) or 0),
} )
end
if ( 0 ~= #output ) then
return stdnse.format_output(true, output)
end
if ( 0 ~= #output ) then
return stdnse.format_output(true, output)
end
end


@@ -37,13 +37,13 @@ portrule = shortport.port_or_service(631, "ipp", "tcp", "open")
local function fail(err) return ("\n ERROR: %s"):format(err or "") end
action = function(host, port)
local helper = ipp.Helper:new(host, port)
if ( not(helper:connect()) ) then
return fail("Failed to connect to server")
end
local helper = ipp.Helper:new(host, port)
if ( not(helper:connect()) ) then
return fail("Failed to connect to server")
end
local output = helper:getQueueInfo()
if ( output ) then
return stdnse.format_output(true, output)
end
local output = helper:getQueueInfo()
if ( output ) then
return stdnse.format_output(true, output)
end
end


@@ -43,65 +43,65 @@ portrule = shortport.port_or_service(2401, "cvspserver")
Driver =
{
new = function(self, host, port, repo)
local o = { repo = repo, helper = cvs.Helper:new(host, port) }
setmetatable(o, self)
self.__index = self
return o
end,
new = function(self, host, port, repo)
local o = { repo = repo, helper = cvs.Helper:new(host, port) }
setmetatable(o, self)
self.__index = self
return o
end,
connect = function( self )
self.helper:connect()
return true
end,
connect = function( self )
self.helper:connect()
return true
end,
login = function( self, username, password )
local status, err = self.helper:login( self.repo, username, password )
if ( status ) then
return true, brute.Account:new(username, password, creds.State.VALID)
end
login = function( self, username, password )
local status, err = self.helper:login( self.repo, username, password )
if ( status ) then
return true, brute.Account:new(username, password, creds.State.VALID)
end
-- This error seems to indicate tha the user does not exist
if ( err:match("E PAM start error%: Critical error %- immediate abort\0$") ) then
stdnse.print_debug(2, "%s: The user %s does not exist", SCRIPT_NAME, username)
local err = brute.Error:new("Account invalid")
err:setInvalidAccount(username)
return false, err
end
return false, brute.Error:new( "Incorrect password" )
end,
-- This error seems to indicate tha the user does not exist
if ( err:match("E PAM start error%: Critical error %- immediate abort\0$") ) then
stdnse.print_debug(2, "%s: The user %s does not exist", SCRIPT_NAME, username)
local err = brute.Error:new("Account invalid")
err:setInvalidAccount(username)
return false, err
end
return false, brute.Error:new( "Incorrect password" )
end,
disconnect = function( self )
self.helper:close()
end,
disconnect = function( self )
self.helper:close()
end,
}
local function getDiscoveredRepos(host)
if ( not(host.registry.cvs_repos)) then
return
end
if ( not(host.registry.cvs_repos)) then
return
end
return host.registry.cvs_repos
return host.registry.cvs_repos
end
action = function(host, port)
local repo = stdnse.get_script_args("cvs-brute.repo") and
{ stdnse.get_script_args("cvs-brute.repo") } or
getDiscoveredRepos(host)
if ( not(repo) ) then return "\n ERROR: No CVS repository specified (see cvs-brute.repo)" end
local repo = stdnse.get_script_args("cvs-brute.repo") and
{ stdnse.get_script_args("cvs-brute.repo") } or
getDiscoveredRepos(host)
if ( not(repo) ) then return "\n ERROR: No CVS repository specified (see cvs-brute.repo)" end
local status, result
local status, result
-- If repositories were discovered and not overridden by argument
-- only attempt to brute force the first one.
local engine = brute.Engine:new(Driver, host, port, repo[1])
-- If repositories were discovered and not overridden by argument
-- only attempt to brute force the first one.
local engine = brute.Engine:new(Driver, host, port, repo[1])
engine.options.script_name = SCRIPT_NAME
status, result = engine:start()
engine.options.script_name = SCRIPT_NAME
status, result = engine:start()
return result
return result
end


@@ -21,9 +21,9 @@ categories = {"discovery", "safe"}
portrule = shortport.port_or_service(13, "daytime", {"tcp", "udp"})
action = function(host, port)
local status, result = comm.exchange(host, port, "dummy", {lines=1, proto=port.protocol})
local status, result = comm.exchange(host, port, "dummy", {lines=1, proto=port.protocol})
if status then
return result
end
if status then
return result
end
end


@@ -31,64 +31,64 @@ categories = {"discovery", "safe", "default"}
portrule = shortport.version_port_or_service(523, "ibm-db2", "udp",
{"open", "open|filtered"})
{"open", "open|filtered"})
--- Converts the prodrel server string to a version string
--
-- @param server_version string containing the product release
-- @return ver string containing the version information
local function parseVersion( server_version )
local pfx = string.sub(server_version,1,3)
local pfx = string.sub(server_version,1,3)
if pfx == "SQL" then
local major_version = string.sub(server_version,4,5)
if pfx == "SQL" then
local major_version = string.sub(server_version,4,5)
-- strip the leading 0 from the major version, for consistency with
-- nmap-service-probes results
if string.sub(major_version,1,1) == "0" then
major_version = string.sub(major_version,2)
end
local minor_version = string.sub(server_version,6,7)
local hotfix = string.sub(server_version,8)
server_version = major_version .. "." .. minor_version .. "." .. hotfix
else
return "Unknown version"
end
-- strip the leading 0 from the major version, for consistency with
-- nmap-service-probes results
if string.sub(major_version,1,1) == "0" then
major_version = string.sub(major_version,2)
end
local minor_version = string.sub(server_version,6,7)
local hotfix = string.sub(server_version,8)
server_version = major_version .. "." .. minor_version .. "." .. hotfix
else
return "Unknown version"
end
return ("IBM DB2 v%s"):format(server_version)
return ("IBM DB2 v%s"):format(server_version)
end
action = function(host, port)
local DB2GETADDR = "DB2GETADDR\0SQL09010\0"
local socket = nmap.new_socket()
local result = {}
local DB2GETADDR = "DB2GETADDR\0SQL09010\0"
local socket = nmap.new_socket()
local result = {}
socket:set_timeout(5000)
socket:set_timeout(5000)
local status, err = socket:connect( host, port, "udp")
if ( not(status) ) then return end
local status, err = socket:connect( host, port, "udp")
if ( not(status) ) then return end
status, err = socket:send( DB2GETADDR )
if ( not(status) ) then return end
status, err = socket:send( DB2GETADDR )
if ( not(status) ) then return end
local data
status, data = socket:receive()
if( not(status) ) then
socket:close()
return
end
local data
status, data = socket:receive()
if( not(status) ) then
socket:close()
return
end
local version, srvname = data:match("DB2RETADDR.(SQL%d+).(.-)\0")
local version, srvname = data:match("DB2RETADDR.(SQL%d+).(.-)\0")
if ( status ) then
table.insert( result, ("Host: %s"):format(srvname) )
table.insert( result, ("Version: %s"):format(parseVersion(version)) )
end
if ( status ) then
table.insert( result, ("Host: %s"):format(srvname) )
table.insert( result, ("Version: %s"):format(parseVersion(version)) )
end
socket:close()
-- set port to open
nmap.set_port_state(host, port, "open")
socket:close()
-- set port to open
nmap.set_port_state(host, port, "open")
return stdnse.format_output( true, result )
return stdnse.format_output( true, result )
end


@@ -40,39 +40,39 @@ portrule = shortport.port_or_service(2628, "dict", "tcp")
local function fail(err) return ("\n ERROR: %s"):format(err or "") end
action = function(host, port)
local socket = nmap.new_socket()
if ( not(socket:connect(host, port)) ) then
return fail("Failed to connect to dictd server")
end
local socket = nmap.new_socket()
if ( not(socket:connect(host, port)) ) then
return fail("Failed to connect to dictd server")
end
local probes = {
'client "dict 1.12.0/rf on Linux 3.0.0-12-generic"',
'show server',
'quit',
}
local probes = {
'client "dict 1.12.0/rf on Linux 3.0.0-12-generic"',
'show server',
'quit',
}
if ( not(socket:send(stdnse.strjoin("\r\n", probes) .. "\r\n")) ) then
return fail("Failed to send request to server")
end
if ( not(socket:send(stdnse.strjoin("\r\n", probes) .. "\r\n")) ) then
return fail("Failed to send request to server")
end
local srvinfo
local srvinfo
repeat
local status, data = socket:receive_buf("\r\n", false)
if ( not(status) ) then
return fail("Failed to read response from server")
elseif ( data:match("^5") ) then
return fail(data)
elseif ( data:match("^114") ) then
srvinfo = {}
elseif ( srvinfo and not(data:match("^%.$")) ) then
table.insert(srvinfo, data)
end
until(not(status) or data:match("^221") or data:match("^%.$"))
socket:close()
repeat
local status, data = socket:receive_buf("\r\n", false)
if ( not(status) ) then
return fail("Failed to read response from server")
elseif ( data:match("^5") ) then
return fail(data)
elseif ( data:match("^114") ) then
srvinfo = {}
elseif ( srvinfo and not(data:match("^%.$")) ) then
table.insert(srvinfo, data)
end
until(not(status) or data:match("^221") or data:match("^%.$"))
socket:close()
-- if last item is an empty string remove it, to avoid trailing line feed
srvinfo[#srvinfo] = ( srvinfo[#srvinfo] ~= "" and srvinfo[#srvinfo] or nil )
-- if last item is an empty string remove it, to avoid trailing line feed
srvinfo[#srvinfo] = ( srvinfo[#srvinfo] ~= "" and srvinfo[#srvinfo] or nil )
return stdnse.format_output(true, srvinfo)
return stdnse.format_output(true, srvinfo)
end


@@ -53,56 +53,56 @@ local function fail(err) return ("\n ERROR: %s"):format(err or "") end
action = function(host, port)
local distcc_vuln = {
title = "distcc Daemon Command Execution",
IDS = {CVE = 'CVE-2004-2687'},
risk_factor = "High",
scores = {
CVSSv2 = "9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)",
},
description = [[
local distcc_vuln = {
title = "distcc Daemon Command Execution",
IDS = {CVE = 'CVE-2004-2687'},
risk_factor = "High",
scores = {
CVSSv2 = "9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)",
},
description = [[
Allows executing of arbitrary commands on systems running distccd 3.1 and
earlier. The vulnerability is the consequence of weak service configuration.
]],
references = {
'http://http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2687',
'http://http://www.osvdb.org/13378',
'http://distcc.googlecode.com/svn/trunk/doc/web/security.html',
},
dates = { disclosure = {year = '2002', month = '02', day = '01'}, },
exploit_results = {},
}
references = {
'http://http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2687',
'http://http://www.osvdb.org/13378',
'http://distcc.googlecode.com/svn/trunk/doc/web/security.html',
},
dates = { disclosure = {year = '2002', month = '02', day = '01'}, },
exploit_results = {},
}
local report = vulns.Report:new(SCRIPT_NAME, host, port)
distcc_vuln.state = vulns.STATE.NOT_VULN
local report = vulns.Report:new(SCRIPT_NAME, host, port)
distcc_vuln.state = vulns.STATE.NOT_VULN
local socket = nmap.new_socket()
if ( not(socket:connect(host, port)) ) then
return fail("Failed to connect to distcc server")
end
local socket = nmap.new_socket()
if ( not(socket:connect(host, port)) ) then
return fail("Failed to connect to distcc server")
end
local cmds = {
"DIST00000001",
("ARGC00000008ARGV00000002shARGV00000002-cARGV%08.8xsh -c " ..
"'(%s)'ARGV00000001#ARGV00000002-cARGV00000006main.cARGV00000002" ..
"-oARGV00000006main.o"):format(10 + #arg_cmd, arg_cmd),
"DOTI00000001A\n",
}
local cmds = {
"DIST00000001",
("ARGC00000008ARGV00000002shARGV00000002-cARGV%08.8xsh -c " ..
"'(%s)'ARGV00000001#ARGV00000002-cARGV00000006main.cARGV00000002" ..
"-oARGV00000006main.o"):format(10 + #arg_cmd, arg_cmd),
"DOTI00000001A\n",
}
for _, cmd in ipairs(cmds) do
if ( not(socket:send(cmd)) ) then
return fail("Failed to send data to distcc server")
end
end
for _, cmd in ipairs(cmds) do
if ( not(socket:send(cmd)) ) then
return fail("Failed to send data to distcc server")
end
end
local status, data = socket:receive_buf("DOTO00000000", false)
local status, data = socket:receive_buf("DOTO00000000", false)
if ( status ) then
local output = data:match("SOUT%w%w%w%w%w%w%w%w(.*)")
if (output and #output > 0) then
distcc_vuln.extra_info = stdnse.format_output(true, output)
distcc_vuln.state = vulns.STATE.EXPLOIT
return report:make_output(distcc_vuln)
end
end
if ( status ) then
local output = data:match("SOUT%w%w%w%w%w%w%w%w(.*)")
if (output and #output > 0) then
distcc_vuln.extra_info = stdnse.format_output(true, output)
distcc_vuln.state = vulns.STATE.EXPLOIT
return report:make_output(distcc_vuln)
end
end
end


@@ -55,13 +55,13 @@ categories = {"default", "discovery", "safe"}
portrule = shortport.portnumber(5353, "udp")
action = function(host, port)
local helper = dnssd.Helper:new( host, port )
local status, result = helper:queryServices()
local helper = dnssd.Helper:new( host, port )
local status, result = helper:queryServices()
if ( status ) then
-- set port to open
nmap.set_port_state(host, port, "open")
return stdnse.format_output(true, result)
end
if ( status ) then
-- set port to open
nmap.set_port_state(host, port, "open")
return stdnse.format_output(true, result)
end
end


@@ -50,55 +50,55 @@ portrule = shortport.port_or_service( 53, "dns", "udp", {"open", "open|filtered"
local function test(host, port)
local status, err = dns.update( "www.cqure.net", { host=host, port=port, dtype="A", data="10.10.10.10" } )
if ( status ) then stdnse.print_debug("SUCCESS") else stdnse.print_debug("FAIL: " .. (err or "")) end
status, err = dns.update( "www2", { zone="cqure.net", host=host, port=port, dtype="A", data="10.10.10.10" } )
if ( status ) then stdnse.print_debug("SUCCESS") else stdnse.print_debug("FAIL: " .. (err or "")) end
status, err = dns.update( "alias.cqure.net", { host=host, port=port, dtype="CNAME", data="www.cqure.net" } )
if ( status ) then stdnse.print_debug("SUCCESS") else stdnse.print_debug("FAIL: " .. (err or "")) end
status, err = dns.update( "cqure.net", { host=host, port=port, dtype="MX", data={ pref=10, mx="mail.cqure.net"} })
if ( status ) then stdnse.print_debug("SUCCESS") else stdnse.print_debug("FAIL: " .. (err or "")) end
status, err = dns.update( "_ldap._tcp.cqure.net", { host=host, port=port, dtype="SRV", data={ prio=0, weight=100, port=389, target="ldap.cqure.net" } } )
if ( status ) then stdnse.print_debug("SUCCESS") else stdnse.print_debug("FAIL: " .. (err or "")) end
local status, err = dns.update( "www.cqure.net", { host=host, port=port, dtype="A", data="10.10.10.10" } )
if ( status ) then stdnse.print_debug("SUCCESS") else stdnse.print_debug("FAIL: " .. (err or "")) end
status, err = dns.update( "www2", { zone="cqure.net", host=host, port=port, dtype="A", data="10.10.10.10" } )
if ( status ) then stdnse.print_debug("SUCCESS") else stdnse.print_debug("FAIL: " .. (err or "")) end
status, err = dns.update( "alias.cqure.net", { host=host, port=port, dtype="CNAME", data="www.cqure.net" } )
if ( status ) then stdnse.print_debug("SUCCESS") else stdnse.print_debug("FAIL: " .. (err or "")) end
status, err = dns.update( "cqure.net", { host=host, port=port, dtype="MX", data={ pref=10, mx="mail.cqure.net"} })
if ( status ) then stdnse.print_debug("SUCCESS") else stdnse.print_debug("FAIL: " .. (err or "")) end
status, err = dns.update( "_ldap._tcp.cqure.net", { host=host, port=port, dtype="SRV", data={ prio=0, weight=100, port=389, target="ldap.cqure.net" } } )
if ( status ) then stdnse.print_debug("SUCCESS") else stdnse.print_debug("FAIL: " .. (err or "")) end
status, err = dns.update( "www.cqure.net", { host=host, port=port, dtype="A", data="", ttl=0 } )
if ( status ) then stdnse.print_debug("SUCCESS") else stdnse.print_debug("FAIL: " .. (err or "")) end
status, err = dns.update( "www2.cqure.net", { host=host, port=port, dtype="A", data="", ttl=0 } )
if ( status ) then stdnse.print_debug("SUCCESS") else stdnse.print_debug("FAIL: " .. (err or "")) end
status, err = dns.update( "alias.cqure.net", { host=host, port=port, dtype="CNAME", data="", ttl=0 } )
if ( status ) then stdnse.print_debug("SUCCESS") else stdnse.print_debug("FAIL: " .. (err or "")) end
status, err = dns.update( "cqure.net", { host=host, port=port, dtype="MX", data="", ttl=0 } )
if ( status ) then stdnse.print_debug("SUCCESS") else stdnse.print_debug("FAIL: " .. (err or "")) end
status, err = dns.update( "_ldap._tcp.cqure.net", { host=host, port=port, dtype="SRV", data="", ttl=0 } )
if ( status ) then stdnse.print_debug("SUCCESS") else stdnse.print_debug("FAIL: " .. (err or "")) end
status, err = dns.update( "www.cqure.net", { host=host, port=port, dtype="A", data="", ttl=0 } )
if ( status ) then stdnse.print_debug("SUCCESS") else stdnse.print_debug("FAIL: " .. (err or "")) end
status, err = dns.update( "www2.cqure.net", { host=host, port=port, dtype="A", data="", ttl=0 } )
if ( status ) then stdnse.print_debug("SUCCESS") else stdnse.print_debug("FAIL: " .. (err or "")) end
status, err = dns.update( "alias.cqure.net", { host=host, port=port, dtype="CNAME", data="", ttl=0 } )
if ( status ) then stdnse.print_debug("SUCCESS") else stdnse.print_debug("FAIL: " .. (err or "")) end
status, err = dns.update( "cqure.net", { host=host, port=port, dtype="MX", data="", ttl=0 } )
if ( status ) then stdnse.print_debug("SUCCESS") else stdnse.print_debug("FAIL: " .. (err or "")) end
status, err = dns.update( "_ldap._tcp.cqure.net", { host=host, port=port, dtype="SRV", data="", ttl=0 } )
if ( status ) then stdnse.print_debug("SUCCESS") else stdnse.print_debug("FAIL: " .. (err or "")) end
end
action = function(host, port)
local t = stdnse.get_script_args('dns-update.test')
local name, ip = stdnse.get_script_args('dns-update.hostname', 'dns-update.ip')
local t = stdnse.get_script_args('dns-update.test')
local name, ip = stdnse.get_script_args('dns-update.hostname', 'dns-update.ip')
if ( t ) then return test(host, port) end
if ( not(name) or not(ip) ) then return end
if ( t ) then return test(host, port) end
if ( not(name) or not(ip) ) then return end
-- we really need an ip or name to continue
-- we could attempt a random name, but we need to know at least the name of the zone
local status, err = dns.update( name, { host=host, port=port, dtype="A", data=ip } )
-- we really need an ip or name to continue
-- we could attempt a random name, but we need to know at least the name of the zone
local status, err = dns.update( name, { host=host, port=port, dtype="A", data=ip } )
if ( status ) then
local result = {}
table.insert(result, ("Successfully added the record \"%s\""):format(name))
local status = dns.update( name, { host=host, port=port, dtype="A", data="", ttl=0 } )
if ( status ) then
table.insert(result, ("Successfully deleted the record \"%s\""):format(name))
else
table.insert(result, ("Failed to delete the record \"%s\""):format(name))
end
nmap.set_port_state(host, port, "open")
return stdnse.format_output(true, result)
elseif ( err ) then
return "\n ERROR: " .. err
end
if ( status ) then
local result = {}
table.insert(result, ("Successfully added the record \"%s\""):format(name))
local status = dns.update( name, { host=host, port=port, dtype="A", data="", ttl=0 } )
if ( status ) then
table.insert(result, ("Successfully deleted the record \"%s\""):format(name))
else
table.insert(result, ("Failed to delete the record \"%s\""):format(name))
end
nmap.set_port_state(host, port, "open")
return stdnse.format_output(true, result)
elseif ( err ) then
return "\n ERROR: " .. err
end
end


@@ -30,31 +30,31 @@ hostrule = function(host) return not(ipOps.isPrivate(host.ip)) end
action = function(host)
local levels = {
"Bulletproof hosted",
"Hacked webserver",
"Free hosting service",
"Unknown",
"Hosted on a FastFlux botnet"
}
local dname = dns.reverse(host.ip)
dname = dname:gsub ("%.in%-addr%.arpa",".ipbl.zeustracker.abuse.ch")
local status, result = dns.query(dname, {dtype='TXT', retAll=true} )
local levels = {
"Bulletproof hosted",
"Hacked webserver",
"Free hosting service",
"Unknown",
"Hosted on a FastFlux botnet"
}
local dname = dns.reverse(host.ip)
dname = dname:gsub ("%.in%-addr%.arpa",".ipbl.zeustracker.abuse.ch")
local status, result = dns.query(dname, {dtype='TXT', retAll=true} )
if ( not(status) and result == "No Such Name" ) then
return
elseif ( not(status) ) then
return stdnse.format_output(false, "DNS Query failed")
end
if ( not(status) and result == "No Such Name" ) then
return
elseif ( not(status) ) then
return stdnse.format_output(false, "DNS Query failed")
end
local output = tab.new(9)
tab.addrow(output, "Name", "IP", "SBL", "ASN", "Country", "Status", "Level",
"Files Online", "Date added")
for _, record in ipairs(result) do
local name, ip, sbl, asn, country, status, level, files_online,
dateadded = table.unpack(stdnse.strsplit("| ", record))
level = levels[tonumber(level)] or "Unknown"
tab.addrow(output, name, ip, sbl, asn, country, status, level, files_online, dateadded)
end
return stdnse.format_output(true, tab.dump(output))
local output = tab.new(9)
tab.addrow(output, "Name", "IP", "SBL", "ASN", "Country", "Status", "Level",
"Files Online", "Date added")
for _, record in ipairs(result) do
local name, ip, sbl, asn, country, status, level, files_online,
dateadded = table.unpack(stdnse.strsplit("| ", record))
level = levels[tonumber(level)] or "Unknown"
tab.addrow(output, name, ip, sbl, asn, country, status, level, files_online, dateadded)
end
return stdnse.format_output(true, tab.dump(output))
end


@@ -30,28 +30,28 @@ portrule = shortport.port_or_service (4369, "epmd")
local NAMESREQ = 110
action = function(host, port)
local socket = nmap.new_socket()
local status, err = socket:connect(host.ip, port.number)
if not status then
return {}
end
local payload = bin.pack("C", NAMESREQ)
local probe = bin.pack(">SA", #payload, payload)
socket:send(probe)
local status = true
local data = ""
local tmp = ""
while status do
data = data .. tmp
status, tmp = socket:receive()
end
local pos, realport = bin.unpack(">I", data)
local nodestring = string.sub(data, pos, -2)
local nodes = stdnse.strsplit("\n", nodestring)
local response = {}
table.insert(response, 'epmd running on port ' .. realport)
for _, node in ipairs(nodes) do
table.insert(response, node)
end
return stdnse.format_output(true, response)
local socket = nmap.new_socket()
local status, err = socket:connect(host.ip, port.number)
if not status then
return {}
end
local payload = bin.pack("C", NAMESREQ)
local probe = bin.pack(">SA", #payload, payload)
socket:send(probe)
local status = true
local data = ""
local tmp = ""
while status do
data = data .. tmp
status, tmp = socket:receive()
end
local pos, realport = bin.unpack(">I", data)
local nodestring = string.sub(data, pos, -2)
local nodes = stdnse.strsplit("\n", nodestring)
local response = {}
table.insert(response, 'epmd running on port ' .. realport)
for _, node in ipairs(nodes) do
table.insert(response, node)
end
return stdnse.format_output(true, response)
end


@@ -40,64 +40,64 @@ portrule = shortport.port_or_service(3031, "eppc", "tcp", "open")
action = function( host, port )
local socket = nmap.new_socket()
socket:set_timeout(5000)
local socket = nmap.new_socket()
socket:set_timeout(5000)
local try = nmap.new_try(
function()
stdnse.print_debug("%s: failed", SCRIPT_NAME)
socket:close()
end
)
local try = nmap.new_try(
function()
stdnse.print_debug("%s: failed", SCRIPT_NAME)
socket:close()
end
)
-- a list of application that may or may not be running on the target
local apps = {
"Address Book",
"App Store",
"Facetime",
"Finder",
"Firefox",
"Google Chrome",
"iChat",
"iPhoto",
"Keychain Access",
"iTunes",
"Photo booth",
"QuickTime Player",
"Remote Buddy",
"Safari",
"Spotify",
"Terminal",
"TextMate",
"Transmission",
"VLC",
"VLC media player",
}
-- a list of application that may or may not be running on the target
local apps = {
"Address Book",
"App Store",
"Facetime",
"Finder",
"Firefox",
"Google Chrome",
"iChat",
"iPhoto",
"Keychain Access",
"iTunes",
"Photo booth",
"QuickTime Player",
"Remote Buddy",
"Safari",
"Spotify",
"Terminal",
"TextMate",
"Transmission",
"VLC",
"VLC media player",
}
local results = tab.new(3)
tab.addrow( results, "application", "uid", "pid" )
local results = tab.new(3)
tab.addrow( results, "application", "uid", "pid" )
for _, app in ipairs(apps) do
try( socket:connect(host, port, "tcp") )
local data
for _, app in ipairs(apps) do
try( socket:connect(host, port, "tcp") )
local data
local packets = {
"PPCT\0\0\0\1\0\0\0\1",
-- unfortunately I've found no packet specifications, so this has to do
bin.pack("HCpH", "e44c50525401e101", 225 + #app, app, "dfdbe302013ddfdfdfdfd500")
}
local packets = {
"PPCT\0\0\0\1\0\0\0\1",
-- unfortunately I've found no packet specifications, so this has to do
bin.pack("HCpH", "e44c50525401e101", 225 + #app, app, "dfdbe302013ddfdfdfdfd500")
}
for _, v in ipairs(packets) do
try( socket:send(v) )
data = try( socket:receive() )
end
for _, v in ipairs(packets) do
try( socket:send(v) )
data = try( socket:receive() )
end
local uid, pid = data:match("uid=(%d+)&pid=(%d+)")
if ( uid and pid ) then tab.addrow( results, app, uid, pid ) end
local uid, pid = data:match("uid=(%d+)&pid=(%d+)")
if ( uid and pid ) then tab.addrow( results, app, uid, pid ) end
try( socket:close() )
end
try( socket:close() )
end
return "\n" .. tab.dump(results)
return "\n" .. tab.dump(results)
end


@@ -30,8 +30,8 @@ categories = {"default", "discovery", "safe"}
portrule = shortport.port_or_service(79, "finger")
action = function(host, port)
local try = nmap.new_try()
local try = nmap.new_try()
return try(comm.exchange(host, port, "\r\n",
{lines=100, proto=port.protocol, timeout=5000}))
return try(comm.exchange(host, port, "\r\n",
{lines=100, proto=port.protocol, timeout=5000}))
end


@@ -48,57 +48,57 @@ categories = { "default", "discovery", "safe", "version" }
portrule = shortport.version_port_or_service({2302}, "freelancer", "udp")
action = function(host, port)
local status, data = comm.exchange(host, port.number,
"\x00\x02\xf1\x26\x01\x26\xf0\x90\xa6\xf0\x26\x57\x4e\xac\xa0\xec\xf8\x68\xe4\x8d\x21",
{ proto = "udp", timeout = 3000 })
if not status then
return
end
local status, data = comm.exchange(host, port.number,
"\x00\x02\xf1\x26\x01\x26\xf0\x90\xa6\xf0\x26\x57\x4e\xac\xa0\xec\xf8\x68\xe4\x8d\x21",
{ proto = "udp", timeout = 3000 })
if not status then
return
end
-- port is open
nmap.set_port_state(host, port, "open")
-- port is open
nmap.set_port_state(host, port, "open")
local passwordbyte, maxplayers, numplayers, name, pvpallow, newplayersallow, description =
string.match(data, "^\x00\x03\xf1\x26............(.)...(.)...(.)...................................................................(.*)\0\0(.):(.):.*:.*:.*:(.*)\0\0$")
if not passwordbyte then
return
end
local passwordbyte, maxplayers, numplayers, name, pvpallow, newplayersallow, description =
string.match(data, "^\x00\x03\xf1\x26............(.)...(.)...(.)...................................................................(.*)\0\0(.):(.):.*:.*:.*:(.*)\0\0$")
if not passwordbyte then
return
end
local o = stdnse.output_table()
local o = stdnse.output_table()
o["server name"] = string.gsub(name, "[^%g%s]", "")
o["server description"] = string.gsub(description, "[^%g%s]", "")
o["players"] = numplayers:byte(1) - 1
o["max. players"] = maxplayers:byte(1) - 1
o["server name"] = string.gsub(name, "[^%g%s]", "")
o["server description"] = string.gsub(description, "[^%g%s]", "")
o["players"] = numplayers:byte(1) - 1
o["max. players"] = maxplayers:byte(1) - 1
passwordbyte = passwordbyte:byte(1)
if bit.band(passwordbyte, 128) ~= 0 then
o["password"] = "yes"
else
o["password"] = "no"
end
passwordbyte = passwordbyte:byte(1)
if bit.band(passwordbyte, 128) ~= 0 then
o["password"] = "yes"
else
o["password"] = "no"
end
o["allow players to harm other players"] = "n/a"
if pvpallow == "1" then
o["allow players to harm other players"] = "yes"
elseif pvpallow == "0" then
o["allow players to harm other players"] = "no"
end
o["allow players to harm other players"] = "n/a"
if pvpallow == "1" then
o["allow players to harm other players"] = "yes"
elseif pvpallow == "0" then
o["allow players to harm other players"] = "no"
end
o["allow new players"] = "n/a"
if newplayersallow == "1" then
o["allow new players"] = "yes"
elseif newplayersallow == "0" then
o["allow new players"] = "no"
end
o["allow new players"] = "n/a"
if newplayersallow == "1" then
o["allow new players"] = "yes"
elseif newplayersallow == "0" then
o["allow new players"] = "no"
end
port.version.name = "freelancer"
port.version.name_confidence = 10
port.version.product = "Freelancer"
port.version.extrainfo = "name: " .. o["server name"] .. "; players: " ..
o["players"] .. "/" .. o["max. players"] .. "; password: " .. o["password"]
port.version.name = "freelancer"
port.version.name_confidence = 10
port.version.product = "Freelancer"
port.version.extrainfo = "name: " .. o["server name"] .. "; players: " ..
o["players"] .. "/" .. o["max. players"] .. "; password: " .. o["password"]
nmap.set_port_version(host, port, "hardmatched")
nmap.set_port_version(host, port, "hardmatched")
return o
return o
end


@@ -41,61 +41,61 @@ categories = {"vuln","intrusive"}
portrule = shortport.port_or_service(21, "ftp")
action = function(host, port)
local opie_vuln = {
title = "OPIE off-by-one stack overflow",
IDS = {CVE = 'CVE-2010-1938', OSVDB = '64949'},
risk_factor = "High",
scores = {
CVSSv2 = "9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)",
},
description = [[
local opie_vuln = {
title = "OPIE off-by-one stack overflow",
IDS = {CVE = 'CVE-2010-1938', OSVDB = '64949'},
risk_factor = "High",
scores = {
CVSSv2 = "9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)",
},
description = [[
An off-by-one error in OPIE library 2.4.1-test1 and earlier, allows remote
attackers to cause a denial of service or possibly execute arbitrary code
via a long username.]],
references = {
'http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc',
'http://site.pi3.com.pl/adv/libopie-adv.txt',
},
dates = {
disclosure = {year = '2010', month = '05', day = '27'},
},
}
references = {
'http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc',
'http://site.pi3.com.pl/adv/libopie-adv.txt',
},
dates = {
disclosure = {year = '2010', month = '05', day = '27'},
},
}
local report = vulns.Report:new(SCRIPT_NAME, host, port)
local report = vulns.Report:new(SCRIPT_NAME, host, port)
local socket = nmap.new_socket()
local result
-- If we use more that 31 chars for username, ftpd will crash (quoted from the advisory).
local user_account = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
local status = true
local socket = nmap.new_socket()
local result
-- If we use more that 31 chars for username, ftpd will crash (quoted from the advisory).
local user_account = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
local status = true
local err_catch = function()
socket:close()
end
local err_catch = function()
socket:close()
end
local try = nmap.new_try(err_catch)
local try = nmap.new_try(err_catch)
socket:set_timeout(10000)
try(socket:connect(host, port))
socket:set_timeout(10000)
try(socket:connect(host, port))
-- First, try a safe User so that we are sure that everything is ok
local payload = "USER opie\r\n"
try(socket:send(payload))
-- First, try a safe User so that we are sure that everything is ok
local payload = "USER opie\r\n"
try(socket:send(payload))
status, result = socket:receive_lines(1);
if status and not (string.match(result,"^421")) then
status, result = socket:receive_lines(1);
if status and not (string.match(result,"^421")) then
-- Second, try the vulnerable user account
local payload = "USER " .. user_account .. "\r\n"
try(socket:send(payload))
-- Second, try the vulnerable user account
local payload = "USER " .. user_account .. "\r\n"
try(socket:send(payload))
status, result = socket:receive_lines(1);
if status then
opie_vuln.state = vulns.STATE.NOT_VULN
else
-- if the server does not answer anymore we may have reached a stack overflow condition
opie_vuln.state = vulns.STATE.LIKELY_VULN
end
end
return report:make_output(opie_vuln)
status, result = socket:receive_lines(1);
if status then
opie_vuln.state = vulns.STATE.NOT_VULN
else
-- if the server does not answer anymore we may have reached a stack overflow condition
opie_vuln.state = vulns.STATE.LIKELY_VULN
end
end
return report:make_output(opie_vuln)
end


@@ -30,32 +30,32 @@ portrule = shortport.port_or_service( {2809,1050,1049} , "giop", "tcp", "open")
action = function(host, port)
local helper = giop.Helper:new( host, port )
local ctx, objs, status, err
local result = {}
local helper = giop.Helper:new( host, port )
local ctx, objs, status, err
local result = {}
status, err = helper:Connect()
if ( not(status) ) then return err end
status, err = helper:Connect()
if ( not(status) ) then return err end
status, ctx = helper:GetNamingContext()
if ( not(status) ) then return " \n ERROR: " .. ctx end
status, ctx = helper:GetNamingContext()
if ( not(status) ) then return " \n ERROR: " .. ctx end
status, objs = helper:ListObjects(ctx)
if ( not(status) ) then return " \n ERROR: " .. objs end
status, objs = helper:ListObjects(ctx)
if ( not(status) ) then return " \n ERROR: " .. objs end
for _, obj in ipairs( objs ) do
local tmp = ""
for _, obj in ipairs( objs ) do
local tmp = ""
if ( obj.enum == 0 ) then
tmp = "Object: "
elseif( obj.enum == 1 ) then
tmp = "Context: "
else
tmp = "Unknown: "
end
if ( obj.enum == 0 ) then
tmp = "Object: "
elseif( obj.enum == 1 ) then
tmp = "Context: "
else
tmp = "Unknown: "
end
table.insert(result, tmp .. obj.id )
end
table.insert(result, tmp .. obj.id )
end
return stdnse.format_output(true, result)
return stdnse.format_output(true, result)
end


@@ -32,60 +32,60 @@ categories = {"default", "discovery", "safe"}
portrule = shortport.port_or_service (70, "gopher", {"tcp"})
local function typelabel(gtype)
if gtype == "0" then
return "[txt]"
end
if gtype == "1" then
return "[dir]"
end
return string.format("[%s]", gtype)
if gtype == "0" then
return "[txt]"
end
if gtype == "1" then
return "[dir]"
end
return string.format("[%s]", gtype)
end
action = function( host, port )
local INFO = "i"
local maxfiles = stdnse.get_script_args(SCRIPT_NAME..".maxfiles")
if not maxfiles then
maxfiles = 10
else
maxfiles = tonumber(maxfiles)
end
if maxfiles < 1 then
maxfiles = nil
end
local INFO = "i"
local maxfiles = stdnse.get_script_args(SCRIPT_NAME..".maxfiles")
if not maxfiles then
maxfiles = 10
else
maxfiles = tonumber(maxfiles)
end
if maxfiles < 1 then
maxfiles = nil
end
local socket = nmap.new_socket()
local status, err = socket:connect(host.ip, port.number)
if not status then
return
end
local socket = nmap.new_socket()
local status, err = socket:connect(host.ip, port.number)
if not status then
return
end
socket:send("\r\n")
socket:send("\r\n")
local buffer, _ = stdnse.make_buffer(socket, "\r\n")
local line = buffer()
local files = {}
local buffer, _ = stdnse.make_buffer(socket, "\r\n")
local line = buffer()
local files = {}
while line ~= nil do
if #line > 1 then
local gtype = string.sub(line, 1, 1)
local fields = stdnse.strsplit("\t", string.sub(line, 2))
if #fields > 1 then
local label = fields[1]
local filename = fields[2]
if gtype ~= INFO then
if maxfiles and #files >= maxfiles then
table.insert(files, string.format('Only %d shown. Use --script-args %s.maxfiles=-1 to see all.', maxfiles, SCRIPT_NAME))
break
else
table.insert(files, string.format('%s %s "%s"', typelabel(gtype), filename, label))
end
end
end
end
line = buffer()
end
return "\n" .. stdnse.strjoin("\n", files)
while line ~= nil do
if #line > 1 then
local gtype = string.sub(line, 1, 1)
local fields = stdnse.strsplit("\t", string.sub(line, 2))
if #fields > 1 then
local label = fields[1]
local filename = fields[2]
if gtype ~= INFO then
if maxfiles and #files >= maxfiles then
table.insert(files, string.format('Only %d shown. Use --script-args %s.maxfiles=-1 to see all.', maxfiles, SCRIPT_NAME))
break
else
table.insert(files, string.format('%s %s "%s"', typelabel(gtype), filename, label))
end
end
end
end
line = buffer()
end
return "\n" .. stdnse.strjoin("\n", files)
end


@@ -34,70 +34,70 @@ local arg_timeout = stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME ..
arg_timeout = arg_timeout or 10
local function updateData(gpsinfo, entry)
for k, v in pairs(gpsinfo) do
if ( entry[k] and 0 < #tostring(entry[k]) ) then
gpsinfo[k] = entry[k]
end
end
for k, v in pairs(gpsinfo) do
if ( entry[k] and 0 < #tostring(entry[k]) ) then
gpsinfo[k] = entry[k]
end
end
end
local function hasAllData(gpsinfo)
for k, v in pairs(gpsinfo) do
if ( k ~= "speed" and v == '-' ) then
return false
end
end
return true
for k, v in pairs(gpsinfo) do
if ( k ~= "speed" and v == '-' ) then
return false
end
end
return true
end
local function fail(err) return ("\n ERROR: %s"):format(err or "") end
action = function(host, port)
local gpsinfo = {
longitude = "-",
latitude = "-",
speed = "-",
time = "-",
date = "-",
}
local gpsinfo = {
longitude = "-",
latitude = "-",
speed = "-",
time = "-",
date = "-",
}
local socket = nmap.new_socket()
socket:set_timeout(1000)
local socket = nmap.new_socket()
socket:set_timeout(1000)
local status = socket:connect(host, port)
local status = socket:connect(host, port)
if ( not(status) ) then
return fail("Failed to connect to server")
end
if ( not(status) ) then
return fail("Failed to connect to server")
end
-- get the banner
local status, line = socket:receive_lines(1)
socket:send('?WATCH={"enable":true,"nmea":true}\r\n')
-- get the banner
local status, line = socket:receive_lines(1)
socket:send('?WATCH={"enable":true,"nmea":true}\r\n')
local start_time = os.time()
local start_time = os.time()
repeat
local entry
status, line = socket:receive_buf("\r\n", false)
if ( status ) then
status, entry = gps.NMEA.parse(line)
if ( status ) then
updateData(gpsinfo, entry)
end
end
until( os.time() - start_time > arg_timeout or hasAllData(gpsinfo) )
repeat
local entry
status, line = socket:receive_buf("\r\n", false)
if ( status ) then
status, entry = gps.NMEA.parse(line)
if ( status ) then
updateData(gpsinfo, entry)
end
end
until( os.time() - start_time > arg_timeout or hasAllData(gpsinfo) )
socket:send('?WATCH={"enable":false}\r\n')
socket:send('?WATCH={"enable":false}\r\n')
if ( not(hasAllData(gpsinfo)) ) then
return
end
if ( not(hasAllData(gpsinfo)) ) then
return
end
local output = {
("Time of fix: %s"):format(stdnse.format_timestamp(gps.Util.convertTime(gpsinfo.date, gpsinfo.time))),
("Coordinates: %.4f,%.4f"):format(tonumber(gpsinfo.latitude), tonumber(gpsinfo.longitude)),
("Speed: %s knots"):format(gpsinfo.speed)
}
return stdnse.format_output(true, output)
local output = {
("Time of fix: %s"):format(stdnse.format_timestamp(gps.Util.convertTime(gpsinfo.date, gpsinfo.time))),
("Coordinates: %.4f,%.4f"):format(tonumber(gpsinfo.latitude), tonumber(gpsinfo.longitude)),
("Speed: %s knots"):format(gpsinfo.speed)
}
return stdnse.format_output(true, output)
end


@@ -34,30 +34,30 @@ categories = {"default", "discovery", "safe"}
portrule = function(host, port)
-- Run for the special port number, or for any HTTP-like service that is
-- not on a usual HTTP port.
return shortport.port_or_service({50075}, "hadoop-datanode")(host, port)
or (shortport.service(shortport.LIKELY_HTTP_SERVICES)(host, port) and not shortport.portnumber(shortport.LIKELY_HTTP_PORTS)(host, port))
-- Run for the special port number, or for any HTTP-like service that is
-- not on a usual HTTP port.
return shortport.port_or_service({50075}, "hadoop-datanode")(host, port)
or (shortport.service(shortport.LIKELY_HTTP_SERVICES)(host, port) and not shortport.portnumber(shortport.LIKELY_HTTP_PORTS)(host, port))
end
action = function( host, port )
local result = {}
local uri = "/browseDirectory.jsp"
stdnse.print_debug(1, ("%s:HTTP GET %s:%s%s"):format(SCRIPT_NAME, host.targetname or host.ip, port.number, uri))
local response = http.get( host, port, uri )
stdnse.print_debug(1, ("%s: Status %s"):format(SCRIPT_NAME,response['status-line'] or "No Response"))
if response['status-line'] and response['status-line']:match("200%s+OK") and response['body'] then
local body = response['body']:gsub("%%","%%%%")
stdnse.print_debug(2, ("%s: Body %s\n"):format(SCRIPT_NAME,body))
if body:match("([^][\"]+)\">Log") then
port.version.name = "hadoop-datanode"
port.version.product = "Apache Hadoop"
nmap.set_port_version(host, port)
local logs = body:match("([^][\"]+)\">Log")
stdnse.print_debug(1, ("%s: Logs %s"):format(SCRIPT_NAME,logs))
table.insert(result, ("Logs: %s"):format(logs))
end
return stdnse.format_output(true, result)
end
local result = {}
local uri = "/browseDirectory.jsp"
stdnse.print_debug(1, ("%s:HTTP GET %s:%s%s"):format(SCRIPT_NAME, host.targetname or host.ip, port.number, uri))
local response = http.get( host, port, uri )
stdnse.print_debug(1, ("%s: Status %s"):format(SCRIPT_NAME,response['status-line'] or "No Response"))
if response['status-line'] and response['status-line']:match("200%s+OK") and response['body'] then
local body = response['body']:gsub("%%","%%%%")
stdnse.print_debug(2, ("%s: Body %s\n"):format(SCRIPT_NAME,body))
if body:match("([^][\"]+)\">Log") then
port.version.name = "hadoop-datanode"
port.version.product = "Apache Hadoop"
nmap.set_port_version(host, port)
local logs = body:match("([^][\"]+)\">Log")
stdnse.print_debug(1, ("%s: Logs %s"):format(SCRIPT_NAME,logs))
table.insert(result, ("Logs: %s"):format(logs))
end
return stdnse.format_output(true, result)
end
end


@@ -38,45 +38,45 @@ categories = {"default", "discovery", "safe"}
portrule = function(host, port)
-- Run for the special port number, or for any HTTP-like service that is
-- not on a usual HTTP port.
return shortport.port_or_service ({50060}, "hadoop-tasktracker")(host, port)
or (shortport.service(shortport.LIKELY_HTTP_SERVICES)(host, port) and not shortport.portnumber(shortport.LIKELY_HTTP_PORTS)(host, port))
-- Run for the special port number, or for any HTTP-like service that is
-- not on a usual HTTP port.
return shortport.port_or_service ({50060}, "hadoop-tasktracker")(host, port)
or (shortport.service(shortport.LIKELY_HTTP_SERVICES)(host, port) and not shortport.portnumber(shortport.LIKELY_HTTP_PORTS)(host, port))
end
action = function( host, port )
local result = {}
local uri = "/tasktracker.jsp"
stdnse.print_debug(1, ("%s:HTTP GET %s:%s%s"):format(SCRIPT_NAME, host.targetname or host.ip, port.number, uri))
local response = http.get( host, port, uri )
stdnse.print_debug(1, ("%s: Status %s"):format(SCRIPT_NAME,response['status-line'] or "No Response"))
if response['status-line'] and response['status-line']:match("200%s+OK") and response['body'] then
local body = response['body']:gsub("%%","%%%%")
stdnse.print_debug(2, ("%s: Body %s\n"):format(SCRIPT_NAME,body))
if response['body']:match("Version:</b>%s*([^][<]+)") then
local version = response['body']:match("Version:</b>%s*([^][<]+)")
local versionNo = version:match("([^][,]+)")
local versionHash = version:match("[^][,]+%s+(%w+)")
stdnse.print_debug(1, ("%s: Version %s (%s)"):format(SCRIPT_NAME,versionNo,versionHash))
table.insert(result, ("Version: %s (%s)"):format(versionNo,versionHash))
port.version.version = version
end
if response['body']:match("Compiled:</b>%s*([^][<]+)") then
local compiled = response['body']:match("Compiled:</b>%s*([^][<]+)"):gsub("%s+", " ")
stdnse.print_debug(1, ("%s: Compiled %s"):format(SCRIPT_NAME,compiled))
table.insert(result, ("Compiled: %s"):format(compiled))
end
if body:match("([^][\"]+)\">Log") then
local logs = body:match("([^][\"]+)\">Log")
stdnse.print_debug(1, ("%s: Logs %s"):format(SCRIPT_NAME,logs))
table.insert(result, ("Logs: %s"):format(logs))
end
if #result > 0 then
port.version.name = "hadoop-tasktracker"
port.version.product = "Apache Hadoop"
nmap.set_port_version(host, port)
end
return stdnse.format_output(true, result)
end
local result = {}
local uri = "/tasktracker.jsp"
stdnse.print_debug(1, ("%s:HTTP GET %s:%s%s"):format(SCRIPT_NAME, host.targetname or host.ip, port.number, uri))
local response = http.get( host, port, uri )
stdnse.print_debug(1, ("%s: Status %s"):format(SCRIPT_NAME,response['status-line'] or "No Response"))
if response['status-line'] and response['status-line']:match("200%s+OK") and response['body'] then
local body = response['body']:gsub("%%","%%%%")
stdnse.print_debug(2, ("%s: Body %s\n"):format(SCRIPT_NAME,body))
if response['body']:match("Version:</b>%s*([^][<]+)") then
local version = response['body']:match("Version:</b>%s*([^][<]+)")
local versionNo = version:match("([^][,]+)")
local versionHash = version:match("[^][,]+%s+(%w+)")
stdnse.print_debug(1, ("%s: Version %s (%s)"):format(SCRIPT_NAME,versionNo,versionHash))
table.insert(result, ("Version: %s (%s)"):format(versionNo,versionHash))
port.version.version = version
end
if response['body']:match("Compiled:</b>%s*([^][<]+)") then
local compiled = response['body']:match("Compiled:</b>%s*([^][<]+)"):gsub("%s+", " ")
stdnse.print_debug(1, ("%s: Compiled %s"):format(SCRIPT_NAME,compiled))
table.insert(result, ("Compiled: %s"):format(compiled))
end
if body:match("([^][\"]+)\">Log") then
local logs = body:match("([^][\"]+)\">Log")
stdnse.print_debug(1, ("%s: Logs %s"):format(SCRIPT_NAME,logs))
table.insert(result, ("Logs: %s"):format(logs))
end
if #result > 0 then
port.version.name = "hadoop-tasktracker"
port.version.product = "Apache Hadoop"
nmap.set_port_version(host, port)
end
return stdnse.format_output(true, result)
end
end


@@ -43,58 +43,58 @@ categories = {"default", "discovery", "safe"}
portrule = function(host, port)
-- Run for the special port number, or for any HTTP-like service that is
-- not on a usual HTTP port.
return shortport.port_or_service ({60030}, "hbase-region")(host, port)
or (shortport.service(shortport.LIKELY_HTTP_SERVICES)(host, port) and not shortport.portnumber(shortport.LIKELY_HTTP_PORTS)(host, port))
-- Run for the special port number, or for any HTTP-like service that is
-- not on a usual HTTP port.
return shortport.port_or_service ({60030}, "hbase-region")(host, port)
or (shortport.service(shortport.LIKELY_HTTP_SERVICES)(host, port) and not shortport.portnumber(shortport.LIKELY_HTTP_PORTS)(host, port))
end
action = function( host, port )
local result = {}
local region_servers = {}
-- uri was previously "/regionserver.jsp". See
-- http://seclists.org/nmap-dev/2012/q3/903.
local uri = "/rs-status"
stdnse.print_debug(1, ("%s:HTTP GET %s:%s%s"):format(SCRIPT_NAME, host.targetname or host.ip, port.number, uri))
local response = http.get( host, port, uri )
stdnse.print_debug(1, ("%s: Status %s"):format(SCRIPT_NAME,response['status-line'] or "No Response"))
if response['status-line'] and response['status-line']:match("200%s+OK") and response['body'] then
local body = response['body']:gsub("%%","%%%%")
stdnse.print_debug(2, ("%s: Body %s\n"):format(SCRIPT_NAME,body))
if body:match("HBase%s+Version</td><td>([^][<]+)") then
local version = body:match("HBase%s+Version</td><td>([^][<]+)"):gsub("%s+", " ")
stdnse.print_debug(1, ("%s:Hbase Version %s"):format(SCRIPT_NAME,version))
table.insert(result, ("Hbase Version: %s"):format(version))
port.version.version = version
end
if body:match("HBase%s+Compiled</td><td>([^][<]+)") then
local compiled = body:match("HBase%s+Compiled</td><td>([^][<]+)"):gsub("%s+", " ")
stdnse.print_debug(1, ("%s: Hbase Compiled %s"):format(SCRIPT_NAME,compiled))
table.insert(result, ("Hbase Compiled: %s"):format(compiled))
end
if body:match("Metrics</td><td>([^][<]+)") then
local metrics = body:match("Metrics</td><td>([^][<]+)"):gsub("%s+", " ")
stdnse.print_debug(1, ("%s: Metrics %s"):format(SCRIPT_NAME,metrics))
table.insert(result, ("Metrics %s"):format(metrics))
end
if body:match("Quorum</td><td>([^][<]+)") then
local quorum = body:match("Quorum</td><td>([^][<]+)"):gsub("%s+", " ")
stdnse.print_debug(1, ("%s: Zookeeper Quorum %s"):format(SCRIPT_NAME,quorum))
table.insert(result, ("Zookeeper Quorum: %s"):format(quorum))
if target.ALLOW_NEW_TARGETS then
if quorum:match("([%w%.]+)") then
local newtarget = quorum:match("([%w%.]+)")
stdnse.print_debug(1, ("%s: Added target: %s"):format(SCRIPT_NAME, newtarget))
local status,err = target.add(newtarget)
end
end
end
if #result > 0 then
port.version.name = "hbase-region"
port.version.product = "Apache Hadoop Hbase"
nmap.set_port_version(host, port)
end
return stdnse.format_output(true, result)
end
local result = {}
local region_servers = {}
-- uri was previously "/regionserver.jsp". See
-- http://seclists.org/nmap-dev/2012/q3/903.
local uri = "/rs-status"
stdnse.print_debug(1, ("%s:HTTP GET %s:%s%s"):format(SCRIPT_NAME, host.targetname or host.ip, port.number, uri))
local response = http.get( host, port, uri )
stdnse.print_debug(1, ("%s: Status %s"):format(SCRIPT_NAME,response['status-line'] or "No Response"))
if response['status-line'] and response['status-line']:match("200%s+OK") and response['body'] then
local body = response['body']:gsub("%%","%%%%")
stdnse.print_debug(2, ("%s: Body %s\n"):format(SCRIPT_NAME,body))
if body:match("HBase%s+Version</td><td>([^][<]+)") then
local version = body:match("HBase%s+Version</td><td>([^][<]+)"):gsub("%s+", " ")
stdnse.print_debug(1, ("%s:Hbase Version %s"):format(SCRIPT_NAME,version))
table.insert(result, ("Hbase Version: %s"):format(version))
port.version.version = version
end
if body:match("HBase%s+Compiled</td><td>([^][<]+)") then
local compiled = body:match("HBase%s+Compiled</td><td>([^][<]+)"):gsub("%s+", " ")
stdnse.print_debug(1, ("%s: Hbase Compiled %s"):format(SCRIPT_NAME,compiled))
table.insert(result, ("Hbase Compiled: %s"):format(compiled))
end
if body:match("Metrics</td><td>([^][<]+)") then
local metrics = body:match("Metrics</td><td>([^][<]+)"):gsub("%s+", " ")
stdnse.print_debug(1, ("%s: Metrics %s"):format(SCRIPT_NAME,metrics))
table.insert(result, ("Metrics %s"):format(metrics))
end
if body:match("Quorum</td><td>([^][<]+)") then
local quorum = body:match("Quorum</td><td>([^][<]+)"):gsub("%s+", " ")
stdnse.print_debug(1, ("%s: Zookeeper Quorum %s"):format(SCRIPT_NAME,quorum))
table.insert(result, ("Zookeeper Quorum: %s"):format(quorum))
if target.ALLOW_NEW_TARGETS then
if quorum:match("([%w%.]+)") then
local newtarget = quorum:match("([%w%.]+)")
stdnse.print_debug(1, ("%s: Added target: %s"):format(SCRIPT_NAME, newtarget))
local status,err = target.add(newtarget)
end
end
end
if #result > 0 then
port.version.name = "hbase-region"
port.version.product = "Apache Hadoop Hbase"
nmap.set_port_version(host, port)
end
return stdnse.format_output(true, result)
end
end


@@ -25,23 +25,23 @@ categories = {"default", "discovery", "safe"}
portrule = shortport.port_or_service (7634, "hddtemp", {"tcp"})
action = function( host, port )
-- 5000B should be enough for 100 disks
local status, data = comm.get_banner(host, port, {bytes=5000})
if not status then
return
end
local separator = string.sub(data, 1, 1)
local fields = stdnse.strsplit(separator, data)
local info = {}
local disks = math.floor((# fields) / 5)
for i = 0, (disks - 1) do
local start = i * 5
local device = fields[start + 2]
local label = fields[start + 3]
local temperature = fields[start + 4]
local unit = fields[start + 5]
local formatted = string.format("%s: %s: %s %s", device, label, temperature, unit)
table.insert(info, formatted)
end
return stdnse.format_output(true, info)
-- 5000B should be enough for 100 disks
local status, data = comm.get_banner(host, port, {bytes=5000})
if not status then
return
end
local separator = string.sub(data, 1, 1)
local fields = stdnse.strsplit(separator, data)
local info = {}
local disks = math.floor((# fields) / 5)
for i = 0, (disks - 1) do
local start = i * 5
local device = fields[start + 2]
local label = fields[start + 3]
local temperature = fields[start + 4]
local unit = fields[start + 5]
local formatted = string.format("%s: %s: %s %s", device, label, temperature, unit)
table.insert(info, formatted)
end
return stdnse.format_output(true, info)
end


@@ -43,24 +43,24 @@ portrule = shortport.http
action = function(host, port)
local root = stdnse.get_script_args("http-apache-negotiation.root") or "/"
local root = stdnse.get_script_args("http-apache-negotiation.root") or "/"
-- Common default file names. Could add a couple more.
local files = {
'robots',
'index',
'home',
'blog'
}
-- Common default file names. Could add a couple more.
local files = {
'robots',
'index',
'home',
'blog'
}
for _, file in ipairs(files) do
local header = http.get(host, port, root .. file).header
for _, file in ipairs(files) do
local header = http.get(host, port, root .. file).header
-- Matching file. in content-location header
-- or negotiate in vary header.
if header["content-location"] and string.find(header["content-location"], file ..".")
or header["vary"] and string.find(header["vary"], "negotiate") then
return "mod_negotiation enabled."
end
-- Matching file. in content-location header
-- or negotiate in vary header.
if header["content-location"] and string.find(header["content-location"], file ..".")
or header["vary"] and string.find(header["vary"], "negotiate") then
return "mod_negotiation enabled."
end
end
end


@@ -42,66 +42,66 @@ local VENDORS_QUERY = "/js/vendors.php"
-- Cakephp's stylesheets hashes
local CAKEPHP_STYLESHEET_HASHES = {
["aaf0340c16415585554a7aefde2778c4"] = {"1.1.12"},
["8f8a877d924aa26ccd66c84ff8f8c8fe"] = {"1.1.14"},
["02a661c167affd9deda2a45f4341297e"] = {"1.1.17", "1.1.20"},
["1776a7c1b3255b07c6b9f43b9f50f05e"] = {"1.2.0 - 1.2.5", "1.3.0 Alpha"},
["1ffc970c5eae684bebc0e0133c4e1f01"] = {"1.2.6"},
["2e7f5372931a7f6f86786e95871ac947"] = {"1.2.7 - 1.2.9"},
["3422eded2fcceb3c89cabb5156b5d4e2"] = {"1.3.0 beta"},
["3c31e4674f42a49108b5300f8e73be26"] = {"1.3.0 RC1 - 1.3.7"}
["aaf0340c16415585554a7aefde2778c4"] = {"1.1.12"},
["8f8a877d924aa26ccd66c84ff8f8c8fe"] = {"1.1.14"},
["02a661c167affd9deda2a45f4341297e"] = {"1.1.17", "1.1.20"},
["1776a7c1b3255b07c6b9f43b9f50f05e"] = {"1.2.0 - 1.2.5", "1.3.0 Alpha"},
["1ffc970c5eae684bebc0e0133c4e1f01"] = {"1.2.6"},
["2e7f5372931a7f6f86786e95871ac947"] = {"1.2.7 - 1.2.9"},
["3422eded2fcceb3c89cabb5156b5d4e2"] = {"1.3.0 beta"},
["3c31e4674f42a49108b5300f8e73be26"] = {"1.3.0 RC1 - 1.3.7"}
}
action = function(host, port)
local response, png_icon_response, gif_icon_response
local icon_versions, stylesheet_versions
local icon_hash, stylesheet_hash
local output_lines
local installation_version
local response, png_icon_response, gif_icon_response
local icon_versions, stylesheet_versions
local icon_hash, stylesheet_hash
local output_lines
local installation_version
-- Identify servers that answer 200 to invalid HTTP requests and exit as these would invalidate the tests
local _, http_status, _ = http.identify_404(host,port)
if ( http_status == 200 ) then
stdnse.print_debug(1, "%s: Exiting due to ambiguous response from web server on %s:%s. All URIs return status 200.", SCRIPT_NAME, host.ip, port.number)
return false
end
-- Identify servers that answer 200 to invalid HTTP requests and exit as these would invalidate the tests
local _, http_status, _ = http.identify_404(host,port)
if ( http_status == 200 ) then
stdnse.print_debug(1, "%s: Exiting due to ambiguous response from web server on %s:%s. All URIs return status 200.", SCRIPT_NAME, host.ip, port.number)
return false
end
-- Are the default icons there?
png_icon_response = http.get(host, port, PNG_ICON_QUERY)
gif_icon_response = http.get(host, port, GIF_ICON_QUERY)
if png_icon_response.body and png_icon_response.status == 200 then
icon_versions = {"1.3.x"}
elseif gif_icon_response.body and gif_icon_response.status == 200 then
icon_versions = {"1.2.x"}
end
-- Are the default icons there?
png_icon_response = http.get(host, port, PNG_ICON_QUERY)
gif_icon_response = http.get(host, port, GIF_ICON_QUERY)
if png_icon_response.body and png_icon_response.status == 200 then
icon_versions = {"1.3.x"}
elseif gif_icon_response.body and gif_icon_response.status == 200 then
icon_versions = {"1.2.x"}
end
-- Download cake.generic.css and fingerprint
response = http.get(host, port, STYLESHEET_QUERY)
if response.body and response.status == 200 then
stylesheet_hash = stdnse.tohex(openssl.md5(response.body))
stylesheet_versions = CAKEPHP_STYLESHEET_HASHES[stylesheet_hash]
end
-- Is /js/vendors.php there?
response = http.get(host, port, VENDORS_QUERY)
if response.body and response.status == 200 then
installation_version = {"1.1.x","1.2.x"}
elseif response.status ~= 200 and (icon_versions or stylesheet_versions) then
installation_version = {"1.3.x"}
end
-- Prepare output
output_lines = {}
if installation_version then
output_lines[#output_lines + 1] = "Version of codebase: " .. stdnse.strjoin(", ", installation_version)
end
if icon_versions then
output_lines[#output_lines + 1] = "Version of icons: " .. stdnse.strjoin(", ", icon_versions)
end
if stylesheet_versions then
output_lines[#output_lines + 1] = "Version of stylesheet: " .. stdnse.strjoin(", ", stylesheet_versions)
elseif stylesheet_hash and nmap.verbosity() >= 2 then
output_lines[#output_lines + 1] = "Default stylesheet has an unknown hash: " .. stylesheet_hash
end
if #output_lines > 0 then
return stdnse.strjoin("\n", output_lines)
end
-- Download cake.generic.css and fingerprint
response = http.get(host, port, STYLESHEET_QUERY)
if response.body and response.status == 200 then
stylesheet_hash = stdnse.tohex(openssl.md5(response.body))
stylesheet_versions = CAKEPHP_STYLESHEET_HASHES[stylesheet_hash]
end
-- Is /js/vendors.php there?
response = http.get(host, port, VENDORS_QUERY)
if response.body and response.status == 200 then
installation_version = {"1.1.x","1.2.x"}
elseif response.status ~= 200 and (icon_versions or stylesheet_versions) then
installation_version = {"1.3.x"}
end
-- Prepare output
output_lines = {}
if installation_version then
output_lines[#output_lines + 1] = "Version of codebase: " .. stdnse.strjoin(", ", installation_version)
end
if icon_versions then
output_lines[#output_lines + 1] = "Version of icons: " .. stdnse.strjoin(", ", icon_versions)
end
if stylesheet_versions then
output_lines[#output_lines + 1] = "Version of stylesheet: " .. stdnse.strjoin(", ", stylesheet_versions)
elseif stylesheet_hash and nmap.verbosity() >= 2 then
output_lines[#output_lines + 1] = "Default stylesheet has an unknown hash: " .. stylesheet_hash
end
if #output_lines > 0 then
return stdnse.strjoin("\n", output_lines)
end
end


@@ -39,62 +39,62 @@ portrule = shortport.http
local methods = {"HEAD", "GET", "POST", "PUT", "DELETE", "TRACE", "OPTIONS", "CONNECT", "PATCH"}
local function origin_ok(raw, origin)
if not raw then
return false
end
if raw == "*" then
return true
end
if raw == "null" then
return false
end
local allowed = stdnse.strsplit(" ", raw)
for _, ao in ipairs(allowed) do
if origin == ao then
return true
end
end
return false
if not raw then
return false
end
if raw == "*" then
return true
end
if raw == "null" then
return false
end
local allowed = stdnse.strsplit(" ", raw)
for _, ao in ipairs(allowed) do
if origin == ao then
return true
end
end
return false
end
local function method_ok(raw, method)
if not raw then
return false
end
local stuff = stdnse.strsplit(" ", raw)
local nospace = stdnse.strjoin("", stuff)
local allowed = stdnse.strsplit(",", nospace)
for _, am in ipairs(allowed) do
if method == am then
return true
end
end
return false
if not raw then
return false
end
local stuff = stdnse.strsplit(" ", raw)
local nospace = stdnse.strjoin("", stuff)
local allowed = stdnse.strsplit(",", nospace)
for _, am in ipairs(allowed) do
if method == am then
return true
end
end
return false
end
local function test(host, port, method, origin)
local header = {
["Origin"] = origin,
["Access-Control-Request-Method"] = method,
}
local response = http.generic_request(host, port, "OPTIONS", "/", {header = header})
local aorigins = response.header["access-control-allow-origin"]
local amethods = response.header["access-control-allow-methods"]
local ook = origin_ok(aorigins, response)
local mok = method_ok(amethods, method)
return ook and mok
local header = {
["Origin"] = origin,
["Access-Control-Request-Method"] = method,
}
local response = http.generic_request(host, port, "OPTIONS", "/", {header = header})
local aorigins = response.header["access-control-allow-origin"]
local amethods = response.header["access-control-allow-methods"]
local ook = origin_ok(aorigins, response)
local mok = method_ok(amethods, method)
return ook and mok
end
action = function(host, port)
local path = nmap.registry.args["http-cors.path"] or "/"
local origin = nmap.registry.args["http-cors.origin"] or "example.com"
local allowed = {}
for _, method in ipairs(methods) do
if test(host, port, method, origin) then
table.insert(allowed, method)
end
end
if #allowed > 0 then
return stdnse.strjoin(" ", allowed)
end
local path = nmap.registry.args["http-cors.path"] or "/"
local origin = nmap.registry.args["http-cors.origin"] or "example.com"
local allowed = {}
for _, method in ipairs(methods) do
if test(host, port, method, origin) then
table.insert(allowed, method)
end
end
if #allowed > 0 then
return stdnse.strjoin(" ", allowed)
end
end


@@ -31,24 +31,24 @@ categories = {"discovery", "safe"}
portrule = shortport.http
action = function(host, port)
local request_time = os.time()
local response = http.get(host, port, "/")
if not response.status or not response.header["date"] then
return
end
local request_time = os.time()
local response = http.get(host, port, "/")
if not response.status or not response.header["date"] then
return
end
local response_date = http.parse_date(response.header["date"])
if not response_date then
return
end
local response_time = stdnse.date_to_timestamp(response_date)
local response_date = http.parse_date(response.header["date"])
if not response_date then
return
end
local response_time = stdnse.date_to_timestamp(response_date)
local output_tab = stdnse.output_table()
output_tab.date = stdnse.format_timestamp(response_time, 0)
output_tab.delta = os.difftime(response_time, request_time)
local output_tab = stdnse.output_table()
output_tab.date = stdnse.format_timestamp(response_time, 0)
output_tab.delta = os.difftime(response_time, request_time)
local output_str = string.format("%s; %s from local time.",
response.header["date"], stdnse.format_difftime(os.date("!*t", response_time), os.date("!*t", request_time)))
local output_str = string.format("%s; %s from local time.",
response.header["date"], stdnse.format_difftime(os.date("!*t", response_time), os.date("!*t", request_time)))
return output_tab, output_str
return output_tab, output_str
end


@@ -44,28 +44,28 @@ local vulns = require "vulns"
portrule = shortport.http
action = function(host, port)
local response = http.get(host, port, "/", { redirect_ok = false, no_cache = true })
local server = response.header and response.header['server'] or ""
local vuln_table = {
title = "Firmware backdoor in some models of D-Link routers allow for admin password bypass",
state = vulns.STATE.NOT_VULN,
risk_factor = "High",
description = [[
local response = http.get(host, port, "/", { redirect_ok = false, no_cache = true })
local server = response.header and response.header['server'] or ""
local vuln_table = {
title = "Firmware backdoor in some models of D-Link routers allow for admin password bypass",
state = vulns.STATE.NOT_VULN,
risk_factor = "High",
description = [[
D-Link routers have been found with a firmware backdoor allowing for admin password bypass using a "secret" User-Agent string.
]],
references = {
'http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/',
}
}
if ( response.status == 401 and server:match("^thttpd%-alphanetworks") ) or
( response.status == 302 and server:match("^Alpha_webserv") ) then
response = http.get(host, port, "/", { header = { ["User-Agent"] = "xmlset_roodkcableoj28840ybtide" } })
references = {
'http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/',
}
}
if ( response.status == 401 and server:match("^thttpd%-alphanetworks") ) or
( response.status == 302 and server:match("^Alpha_webserv") ) then
response = http.get(host, port, "/", { header = { ["User-Agent"] = "xmlset_roodkcableoj28840ybtide" } })
if ( response.status == 200 ) then
vuln_table.state = vulns.STATE.VULN
local report = vulns.Report:new(SCRIPT_NAME, host, port)
return report:make_output(vuln_table)
end
end
return
if ( response.status == 200 ) then
vuln_table.state = vulns.STATE.VULN
local report = vulns.Report:new(SCRIPT_NAME, host, port)
return report:make_output(vuln_table)
end
end
return
end


@@ -45,7 +45,7 @@ action = function(host, port)
-- ensure that root ends with a trailing slash
if ( not(root:match(".*/$")) ) then
root = root .. "/"
root = root .. "/"
end
-- characters that usernames may begin with


@@ -41,48 +41,48 @@ categories = {"discovery", "safe"}
portrule = shortport.http
function action(host, port)
local EMAIL_PATTERN = "[A-Za-z0-9%.%%%+%-]+@[A-Za-z0-9%.%%%+%-]+%.%w%w%w?%w?"
local EMAIL_PATTERN = "[A-Za-z0-9%.%%%+%-]+@[A-Za-z0-9%.%%%+%-]+%.%w%w%w?%w?"
local crawler = httpspider.Crawler:new(host, port, nil, {
scriptname = SCRIPT_NAME
}
)
local crawler = httpspider.Crawler:new(host, port, nil, {
scriptname = SCRIPT_NAME
}
)
if ( not(crawler) ) then
return
end
crawler:set_timeout(10000)
if ( not(crawler) ) then
return
end
crawler:set_timeout(10000)
local emails = {}
while(true) do
local status, r = crawler:crawl()
-- if the crawler fails it can be due to a number of different reasons
-- most of them are "legitimate" and should not be reason to abort
if ( not(status) ) then
if ( r.err ) then
return stdnse.format_output(true, ("ERROR: %s"):format(r.reason))
else
break
end
end
local emails = {}
while(true) do
local status, r = crawler:crawl()
-- if the crawler fails it can be due to a number of different reasons
-- most of them are "legitimate" and should not be reason to abort
if ( not(status) ) then
if ( r.err ) then
return stdnse.format_output(true, ("ERROR: %s"):format(r.reason))
else
break
end
end
-- Collect each e-mail address and build a unique index of them
-- Collect each e-mail address and build a unique index of them
if r.response.body then
for email in r.response.body:gmatch(EMAIL_PATTERN) do
emails[email] = true
end
end
end
end
-- if no email addresses were collected abort
if ( not(emails) ) then return end
-- if no email addresses were collected abort
if ( not(emails) ) then return end
local results = {}
for email, _ in pairs(emails) do
table.insert(results, email)
end
local results = {}
for email, _ in pairs(emails) do
table.insert(results, email)
end
results.name = crawler:getLimitations()
results.name = crawler:getLimitations()
return stdnse.format_output(true, results)
return stdnse.format_output(true, results)
end


@@ -43,47 +43,47 @@ categories = {"vuln", "safe"}
portrule = shortport.http
action = function(host, port)
local path = stdnse.get_script_args('http-frontpage-login.path') or "/"
local data
local frontpage_vuln = {
title = "Frontpage extension anonymous login",
local path = stdnse.get_script_args('http-frontpage-login.path') or "/"
local data
local frontpage_vuln = {
title = "Frontpage extension anonymous login",
description = [[
description = [[
Default installations of older versions of frontpage extensions allow anonymous logins which can lead to server compromise.
]],
references = {
'http://insecure.org/sploits/Microsoft.frontpage.insecurities.html',
},
exploit_results = {},
};
references = {
'http://insecure.org/sploits/Microsoft.frontpage.insecurities.html',
},
exploit_results = {},
};
local report = vulns.Report:new(SCRIPT_NAME, host, port);
frontpage_vuln.state = vulns.STATE.NOT_VULN;
local report = vulns.Report:new(SCRIPT_NAME, host, port);
frontpage_vuln.state = vulns.STATE.NOT_VULN;
data = http.get( host, port, path .. "/_vti_inf.html" )
data = http.get( host, port, path .. "/_vti_inf.html" )
if data and data.status and data.status == 200 then
--server does support frontpage extensions
local fp_version = string.match(data.body,"FPVersion=\"[%d%.]*\"")
if fp_version then
-- do post request http://msdn.microsoft.com/en-us/library/ms446353
local postdata = "method=open+service:".. fp_version .."&service_name=/"
data = http.post(host,port,path .. "/_vti_bin/_vti_aut/author.dll",nil,nil,postdata)
if data and data.status then
if data.status == 200 then
stdnse.print_debug("Frontpage returned 200 OK, server vulnerable.")
frontpage_vuln.state = vulns.STATE.VULN;
return report:make_output(frontpage_vuln);
elseif data.status == 401 then
stdnse.print_debug("Frontpage returned 401, password protected.")
return false
else
stdnse.print_debug("Frontpage returned unknown response.")
return false
end
end
end
end
stdnse.print_debug("Frontpage probably not installed.")
return false
if data and data.status and data.status == 200 then
--server does support frontpage extensions
local fp_version = string.match(data.body,"FPVersion=\"[%d%.]*\"")
if fp_version then
-- do post request http://msdn.microsoft.com/en-us/library/ms446353
local postdata = "method=open+service:".. fp_version .."&service_name=/"
data = http.post(host,port,path .. "/_vti_bin/_vti_aut/author.dll",nil,nil,postdata)
if data and data.status then
if data.status == 200 then
stdnse.print_debug("Frontpage returned 200 OK, server vulnerable.")
frontpage_vuln.state = vulns.STATE.VULN;
return report:make_output(frontpage_vuln);
elseif data.status == 401 then
stdnse.print_debug("Frontpage returned 401, password protected.")
return false
else
stdnse.print_debug("Frontpage returned unknown response.")
return false
end
end
end
end
stdnse.print_debug("Frontpage probably not installed.")
return false
end


@@ -40,68 +40,68 @@ portrule = shortport.http
-- @return author name filtred from html entities
---
get_owner = function(res)
local result=res
local _
if ( res:match('<span') ) then
_,_,result=string.find(res,'title="(.-)"')
end
return result
local result=res
local _
if ( res:match('<span') ) then
_,_,result=string.find(res,'title="(.-)"')
end
return result
end
action = function(host, port)
local path = stdnse.get_script_args(SCRIPT_NAME .. '.path') or '/'
local response = http.get(host,port,path)
local result, result_stats = {}, {}
local path = stdnse.get_script_args(SCRIPT_NAME .. '.path') or '/'
local response = http.get(host,port,path)
local result, result_stats = {}, {}
if not response or not response.status or response.status ~= 200 or
not response.body then
stdnse.print_debug(1, "%s: Failed to retrieve file: %s",
SCRIPT_NAME, path)
return
end
if not response or not response.status or response.status ~= 200 or
not response.body then
stdnse.print_debug(1, "%s: Failed to retrieve file: %s",
SCRIPT_NAME, path)
return
end
local html = response.body
local repo=tab.new()
tab.addrow(repo,'PROJECT','AUTHOR','DESCRIPTION')
local html = response.body
local repo=tab.new()
tab.addrow(repo,'PROJECT','AUTHOR','DESCRIPTION')
-- verif generator
if (html:match('meta name="generator" content="gitweb(.-)"')) then
result['name'] = string.format("Projects from %s:", host.targetname or host.ip)
-- verif generator
if (html:match('meta name="generator" content="gitweb(.-)"')) then
result['name'] = string.format("Projects from %s:", host.targetname or host.ip)
local owners, projects_counter, owners_counter = {}, 0, 0
local owners, projects_counter, owners_counter = {}, 0, 0
for tr_code in html:gmatch('(%<tr[^<>]*%>(.-)%</tr%>)') do
local regx='<a[^<>]*href="(.-)">(.-)</a>(.-)title="(.-)"(.-)<i>(.-)</i>'
for _, project, _, desc, _, owner in tr_code:gmatch(regx) do
for tr_code in html:gmatch('(%<tr[^<>]*%>(.-)%</tr%>)') do
local regx='<a[^<>]*href="(.-)">(.-)</a>(.-)title="(.-)"(.-)<i>(.-)</i>'
for _, project, _, desc, _, owner in tr_code:gmatch(regx) do
--if desc result return default text of gitweb replace it by no description
if(string.find(desc,'Unnamed repository')) then
desc='no description'
end
--if desc result return default text of gitweb replace it by no description
if(string.find(desc,'Unnamed repository')) then
desc='no description'
end
tab.addrow(repo, project, get_owner(owner), desc)
tab.addrow(repo, project, get_owner(owner), desc)
-- Protect from parsing errors or long owners
-- just an arbitrary value
if owner:len() < 128 and not owners[owner] then
owners[owner] = true
owners_counter = owners_counter + 1
end
if owner:len() < 128 and not owners[owner] then
owners[owner] = true
owners_counter = owners_counter + 1
end
projects_counter = projects_counter + 1
end
end
projects_counter = projects_counter + 1
end
end
table.insert(result,tab.dump(repo))
table.insert(result, "")
table.insert(result,
string.format("Number of projects: %d", projects_counter))
if (owners_counter > 0 ) then
table.insert(result,
string.format("Number of owners: %d", owners_counter))
end
table.insert(result,tab.dump(repo))
table.insert(result, "")
table.insert(result,
string.format("Number of projects: %d", projects_counter))
if (owners_counter > 0 ) then
table.insert(result,
string.format("Number of owners: %d", owners_counter))
end
end
return stdnse.format_output(true,result)
end
return stdnse.format_output(true,result)
end


@@ -77,9 +77,9 @@ action = function(host, port)
local req = http.get_url(qry)
stdnse.print_debug(2, "%s", qry)
if ( req.status > 400 ) then
return "[ERROR] Request failed (invalid API key?)"
end
if ( req.status > 400 ) then
return "[ERROR] Request failed (invalid API key?)"
end
--The Safe Lookup API responds with a type when site is on the lists
if req.body then


@@ -34,42 +34,42 @@ categories = {"discovery", "safe"}
portrule = shortport.http
action = function(host, port)
local path = stdnse.get_script_args(SCRIPT_NAME..".path") or "/"
local useget = stdnse.get_script_args(SCRIPT_NAME..".useget")
local request_type = "HEAD"
local status = false
local result
local path = stdnse.get_script_args(SCRIPT_NAME..".path") or "/"
local useget = stdnse.get_script_args(SCRIPT_NAME..".useget")
local request_type = "HEAD"
local status = false
local result
-- Check if the user didn't want HEAD to be used
if(useget == nil) then
-- Try using HEAD first
status, result = http.can_use_head(host, port, nil, path)
end
-- Check if the user didn't want HEAD to be used
if(useget == nil) then
-- Try using HEAD first
status, result = http.can_use_head(host, port, nil, path)
end
-- If head failed, try using GET
if(status == false) then
stdnse.print_debug(1, "http-headers.nse: HEAD request failed, falling back to GET")
result = http.get(host, port, path)
request_type = "GET"
end
-- If head failed, try using GET
if(status == false) then
stdnse.print_debug(1, "http-headers.nse: HEAD request failed, falling back to GET")
result = http.get(host, port, path)
request_type = "GET"
end
if(result == nil) then
if(nmap.debugging() > 0) then
return "ERROR: Header request failed"
else
return nil
end
end
if(result == nil) then
if(nmap.debugging() > 0) then
return "ERROR: Header request failed"
else
return nil
end
end
if(result.rawheader == nil) then
if(nmap.debugging() > 0) then
return "ERROR: Header request didn't return a proper header"
else
return nil
end
end
if(result.rawheader == nil) then
if(nmap.debugging() > 0) then
return "ERROR: Header request didn't return a proper header"
else
return nil
end
end
table.insert(result.rawheader, "(Request type: " .. request_type .. ")")
table.insert(result.rawheader, "(Request type: " .. request_type .. ")")
return stdnse.format_output(true, result.rawheader)
return stdnse.format_output(true, result.rawheader)
end


@@ -42,46 +42,46 @@ prerule = function() return true end
-- This function decodes the single quote as a start and should really
-- be replaced with a proper UTF-8 decoder in the future
local function decodeString(str)
return str:gsub("\226\128\153", "'")
return str:gsub("\226\128\153", "'")
end
local function fail(err) return ("\n ERROR: %s"):format(err or "") end
action = function()
if ( not(arg_username) or not(arg_password) ) then
return fail("No username or password was supplied")
end
if ( not(arg_username) or not(arg_password) ) then
return fail("No username or password was supplied")
end
local mobileme = mobileme.Helper:new(arg_username, arg_password)
local status, response = mobileme:getLocation()
local mobileme = mobileme.Helper:new(arg_username, arg_password)
local status, response = mobileme:getLocation()
if ( not(status) ) then
stdnse.print_debug(2, "%s: %s", SCRIPT_NAME, response)
return fail("Failed to retrieve location information")
end
if ( not(status) ) then
stdnse.print_debug(2, "%s: %s", SCRIPT_NAME, response)
return fail("Failed to retrieve location information")
end
local output = tab.new(4)
tab.addrow(output, "name", "location", "accuracy", "date", "type")
for name, info in pairs(response) do
local loc
if ( info.latitude and info.longitude ) then
loc = ("%.3f,%.3f"):format(
tonumber(info.latitude) or "-",
tonumber(info.longitude) or "-")
else
loc = "-,-"
end
local ts
if ( info.timestamp and 1000 < info.timestamp ) then
ts = os.date("%x %X", info.timestamp/1000)
else
ts = "-"
end
tab.addrow(output, decodeString(name), loc, info.accuracy or "-", ts, info.postype or "-")
end
local output = tab.new(4)
tab.addrow(output, "name", "location", "accuracy", "date", "type")
for name, info in pairs(response) do
local loc
if ( info.latitude and info.longitude ) then
loc = ("%.3f,%.3f"):format(
tonumber(info.latitude) or "-",
tonumber(info.longitude) or "-")
else
loc = "-,-"
end
local ts
if ( info.timestamp and 1000 < info.timestamp ) then
ts = os.date("%x %X", info.timestamp/1000)
else
ts = "-"
end
tab.addrow(output, decodeString(name), loc, info.accuracy or "-", ts, info.postype or "-")
end
if ( 1 < #output ) then
return stdnse.format_output(true, tab.dump(output))
end
if ( 1 < #output ) then
return stdnse.format_output(true, tab.dump(output))
end
end


@@ -38,44 +38,44 @@ categories = {"malware", "safe"}
portrule = shortport.http
action = function(host, port)
-- Check what response we get for a 404
local result, result_404, known_404 = http.identify_404(host, port)
if(result == false) then
return stdnse.format_output(false, "Couldn't identify 404 message: " .. result_404)
end
-- Check what response we get for a 404
local result, result_404, known_404 = http.identify_404(host, port)
if(result == false) then
return stdnse.format_output(false, "Couldn't identify 404 message: " .. result_404)
end
-- If the 404 result is a 302, we're going to have trouble
if(result_404 == 302) then
return stdnse.format_output(false, "Unknown pages return a 302 response; unable to check")
end
-- If the 404 result is a 302, we're going to have trouble
if(result_404 == 302) then
return stdnse.format_output(false, "Unknown pages return a 302 response; unable to check")
end
-- Identify servers that answer 200 to invalid HTTP requests and exit as these would invalidate the test
if ( result_404 == 200 ) then
stdnse.print_debug(1, "%s: Exiting due to ambiguous response from web server on %s:%s. All URIs return status 200.", SCRIPT_NAME, host.ip, port.number)
return false
end
-- Identify servers that answer 200 to invalid HTTP requests and exit as these would invalidate the test
if ( result_404 == 200 ) then
stdnse.print_debug(1, "%s: Exiting due to ambiguous response from web server on %s:%s. All URIs return status 200.", SCRIPT_NAME, host.ip, port.number)
return false
end
-- Perform a GET request on the file
result = http.get_url("http://" .. host.ip .. ":" .. port.number .. "/ts/in.cgi?open2")
if(not(result)) then
return stdnse.format_output(false, "Couldn't perform GET request")
end
-- Perform a GET request on the file
result = http.get_url("http://" .. host.ip .. ":" .. port.number .. "/ts/in.cgi?open2")
if(not(result)) then
return stdnse.format_output(false, "Couldn't perform GET request")
end
if(result.status == 302) then
local response = {}
if(result.header.location) then
table.insert(response, string.format("Host appears to be infected (/ts/in.cgi?open2 redirects to %s)", result.header.location))
else
table.insert(response, "Host appears to be infected (/ts/in.cgi?open2 return a redirect")
end
table.insert(response, "See: http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/")
return stdnse.format_output(true, response)
end
if(result.status == 302) then
local response = {}
if(result.header.location) then
table.insert(response, string.format("Host appears to be infected (/ts/in.cgi?open2 redirects to %s)", result.header.location))
else
table.insert(response, "Host appears to be infected (/ts/in.cgi?open2 return a redirect")
end
table.insert(response, "See: http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/")
return stdnse.format_output(true, response)
end
-- Not infected
if(nmap.verbosity() > 0) then
return "Host appears to be clean"
else
return nil
end
-- Not infected
if(nmap.verbosity() > 0) then
return "Host appears to be clean"
else
return nil
end
end


@@ -37,23 +37,23 @@ portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open
action = function( host, port )
local fname, url = stdnse.get_script_args('http-put.file', 'http-put.url')
if ( not(fname) or not(url) ) then
return
end
local fname, url = stdnse.get_script_args('http-put.file', 'http-put.url')
if ( not(fname) or not(url) ) then
return
end
local f = io.open(fname, "r")
if ( not(f) ) then
return stdnse.format_output(true, ("ERROR: Failed to open file: %s"):format(fname))
end
local content = f:read("*all")
f:close()
local f = io.open(fname, "r")
if ( not(f) ) then
return stdnse.format_output(true, ("ERROR: Failed to open file: %s"):format(fname))
end
local content = f:read("*all")
f:close()
local response = http.put(host, port, url, nil, content)
local response = http.put(host, port, url, nil, content)
if ( response.status == 200 or response.status == 204 ) then
return stdnse.format_output(true, ("%s was successfully created"):format(url))
end
if ( response.status == 200 or response.status == 204 ) then
return stdnse.format_output(true, ("%s was successfully created"):format(url))
end
return stdnse.format_output(true, ("ERROR: %s could not be created"):format(url))
return stdnse.format_output(true, ("ERROR: %s could not be created"):format(url))
end


@@ -35,57 +35,57 @@ portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open
action = function(host, port)
local crawler = httpspider.Crawler:new(host, port, '/', { scriptname = SCRIPT_NAME,
maxpagecount = 30,
maxdepth = -1,
withinhost = 0,
withindomain = 0
})
local crawler = httpspider.Crawler:new(host, port, '/', { scriptname = SCRIPT_NAME,
maxpagecount = 30,
maxdepth = -1,
withinhost = 0,
withindomain = 0
})
crawler.options.doscraping = function(url)
if crawler:iswithinhost(url)
and not crawler:isresource(url, "js")
and not crawler:isresource(url, "css") then
return true
end
crawler.options.doscraping = function(url)
if crawler:iswithinhost(url)
and not crawler:isresource(url, "js")
and not crawler:isresource(url, "css") then
return true
end
end
crawler:set_timeout(10000)
if (not(crawler)) then
return
end
local scripts = {}
while(true) do
local status, r = crawler:crawl()
if (not(status)) then
if (r.err) then
return stdnse.format_output(true, ("ERROR: %s"):format(r.reason))
else
break
end
end
crawler:set_timeout(10000)
if (not(crawler)) then
return
if crawler:isresource(r.url, "js") and not crawler:iswithinhost(r.url) then
scripts[tostring(r.url)] = true
end
local scripts = {}
end
while(true) do
if next(scripts) == nil then
return "Couldn't find any cross-domain scripts."
end
local status, r = crawler:crawl()
if (not(status)) then
if (r.err) then
return stdnse.format_output(true, ("ERROR: %s"):format(r.reason))
else
break
end
end
local results = {}
for s, _ in pairs(scripts) do
table.insert(results, s)
end
if crawler:isresource(r.url, "js") and not crawler:iswithinhost(r.url) then
scripts[tostring(r.url)] = true
end
results.name = crawler:getLimitations()
end
if next(scripts) == nil then
return "Couldn't find any cross-domain scripts."
end
local results = {}
for s, _ in pairs(scripts) do
table.insert(results, s)
end
results.name = crawler:getLimitations()
return stdnse.format_output(true, results)
return stdnse.format_output(true, results)
end


@@ -46,28 +46,28 @@ categories = {"discovery", "safe", "external"}
-- @param data string containing the retrieved web page
-- @return table containing the resolved host names
function parse_robtex_response(data)
local data = string.gsub(data,"\r?\n","")
local result = {}
for href, link in string.gmatch(data,"<li><a href=\"([^\"^']-)\" >([^\"^']-)</a></li>") do
table.insert(result, link)
end
return result
local data = string.gsub(data,"\r?\n","")
local result = {}
for href, link in string.gmatch(data,"<li><a href=\"([^\"^']-)\" >([^\"^']-)</a></li>") do
table.insert(result, link)
end
return result
end
prerule = function() return stdnse.get_script_args("http-robtex-reverse-ip.host") ~= nil end
action = function(host, port)
local target = stdnse.get_script_args("http-robtex-reverse-ip.host")
local ip = ipOps.ip_to_str(target)
if ( not(ip) or #ip ~= 4 ) then
return stdnse.format_output(false, "The argument \"http-robtex-reverse-ip.host\" did not contain a valid IPv4 address")
end
local target = stdnse.get_script_args("http-robtex-reverse-ip.host")
local ip = ipOps.ip_to_str(target)
if ( not(ip) or #ip ~= 4 ) then
return stdnse.format_output(false, "The argument \"http-robtex-reverse-ip.host\" did not contain a valid IPv4 address")
end
local link = "https://www.robtex.com/ip/"..target..".html"
local htmldata = http.get_url(link)
local domains = parse_robtex_response(htmldata.body)
if ( #domains > 0 ) then
return stdnse.format_output(true, domains)
end
local link = "https://www.robtex.com/ip/"..target..".html"
local htmldata = http.get_url(link)
local domains = parse_robtex_response(htmldata.body)
if ( #domains > 0 ) then
return stdnse.format_output(true, domains)
end
end


@@ -43,56 +43,56 @@ end
function parse_robtex_response(data)
local result = {}
if ( not(data) ) then
return
end
if ( not(data) ) then
return
end
-- cut out the section we're interested in
data = data:match("<span id=\"sharednss\">.-<ul.->(.-)</ul>")
-- cut out the section we're interested in
data = data:match("<span id=\"sharednss\">.-<ul.->(.-)</ul>")
-- process each html list item
for li in data:gmatch("<li>(.-)</li>") do
local domain = li:match("<a.->(.*)</a>")
if ( domain ) then
table.insert(result, domain)
end
end
-- process each html list item
for li in data:gmatch("<li>(.-)</li>") do
local domain = li:match("<a.->(.*)</a>")
if ( domain ) then
table.insert(result, domain)
end
end
return result
end
local function lookup_dns_server(data)
return data:match("The primary name server is <a.->(.-)</a>.")
return data:match("The primary name server is <a.->(.-)</a>.")
end
local function fetch_robtex_data(url)
local htmldata = http.get("www.robtex.com", 443, url)
if ( not(htmldata) or not(htmldata.body) ) then
return
end
local htmldata = http.get("www.robtex.com", 443, url)
if ( not(htmldata) or not(htmldata.body) ) then
return
end
-- fixup hex encodings
return unescape(htmldata.body)
-- fixup hex encodings
return unescape(htmldata.body)
end
hostrule = function (host) return host.targetname end
action = function(host)
local base_url = "/dns/" .. host.targetname .. ".html"
local data = fetch_robtex_data(base_url)
local domains = parse_robtex_response(data)
local base_url = "/dns/" .. host.targetname .. ".html"
local data = fetch_robtex_data(base_url)
local domains = parse_robtex_response(data)
if ( not(domains) ) then
local server = lookup_dns_server(data)
if ( not(server) ) then
return
end
local url = base_url:format(server)
stdnse.print_debug(2, "%s: Querying URL: %s", SCRIPT_NAME, url)
data = fetch_robtex_data(url)
if ( not(domains) ) then
local server = lookup_dns_server(data)
if ( not(server) ) then
return
end
local url = base_url:format(server)
stdnse.print_debug(2, "%s: Querying URL: %s", SCRIPT_NAME, url)
data = fetch_robtex_data(url)
domains = parse_robtex_response(data)
end
domains = parse_robtex_response(data)
end
if (domains and #domains > 0) then
return stdnse.format_output(true, domains)


@@ -58,29 +58,29 @@ local function fail(err) return ("\n ERROR: %s"):format(err or "") end
action = function(host, port)
local response = http.get(host, port, ("/secure?command=browse&dir=%s"):format(arg_dir))
local response = http.get(host, port, ("/secure?command=browse&dir=%s"):format(arg_dir))
if ( response.status ~= 200 or not(response.body) or 0 == #response.body ) then
if ( response.status == 401 ) then
return fail("Server requires authentication")
else
return
end
end
if ( response.status ~= 200 or not(response.body) or 0 == #response.body ) then
if ( response.status == 401 ) then
return fail("Server requires authentication")
else
return
end
end
local status, parsed = json.parse(response.body)
if ( not(status) ) then
return fail("Failed to parse response")
end
local status, parsed = json.parse(response.body)
if ( not(status) ) then
return fail("Failed to parse response")
end
if ( parsed.errorMessage ) then
return fail(parsed.errorMessage)
end
if ( parsed.errorMessage ) then
return fail(parsed.errorMessage)
end
local output = {}
for _, entry in pairs(parsed.files or {}) do
table.insert(output,entry.path)
end
table.sort(output, function(a,b) return a<b end)
return stdnse.format_output(true, output)
local output = {}
for _, entry in pairs(parsed.files or {}) do
table.insert(output,entry.path)
end
table.sort(output, function(a,b) return a<b end)
return stdnse.format_output(true, output)
end


@@ -38,42 +38,42 @@ portrule = shortport.http
action = function(host, port)
local paths = stdnse.get_script_args(SCRIPT_NAME..".paths")
local result = {}
local result = {}
-- convert single string entry to table
if ( "string" == type(paths) ) then
paths = { paths }
end
-- convert single string entry to table
if ( "string" == type(paths) ) then
paths = { paths }
end
-- Identify servers that answer 200 to invalid HTTP requests and exit as these would invalidate the tests
local _, http_status, _ = http.identify_404(host,port)
if ( http_status == 200 ) then
stdnse.print_debug(1, "%s: Exiting due to ambiguous response from web server on %s:%s. All URIs return status 200.", SCRIPT_NAME, host.ip, port.number)
return false
end
-- Identify servers that answer 200 to invalid HTTP requests and exit as these would invalidate the tests
local _, http_status, _ = http.identify_404(host,port)
if ( http_status == 200 ) then
stdnse.print_debug(1, "%s: Exiting due to ambiguous response from web server on %s:%s. All URIs return status 200.", SCRIPT_NAME, host.ip, port.number)
return false
end
-- fallback to jmx-console
paths = paths or {"/jmx-console/"}
-- fallback to jmx-console
paths = paths or {"/jmx-console/"}
for _, path in ipairs(paths) do
local getstatus = http.get(host, port, path).status
for _, path in ipairs(paths) do
local getstatus = http.get(host, port, path).status
-- Checks if HTTP authentication or a redirection to a login page is applied.
if getstatus == 401 or getstatus == 302 then
local headstatus = http.head(host, port, path).status
if headstatus == 500 and path == "/jmx-console/" then
-- JBoss authentication bypass.
table.insert(result, ("%s: Vulnerable to CVE-2010-0738."):format(path))
elseif headstatus == 200 then
-- Vulnerable to authentication bypass.
table.insert(result, ("%s: Authentication bypass possible"):format(path))
end
-- Checks if no authentication is required for Jmx console
-- which is default configuration and common.
elseif getstatus == 200 then
table.insert(result, ("%s: Authentication was not required"):format(path))
end
-- Checks if HTTP authentication or a redirection to a login page is applied.
if getstatus == 401 or getstatus == 302 then
local headstatus = http.head(host, port, path).status
if headstatus == 500 and path == "/jmx-console/" then
-- JBoss authentication bypass.
table.insert(result, ("%s: Vulnerable to CVE-2010-0738."):format(path))
elseif headstatus == 200 then
-- Vulnerable to authentication bypass.
table.insert(result, ("%s: Authentication bypass possible"):format(path))
end
-- Checks if no authentication is required for Jmx console
-- which is default configuration and common.
elseif getstatus == 200 then
table.insert(result, ("%s: Authentication was not required"):format(path))
end
end
return stdnse.format_output(true, result)
return stdnse.format_output(true, result)
end


@@ -37,40 +37,40 @@ portrule = shortport.port_or_service(4569, "iax2", {"udp", "tcp"})
Driver = {
new = function(self, host, port)
local o = { host = host, port = port }
setmetatable(o, self)
self.__index = self
return o
end,
new = function(self, host, port)
local o = { host = host, port = port }
setmetatable(o, self)
self.__index = self
return o
end,
connect = function(self)
self.helper = iax2.Helper:new(self.host, self.port)
return self.helper:connect()
end,
connect = function(self)
self.helper = iax2.Helper:new(self.host, self.port)
return self.helper:connect()
end,
login = function(self, username, password)
local status, resp = self.helper:regRelease(username, password)
if ( status ) then
return true, brute.Account:new( username, password, creds.State.VALID )
elseif ( resp == "Release failed" ) then
return false, brute.Error:new( "Incorrect password" )
else
local err = brute.Error:new(resp)
err:setRetry(true)
return false, err
end
end,
login = function(self, username, password)
local status, resp = self.helper:regRelease(username, password)
if ( status ) then
return true, brute.Account:new( username, password, creds.State.VALID )
elseif ( resp == "Release failed" ) then
return false, brute.Error:new( "Incorrect password" )
else
local err = brute.Error:new(resp)
err:setRetry(true)
return false, err
end
end,
disconnect = function(self) return self.helper:close() end,
disconnect = function(self) return self.helper:close() end,
}
action = function(host, port)
local engine = brute.Engine:new(Driver, host, port)
engine.options.script_name = SCRIPT_NAME
local status, result = engine:start()
return result
local engine = brute.Engine:new(Driver, host, port)
engine.options.script_name = SCRIPT_NAME
local status, result = engine:start()
return result
end


@@ -35,17 +35,17 @@ action = function(host, port)
helper:close()
if type(capa) == "table" then
-- Convert the capabilities table into an array of strings.
local capstrings = {}
local cap, args
for cap, args in pairs(capa) do
table.insert(capstrings, cap)
end
return stdnse.strjoin(" ", capstrings)
-- Convert the capabilities table into an array of strings.
local capstrings = {}
local cap, args
for cap, args in pairs(capa) do
table.insert(capstrings, cap)
end
return stdnse.strjoin(" ", capstrings)
elseif type(capa) == "string" then
stdnse.print_debug(1, "%s: '%s' for %s", SCRIPT_NAME, capa, host.ip)
return
stdnse.print_debug(1, "%s: '%s' for %s", SCRIPT_NAME, capa, host.ip)
return
else
return "server doesn't support CAPABILITIES"
return "server doesn't support CAPABILITIES"
end
end


@@ -46,49 +46,49 @@ dependencies = { "informix-brute" }
portrule = shortport.port_or_service( { 1526, 9088, 9090, 9092 }, "informix", "tcp", "open")
action = function( host, port )
local instance = stdnse.get_script_args('informix-info.instance')
local helper
local status, data
local result = {}
local user = stdnse.get_script_args('informix-query.username')
local pass = stdnse.get_script_args('informix-query.password')
local query = stdnse.get_script_args('informix-query.query')
local db = stdnse.get_script_args('informix-query.database') or "sysmaster"
local instance = stdnse.get_script_args('informix-info.instance')
local helper
local status, data
local result = {}
local user = stdnse.get_script_args('informix-query.username')
local pass = stdnse.get_script_args('informix-query.password')
local query = stdnse.get_script_args('informix-query.query')
local db = stdnse.get_script_args('informix-query.database') or "sysmaster"
query = query or "SELECT FIRST 1 DBINFO('dbhostname') hostname, " ..
"DBINFO('version','full') version FROM systables"
query = query or "SELECT FIRST 1 DBINFO('dbhostname') hostname, " ..
"DBINFO('version','full') version FROM systables"
helper = informix.Helper:new( host, port, instance )
helper = informix.Helper:new( host, port, instance )
-- If no user was specified lookup the first user in the registry saved by
-- the informix-brute script
if ( not(user) ) then
if ( nmap.registry['informix-brute'] and nmap.registry['informix-brute'][1]["username"] ) then
user = nmap.registry['informix-brute'][1]["username"]
pass = nmap.registry['informix-brute'][1]["password"]
else
return " \n ERROR: No credentials specified (see informix-table.username and informix-table.password)"
end
end
-- If no user was specified lookup the first user in the registry saved by
-- the informix-brute script
if ( not(user) ) then
if ( nmap.registry['informix-brute'] and nmap.registry['informix-brute'][1]["username"] ) then
user = nmap.registry['informix-brute'][1]["username"]
pass = nmap.registry['informix-brute'][1]["password"]
else
return " \n ERROR: No credentials specified (see informix-table.username and informix-table.password)"
end
end
status, data = helper:Connect()
if ( not(status) ) then
return stdnse.format_output(status, data)
end
status, data = helper:Connect()
if ( not(status) ) then
return stdnse.format_output(status, data)
end
status, data = helper:Login(user, pass, nil, db)
if ( not(status) ) then return stdnse.format_output(status, data) end
status, data = helper:Login(user, pass, nil, db)
if ( not(status) ) then return stdnse.format_output(status, data) end
status, data = helper:Query(query)
if ( not(status) ) then return stdnse.format_output(status, data) end
status, data = helper:Query(query)
if ( not(status) ) then return stdnse.format_output(status, data) end
for _, rs in ipairs(data) do
table.insert( result, { "User: " .. user, "Database: " .. db, ( "Query: \"%s\"" ):format( rs.query ), name="Information" } )
local tmp = informix.Util.formatTable( rs )
tmp.name = "Results"
table.insert( result, tmp )
end
for _, rs in ipairs(data) do
table.insert( result, { "User: " .. user, "Database: " .. db, ( "Query: \"%s\"" ):format( rs.query ), name="Information" } )
local tmp = informix.Util.formatTable( rs )
tmp.name = "Results"
table.insert( result, tmp )
end
return stdnse.format_output(status, result)
return stdnse.format_output(status, result)
end


@@ -39,67 +39,67 @@ categories = {"safe", "discovery"}
local arg_target = stdnse.get_script_args(SCRIPT_NAME .. ".target")
hostrule = function(host)
if ( not(host.mac_addr) ) then
stdnse.print_debug( "%s: Failed to determine hosts remote MAC address", SCRIPT_NAME )
end
return (arg_target ~= nil and host.mac_addr ~= nil)
if ( not(host.mac_addr) ) then
stdnse.print_debug( "%s: Failed to determine hosts remote MAC address", SCRIPT_NAME )
end
return (arg_target ~= nil and host.mac_addr ~= nil)
end
icmpEchoRequest = function(ifname, host, addr)
local iface = nmap.get_interface_info(ifname)
local dnet, pcap = nmap.new_dnet(), nmap.new_socket()
local iface = nmap.get_interface_info(ifname)
local dnet, pcap = nmap.new_dnet(), nmap.new_socket()
pcap:set_timeout(5000)
pcap:pcap_open(iface.device, 128, false, ("ether src %s and icmp and ( icmp[0] = 0 or icmp[0] = 5 ) and dst %s"):format(stdnse.format_mac(host.mac_addr), iface.address))
dnet:ethernet_open(iface.device)
pcap:set_timeout(5000)
pcap:pcap_open(iface.device, 128, false, ("ether src %s and icmp and ( icmp[0] = 0 or icmp[0] = 5 ) and dst %s"):format(stdnse.format_mac(host.mac_addr), iface.address))
dnet:ethernet_open(iface.device)
local probe = packet.Frame:new()
probe.mac_src = iface.mac
probe.mac_dst = host.mac_addr
probe.ip_bin_src = packet.iptobin(iface.address)
probe.ip_bin_dst = packet.iptobin(addr)
probe.echo_id = 0x1234
probe.echo_seq = 6
probe.echo_data = "Nmap host discovery."
probe:build_icmp_echo_request()
probe:build_icmp_header()
probe:build_ip_packet()
probe:build_ether_frame()
local probe = packet.Frame:new()
probe.mac_src = iface.mac
probe.mac_dst = host.mac_addr
probe.ip_bin_src = packet.iptobin(iface.address)
probe.ip_bin_dst = packet.iptobin(addr)
probe.echo_id = 0x1234
probe.echo_seq = 6
probe.echo_data = "Nmap host discovery."
probe:build_icmp_echo_request()
probe:build_icmp_header()
probe:build_ip_packet()
probe:build_ether_frame()
dnet:ethernet_send(probe.frame_buf)
local status = pcap:pcap_receive()
dnet:ethernet_close()
return status
dnet:ethernet_send(probe.frame_buf)
local status = pcap:pcap_receive()
dnet:ethernet_close()
return status
end
local function fail(err) return ("\n ERROR: %s"):format(err or "") end
action = function(host)
local ifname = nmap.get_interface() or host.interface
if ( not(ifname) ) then
return fail("Failed to determine the network interface name")
end
local ifname = nmap.get_interface() or host.interface
if ( not(ifname) ) then
return fail("Failed to determine the network interface name")
end
local target = ipOps.ip_to_bin(arg_target)
if ( not(target) ) then
local status
status, target = dns.query(arg_target, { dtype='A' })
if ( not(status) ) then
return fail(("Failed to lookup hostname: %s"):format(arg_target))
end
else
target = arg_target
end
local target = ipOps.ip_to_bin(arg_target)
if ( not(target) ) then
local status
status, target = dns.query(arg_target, { dtype='A' })
if ( not(status) ) then
return fail(("Failed to lookup hostname: %s"):format(arg_target))
end
else
target = arg_target
end
if ( target == host.ip ) then
return ("\n ERROR: Target can not be the same as the scanned host")
end
if ( target == host.ip ) then
return ("\n ERROR: Target can not be the same as the scanned host")
end
if (icmpEchoRequest(ifname, host, target)) then
return ("\n The host has ip forwarding enabled, tried ping against (%s)"):format(arg_target)
end
if (icmpEchoRequest(ifname, host, target)) then
return ("\n The host has ip forwarding enabled, tried ping against (%s)"):format(arg_target)
end
end


@@ -39,49 +39,49 @@ categories = {"discovery","external","safe"}
hostrule = function(host)
local is_private, err = ipOps.isPrivate( host.ip )
if is_private == nil then
stdnse.print_debug( "%s Error in Hostrule: %s.", SCRIPT_NAME, err )
return false
end
return not is_private
local is_private, err = ipOps.isPrivate( host.ip )
if is_private == nil then
stdnse.print_debug( "%s Error in Hostrule: %s.", SCRIPT_NAME, err )
return false
end
return not is_private
end
-- Limit is 20 request per hour per requesting host, when reached all table
-- values are filled with a "Limit Exceeded" value. A record in the registry is
-- made so no more requests are made to the server during one scan
action = function(host)
if nmap.registry["ip-geolocation-geobytes"] and nmap.registry["ip-geolocation-geobytes"].blocked then
stdnse.print_debug("%s: 20 requests per hour Limit Exceeded", SCRIPT_NAME)
return nil
end
local response = http.get("www.geobytes.com", 80, "/IpLocator.htm?GetLocation&template=json.txt&IpAddress="..host.ip, nil)
local stat, out = json.parse(response.body)
if stat then
local loc = out.geobytes
local output=stdnse.output_table()
if loc.city and loc.city == "Limit Exceeded" then
if not nmap.registry["ip-geolocation-geobytes"] then nmap.registry["ip-geolocation-geobytes"]={} end
nmap.registry["ip-geolocation-geobytes"].blocked = true
stdnse.print_debug("%s: 20 requests per hour Limit Exceeded", SCRIPT_NAME)
return nil
end
-- Process output
-- an empty table is returned when latitude and longitude can not be determined
if ( "table" == type(loc.latitude) or "table" == type(loc.longitude) ) then
return "Could not determine location for IP"
end
output["latitude"] = loc.latitude
output["longitude"] = loc.longitude
output["city"] = loc.city
output["region"] = loc.region
output["country"] = loc.country
return output
elseif response.body:match("Limit Exceeded") then
if not nmap.registry["ip-geolocation-geobytes"] then nmap.registry["ip-geolocation-geobytes"]={} end
nmap.registry["ip-geolocation-geobytes"].blocked = true
stdnse.print_debug("%s: 20 requests per hour Limit Exceeded", SCRIPT_NAME)
return nil
end
return nil
if nmap.registry["ip-geolocation-geobytes"] and nmap.registry["ip-geolocation-geobytes"].blocked then
stdnse.print_debug("%s: 20 requests per hour Limit Exceeded", SCRIPT_NAME)
return nil
end
local response = http.get("www.geobytes.com", 80, "/IpLocator.htm?GetLocation&template=json.txt&IpAddress="..host.ip, nil)
local stat, out = json.parse(response.body)
if stat then
local loc = out.geobytes
local output=stdnse.output_table()
if loc.city and loc.city == "Limit Exceeded" then
if not nmap.registry["ip-geolocation-geobytes"] then nmap.registry["ip-geolocation-geobytes"]={} end
nmap.registry["ip-geolocation-geobytes"].blocked = true
stdnse.print_debug("%s: 20 requests per hour Limit Exceeded", SCRIPT_NAME)
return nil
end
-- Process output
-- an empty table is returned when latitude and longitude can not be determined
if ( "table" == type(loc.latitude) or "table" == type(loc.longitude) ) then
return "Could not determine location for IP"
end
output["latitude"] = loc.latitude
output["longitude"] = loc.longitude
output["city"] = loc.city
output["region"] = loc.region
output["country"] = loc.country
return output
elseif response.body:match("Limit Exceeded") then
if not nmap.registry["ip-geolocation-geobytes"] then nmap.registry["ip-geolocation-geobytes"]={} end
nmap.registry["ip-geolocation-geobytes"].blocked = true
stdnse.print_debug("%s: 20 requests per hour Limit Exceeded", SCRIPT_NAME)
return nil
end
return nil
end


@@ -27,37 +27,37 @@ categories = {"discovery","external","safe"}
hostrule = function(host)
local is_private, err = ipOps.isPrivate( host.ip )
if is_private == nil then
stdnse.print_debug( "%s Error in Hostrule: %s.", SCRIPT_NAME, err )
return false
end
return not is_private
local is_private, err = ipOps.isPrivate( host.ip )
if is_private == nil then
stdnse.print_debug( "%s Error in Hostrule: %s.", SCRIPT_NAME, err )
return false
end
return not is_private
end
-- No limit on requests
local geoplugin = function(ip)
local response = http.get("www.geoplugin.net", 80, "/json.gp?ip="..ip, nil)
local stat, loc = json.parse(response.body)
if not stat then return nil end
local response = http.get("www.geoplugin.net", 80, "/json.gp?ip="..ip, nil)
local stat, loc = json.parse(response.body)
if not stat then return nil end
local output = {}
table.insert(output, "coordinates (lat,lon): "..loc.geoplugin_latitude..","..loc.geoplugin_longitude)
local regionName = (loc.geoplugin_regionName == json.NULL) and "Unknown" or loc.geoplugin_regionName
table.insert(output,"state: ".. regionName ..", ".. loc.geoplugin_countryName)
local output = {}
table.insert(output, "coordinates (lat,lon): "..loc.geoplugin_latitude..","..loc.geoplugin_longitude)
local regionName = (loc.geoplugin_regionName == json.NULL) and "Unknown" or loc.geoplugin_regionName
table.insert(output,"state: ".. regionName ..", ".. loc.geoplugin_countryName)
return output
return output
end
action = function(host,port)
local output = geoplugin(host.ip)
local output = geoplugin(host.ip)
if(#output~=0) then
output.name = host.ip
if host.targetname then
output.name = output.name.." ("..host.targetname..")"
end
end
if(#output~=0) then
output.name = host.ip
if host.targetname then
output.name = output.name.." ("..host.targetname..")"
end
end
return stdnse.format_output(true,output)
return stdnse.format_output(true,output)
end


@@ -34,54 +34,54 @@ categories = {"discovery","external","safe"}
hostrule = function(host)
local is_private, err = ipOps.isPrivate( host.ip )
if is_private == nil then
stdnse.print_debug( "%s not running: Error in Hostrule: %s.", SCRIPT_NAME, err )
return false
elseif is_private then
stdnse.print_debug("%s not running: Private IP address of target: %s", SCRIPT_NAME, host.ip)
return false
end
local is_private, err = ipOps.isPrivate( host.ip )
if is_private == nil then
stdnse.print_debug( "%s not running: Error in Hostrule: %s.", SCRIPT_NAME, err )
return false
elseif is_private then
stdnse.print_debug("%s not running: Private IP address of target: %s", SCRIPT_NAME, host.ip)
return false
end
local api_key = stdnse.get_script_args(SCRIPT_NAME..".apikey")
if not (type(api_key)=="string") then
stdnse.print_debug("%s not running: No IPInfoDB API key specified.", SCRIPT_NAME)
return false
end
local api_key = stdnse.get_script_args(SCRIPT_NAME..".apikey")
if not (type(api_key)=="string") then
stdnse.print_debug("%s not running: No IPInfoDB API key specified.", SCRIPT_NAME)
return false
end
return true
return true
end
-- No limit on requests. A free registration for an API key is a prerequisite
local ipinfodb = function(ip)
local api_key = stdnse.get_script_args(SCRIPT_NAME..".apikey")
local response = http.get("api.ipinfodb.com", 80, "/v3/ip-city/?key="..api_key.."&format=json".."&ip="..ip, nil)
local stat, loc = json.parse(response.body)
if not stat then
stdnse.print_debug("No response, possibly a network problem.")
return nil
end
if loc.statusMessage and loc.statusMessage == "Invalid API key." then
stdnse.print_debug(loc.statusMessage)
return nil
end
local api_key = stdnse.get_script_args(SCRIPT_NAME..".apikey")
local response = http.get("api.ipinfodb.com", 80, "/v3/ip-city/?key="..api_key.."&format=json".."&ip="..ip, nil)
local stat, loc = json.parse(response.body)
if not stat then
stdnse.print_debug("No response, possibly a network problem.")
return nil
end
if loc.statusMessage and loc.statusMessage == "Invalid API key." then
stdnse.print_debug(loc.statusMessage)
return nil
end
local output = {}
table.insert(output, "coordinates (lat,lon): "..loc.latitude..","..loc.longitude)
table.insert(output,"city: ".. loc.cityName..", ".. loc.regionName..", ".. loc.countryName)
local output = {}
table.insert(output, "coordinates (lat,lon): "..loc.latitude..","..loc.longitude)
table.insert(output,"city: ".. loc.cityName..", ".. loc.regionName..", ".. loc.countryName)
return output
return output
end
action = function(host,port)
local output = ipinfodb(host.ip)
local output = ipinfodb(host.ip)
if(#output~=0) then
output.name = host.ip
if host.targetname then
output.name = output.name.." ("..host.targetname..")"
end
end
if(#output~=0) then
output.name = host.ip
if host.targetname then
output.name = output.name.." ("..host.targetname..")"
end
end
return stdnse.format_output(true,output)
return stdnse.format_output(true,output)
end


@@ -31,60 +31,60 @@ portrule = shortport.portnumber(3260, "tcp", {"open", "open|filtered"})
Driver = {
new = function(self, host, port)
local o = {}
setmetatable(o, self)
self.__index = self
o.host = host
o.port = port
o.target = stdnse.get_script_args('iscsi-brute.target')
return o
end,
new = function(self, host, port)
local o = {}
setmetatable(o, self)
self.__index = self
o.host = host
o.port = port
o.target = stdnse.get_script_args('iscsi-brute.target')
return o
end,
connect = function( self )
self.helper = iscsi.Helper:new( self.host, self.port )
return self.helper:connect()
end,
connect = function( self )
self.helper = iscsi.Helper:new( self.host, self.port )
return self.helper:connect()
end,
login = function( self, username, password )
local status = self.helper:login( self.target, username, password, "CHAP")
login = function( self, username, password )
local status = self.helper:login( self.target, username, password, "CHAP")
if ( status ) then
return true, brute.Account:new(username, password, creds.State.VALID)
end
if ( status ) then
return true, brute.Account:new(username, password, creds.State.VALID)
end
return false, brute.Error:new( "Incorrect password" )
end,
return false, brute.Error:new( "Incorrect password" )
end,
disconnect = function( self )
self.helper:close()
end,
disconnect = function( self )
self.helper:close()
end,
}
action = function( host, port )
local target = stdnse.get_script_args('iscsi-brute.target')
if ( not(target) ) then
return "ERROR: No target specified (see iscsi-brute.target)"
end
local target = stdnse.get_script_args('iscsi-brute.target')
if ( not(target) ) then
return "ERROR: No target specified (see iscsi-brute.target)"
end
local helper = iscsi.Helper:new( host, port )
local status, err = helper:connect()
if ( not(status) ) then return false, "Failed to connect" end
local helper = iscsi.Helper:new( host, port )
local status, err = helper:connect()
if ( not(status) ) then return false, "Failed to connect" end
local response
status, response = helper:login( target )
helper:logout()
helper:close()
local response
status, response = helper:login( target )
helper:logout()
helper:close()
if ( status ) then return "No authentication required" end
if ( status ) then return "No authentication required" end
local accounts
local accounts
local engine = brute.Engine:new(Driver, host, port)
engine.options.script_name = SCRIPT_NAME
status, accounts = engine:start()
local engine = brute.Engine:new(Driver, host, port)
engine.options.script_name = SCRIPT_NAME
status, accounts = engine:start()
if ( status ) then return accounts end
if ( status ) then return accounts end
end


@@ -37,60 +37,60 @@ portrule = shortport.portnumber(3260, "tcp", {"open", "open|filtered"})
-- @return result true if auth is required false if not
-- err string containing error message
local function requiresAuth( host, port, target )
local helper = iscsi.Helper:new( host, port )
local errors = iscsi.Packet.LoginResponse.Errors
local helper = iscsi.Helper:new( host, port )
local errors = iscsi.Packet.LoginResponse.Errors
local status, err = helper:connect()
if ( not(status) ) then return false, "Failed to connect" end
local status, err = helper:connect()
if ( not(status) ) then return false, "Failed to connect" end
local response
status, response = helper:login( target )
if ( not(status) ) then return false, response:getErrorMessage() end
local response
status, response = helper:login( target )
if ( not(status) ) then return false, response:getErrorMessage() end
if ( status and response:getErrorCode() == errors.SUCCESS) then
-- try to logout
status = helper:logout()
end
if ( status and response:getErrorCode() == errors.SUCCESS) then
-- try to logout
status = helper:logout()
end
status = helper:close()
status = helper:close()
return true, "Authentication successful"
return true, "Authentication successful"
end
action = function( host, port )
local helper = iscsi.Helper:new( host, port )
local helper = iscsi.Helper:new( host, port )
local status = helper:connect()
if ( not(status) ) then
stdnse.print_debug("%s: failed to connect to server", SCRIPT_NAME )
return
end
local status = helper:connect()
if ( not(status) ) then
stdnse.print_debug("%s: failed to connect to server", SCRIPT_NAME )
return
end
local records
status, records = helper:discoverTargets()
if ( not(status) ) then
stdnse.print_debug("%s: failed to discover targets", SCRIPT_NAME )
return
end
status = helper:logout()
status = helper:close()
local records
status, records = helper:discoverTargets()
if ( not(status) ) then
stdnse.print_debug("%s: failed to discover targets", SCRIPT_NAME )
return
end
status = helper:logout()
status = helper:close()
local result = {}
for _, record in ipairs(records) do
local result_part = {}
result_part.name = ("Target: %s"):format(record.name)
for _, addr in ipairs( record.addr ) do
table.insert(result_part, ("Address: %s"):format(addr) )
end
local result = {}
for _, record in ipairs(records) do
local result_part = {}
result_part.name = ("Target: %s"):format(record.name)
for _, addr in ipairs( record.addr ) do
table.insert(result_part, ("Address: %s"):format(addr) )
end
local status, err = requiresAuth( host, port, record.name )
if ( not(status) ) then
table.insert(result_part, "Authentication: " .. err )
else
table.insert(result_part, "Authentication: No authentication required")
end
table.insert(result, result_part)
end
return stdnse.format_output( true, result )
local status, err = requiresAuth( host, port, record.name )
if ( not(status) ) then
table.insert(result_part, "Authentication: " .. err )
else
table.insert(result_part, "Authentication: No authentication required")
end
table.insert(result, result_part)
end
return stdnse.format_output( true, result )
end


@@ -37,35 +37,35 @@ categories = {"safe", "discovery"}
local function fail(err) return ("\n ERROR: %s"):format(err or "") end
action = function(host, port)
local helper = isns.Helper:new(host, port)
if ( not(helper:connect()) ) then
return fail("Failed to connect to server")
end
local helper = isns.Helper:new(host, port)
if ( not(helper:connect()) ) then
return fail("Failed to connect to server")
end
local status, portals = helper:listPortals()
if ( not(status) ) then
return
end
local status, portals = helper:listPortals()
if ( not(status) ) then
return
end
local results = {}
local restab = tab.new(2)
tab.addrow(restab, "ip", "port")
for _, portal in ipairs(portals) do
tab.addrow(restab, portal.addr, ("%d/%s"):format(portal.port, portal.proto))
end
table.insert(results, { name = "Portal", tab.dump(restab) })
local results = {}
local restab = tab.new(2)
tab.addrow(restab, "ip", "port")
for _, portal in ipairs(portals) do
tab.addrow(restab, portal.addr, ("%d/%s"):format(portal.port, portal.proto))
end
table.insert(results, { name = "Portal", tab.dump(restab) })
local status, nodes = helper:listISCINodes()
if ( not(status) ) then
return
end
local status, nodes = helper:listISCINodes()
if ( not(status) ) then
return
end
restab = tab.new(2)
tab.addrow(restab, "node", "type")
for _, portal in ipairs(nodes) do
tab.addrow(restab, portal.name, portal.type)
end
table.insert(results, { name = "iSCSI Nodes", tab.dump(restab) })
restab = tab.new(2)
tab.addrow(restab, "node", "type")
for _, portal in ipairs(nodes) do
tab.addrow(restab, portal.name, portal.type)
end
table.insert(results, { name = "iSCSI Nodes", tab.dump(restab) })
return stdnse.format_output(true, results)
return stdnse.format_output(true, results)
end


@@ -37,61 +37,61 @@ license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"exploit","intrusive"}
portrule = function(host, port)
-- JDWP will close the port if there is no valid handshake within 2
-- seconds, Service detection's NULL probe detects it as tcpwrapped.
return port.service == "tcpwrapped"
and port.protocol == "tcp" and port.state == "open"
and not(shortport.port_is_excluded(port.number,port.protocol))
-- JDWP will close the port if there is no valid handshake within 2
-- seconds, Service detection's NULL probe detects it as tcpwrapped.
return port.service == "tcpwrapped"
and port.protocol == "tcp" and port.state == "open"
and not(shortport.port_is_excluded(port.number,port.protocol))
end
action = function(host, port)
stdnse.sleep(5) -- let the remote socket recover from connect() scan
local status,socket = jdwp.connect(host,port) -- initialize the connection
if not status then
stdnse.print_debug("error, %s",socket)
return nil
end
stdnse.sleep(5) -- let the remote socket recover from connect() scan
local status,socket = jdwp.connect(host,port) -- initialize the connection
if not status then
stdnse.print_debug("error, %s",socket)
return nil
end
-- read .class file
local file = io.open(nmap.fetchfile("nselib/data/jdwp-class/JDWPExecCmd.class"), "rb")
local class_bytes = file:read("*all")
-- read .class file
local file = io.open(nmap.fetchfile("nselib/data/jdwp-class/JDWPExecCmd.class"), "rb")
local class_bytes = file:read("*all")
-- inject the class
local injectedClass
status,injectedClass = jdwp.injectClass(socket,class_bytes)
if not status then
stdnse.print_debug(1, "%s: Failed to inject class", SCRIPT_NAME)
return stdnse.format_output(false, "Failed to inject class")
end
-- find injected class method
local runMethodID = jdwp.findMethod(socket,injectedClass.id,"run",false)
-- inject the class
local injectedClass
status,injectedClass = jdwp.injectClass(socket,class_bytes)
if not status then
stdnse.print_debug(1, "%s: Failed to inject class", SCRIPT_NAME)
return stdnse.format_output(false, "Failed to inject class")
end
-- find injected class method
local runMethodID = jdwp.findMethod(socket,injectedClass.id,"run",false)
if runMethodID == nil then
stdnse.print_debug(1, "%s: Couldn't find run method", SCRIPT_NAME)
return stdnse.format_output(false, "Couldn't find run method.")
end
-- set run() method argument
local cmd = stdnse.get_script_args(SCRIPT_NAME .. '.cmd')
if cmd == nil then
return stdnse.format_output(false, "This script requires a cmd argument to be specified.")
end
local cmdID
status,cmdID = jdwp.createString(socket,0,cmd)
if not status then
stdnse.print_debug(1, "%s: Couldn't create string", SCRIPT_NAME)
return stdnse.format_output(false, cmdID)
end
local runArgs = bin.pack(">CL",0x4c,cmdID) -- 0x4c is object type tag
-- invoke run method
local result
status, result = jdwp.invokeObjectMethod(socket,0,injectedClass.instance,injectedClass.thread,injectedClass.id,runMethodID,1,runArgs)
if not status then
stdnse.print_debug(1, "%s: Couldn't invoke run method", SCRIPT_NAME)
return stdnse.format_output(false, result)
end
-- get the result string
local _,_,stringID = bin.unpack(">CL",result)
status,result = jdwp.readString(socket,0,stringID)
return stdnse.format_output(status,result)
if runMethodID == nil then
stdnse.print_debug(1, "%s: Couldn't find run method", SCRIPT_NAME)
return stdnse.format_output(false, "Couldn't find run method.")
end
-- set run() method argument
local cmd = stdnse.get_script_args(SCRIPT_NAME .. '.cmd')
if cmd == nil then
return stdnse.format_output(false, "This script requires a cmd argument to be specified.")
end
local cmdID
status,cmdID = jdwp.createString(socket,0,cmd)
if not status then
stdnse.print_debug(1, "%s: Couldn't create string", SCRIPT_NAME)
return stdnse.format_output(false, cmdID)
end
local runArgs = bin.pack(">CL",0x4c,cmdID) -- 0x4c is object type tag
-- invoke run method
local result
status, result = jdwp.invokeObjectMethod(socket,0,injectedClass.instance,injectedClass.thread,injectedClass.id,runMethodID,1,runArgs)
if not status then
stdnse.print_debug(1, "%s: Couldn't invoke run method", SCRIPT_NAME)
return stdnse.format_output(false, result)
end
-- get the result string
local _,_,stringID = bin.unpack(">CL",result)
status,result = jdwp.readString(socket,0,stringID)
return stdnse.format_output(status,result)
end


@@ -44,51 +44,51 @@ categories = {"default","safe","discovery"}
-- |_ System time: Sat Aug 11 15:21:44 CEST 2012
portrule = function(host, port)
-- JDWP will close the port if there is no valid handshake within 2
-- seconds, Service detection's NULL probe detects it as tcpwrapped.
return port.service == "tcpwrapped"
and port.protocol == "tcp" and port.state == "open"
and not(shortport.port_is_excluded(port.number,port.protocol))
-- JDWP will close the port if there is no valid handshake within 2
-- seconds, Service detection's NULL probe detects it as tcpwrapped.
return port.service == "tcpwrapped"
and port.protocol == "tcp" and port.state == "open"
and not(shortport.port_is_excluded(port.number,port.protocol))
end
action = function(host, port)
stdnse.sleep(5) -- let the remote socket recover from connect() scan
local status,socket = jdwp.connect(host,port) -- initialize the connection
if not status then
stdnse.print_debug("error, %s",socket)
return nil
end
stdnse.sleep(5) -- let the remote socket recover from connect() scan
local status,socket = jdwp.connect(host,port) -- initialize the connection
if not status then
stdnse.print_debug("error, %s",socket)
return nil
end
-- read .class file
local file = io.open(nmap.fetchfile("nselib/data/jdwp-class/JDWPSystemInfo.class"), "rb")
local class_bytes = file:read("*all")
-- read .class file
local file = io.open(nmap.fetchfile("nselib/data/jdwp-class/JDWPSystemInfo.class"), "rb")
local class_bytes = file:read("*all")
-- inject the class
local injectedClass
status,injectedClass = jdwp.injectClass(socket,class_bytes)
if not status then
stdnse.print_debug(1, "%s: Failed to inject class", SCRIPT_NAME)
return stdnse.format_output(false, "Failed to inject class")
end
-- find injected class method
local runMethodID = jdwp.findMethod(socket,injectedClass.id,"run",false)
-- inject the class
local injectedClass
status,injectedClass = jdwp.injectClass(socket,class_bytes)
if not status then
stdnse.print_debug(1, "%s: Failed to inject class", SCRIPT_NAME)
return stdnse.format_output(false, "Failed to inject class")
end
-- find injected class method
local runMethodID = jdwp.findMethod(socket,injectedClass.id,"run",false)
if runMethodID == nil then
stdnse.print_debug(1, "%s: Couldn't find run method", SCRIPT_NAME)
return stdnse.format_output(false, "Couldn't find run method.")
end
if runMethodID == nil then
stdnse.print_debug(1, "%s: Couldn't find run method", SCRIPT_NAME)
return stdnse.format_output(false, "Couldn't find run method.")
end
-- invoke run method
local result
status, result = jdwp.invokeObjectMethod(socket,0,injectedClass.instance,injectedClass.thread,injectedClass.id,runMethodID,0,nil)
if not status then
stdnse.print_debug(1, "%s: Couldn't invoke run method", SCRIPT_NAME)
return stdnse.format_output(false, result)
end
-- get the result string
local _,_,stringID = bin.unpack(">CL",result)
status,result = jdwp.readString(socket,0,stringID)
-- parse results
return stdnse.format_output(status,result)
-- invoke run method
local result
status, result = jdwp.invokeObjectMethod(socket,0,injectedClass.instance,injectedClass.thread,injectedClass.id,runMethodID,0,nil)
if not status then
stdnse.print_debug(1, "%s: Couldn't invoke run method", SCRIPT_NAME)
return stdnse.format_output(false, result)
end
-- get the result string
local _,_,stringID = bin.unpack(">CL",result)
status,result = jdwp.readString(socket,0,stringID)
-- parse results
return stdnse.format_output(status,result)
end


@@ -31,55 +31,55 @@ license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"exploit","intrusive"}
portrule = function(host, port)
-- JDWP will close the port if there is no valid handshake within 2
-- seconds, Service detection's NULL probe detects it as tcpwrapped.
return port.service == "tcpwrapped"
and port.protocol == "tcp" and port.state == "open"
and not(shortport.port_is_excluded(port.number,port.protocol))
-- JDWP will close the port if there is no valid handshake within 2
-- seconds, Service detection's NULL probe detects it as tcpwrapped.
return port.service == "tcpwrapped"
and port.protocol == "tcp" and port.state == "open"
and not(shortport.port_is_excluded(port.number,port.protocol))
end
action = function(host, port)
stdnse.sleep(5) -- let the remote socket recover from connect() scan
local status,socket = jdwp.connect(host,port) -- initialize the connection
if not status then
stdnse.print_debug("error, %s",socket)
return nil
end
stdnse.sleep(5) -- let the remote socket recover from connect() scan
local status,socket = jdwp.connect(host,port) -- initialize the connection
if not status then
stdnse.print_debug("error, %s",socket)
return nil
end
-- read .class file
local filename = stdnse.get_script_args(SCRIPT_NAME .. '.filename')
if filename == nil then
return stdnse.format_output(false, "This script requires a .class file to inject.")
end
local file = io.open(nmap.fetchfile(filename) or filename, "rb")
local class_bytes = file:read("*all")
-- read .class file
local filename = stdnse.get_script_args(SCRIPT_NAME .. '.filename')
if filename == nil then
return stdnse.format_output(false, "This script requires a .class file to inject.")
end
local file = io.open(nmap.fetchfile(filename) or filename, "rb")
local class_bytes = file:read("*all")
-- inject the class
local injectedClass
status,injectedClass = jdwp.injectClass(socket,class_bytes)
if not status then
stdnse.print_debug(1, "%s: Failed to inject class", SCRIPT_NAME)
return stdnse.format_output(false, "Failed to inject class")
end
-- find injected class method
local runMethodID = jdwp.findMethod(socket,injectedClass.id,"run",false)
-- inject the class
local injectedClass
status,injectedClass = jdwp.injectClass(socket,class_bytes)
if not status then
stdnse.print_debug(1, "%s: Failed to inject class", SCRIPT_NAME)
return stdnse.format_output(false, "Failed to inject class")
end
-- find injected class method
local runMethodID = jdwp.findMethod(socket,injectedClass.id,"run",false)
if runMethodID == nil then
stdnse.print_debug(1, "%s: Couldn't find run method", SCRIPT_NAME)
return stdnse.format_output(false, "Couldn't find run method.")
end
if runMethodID == nil then
stdnse.print_debug(1, "%s: Couldn't find run method", SCRIPT_NAME)
return stdnse.format_output(false, "Couldn't find run method.")
end
-- invoke run method
local result
status, result = jdwp.invokeObjectMethod(socket,0,injectedClass.instance,injectedClass.thread,injectedClass.id,runMethodID,0,nil)
if not status then
stdnse.print_debug(1, "%s: Couldn't invoke run method", SCRIPT_NAME)
return stdnse.format_output(false, result)
end
-- get the result string
local _,_,stringID = bin.unpack(">CL",result)
status,result = jdwp.readString(socket,0,stringID)
-- parse results
return stdnse.format_output(status,result)
-- invoke run method
local result
status, result = jdwp.invokeObjectMethod(socket,0,injectedClass.instance,injectedClass.thread,injectedClass.id,runMethodID,0,nil)
if not status then
stdnse.print_debug(1, "%s: Couldn't invoke run method", SCRIPT_NAME)
return stdnse.format_output(false, result)
end
-- get the result string
local _,_,stringID = bin.unpack(">CL",result)
status,result = jdwp.readString(socket,0,stringID)
-- parse results
return stdnse.format_output(status,result)
end


@@ -23,36 +23,36 @@ categories = {"version"}
portrule = function(host, port)
-- JDWP will close the port if there is no valid handshake within 2
-- seconds, Service detection's NULL probe detects it as tcpwrapped.
return port.service == "tcpwrapped"
and port.protocol == "tcp" and port.state == "open"
and not(shortport.port_is_excluded(port.number,port.protocol))
-- JDWP will close the port if there is no valid handshake within 2
-- seconds, Service detection's NULL probe detects it as tcpwrapped.
return port.service == "tcpwrapped"
and port.protocol == "tcp" and port.state == "open"
and not(shortport.port_is_excluded(port.number,port.protocol))
end
action = function(host, port)
-- make sure we get at least one more packet after the JDWP-Handshake
-- response even if there is some delay; the handshake response has 14
-- bytes, so wait for 18 bytes here.
local status, result = comm.exchange(host, port, "JDWP-Handshake\0\0\0\11\0\0\0\1\0\1\1", {proto="tcp", bytes=18})
if (not status) then
return
end
-- match jdwp m|JDWP-Handshake| p/$1/ v/$3/ i/$2\n$4/
local match = {string.match(result, "^JDWP%-Handshake\0\0..\0\0\0\1\128\0\0\0\0..([^\0\n]*)\n([^\0]*)\0\0..\0\0..\0\0..([0-9._]+)\0\0..([^\0]*)")}
if match == nil or #match == 0 then
-- if we have one \128 (reply marker), it is at least not echo because the request did not contain \128
if (string.match(result,"^JDWP%-Handshake\0.*\128") ~= nil) then
port.version.name="jdwp"
port.version.product="unknown"
nmap.set_port_version(host, port)
end
return
end
port.version.name="jdwp"
port.version.product = match[1]
port.version.version = match[3]
-- port.version.extrainfo = match[2] .. "\n" .. match[4]
nmap.set_port_version(host, port)
return
-- make sure we get at least one more packet after the JDWP-Handshake
-- response even if there is some delay; the handshake response has 14
-- bytes, so wait for 18 bytes here.
local status, result = comm.exchange(host, port, "JDWP-Handshake\0\0\0\11\0\0\0\1\0\1\1", {proto="tcp", bytes=18})
if (not status) then
return
end
-- match jdwp m|JDWP-Handshake| p/$1/ v/$3/ i/$2\n$4/
local match = {string.match(result, "^JDWP%-Handshake\0\0..\0\0\0\1\128\0\0\0\0..([^\0\n]*)\n([^\0]*)\0\0..\0\0..\0\0..([0-9._]+)\0\0..([^\0]*)")}
if match == nil or #match == 0 then
-- if we have one \128 (reply marker), it is at least not echo because the request did not contain \128
if (string.match(result,"^JDWP%-Handshake\0.*\128") ~= nil) then
port.version.name="jdwp"
port.version.product="unknown"
nmap.set_port_version(host, port)
end
return
end
port.version.name="jdwp"
port.version.product = match[1]
port.version.version = match[3]
-- port.version.extrainfo = match[2] .. "\n" .. match[4]
nmap.set_port_version(host, port)
return
end


@@ -55,32 +55,32 @@ portrule = shortport.portnumber({5353,9100}, "udp")
action = function( host, port )
local result = {}
local status, response = dns.query( "", { port = port.number, host = host.ip, dtype="PTR", retPkt=true} )
if ( not(status) ) then
return
end
local status, txtrecords = dns.findNiceAnswer( dns.types.TXT, response, true )
if ( not(status) ) then
return
end
local result = {}
local status, response = dns.query( "", { port = port.number, host = host.ip, dtype="PTR", retPkt=true} )
if ( not(status) ) then
return
end
local status, txtrecords = dns.findNiceAnswer( dns.types.TXT, response, true )
if ( not(status) ) then
return
end
for _, v in ipairs( txtrecords ) do
if ( v:len() > 0 ) then
if v:find("PRINTERVIDPID") then
port.version.name="hbn3"
end
if not v:find("product=") then
v = v:gsub(" ", ": ", 1)
end
table.insert( result, v )
end
end
for _, v in ipairs( txtrecords ) do
if ( v:len() > 0 ) then
if v:find("PRINTERVIDPID") then
port.version.name="hbn3"
end
if not v:find("product=") then
v = v:gsub(" ", ": ", 1)
end
table.insert( result, v )
end
end
-- set port to open
nmap.set_port_state(host, port, "open")
nmap.set_port_version(host, port)
-- set port to open
nmap.set_port_state(host, port, "open")
nmap.set_port_version(host, port)
return stdnse.format_output(true, result)
return stdnse.format_output(true, result)
end


@@ -35,65 +35,65 @@ portrule = shortport.port_or_service(55553, "metasploit-xmlrpc", "tcp")
Driver =
{
new = function (self, host, port, opts)
local o = { host = host, port = port, opts = opts }
setmetatable (o,self)
self.__index = self
return o
end,
new = function (self, host, port, opts)
local o = { host = host, port = port, opts = opts }
setmetatable (o,self)
self.__index = self
return o
end,
connect = function ( self )
self.socket = nmap.new_socket()
if ( not(self.socket:connect(self.host, self.port, self.opts)) ) then
return false
end
return true
end,
connect = function ( self )
self.socket = nmap.new_socket()
if ( not(self.socket:connect(self.host, self.port, self.opts)) ) then
return false
end
return true
end,
login = function( self, username, password )
local xmlreq='<?xml version="1.0" ?><methodCall><methodName>auth.login</methodName><params><param><value><string>'..username..'</string></value></param><param><value><string>'..password.."</string></value></param></params></methodCall>\n"..string.char(0)
local status, err = self.socket:send(xmlreq)
login = function( self, username, password )
local xmlreq='<?xml version="1.0" ?><methodCall><methodName>auth.login</methodName><params><param><value><string>'..username..'</string></value></param><param><value><string>'..password.."</string></value></param></params></methodCall>\n"..string.char(0)
local status, err = self.socket:send(xmlreq)
if ( not ( status ) ) then
local err = brute.Error:new( "Unable to send handshake" )
err:setAbort(true)
return false, err
end
if ( not ( status ) ) then
local err = brute.Error:new( "Unable to send handshake" )
err:setAbort(true)
return false, err
end
-- Create a buffer and receive the first line
local response
status, response = self.socket:receive_buf("\r?\n", false)
-- Create a buffer and receive the first line
local response
status, response = self.socket:receive_buf("\r?\n", false)
if (response == nil or string.match(response,"<name>faultString</name><value><string>authentication error</string>")) then
stdnse.print_debug(2, "metasploit-xmlrpc-brute: Bad login: %s/%s", username, password)
return false, brute.Error:new( "Bad login" )
elseif (string.match(response,"<name>result</name><value><string>success</string></value>")) then
if (response == nil or string.match(response,"<name>faultString</name><value><string>authentication error</string>")) then
stdnse.print_debug(2, "metasploit-xmlrpc-brute: Bad login: %s/%s", username, password)
return false, brute.Error:new( "Bad login" )
elseif (string.match(response,"<name>result</name><value><string>success</string></value>")) then
stdnse.print_debug(1, "metasploit-xmlrpc-brute: Good login: %s/%s", username, password)
return true, brute.Account:new(username, password, creds.State.VALID)
end
stdnse.print_debug(1, "metasploit-xmlrpc-brute: WARNING: Unhandled response: %s", response)
return false, brute.Error:new( "unhandled response" )
end,
stdnse.print_debug(1, "metasploit-xmlrpc-brute: Good login: %s/%s", username, password)
return true, brute.Account:new(username, password, creds.State.VALID)
end
stdnse.print_debug(1, "metasploit-xmlrpc-brute: WARNING: Unhandled response: %s", response)
return false, brute.Error:new( "unhandled response" )
end,
disconnect = function( self )
self.socket:close()
end,
disconnect = function( self )
self.socket:close()
end,
}
action = function(host, port)
-- first determine whether we need SSL or not
local xmlreq='<?xml version="1.0" ?><methodCall><methodName>core.version</methodName></methodCall>\n'..string.char(0)
local socket, _, opts = comm.tryssl(host, port, xmlreq, { recv_first = false } )
if ( not(socket) ) then
return "\n ERROR: Failed to determine whether SSL was needed or not"
end
-- first determine whether we need SSL or not
local xmlreq='<?xml version="1.0" ?><methodCall><methodName>core.version</methodName></methodCall>\n'..string.char(0)
local socket, _, opts = comm.tryssl(host, port, xmlreq, { recv_first = false } )
if ( not(socket) ) then
return "\n ERROR: Failed to determine whether SSL was needed or not"
end
local engine = brute.Engine:new(Driver, host, port, opts)
engine.options.script_name = SCRIPT_NAME
engine.options.firstonly = true
local status, result = engine:start()
return result
local engine = brute.Engine:new(Driver, host, port, opts)
engine.options.script_name = SCRIPT_NAME
engine.options.firstonly = true
local status, result = engine:start()
return result
end


@@ -35,72 +35,72 @@ portrule = shortport.port_or_service({27017}, {"mongodb"})
Driver = {
new = function(self, host, port, options)
local o = { host = host, port = port, sock = nmap.new_socket() }
setmetatable(o, self)
self.__index = self
return o
end,
new = function(self, host, port, options)
local o = { host = host, port = port, sock = nmap.new_socket() }
setmetatable(o, self)
self.__index = self
return o
end,
connect = function(self)
return self.sock:connect(self.host, self.port)
end,
connect = function(self)
return self.sock:connect(self.host, self.port)
end,
login = function(self, username, password)
local status, resp = mongodb.login(self.sock, arg_db, username, password)
if ( status ) then
return true, brute.Account:new(username, password, creds.State.VALID)
elseif ( resp ~= "Authentication failed" ) then
local err = brute.Error:new( resp )
err:setRetry( true )
return false, err
end
return false, brute.Error:new( "Incorrect password" )
end,
login = function(self, username, password)
local status, resp = mongodb.login(self.sock, arg_db, username, password)
if ( status ) then
return true, brute.Account:new(username, password, creds.State.VALID)
elseif ( resp ~= "Authentication failed" ) then
local err = brute.Error:new( resp )
err:setRetry( true )
return false, err
end
return false, brute.Error:new( "Incorrect password" )
end,
disconnect = function(self)
return self.sock:close()
end,
disconnect = function(self)
return self.sock:close()
end,
}
local function needsAuth(host, port)
local socket = nmap.new_socket()
local status, result = socket:connect(host, port)
if ( not(status) ) then
return false, "Failed to connect to server"
end
local socket = nmap.new_socket()
local status, result = socket:connect(host, port)
if ( not(status) ) then
return false, "Failed to connect to server"
end
local packet
status, packet = mongodb.listDbQuery()
if ( not(status) ) then
return false, result
end
local packet
status, packet = mongodb.listDbQuery()
if ( not(status) ) then
return false, result
end
--- Send packet
status, result = mongodb.query(socket, packet)
if ( not(status) ) then
return false, result
end
--- Send packet
status, result = mongodb.query(socket, packet)
if ( not(status) ) then
return false, result
end
socket:close()
if ( status and result.errmsg ) then
return true
end
return false
socket:close()
if ( status and result.errmsg ) then
return true
end
return false
end
action = function(host, port)
if ( not(needsAuth(host, port)) ) then
return "No authentication needed"
end
if ( not(needsAuth(host, port)) ) then
return "No authentication needed"
end
local engine = brute.Engine:new(Driver, host, port )
local engine = brute.Engine:new(Driver, host, port )
engine.options.script_name = SCRIPT_NAME
engine.options.firstonly = true
local status, result = engine:start()
engine.options.script_name = SCRIPT_NAME
engine.options.firstonly = true
local status, result = engine:start()
return result
return result
end


@@ -51,50 +51,50 @@ portrule = shortport.port_or_service({27017}, {"mongodb"})
function action(host,port)
local socket = nmap.new_socket()
local socket = nmap.new_socket()
-- set a reasonable timeout value
socket:set_timeout(10000)
-- do some exception / cleanup
local catch = function()
socket:close()
end
-- set a reasonable timeout value
socket:set_timeout(10000)
-- do some exception / cleanup
local catch = function()
socket:close()
end
local try = nmap.new_try(catch)
local try = nmap.new_try(catch)
try( socket:connect(host, port) )
try( socket:connect(host, port) )
-- uglyness to allow creds.mongodb to work, as the port is not recognized
-- as mongodb, unless a service scan was run
local ps = port.service
port.service = 'mongodb'
local c = creds.Credentials:new(creds.ALL_DATA, host, port)
for cred in c:getCredentials(creds.State.VALID + creds.State.PARAM) do
local status, err = mongodb.login(socket, "admin", cred.user, cred.pass)
if ( not(status) ) then
return err
end
end
port.service = ps
-- uglyness to allow creds.mongodb to work, as the port is not recognized
-- as mongodb, unless a service scan was run
local ps = port.service
port.service = 'mongodb'
local c = creds.Credentials:new(creds.ALL_DATA, host, port)
for cred in c:getCredentials(creds.State.VALID + creds.State.PARAM) do
local status, err = mongodb.login(socket, "admin", cred.user, cred.pass)
if ( not(status) ) then
return err
end
end
port.service = ps
local req, result, packet, err, status
--Build packet
status, packet = mongodb.listDbQuery()
if not status then return result end-- Error message
local req, result, packet, err, status
--Build packet
status, packet = mongodb.listDbQuery()
if not status then return result end-- Error message
--- Send packet
status, result = mongodb.query(socket, packet)
if not status then return result end-- Error message
--- Send packet
status, result = mongodb.query(socket, packet)
if not status then return result end-- Error message
port.version.name ='mongodb'
port.version.product='MongoDB'
nmap.set_port_version(host,port)
port.version.name ='mongodb'
port.version.product='MongoDB'
nmap.set_port_version(host,port)
local output = mongodb.queryResultToTable(result)
if err ~= nil then
stdnse.log_error(err)
end
if result ~= nil then
return stdnse.format_output(true, output )
end
local output = mongodb.queryResultToTable(result)
if err ~= nil then
stdnse.log_error(err)
end
if result ~= nil then
return stdnse.format_output(true, output )
end
end


@@ -37,69 +37,69 @@ license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}
hostrule = function(host)
if ( mssql.Helper.WasDiscoveryPerformed( host ) ) then
return mssql.Helper.GetDiscoveredInstances( host ) ~= nil
else
local sqlBrowserPort = nmap.get_port_state( host, {number = 1434, protocol = "udp"} )
if ( (stdnse.get_script_args( {"mssql.instance-all", "mssql.instance-name", "mssql.instance-port"} ) ~= nil) or
(sqlBrowserPort and (sqlBrowserPort.state == "open" or sqlBrowserPort.state == "open|filtered")) ) then
return true
end
end
if ( mssql.Helper.WasDiscoveryPerformed( host ) ) then
return mssql.Helper.GetDiscoveredInstances( host ) ~= nil
else
local sqlBrowserPort = nmap.get_port_state( host, {number = 1434, protocol = "udp"} )
if ( (stdnse.get_script_args( {"mssql.instance-all", "mssql.instance-name", "mssql.instance-port"} ) ~= nil) or
(sqlBrowserPort and (sqlBrowserPort.state == "open" or sqlBrowserPort.state == "open|filtered")) ) then
return true
end
end
end
local function checkPort(host, port)
local s = nmap.new_socket()
s:set_timeout(5000)
local status = s:connect(host, port, "tcp")
s:close()
return status
local s = nmap.new_socket()
s:set_timeout(5000)
local status = s:connect(host, port, "tcp")
s:close()
return status
end
local function discoverDAC(host, name, result)
local condvar = nmap.condvar(result)
stdnse.print_debug(2, "Discovering DAC port on instance: %s", name)
local port = mssql.Helper.DiscoverDACPort( host, name )
if ( port ) then
if ( checkPort(host, port) ) then
table.insert(result, ("Instance: %s; DAC port: %s"):format(name, port))
else
table.insert(result, ("Instance: %s; DAC port: %s (connection failed)"):format(name, port))
end
end
condvar "signal"
local condvar = nmap.condvar(result)
stdnse.print_debug(2, "Discovering DAC port on instance: %s", name)
local port = mssql.Helper.DiscoverDACPort( host, name )
if ( port ) then
if ( checkPort(host, port) ) then
table.insert(result, ("Instance: %s; DAC port: %s"):format(name, port))
else
table.insert(result, ("Instance: %s; DAC port: %s (connection failed)"):format(name, port))
end
end
condvar "signal"
end
action = function( host )
local result, threads = {}, {}
local condvar = nmap.condvar(result)
local result, threads = {}, {}
local condvar = nmap.condvar(result)
local status, instanceList = mssql.Helper.GetTargetInstances( host )
-- if no instances were targeted, then display info on all
if ( not status ) then
if ( not mssql.Helper.WasDiscoveryPerformed( host ) ) then
mssql.Helper.Discover( host )
end
instanceList = mssql.Helper.GetDiscoveredInstances( host )
end
local status, instanceList = mssql.Helper.GetTargetInstances( host )
-- if no instances were targeted, then display info on all
if ( not status ) then
if ( not mssql.Helper.WasDiscoveryPerformed( host ) ) then
mssql.Helper.Discover( host )
end
instanceList = mssql.Helper.GetDiscoveredInstances( host )
end
for _, instance in ipairs(instanceList or {}) do
local name = instance:GetName():match("^[^\\]*\\(.*)$")
if ( name ) then
local co = stdnse.new_thread(discoverDAC, host, name, result)
threads[co] = true
end
end
for _, instance in ipairs(instanceList or {}) do
local name = instance:GetName():match("^[^\\]*\\(.*)$")
if ( name ) then
local co = stdnse.new_thread(discoverDAC, host, name, result)
threads[co] = true
end
end
while(next(threads)) do
for t in pairs(threads) do
threads[t] = ( coroutine.status(t) ~= "dead" ) and true or nil
end
if ( next(threads) ) then
condvar "wait"
end
end
while(next(threads)) do
for t in pairs(threads) do
threads[t] = ( coroutine.status(t) ~= "dead" ) and true or nil
end
if ( next(threads) ) then
condvar "wait"
end
end
return stdnse.format_output( true, result )
return stdnse.format_output( true, result )
end


@@ -41,57 +41,57 @@ arg_timeout = (arg_timeout or 5) * 1000
Driver = {
new = function(self, host, port)
local o = {}
setmetatable(o, self)
self.__index = self
o.host = host
o.port = port
return o
end,
new = function(self, host, port)
local o = {}
setmetatable(o, self)
self.__index = self
o.host = host
o.port = port
return o
end,
connect = function( self )
self.socket = nmap.new_socket()
local status, err = self.socket:connect(self.host, self.port)
self.socket:set_timeout(arg_timeout)
if(not(status)) then
return false, brute.Error:new( "Couldn't connect to host: " .. err )
end
return true
end,
connect = function( self )
self.socket = nmap.new_socket()
local status, err = self.socket:connect(self.host, self.port)
self.socket:set_timeout(arg_timeout)
if(not(status)) then
return false, brute.Error:new( "Couldn't connect to host: " .. err )
end
return true
end,
login = function (self, user, pass)
local status, response = mysql.receiveGreeting(self.socket)
if(not(status)) then
return false,brute.Error:new(response)
end
stdnse.print_debug( "Trying %s/%s ...", user, pass )
status, response = mysql.loginRequest( self.socket, { authversion = "post41", charset = response.charset }, user, pass, response.salt )
if status then
-- Add credentials for other mysql scripts to use
if nmap.registry.mysqlusers == nil then
nmap.registry.mysqlusers = {}
end
nmap.registry.mysqlusers[user]=pass
return true, brute.Account:new( user, pass, creds.State.VALID)
end
return false,brute.Error:new( "Incorrect password" )
end,
login = function (self, user, pass)
local status, response = mysql.receiveGreeting(self.socket)
if(not(status)) then
return false,brute.Error:new(response)
end
stdnse.print_debug( "Trying %s/%s ...", user, pass )
status, response = mysql.loginRequest( self.socket, { authversion = "post41", charset = response.charset }, user, pass, response.salt )
if status then
-- Add credentials for other mysql scripts to use
if nmap.registry.mysqlusers == nil then
nmap.registry.mysqlusers = {}
end
nmap.registry.mysqlusers[user]=pass
return true, brute.Account:new( user, pass, creds.State.VALID)
end
return false,brute.Error:new( "Incorrect password" )
end,
disconnect = function( self )
self.socket:close()
return true
end
disconnect = function( self )
self.socket:close()
return true
end
}
action = function( host, port )
local status, result
local engine = brute.Engine:new(Driver, host, port)
engine.options.script_name = SCRIPT_NAME
local status, result
local engine = brute.Engine:new(Driver, host, port)
engine.options.script_name = SCRIPT_NAME
status, result = engine:start()
status, result = engine:start()
return result
return result
end


@@ -41,58 +41,58 @@ portrule = shortport.port_or_service(3306, "mysql")
action = function( host, port )
local socket = nmap.new_socket()
local catch = function() socket:close() end
local try = nmap.new_try(catch)
local result, response, dbs = {}, nil, {}
local users = {}
local nmap_args = nmap.registry.args
local status, rows
local socket = nmap.new_socket()
local catch = function() socket:close() end
local try = nmap.new_try(catch)
local result, response, dbs = {}, nil, {}
local users = {}
local nmap_args = nmap.registry.args
local status, rows
-- set a reasonable timeout value
socket:set_timeout(5000)
-- set a reasonable timeout value
socket:set_timeout(5000)
-- first, let's see if the script has any credentials as arguments?
if nmap_args.mysqluser then
users[nmap_args.mysqluser] = nmap_args.mysqlpass or ""
-- next, let's see if mysql-brute or mysql-empty-password brought us anything
elseif nmap.registry.mysqlusers then
-- do we have root credentials?
if nmap.registry.mysqlusers['root'] then
users['root'] = nmap.registry.mysqlusers['root']
else
-- we didn't have root, so let's make sure we loop over them all
users = nmap.registry.mysqlusers
end
-- last, no dice, we don't have any credentials at all
else
stdnse.print_debug("No credentials supplied, aborting ...")
return
end
-- first, let's see if the script has any credentials as arguments?
if nmap_args.mysqluser then
users[nmap_args.mysqluser] = nmap_args.mysqlpass or ""
-- next, let's see if mysql-brute or mysql-empty-password brought us anything
elseif nmap.registry.mysqlusers then
-- do we have root credentials?
if nmap.registry.mysqlusers['root'] then
users['root'] = nmap.registry.mysqlusers['root']
else
-- we didn't have root, so let's make sure we loop over them all
users = nmap.registry.mysqlusers
end
-- last, no dice, we don't have any credentials at all
else
stdnse.print_debug("No credentials supplied, aborting ...")
return
end
--
-- Iterates over credentials, breaks once it successfully recieves results
--
for username, password in pairs(users) do
--
-- Iterates over credentials, breaks once it successfully recieves results
--
for username, password in pairs(users) do
try( socket:connect(host, port) )
try( socket:connect(host, port) )
response = try( mysql.receiveGreeting( socket ) )
status, response = mysql.loginRequest( socket, { authversion = "post41", charset = response.charset }, username, password, response.salt )
response = try( mysql.receiveGreeting( socket ) )
status, response = mysql.loginRequest( socket, { authversion = "post41", charset = response.charset }, username, password, response.salt )
if status and response.errorcode == 0 then
local status, rs = mysql.sqlQuery( socket, "show databases" )
if status then
result = mysql.formatResultset(rs, { noheaders = true })
if status and response.errorcode == 0 then
local status, rs = mysql.sqlQuery( socket, "show databases" )
if status then
result = mysql.formatResultset(rs, { noheaders = true })
-- if we got here as root, we've got them all
-- if we're here as someone else, we cant be sure
if username == 'root' then
break
end
end
end
socket:close()
end
return stdnse.format_output(true, result)
-- if we got here as root, we've got them all
-- if we're here as someone else, we cant be sure
if username == 'root' then
break
end
end
end
socket:close()
end
return stdnse.format_output(true, result)
end


@@ -43,60 +43,60 @@ local arg_password = stdnse.get_script_args(SCRIPT_NAME .. ".password") or ""
local function fail(err) return ("\n ERROR: %s"):format(err or "") end
local function getCredentials()
-- first, let's see if the script has any credentials as arguments?
if ( arg_username ) then
return { [arg_username] = arg_password }
-- next, let's see if mysql-brute or mysql-empty-password brought us anything
elseif nmap.registry.mysqlusers then
-- do we have root credentials?
if nmap.registry.mysqlusers['root'] then
return { ['root'] = nmap.registry.mysqlusers['root'] }
else
-- we didn't have root, so let's make sure we loop over them all
return nmap.registry.mysqlusers
end
-- last, no dice, we don't have any credentials at all
end
-- first, let's see if the script has any credentials as arguments?
if ( arg_username ) then
return { [arg_username] = arg_password }
-- next, let's see if mysql-brute or mysql-empty-password brought us anything
elseif nmap.registry.mysqlusers then
-- do we have root credentials?
if nmap.registry.mysqlusers['root'] then
return { ['root'] = nmap.registry.mysqlusers['root'] }
else
-- we didn't have root, so let's make sure we loop over them all
return nmap.registry.mysqlusers
end
-- last, no dice, we don't have any credentials at all
end
end
local function mysqlLogin(socket, username, password)
local status, response = mysql.receiveGreeting( socket )
if ( not(status) ) then
return response
end
return mysql.loginRequest( socket, { authversion = "post41", charset = response.charset }, username, password, response.salt )
local status, response = mysql.receiveGreeting( socket )
if ( not(status) ) then
return response
end
return mysql.loginRequest( socket, { authversion = "post41", charset = response.charset }, username, password, response.salt )
end
action = function(host, port)
local creds = getCredentials()
if ( not(creds) ) then
stdnse.print_debug(2, "No credentials were supplied, aborting ...")
return
end
local creds = getCredentials()
if ( not(creds) ) then
stdnse.print_debug(2, "No credentials were supplied, aborting ...")
return
end
local result = {}
for username, password in pairs(creds) do
local socket = nmap.new_socket()
if ( not(socket:connect(host, port)) ) then
return fail("Failed to connect to server")
end
local result = {}
for username, password in pairs(creds) do
local socket = nmap.new_socket()
if ( not(socket:connect(host, port)) ) then
return fail("Failed to connect to server")
end
local status, response = mysqlLogin(socket, username, password)
if ( status ) then
local query = "SELECT DISTINCT CONCAT(user, ':', password) FROM mysql.user WHERE password <> ''"
local status, rows = mysql.sqlQuery( socket, query )
socket:close()
if ( status ) then
result = mysql.formatResultset(rows, { noheaders = true })
break
end
else
socket:close()
end
end
local status, response = mysqlLogin(socket, username, password)
if ( status ) then
local query = "SELECT DISTINCT CONCAT(user, ':', password) FROM mysql.user WHERE password <> ''"
local status, rows = mysql.sqlQuery( socket, query )
socket:close()
if ( status ) then
result = mysql.formatResultset(rows, { noheaders = true })
break
end
else
socket:close()
end
end
if ( result ) then
return stdnse.format_output(true, result)
end
if ( result ) then
return stdnse.format_output(true, result)
end
end


@@ -31,35 +31,35 @@ portrule = shortport.port_or_service(3306, "mysql")
action = function( host, port )
local socket = nmap.new_socket()
local result = {}
local users = {"", "root"}
local socket = nmap.new_socket()
local result = {}
local users = {"", "root"}
-- set a reasonable timeout value
socket:set_timeout(5000)
-- set a reasonable timeout value
socket:set_timeout(5000)
for _, v in ipairs( users ) do
local status, response = socket:connect(host, port)
if( not(status) ) then return " \n ERROR: Failed to connect to mysql server" end
for _, v in ipairs( users ) do
local status, response = socket:connect(host, port)
if( not(status) ) then return " \n ERROR: Failed to connect to mysql server" end
status, response = mysql.receiveGreeting( socket )
if ( not(status) ) then
stdnse.print_debug(3, SCRIPT_NAME)
socket:close()
return response
end
status, response = mysql.receiveGreeting( socket )
if ( not(status) ) then
stdnse.print_debug(3, SCRIPT_NAME)
socket:close()
return response
end
status, response = mysql.loginRequest( socket, { authversion = "post41", charset = response.charset }, v, nil, response.salt )
if response.errorcode == 0 then
table.insert(result, string.format("%s account has empty password", ( v=="" and "anonymous" or v ) ) )
if nmap.registry.mysqlusers == nil then
nmap.registry.mysqlusers = {}
end
nmap.registry.mysqlusers[v=="" and "anonymous" or v] = ""
end
socket:close()
end
status, response = mysql.loginRequest( socket, { authversion = "post41", charset = response.charset }, v, nil, response.salt )
if response.errorcode == 0 then
table.insert(result, string.format("%s account has empty password", ( v=="" and "anonymous" or v ) ) )
if nmap.registry.mysqlusers == nil then
nmap.registry.mysqlusers = {}
end
nmap.registry.mysqlusers[v=="" and "anonymous" or v] = ""
end
socket:close()
end
return stdnse.format_output(true, result)
return stdnse.format_output(true, result)
end


@@ -44,54 +44,54 @@ portrule = shortport.port_or_service(3306, "mysql")
action = function( host, port )
local socket = nmap.new_socket()
local catch = function() socket:close() end
local try = nmap.new_try(catch)
local result, response = {}, nil
local users = {}
local nmap_args = nmap.registry.args
local status, rows
local socket = nmap.new_socket()
local catch = function() socket:close() end
local try = nmap.new_try(catch)
local result, response = {}, nil
local users = {}
local nmap_args = nmap.registry.args
local status, rows
-- set a reasonable timeout value
socket:set_timeout(5000)
-- set a reasonable timeout value
socket:set_timeout(5000)
-- first, let's see if the script has any credentials as arguments?
if nmap_args.mysqluser then
users[nmap_args.mysqluser] = nmap_args.mysqlpass or ""
-- next, let's see if mysql-brute or mysql-empty-password brought us anything
elseif nmap.registry.mysqlusers then
-- do we have root credentials?
if nmap.registry.mysqlusers['root'] then
users['root'] = nmap.registry.mysqlusers['root']
else
-- we didn't have root, so let's make sure we loop over them all
users = nmap.registry.mysqlusers
end
-- last, no dice, we don't have any credentials at all
else
stdnse.print_debug("No credentials supplied, aborting ...")
return
end
-- first, let's see if the script has any credentials as arguments?
if nmap_args.mysqluser then
users[nmap_args.mysqluser] = nmap_args.mysqlpass or ""
-- next, let's see if mysql-brute or mysql-empty-password brought us anything
elseif nmap.registry.mysqlusers then
-- do we have root credentials?
if nmap.registry.mysqlusers['root'] then
users['root'] = nmap.registry.mysqlusers['root']
else
-- we didn't have root, so let's make sure we loop over them all
users = nmap.registry.mysqlusers
end
-- last, no dice, we don't have any credentials at all
else
stdnse.print_debug("No credentials supplied, aborting ...")
return
end
--
-- Iterates over credentials, breaks once it successfully recieves results
--
for username, password in pairs(users) do
--
-- Iterates over credentials, breaks once it successfully recieves results
--
for username, password in pairs(users) do
try( socket:connect(host, port) )
try( socket:connect(host, port) )
response = try( mysql.receiveGreeting( socket ) )
status, response = mysql.loginRequest( socket, { authversion = "post41", charset = response.charset }, username, password, response.salt )
response = try( mysql.receiveGreeting( socket ) )
status, response = mysql.loginRequest( socket, { authversion = "post41", charset = response.charset }, username, password, response.salt )
if status and response.errorcode == 0 then
status, rows = mysql.sqlQuery( socket, "SELECT DISTINCT user FROM mysql.user" )
if status then
result = mysql.formatResultset(rows, { noheaders = true })
end
end
socket:close()
end
if status and response.errorcode == 0 then
status, rows = mysql.sqlQuery( socket, "SELECT DISTINCT user FROM mysql.user" )
if status then
result = mysql.formatResultset(rows, { noheaders = true })
end
end
socket:close()
end
return stdnse.format_output(true, result)
return stdnse.format_output(true, result)
end


@@ -25,14 +25,14 @@ categories = {"default", "discovery", "safe"}
portrule = shortport.port_or_service(5351, "nat-pmp", {"udp"} )
action = function(host, port)
local helper = natpmp.Helper:new(host, port)
local status, response = helper:getWANIP()
local helper = natpmp.Helper:new(host, port)
local status, response = helper:getWANIP()
if ( status ) then
nmap.set_port_state(host, port, "open")
port.version.name = "nat-pmp"
nmap.set_port_version(host, port)
if ( status ) then
nmap.set_port_state(host, port, "open")
port.version.name = "nat-pmp"
nmap.set_port_version(host, port)
return stdnse.format_output(true, ("WAN IP: %s"):format(response.ip))
end
return stdnse.format_output(true, ("WAN IP: %s"):format(response.ip))
end
end


@@ -35,20 +35,20 @@ categories = {"auth", "safe"}
portrule = shortport.port_or_service(524, "ncp", "tcp")
action = function(host, port)
local helper = ncp.Helper:new(host,port)
local helper = ncp.Helper:new(host,port)
local status, resp = helper:connect()
if ( not(status) ) then return stdnse.format_output(false, resp) end
local status, resp = helper:connect()
if ( not(status) ) then return stdnse.format_output(false, resp) end
status, resp = helper:search("[Root]", "User", "*")
if ( not(status) ) then return stdnse.format_output(false, resp) end
status, resp = helper:search("[Root]", "User", "*")
if ( not(status) ) then return stdnse.format_output(false, resp) end
local output = {}
local output = {}
for _, entry in ipairs(resp) do
table.insert(output, entry.name)
end
for _, entry in ipairs(resp) do
table.insert(output, entry.name)
end
return stdnse.format_output(true, output)
return stdnse.format_output(true, output)
end


@@ -37,15 +37,15 @@ categories = {"default", "discovery", "safe"}
portrule = shortport.port_or_service(524, "ncp", "tcp")
action = function(host, port)
local helper = ncp.Helper:new(host,port)
local helper = ncp.Helper:new(host,port)
local status, resp = helper:connect()
if ( not(status) ) then return stdnse.format_output(false, resp) end
local status, resp = helper:connect()
if ( not(status) ) then return stdnse.format_output(false, resp) end
status, resp = helper:getServerInfo()
if ( not(status) ) then return stdnse.format_output(false, resp) end
status, resp = helper:getServerInfo()
if ( not(status) ) then return stdnse.format_output(false, resp) end
helper:close()
helper:close()
return stdnse.format_output(true, resp)
return stdnse.format_output(true, resp)
end


@@ -47,24 +47,24 @@ local function fail(err) return ("\n ERROR: %s"):format(err or "") end
action = function(host, port)
local helper = ndmp.Helper:new(host, port)
local status, msg = helper:connect()
if ( not(status) ) then return fail("Failed to connect to server") end
local helper = ndmp.Helper:new(host, port)
local status, msg = helper:connect()
if ( not(status) ) then return fail("Failed to connect to server") end
status, msg = helper:getFsInfo()
if ( not(status) ) then return fail("Failed to get filesystem information from server") end
helper:close()
status, msg = helper:getFsInfo()
if ( not(status) ) then return fail("Failed to get filesystem information from server") end
helper:close()
local result = tab.new(3)
tab.addrow(result, "FS", "Logical device", "Physical device")
local result = tab.new(3)
tab.addrow(result, "FS", "Logical device", "Physical device")
for _, item in ipairs(msg.fsinfo) do
if ( item.fs_logical_device and #item.fs_logical_device ~= 0 ) then
if ( item and item.fs_type and item.fs_logical_device and item.fs_physical_device ) then
tab.addrow(result, item.fs_type, item.fs_logical_device:gsub("?", " "), item.fs_physical_device)
end
end
end
for _, item in ipairs(msg.fsinfo) do
if ( item.fs_logical_device and #item.fs_logical_device ~= 0 ) then
if ( item and item.fs_type and item.fs_logical_device and item.fs_physical_device ) then
tab.addrow(result, item.fs_type, item.fs_logical_device:gsub("?", " "), item.fs_physical_device)
end
end
end
return "\n" .. tab.dump(result)
return "\n" .. tab.dump(result)
end


@@ -29,35 +29,35 @@ portrule = shortport.version_port_or_service(10000, "ndmp", "tcp")
local function fail(err) return ("\n ERROR: %s"):format(err or "") end
local function vendorLookup(vendor)
if ( vendor:match("VERITAS") ) then
return "Symantec/Veritas Backup Exec ndmp"
else
return vendor
end
if ( vendor:match("VERITAS") ) then
return "Symantec/Veritas Backup Exec ndmp"
else
return vendor
end
end
action = function(host, port)
local helper = ndmp.Helper:new(host, port)
local status, err = helper:connect()
if ( not(status) ) then return fail("Failed to connect to server") end
local helper = ndmp.Helper:new(host, port)
local status, err = helper:connect()
if ( not(status) ) then return fail("Failed to connect to server") end
local hi, si
status, hi = helper:getHostInfo()
if ( not(status) ) then return fail("Failed to get host information from server") end
local hi, si
status, hi = helper:getHostInfo()
if ( not(status) ) then return fail("Failed to get host information from server") end
status, si = helper:getServerInfo()
if ( not(status) ) then return fail("Failed to get server information from server") end
helper:close()
status, si = helper:getServerInfo()
if ( not(status) ) then return fail("Failed to get server information from server") end
helper:close()
local major, minor, build, smajor, sminor = hi.hostinfo.osver:match("Major Version=(%d+) Minor Version=(%d+) Build Number=(%d+) ServicePack Major=(%d+) ServicePack Minor=(%d+)")
port.version.name = "ndmp"
port.version.product = vendorLookup(si.serverinfo.vendor)
port.version.ostype = hi.hostinfo.ostype
if ( hi.hostinfo.hostname ) then
port.version.extrainfo = ("Name: %s; "):format(hi.hostinfo.hostname)
end
if ( major and minor and build and smajor and sminor ) then
port.version.extrainfo = port.version.extrainfo .. ("OS ver: %d.%d; OS Build: %d; OS Service Pack: %d"):format(major, minor, build, smajor)
end
nmap.set_port_version(host, port)
local major, minor, build, smajor, sminor = hi.hostinfo.osver:match("Major Version=(%d+) Minor Version=(%d+) Build Number=(%d+) ServicePack Major=(%d+) ServicePack Minor=(%d+)")
port.version.name = "ndmp"
port.version.product = vendorLookup(si.serverinfo.vendor)
port.version.ostype = hi.hostinfo.ostype
if ( hi.hostinfo.hostname ) then
port.version.extrainfo = ("Name: %s; "):format(hi.hostinfo.hostname)
end
if ( major and minor and build and smajor and sminor ) then
port.version.extrainfo = port.version.extrainfo .. ("OS ver: %d.%d; OS Build: %d; OS Service Pack: %d"):format(major, minor, build, smajor)
end
nmap.set_port_version(host, port)
end


@@ -31,28 +31,28 @@ portrule = shortport.port_or_service (12345, "netbus", {"tcp"})
action = function( host, port )
local socket = nmap.new_socket()
local status, err = socket:connect(host.ip, port.number)
if not status then
return
end
local buffer, _ = stdnse.make_buffer(socket, "\r")
buffer() --discard banner
local socket = nmap.new_socket()
local status, err = socket:connect(host.ip, port.number)
if not status then
return
end
local buffer, _ = stdnse.make_buffer(socket, "\r")
buffer() --discard banner
-- The first argument of Password is the super-login bit.
-- On vulnerable servers any password will do as long as
-- we send the super-login bit. Regular NetBus has only
-- one password. Thus, if we can login with two different
-- passwords using super-login, the server is vulnerable.
-- The first argument of Password is the super-login bit.
-- On vulnerable servers any password will do as long as
-- we send the super-login bit. Regular NetBus has only
-- one password. Thus, if we can login with two different
-- passwords using super-login, the server is vulnerable.
socket:send("Password;1;\r") --password: empty
if buffer() ~= "Access;1" then
return
end
socket:send("Password;1; \r") --password: space
if buffer() == "Access;1" then
return "Vulnerable"
end
return "Not vulnerable, but password is empty"
socket:send("Password;1;\r") --password: empty
if buffer() ~= "Access;1" then
return
end
socket:send("Password;1; \r") --password: space
if buffer() == "Access;1" then
return "Vulnerable"
end
return "Not vulnerable, but password is empty"
end


@@ -26,33 +26,33 @@ dependencies = {"netbus-version"}
portrule = shortport.port_or_service (12345, "netbus", {"tcp"})
action = function( host, port )
local try = nmap.new_try()
local passwords = try(unpwdb.passwords())
local socket = nmap.new_socket()
local status, err = socket:connect(host.ip, port.number)
if not status then
return
end
local buffer, err = stdnse.make_buffer(socket, "\r")
local _ = buffer() --skip the banner
for password in passwords do
local foo = string.format("Password;0;%s\r", password)
socket:send(foo)
local login = buffer()
if login == "Access;1" then
-- Store the password for other netbus scripts
local key = string.format("%s:%d", host.ip, port.number)
if not nmap.registry.netbuspasswords then
nmap.registry.netbuspasswords = {}
end
nmap.registry.netbuspasswords[key] = password
if password == "" then
return "<empty>"
end
return string.format("%s", password)
end
end
socket:close()
local try = nmap.new_try()
local passwords = try(unpwdb.passwords())
local socket = nmap.new_socket()
local status, err = socket:connect(host.ip, port.number)
if not status then
return
end
local buffer, err = stdnse.make_buffer(socket, "\r")
local _ = buffer() --skip the banner
for password in passwords do
local foo = string.format("Password;0;%s\r", password)
socket:send(foo)
local login = buffer()
if login == "Access;1" then
-- Store the password for other netbus scripts
local key = string.format("%s:%d", host.ip, port.number)
if not nmap.registry.netbuspasswords then
nmap.registry.netbuspasswords = {}
end
nmap.registry.netbuspasswords[key] = password
if password == "" then
return "<empty>"
end
return string.format("%s", password)
end
end
socket:close()
end
