mirror of https://github.com/nmap/nmap.git synced 2025-12-29 02:49:01 +00:00

Proofread and format the smb-* scripts. This was mostly done by Ron already.

david
2008-11-03 21:36:07 +00:00
parent 5e6e7151e9
commit e01984b2f5
8 changed files with 250 additions and 265 deletions


@@ -1,23 +1,26 @@
id = "MSRPC: List of shares"
description = [[
Attempts to list shares using the srvsvc.NetShareEnumAll() MSRPC function, then
retrieve more information about each share using srvsvc.NetShareGetInfo(). Running
NetShareEnumAll() will work anonymously on Windows 2000, and requires a user level
account on any other Windows version. Calling NetShareGetInfo() requires an
Attempts to list shares using the <code>srvsvc.NetShareEnumAll()</code> MSRPC function, then
retrieve more information about each share using <code>srvsvc.NetShareGetInfo()</code>.
Running
<code>NetShareEnumAll()</code> will work anonymously on Windows 2000, and requires a user-level
account on any other Windows version. Calling <code>NetShareGetInfo()</code> requires an
administrator account on every version of Windows I tested.
Although NetShareEnumAll() is restricted on certain systems, actually connecting to
a share to check if it exists will always work. So, if NetShareEnumAll() fails, a
Although <code>NetShareEnumAll()</code> is restricted on certain systems, actually connecting to
a share to check if it exists will always work. So, if <code>NetShareEnumAll()</code> fails, a
list of common shares will be attempted.
After a list of shares is found, whether or not it's complete, we attempt to connect
to each of them anonymously, which lets us divide them into "anonymous" and
"restricted".
to each of them anonymously, which lets us divide them into the classes
"anonymous" and "restricted."
When possible, once the list of shares is determined, NetShareGetInfo() is called
When possible, once the list of shares is determined, <code>NetShareGetInfo()</code> is called
to get additional information on the share. Odds are this will fail, unless we're
doing an authenticated test.
]]
---
--@usage
-- nmap --script smb-enumshares.nse -p445 <host>
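Review bot: The rewrapped description leaves the single word "Running" on its own line between the first and second paragraphs; join it with the following line ("Running <code>NetShareEnumAll()</code> will work anonymously on Windows 2000, ...") so the paragraph reflows cleanly in the generated docs. While here, "restricted." puts the period inside the quotes whereas "anonymous" does not; pick one convention.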
@@ -55,35 +58,33 @@ doing an authenticated test.
-- | |_ Users: 0, Max: <unlimited>
-- |_ |_ Path: C:\
--
--@args smbusername The SMB username to log in with. The form DOMAIN\username and username@DOMAIN
-- are NOT understood. To set a domain, use the smbdomain argument.
--@args smbusername The SMB username to log in with. The forms "DOMAIN\username" and "username@DOMAIN"
-- are not understood. To set a domain, use the <code>smbdomain</code> argument.
--@args smbdomain The domain to log in with. If you aren't in a domained environment, then anything
-- will (should?) be accepted by the server.
--@args smbpassword The password to connect with. Be cautious with this, since some servers will lock
-- accounts if the incorrect password is given (although it's rare for the
-- 'administrator' account to be lockoutable, in the off chance that it is, you could
-- get yourself in trouble).
-- accounts if the incorrect password is given. Although it's rare that the
-- Administrator account can be locked out, in the off chance that it can, you could
-- get yourself in trouble.
--@args smbhash A password hash to use when logging in. This is given as a single hex string (32
-- characters) or a pair of hex strings (2 x 32 characters, optionally separated by a
-- single character). These hashes are the Lanman or NTLM hash of the user's password,
-- and are stored by systems, on the harddrive or memory. They can be retrived from memory
-- characters) or a pair of hex strings (both 32 characters, optionally separated by a
-- single character). These hashes are the LanMan or NTLM hash of the user's password,
-- and are stored on disk or in memory. They can be retrieved from memory
-- using the fgdump or pwdump tools.
--@args smbguest If this is set to 'true' or '1', a 'guest' login will be attempted if the normal one
--@args smbguest If this is set to <code>true</code> or <code>1</code>, a guest login will be attempted if the normal one
-- fails. This should be harmless, but I thought I would disable it by default anyway
-- because I'm not entirely sure of any possible consequences.
--@args smbtype The type of SMB authentication to use. By default, NTLMv1 is used, which is a pretty
--@args smbtype The type of SMB authentication to use. These are the possible options:
-- * <code>v1</code>: Sends LMv1 and NTLMv1.
-- * <code>LMv1</code>: Sends LMv1 only.
-- * <code>NTLMv1</code>: Sends NTLMv1 only (default).
-- * <code>v2</code>: Sends LMv2 and NTLMv2.
-- * <code>LMv2</code>: Sends LMv2 only.
-- The default, <code>NTLMv1</code>, is a pretty
-- decent compromise between security and compatibility. If you are paranoid, you might
-- want to use 'v2' or 'lmv2' for this (actually, if you're paranoid, you should be
-- want to use <code>v2</code> or <code>lmv2</code> for this. (Actually, if you're paranoid, you should be
-- avoiding this protocol altogether :P). If you're using an extremely old system, you
-- might need to set this to 'v1' or 'lm', which are less secure but more compatible.
--
-- If you want finer grained control, these are the possible options:
-- * v1 -- Sends LMv1 and NTLMv1
-- * LMv1 -- Sends LMv1 only
-- * NTLMv1 -- Sends NTLMv1 only (default)
-- * v2 -- Sends LMv2 and NTLMv2
-- * LMv2 -- Sends LMv2 only
--
-- might need to set this to <code>v1</code> or <code>lm</code>, which are less secure but more compatible.
-----------------------------------------------------------------------
author = "Ron Bowes"
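Review bot: The new smbtype bullet list and the prose that follows it disagree on the option names. The list gives <code>v1</code>, <code>LMv1</code>, <code>NTLMv1</code>, <code>v2</code> and <code>LMv2</code>, but the prose recommends <code>lmv2</code> and <code>lm</code>; <code>lm</code> does not appear in the list at all, and <code>lmv2</code> differs in case from <code>LMv2</code>. Either change the prose to "<code>v2</code> or <code>LMv2</code>" and "<code>v1</code> or <code>LMv1</code>", or state explicitly that the values are case-insensitive and that <code>lm</code> is an accepted alias, so a user who copies a value from the text gets the authentication type they expect.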
@@ -111,8 +112,8 @@ end
-- against a modern system, but will succeed against Windows 2000.
--
--@param host The host object.
--@return (status, result) If status is false, result is an error string. Otherwise, result is
-- a list of all shares on a system.
--@return Status (true or false).
--@return List of shares (if status is true) or an an error string (if status is false).
local function samr_enum_shares(host)
local status, smbstate
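Review bot: Typo in the new second @return line: "or an an error string" should be "or an error string".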
@@ -147,10 +148,10 @@ end
---Attempts to connect to a list of shares as the anonymous user, returning which ones
-- it has and doesn't have access to.
--
--@param host The host object
--@param shares An array of shares to check
--@return (allowed_shares, denied_shares) Lists of shares we can and can't access,
-- but all of which exist.
--@param host The host object.
--@param shares An array of shares to check.
--@return List of shares we're allowed to access.
--@return List of shares that exist but are denied to us.
function check_shares(host, shares)
local smbstate
local i
@@ -214,8 +215,8 @@ end
-- administrative access.
--
--@param host The host object.
--@return (status, result) If status is false, result is an error string. Otherwise, result is
-- a list of all shares on a system.
--@return Status (true or false).
--@return List of shares (if status is true) or an an error string (if status is false).
local function get_share_info(host, name)
local status, smbstate
local response = {}
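Review bot: The updated doc comment for get_share_info(host, name) does not match the function. It documents only @param host although the signature also takes name, and it describes the success value as "List of shares" even though the function looks up information about the single share named by name. Add "--@param name The name of the share to query." and reword the @return to describe the share-info result; this hunk also repeats the "an an error string" typo from the samr_enum_shares comment above.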