Change to smb-os-discovery to enable it to augment SMB version detection. Closes #348

CHANGELOG

@@ -1,5 +1,9 @@
 # Nmap Changelog ($Id$); -*-text-*-
 
+o [NSE] Update to enable smb-os-discovery to augment version detection
+  for certain SMB related services using data that the script discovers.
+  [Tom Sellers]
+
 o Improved version detection and descriptions for Microsoft and Samba
   SMB services. Also addresses certain issues with OS identification. 
   [Tom Sellers]

nselib/smb.lua

@@ -3279,6 +3279,7 @@ end
 -- * <code>date</code>: <code>"2012-09-08 09:24:30"</code>
 -- * <code>timezone</code>: <code>-7</code>
 -- * <code>timezone_str</code>: <code>UTC-7</code>
+-- * <code>port</code>: <code>445</code>
 -- The table may also contain these additional keys:
 -- * <code>fqdn</code>: <code>"Sql2008.lab.test.local"</code>
 -- * <code>domain_dns</code>: <code>"lab.test.local"</code>
@@ -3312,6 +3313,7 @@ function get_os(host)
   response['time']         = smbstate['time']
   response['timezone_str'] = smbstate['timezone_str']
   response['timezone']     = smbstate['timezone']
+  response['port']         = smbstate['port']
 
   -- Kill SMB
   stop(smbstate)

scripts/smb-os-discovery.nse

@@ -29,6 +29,9 @@ Other systems (like embedded printers) will simply leave out the information. Ot
 systems will blank out various pieces (some will send back 0 for the current
 time, for example).
 
+If this script is used in conjunction with version detection it can augment the
+standard nmap version detection information with data that this script has discovered.
+
 Retrieving the name and operating system of a server is a vital step in targeting
 an attack against it, and this script makes that retrieval easy. Additionally, if
 a penetration tester is choosing between multiple targets, the time can help identify
@@ -186,9 +189,27 @@ action = function(host)
   end
   add_to_output(output_lines, "System time", response.date or "Unknown")
 
-  return response, stdnse.format_output(true, output_lines)
+  -- Augment service version detection
+  if result.port and response.lanmanager then
+    local proto
+    if result.port == 445 or result.port == 139 then
+      proto = 'tcp'
+    else
+      proto = 'udp'
     end
 
+    local port = nmap.get_port_state(host,{number=result.port,protocol=proto})
 
+    local version, product
+    if string.match(response.lanmanager,"^Samba ") then
+      port.version.product = 'Samba smbd'
+      port.version.version = string.match(response.lanmanager,"^Samba (.*)")
+      nmap.set_port_version(host,port)
+    elseif smb.get_windows_version(response.os) then
+      port.version.product = string.format("%s %s",smb.get_windows_version(response.os), port.version.name)
+      nmap.set_port_version(host,port)
+    end
+  end
 
-
+  return response, stdnse.format_output(true, output_lines)
+end