New script ftp-syst

2026-01-07 06:59:03 +00:00 · 2017-07-26 19:34:25 +00:00
parent 71c74770d0
commit f17ac01db5
3 changed files with 78 additions and 0 deletions
--- a/scripts/ftp-syst.nse
+++ b/scripts/ftp-syst.nse
@@ -0,0 +1,71 @@
+local ftp = require "ftp"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local string = require "string"
+local table = require "table"
+
+description = [[
+Sends an FTP SYST command and returns the result.
+
+The canonical response of "UNIX Type: L8" is stripped or ignored, since it is meaningless.
+
+References:
+* https://cr.yp.to/ftp/syst.html
+]]
+
+author = "Daniel Miller"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"default", "discovery", "safe"}
+
+---
+-- @output
+-- |_ftp-syst: UNIX MikroTik 6.39.2
+
+portrule = shortport.port_or_service({21,990}, {"ftp","ftps"})
+
+action = function(host, port)
+  local socket, code, message, buffer = ftp.connect(host, port)
+  if not socket then
+    stdnse.debug1("Couldn't connect: %s", code or message)
+    return nil
+  end
+  if code and code ~= 220 then
+    stdnse.debug1("banner code %d %q.", code, message)
+    return nil
+  end
+
+  local auth_done = false
+  ::TRY_AGAIN::
+  if not socket:send("SYST\r\n") then
+    return nil
+  end
+  code, message = ftp.read_reply(buffer)
+  if not code then
+    stdnse.debug1("SYST error: %s", message)
+    return nil
+  end
+  if code == 215 then
+    local stripped = message:gsub("^UNIX Type: L8 *", "")
+    if stripped ~= "" then
+      return stripped
+    else
+      return nil
+    end
+  elseif code < 300 then
+    return ("%d %s"):format(code, message)
+  elseif not auth_done and -- we haven't tried logging in yet
+    ( code == 503 -- Command SYST not accepted during Connected
+      or code == 521 -- Not logged in - Secure authentication required
+      or (code % 100) // 10 == 3 -- x3x codes are auth-related
+      ) then
+    -- Try logging in
+    local status, code, message = ftp.auth(socket, buffer, "anonymous", "IEUser@")
+    if status then
+      auth_done = true
+      goto TRY_AGAIN
+    end
+  end
+
+  ftp.close(socket)
+
+end
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -127,6 +127,7 @@ Entry { filename = "ftp-bounce.nse", categories = { "default", "safe", } }
 Entry { filename = "ftp-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "ftp-libopie.nse", categories = { "intrusive", "vuln", } }
 Entry { filename = "ftp-proftpd-backdoor.nse", categories = { "exploit", "intrusive", "malware", "vuln", } }
+Entry { filename = "ftp-syst.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "ftp-vsftpd-backdoor.nse", categories = { "exploit", "intrusive", "malware", "vuln", } }
 Entry { filename = "ftp-vuln-cve2010-4221.nse", categories = { "intrusive", "vuln", } }
 Entry { filename = "ganglia-info.nse", categories = { "default", "discovery", "safe", } }