The @xmloutput section documentation is not done, and I'm not sure how
to best do it, since it will be the same for all brute.lua scripts. This
is how it looks:
metasploit-msgrpc-brute:
<table key="Accounts">
<table>
<elem key="username">root</elem>
<elem key="state">Valid credentials</elem>
<elem key="password">root</elem>
</table>
</table>
<elem key="Statistics">Performed 3 guesses in 4 seconds, average tps: 0</elem>
creds-summary:
<table key="127.0.0.1">
<table key="9929/nping-echo">
<table>
<elem key="password">123456</elem>
<elem key="state">Valid credentials</elem>
</table>
</table>
<table key="55553/unknown">
<table>
<elem key="username">root</elem>
<elem key="state">Valid credentials</elem>
<elem key="password">root</elem>
</table>
</table>
</table>
In addition to fitting better (brute library is the verb, creds library
is the noun), this will allow creds.lua to use creds.Account internally
where necessary (see subsequent commits)
Also change old references to string argument "OPEN" into
creds.State.VALID.
This allows stdnse.keys to be used in a __pairs metamethod to, for
instance, yield keys in sorted order. Using next() bypasses the __pairs
metamethod that would be called when pairs() was used. Otherwise,
infinite recursion was possible.
1. export the comm.opencon function. Does all the connect/request
timeout, recv_before, and first data payload stuff that tryssl does, but
without trying SSL. Ought to save some boilerplate in some scripts
2. Make opencon use setup_connect instead of duplicating code.
3. Move a debug message about tryssl to tryssl from opencon
4. Transparently handle UDP in tryssl, in case someone does that. Debug
message about DTLS not being supported is printed, but otherwise just
connects with opencon. Previously, doing this would result in a
connection to the TCP version of the port, even if you passed in a port
table with port.protocol=="udp".
As reported by nnposter (http://seclists.org/nmap-dev/2014/q3/472) using
the rtt-based timeouts for read timeouts is not a good idea, since host
processing time can be considerably longer, especially for SSL
connections. comm.lua already allowed for different connect_ and
request_timeout values to reflect this truth, so this commit switches to
using the rtt-based timeout for the connect timeout and adding 6 seconds
to get the request timeout. This value is based on the totalwaitms value
in nmap-service-probes, and is still well short of the default 30s nsock
timeout.
Changes fall into these categories:
1. Avoid pathological string building. Loops over x = x .. "foo" can
become very slow. Instead, use strbuf.lua, table.concat, or just one
continuous concatenation; a = x .. y .. z is one operation, better than
a = x .. y; a = a .. z
2. Use hex-escaped strings instead of string.char. I find this more
readable in many cases, and it avoids a table lookup and function call.
3. Don't duplicate code. A few libraries and scripts had re-implemented
stdnse.generate_random_string or openssl.rand_bytes.
Mostly splitting function summaries (the first paragraph of NSEdoc) from
the body of the description to make the summary indexes shorter and
easier to scan.
Also fixed some unbalanced code tags like <code>foo</table>
Reported: http://seclists.org/nmap-dev/2014/q3/378
Changes the default timeout for rpc.lua from 30s to 5 times Nmap's
calculated host timeout or 10s if no timeout info is available.
ssh-hostkey was hitting an assertion failure when scanning OpenSSH 6.7.
The cause was a failure to check for a shared KEX algorithm. We just
assumed diffie-hellman-group1-sha1 would be supported, since RFC 4253
says it "MUST be supported". This adds support for group14, which is a
2048-bit modulus; key strength was likely the reason for dropping
group1. A more complete solution would be to support more KEX
algorithms, but that's beyond the scope of the bug report.
