there is one. Even though section 4.4 of RFC 2616 says that sending a
body in response to a HEAD request is a MUST NOT, pyllyukko sent me a
sample from a server that does--"LuCI - Lua Configuration Interface".
initial request to get a value stored in the Keep-Alive header, which is
the size of the pipeline. It then iterates, doignt hat many requests at
once until the list of requests is exhausted. The prbolem was that in
the first round, it didn't count its initial Keep-Alive probe. So if the
server said it was good for 40 requests, we would send 41 before closing
the connection. Even worse was when the initial probe returned a
"Connection: close"; the pipeline would try another request before
closing the connection for the first time.
failure. It happened when there was an error getting the a response
at the beginning of a batch in http.pipeline. The symptoms of the
bug were:
NSE: Received only 0 of 1 expected reponses.
Decreasing max pipelined requests to 0.
NSOCK (0.1870s) Write request for 0 bytes...
nmap: nsock_core.c:516: handle_write_result: Assertion `bytesleft > 0' failed.
The error was reported by Brandon Enright and pyllyukko.
parsing mostly. Response parsing is centralized, and fewer operations
are done on raw HTTP data.
The biggest user-visible change is that http.request goes back to
returning a parsed result table, not raw HTTP data. I believe this is
how the function worked in the past; it's what the NSEDoc for the
function says. The only thing that used http.request was citrixxml.lua,
and this commit alters it to match the new expectations.
The other change is that the http.pipeline function no longer accepts
the "raw" option. The only script that used that was sql-injection.nse,
and this commit modifies that script as well.
HEAD request. This makes it look like the response to the HEAD request
has a body. As a result, http-enum can wrongly surmise that HEAD
requests don't work when it hits a cache entry while testing HEAD.
# nmap --script=http-date,http-enum -PN -p 80 -d2
NSE: NSE Script Threads (2) running:
NSE: Final http cache size (373 bytes) of max size of 1000000
NSE: HTTP: Host returns proper 404 result.
NSE: Final http cache size (1905 bytes) of max size of 1000000
NSE: Finished 'http-date' (thread: 0x8535a40).
NSE: HTTP: Warning: Host returned data when performing HEAD.
NSE: Checking if a GET request is going to work out
After this change:
NSE: NSE Script Threads (2) running:
NSE: Final http cache size (373 bytes) of max size of 1000000
NSE: HTTP: Host returns proper 404 result.
NSE: Final http cache size (1905 bytes) of max size of 1000000
NSE: Finished 'http-date' (thread: 0x8e75b00).
NSE: Final http cache size (1905 bytes) of max size of 1000000
NSE: HTTP: Host supports HEAD.
the code just took each value mod 256 and stored it as a single byte.
The OID 1.3.1000.5 would encode as follows
tag len 1.3 1000%256 5
06 03 2b e8 05
What you're supposed to do is break each value into 7-bit chunks, and
set the high bit in every octet but the last. Now it is correctly
encoded as
tag len 1.3 1000 5
06 04 2b 8768 05
The length also would not have been correct for lengths over 127, and
that is fixed also.
1) I wrote a function that formats output from scripts in a consistent way. Although we haven't really come to a concensus on how it should look yet, it's easy to change when we do.
2) New script: smb-enum-groups.nse. Enumerate the local groups on a system and their membership.
now a script is limited in parallelism to working on one socket at any
time. A script can now create a worker thread that will be capable of
doing work on sockets in parallel with the parent script. See [1] for
more information.
This patch also comes with condition variables that are similar to
POSIX condition variables. They are used in the same fashion as
NSE's mutexes (nmap.mutex).
[1] http://seclists.org/nmap-dev/2009/q4/294
* Updated the way authentication works on smb -- it's significantly cleaner now
* smb-enum-shares.nse gives significantly better output now (it checks if shares are writable)
* Added a script that checks if smbv2 is enabled on a server
* Added smb-psexec, a script for executing commands on a remote Windows server. I also included some default scripts, a compiled .exe to run everything, and a ton of documentation (in the form of NSEDoc)
* Added 'override' parameters to some of the functions in smb.lua, which lets the programmer override any field in an outgoing SMB packet without modifying smb.lua.
* Lots of random code cleanups in the smb-* scripts/libraries
