status code text when the variable status is not
nil. This mimics the behavior of start_session_extended.
This should provide more reliable results to smb-brute
concerning the nature of login failure reasons.
More detail has been sent to the mailing list.
Used this perl command:
$ # perl -pi -e 's/string\.len\((.*?)\)/#\1/g' *.lua
Also fixed one instance where the above command didn't correctly
translate the intended code (string.len(a .. b .. c)).
ms-sql scripts and library:
- Improved version detection
- Improved server discovery
- Add support for named pipes
- Add support for integrated authentication
- Add support for connecting to instances by name or port
- Improved script and library stability
- Improved script and library documentation
[Patrik Karlsson, Chris Woodbury]
1) Set the 'vc' ('virtual circuit') id to a non-zero value (if it's 0, the smb server will disconnect all hosts who are already connected)
2) Handle the authentication error NT_STATUS_REQUEST_NOT_ACCEPTED, which indicates that there are too many connected hosts (11 is the default on most versions of Windows, or 10 for the anonymous account). If we see the error, we wait and try again.
3) Handle the file creation error, NT_STATUS_PIPE_NOT_AVAILABLE, which appears to be caused by a race condition of some sort. It happens when a large number of connections are attempted simultaneously, and is fixed by a short backoff (50ms worked fine, but I'm using 100ms)
The end result is a significant speedup in our SMB checks without losing data.
socket:connect(host.ip, port.number)
socket:connect(host.ip, port.number, port.protocol)
to this:
socket:connect(host, port)
connect can take host and port tables now, and the default protocol is
taken from the port table if possible.
o It no longer uses the global environment to store the modules table
o It now uses loadfile() to load the configuration files, which follows best practices better
o The module() line at the top of the configuration files is no longer required, but if it exists all that happens is a warning is printed
o Worked around what appears to be a bug in one person's Nmap install where absolute paths didn't resolve properly -- I couldn't replicate, but he confirmed it was fixed
* Updated the way authentication works on smb -- it's significantly cleaner now
* smb-enum-shares.nse gives significantly better output now (it checks if shares are writable)
* Added a script that checks if smbv2 is enabled on a server
* Added smb-psexec, a script for executing commands on a remote Windows server. I also included some default scripts, a compiled .exe to run everything, and a ton of documentation (in the form of NSEDoc)
* Added 'override' parameters to some of the functions in smb.lua, which lets the programmer override any field in an outgoing SMB packet without modifying smb.lua.
* Lots of random code cleanups in the smb-* scripts/libraries
check_globals script.
Commented-out two functions which are currently unused:
svcctl_Type_tostr() and svcctl_State_tostr()
and which call currently unavailable functions:
svcctl_Type_str() and svcctl_State_str()
(see http://seclists.org/nmap-dev/2009/q3/0194.html )
Often two (or more) scripts using the same library would
overwrite the globals each was using. This would result
in (at best) an error or (at worst) a deadlock.
The patch changes the global accesses to local.
line, not "\n\n", in the SMB and MSRPC scripts and modules. There are newer
versions of these files pending review, so this is just a quick measure to let
me use first paragraphs as summaries rather than first sentences.
