If service scan failed to find a match, the probe responses are cached.
Now http-server-header will look through those responses before sending
a probe of its own. This should result in better detection with fewer
probes sent.
Also changed the Server header string match to case-insensitive.
The @xmloutput section documentation is not done, and I'm not sure how
to best do it, since it will be the same for all brute.lua scripts. This
is how it looks:
metasploit-msgrpc-brute:
<table key="Accounts">
<table>
<elem key="username">root</elem>
<elem key="state">Valid credentials</elem>
<elem key="password">root</elem>
</table>
</table>
<elem key="Statistics">Performed 3 guesses in 4 seconds, average tps: 0</elem>
creds-summary:
<table key="127.0.0.1">
<table key="9929/nping-echo">
<table>
<elem key="password">123456</elem>
<elem key="state">Valid credentials</elem>
</table>
</table>
<table key="55553/unknown">
<table>
<elem key="username">root</elem>
<elem key="state">Valid credentials</elem>
<elem key="password">root</elem>
</table>
</table>
</table>
In addition to fitting better (brute library is the verb, creds library
is the noun), this will allow creds.lua to use creds.Account internally
where necessary (see subsequent commits)
Also change old references to string argument "OPEN" into
creds.State.VALID.
This allows stdnse.keys to be used in a __pairs metamethod to, for
instance, yield keys in sorted order. Using next() bypasses the __pairs
metamethod that would be called when pairs() was used. Otherwise,
infinite recursion was possible.
Added use of stdnse.parse_timespec for timeout args. Used comm.lua
default timeouts in a couple cases. Corrected 2 cases of incorrect
documentation ("Default 60" when the default was 30 seconds).
1. Use "softmatched" to let Nmap print the service fingerprint for the
user to submit.
2. Run even if version detection got a good match. This allows it to be
run by-name, or to provide additional info if available. Existing match
will not be clobbered, though.
3. Use comm.lua's default timeouts. Also, no need to pass port.protocol,
since comm.tryssl will use the port table directly.
4. XML output
Previously, calling nmap.set_port_version would delete a service
fingerprint if it existed. Now, setting probestate to anything but
"hardmatched" will preserve the fingerprint, if it exists. This allows
scripts (like http-server-header) to use "softmatched" to set version
info but still encourage users to submit fingerprints.
1. export the comm.opencon function. Does all the connect/request
timeout, recv_before, and first data payload stuff that tryssl does, but
without trying SSL. Ought to save some boilerplate in some scripts
2. Make opencon use setup_connect instead of duplicating code.
3. Move a debug message about tryssl to tryssl from opencon
4. Transparently handle UDP in tryssl, in case someone does that. Debug
message about DTLS not being supported is printed, but otherwise just
connects with opencon. Previously, doing this would result in a
connection to the TCP version of the port, even if you passed in a port
table with port.protocol=="udp".
As reported by nnposter (http://seclists.org/nmap-dev/2014/q3/472) using
the rtt-based timeouts for read timeouts is not a good idea, since host
processing time can be considerably longer, especially for SSL
connections. comm.lua already allowed for different connect_ and
request_timeout values to reflect this truth, so this commit switches to
using the rtt-based timeout for the connect timeout and adding 6 seconds
to get the request timeout. This value is based on the totalwaitms value
in nmap-service-probes, and is still well short of the default 30s nsock
timeout.
There's no reason we can't use other verbs besides GET and POST. Other
verbs are handled like GET requests (parameters in the URI string). Any
redirect responses will be followed with GET requests, though.
std::list::size() was hanging because list traversal was broken for this
particular static list (timedout_hops). Could not reproduce with a small
test program, but another AIX user confirmed. Exhausted other options
before switching it to dynamic allocation (of the list itself, not the
elements, which are always dynamically allocated), which somehow
bypasses the problem.
Doesn't matter on most platforms because our own object (.o) files
require the symbols from libnbase, so all of them have been linked by
the time libnsock is encountered, but vasprintf and asprintf were
causing problems on platforms that need the versions defined in
libnbase.
This chunk of code in read_replies was generating valgrind errors
because reply.ttl was uninitialized:
if (host->state == HostState::COUNTING_DOWN) {
/* If this probe was past the target, skip ahead to what we think the
actual distance is. */
int distance = get_initial_ttl_guess(reply.ttl) - reply.ttl + 1;
if (distance > 0 && distance < host->current_ttl)
host->current_ttl = MIN(distance, MAX_TTL);
}
My compiler was setting the initial value to 0, which meant that
distance was always 33, clearly wrong. Setting reply.ttl in decode_reply
silences the error and causes distance to be more accurate.
This was a hassle to support on AIX (several broken implmentations) and
the move to a more portable solution (using autoconfig macros) was also
troublesome. Upon review, nse_fs.cc only uses directory and link
functions, so large files support shouldn't matter. Stripping it out.
nse_fs.cc was forcing large files support, and it was broken on AIX due
to this GCC bug: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=20366
Now we let autoconf handle setting the appropriate defines, and also
check for this particular bug before defining.
