Haven't seen this, and it shouldn't happen, but it's possible for a
server to send the same protocol version in the record, but a different
one in the body. This wouldn't be valid, so we should reject it.
If service scan failed to find a match, the probe responses are cached.
Now http-server-header will look through those responses before sending
a probe of its own. This should result in better detection with fewer
probes sent.
Also changed the Server header string match to case-insensitive.
The @xmloutput section documentation is not done, and I'm not sure how
to best do it, since it will be the same for all brute.lua scripts. This
is how it looks:
metasploit-msgrpc-brute:
<table key="Accounts">
<table>
<elem key="username">root</elem>
<elem key="state">Valid credentials</elem>
<elem key="password">root</elem>
</table>
</table>
<elem key="Statistics">Performed 3 guesses in 4 seconds, average tps: 0</elem>
creds-summary:
<table key="127.0.0.1">
<table key="9929/nping-echo">
<table>
<elem key="password">123456</elem>
<elem key="state">Valid credentials</elem>
</table>
</table>
<table key="55553/unknown">
<table>
<elem key="username">root</elem>
<elem key="state">Valid credentials</elem>
<elem key="password">root</elem>
</table>
</table>
</table>
In addition to fitting better (brute library is the verb, creds library
is the noun), this will allow creds.lua to use creds.Account internally
where necessary (see subsequent commits)
Also change old references to string argument "OPEN" into
creds.State.VALID.
Added use of stdnse.parse_timespec for timeout args. Used comm.lua
default timeouts in a couple cases. Corrected 2 cases of incorrect
documentation ("Default 60" when the default was 30 seconds).
1. Use "softmatched" to let Nmap print the service fingerprint for the
user to submit.
2. Run even if version detection got a good match. This allows it to be
run by-name, or to provide additional info if available. Existing match
will not be clobbered, though.
3. Use comm.lua's default timeouts. Also, no need to pass port.protocol,
since comm.tryssl will use the port table directly.
4. XML output
There's no reason we can't use other verbs besides GET and POST. Other
verbs are handled like GET requests (parameters in the URI string). Any
redirect responses will be followed with GET requests, though.
Changes fall into these categories:
1. Avoid pathological string building. Loops over x = x .. "foo" can
become very slow. Instead, use strbuf.lua, table.concat, or just one
continuous concatenation; a = x .. y .. z is one operation, better than
a = x .. y; a = a .. z
2. Use hex-escaped strings instead of string.char. I find this more
readable in many cases, and it avoids a table lookup and function call.
3. Don't duplicate code. A few libraries and scripts had re-implemented
stdnse.generate_random_string or openssl.rand_bytes.
The logic:
byte12 == ("03" or "04")
is the same as:
byte12 == "03"
so the second comparison was never able to succeed.
Additionally, some expressions were simplified, such as not formatting
numbers into strings in order to compare them.
$ svn merge -r r33518:r33513 .
and removed added scripts to the script.db.
The branch needs further refinement/testing for Windows and Mac before merging
into the trunk. There is also the latent EOF bug which is giving performance
issues.
Further work on the branch will continue in Devin's latest branch:
/nmap-exp/devin/nmap-libssh2
