socket support to NSE, with updates in scripts and libraries.
o [NSE] Added the ability to send and receive on unconnected sockets.
This can be used, for example, to receive UDP broadcasts without
using pcap. A number of scripts have been changed so that they can
work as prerule scripts to discover services by UDP broadcasting,
optionally add the discovered targets to the scanning queue:
- ms-sql-info
- upnp-info
- dns-service-discovery
The nmap.new_socket function can now optionally take a default
protocol and address family, which will be used if the socket is not
connected. There is a new nmap.sendto function to be used with
unconnected UDP sockets. [David, Patrik]
http://seclists.org/nmap-dev/2010/q4/83
changed the way the library reports "Must change password at next logon"
fixed bug in ms-sql-hasdbaccess that would occur if no rows were returned
[Patrik]
and language lists can be set using new keys in the "options" table
argument. These all default to the same value used before. Also, the
required "cookie" argument is now replaced by an optional "cookie"
key in the "options" table, defaulting to random bytes as the RFC
says the value should be. [Kris]
Only ssh2's fetch_host_key() uses this function, but I'm working on
a script and noticed the design flaw regarding the cookie arg (scripts
shouldn't be required to always pass this when it's specified that its
value should be random). The rest was added because the default is
just a subset of algorithms offered across implementations.
set correctly.
1. Shift the low-order bits of fc by 20 bits, not 28, because fl is a
20-bit field.
2. Use a mask in host byte order to mask fl, which is also provided in
host byte order.
3. Swap | and & in combining fc and fl.
1) Set the 'vc' ('virtual circuit') id to a non-zero value (if it's 0, the smb server will disconnect all hosts who are already connected)
2) Handle the authentication error NT_STATUS_REQUEST_NOT_ACCEPTED, which indicates that there are too many connected hosts (11 is the default on most versions of Windows, or 10 for the anonymous account). If we see the error, we wait and try again.
3) Handle the file creation error, NT_STATUS_PIPE_NOT_AVAILABLE, which appears to be caused by a race condition of some sort. It happens when a large number of connections are attempted simultaneously, and is fixed by a short backoff (50ms worked fine, but I'm using 100ms)
The end result is a significant speedup in our SMB checks without losing data.
number to guarantee it's nonzero (which some target hosts require) rather
than looping for new random numbers.
* ICMP ID values are unimportant, as long as they are nonzero
* The original code to get random numbers was exactly duplicated (new variable,
comment, loop, even whitespace) in the same function, so using a single
variable set initially (albeit differently) simplifies duplication
shouldn't. Also, because of the use of ([...]*), captures can be too
long to fill into the template. This change forces hostname and
domain name to be non-empty. This match should be made more specific
but without example content any changes would involve guessing.
