Nmap Development mailing list archives
Re: [NSE RFC] MS RPC libraries
From: David Fifield <david () bamsoftware com>
Date: Tue, 30 Sep 2008 12:33:56 -0600
On Sat, Sep 27, 2008 at 04:00:31PM -0500, Ron wrote:
I've put a significant amount of work into my Nmap scripts, and I finally have a new version to show for it. I added a whole bunch of functionality for making RPC calls against Windows. Currently, it only works against Windows 2000 (since only Windows 2000 allows NULL sessions), but the next thing I'm going to work on is authentication.
It's great to see so much development going on in this area. As usual, the code looks good and the documentation is outstanding. I tried the new scripts against a Windows XP machine, but all I got was

Host script results:
|_ MSRPC: List of user accounts: ERROR: NT_STATUS_ACCESS_DENIED
|_ MSRPC: NetShareEnumAll(): ERROR: NT_STATUS_ACCESS_DENIED
|_ MSRPC: List of user accounts: ERROR: NT_STATUS_ACCESS_DENIED
|_ MSRPC: List of domains: ERROR: NT_STATUS_ACCESS_DENIED

as you mentioned. I would like to hear from others who can try them against suitable machines. To install the scripts, download nmap-smb_tgz from http://seclists.org/nmap-dev/2008/q3/1007.html, then

cd nmap
tar xzf --strip-path 1 ../nmap-smb_tgz
make install
nmap --script-updatedb
nmap --script=smb-msrpc-bruteusers.nse,smb-msrpc-enumdomains.nse,smb-msrpc-enumshares.nse,smb-msrpc-enumusers.nse <target>

Here are my observations and suggestions for the new scripts and libraries.

Currently the four new scripts (smb-msrpc-bruteusers.nse, smb-msrpc-enumdomains.nse, smb-msrpc-enumshares.nse, smb-msrpc-enumusers.nse) work only against Windows 2000. Is that because of a lack of authentication? Will all four work against other versions of Windows when authentication is in place?

Can you summarize the amount of overlap between all the new SMB/NetBIOS/MSRPC scripts? There are

nbstat.nse
smb-enum.nse
smb-msrpc-bruteusers.nse
smb-msrpc-enumdomains.nse
smb-msrpc-enumshares.nse
smb-msrpc-enumusers.nse
smb-os-discovery.nse
smb-security-mode.nse

It appears to me that smb-enum, smb-msrpc-bruteusers, and smb-msrpc-enumusers all enumerate users, for example, though they do it in different ways. Is there a way scripts with the same purpose could be combined into one, and the total number of scripts reduced? I don't know anything about these protocols. If I wanted a list of users, I wouldn't know which script to pick.
It looks like this comment didn't get changed with the code:

-- It's possible that the mutex wouldn't be created if there was an error condition. Therefore,
-- I'm calling 'trylock' first to ensure we have a lock on it. I'm not sure if that's the best
-- way to do this, though...
- mutex "trylock"
+ stdnse.print_debug(3, "SMB: Attempting to release SMB mutex (4)")
 mutex "done"
+ stdnse.print_debug(3, "SMB: SMB mutex released (4)")

I would prefer to see the smbconstants.lua code folded into smb.lua, rather than being its own module. All the constants could be entered into a table, so instead of typing smbconstants.SMB_COM_NEGOTIATE you would type smb.constants.SMB_COM_NEGOTIATE. Or the SMB_COM_* and NT_STATUS_* constants could be broken into different tables.

About half the length of smbconstants.lua is the long if..elseif in error_to_string. It could be made much shorter by having it use an inverse table. If you have a table mapping names to numbers, you just turn it around to map numbers to names. There's an example of creating an inverse table at http://www.lua.org/pil/4.3.5.html. There's something similar in msrpc.lua.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
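Review bot: the three comment lines still explain that 'trylock' is called first "to ensure we have a lock on it", but the hunk deletes the `mutex "trylock"` line and leaves `mutex "done"` unconditional, so the comment no longer describes the code beneath it. Either rewrite the comment to describe the plain release, or, if the error condition the comment worries about can still reach this point without the lock being held, keep a guard rather than just the comment. The two `stdnse.print_debug(3, ...)` lines bracketing the release are fine; the "(4)" marker would be easier to trace if it named the function or step it belongs to.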
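The table layout and inverse-table lookup David suggests, as an added example in Lua; this is not code from Ron's nmap-smb tarball or from Nmap's smb.lua, and the module name, the smb.command / smb.status field names and the handful of constant values shown are illustrative rather than the full set a real module would carry.

```lua
-- Added example, not code from Ron's nmap-smb tarball or Nmap's smb.lua.
-- Sketch of the layout suggested above: constants live in tables inside one
-- smb module, and error_to_string becomes a lookup in an inverted table
-- instead of a long if..elseif chain. Names here are illustrative.
local smb = {}

-- SMB command codes, name -> number. Four sample entries; a real module
-- would hold every SMB_COM_* value.
smb.command = {
  SMB_COM_NEGOTIATE          = 0x72,
  SMB_COM_SESSION_SETUP_ANDX = 0x73,
  SMB_COM_LOGOFF_ANDX        = 0x74,
  SMB_COM_TREE_CONNECT_ANDX  = 0x75,
}

-- NT_STATUS codes, name -> number. Keep one canonical name per value:
-- if two names map to the same number, the inverse keeps whichever one
-- pairs() happens to visit last, silently.
smb.status = {
  NT_STATUS_OK               = 0x00000000,
  NT_STATUS_ACCESS_DENIED    = 0xC0000022,
  NT_STATUS_LOGON_FAILURE    = 0xC000006D,
  NT_STATUS_BAD_NETWORK_NAME = 0xC00000CC,
}

-- Build number -> name from name -> number (the PiL section 4.3.5 idiom).
-- The duplicate check turns a silent overwrite into a load-time error.
local function invert(t)
  local inv = {}
  for name, value in pairs(t) do
    if inv[value] ~= nil then
      error(string.format("constants %s and %s share value %s",
                          inv[value], name, tostring(value)))
    end
    inv[value] = name
  end
  return inv
end

local status_name  = invert(smb.status)
local command_name = invert(smb.command)

-- Replacement for the if..elseif error_to_string: a single table lookup,
-- with a readable fallback for codes the table does not list.
function smb.error_to_string(code)
  return status_name[code] or ("UNKNOWN_STATUS_" .. tostring(code))
end

function smb.command_to_string(cmd)
  return command_name[cmd] or ("UNKNOWN_COMMAND_" .. tostring(cmd))
end

-- Usage: check that the inverse round-trips every forward entry, then map
-- a status a script got back (and one the sample table lacks) to a name.
for name, value in pairs(smb.status) do
  assert(smb.error_to_string(value) == name, "inverse table mismatch for " .. name)
end
print(smb.error_to_string(smb.status.NT_STATUS_ACCESS_DENIED))
print(smb.error_to_string(0xC0000001))
print(smb.command_to_string(smb.command.SMB_COM_NEGOTIATE))

return smb
```

The round-trip loop at the end is the check worth keeping when the real constant tables are large: it catches a value that was mistyped in the forward table and a pair of aliases that collide, both of which an if..elseif chain would let through unnoticed.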
Current thread:
- [NSE RFC] MS RPC libraries Ron (Sep 27)
- Re: [NSE RFC] MS RPC libraries David Fifield (Sep 30)
- Re: [NSE RFC] MS RPC libraries Ron (Sep 30)
- Re: [NSE RFC] MS RPC libraries David Fifield (Sep 30)