Re: [NSE] MSRPC Libraries (stable, I hope!)

[Ron <ron () skullsecurity net>]

David Fifield wrote:
> On Thu, Oct 30, 2008 at 08:47:36PM -0500, Ron wrote:
>
> Looks good to me. I don't see any reason not to merge these new
> improvements. What follows is a few suggestions I thought of while
> reviewing the code.
Cool! I was waiting for Brandon to get back in town, since he is the one 
that found some nasty bugs before. But now that he's back, he's 
confirmed that, while it still doesn't work properly, it fails 
gracefully, which is what I was going for.

I'll talk to you off the list about merging.

> Let me suggest a way to make the error handling more concise. There are
> a lot of places in the code that say
>
>         if(nmap.debugging() > 0) then
>                 return "ERROR: " .. msg
>         else
>                 return nil
>         end
>
> You could define a function to encapsulate this common pattern:
>
>         local function err(msg)
>                 if nmap.debugging() > 0 then
>                         return "ERROR: " .. msg
>                 else
>                         return nil
>                 end
>         end
>
> Then the code in case of error would be simply
>
>         return err(msg)
Good point. I sort of added that quick, and didn't put a lot of thought 
into it, but your way makes more sense. I'll add it later, don't want to 
risk breaking anything right now.

> I think I have an answer to this question in nselib/smb.lua:
>
>         -- If the name wasn't found in the array, do a linear search on it (TODO: Why is this happening??)
>
> It's because the table near the bottom should be called status_codes,
> not status_names (compare command_codes immediately above). As it is,
> you never fill in the table status_codes, and the table status_names
> holds what status_codes should hold.
Heh, oops. That's one of those stupid mistakes I was fighting with and 
eventually conceded defeat. :)

> smb-enumsessions.nse gives a wrong answer when I use a guest user. It
> says nobody is logged in even when someone is:
>
> $ ./nmap --datadir=. --script=smb-enumsessions.nse -PN -F --script-args smbguest=1 192.168.0.190
> ...
> Host script results:
> |  MSRPC: NetSessEnum():
> |  Users logged in:
> |  |_ <nobody>
> |_ ERROR: Couldn't enumerate network sessions: NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netsessenum)
>
> Compare that with the results with an authenticated user:
>
> $ ./nmap --datadir=. --script=smb-enumsessions.nse -PN -F --script-args smbuser=jrandom,smbpass=jrandom 192.168.0.190
> ...
> Host script results:
> |  MSRPC: NetSessEnum():
> |  Users logged in:
> |  |_ MAC-MINI\david since 2008-11-03 10:06:41
> |  Active SMB Sessions:
> |_ |_ JRANDOM is connected from 192.168.0.21 for [just logged in, it's probably you], idle for [not idle]
>
> The problem is the <nobody> in the first output. Is this just a case of
> Windows lying to the guest user? If so, that's understandable, it just
> needs to be documented in the script.
Oops, that one's a problem with error handling. If an error is returned, 
it still tries to print the empty list. That should probably be fixed, 
but I won't be able to until tomorrow.

Ron


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org