Nmap Development mailing list archives

Re: [NSE] Check for MS06-025 vulnerability in Microsoft RRAS service

From: David Fifield <david () bamsoftware com>
Date: Wed, 2 Jun 2010 09:19:21 -0600

On Wed, Jun 02, 2010 at 12:57:11PM +0200, Dražen Popović wrote:
> On Wed, 2010-06-02 at 00:22 +0000, Richard Miles wrote:
> > Thanks for the update. Nice to know that it works with a limited account.
> >
> > Maybe the exploitation failed with null session because you used
> > router as a pipe. Have you tested others?
>
> This service can be accessed across the "router" pipe, according to the
> protocol specification. But on WinXP this service is also accessible
> across the "srvsvc" pipe, which is accessible for everyone with access
> to port 445.
>
> Question for nmap-dev:
>   To add one script argument such as "smbpipe", or to add some code
> that determines the remote OS (results from nmap os fingerprint or
> smb-os-discovery) and chooses the pipe accordingly?

Ideally, the script makes the decision on a per-host basis. So if one
host is better using "router" and one is better using "srvsvc", they
both get the best option. Something you could do is just try both
options every time. Or if you have results from smb-os-discovery, use
that as a heuristic to choose the right one. (Sort of like how our
comm.tryssl function always tries SSL first if it's a common SSL port or
version detection has found SSL.)

An smbpipe argument is reasonable, but it probably won't be used much
except by very knowledgeable users. Also, as we don't have a way to set
script arguments per-host, it would be the setting for every host.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
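The per-host selection David describes, as an added example that is not code from nmap or from anyone in this thread. It orders the candidate pipes per host (srvsvc first when the host looks like Windows XP, router first otherwise, a global smbpipe override modelled as `forced`) and falls back through the alternatives. Assumptions: the pipe names `\router` and `\srvsvc` are used as the thread names them; `host.os` is read as the NSE API's array of `{name=..., classes=...}` OS matches from `-O`; the `connect` callback stands in for the msrpc.start_smb()/msrpc.bind() calls a real script would make; the three hosts are constructed for the demo. It is plain Lua and runs under a standalone interpreter.

```lua
-- Added example (not nmap's own code): pick the SMB named pipe per host and
-- fall back through the alternatives, following the "try both / use
-- smb-os-discovery as a heuristic" suggestion in the thread.
-- Plain Lua 5.1+. In an NSE script `connect` would wrap
-- msrpc.start_smb()/msrpc.bind() (assumption: that wiring is not shown).

local ROUTER = "\\router"  -- the pipe the protocol specification names
local SRVSVC = "\\srvsvc"  -- on WinXP also reachable by anyone with port 445 access

-- Extract an OS name for a host. Prefers the string smb-os-discovery would
-- report (passed in as `smb_os`); otherwise falls back to host.os, which the
-- NSE API fills from -O as an array of {name=..., classes=...} matches
-- (assumption about the field layout). Returns nil when nothing is known.
local function os_name(host, smb_os)
  if smb_os and smb_os ~= "" then return smb_os end
  if host.os then
    for _, match in ipairs(host.os) do
      if match.name then return match.name end
    end
  end
  return nil
end

-- Per-host pipe order. `forced` models a global `smbpipe` script argument:
-- NSE cannot set arguments per host, so a forced pipe applies to every host
-- and bypasses the heuristic entirely.
local function pipe_order(host, smb_os, forced)
  if forced then return { forced } end
  local name = os_name(host, smb_os)
  if name and name:lower():find("windows xp", 1, true) then
    return { SRVSVC, ROUTER }   -- XP: the pipe open to everyone first
  end
  return { ROUTER, SRVSVC }     -- everything else: the spec's pipe first
end

-- Try each pipe until one works. `connect(pipe)` returns true, or false plus
-- an error string. On success returns true and the pipe used; on total
-- failure returns false and the joined per-pipe errors so the script can
-- surface them at debug level.
local function try_pipes(pipes, connect)
  local errors = {}
  for _, pipe in ipairs(pipes) do
    local ok, err = connect(pipe)
    if ok then return true, pipe end
    errors[#errors + 1] = pipe .. ": " .. tostring(err)
  end
  return false, table.concat(errors, "; ")
end

-- Constructed hosts standing in for NSE host tables; `reachable` models which
-- pipes a null session can open on each box (made up for this demo).
local hosts = {
  { ip = "10.0.0.5", os = { { name = "Microsoft Windows XP SP2" } },
    reachable = { [SRVSVC] = true } },
  { ip = "10.0.0.6", os = { { name = "Microsoft Windows Server 2003" } },
    reachable = { [ROUTER] = true, [SRVSVC] = true } },
  { ip = "10.0.0.7", os = nil, reachable = {} },
}

for _, host in ipairs(hosts) do
  -- Stand-in for the real SMB connect + DCERPC bind against one pipe.
  local function connect(pipe)
    if host.reachable[pipe] then return true end
    return false, "STATUS_ACCESS_DENIED"
  end
  local ok, result = try_pipes(pipe_order(host, nil, nil), connect)
  if ok then
    print(host.ip .. ": bound over " .. result)
  else
    print(host.ip .. ": no usable pipe (" .. result .. ")")
  end
end
```

Passing a value for `forced` (the smbpipe argument) collapses the order to that single pipe for every host, which is exactly the limitation of a global script argument that David points out; leaving it nil lets each host get the order its OS suggests while still trying the other pipe if the first one is refused.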
