Nmap Development mailing list archives

Re: [NSE] nfs-ls script feedbacks, was: [nmap-svn] r17816 - nmap-exp/djalal/scripts


From: Djalal Harouni <tixxdz () gmail com>
Date: Thu, 10 Jun 2010 20:13:56 +0100

On 2010-06-07 16:18:09 -0700, Fyodor wrote:
On Thu, Jun 03, 2010 at 05:15:56PM -0700, commit-mailer () insecure org wrote:
Author: djalal

Log:
Default action now for nfs-ls script is to list NFS exports with their access controls.

Modified:
   nmap-exp/djalal/scripts/nfs-ls.nse

Modified: nmap-exp/djalal/scripts/nfs-ls.nse
==============================================================================
--- nmap-exp/djalal/scripts/nfs-ls.nse      (original)
+++ nmap-exp/djalal/scripts/nfs-ls.nse      Thu Jun  3 17:15:56 2010
@@ -6,25 +6,21 @@
 -- @output
 -- PORT    STATE SERVICE
 -- 111/tcp open  rpcbind
--- | nfs-ls:  
--- |   /home/storage/backup (1)
--- |     www.cqure.net
--- |   /home (5)
--- |     admin
--- |     lost+found
--- |     patrik
--- |     storage
--- |_    web
+-- | nfs-ls:
+-- |   /tmp
+-- |     mode: drwxrwxrwx  uid: 0  gid: 0
+-- |   /home/storage/backup
+-- |_    mode: drwxr-xr-x  uid: 0  gid: 0
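
Review bot: The @output sample written here (one "mode: ... uid: ... gid: ..." line per export) already differs from the output pasted further down in this thread, which prints a full per-export file listing with size and mactime plus a verbose-only "Arguments:" block; update the @output block in the same change so the script documentation tracks what the script actually prints, and note there that the "Arguments:" lines appear only in verbose mode.
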
Hi,

I've committed some patches to the rpc.lua and nfs-ls code.

The current output of the script is:

PORT    STATE SERVICE
111/tcp open  rpcbind
| nfs-ls:
|   Arguments:
|     maxfiles: 10 (file listing output limited), time = atime
|   NFS Export /tmp:
|       drwxrwxrwx  uid:     0  gid:     0    4.0K  Jun 06 18:20:42 2010 /tmp
|       srwxr-xr-x  uid:     0  gid:     0    0.0B  Jun 10 10:08:28 2010 wpa_ctrl_22880-1
|   NFS Export /home/storage/backup:
|       drwxr-xr-x  uid:  1000  gid:   100    4.0K  Jun 10 11:42:41 2010 /home/storage/backup
|       -rw-r--r--  uid:  1000  gid:  1002    0.0B  Jun 10 08:34:32 2010 filetest
|       drwx------  uid:  1000  gid:   100   16.0K  Feb 05 17:05:34 2010 lost+found
|       drwxrwxr-x  uid:  1000  gid:   100    4.0K  Mar 27 19:08:40 2010 net_packet
|       -rw-r--r--  uid:     0  gid:     0    5.0B  Jun 10 11:32:59 2010 rootfile
|_      lrwxrwxrwx  uid:  1000  gid:  1002    8.0B  Jun 10 08:34:59 2010 symlink


These lines:
|   Arguments:
|     maxfiles: 10 (file listing output limited), time = atime
are only shown if verbose mode is used.

This new script uses the ReadDirPlus procedure, so for the moment there
is only support for NFSv3.
Also, recursion through directories is being implemented.

The attributes shown by this script are the local system's file
attributes as returned by the GETATTR, READDIRPLUS, etc. procedures.
These permissions may differ from the NFS permissions which are defined
in /etc/exports, so even if you can mount an export as uid 1000 and
GETATTR shows that uid 1000 has read/write access, you can't modify
the system if it is exported ro (read-only) by NFS exportfs.
To determine the current access rights of the user who mounted the
remote NFS export point we must use the ACCESS procedure coupled with a
bit mask of the permissions to check.

The current script takes two arguments:
nfs-ls.maxfiles: takes a number to limit the amount of file listing.
nfs-ls.mactime: "m", "a" or "c", the mactime to use in the
output.

So, any feedback about the output (remove uid or gid), or if you can
propose a better output or a better method/trick to perform some of
the NFS scans, pls speak up.
Keep in mind that this script is for discovery; perhaps we'll have
another intrusive NFS script to find files by permissions, write issues, etc.

thx.


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

-- 
tixxdz
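
As an added example (not the nfs-ls script's or Nmap's own code), the Python below shows the distinction drawn in the post: the mode/uid/gid triplet from GETATTR/READDIRPLUS only predicts what a user may do, while the NFSv3 ACCESS procedure (RFC 1813 bit mask) reports what the server actually grants, e.g. on a read-only export. The file handle and the server reply are constructed; mode_string reproduces the listing format shown above.

```python
import struct

# NFSv3 ACCESS request bits (RFC 1813, section 3.3.4).
ACCESS3_READ, ACCESS3_LOOKUP, ACCESS3_MODIFY = 0x01, 0x02, 0x04
ACCESS3_EXTEND, ACCESS3_DELETE, ACCESS3_EXECUTE = 0x08, 0x10, 0x20
WRITE_BITS = ACCESS3_MODIFY | ACCESS3_EXTEND | ACCESS3_DELETE
FATTR3_LEN = 84  # fattr3 is a fixed 84-byte XDR struct (RFC 1813)

def mode_string(ftype_char, mode):
    """Render mode bits the way the script prints them, e.g. '-rw-r--r--'."""
    flags = "".join(c if mode & (1 << (8 - i)) else "-" for i, c in enumerate("rwxrwxrwx"))
    return ftype_char + flags

def rights_from_attrs(mode, uid, gid, my_uid, my_gids):
    """ACCESS-style mask a client would expect from GETATTR/READDIRPLUS mode, uid, gid."""
    shift = 6 if my_uid == uid else 3 if gid in my_gids else 0   # owner / group / other triplet
    bits = (mode >> shift) & 7
    mask = 0
    if bits & 4:
        mask |= ACCESS3_READ
    if bits & 2:
        mask |= WRITE_BITS
    if bits & 1:
        mask |= ACCESS3_EXECUTE | ACCESS3_LOOKUP
    return mask

def encode_access3_args(fh, access):
    """XDR-encode ACCESS3args: opaque file handle (length, data, pad to 4) + uint32 mask."""
    pad = (-len(fh)) % 4
    return struct.pack(">I", len(fh)) + fh + b"\0" * pad + struct.pack(">I", access)

def decode_access3_res(payload):
    """Decode ACCESS3res and return the mask the server actually grants."""
    status, attrs_follow = struct.unpack_from(">II", payload, 0)
    if status != 0:
        raise ValueError("NFS3ERR %d" % status)
    off = 8 + (FATTR3_LEN if attrs_follow else 0)  # skip post_op_attr when present
    return struct.unpack_from(">I", payload, off)[0]

def compare_rights(expected, granted):
    """Rights the mode bits promise but the server withholds (e.g. on a ro export)."""
    return {"expected": expected, "granted": granted, "withheld": expected & ~granted}

def demo():
    # Constructed: 'filetest' from the listing above (-rw-r--r-- uid 1000 gid 1002), read as uid 1000 on a ro export.
    mode, uid, gid = 0o644, 1000, 1002
    expected = rights_from_attrs(mode, uid, gid, my_uid=1000, my_gids=[100])
    request = encode_access3_args(b"\x01\x02\x03", expected)  # dummy 3-byte file handle
    reply = struct.pack(">III", 0, 0, ACCESS3_READ)  # constructed server answer: READ only
    return mode_string("-", mode), request, compare_rights(expected, decode_access3_res(reply))
```

The "withheld" bits in the result are exactly the MODIFY/EXTEND/DELETE rights that the mode bits suggest but a read-only export never grants.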