Nmap Development mailing list archives

[NSE] new scripts and libraries


From: Patrik Karlsson <patrik () cqure net>
Date: Sun, 8 Aug 2010 17:31:36 +0200

Hi all,

I hope Blackhat and Defcon were great for those of you who attended and that the nmap talk was a great success. 
Unfortunately I didn't make it this year.
I've been working on some stuff during the past few weeks, and as I'm back to work tomorrow, I thought I would 
"offload" it to the list.
Some of it I have already posted but I might have made changes since, so I'm including it all again.
Some of the libraries unfortunately still have chunks of (ugly) undecoded data. The foremost reason for this is the 
lack of documentation.

The scripts and libraries have all undergone limited testing, but as always I welcome further testing, comments and 
suggestions.
Here's a brief description of each library and script and a zip file with everything needed inside.

o Brute framework
- A smallish brute framework that provides the basic iterators and logic
- For the moment the following scripts make use of it:
   x domcon-brute - see more information below
   x http-brute - performs password guessing against basic authentication
   x http-form-brute - performs form-based password guessing
   x informix-brute - see more information below
   x oracle-brute - see more information below
   x svn-brute - performs password guessing against Subversion
   x vnc-brute - see more information below

o DRDA protocol
- I've reworked the DB2 library to support other databases such as Apache Derby and IBM Informix running DRDA instances.
- The scripts db2-brute and db2-info now show results from these databases as well
- The initial post can be found here [1]

o IBM Informix Dynamic Server
- A library that supports native communication with IBM Informix Dynamic Server (informix.lua)
- So far it supports authentication and queries against the DB
- The following scripts make use of it:
   x informix-brute - uses the brute framework to perform password guessing
   x informix-tables - queries the database for a list of tables for each db
   x informix-query - makes it possible to query the database using a custom query

o IBM Lotus Domino
- A minimalistic Notes RPC library (nrpc.lua)
- The domino-enum-users.nse makes use of this library to:
   x guess valid user names
   x download the user.id file for each user (without authentication) as described in CVE-2006-5835. This still works 
in version 8.5
- There are also a bunch of other scripts that target domino:
   x domcon-brute - uses the brute library to perform password guessing against the Lotus Domino Remote Console
   x domcon-cmd - runs custom commands on the Lotus Domino Remote Console
   x domino-enum-passwords - runs against the Domino web interface and attempts to:
      1. Enumerate the Internet password for each user (it's available to every authenticated user by default)
      2. Download the user.id attached to the person document for each user
- While working on the domcon scripts I also wrote the library javaser.lua that performs basic java de-serialization of a 
byte stream.
  Unfortunately I found a way around it and I'm no longer using it, but it would make a good start for someone looking 
into communicating with a service that does java serialization.

o VNC
- A smallish library that supports listing supported security types and authentication using the "VNC Authentication" 
security type (vnc.lua)
- The following scripts make use of it:
   x vnc-brute - performs password guessing against VNC based servers
   x vnc-info - lists the supported security types for each VNC server

o Oracle
- A TNS library supporting authentication against Oracle 10g and 11g
- The following scripts make use of it:
   x oracle-enum-users - uses a (patched) vulnerability to determine valid user names without authentication
   x oracle-brute - performs password guessing against Oracle 10g and 11g using the brute framework

o GIOP
- A GIOP library that supports a few basic operations (get, _is_a and list) (giop.lua)
- The following scripts make use of it:
   x giop-info - Queries the CORBA naming server for a list of objects

In addition I've added a few new probes to the nmap-service-probes. They detect the following:
- Lotus Domino Console running on tcp/2050 (shows OS and hostname)
- IBM Informix Dynamic Server running native protocol (shows hostname and file path)
- Database servers running the DRDA protocol
- IBM Websphere MQ (shows name of queue-manager and channel)

OK, I think that's it for now.

//Patrik

[1] http://seclists.org/nmap-dev/2010/q3/192
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77
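The iterator and retry logic a brute framework like the one announced above has to provide, as an added Python example that is not the brute.lua from this post or from Nmap: a credential iterator with pass-first, user-first and pair modes, and an engine that retries transient errors, skips accounts the target reports as locked, and stops guessing a user once a valid password is found. FakeService and FakeDriver are constructed stand-ins for a network service and a protocol driver, and the driver interface (connect/login/disconnect) is this example's own assumption, not necessarily the Nmap library's.

```python
import itertools


class TransientError(Exception):
    """Retry the same credential pair (timeout, connection reset)."""


class AccountLocked(Exception):
    """The target locked this account: skip it, keep going on the others."""


class FatalError(Exception):
    """Abort the whole run."""


def credential_iterator(users, passwords, mode="pass-first"):
    """Yield (user, password) pairs in one of three orders.

    pass-first: every user against one password before the next password,
                spreading attempts across accounts (lockouts count per account).
    user-first: exhaust one user's password list before moving on.
    pairs:      users[i] with passwords[i], e.g. from a leaked credential dump.
    """
    if mode == "pass-first":
        for password in passwords:
            for user in users:
                yield user, password
    elif mode == "user-first":
        yield from itertools.product(users, passwords)
    elif mode == "pairs":
        yield from zip(users, passwords)
    else:
        raise ValueError("unknown mode %r" % mode)


class Engine:
    """Drive a protocol driver through the credential iterator.

    driver_factory() returns an object with connect(), login(user, password)
    -> bool and disconnect(); login raises TransientError or AccountLocked.
    This driver interface is an assumption of the example.
    """

    def __init__(self, driver_factory, users, passwords, mode="pass-first",
                 max_retries=3, first_only=False):
        self.driver_factory = driver_factory
        self.users, self.passwords, self.mode = users, passwords, mode
        self.max_retries, self.first_only = max_retries, first_only

    def run(self):
        valid, locked, done = [], set(), set()
        attempts = retries = 0
        for user, password in credential_iterator(self.users, self.passwords, self.mode):
            if self.first_only and valid:
                break
            if user in locked or user in done:   # locked out, or already cracked
                continue
            for _ in range(self.max_retries + 1):
                driver = self.driver_factory()
                try:
                    driver.connect()
                    ok = driver.login(user, password)
                except TransientError:
                    retries += 1
                    continue                      # same pair again
                except AccountLocked:
                    locked.add(user)
                    break
                finally:
                    driver.disconnect()
                attempts += 1
                if ok:
                    valid.append((user, password))
                    done.add(user)
                break
            else:
                raise FatalError("gave up on %s after %d retries" % (user, self.max_retries))
        return {"valid": valid, "locked": sorted(locked),
                "attempts": attempts, "retries": retries}


class FakeService:
    """Constructed stand-in for a network service: a credential table, a
    per-account lockout after lock_after failures, and one injected
    transient failure on call number flaky_attempt."""

    def __init__(self, accounts, lock_after=3, flaky_attempt=None):
        self.accounts, self.lock_after, self.flaky_attempt = accounts, lock_after, flaky_attempt
        self.failures, self.calls = {}, 0

    def auth(self, user, password):
        self.calls += 1
        if self.calls == self.flaky_attempt:
            raise TransientError("connection reset by peer")
        if self.failures.get(user, 0) >= self.lock_after:
            raise AccountLocked(user)
        if self.accounts.get(user) == password:
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        return False


class FakeDriver:
    """The driver shape Engine expects, wired to the fake service."""

    def __init__(self, service):
        self.service = service

    def connect(self):
        pass

    def login(self, user, password):
        return self.service.auth(user, password)

    def disconnect(self):
        pass


def demo_run(mode="pass-first"):
    # Constructed user list, wordlist and credential table; nothing real.
    service = FakeService({"admin": "letmein", "guest": "guest"},
                          lock_after=3, flaky_attempt=2)
    engine = Engine(lambda: FakeDriver(service),
                    users=["admin", "backup", "guest"],
                    passwords=["password", "secret", "letmein", "admin123"],
                    mode=mode)
    return engine.run()


if __name__ == "__main__":
    print(demo_run())
```

In the demo run the second login call is reset and retried, admin is found on the third password and skipped afterwards, and backup and guest hit the lockout threshold on the fourth password; the engine reports them as locked instead of aborting, which is the behaviour you want from a guessing run that spans many accounts.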

Attachment: nmap_nse_20100808.zip
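The RFB security-type negotiation that vnc-info lists and vnc-brute has to get through, as an added Python example that is not code from this post or from Nmap's vnc.lua: it replays the client side of the handshake over constructed server byte streams, covering the 3.3 form (one U32 type dictated by the server), the 3.7+ form (a U8 count followed by the list of offered types), and a refusal (count 0 followed by a reason string), then reads the 16-byte challenge and prepares the DES key the way VNC Authentication requires. The type names are those of RFC 6143; the server streams are constructed, and the DES cipher itself is not included.

```python
import struct
from io import BytesIO

# Security-type numbers and names as listed in RFC 6143 section 7.1.2.
SECURITY_TYPES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
    16: "Tight", 17: "Ultra", 18: "TLS", 19: "VeNCrypt", 20: "GTK-VNC SASL",
    21: "MD5 hash authentication", 22: "Colin Dean xvp",
}


class RFBHandshakeError(Exception):
    """The server sent something outside the RFB handshake grammar."""


def parse_version(banner):
    """Parse the 12-byte ProtocolVersion message, e.g. b'RFB 003.008\\n'."""
    if (len(banner) != 12 or banner[:4] != b"RFB " or banner[7:8] != b"."
            or banner[11:12] != b"\n"):
        raise RFBHandshakeError("bad ProtocolVersion: %r" % banner)
    return int(banner[4:7]), int(banner[8:11])


def _read_reason(buf):
    """U32 length followed by that many bytes of text: the server's refusal."""
    (n,) = struct.unpack(">I", buf.read(4))
    return buf.read(n).decode("latin-1", "replace")


def read_security_types(major, minor, buf):
    """Return (types, reason); reason is set only when the server refused."""
    if (major, minor) < (3, 7):
        # 3.3: the server dictates one type as a U32; 0 means failure.
        (t,) = struct.unpack(">I", buf.read(4))
        return ([], _read_reason(buf)) if t == 0 else ([t], None)
    # 3.7+: U8 count, then one U8 per offered type; count 0 means failure.
    head = buf.read(1)
    if not head:
        raise RFBHandshakeError("stream ended before the security-type list")
    if head[0] == 0:
        return [], _read_reason(buf)
    types = list(buf.read(head[0]))
    if len(types) != head[0]:
        raise RFBHandshakeError("short security-type list")
    return types, None


def negotiate(server_stream, preferred=(2, 1)):
    """Replay the client side of the handshake over a scripted server stream.

    Returns the negotiated version, the offered types by name, any refusal
    reason, the type selected, the bytes the client put on the wire and, for
    VNC Authentication, the 16-byte challenge that follows the selection.
    """
    srv = BytesIO(server_stream)
    sent = bytearray()
    major, minor = parse_version(srv.read(12))
    ours = min((major, minor), (3, 8))   # highest version we speak, capped by the server's
    sent += b"RFB %03d.%03d\n" % ours
    types, reason = read_security_types(*ours, srv)
    chosen = None
    if types and ours >= (3, 7):
        # 3.7+ lets the client choose; the selection goes out as a single U8.
        chosen = next((t for t in preferred if t in types), None)
        if chosen is None:
            raise RFBHandshakeError("no acceptable security type in %r" % types)
        sent.append(chosen)
    elif types:
        chosen = types[0]                # 3.3: no choice, the server picked
    result = {
        "version": ours,
        "types": [SECURITY_TYPES.get(t, "unknown(%d)" % t) for t in types],
        "reason": reason,
        "chosen": chosen,
        "client_sent": bytes(sent),
    }
    if chosen == 2:
        result["challenge"] = srv.read(16)
        if len(result["challenge"]) != 16:
            raise RFBHandshakeError("short VNC Authentication challenge")
    return result


def vnc_des_key(password):
    """VNC Authentication key quirk: the password is truncated or NUL-padded
    to 8 bytes and every byte is bit-reversed before use as the DES key.
    The response is DES-ECB(key, challenge) over the two 8-byte blocks;
    the cipher itself is not part of this example."""
    padded = password[:8].ljust(8, b"\x00")
    return bytes(int("{:08b}".format(b)[::-1], 2) for b in padded)


# Constructed server streams, not captures from real hosts.
CHALLENGE = bytes(range(16))
SERVER_38 = b"RFB 003.008\n" + b"\x02\x01\x02" + CHALLENGE        # offers None, VNC Auth
SERVER_33 = b"RFB 003.003\n" + b"\x00\x00\x00\x02" + CHALLENGE    # dictates VNC Auth
REASON = b"Too many security failures"
SERVER_REFUSED = b"RFB 003.008\n" + b"\x00" + struct.pack(">I", len(REASON)) + REASON

if __name__ == "__main__":
    for stream in (SERVER_38, SERVER_33, SERVER_REFUSED):
        print(negotiate(stream))
    print(vnc_des_key(b"secret").hex())
```

The refusal case matters for a scanner: a server that has blacklisted the scanning host after repeated failures answers the version exchange normally and only then sends a zero count plus a reason, so a listing script has to treat "no types" as a distinct result rather than a parse error, and a guessing script has to stop rather than keep reconnecting.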
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/