Nmap Development mailing list archives
Re: [NSE] new scripts and libraries: domino, informix, oracle, giop
From: Patrik Karlsson <patrik () cqure net>
Date: Fri, 20 Aug 2010 01:14:56 +0200
On 19 aug 2010, at 01.33, David Fifield wrote:
> On Sun, Aug 08, 2010 at 05:31:36PM +0200, Patrik Karlsson wrote:
>> o IBM Informix Dynamic Server
>>   - A library that supports native communication with IBM Informix Dynamic Server (informix.lua)
>>   - So far it supports authentication and queries against the DB
>>   - The following scripts make use of it:
>>     x informix-brute - uses the brute framework to perform password guessing
>>     x informix-tables - queries the database for a list of tables for each db
>>     x informix-query - makes it possible to query the database using a custom query
>
> In informix-brute I noticed some copy-paste errors: "Disconnects and
> terminates the Oracle TNS communication," "makes sure that the Oracle
> instance is correct."
I've taken care of them.
> I know you are aware of the unknown data like this:
>
>   local unknown = [[
>   013c0000006400650000003d0006494545454d00006c73716c65786563000000
>   00000006392e32383000000c524453235230303030303000000573716c690000
>   00013300000000000000000001
>   ]]
>
>   local unknown2 = [[
>   6f6c0000000000000000003d746c697463700000000000010068000b
>   00000003
>   ]]
>
> I'm okay with that being in the library, but please add a comment
> saying where it comes from (if a packet capture, what command or
> procedure needs to be done to recreate it). Otherwise it's hard for
> anybody but you to maintain it. What you did in tns.lua is good.
Ok, I've added that.
> Is there a reason that informix-brute has a wider portrule than the
> other scripts?
No, I've widened the other rules as well.
>   portrule = shortport.port_or_service( { 1526, 9088, 9090, 9092 }, "informix", "tcp", "open")
>
>   portrule = shortport.port_or_service(9088, 'informix')
>
> Please commit these informix scripts.
Done, they're committed as r19896.
>> o IBM Lotus Domino
>>   - A minimalistic Notes RPC library (nrpc.lua)
>>   - The domino-enum-users.nse makes use of this library to:
>>     x guess valid user names
>>     x download the user.id file for each user (without authentication)
>>       as described in (CVE-2006-5835). This still works in version 8.5
>>   - There are also a bunch of other scripts that target domino:
>>     x domcon-brute - uses the brute library to perform password guessing
>>       against the Lotus Domino Remote Console
>>     x domcon-cmd - runs custom commands on the Lotus Domino Remote Console
>>     x domino-enum-passwords - runs against the Domino web interface and
>>       attempts to:
>>       1. Enumerate the Internet password for each user (it's available to
>>          every authenticated user per default)
>>       2. Download the user.id attached to the person document for each user
>>   - While working on the domcon scripts I also wrote the library javaser.lua
>>     that performs basic java de-serialization of a byte stream. Unfortunately
>>     I found a way around it and I'm no longer using it, but it would make a
>>     good start for someone looking into communicating with a service that
>>     does java serialization.
>
> You had a good idea here of just showing what ID files are available by
> default, and providing a script argument to save them to a file. I don't
> know if this is the real format, but I couldn't get the sample hashes to
> load in john.
I'm guessing you're missing the jumbo patch from here:
http://www.openwall.com/john/contrib/john-1.7.6-jumbo-6.diff.gz
>   Jim Brass:(GYvlbOz2idzni5peJUdD)
>   Warrick Brown:(GZghNctqAnJgyklUl2ml)
>
> These look good and you can commit them.
They've been committed as r19899.
>> o Oracle
>>   - A TNS library supporting authentication against Oracle 10g and 11g
>>   - The following scripts make use of it:
>>     x oracle-enum-users - uses a (patched) vulnerability to determine valid
>>       user names without authentication
>>     x oracle-brute - performs password guessing against Oracle 10g and 11g
>>       using the brute framework
>
> These are good too.
Committed as r19900.
>> o GIOP
>>   - A GIOP library that supports a few basic operations, get, _is_a and list (giop.lua)
>>   - The following scripts make use of it:
>>     x giop-info - Queries the CORBA naming server for a list of objects
>
> I have to say, I didn't know what GIOP was before, and after reading
> about it, I still don't think I know what it is. What software does
> this run against? You can commit it.
It runs against the CORBA naming server. I followed this example to test it out:
http://download-llnw.oracle.com/javase/1.4.2/docs/guide/idl/jidlExample.html

It's in as r19901.
> David Fifield
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77
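Since the thread only says that giop.lua talks to a CORBA naming server without showing what the protocol looks like on the wire, here is an added example (my own code, not giop.lua or anything from Nmap) that encodes and decodes the 12-byte header every GIOP message starts with: the "GIOP" magic, the protocol version, the flags byte whose low bit announces the byte order of the rest of the message (in GIOP 1.0 the byte is just a byte_order boolean; 1.1 and later add a fragment bit), the message type, and the message_size in the announced byte order. The sample messages are constructed inline, and MAX_MESSAGE_SIZE is an assumed cap chosen for the example, not a value from the library or the spec.

```python
"""Encode/decode GIOP 1.0-1.2 message headers (added example, not giop.lua)."""
import struct

GIOP_MAGIC = b"GIOP"
HEADER_LEN = 12
MAX_MESSAGE_SIZE = 1 << 20  # assumed cap for this example; tune per service

MESSAGE_TYPES = {
    0: "Request",
    1: "Reply",
    2: "CancelRequest",
    3: "LocateRequest",
    4: "LocateReply",
    5: "CloseConnection",
    6: "MessageError",
    7: "Fragment",  # only exists from GIOP 1.1 on
}


def build_header(msg_type, body_len, major=1, minor=2,
                 little_endian=False, more_fragments=False):
    """Return the 12-byte header for a message whose body is body_len bytes."""
    if msg_type not in MESSAGE_TYPES:
        raise ValueError("unknown GIOP message type %d" % msg_type)
    if minor == 0 and (msg_type == 7 or more_fragments):
        raise ValueError("GIOP 1.0 has no fragments and no fragment bit")
    flags = (1 if little_endian else 0) | (2 if more_fragments else 0)
    # message_size is encoded in the byte order the flags byte announces.
    size = struct.pack(("<" if little_endian else ">") + "I", body_len)
    return GIOP_MAGIC + struct.pack("BBBB", major, minor, flags, msg_type) + size


def parse_header(data):
    """Parse a GIOP header into a dict; raise ValueError on anything malformed."""
    if len(data) < HEADER_LEN:
        raise ValueError("short header: need %d bytes, got %d" % (HEADER_LEN, len(data)))
    if data[:4] != GIOP_MAGIC:
        raise ValueError("bad magic %r" % data[:4])
    major, minor, flags, msg_type = struct.unpack("BBBB", data[4:8])
    if major != 1 or minor > 2:
        raise ValueError("unsupported GIOP version %d.%d" % (major, minor))
    if minor == 0 and flags & ~1:
        raise ValueError("GIOP 1.0 byte_order must be 0 or 1, got 0x%02x" % flags)
    if msg_type not in MESSAGE_TYPES or (minor == 0 and msg_type == 7):
        raise ValueError("invalid message type %d for GIOP 1.%d" % (msg_type, minor))
    little_endian = bool(flags & 1)
    (size,) = struct.unpack(("<" if little_endian else ">") + "I", data[8:12])
    return {
        "version": (major, minor),
        "little_endian": little_endian,
        "more_fragments": bool(flags & 2) if minor >= 1 else False,
        "message_type": MESSAGE_TYPES[msg_type],
        "message_size": size,
    }


def read_message(buf):
    """Split one complete message off the front of buf.

    Returns (header, body, rest), or None if buf does not yet hold the whole
    message. A message_size above MAX_MESSAGE_SIZE is rejected up front so a
    hostile peer cannot make the caller buffer or wait indefinitely.
    """
    hdr = parse_header(buf)
    if hdr["message_size"] > MAX_MESSAGE_SIZE:
        raise ValueError("message_size %d exceeds cap" % hdr["message_size"])
    end = HEADER_LEN + hdr["message_size"]
    if len(buf) < end:
        return None
    return hdr, buf[HEADER_LEN:end], buf[end:]


def is_malformed(data):
    """True if parse_header rejects data (handy for checking bad input)."""
    try:
        parse_header(data)
    except ValueError:
        return True
    return False


# Constructed sample: a GIOP 1.0 big-endian Request with a 4-byte body.
SAMPLE_REQUEST_10 = build_header(0, 4, major=1, minor=0) + b"\x00\x00\x00\x01"

if __name__ == "__main__":
    hdr, body, rest = read_message(SAMPLE_REQUEST_10)
    print(hdr, body, rest)
    print(parse_header(build_header(3, 258, little_endian=True)))
```

Byte order is the part that bites in practice: a 1.0 peer that sets the flag byte to 1 means every CDR value after the header, including message_size, is little-endian, so a parser that hard-codes network order will read a wildly wrong size and either truncate or try to read gigabytes. Checking the size against a cap before allocating or looping on recv() is the cheap defence.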