Re: [NSE] Script Submission: NTLM Information Disclosure (MS-SQL, SMTP, IMAP, POP3, Telnet, NNTP)

[nmap user <nmapuser1 () gmail com>]

Hello NMap Dev Team,

I wanted to follow up on the status of these additional NTLM Information
Disclosure scripts and if they could be committed in their current, fully
functional state.

Myself and others have been using these scripts with considerable benefit
across many penetration testing engagements -- and I believe the community
at large would also benefit from having these scripts committed and easily
available.  Similarly, I'd like to being working on additional, new NMap
contributions but need to get these closed out first.

Thanks for your time and consideration!

Sincerely,
-J


On Thu, Oct 9, 2014 at 9:52 PM, nmap user <nmapuser1 () gmail com> wrote:

> Hi Dan,
>
> I finally had some available time to review your suggestions for the
> additional NTLM Information Disclosure scripts:
>
> * Per your recommendation, the smtp-ntlm-info script has been updated to
> leverage the sslcert.isPortSupported() function vs shortport.ssl(host,port).
>
> * As you suspected, yes, using the smbauth.get_security_blob method to
> create the NTLM Type 1 authentication packet is insufficient in the ability
> to enumerate information from modern Windows operating systems (2008+).
> One option would be to modify the smbauth library, however, this may have
> unintended consequences for the many other scripts that depend on the
> current implementation.
>
> * Similarly, with the ms-sql-ntlm-info script, the mssql.LoginPacket
> function is also insufficient in creating the correct MS-TDS packet
> structure to remotely enumerate such data.  Again, making changes to this
> tricky protocol is likely to break other scripts without significant
> testing.
>
> * I observed that another contributor started working on various STARTTLS
> implementations.  Some of these appear to have been committed to the code
> base in June, however, were not include in the 6.47 version released in
> August.  I’m very hesitant to rely on code that would break the scripts for
> anything but the current SVN version.  Especially since many people
> manually add scripts to their stable, non-SVN versions.
>
> All things considered, I’d like to propose committing these scripts to
> Nmap in their current fully functional state (attached below).  Over the
> past months, myself and others have been using these with considerable
> benefit across many penetration testing engagements -- and I believe the
> community at large would also benefit from having these scripts packaged
> within the next version release, vs having to manually download and update
> the database.
>
> Thanks again for your consideration.
>
> Sincerely,
> Justin
>
>
>
> On Tue, May 20, 2014 at 8:27 PM, Daniel Miller <bonsaiviking () gmail com>
> wrote:
>
> > Justin,
> >
> > Ok, here are a few concerns (minor, but require a little work):
> >
> > 1. ms-sql-ntlm-info should use mssql.LoginPacket (sorry, the NSEdoc is a
> > bit mucked so I don't have a direct link) instead of the big bin.pack
> > structure. I'm sorry to bring it up, because I know that must have taken
> > you a while to put together. If you see anything that needs to be fixed or
> > altered in mssql.lua in order to make this work, let me know and we'll work
> > on it.
> >
> > 2. For smtp-ntlm-info, please use the function returned by
> > sslcert.isPortSupported() to do STARTTLS. Again, if you have suggestions
> > for improvements, we'll take them.
> >
> > 3. For nntp, pop3, and imap, we do not have STARTTLS support in the
> > sslcert.lua library, which means we can't do cert grabbing or ciphersuite
> > enumeration or Heartbleed detection or other cool things. I would be
> > forever indebted to you if you took the STARTTLS portions out of your
> > scripts and submitted them as patches to sslcert.lua instead.
> >
> > 4. This one doesn't do much currently, but it will serve as a focal point
> > for an overhaul in the future: please use smbauth.get_security_blob to
> > generate the NTLMSSP security blob in all the scripts. You'll still have to
> > build the flags you want. Note that smbauth.get_security_blob doesn't
> > currently provide OS version info like your scripts do. I'd really
> > appreciate some testing with the OS version info removed, but I suspect
> > that some newer versions of Windows may have a problem with it?
> >
> > Thanks again for these great scripts. I think you're right about keeping
> > them separate. I look forward to including them in Nmap soon!
> >
> > Dan
> >
> >
> > On Tue, May 13, 2014 at 12:42 PM, NMap User1 <nmapuser1 () gmail com> wrote:
> >
> > > Hi Dan,
> > >
> > > Just wanted to follow up on the status of incorporating these scripts
> > > into
> > > Nmap.  I think keeping the scripts separate would be the easiest for
> > > users,
> > > as well as developers submitting additional scripts that enumerate such
> > > information via the NTLM authentication protocol.
> > >
> > > I've re-attached the scripts to this e-mail, some of which contain minor
> > > updates:
> > > * MS-SQL
> > > * SMTP
> > > * IMAP
> > > * POP3
> > > * Telnet
> > > * NNTP
> > >
> > > Just let me know if there are any questions or how I can help.
> > >
> > > Thanks,
> > > Justin
> > >
> > >
> > > ----------------------------------------------------------------------------
> > > Hi Dan,
> > >
> > > I originally contemplated creating one large script to handle all the
> > > various protocols.  However, the name of the script wouldn't align with
> > > the
> > > traditional naming scheme ([protocol]-[name]).  Thus, it may confuse
> > > users
> > > especially when searching for protocol specific scripts, or, trying to
> > > enable all scripts for a defined protocol (e.g --script
> > > http-*,telnet-*,etc.).
> > >
> > > I'm more than happy to combine all protocols into one monolithic script
> > > if
> > > needed.  I just need some guidance from the Nmap team what the preferred
> > > method would be.
> > >
> > > Thoughts?
> > >
> > > Regards,
> > > Justin
> > >
> > >
> > > ----------------------------------------------------------------------------
> > > From: Daniel Miller [mailto:bonsaiviking () gmail com]
> > > Sent: Wednesday, April 23, 2014 1:50 PM
> > > To: NMap User1; dev () nmap org
> > > Subject: Re: [NSE] Script Submission: NTLM Information Disclosure
> > > (MS-SQL,
> > > SMTP, IMAP, POP3, Telnet, NNTP)
> > >
> > > Justin,
> > >
> > > These look really neat, and I'm sure we can integrate them somehow. Do
> > > you
> > > think that it would be possible to combine them into one script that just
> > > handles the pre-NTLM protocol handshaking depending on the service, then
> > > does the NTLM information gathering on its own? Take a look at how
> > > sslcert
> > > library (http://nmap.org/nsedoc/lib/sslcert.html) does things with the
> > > SPECIALIZED_PREPARE_TLS and StartTLS tables, for instance. Just a thought
> > > for now, since I haven't had time to take a closer look yet.
> > >
> > > Dan
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/