Nmap Development mailing list archives

Re: [NSE + NSELib] Netbios and SMB [stable!]


From: David Fifield <david () bamsoftware com>
Date: Mon, 15 Sep 2008 12:18:40 -0600

On Fri, Sep 12, 2008 at 02:33:13PM -0500, Ron wrote:
> I've spent the last week or two working on a NetBIOS and SMB library.
> Finally, as of right now, I have a stable version that's documented,
> clean, and works against every system I tried it on (with a minor
> exception -- I'll talk about it below). So, with that, I'm submitting it
> to be tested/beaten up as a real script.
>
> I included two nselib libraries:
> - smb.lua
> - netbios.lua
>
> And four scripts:
> - nbstat.nse (enhanced version of the current one)
> - smb-os-discovery.nse (makes netbios-smb-os-discovery.nse obsolete)
> - smb-security-mode.nse
> - smb-enum.nse
>
> I am going to start working on new functionality over the next few
> weeks, but as of right now it's useful and works, so it seems like a
> good place to submit it.

I added the new modules and scripts. Thanks! They all look well done,
especially the documentation. I tested them this morning and they are
an improvement over what was there before.

I adjusted the categories of the SMB scripts as follows:

smb-os-discovery.nse
-categories = {"version","default"}
+categories = {"default", "discovery", "safe"}

smb-enum.nse
-categories = {"version","intrusive"}
+categories = {"discovery", "intrusive"}

smb-security-mode.nse
-categories = {"version"}
+categories = {"discovery", "safe"}

The "version" category is only for getting results like what -sV gets.
Scripts in the "version" category should produce output by assigning
port.version.name, port.version.product, and other fields, and they
shouldn't produce any normal script output. Because these new scripts
don't work that way I put them in "discovery" instead.

I saw one missed opportunity to use nselib. In smb-enum.nse you can use
stdnse.strjoin instead of the custom function string_join.

> The only time it DOESN'T work is against hosts with a specific firewall
> configuration -- if ports 445 and 137 are blocked, but 139 is allowed
> through, it will have trouble establishing a session. A couple tricks
> are tried (using the generic '*SMBSERVER' name, and using the reverse
> DNS name), but if those don't work it fails. I'm going to look for a way
> to fix that, but I'm not sure if it's possible short of asking the user
> for the server's name.

I think asking for the server's name in a script argument is just fine.

David Fifield
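As an added illustration of the two points in the reply above (example code written for this archive page; it is not from the nmap-dev thread, nor from Ron's smb.lua/netbios.lua or his four scripts): two minimal NSE scripts in one listing, one in the "version" category that only fills in port.version fields, and one in "discovery" that returns normal output, uses stdnse.strjoin instead of a hand-rolled string_join, and reads an assumed script argument (called smbname here) so the user can supply the server's NetBIOS name for the 139-only firewall case. The file names, the smbname argument, and the product/name values are assumptions made for the example, and the `local x = require "x"` module style is the current NSE convention rather than the 2008 one.

```lua
-- ===== file: version-style-example.nse (assumed name) =====
-- A "version"-category script reports what it learns by assigning
-- port.version fields and returns no normal script output. The values
-- below are placeholders constructed for this example; a real script
-- would derive them from the SMB negotiation.
local nmap      = require "nmap"
local shortport = require "shortport"

description = [[
Example "version" script: assigns port.version fields and prints nothing itself.
]]
categories = {"version"}

portrule = shortport.port_or_service(445, "microsoft-ds")

action = function(host, port)
  port.version.name    = "microsoft-ds"            -- placeholder value
  port.version.product = "Microsoft Windows SMB"   -- placeholder value
  -- Mark the match as authoritative so Nmap shows the fields in its
  -- SERVICE / VERSION columns, exactly where -sV results appear.
  nmap.set_port_version(host, port, "hardmatched")
  return nil   -- no script output of its own
end

-- ===== file: discovery-style-example.nse (assumed name) =====
-- A "discovery"/"safe" script returns human-readable output, so it
-- belongs in "discovery", not "version". It also shows stdnse.strjoin
-- for joining output lines and a script argument (smbname, an assumed
-- name) that lets the user supply the server's NetBIOS name when only
-- port 139 is reachable and the usual guesses fail.
local nmap      = require "nmap"
local stdnse    = require "stdnse"
local shortport = require "shortport"

description = [[
Example "discovery" script: returns normal script output.
]]
categories = {"discovery", "safe"}

portrule = shortport.port_or_service({139, 445}, {"netbios-ssn", "microsoft-ds"})

-- Build the list of NetBIOS names to try in the session request: the
-- user-supplied name first, then the generic '*SMBSERVER', then the
-- reverse DNS name (host.name is filled in by Nmap when available).
local function candidate_names(host)
  local names = {}
  local arg = nmap.registry.args and nmap.registry.args.smbname  -- e.g. --script-args smbname=FILESRV01
  if arg and arg ~= "" then names[#names + 1] = arg end
  names[#names + 1] = "*SMBSERVER"
  if host.name and host.name ~= "" then names[#names + 1] = host.name end
  return names
end

action = function(host, port)
  local lines = {}
  lines[#lines + 1] = "Names to try in the NetBIOS session request:"
  for _, n in ipairs(candidate_names(host)) do
    lines[#lines + 1] = "  " .. n
  end
  -- stdnse.strjoin(delimiter, list) does what a custom string_join would.
  return stdnse.strjoin("\n", lines)
end
```

The version-style script never returns a string, which is why such scripts print nothing of their own; the discovery-style script does the opposite, and the category change in the reply follows directly from that distinction.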

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org