Nmap Development mailing list archives

Re: [NSE] MSRPC Libraries (stable, I hope!)


From: David Fifield <david () bamsoftware com>
Date: Mon, 3 Nov 2008 11:39:37 -0700

On Thu, Oct 30, 2008 at 08:47:36PM -0500, Ron wrote:
> Hey David (and all),
> 
> I made some changes to the output and committed them to my nmap-exp branch:
> svn://svn.insecure.org/nmap-exp/ron/nmap-smb
> 
> Basically:
> - one level of verbose/debug (-v or -d) will give you just important
>   stuff (failed logins, errors, etc)
> - two levels of verbose/debug will give you function calls/packets being
>   sent
> - three levels of verbose/debug will give you everything
> - errors will no longer be displayed in the Nmap output unless -d is set.
> 
> This cleans things up a lot. Could you take a look and let me know if
> it's better now, and tell me where else it could improve? That'd be great!

Looks good to me. I don't see any reason not to merge these new
improvements. What follows is a few suggestions I thought of while
reviewing the code.

Let me suggest a way to make the error handling more concise. There are
a lot of places in the code that say

        if(nmap.debugging() > 0) then
                return "ERROR: " .. msg
        else
                return nil
        end

You could define a function to encapsulate this common pattern:

        local function err(msg)
                if nmap.debugging() > 0 then
                        return "ERROR: " .. msg
                else
                        return nil
                end
        end

Then the code in case of error would be simply

        return err(msg)

I think I have an answer to this question in nselib/smb.lua:

        -- If the name wasn't found in the array, do a linear search on it (TODO: Why is this happening??)

It's because the table near the bottom should be called status_codes,
not status_names (compare command_codes immediately above). As it is,
you never fill in the table status_codes, and the table status_names
holds what status_codes should hold.

smb-enumsessions.nse gives a wrong answer when I use a guest user. It
says nobody is logged in even when someone is:

$ ./nmap --datadir=. --script=smb-enumsessions.nse -PN -F --script-args smbguest=1 192.168.0.190
...
Host script results:
|  MSRPC: NetSessEnum():
|  Users logged in:
|  |_ <nobody>
|_ ERROR: Couldn't enumerate network sessions: NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netsessenum)

Compare that with the results with an authenticated user:

$ ./nmap --datadir=. --script=smb-enumsessions.nse -PN -F --script-args smbuser=jrandom,smbpass=jrandom 192.168.0.190
...
Host script results:
|  MSRPC: NetSessEnum():
|  Users logged in:
|  |_ MAC-MINI\david since 2008-11-03 10:06:41
|  Active SMB Sessions:
|_ |_ JRANDOM is connected from 192.168.0.21 for [just logged in, it's probably you], idle for [not idle]

The problem is the <nobody> in the first output. Is this just a case of
Windows lying to the guest user? If so, that's understandable, it just
needs to be documented in the script.

David Fifield
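An added illustration of the two points raised in this message (the err() helper and the swapped status_codes/status_names tables); this is example code written for this archive page, not Ron's smb.lua or David's patch. The nmap stand-in and the table contents are assumptions so it runs outside Nmap.

```lua
-- Stand-in for the nmap library when run with plain lua (assumption);
-- inside an NSE script the real nmap.debugging() is used instead.
local nmap = nmap or { debugging = function() return 0 end }

-- Return an error string only when -d is set; otherwise return nil so
-- the script produces no output for the host.
local function err(msg)
  if nmap.debugging() > 0 then
    return "ERROR: " .. msg
  else
    return nil
  end
end

-- Name -> code, written by hand (constructed subset of NT status values).
local status_codes = {
  NT_STATUS_SUCCESS       = 0x00000000,
  NT_STATUS_ACCESS_DENIED = 0xC0000022,
  NT_STATUS_LOGON_FAILURE = 0xC000006D,
}

-- Code -> name, derived once from status_codes. With the tables named
-- this way round, a lookup is a single index and no linear search
-- fallback is needed.
local status_names = {}
for name, code in pairs(status_codes) do
  status_names[code] = name
end

local function get_status_name(code)
  return status_names[code] or string.format("NT_STATUS_UNKNOWN_%08x", code)
end

-- A script body in the style of an NSE action using both helpers.
local function action_like(status)
  if status ~= status_codes.NT_STATUS_SUCCESS then
    return err("Couldn't enumerate network sessions: " .. get_status_name(status))
  end
  return "Users logged in:\n  (none)"
end

print(get_status_name(0xC0000022))
print(action_like(0xC0000022))
print(action_like(status_codes.NT_STATUS_SUCCESS))
```

With the stand-in nmap table, action_like() on a failure status returns nil; set debugging to return 1 to see the "ERROR: ..." string instead.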

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org