Nmap Development mailing list archives

Re: [NSELIB/NSE] Updates SMB/MSRPC scripts


From: David Fifield <david () bamsoftware com>
Date: Fri, 3 Oct 2008 18:12:38 -0600

On Fri, Oct 03, 2008 at 11:09:16AM -0500, Ron wrote:
> I've taken David's suggestions about the previous version of my
> SMB/MSRPC libraries and incorporated them. So basically, these would be
> the change notes:
> - Rolled together multiple ways of doing the same thing

So smb-enumusers.nse covers what you previously sent as
smb-msrpc-bruteusers.nse, smb-msrpc-enumusers.nse, and smb-enum.nse? The
new organization is logical, it's easier to predict what the scripts
will do from their names.

> - Removed smbconstants in favour of a two-way table

You can make the constants tables even more concise and expressive by
writing

local command_codes = {
SMB_COM_CREATE_DIRECTORY             = 0x00,
SMB_COM_DELETE_DIRECTORY             = 0x01,
...
}

Likewise you can say command_codes.SMB_COM_CREATE_DIRECTORY rather than
command_codes['SMB_COM_CREATE_DIRECTORY']. This is possible because all
the table keys are legal identifiers.

All the constants should be moved to the end of smb.lua--does that work?

> -- The 'referent_id' value is ignored, as far as I can tell, so this value is passed for it. No, it isn't random. :)
> REFERENT_ID = 0x50414d4e

Heh.

> As before, this will only work against Windows 2000. Once I get
> authentication in place (which is the next big task, besides
> fixes/improvements requested right now), it'll work against Windows 2000
> - Windows Vista (doesn't work with NT or below, they don't have the
> required interfaces).

Yes, as I understand it authentication for these scripts and modules is
wrapped up with the integration of the openssl module. Ron's scripts are
going to be the first test of the module, apart from Sven's own
SSH-hostkey.nse. When authentication in these scripts work and the
openssl module has gotten some exercise I think we can add them at
roughly the same time.

> So there you go, please let me know what you think and, if you want me
> to continue, encourage me! :)

Keep up the good work! Seriously, I think that the smb and msrpc modules
are going to serve as examples of how to write other large NSE modules.

I'd like to commit this as soon as someone can independently verify that
all the scripts work against Windows 2000. I don't have a machine to
test against. The command to do it is

nmap --script=smb-enumdomains.nse,smb-enumusers.nse,smb-enumshares.nse <target>

Also try running with verbosity. For what it's worth, here's what I see
running against Windows XP:

Host script results:
|_ MSRPC: List of domains: ERROR: NT_STATUS_ACCESS_DENIED
|  MSRPC: NetShareEnumAll():
|  Couldn't enum all shares, checking for common ones
(NT_STATUS_ACCESS_DENIED)
|  Anonymous shares: IPC$
|_ Restricted shares: ADMIN$, C$
|  MSRPC: List of user accounts:
|  Enum via SAMR error: NT_STATUS_ACCESS_DENIED
|  Enum via LSA error: NT_STATUS_ACCESS_DENIED
|_ Sorry, couldn't find any account names anonymously!

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
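The two-way constants table Ron mentions, written out as an added example (not code from this thread or from Nmap's smb.lua). It starts from the name-to-code form David suggests and builds the reverse mapping, so a script can decode a status code from a response back to its name; the two command codes are the ones quoted above, and the NTSTATUS values are assumed from the public Windows status list.

```lua
-- Build one table holding both directions: name -> code and code -> name.
-- Names are strings and codes are numbers, so the two key spaces cannot
-- collide with each other; duplicates within either direction are refused
-- so a copy-and-paste error in the constants list fails loudly at load time.
local function two_way(names_to_codes)
    local t = {}
    for name, code in pairs(names_to_codes) do
        assert(t[name] == nil, "duplicate name: " .. name)
        assert(t[code] == nil, "duplicate code for " .. name)
        t[name] = code
        t[code] = name
    end
    return t
end

-- The two command codes quoted in the thread.
local command_codes = two_way({
    SMB_COM_CREATE_DIRECTORY = 0x00,
    SMB_COM_DELETE_DIRECTORY = 0x01,
})

-- Assumed NTSTATUS values (not given on the page); NT_STATUS_ACCESS_DENIED
-- is the status that shows up in the Windows XP output above.
local status_codes = two_way({
    NT_STATUS_SUCCESS       = 0x00000000,
    NT_STATUS_ACCESS_DENIED = 0xC0000022,
})

-- Name a status code parsed from a response. An unknown code falls back to
-- its hex form so the raw value is never hidden behind a nil in script output.
local function status_name(code)
    return status_codes[code] or string.format("UNKNOWN_STATUS_0x%08X", code)
end

-- Both directions resolve through the same table, with dot syntax for names.
assert(command_codes.SMB_COM_DELETE_DIRECTORY == 0x01)
assert(command_codes[0x01] == "SMB_COM_DELETE_DIRECTORY")
assert(status_name(0xC0000022) == "NT_STATUS_ACCESS_DENIED")
assert(status_name(0xC0000001) == "UNKNOWN_STATUS_0xC0000001")
print("ERROR: " .. status_name(0xC0000022))
```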

