Re: [NSELIB/NSE] Updates SMB/MSRPC scripts

[Ron <ron () skullsecurity net>]

Hi David,

David Fifield wrote:
> On Fri, Oct 03, 2008 at 11:09:16AM -0500, Ron wrote:
> So smb-enumusers.nse covers what you previously sent as
> smb-msrpc-bruteusers.nse, smb-msrpc-enumusers.nse, and smb-enum.nse? The
> new organization is logical, it's easier to predict what the scripts
> will do from their names.
That's correct. A tiny bit of functionality was lost with smb-enum.nse,
but I think as I develop more scripts with this, it'll come back.

> > - Removed smbconstants in favour of a two-way table
>
> You can make the constants tables even more concise and expressive by
> writing
>
> local command_codes = {
> SMB_COM_CREATE_DIRECTORY             = 0x00,
> SMB_COM_DELETE_DIRECTORY             = 0x01,
> ...
> }
>
> Likewise you can say command_codes.SMB_COM_CREATE_DIRECTORY rather than
> command_codes['SMB_COM_CREATE_DIRECTORY']. This is possible because all
> the table keys are legal identifiers.
Makes sense. If I do that with the error constants, is it possible to
reverse it so I can look up the name by the code?

> All the constants should be moved to the end of smb.lua--does that work?
I put it there originally and got an error: undefined, but maybe if I
change it to your way that would go away.

> > -- The 'referent_id' value is ignored, as far as I can tell, so this value is passed for it. No, it isn't random. :)
> > REFERENT_ID = 0x50414d4e
>
> Heh.
;)

> Yes, as I understand it authentication for these scripts and modules is
> wrapped up with the integration of the openssl module. Ron's scripts are
> going to be the first test of the module, apart from Sven's own
> SSH-hostkey.nse. When authentication in these scripts work and the
> openssl module has gotten some exercise I think we can add them at
> roughly the same time.
Yup, I'll start working on the authentication as soon as I'm happy that
the basic functionality is stable. I think I'm pretty much at that
point, so expect SSL stuff soon.

> Keep up the good work! Seriously, I think that the smb and msrpc modules
> are going to serve as examples of how to write other large NSE modules.
Heh, thanks. :)

I've tried to keep to decent coding standards well developing them, and
I'm open to suggestions on how to improve things.

> I'd like to commit this as soon as someone can independently verify that
> all the scripts work against Windows 2000. I don't have a machine to
> test against. The command to do it is
>
> nmap --script=smb-enumdomains.nse,smb-enumusers.nse,smb-enumshares.nse <target>
>
> Also try running with verbosity. For what it's worth, here's what I see
> running against Windows XP:
>
> Host script results:
> |_ MSRPC: List of domains: ERROR: NT_STATUS_ACCESS_DENIED
> |  MSRPC: NetShareEnumAll():
> |  Couldn't enum all shares, checking for common ones
> (NT_STATUS_ACCESS_DENIED)
> |  Anonymous shares: IPC$
> |_ Restricted shares: ADMIN$, C$
> |  MSRPC: List of user accounts:
> |  Enum via SAMR error: NT_STATUS_ACCESS_DENIED
> |  Enum via LSA error: NT_STATUS_ACCESS_DENIED
> |_ Sorry, couldn't find any account names anonymously!
Yeah, I get the same thing running against Windows XP.

> David Fifield

Ron

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org