Nmap Development mailing list archives

Re: afp-serverinfo.nse script -- new AFP library


From: David Fifield <david () bamsoftware com>
Date: Mon, 29 Mar 2010 14:33:55 -0600

On Wed, Feb 10, 2010 at 12:10:12AM -0600, Andrew Orr wrote:
I wrote an nse script that queries an AFP (Apple Filing Protocol) server  
(TCP 548) for basic server information. Mostly to practice my lua/nse,  
but it may be useful for some, so here it is.

Attached is the script itself as well as a patch to nselib/afp.lua  
against svn revision 16706 (latest as of half hour ago or so).

I'm somewhat new to lua and nse so if there is anything blatantly wrong  
with how I'm doing things please let me know. The bulk of the code is in  
afp.lua.patch. It is well commented, especially the hackish parts :)

Also if someone could test this out and let me know if it doesn't work  
on certain servers, that would be great.

@Patrik: I fixed the null byte bug and it should work on all your test  
machines now.

P.S.
Here's some example outputs from three machines, one running OS X 10.6.1  
(localhost), one running Ubuntu 9.10 and netatalk 2.0.4~beta2-5ubuntu2  
(172...) and one running on iPhone OS 3.1.2 and netatalk 2.0.4 (192...)

$ ./nmap -p 548 --script=afp-serverinfo.nse localhost 192.168.1.103 172.16.201.131

Starting Nmap 5.21 ( http://nmap.org ) at 2010-02-09 23:43 CST
NSE: Script Scanning completed.
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00022s latency).
PORT    STATE SERVICE
548/tcp open  afp
| afp-serverinfo:
|   | Server Flags: 0x8ffb
|   |   Super Client: Yes
|   |   UUIDs: No
|   |   UTF8 Server Name: Yes
|   |   Open Directory: Yes
|   |   Reconnect: Yes
|   |   Server Notifications: No
|   |   TCP/IP: No
|   |   Server Signature: No
|   |   ServerMessages: Yes
|   |   Password Saving Prohibited: Yes
|   |   Password Changing: Yes
|   |_  Copy File: Yes
|   Server Name: thrall
|   Machine Type: MacBookPro1,1
|   AFP Versions: AFP3.3, AFP3.2, AFP3.1, AFPX03
|   UAMs: DHCAST128, DHX2, Recon1, Client Krb v2, No User Authent
|   Server Signature: 0x0000000000100080000016CB9A545306
|   Network Address 1: 192.168.1.139:548
|   Network Address 2: 10.211.55.2:548
|   Network Address 3: 10.37.129.2:548
|   Network Address 4: 172.16.52.1:548
|   Network Address 5: 172.16.201.1:548
|   Network Address 6: 192.168.1.139
|   Directory Name 1: afpserver/LKDC:SHA1.16D4F43CEBC3AD8C7D805EB9C667484B5A7280B0@LKDC:SHA1.16D4F43CEBC3AD8C7D805EB9C667484B5A7280B0
|_  UTF8 Server Name: thrall

Patrik,

Can you tell me how much of this functionality is covered by your recent
changes to the afp library? I would like to add this script but the
original patch had some bugs: http://seclists.org/nmap-dev/2010/q1/665.
I noticed in one place you have the comment

                -- Netatalk returns the name with 1-byte length prefix,
                -- Mac OS has a 2-byte (UTF-8) length prefix

This was one of the questions about the original patch, whether a
one-byte length field offset was off by one or whether it was really a
two-byte field. You must have solved it in at least one case.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
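The length-prefix question raised above (a 1-byte Pascal prefix from Netatalk versus a 2-byte length in front of the UTF-8 server name on Mac OS) is exactly the kind of peer-controlled length that a server-info parser has to bound-check before trusting. The following Python parser is an added example, not code from this thread and not Nmap's own afp.lua: it walks an FPGetSrvrInfo reply body, tolerates both prefix forms for the UTF-8 name, and refuses any offset or length that points outside the buffer. The reply layout and the flag bit names follow Apple's AFP reference as I recall them, the two-then-one-byte heuristic in read_utf8_server_name is my own assumption, the sample reply is constructed (not a capture), and the network address list is deliberately left out.

```python
import struct

# Server-flag bits from Apple's AFP reference (assumption: bit-to-label mapping recalled, not verified here).
AFP_FLAGS = [
    (0x0001, "Copy File"),
    (0x0002, "Password Changing"),
    (0x0004, "Password Saving Prohibited"),
    (0x0008, "Server Messages"),
    (0x0010, "Server Signature"),
    (0x0020, "TCP/IP"),
    (0x0040, "Server Notifications"),
    (0x0080, "Reconnect"),
    (0x0100, "Open Directory"),
    (0x0200, "UTF8 Server Name"),
    (0x0400, "UUIDs"),
    (0x8000, "Super Client"),
]


class ParseError(ValueError):
    """Raised when an offset or length in the reply points outside the buffer."""


def _need(buf, off, n):
    # Every read goes through here: offsets and lengths come from the peer.
    if off < 0 or n < 0 or off + n > len(buf):
        raise ParseError("need %d bytes at offset %d, buffer is %d bytes" % (n, off, len(buf)))


def _u16(buf, off):
    _need(buf, off, 2)
    return struct.unpack_from(">H", buf, off)[0]


def _pstring(buf, off, lenbytes):
    """Length-prefixed string with a 1-byte (Pascal) or 2-byte prefix.
    Returns (text, offset just past the string)."""
    _need(buf, off, lenbytes)
    n = buf[off] if lenbytes == 1 else _u16(buf, off)
    start = off + lenbytes
    _need(buf, start, n)
    return bytes(buf[start:start + n]).decode("utf-8", "replace"), start + n


def _counted_list(buf, off):
    """A count byte followed by that many Pascal strings (AFP versions, UAMs, directory names)."""
    _need(buf, off, 1)
    count, off = buf[off], off + 1
    items = []
    for _ in range(count):
        s, off = _pstring(buf, off, 1)
        items.append(s)
    return items


def read_utf8_server_name(buf, off):
    """The spec gives the UTF-8 server name a 2-byte length; the thread reports Netatalk
    sending a 1-byte prefix. Heuristic (assumption): accept the 2-byte reading only if its
    length fits in the buffer and decodes as UTF-8, else fall back to the 1-byte reading.
    Returns (text, prefix bytes used). Neither path reads past the buffer."""
    try:
        n = _u16(buf, off)
        _need(buf, off + 2, n)
        return bytes(buf[off + 2:off + 2 + n]).decode("utf-8"), 2
    except (ParseError, UnicodeDecodeError):
        text, _ = _pstring(buf, off, 1)
        return text, 1


def parse_server_info(buf):
    """Parse an FPGetSrvrInfo reply body into a dict, refusing any field that points
    or extends outside the buffer. Network addresses are not parsed here."""
    _need(buf, 0, 10)
    mt_off, ver_off, uam_off, _icon_off, flags = struct.unpack_from(">HHHHH", buf, 0)
    server_name, off = _pstring(buf, 10, 1)
    off += off % 2  # the fixed part is padded to an even length
    _need(buf, off, 8)
    sig_off, _net_off, dir_off, utf8_off = struct.unpack_from(">HHHH", buf, off)
    info = {
        "flags": flags,
        "flag_names": [name for bit, name in AFP_FLAGS if flags & bit],
        "server_name": server_name,
        "machine_type": _pstring(buf, mt_off, 1)[0],
        "afp_versions": _counted_list(buf, ver_off),
        "uams": _counted_list(buf, uam_off),
    }
    if sig_off:
        _need(buf, sig_off, 16)
        info["server_signature"] = bytes(buf[sig_off:sig_off + 16]).hex()
    if dir_off:
        info["directory_names"] = _counted_list(buf, dir_off)
    if utf8_off:
        info["utf8_server_name"], info["utf8_prefix_bytes"] = read_utf8_server_name(buf, utf8_off)
    return info


def _p(s):
    return bytes([len(s)]) + s


def build_sample(utf8_prefix_bytes=2):
    """Constructed reply (not a capture) shaped like the OS X output quoted in the thread."""
    name = b"thrall"
    utf8 = (struct.pack(">H", len(name)) if utf8_prefix_bytes == 2 else bytes([len(name)])) + name
    sections = [
        _p(b"MacBookPro1,1"),
        b"\x02" + _p(b"AFP3.3") + _p(b"AFP3.2"),
        b"\x02" + _p(b"DHX2") + _p(b"DHCAST128"),
        bytes(range(16)),                    # placeholder server signature
        b"\x01" + _p(b"afpserver/example"),  # constructed directory name
        utf8,
    ]
    head = struct.pack(">HHHHH", 0, 0, 0, 0, 0x8ffb) + _p(name)
    head += b"\x00" * (len(head) % 2)
    offs, off = [], len(head) + 8
    for s in sections:
        offs.append(off)
        off += len(s)
    head = (struct.pack(">HHHHH", offs[0], offs[1], offs[2], 0, 0x8ffb) + head[10:]
            + struct.pack(">HHHH", offs[3], 0, offs[4], offs[5]))
    return head + b"".join(sections)


if __name__ == "__main__":
    for prefix in (2, 1):
        print("utf8 prefix of %d byte(s):" % prefix, parse_server_info(build_sample(prefix)))
```

Running the block parses the same constructed reply twice, once with each UTF-8 name prefix, and both come out as "thrall"; corrupting one of the offset fields makes the parser raise ParseError instead of slicing past the end, which is the property a script that talks to arbitrary port-548 listeners should have.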