Nmap Development mailing list archives

RE : [NSE script] t3 protocol


From: <alessandro.zanni () bt com>
Date: Wed, 30 Oct 2013 10:16:47 +0000


Dan, thank you for your research; your updates are great. I completely agree with your changes.
I only got one error when the version description was empty (not on ports 7001-7003): "weblogic-t3-info.nse:13: bad argument #1 to 'find' (string expected, got nil)".
So I changed the condition, adding "port.version.product ~= nil", and everything works fine now.

Alessandro ZANNI

PS: I wanted to thank Gil Noirot for letting me use his WebLogic server for these tests ;)

________________________________________
From: Daniel Miller [bonsaiviking () gmail com]
Sent: Tuesday, 29 October 2013 19:49
To: Zanni,A,Alessandro,JBP15 R; dev () nmap org
Subject: Re: [NSE script] t3 protocol

On 10/28/2013 08:52 AM, alessandro.zanni () bt com wrote:
I tried to improve my script following Daniel's advice.

After some tests, I found that both server responses (HELO.. and LGIN..) don't depend on whether authentication has been
implemented or not. I sent the same command ("t3 1") many times to the same server without changing any configuration,
and most of the time I saw the "LGIN:Invalid parameter" response and sometimes the "HELO" response. I am not able to explain
why this differs.

However, the HELO response discloses some technical information. My WebLogic server's response was as follows:
HELO:12.1.1.0.false
AS:2048
HL:19

Here "12.1.1.0" is the WebLogic version (my new script prints the version of the WebLogic server if a HELO response is
received). I couldn't determine what the "false" value corresponds to. The "AS" and "HL" are quite generic (tests were
done with an old WebLogic version and these parameters never changed).

I might be wrong, but I think it isn't possible to know whether the t3 protocol uses an authentication method by
parsing the response received, because the authentication process is implemented on the JNDI objects.

Thanks,

Alessandro ZANNI

Alessandro,

I did some decompiling of the free development WebLogic server, and
found that the LGIN response is being sent because our T3 header is
malformed. It needs the AS (Abbreviation Size) and HL (Header Length)
fields, too. The "false" is a boolean: hasTemporaryPatch.

I think you are right about authentication being implemented per-object.
I'll probably continue to research this, but I think the script is about
as far as it needs to be. I've attached an update with my contributions:

1. Tightened the portrule to match likely ports (TCP 7001-7003 or http
service or product contains "WebLogic")
2. Renamed the script to weblogic-t3-info
3. Made the script a version-detection script so it will run with -sV
and update the service information
4. Match the other possible return values to a T3 probe

Please test this and let us know if it works for you. I think we could
get this committed this week with a little testing.

Dan

Attachment: weblogic-t3-info.nse
Description: weblogic-t3-info.nse

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
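As an added example (not the weblogic-t3-info.nse script attached to the thread, and not Nmap project code), here is a small Python parser for the two reply shapes discussed above: the HELO reply carrying the version string, the hasTemporaryPatch flag and the AS/HL fields, and the LGIN reply that Dan traced to a malformed T3 header. The sample replies are constructed from the ones quoted in the thread; the field meanings are taken from Dan's decompilation notes.

```python
"""Parse the reply a WebLogic server sends to a T3 handshake probe.

Added example; the response layout follows the thread: a
"HELO:<version>.<hasTemporaryPatch>" line followed by "AS:<n>" and
"HL:<n>", or an "LGIN:<message>" line when the server rejects the header.
"""
from typing import Optional

# Constructed sample replies, modelled on the ones quoted in the thread.
HELO_REPLY = b"HELO:12.1.1.0.false\nAS:2048\nHL:19\n\n"
LGIN_REPLY = b"LGIN:Invalid parameter\n"


def parse_t3_response(data: bytes) -> Optional[dict]:
    """Return a dict describing the reply, or None if it is not T3-like."""
    text = data.decode("ascii", errors="replace")
    lines = [ln for ln in text.split("\n") if ln]
    if not lines or ":" not in lines[0]:
        return None
    status, _, rest = lines[0].partition(":")
    if status == "LGIN":
        # Per Dan's finding, LGIN comes back when the T3 header is malformed
        # (e.g. the AS and HL fields are missing), not because of auth.
        return {"status": "LGIN", "message": rest}
    if status != "HELO":
        return None
    # "12.1.1.0.false": everything before the last dot is the version,
    # the last token is the hasTemporaryPatch boolean.
    version, _, flag = rest.rpartition(".")
    if flag not in ("true", "false") or not version:
        return None
    result = {"status": "HELO", "version": version,
              "hasTemporaryPatch": flag == "true"}
    # Remaining "KEY:value" lines: AS = Abbreviation Size, HL = Header Length.
    for ln in lines[1:]:
        key, _, val = ln.partition(":")
        if key in ("AS", "HL") and val.isdigit():
            result[key] = int(val)
    return result


if __name__ == "__main__":
    print(parse_t3_response(HELO_REPLY))
    print(parse_t3_response(LGIN_REPLY))
```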
