Re: [nmap-svn] r36016 - in nmap: . nselib scripts
From: Paulino Calderon <paulino () calderonpale com>
Date: Thu, 21 Jul 2016 12:33:14 -0500
I was just thinking this morning we need something like this for writing a check for the HTTPoxy vuln. Thanks!
On Jul 21, 2016, at 12:05 PM, commit-mailer () nmap org wrote:
Author: dmiller
Date: Thu Jul 21 10:05:25 2016
New Revision: 36016
Log: Add clock-skew script, datetime library
Added: nmap/nselib/datetime.lua
Modified: nmap/CHANGELOG nmap/scripts/http-date.nse nmap/scripts/http-ntlm-info.nse nmap/scripts/imap-ntlm-info.nse nmap/scripts/ms-sql-ntlm-info.nse nmap/scripts/nntp-ntlm-info.nse nmap/scripts/ntp-info.nse nmap/scripts/pop3-ntlm-info.nse nmap/scripts/rfc868-time.nse nmap/scripts/script.db nmap/scripts/smb-security-mode.nse nmap/scripts/smtp-ntlm-info.nse nmap/scripts/ssl-date.nse nmap/scripts/telnet-ntlm-info.nse
Modified: nmap/CHANGELOG
==============================================================================
--- nmap/CHANGELOG (original)
+++ nmap/CHANGELOG Thu Jul 21 10:05:25 2016
@@ -1,5 +1,12 @@ # Nmap Changelog ($Id$); -*-text-*-
+o [NSE] Added the datetime library for performing date and time calculations,
+ and as a helper to the clock-skew script.
+
+o [NSE] Added clock-skew for analyzing and reporting clock skew between Nmap
+ and services that report timestamps. Reports groups of hosts with similar
+ skews. [Daniel Miller]
+
o [Ncat][GH#444] Added a -z option to Ncat. Just like the -z option in traditional netcat, it can be used to quicky check the status of a port. Port ranges are not supported. [Abhishek Singh]
Added: nmap/nselib/datetime.lua
==============================================================================
--- (empty file)
+++ nmap/nselib/datetime.lua Thu Jul 21 10:05:25 2016
@@ -0,0 +1,33 @@
+--- Functions for dealing with dates and timestamps
+--
+-- @copyright Same as Nmap--See https://nmap.org/book/man-legal.html
+-- @class module
+-- @name datetime
+-- @author Daniel Miller
+
+local stdnse = require "stdnse"
+local os = require "os"
+local math = require "math"
+_ENV = stdnse.module("datetime", stdnse.seeall)
+
+--- Record a time difference between the scanner and the target
+--
+-- The skew will be recorded in the host's registry for later retrieval and
+-- analysis. Adjusts for network distance by subtracting half the smoothed
+-- round-trip time.
+--
+--@param host The host being scanned
+--@param timestamp The target timestamp, in seconds.
+--@param received The local time the stamp was received, in seconds.
+function record_skew(host, timestamp, received)
+ local skew_tab = host.registry.datetime_skew
+ skew_tab = skew_tab or {}
+ -- No srtt? I suppose we'll ignore it, but this could cause problems
+ local srtt = host.times and host.times.srtt or 0
+ local adjusted = os.difftime(math.floor(timestamp), math.floor(received)) - srtt / 2.0
+ skew_tab[#skew_tab + 1] = adjusted
+ stdnse.debug2("record_skew: %s", adjusted)
+ host.registry.datetime_skew = skew_tab
+end
+
+return _ENV
Modified: nmap/scripts/http-date.nse
==============================================================================
--- nmap/scripts/http-date.nse (original)
+++ nmap/scripts/http-date.nse Thu Jul 21 10:05:25 2016
@@ -3,6 +3,7 @@ local shortport = require "shortport" local stdnse = require "stdnse" local string = require "string" +local datetime = require "datetime" description = [[ Gets the date from HTTP-like services. Also prints how much the date
@@ -31,8 +32,8 @@ portrule = shortport.http action = function(host, port) - local request_time = os.time() local response = http.get(host, port, "/") + local request_time = os.time() if not response.status or not response.header["date"] then return end
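Review bot: `record_skew` floors both stamps before calling os.difftime, which discards the sub-second part that callers such as ntp-info supply while the srtt/2 correction is still applied at full precision; since Lua 5.3's os.difftime rejects arguments without an integer representation the floors look deliberate, but they deserve a why-comment such as `-- os.difftime needs integer-representable args, so truncate to whole seconds`. The docstring should also state the unit and sign of the stored value (seconds; positive when the target's clock is ahead of the scanner's) and that `host.times.srtt` is assumed to be in seconds, because clock-skew will group hosts on exactly this number. The value comes straight from the remote service, so consumers of `host.registry.datetime_skew` should treat it as target-controlled input rather than a measurement — a host can report any time it likes and land in whichever skew group it wants. `skew_tab = skew_tab or {}` can be folded into the declaration, `local skew_tab = host.registry.datetime_skew or {}`.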
@@ -47,6 +48,8 @@ output_tab.date = stdnse.format_timestamp(response_time, 0) output_tab.delta = os.difftime(response_time, request_time) + datetime.record_skew(host, response_time, request_time) + local output_str = string.format("%s; %s from local time.", response.header["date"], stdnse.format_difftime(os.date("!*t", response_time), os.date("!*t", request_time)))
Modified: nmap/scripts/http-ntlm-info.nse
==============================================================================
--- nmap/scripts/http-ntlm-info.nse (original)
+++ nmap/scripts/http-ntlm-info.nse Thu Jul 21 10:05:25 2016
@@ -1,4 +1,6 @@ local bin = require "bin" +local os = require "os" +local datetime = require "datetime" local http = require "http" local shortport = require "shortport" local stdnse = require "stdnse"
@@ -74,6 +76,7 @@ local opts = { header = { Authorization = "NTLM " .. auth_blob } } local response = http.get( host, port, root, opts ) + local recvtime = os.time() -- Continue only if correct header (www-authenticate) and NTLM response are included if response.header["www-authenticate"] and string.match(response.header["www-authenticate"], "NTLM (.*)") then
@@ -84,6 +87,12 @@ -- Leverage smbauth.get_host_info_from_security_blob() for decoding local ntlm_decoded = smbauth.get_host_info_from_security_blob(data) + if ntlm_decoded.timestamp then + -- 64-bit number of 100ns clicks since 1/1/1601 + local unixstamp = ntlm_decoded.timestamp // 10000000 - 11644473600 + datetime.record_skew(host, unixstamp, recvtime) + end + -- Target Name will always be returned under any implementation output.Target_Name = ntlm_decoded.target_realm
Modified: nmap/scripts/imap-ntlm-info.nse
==============================================================================
--- nmap/scripts/imap-ntlm-info.nse (original)
+++ nmap/scripts/imap-ntlm-info.nse Thu Jul 21 10:05:25 2016
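Review bot: The `if ntlm_decoded.timestamp then` guard in the http-ntlm-info hunk accepts a timestamp of 0, which after `// 10000000 - 11644473600` records a skew of about -11644473600 seconds, while the smtp-ntlm-info hunk in this same commit guards with `ntlm_decoded.timestamp > 0`, so the NTLM scripts disagree on the same input. If smbauth can yield 0 for an absent timestamp field — the smtp change suggests someone saw that — the imap, ms-sql, nntp, pop3 and telnet hunks need the same `if ntlm_decoded.timestamp and ntlm_decoded.timestamp > 0 then`. The conversion block is copy-pasted across all of these scripts; a `datetime` helper taking the raw 100ns-since-1601 count and the receive time would keep the epoch constant and the zero check in one place. The enclosing action functions start outside these hunks.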
@@ -1,4 +1,6 @@ local comm = require "comm" +local os = require "os" +local datetime = require "datetime" local bin = require "bin" local shortport = require "shortport" local sslcert = require "sslcert"
@@ -109,6 +111,7 @@ return nil end + local recvtime = os.time() socket:close() if string.match(response, "^A%d%d%d%d ") then
@@ -134,6 +137,12 @@ -- Leverage smbauth.get_host_info_from_security_blob() for decoding local ntlm_decoded = smbauth.get_host_info_from_security_blob(response_decoded) + if ntlm_decoded.timestamp then + -- 64-bit number of 100ns clicks since 1/1/1601 + local unixstamp = ntlm_decoded.timestamp // 10000000 - 11644473600 + datetime.record_skew(host, unixstamp, recvtime) + end + -- Target Name will always be returned under any implementation output.Target_Name = ntlm_decoded.target_realm
Modified: nmap/scripts/ms-sql-ntlm-info.nse
==============================================================================
--- nmap/scripts/ms-sql-ntlm-info.nse (original)
+++ nmap/scripts/ms-sql-ntlm-info.nse Thu Jul 21 10:05:25 2016
@@ -1,4 +1,6 @@ local bin = require "bin" +local os = require "os" +local datetime = require "datetime" local mssql = require "mssql" local shortport = require "shortport" local stdnse = require "stdnse"
@@ -72,6 +74,7 @@ end local status, response, errorDetail = tdsstream:Receive() + local recvtime = os.time() tdsstream:Disconnect() local pos, ttype = bin.unpack("C", response)
@@ -87,6 +90,12 @@ -- Leverage smbauth.get_host_info_from_security_blob() for decoding local ntlm_decoded = smbauth.get_host_info_from_security_blob(data) + if ntlm_decoded.timestamp then + -- 64-bit number of 100ns clicks since 1/1/1601 + local unixstamp = ntlm_decoded.timestamp // 10000000 - 11644473600 + datetime.record_skew(host, unixstamp, recvtime) + end + -- Target Name will always be returned under any implementation output.Target_Name = ntlm_decoded.target_realm
Modified: nmap/scripts/nntp-ntlm-info.nse
==============================================================================
--- nmap/scripts/nntp-ntlm-info.nse (original)
+++ nmap/scripts/nntp-ntlm-info.nse Thu Jul 21 10:05:25 2016
@@ -1,4 +1,6 @@ local comm = require "comm" +local os = require "os" +local datetime = require "datetime" local shortport = require "shortport" local stdnse = require "stdnse" local base64 = require "base64"
@@ -101,6 +103,7 @@ end end + local recvtime = os.time() socket:close() -- Continue only if a 381 response is returned
@@ -119,6 +122,12 @@ -- Leverage smbauth.get_host_info_from_security_blob() for decoding local ntlm_decoded = smbauth.get_host_info_from_security_blob(response_decoded) + if ntlm_decoded.timestamp then + -- 64-bit number of 100ns clicks since 1/1/1601 + local unixstamp = ntlm_decoded.timestamp // 10000000 - 11644473600 + datetime.record_skew(host, unixstamp, recvtime) + end + -- Target Name will always be returned under any implementation output.Target_Name = ntlm_decoded.target_realm
Modified: nmap/scripts/ntp-info.nse
==============================================================================
--- nmap/scripts/ntp-info.nse (original)
+++ nmap/scripts/ntp-info.nse Thu Jul 21 10:05:25 2016
@@ -1,5 +1,8 @@ local bin = require "bin" local comm = require "comm" +local datetime = require "datetime" +local os = require "os" +local math = require "math" local nmap = require "nmap" local shortport = require "shortport" local stdnse = require "stdnse"
@@ -100,13 +103,15 @@ status, buftres = comm.exchange(host, port, treq, {timeout=TIMEOUT}) if status then - local _, sec, frac, tstamp + local recvtime = os.time() - _, sec, frac = bin.unpack(">II", buftres, 33) + local _, sec, frac = bin.unpack(">II", buftres, 33) -- The NTP epoch is 1900-01-01, so subtract 70 years to bring the date into -- the range Lua expects. The number of seconds at 1970-01-01 is taken from -- the NTP4 reference above. - tstamp = sec - 2208988800 + frac / 0x10000000 + local tstamp = sec - 2208988800 + frac / 0x10000000 + + datetime.record_skew(host, tstamp, recvtime) output["receive time stamp"] = stdnse.format_timestamp(tstamp) end
Modified: nmap/scripts/pop3-ntlm-info.nse
==============================================================================
--- nmap/scripts/pop3-ntlm-info.nse (original)
+++ nmap/scripts/pop3-ntlm-info.nse Thu Jul 21 10:05:25 2016
@@ -1,4 +1,6 @@ local comm = require "comm" +local os = require "os" +local datetime = require "datetime" local bin = require "bin" local shortport = require "shortport" local stdnse = require "stdnse"
@@ -102,6 +104,7 @@ return end + local recvtime = os.time() socket:close() -- Continue only if a + response is returned
@@ -119,6 +122,12 @@ -- Leverage smbauth.get_host_info_from_security_blob() for decoding local ntlm_decoded = smbauth.get_host_info_from_security_blob(response_decoded) + if ntlm_decoded.timestamp then + -- 64-bit number of 100ns clicks since 1/1/1601 + local unixstamp = ntlm_decoded.timestamp // 10000000 - 11644473600 + datetime.record_skew(host, unixstamp, recvtime) + end + -- Target Name will always be returned under any implementation output.Target_Name = ntlm_decoded.target_realm
Modified: nmap/scripts/rfc868-time.nse
==============================================================================
--- nmap/scripts/rfc868-time.nse (original)
+++ nmap/scripts/rfc868-time.nse Thu Jul 21 10:05:25 2016
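Review bot: The new-side line `local tstamp = sec - 2208988800 + frac / 0x10000000` in the ntp-info hunk divides the NTP fraction field by 2^28 rather than 2^32; `bin.unpack(">II")` yields two full 32-bit fields, so `frac` can contribute up to about 16 seconds instead of less than one. The commit only adds `local` to that line, but the value now also feeds `datetime.record_skew`, which floors `tstamp`, so the recorded skew for an NTP server can be wrong by up to 15 whole seconds and will likely place it in the wrong skew group. The fix is `local tstamp = sec - 2208988800 + frac / 0x100000000`. The action function continues outside the hunk.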
@@ -1,4 +1,5 @@ local comm = require "comm" +local datetime = require "datetime" local shortport = require "shortport" local stdnse = require "stdnse" local bin = require "bin"
@@ -46,12 +47,14 @@ -- Make sure we don't stomp a more-likely service detection. if port.version.name == "time" then - local diff = os.difftime(stamp,os.time()) + local recvtime = os.time() + local diff = os.difftime(stamp,recvtime) if diff < 0 then diff = -diff end -- confidence decreases by 1 for each year the time is off. stdnse.debug1("Time difference: %d seconds (%0.2f years)", diff, diff / 31556926) local confidence = 10 - diff / 31556926 if confidence < 0 then confidence = 0 end + datetime.record_skew(host, stamp, recvtime) port.version.name_confidence = confidence nmap.set_port_version(host, port, "hardmatched") end
Modified: nmap/scripts/script.db
==============================================================================
--- nmap/scripts/script.db (original)
+++ nmap/scripts/script.db Thu Jul 21 10:05:25 2016
@@ -64,6 +64,7 @@ Entry { filename = "citrix-enum-servers-xml.nse", categories = { "discovery", "safe", } } Entry { filename = "citrix-enum-servers.nse", categories = { "discovery", "safe", } } Entry { filename = "clamav-exec.nse", categories = { "exploit", "vuln", } } +Entry { filename = "clock-skew.nse", categories = { "default", "safe", } } Entry { filename = "couchdb-databases.nse", categories = { "discovery", "safe", } } Entry { filename = "couchdb-stats.nse", categories = { "discovery", "safe", } } Entry { filename = "creds-summary.nse", categories = { "auth", "default", "safe", } }
Modified: nmap/scripts/smb-security-mode.nse
==============================================================================
--- nmap/scripts/smb-security-mode.nse (original)
+++ nmap/scripts/smb-security-mode.nse Thu Jul 21 10:05:25 2016
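Review bot: In the rfc868-time hunk `datetime.record_skew(host, stamp, recvtime)` sits inside `if port.version.name == "time" then`, so a stamp that parsed fine from a port whose version name is not `time` is never recorded, while the other scripts in this commit record as soon as they have a timestamp. If that is deliberate (keep unconfirmed services out of the clock-skew groups) a one-line comment such as `-- only record skew once we are confident this really is a time service` would spare the next reader the question; otherwise `recvtime` and the `record_skew` call belong before the `if`. `recvtime` is also sampled here rather than right after the exchange, which lies outside the hunk; if anything runs between the two, moving the `os.time()` call next to the receive keeps the measurement consistent with the rest of the commit. The enclosing function starts and ends outside the hunk.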
@@ -1,4 +1,6 @@ local bit = require "bit" +local os = require "os" +local datetime = require "datetime" local smb = require "smb" local stdnse = require "stdnse" local string = require "string"
@@ -101,6 +103,9 @@ smb.stop(state) return stdnse.format_output(false, err) end + if state.time then + datetime.record_skew(host, state.time, os.time()) + end local security_mode = state['security_mode']
Modified: nmap/scripts/smtp-ntlm-info.nse
==============================================================================
--- nmap/scripts/smtp-ntlm-info.nse (original)
+++ nmap/scripts/smtp-ntlm-info.nse Thu Jul 21 10:05:25 2016
@@ -1,3 +1,5 @@ +local datetime = require "datetime" +local os = require "os" local smtp = require "smtp" local bin = require "bin" local shortport = require "shortport"
@@ -125,6 +127,7 @@ if not response then return end + local recvtime = os.time() socket:close()
@@ -143,6 +146,13 @@ local ntlm_decoded = smbauth.get_host_info_from_security_blob(response_decoded) + if ntlm_decoded.timestamp and ntlm_decoded.timestamp > 0 then + stdnse.debug1("timestamp is %s", ntlm_decoded.timestamp) + -- 64-bit number of 100ns clicks since 1/1/1601 + local unixstamp = ntlm_decoded.timestamp // 10000000 - 11644473600 + datetime.record_skew(host, unixstamp, recvtime) + end + -- Target Name will always be returned under any implementation output.Target_Name = ntlm_decoded.target_realm
Modified: nmap/scripts/ssl-date.nse
==============================================================================
--- nmap/scripts/ssl-date.nse (original)
+++ nmap/scripts/ssl-date.nse Thu Jul 21 10:05:25 2016
@@ -7,6 +7,7 @@ local string = require "string" local sslcert = require "sslcert" local tls = require "tls" +local datetime = require "datetime" description = [[ Retrieves a target host's time and date from its TLS ServerHello response.
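Review bot: In the smb-security-mode hunk the receive time is `os.time()` evaluated at the `record_skew` call, after the SMB negotiation that produced `state.time` has already returned (that call is outside the hunk), whereas every other script in this commit stores `recvtime` immediately after the response arrives; if the setup does further round trips before this line, the skew is overstated by that delay. Capturing the time where `state.time` is filled in, or at least in a local right after the negotiation call returns, would keep the measurement comparable across scripts. The smtp-ntlm-info hunk on this line also logs `stdnse.debug1("timestamp is %s", ntlm_decoded.timestamp)` at level 1 where its sibling scripts log nothing; `stdnse.debug2` or dropping the line would match them. The enclosing action functions start outside these hunks.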
@@ -201,6 +202,7 @@ end end + datetime.record_skew(host, tm.target, tm.scanner) local output = { date = stdnse.format_timestamp(tm.target, 0), delta = tm.delta,
Modified: nmap/scripts/telnet-ntlm-info.nse
==============================================================================
--- nmap/scripts/telnet-ntlm-info.nse (original)
+++ nmap/scripts/telnet-ntlm-info.nse Thu Jul 21 10:05:25 2016
@@ -1,3 +1,5 @@ +local datetime = require "datetime" +local os = require "os" local bin = require "bin" local comm = require "comm" local shortport = require "shortport"
@@ -87,6 +89,7 @@ return nil end + local recvtime = os.time() socket:close() -- Continue only if NTLMSSP response is returned.
@@ -100,6 +103,12 @@ -- Leverage smbauth.get_host_info_from_security_blob() for decoding local ntlm_decoded = smbauth.get_host_info_from_security_blob(data) + if ntlm_decoded.timestamp then + -- 64-bit number of 100ns clicks since 1/1/1601 + local unixstamp = ntlm_decoded.timestamp // 10000000 - 11644473600 + datetime.record_skew(host, unixstamp, recvtime) + end + -- Target Name will always be returned under any implementation output.Target_Name = ntlm_decoded.target_realm _______________________________________________ Sent through the svn mailing list https://nmap.org/mailman/listinfo/svn