Re: [nmap-svn] r36016 - in nmap: . nselib scripts

[Paulino Calderon <paulino () calderonpale com>]

I was just thinking this morning we need something like this for writing a check for the HTTPoxy vuln.

Thanks!

> On Jul 21, 2016, at 12:05 PM, commit-mailer () nmap org wrote:
>
> Author: dmiller
> Date: Thu Jul 21 10:05:25 2016
> New Revision: 36016
>
> Log:
> Add clock-skew script, datetime library
>
> Added:
>   nmap/nselib/datetime.lua
> Modified:
>   nmap/CHANGELOG
>   nmap/scripts/http-date.nse
>   nmap/scripts/http-ntlm-info.nse
>   nmap/scripts/imap-ntlm-info.nse
>   nmap/scripts/ms-sql-ntlm-info.nse
>   nmap/scripts/nntp-ntlm-info.nse
>   nmap/scripts/ntp-info.nse
>   nmap/scripts/pop3-ntlm-info.nse
>   nmap/scripts/rfc868-time.nse
>   nmap/scripts/script.db
>   nmap/scripts/smb-security-mode.nse
>   nmap/scripts/smtp-ntlm-info.nse
>   nmap/scripts/ssl-date.nse
>   nmap/scripts/telnet-ntlm-info.nse
>
> Modified: nmap/CHANGELOG
> ==============================================================================
> --- nmap/CHANGELOG    (original)
> +++ nmap/CHANGELOG    Thu Jul 21 10:05:25 2016
> @@ -1,5 +1,12 @@
> # Nmap Changelog ($Id$); -*-text-*-
>
> +o [NSE] Added the datetime library for performing date and time calculations,
> +  and as a helper to the clock-skew script.
> +
> +o [NSE] Added clock-skew for analyzing and reporting clock skew between Nmap
> +  and services that report timestamps. Reports groups of hosts with similar
> +  skews. [Daniel Miller]
> +
> o [Ncat][GH#444] Added a -z option to Ncat. Just like the -z option in
>   traditional netcat, it can be used to quicky check the status of a port. Port
>   ranges are not supported. [Abhishek Singh]
>
> Added: nmap/nselib/datetime.lua
> ==============================================================================
> --- (empty file)
> +++ nmap/nselib/datetime.lua  Thu Jul 21 10:05:25 2016
> @@ -0,0 +1,33 @@
> +--- Functions for dealing with dates and timestamps
> +--
> +-- @copyright Same as Nmap--See https://nmap.org/book/man-legal.html
> +-- @class module
> +-- @name datetime
> +-- @author Daniel Miller
> +
> +local stdnse = require "stdnse"
> +local os = require "os"
> +local math = require "math"
> +_ENV = stdnse.module("datetime", stdnse.seeall)
> +
> +--- Record a time difference between the scanner and the target
> +--
> +-- The skew will be recorded in the host's registry for later retrieval and
> +-- analysis. Adjusts for network distance by subtracting half the smoothed
> +-- round-trip time.
> +--
> +--@param host The host being scanned
> +--@param timestamp The target timestamp, in seconds.
> +--@param received The local time the stamp was received, in seconds.
> +function record_skew(host, timestamp, received)
> +  local skew_tab = host.registry.datetime_skew
> +  skew_tab = skew_tab or {}
> +  -- No srtt? I suppose we'll ignore it, but this could cause problems
> +  local srtt = host.times and host.times.srtt or 0
> +  local adjusted = os.difftime(math.floor(timestamp), math.floor(received)) - srtt / 2.0
> +  skew_tab[#skew_tab + 1] = adjusted
> +  stdnse.debug2("record_skew: %s", adjusted)
> +  host.registry.datetime_skew = skew_tab
> +end
> +
> +return _ENV
>
> Modified: nmap/scripts/http-date.nse
> ==============================================================================
> --- nmap/scripts/http-date.nse        (original)
> +++ nmap/scripts/http-date.nse        Thu Jul 21 10:05:25 2016
> @@ -3,6 +3,7 @@
> local shortport = require "shortport"
> local stdnse = require "stdnse"
> local string = require "string"
> +local datetime = require "datetime"
>
> description = [[
> Gets the date from HTTP-like services. Also prints how much the date
> @@ -31,8 +32,8 @@
> portrule = shortport.http
>
> action = function(host, port)
> -  local request_time = os.time()
>   local response = http.get(host, port, "/")
> +  local request_time = os.time()
>   if not response.status or not response.header["date"] then
>     return
>   end
> @@ -47,6 +48,8 @@
>   output_tab.date = stdnse.format_timestamp(response_time, 0)
>   output_tab.delta = os.difftime(response_time, request_time)
>
> +  datetime.record_skew(host, response_time, request_time)
> +
>   local output_str = string.format("%s; %s from local time.",
>     response.header["date"], stdnse.format_difftime(os.date("!*t", response_time), os.date("!*t", request_time)))
>
>
> Modified: nmap/scripts/http-ntlm-info.nse
> ==============================================================================
> --- nmap/scripts/http-ntlm-info.nse   (original)
> +++ nmap/scripts/http-ntlm-info.nse   Thu Jul 21 10:05:25 2016
> @@ -1,4 +1,6 @@
> local bin = require "bin"
> +local os = require "os"
> +local datetime = require "datetime"
> local http = require "http"
> local shortport = require "shortport"
> local stdnse = require "stdnse"
> @@ -74,6 +76,7 @@
>   local opts = { header = { Authorization = "NTLM " .. auth_blob } }
>
>   local response = http.get( host, port, root, opts )
> +  local recvtime = os.time()
>
>   -- Continue only if correct header (www-authenticate) and NTLM response are included
>   if response.header["www-authenticate"] and string.match(response.header["www-authenticate"], "NTLM (.*)") then
> @@ -84,6 +87,12 @@
>     -- Leverage smbauth.get_host_info_from_security_blob() for decoding
>     local ntlm_decoded = smbauth.get_host_info_from_security_blob(data)
>
> +    if ntlm_decoded.timestamp then
> +      -- 64-bit number of 100ns clicks since 1/1/1601
> +      local unixstamp = ntlm_decoded.timestamp // 10000000 - 11644473600
> +      datetime.record_skew(host, unixstamp, recvtime)
> +    end
> +
>     -- Target Name will always be returned under any implementation
>     output.Target_Name = ntlm_decoded.target_realm
>
>
> Modified: nmap/scripts/imap-ntlm-info.nse
> ==============================================================================
> --- nmap/scripts/imap-ntlm-info.nse   (original)
> +++ nmap/scripts/imap-ntlm-info.nse   Thu Jul 21 10:05:25 2016
> @@ -1,4 +1,6 @@
> local comm = require "comm"
> +local os = require "os"
> +local datetime = require "datetime"
> local bin = require "bin"
> local shortport = require "shortport"
> local sslcert = require "sslcert"
> @@ -109,6 +111,7 @@
>     return nil
>   end
>
> +  local recvtime = os.time()
>   socket:close()
>
>   if string.match(response, "^A%d%d%d%d ") then
> @@ -134,6 +137,12 @@
>   -- Leverage smbauth.get_host_info_from_security_blob() for decoding
>   local ntlm_decoded = smbauth.get_host_info_from_security_blob(response_decoded)
>
> +  if ntlm_decoded.timestamp then
> +    -- 64-bit number of 100ns clicks since 1/1/1601
> +    local unixstamp = ntlm_decoded.timestamp // 10000000 - 11644473600
> +    datetime.record_skew(host, unixstamp, recvtime)
> +  end
> +
>   -- Target Name will always be returned under any implementation
>   output.Target_Name = ntlm_decoded.target_realm
>
>
> Modified: nmap/scripts/ms-sql-ntlm-info.nse
> ==============================================================================
> --- nmap/scripts/ms-sql-ntlm-info.nse (original)
> +++ nmap/scripts/ms-sql-ntlm-info.nse Thu Jul 21 10:05:25 2016
> @@ -1,4 +1,6 @@
> local bin = require "bin"
> +local os = require "os"
> +local datetime = require "datetime"
> local mssql = require "mssql"
> local shortport = require "shortport"
> local stdnse = require "stdnse"
> @@ -72,6 +74,7 @@
>   end
>
>   local status, response, errorDetail = tdsstream:Receive()
> +  local recvtime = os.time()
>   tdsstream:Disconnect()
>
>   local pos, ttype = bin.unpack("C", response)
> @@ -87,6 +90,12 @@
>   -- Leverage smbauth.get_host_info_from_security_blob() for decoding
>   local ntlm_decoded = smbauth.get_host_info_from_security_blob(data)
>
> +  if ntlm_decoded.timestamp then
> +    -- 64-bit number of 100ns clicks since 1/1/1601
> +    local unixstamp = ntlm_decoded.timestamp // 10000000 - 11644473600
> +    datetime.record_skew(host, unixstamp, recvtime)
> +  end
> +
>   -- Target Name will always be returned under any implementation
>   output.Target_Name = ntlm_decoded.target_realm
>
>
> Modified: nmap/scripts/nntp-ntlm-info.nse
> ==============================================================================
> --- nmap/scripts/nntp-ntlm-info.nse   (original)
> +++ nmap/scripts/nntp-ntlm-info.nse   Thu Jul 21 10:05:25 2016
> @@ -1,4 +1,6 @@
> local comm = require "comm"
> +local os = require "os"
> +local datetime = require "datetime"
> local shortport = require "shortport"
> local stdnse = require "stdnse"
> local base64 = require "base64"
> @@ -101,6 +103,7 @@
>     end
>   end
>
> +  local recvtime = os.time()
>   socket:close()
>
>   -- Continue only if a 381 response is returned
> @@ -119,6 +122,12 @@
>   -- Leverage smbauth.get_host_info_from_security_blob() for decoding
>   local ntlm_decoded = smbauth.get_host_info_from_security_blob(response_decoded)
>
> +  if ntlm_decoded.timestamp then
> +    -- 64-bit number of 100ns clicks since 1/1/1601
> +    local unixstamp = ntlm_decoded.timestamp // 10000000 - 11644473600
> +    datetime.record_skew(host, unixstamp, recvtime)
> +  end
> +
>   -- Target Name will always be returned under any implementation
>   output.Target_Name = ntlm_decoded.target_realm
>
>
> Modified: nmap/scripts/ntp-info.nse
> ==============================================================================
> --- nmap/scripts/ntp-info.nse (original)
> +++ nmap/scripts/ntp-info.nse Thu Jul 21 10:05:25 2016
> @@ -1,5 +1,8 @@
> local bin = require "bin"
> local comm = require "comm"
> +local datetime = require "datetime"
> +local os = require "os"
> +local math = require "math"
> local nmap = require "nmap"
> local shortport = require "shortport"
> local stdnse = require "stdnse"
> @@ -100,13 +103,15 @@
>
>   status, buftres = comm.exchange(host, port, treq, {timeout=TIMEOUT})
>   if status then
> -    local _, sec, frac, tstamp
> +    local recvtime = os.time()
>
> -    _, sec, frac = bin.unpack(">II", buftres, 33)
> +    local _, sec, frac = bin.unpack(">II", buftres, 33)
>     -- The NTP epoch is 1900-01-01, so subtract 70 years to bring the date into
>     -- the range Lua expects. The number of seconds at 1970-01-01 is taken from
>     -- the NTP4 reference above.
> -    tstamp = sec - 2208988800 + frac / 0x10000000
> +    local tstamp = sec - 2208988800 + frac / 0x10000000
> +
> +    datetime.record_skew(host, tstamp, recvtime)
>
>     output["receive time stamp"] = stdnse.format_timestamp(tstamp)
>   end
>
> Modified: nmap/scripts/pop3-ntlm-info.nse
> ==============================================================================
> --- nmap/scripts/pop3-ntlm-info.nse   (original)
> +++ nmap/scripts/pop3-ntlm-info.nse   Thu Jul 21 10:05:25 2016
> @@ -1,4 +1,6 @@
> local comm = require "comm"
> +local os = require "os"
> +local datetime = require "datetime"
> local bin = require "bin"
> local shortport = require "shortport"
> local stdnse = require "stdnse"
> @@ -102,6 +104,7 @@
>     return
>   end
>
> +  local recvtime = os.time()
>   socket:close()
>
>   -- Continue only if a + response is returned
> @@ -119,6 +122,12 @@
>   -- Leverage smbauth.get_host_info_from_security_blob() for decoding
>   local ntlm_decoded = smbauth.get_host_info_from_security_blob(response_decoded)
>
> +  if ntlm_decoded.timestamp then
> +    -- 64-bit number of 100ns clicks since 1/1/1601
> +    local unixstamp = ntlm_decoded.timestamp // 10000000 - 11644473600
> +    datetime.record_skew(host, unixstamp, recvtime)
> +  end
> +
>   -- Target Name will always be returned under any implementation
>   output.Target_Name = ntlm_decoded.target_realm
>
>
> Modified: nmap/scripts/rfc868-time.nse
> ==============================================================================
> --- nmap/scripts/rfc868-time.nse      (original)
> +++ nmap/scripts/rfc868-time.nse      Thu Jul 21 10:05:25 2016
> @@ -1,4 +1,5 @@
> local comm = require "comm"
> +local datetime = require "datetime"
> local shortport = require "shortport"
> local stdnse = require "stdnse"
> local bin = require "bin"
> @@ -46,12 +47,14 @@
>
>     -- Make sure we don't stomp a more-likely service detection.
>     if port.version.name == "time" then
> -      local diff = os.difftime(stamp,os.time())
> +      local recvtime = os.time()
> +      local diff = os.difftime(stamp,recvtime)
>       if diff < 0 then diff = -diff end
>       -- confidence decreases by 1 for each year the time is off.
>       stdnse.debug1("Time difference: %d seconds (%0.2f years)", diff, diff / 31556926)
>       local confidence = 10 - diff / 31556926
>       if confidence < 0 then confidence = 0 end
> +      datetime.record_skew(host, stamp, recvtime)
>       port.version.name_confidence = confidence
>       nmap.set_port_version(host, port, "hardmatched")
>     end
>
> Modified: nmap/scripts/script.db
> ==============================================================================
> --- nmap/scripts/script.db    (original)
> +++ nmap/scripts/script.db    Thu Jul 21 10:05:25 2016
> @@ -64,6 +64,7 @@
> Entry { filename = "citrix-enum-servers-xml.nse", categories = { "discovery", "safe", } }
> Entry { filename = "citrix-enum-servers.nse", categories = { "discovery", "safe", } }
> Entry { filename = "clamav-exec.nse", categories = { "exploit", "vuln", } }
> +Entry { filename = "clock-skew.nse", categories = { "default", "safe", } }
> Entry { filename = "couchdb-databases.nse", categories = { "discovery", "safe", } }
> Entry { filename = "couchdb-stats.nse", categories = { "discovery", "safe", } }
> Entry { filename = "creds-summary.nse", categories = { "auth", "default", "safe", } }
>
> Modified: nmap/scripts/smb-security-mode.nse
> ==============================================================================
> --- nmap/scripts/smb-security-mode.nse        (original)
> +++ nmap/scripts/smb-security-mode.nse        Thu Jul 21 10:05:25 2016
> @@ -1,4 +1,6 @@
> local bit = require "bit"
> +local os = require "os"
> +local datetime = require "datetime"
> local smb = require "smb"
> local stdnse = require "stdnse"
> local string = require "string"
> @@ -101,6 +103,9 @@
>     smb.stop(state)
>     return stdnse.format_output(false, err)
>   end
> +  if state.time then
> +    datetime.record_skew(host, state.time, os.time())
> +  end
>
>   local security_mode = state['security_mode']
>
>
> Modified: nmap/scripts/smtp-ntlm-info.nse
> ==============================================================================
> --- nmap/scripts/smtp-ntlm-info.nse   (original)
> +++ nmap/scripts/smtp-ntlm-info.nse   Thu Jul 21 10:05:25 2016
> @@ -1,3 +1,5 @@
> +local datetime = require "datetime"
> +local os = require "os"
> local smtp = require "smtp"
> local bin = require "bin"
> local shortport = require "shortport"
> @@ -125,6 +127,7 @@
>   if not response then
>     return
>   end
> +  local recvtime = os.time()
>
>   socket:close()
>
> @@ -143,6 +146,13 @@
>
>   local ntlm_decoded = smbauth.get_host_info_from_security_blob(response_decoded)
>
> +  if ntlm_decoded.timestamp and ntlm_decoded.timestamp > 0 then
> +    stdnse.debug1("timestamp is %s", ntlm_decoded.timestamp)
> +    -- 64-bit number of 100ns clicks since 1/1/1601
> +    local unixstamp = ntlm_decoded.timestamp // 10000000 - 11644473600
> +    datetime.record_skew(host, unixstamp, recvtime)
> +  end
> +
>   -- Target Name will always be returned under any implementation
>   output.Target_Name = ntlm_decoded.target_realm
>
>
> Modified: nmap/scripts/ssl-date.nse
> ==============================================================================
> --- nmap/scripts/ssl-date.nse (original)
> +++ nmap/scripts/ssl-date.nse Thu Jul 21 10:05:25 2016
> @@ -7,6 +7,7 @@
> local string = require "string"
> local sslcert = require "sslcert"
> local tls = require "tls"
> +local datetime = require "datetime"
>
> description = [[
> Retrieves a target host's time and date from its TLS ServerHello response.
> @@ -201,6 +202,7 @@
>     end
>   end
>
> +  datetime.record_skew(host, tm.target, tm.scanner)
>   local output = {
>                  date = stdnse.format_timestamp(tm.target, 0),
>                  delta = tm.delta,
>
> Modified: nmap/scripts/telnet-ntlm-info.nse
> ==============================================================================
> --- nmap/scripts/telnet-ntlm-info.nse (original)
> +++ nmap/scripts/telnet-ntlm-info.nse Thu Jul 21 10:05:25 2016
> @@ -1,3 +1,5 @@
> +local datetime = require "datetime"
> +local os = require "os"
> local bin = require "bin"
> local comm = require "comm"
> local shortport = require "shortport"
> @@ -87,6 +89,7 @@
>     return nil
>   end
>
> +  local recvtime = os.time()
>   socket:close()
>
>   -- Continue only if NTLMSSP response is returned.
> @@ -100,6 +103,12 @@
>   -- Leverage smbauth.get_host_info_from_security_blob() for decoding
>   local ntlm_decoded = smbauth.get_host_info_from_security_blob(data)
>
> +  if ntlm_decoded.timestamp then
> +    -- 64-bit number of 100ns clicks since 1/1/1601
> +    local unixstamp = ntlm_decoded.timestamp // 10000000 - 11644473600
> +    datetime.record_skew(host, unixstamp, recvtime)
> +  end
> +
>   -- Target Name will always be returned under any implementation
>   output.Target_Name = ntlm_decoded.target_realm
>
>
> _______________________________________________
> Sent through the svn mailing list
> https://nmap.org/mailman/listinfo/svn

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/