NSE: Packet retransmit breaking rdp-ntlm-info #1682

Open
TomSellers opened this issue Aug 10, 2019 · 0 comments

Comments

@TomSellers

commented Aug 10, 2019

I've seen some reports, which I was able to reproduce, that rdp-ntlm-info didn't work against Windows 7. While testing I noticed that some of the packets were being sent twice which was breaking the protocol negotiation. This seems to happen when scanning with -sS but not -sT.

This appears to be an issue with Nmap or NSE and how raw packets are handled.

You can observe the retransmission using Wireshark / tcpdump.

Reproduce error

sudo nmap -sS --script rdp-ntlm-info -p 3389 -n target_ip

Workaround

sudo nmap -sT --script rdp-ntlm-info -p 3389 -n target_ip

When running with --packet-trace I only see Nmap send the packet once (in the output) in either case.

If you view the traffic with Wireshark you can see that it is re-transmitted.

Packet 15 is the original, packet 16 is the retransmission.
[Wireshark screenshot]

I was able to create a simple reproducer which removes the protocol from the equation.

Command

sudo nmap -sS --script +test -p 3389 target_ip

Script

-- Minimal NSE reproducer: connect, send one fixed payload, return the reply.
local nmap = require "nmap"
local stdnse = require "stdnse"
local shortport = require "shortport"

description = [[
Minimal reproducer: connects to the port, sends a single payload and returns
whatever the server answers. Used to show the duplicate send under -sS.
]]

categories = {"safe"}

portrule = shortport.port_or_service("3389", "ms-wbt-server")

action = function( host, port )

  local socket = nmap.new_socket()
  socket:set_timeout(5000)
  if ( not(socket:connect(host, port)) ) then
    return false, "Failed connecting to server"
  end

  -- This is the segment that shows up twice on the wire when scanning with -sS.
  local status, err = socket:send("If a packet hits a pocket on a socket on a port..")
  if ( not(status) ) then
    socket:close()
    return false, err
  end

  stdnse.debug1("Sent, now waiting...")
  local _, data = socket:receive()

  stdnse.debug1("Closing")
  socket:close()
  return data
end

Environment

$ nmap --version
Nmap version 7.70SVN ( https://nmap.org )
Platform: x86_64-unknown-linux-gnu
Compiled with: nmap-liblua-5.3.5 openssl-1.1.1 libssh2-1.8.0 libz-1.2.11 nmap-libpcre-7.6 libpcap-1.8.1 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select
Linux sammich 5.0.0-23-generic #24~18.04.1-Ubuntu SMP Mon Jul 29 16:12:28 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
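The report relies on eyeballing Wireshark to spot the duplicate segment. As an added example (not part of the issue or of Nmap), the script below checks a tcpdump-style text capture for the same symptom: a payload-carrying segment that repeats an earlier (src, dst, seq, length) tuple. The capture lines, the simplified tcpdump line format and the 10.0.0.x addresses are constructed for the example.

```python
import re

# Simplified "tcpdump -nn" line format (constructed for this example; real output
# may carry "options [...]" and other fields that this regex does not model).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\],"
    r"(?: seq (?P<seq>\d+)(?::\d+)?,)?(?: ack (?P<ack>\d+),)? win \d+, length (?P<len>\d+)$"
)


def parse_tcpdump_line(line):
    """Return a dict describing one TCP segment, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"], "src": m["src"], "dst": m["dst"], "flags": m["flags"],
        "seq": int(m["seq"]) if m["seq"] else None,
        "length": int(m["len"]),
    }


def find_retransmissions(lines):
    """Flag data segments that repeat an earlier (src, dst, seq, length) tuple.

    Returns a list of (first_line_no, dup_line_no, src, dst, seq) tuples.
    """
    first_seen = {}
    dups = []
    for n, line in enumerate(lines, 1):
        pkt = parse_tcpdump_line(line)
        # Only payload-carrying segments matter; pure ACKs legitimately repeat.
        if pkt is None or pkt["seq"] is None or pkt["length"] == 0:
            continue
        key = (pkt["src"], pkt["dst"], pkt["seq"], pkt["length"])
        if key in first_seen:
            dups.append((first_seen[key], n, pkt["src"], pkt["dst"], pkt["seq"]))
        else:
            first_seen[key] = n
    return dups


# Constructed capture: scanner 10.0.0.5 probing 10.0.0.9:3389; line 5 repeats line 4.
SAMPLE_CAPTURE = """\
12:00:00.000100 IP 10.0.0.5.45678 > 10.0.0.9.3389: Flags [S], seq 100, win 1024, length 0
12:00:00.000200 IP 10.0.0.9.3389 > 10.0.0.5.45678: Flags [S.], seq 500, ack 101, win 8192, length 0
12:00:00.000300 IP 10.0.0.5.45678 > 10.0.0.9.3389: Flags [.], ack 501, win 1024, length 0
12:00:00.000400 IP 10.0.0.5.45678 > 10.0.0.9.3389: Flags [P.], seq 101:120, ack 501, win 1024, length 19
12:00:00.000450 IP 10.0.0.5.45678 > 10.0.0.9.3389: Flags [P.], seq 101:120, ack 501, win 1024, length 19
12:00:00.000600 IP 10.0.0.9.3389 > 10.0.0.5.45678: Flags [P.], seq 501:530, ack 120, win 8192, length 29
"""

if __name__ == "__main__":
    for first, dup, src, dst, seq in find_retransmissions(SAMPLE_CAPTURE.splitlines()):
        print(f"retransmit: line {dup} repeats line {first} ({src} > {dst} seq {seq})")
```

Feed it real output from tcpdump -nn on the scanner host to confirm whether the duplicate is still present after switching from -sS to -sT.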