[NSE] Add rdp-ntlm-info.nse #1633
Exciting stuff! Just a couple minor change requests, and please run luacheck once more before committing to be sure it passes. Looking forward to seeing this merged!
scripts/rdp-ntlm-info.nse (Outdated)

    local comm = rdp.Comm:new(host, port)
    if ( not(comm:connect()) ) then
      return false, fail("Failed to connect to server")
fail is not defined, and we should just return nil here. You can use stdnse.format_output(false, "message") to output an error message in verbose/debug mode instead, if you like.
scripts/rdp-ntlm-info.nse (Outdated)

    end

    -- Request CredSSP protocol = 3
    local cr = rdp.Request.ConnectionRequest:new(11)
What is this 11 here? The comment mentions 3 instead. Maybe these constants could be in a table in rdp.lua?
scripts/rdp-ntlm-info.nse (Outdated)

    -- Continue only if NTLMSSP response is returned
    local start = response:find("NTLMSSP")
    response = response:sub(start)
    if not string.match(response, "^NTLMSSP") then
If "NTLMSSP" is not in response, then start will be nil, which we can check instead of using string.match() here. If it is in response, then after the sub() call above, this string.match() will always be true.
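The nil check the review asks for, as an added Lua example that is not code from the PR or from nmap's nselib: it goes a step beyond the snippet and also decodes the NTLMSSP header fields (MessageType and, for a CHALLENGE, the target name) per MS-NLMP. parse_ntlmssp and build_challenge are assumed names, and the sample bytes are constructed rather than captured from a real server; the code assumes Lua 5.3 or later for string.pack/unpack.

```lua
-- Added example (not code from the PR or from nmap): find an NTLMSSP message in
-- a server response the way the review suggests, testing string.find()'s nil
-- return instead of re-matching the prefix after sub(), then decode the header
-- per MS-NLMP (8-byte signature, 4-byte MessageType, and for a CHALLENGE the
-- TargetName length/maxlength/offset fields).
local MESSAGE_TYPE = { [1] = "NEGOTIATE", [2] = "CHALLENGE", [3] = "AUTHENTICATE" }

-- Returns nil plus a reason when no NTLMSSP message is present; otherwise a
-- table with the message type and, for a CHALLENGE, the server's target name.
local function parse_ntlmssp(response)
  -- Plain (non-pattern) search; start is nil when the signature is absent.
  local start = response:find("NTLMSSP\0", 1, true)
  if not start then
    return nil, "no NTLMSSP message in response"
  end
  local msg = response:sub(start)
  if #msg < 12 then
    return nil, "truncated NTLMSSP header"
  end
  local msgtype = string.unpack("<I4", msg, 9)
  local info = { type = MESSAGE_TYPE[msgtype] or ("unknown(" .. msgtype .. ")") }
  if msgtype == 2 and #msg >= 20 then
    local len, _, off = string.unpack("<I2 I2 I4", msg, 13)
    -- Bounds-check the offset before slicing so a short message cannot mislead us.
    if off + len <= #msg then
      -- The name is UTF-16LE; for ASCII names dropping the zero bytes suffices.
      info.target = msg:sub(off + 1, off + len):gsub("\0", "")
    end
  end
  return info
end

-- Constructed test input: a minimal CHALLENGE (the fixed fields occupy 56 bytes,
-- so the target name payload starts at offset 56) behind stand-in wrapper bytes.
local function build_challenge(target)
  local utf16 = target:gsub(".", "%0\0")
  return "NTLMSSP\0" .. string.pack("<I4 I2 I2 I4", 2, #utf16, #utf16, 56)
         .. string.rep("\0", 56 - 20) .. utf16
end

local sample = "\x30\x37\xa0\x03\x02\x01\x06" .. build_challenge("EXAMPLEDOM")
local info, err = parse_ntlmssp(sample)
assert(info and info.type == "CHALLENGE" and info.target == "EXAMPLEDOM", err)
-- Constructed bytes with no NTLMSSP signature yield nil rather than a false match.
assert(parse_ntlmssp("\x03\x00\x00\x0b\x06\xd0\x00\x00") == nil)
print(info.type, info.target)
```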
Thanks for the feedback @dmiller-nmap
On 6/15/2019 1:20 AM, Aaron Lewis wrote:
> I'm testing the lua script with nmap-7.70, but I got the following error:
>
>     /home/tmp/nmap/bin/../share/nmap/scripts/rdp-ntlm-info.nse:59: variable 'PROTOCOL_SSL' is not declared
>     stack traceback:
>       [C]: in function 'error'
>       /home/tmp/nmap/bin/../share/nmap/nselib/strict.lua:80: in metamethod '__index'
>       /home/tmp/nmap/bin/../share/nmap/scripts/rdp-ntlm-info.nse:59: in function </home/tmp/nmap/bin/../share/nmap/scripts/rdp-ntlm-info.nse:52>
>       (...tail calls...)
>
> With ldd command I can tell that libssl is enabled:
>
>     # ldd /home/tmp/nmap/bin/nmap
>     ...
>     libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f006a83d000)
>     ...
>
> Any ideas?
Are you also using the updated 'nselib/rdp.lua' file from this PR? That should add the missing values.
https://raw.githubusercontent.com/nmap/nmap/master/nselib/rdp.lua
- Tom
Yes, it worked with master branch. Back then I was testing the lua script with nmap-7.70.
This PR adds an NSE script, rdp-ntlm-info.nse, which enumerates information from remote RDP services that have CredSSP (NLA) authentication enabled. It is modeled after Justin Cacak's *-ntlm-info.nse scripts. I'm not a fan of the output format and using ntlm in the script name isn't intuitive here, but I've kept them in this case in order to be consistent with his existing scripts and to enable someone to run them all using --script *-ntlm-info.

Note: No authentication is required and no logon attempts were made.

Example output

Run against a Windows 2019 server with NLA (CredSSP) enabled. Here is output that also includes output from http-ntlm-info.nse so that you can compare the results.

    sudo nmap -sSCV --script=*-ntlm-info -p 80,3389 <target>

Against Windows 2008 with a few more services configured to use NTLM:

    sudo nmap -sSC --script=*-ntlm-info -p 23,25,80,3389 <target>