smb2.lua, smb-protocols.nse, smb2-capabilities and smb2-security-mode #943

Closed. Wants to merge 32 commits. 2 participants.
@cldrn
Member

cldrn commented Jul 12, 2017

  • smb-protocols: Lists supported SMB1/SMB2/SMB3 protocols and dialects
  • smb2-capabilities: Lists the capabilities of SMB2/SMB3 servers
  • smb2-security-mode: Reads the message signing configuration in SMB2/SMB3 servers.

More info:
http://seclists.org/nmap-dev/2017/q3/20

@dmiller-nmap

I'd really like to get this committed soon! Great stuff.

scripts/smb2-capabilities.nse
+ end
+ -- We set our overrides Dialects table with the dialect we are testing
+ overrides['Dialects'] = {dialect}
+ status, _ = smb2.negotiate_v2(smbstate, overrides)
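Review bot: `status, _ = smb2.negotiate_v2(smbstate, overrides)` assigns to `_` as an implicit global (no `local _` is in sight), and the same applies to `status` unless it was declared local earlier in the function. Lua silently discards extra return values, so `status = smb2.negotiate_v2(smbstate, overrides)` is enough; `overrides.Dialects = {dialect}` would also read more naturally than the bracket form used on the line above.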

@dmiller-nmap

dmiller-nmap Jul 27, 2017

_ is global here. Just leave it off; unlike Python, Lua ignores any extra/unassigned return values.


nselib/smb.lua
-function negotiate_protocol(smb, overrides)
+-- @param smb The SMB object associated with the connection.
+-- @param overrides Overrides table.
+-- @return (status, dialect) If status is true, the negotiated dialect in human readable form is returned as the second value.
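Review bot: the `@return (status, dialect)` line folds two return values into one description; NSEdoc takes one `@return` per value, so split it into `-- @return Boolean status` and `-- @return The negotiated dialect in human-readable form, or an error message if status is false`. `@param overrides Overrides table.` also says nothing about which keys the function honours; list them so callers do not have to read the body to find out.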

@dmiller-nmap

dmiller-nmap Jul 27, 2017

NSEdoc supports multiple @return statements. The convention for this sort of thing is:

-- @return Boolean status
-- @return The negotiated dialect in human-readable form, or an error message if status is false
@cldrn

cldrn Jul 28, 2017

Member

Fixed.


nselib/smb.lua
@@ -2498,7 +2561,6 @@ end
-- data is given as a string, not a file.
--
--@param host The host object
---@param data The string containing the data to be written
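Review bot: the hunk deletes `--@param data The string containing the data to be written` while the line just above still says the data is given as a string, so the NSEdoc now documents `host` but not `data`. The header `@@ -2498,7 +2561,6 @@` confirms a net loss of one line with nothing added in its place; this looks like an accidental deletion and the line should be restored.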

@dmiller-nmap

dmiller-nmap Jul 27, 2017

Was this an accidental deletion?


@cldrn

cldrn Jul 28, 2017

Member

Yes. Fixed it. Thanks!


nselib/smb2.lua
+local table = require "table"
+local match = require "match"
+local bit = require "bit"
+local nsedebug = require "nsedebug"
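Review bot: `local nsedebug = require "nsedebug"` pulls a debugging helper into a library that ships with Nmap; drop it unless something in the module still calls it. `local bit = require "bit"` depends on the deprecated bit library, and Lua 5.3 has native `&`, `|`, `~`, `<<` and `>>` operators that cover the same operations, so that require should go too once the call sites are converted.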

@dmiller-nmap

dmiller-nmap Jul 27, 2017

I guess this was left in from testing; please remove it before committing.


nselib/smb2.lua
+-- get updated. I tried to be consistent with the current implementation of
+-- smb.lua but some fields may have changed name or don't exist anymore.
+--
+-- TODO:
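Review bot: a `TODO:` list inside the module's NSEdoc header will be rendered into the public documentation and will go stale as soon as any item is done; move each actionable item to its own GitHub issue and keep the header to what the library does. The sentence "some fields may have changed name or don't exist anymore" is a note to the author rather than to users of the API: either verify the fields against the current smb.lua before merging or state concretely which ones differ.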

@dmiller-nmap

dmiller-nmap Jul 27, 2017

Is this TODO list current? It probably doesn't belong in the NSEdoc. Please make a separate Github Issue for each item that you think really ought to be done.


nselib/smb2.lua
+ return false, "SMB2: ERROR:Server returned less data than it was supposed to"
+ end
+ -- Make the length 24 bits
+ netbios_length = bit.band(netbios_length, 0x00FFFFFF)
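Review bot: `bit.band(netbios_length, 0x00FFFFFF)` should be `netbios_length & 0x00FFFFFF`; the native Lua 5.3 operator does the same thing without the deprecated bit library. Masking to 24 bits is the right shape for a NetBIOS session header, but the masked value comes from the server, so wherever it is later used as a receive length it should be bounded or compared against the bytes actually received, in the same spirit as the "Server returned less data than it was supposed to" check just above.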

@dmiller-nmap

dmiller-nmap Jul 27, 2017

Please use native Lua 5.3 bit operations. The bit library is deprecated.


@cldrn

cldrn Jul 28, 2017

Member

Removed all calls to the bit library.


nselib/smb2.lua
+ 0x0002, -- Ciphers (2 bytes each): AES-128-GCM
+ 0x0001 -- Ciphers (2 bytes each): AES-128-CCM
+ )
+ data = data .. string.pack("<I2 I2 I4 c" .. #context_data,
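Review bot: `string.pack("<I2 I2 I4 c" .. #context_data, ...)` builds the format string at runtime only to append raw bytes; `string.pack("<I2 I2 I4", ...) .. context_data` is equivalent, avoids the length arithmetic, and cannot go wrong if `context_data` is empty. The comment "Ciphers (2 bytes each)" is repeated on both cipher lines; one comment above the list stating that the values are 16-bit cipher identifiers in preference order would read better.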

@dmiller-nmap

dmiller-nmap Jul 27, 2017

Instead of string.pack("XYZ c" .. #something, X, Y, Z, something), just do string.pack("XYZ", X, Y, Z) .. something; it's simpler.


@cldrn

cldrn Jul 28, 2017

Member

Thanks!


nselib/smb2.lua
+ total_data = #header+#data
+ padding_data = ""
+ while((total_data)%8 ~= 0) do
+ padding_data = padding_data .. string.pack("<c1", 0x0)
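Review bot: `string.pack("<c1", 0x0)` does not produce a NUL byte: the `c1` format takes a string, Lua coerces the number 0 to the string "0", and the packed byte is 0x30 ('0'), not 0x00. Use `"\0"` instead, and replace the whole loop with `padding_data = string.rep("\0", (8 - total_data % 8) % 8)`, which also removes the risk of a `while` condition that never changes (the hunk does not show `total_data` being advanced inside the loop).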

@dmiller-nmap

dmiller-nmap Jul 27, 2017

Padding is simpler like this:

padding = string.rep("\0", (8 - total_data % 8) % 8)
@cldrn

cldrn Jul 28, 2017

Member

Nice one. Much simpler.


scripts/smb2-capabilities.nse
+ -- we need a clean connection for each negotiate request
+ status, smbstate = smb.start(host)
+ if(status == false) then
+ return false, smbstate
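Review bot: `return false, smbstate` is not a valid result for an NSE `action` function; an action returns `nil` for no output or a string/table of output, so on failure either log the error with `stdnse.debug1` and `return nil`, or return the error message itself as the output. The `false, err` shape and the comment above suggest this block was lifted from a helper that used that convention. Also prefer `if not status then` to `if(status == false) then`; it is the idiomatic Lua form and also catches a `nil` status.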

@dmiller-nmap

dmiller-nmap Jul 27, 2017

Don't return false from the action function. Either return nil (no output) or return an error message. I guess this was probably part of a function at one time.


scripts/smb2-capabilities.nse
+
+ -- We check the capabilities flags. Not all of them are supported by
+ -- every dialect but we dumb check anyway.
+ if ( bit.band(smbstate['capabilities'], 0x00000001) == 0x00000001) then
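Review bot: `bit.band(smbstate['capabilities'], 0x00000001) == 0x00000001` should use the native operator, `smbstate.capabilities & 0x01 == 0x01`; unlike C, Lua 5.3 gives `&` higher precedence than `==`, so no extra parentheses are needed. With several flags tested this way, a table of named constants for the capability bits would replace the magic numbers, and the comment "we dumb check anyway" should say what it means: the flags are tested regardless of which dialect was negotiated.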

@dmiller-nmap

dmiller-nmap Jul 27, 2017

if smbstate.capabilities & 0x01 == 0x01 then
@cldrn

cldrn Jul 28, 2017

Member

Added smb2-time.nse to this branch too. I'll create a separate PR for the vulnerability detection script based on the system uptime.

@cldrn

cldrn Jul 28, 2017

Member

Actually, as we want to push everything we have for SMB2 now, I've added smb2-vuln-uptime.nse in the same PR.

@nmap-bot nmap-bot closed this in ed0b960 Jul 28, 2017