Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

smb2.lua, smb-protocols.nse, smb2-capabilities and smb2-security-mode #943

Closed
wants to merge 32 commits into from

Conversation

@cldrn
Copy link
Member

@cldrn cldrn commented Jul 12, 2017

  • smb-protocols: Lists supported SMB1/SMB2/SMB3 protocols and dialects
  • smb2-capabilities: Lists the capabilities of SMB2/SMB3 servers
  • smb2-security-mode: Reads the message signing configuration in SMB2/SMB3 servers.

More info:
http://seclists.org/nmap-dev/2017/q3/20

Copy link

@dmiller-nmap dmiller-nmap left a comment

I'd really like to get this committed soon! Great stuff.

Loading

end
-- We set our overrides Dialects table with the dialect we are testing
overrides['Dialects'] = {dialect}
status, _ = smb2.negotiate_v2(smbstate, overrides)

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

_ is global here. Just leave it off; unlike Python, Lua ignores any extra/unassigned return values.

Loading

nselib/smb.lua Outdated
function negotiate_protocol(smb, overrides)
-- @param smb The SMB object associated with the connection.
-- @param overrides Overrides table.
-- @return (status, dialect) If status is true, the negotiated dialect in human readable form is returned as the second value.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NSEdoc supports multiple @return statements. The convention for this sort of thing is:

-- @return Boolean status
-- @return The negotiated dialect in human-readable form, or an error message if status is false

Loading

Copy link
Member Author

@cldrn cldrn Jul 28, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

Loading

nselib/smb.lua Outdated
@@ -2498,7 +2561,6 @@ end
-- data is given as a string, not a file.
--
--@param host The host object
--@param data The string containing the data to be written

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was this an accidental deletion?

Loading

Copy link
Member Author

@cldrn cldrn Jul 28, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. Fixed it. Thanks!

Loading

nselib/smb2.lua Outdated
local table = require "table"
local match = require "match"
local bit = require "bit"
local nsedebug = require "nsedebug"

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess this was left in from testing; please remove it before committing.

Loading

nselib/smb2.lua Outdated
-- get updated. I tried to be consistent with the current implementation of
-- smb.lua but some fields may have changed name or don't exist anymore.
--
-- TODO:

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this TODO list current? It probably doesn't belong in the NSEdoc. Please make a separate Github Issue for each item that you think really ought to be done.

Loading

nselib/smb2.lua Outdated
return false, "SMB2: ERROR:Server returned less data than it was supposed to"
end
-- Make the length 24 bits
netbios_length = bit.band(netbios_length, 0x00FFFFFF)

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please use native Lua 5.3 bit operations. The bit library is deprecated.

Loading

Copy link
Member Author

@cldrn cldrn Jul 28, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed all calls to the bit library.

Loading

nselib/smb2.lua Outdated
0x0002, -- Ciphers (2 bytes each): AES-128-GCM
0x0001 -- Ciphers (2 bytes each): AES-128-CCM
)
data = data .. string.pack("<I2 I2 I4 c" .. #context_data,

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of string.pack("XYZ c" .. #something, X, Y, Z, something), just do string.pack("XYZ", X, Y, Z) .. something; it's simpler.

Loading

Copy link
Member Author

@cldrn cldrn Jul 28, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

Loading

nselib/smb2.lua Outdated
total_data = #header+#data
padding_data = ""
while((total_data)%8 ~= 0) do
padding_data = padding_data .. string.pack("<c1", 0x0)

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Padding is simpler like this:

padding = string.rep("\0", (8 - total_data % 8) % 8)

Loading

Copy link
Member Author

@cldrn cldrn Jul 28, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice one. Much simpler.

Loading

-- we need a clean connection for each negotiate request
status, smbstate = smb.start(host)
if(status == false) then
return false, smbstate

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't return false from the action function. Either return nil (no output) or return an error message. I guess this was probably part of a function at one time.

Loading


-- We check the capabilities flags. Not all of them are supported by
-- every dialect but we dumb check anyway.
if ( bit.band(smbstate['capabilities'], 0x00000001) == 0x00000001) then

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if smbstate.capabilities & 0x01 == 0x01 then

Loading

@cldrn
Copy link
Member Author

@cldrn cldrn commented Jul 28, 2017

Added smb2-time.nse to this branch too. I'll create a separate PR for the vulnerability detection script based on the system uptime.

Loading

@cldrn
Copy link
Member Author

@cldrn cldrn commented Jul 28, 2017

Actually, as we want to push everything we have for SMB2 now, I've added smb2-vuln-uptime.nse in the same PR.

Loading

@nmap-bot nmap-bot closed this in ed0b960 Jul 28, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

2 participants