
smb2.lua, smb-protocols.nse, smb2-capabilities and smb2-security-mode #943

Closed
wants to merge 32 commits into from

Conversation

@cldrn (Member) commented Jul 12, 2017

  • smb-protocols: Lists supported SMB1/SMB2/SMB3 protocols and dialects
  • smb2-capabilities: Lists the capabilities of SMB2/SMB3 servers
  • smb2-security-mode: Reads the message signing configuration in SMB2/SMB3 servers.

More info:
http://seclists.org/nmap-dev/2017/q3/20

@dmiller-nmap left a comment

I'd really like to get this committed soon! Great stuff.

end
-- We set our overrides Dialects table with the dialect we are testing
overrides['Dialects'] = {dialect}
status, _ = smb2.negotiate_v2(smbstate, overrides)

@dmiller-nmap Jul 27, 2017

_ is global here. Just leave it off; unlike Python, Lua ignores any extra/unassigned return values.

function negotiate_protocol(smb, overrides)
-- @param smb The SMB object associated with the connection.
-- @param overrides Overrides table.
-- @return (status, dialect) If status is true, the negotiated dialect in human readable form is returned as the second value.

@dmiller-nmap Jul 27, 2017

NSEdoc supports multiple @return statements. The convention for this sort of thing is:

-- @return Boolean status
-- @return The negotiated dialect in human-readable form, or an error message if status is false

@cldrn (Author, Member) Jul 28, 2017

Fixed.

@@ -2498,7 +2561,6 @@ end
-- data is given as a string, not a file.
--
--@param host The host object
--@param data The string containing the data to be written

@dmiller-nmap Jul 27, 2017

Was this an accidental deletion?

@cldrn (Author, Member) Jul 28, 2017

Yes. Fixed it. Thanks!

local table = require "table"
local match = require "match"
local bit = require "bit"
local nsedebug = require "nsedebug"

@dmiller-nmap Jul 27, 2017

I guess this was left in from testing; please remove it before committing.

-- get updated. I tried to be consistent with the current implementation of
-- smb.lua but some fields may have changed name or don't exist anymore.
--
-- TODO:

@dmiller-nmap Jul 27, 2017

Is this TODO list current? It probably doesn't belong in the NSEdoc. Please make a separate GitHub Issue for each item that you think really ought to be done.

return false, "SMB2: ERROR:Server returned less data than it was supposed to"
end
-- Make the length 24 bits
netbios_length = bit.band(netbios_length, 0x00FFFFFF)

@dmiller-nmap Jul 27, 2017

Please use native Lua 5.3 bit operations. The bit library is deprecated.

@cldrn (Author, Member) Jul 28, 2017

Removed all calls to the bit library.

0x0002, -- Ciphers (2 bytes each): AES-128-GCM
0x0001 -- Ciphers (2 bytes each): AES-128-CCM
)
data = data .. string.pack("<I2 I2 I4 c" .. #context_data,

@dmiller-nmap Jul 27, 2017

Instead of string.pack("XYZ c" .. #something, X, Y, Z, something), just do string.pack("XYZ", X, Y, Z) .. something; it's simpler.

@cldrn (Author, Member) Jul 28, 2017

Thanks!

total_data = #header+#data
padding_data = ""
while((total_data)%8 ~= 0) do
padding_data = padding_data .. string.pack("<c1", 0x0)
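Review bot: string.pack("<c1", 0x0) on the last line does not emit a NUL byte. The "c" option takes a string argument, and the number 0x0 is coerced to the one-character string "0", so every padding byte is ASCII 0x30 rather than 0x00; pass "\0" instead. Also, the while condition tests total_data, but the visible body only appends to padding_data; unless total_data is incremented on a line outside this hunk, the loop never terminates.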

@dmiller-nmap Jul 27, 2017

Padding is simpler like this:

padding = string.rep("\0", (8 - total_data % 8) % 8)

@cldrn (Author, Member) Jul 28, 2017

Nice one. Much simpler.

-- we need a clean connection for each negotiate request
status, smbstate = smb.start(host)
if(status == false) then
return false, smbstate

@dmiller-nmap Jul 27, 2017

Don't return false from the action function. Either return nil (no output) or return an error message. I guess this was probably part of a function at one time.


-- We check the capabilities flags. Not all of them are supported by
-- every dialect but we dumb check anyway.
if ( bit.band(smbstate['capabilities'], 0x00000001) == 0x00000001) then

@dmiller-nmap Jul 27, 2017

if smbstate.capabilities & 0x01 == 0x01 then
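The review points above (native Lua 5.3 bit operators instead of the deprecated bit library, packing the fixed fields and appending the variable-length data with "..", string.rep() for the 8-byte padding) pulled together into one runnable Lua 5.3 sketch of the SMB2 NEGOTIATE pieces this PR deals with. This is an added example, not code from the PR or from Nmap's smb2.lua: the negotiate-context layout, the capability bits and the SecurityMode bits follow MS-SMB2, the two cipher ids are the ones in the PR's packing code, and the capabilities/security-mode values fed to the decoder are constructed for illustration. The parser also checks DataLength against the bytes actually present, which is the kind of bounds check a script reading untrusted server responses needs.

```lua
-- Added example (not from the PR or smb2.lua). Lua 5.3; run with: lua5.3 file.lua

-- SMB2_NEGOTIATE_CONTEXT type for the encryption capabilities context.
-- Cipher ids as listed in the PR's packing code.
local SMB2_ENCRYPTION_CAPABILITIES = 0x0002
local CIPHERS = {
  [0x0001] = "AES-128-CCM",
  [0x0002] = "AES-128-GCM",
}

-- Capabilities bits of the NEGOTIATE response (MS-SMB2 2.2.4).
local CAPABILITIES = {
  {0x00000001, "DFS"},
  {0x00000002, "LEASING"},
  {0x00000004, "LARGE_MTU"},
  {0x00000008, "MULTI_CHANNEL"},
  {0x00000010, "PERSISTENT_HANDLES"},
  {0x00000020, "DIRECTORY_LEASING"},
  {0x00000040, "ENCRYPTION"},
}

-- SecurityMode bits of the NEGOTIATE response.
local SIGNING_ENABLED  = 0x0001
local SIGNING_REQUIRED = 0x0002

-- One negotiate context: ContextType, DataLength, Reserved, then Data.
-- The variable-length Data is appended with ".." instead of being packed
-- through a computed "c<n>" format item, as suggested in review.
local function build_context(ctx_type, context_data)
  return string.pack("<I2 I2 I4", ctx_type, #context_data, 0) .. context_data
end

-- Encryption capabilities body: CipherCount followed by 2-byte cipher ids.
local function encryption_context(cipher_ids)
  local data = string.pack("<I2", #cipher_ids)
  for _, id in ipairs(cipher_ids) do
    data = data .. string.pack("<I2", id)
  end
  return build_context(SMB2_ENCRYPTION_CAPABILITIES, data)
end

-- Negotiate contexts are 8-byte aligned; this is the string.rep() form
-- proposed in review instead of a while loop building the pad byte by byte.
local function pad8(s)
  return s .. string.rep("\0", (8 - #s % 8) % 8)
end

-- Decode Capabilities and SecurityMode with native 5.3 operators (no bit.band).
-- "&" binds tighter than "==", so "x & m == m" reads as "(x & m) == m".
local function describe_negotiate(capabilities, security_mode)
  local caps = {}
  for _, c in ipairs(CAPABILITIES) do
    if capabilities & c[1] == c[1] then
      caps[#caps + 1] = c[2]
    end
  end
  local signing
  if security_mode & SIGNING_REQUIRED == SIGNING_REQUIRED then
    signing = "Message signing enabled and required"
  elseif security_mode & SIGNING_ENABLED == SIGNING_ENABLED then
    signing = "Message signing enabled but not required"
  else
    signing = "Message signing disabled"
  end
  return { capabilities = caps, signing = signing }
end

-- Parse cipher ids back out of an encryption context. DataLength comes from
-- the peer, so it is checked against the bytes present before it is used.
local function parse_encryption_context(ctx)
  local ctx_type, data_len, _, pos = string.unpack("<I2 I2 I4", ctx)
  assert(ctx_type == SMB2_ENCRYPTION_CAPABILITIES, "unexpected context type")
  assert(#ctx - (pos - 1) >= data_len, "context shorter than DataLength")
  local count, p = string.unpack("<I2", ctx, pos)
  assert(data_len == 2 + 2 * count, "DataLength does not match CipherCount")
  local names = {}
  for _ = 1, count do
    local id
    id, p = string.unpack("<I2", ctx, p)
    names[#names + 1] = CIPHERS[id] or string.format("unknown(0x%04x)", id)
  end
  return names
end

-- Constructed values standing in for a parsed NEGOTIATE response.
local ctx = pad8(encryption_context({0x0002, 0x0001}))
assert(#ctx % 8 == 0)
print(table.concat(parse_encryption_context(ctx), ", "))     -- AES-128-GCM, AES-128-CCM
local info = describe_negotiate(0x00000047, 0x0001)
print(table.concat(info.capabilities, ", "))                 -- DFS, LEASING, LARGE_MTU, ENCRYPTION
print(info.signing)                                          -- enabled but not required
```

The signing output is the finding smb2-security-mode exists to surface: a server that only enables signing, without requiring it, leaves the decision to the client, so "enabled but not required" is the case worth flagging in a hardening review.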
@cldrn (Member, Author) commented Jul 28, 2017

Added smb2-time.nse to this branch too. I'll create a separate PR for the vulnerability detection script based on the system uptime.

@cldrn (Member, Author) commented Jul 28, 2017

Actually, as we want to push everything we have for SMB2 now, I've added smb2-vuln-uptime.nse in the same PR.

cldrn added 2 commits Jul 28, 2017

@nmap-bot nmap-bot closed this in ed0b960 Jul 28, 2017
