Finally finished some scripts that I have been working on for a while. I should have had them completed long ago but was not able to get to it until tonight. The scripts make use of the new Cisco AnyConnect library that was part of the commit and test for the (almost) recent vulnerabilities outlined in this Cisco advisory. The easiest way to test the scripts is to run the SVN version of Nmap. For those who don’t feel comfortable with that, the scripts and library may be found here:
I recently finished writing three Metasploit modules for capturing passwords for VNC, SQL Server and DB2 (and other DRDA-based databases). Being new to the Metasploit project (from a development perspective), Ruby and Git, I can honestly say it was a challenge. I probably spent more time understanding Git and Ruby than implementing the actual network services. Having contributed a lot of “client” scripts to the Nmap project, I decided it was time to implement some server components, and the Metasploit project seemed to be a good option. All in all, it was a fun project; the review process went very smoothly and the modules were merged quickly.
Be sure to get it at http://nmap.org/6!
I’ve just committed an updated version of the TNS library to Nmap, adding support for running Oracle database queries from Nmap scripts. I’ve put a considerable amount of work into trying to understand how the protocol works, due to the lack of documentation, and think that I’ve finally succeeded.
In addition I’ve posted two new scripts to the nmap-dev mailing list that make use of this new functionality:
- oracle-query – runs a given query against the Oracle database server and returns the results
- oracle-hash-dump – dumps the password hashes from an Oracle database server
If you have the opportunity to test this new code against Oracle 10g and 11g, please let me know how it works out. I’ll hopefully commit the two scripts to Nmap within the next few days.
Thanks to some great effort put into the SMB libraries by the folks over at nmap-dev, porting mbenum to Nmap wasn’t as hard as I had imagined. A first version was committed to subversion a while ago, but I forgot to publish this blog post at the time. Feel free to try it out! If you haven’t used mbenum before, it’s a tool that allows you to get a good picture of a network by querying a single system.
Mbenum, or the Nmap script smb-mbenum, relies on being able to query the master browser for a particular domain or workgroup. You can find the master browser by sending a NetBIOS name query for the __MSBROWSE__ name. The Nmap script broadcast-netbios-master-browser can be used to identify the master browser for your broadcast domain by sending a NetBIOS name query to the broadcast address.
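As an added illustration of the lookup described above (this is example code written for this page, not the Nmap script or the NSE library), the following Python builds the RFC 1002 NetBIOS name query for the __MSBROWSE__ group name, parses a positive name query response, and can send the query to the broadcast address on UDP/137 the way broadcast-netbios-master-browser does. The group name bytes and packet layout follow RFC 1001/1002; the transaction id, the documentation IP address and the response builder used as sample input are constructed for the example.

```python
# NetBIOS name query for the master browser (__MSBROWSE__), per RFC 1001/1002.
# Added example; the sample response below is constructed, not captured.
import socket
import struct

NBNS_PORT = 137
# Master browser group name: 0x01 0x02 "__MSBROWSE__" 0x02 (15 bytes) + suffix 0x01
MSBROWSE_NAME = b"\x01\x02__MSBROWSE__\x02"
MSBROWSE_SUFFIX = 0x01
QTYPE_NB = 0x0020          # NetBIOS general name service resource record
QCLASS_IN = 0x0001
NB_FLAGS_GROUP = 0x8000    # G bit in NB_FLAGS: name is a group name


def netbios_pad(name: bytes, suffix: int) -> bytes:
    """Return the 16-byte NetBIOS name: 15 bytes space-padded plus the suffix byte."""
    return name[:15].ljust(15, b" ") + bytes([suffix])


def netbios_encode(name16: bytes) -> bytes:
    """RFC 1001 first-level encoding: each byte becomes two letters ('A' + nibble)."""
    if len(name16) != 16:
        raise ValueError("NetBIOS name must be exactly 16 bytes")
    out = bytearray()
    for b in name16:
        out += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes(out)


def netbios_decode(encoded: bytes) -> bytes:
    """Inverse of netbios_encode; rejects anything outside 'A'..'P' or not 32 bytes."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    out = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        if not (0x41 <= hi <= 0x50 and 0x41 <= lo <= 0x50):
            raise ValueError("invalid first-level encoded name")
        out.append(((hi - 0x41) << 4) | (lo - 0x41))
    return bytes(out)


def build_name_query(name16: bytes, txid: int, broadcast: bool = True) -> bytes:
    """NBNS NAME QUERY REQUEST: 12-byte header plus one question for the name."""
    flags = 0x0100 | (0x0010 if broadcast else 0)   # RD, plus the B (broadcast) bit
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = bytes([32]) + netbios_encode(name16) + b"\x00"
    return header + qname + struct.pack(">HH", QTYPE_NB, QCLASS_IN)


def build_name_query_response(name16: bytes, txid: int, ip: str, group: bool = True) -> bytes:
    """Constructed POSITIVE NAME QUERY RESPONSE, used only as sample input here."""
    header = struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0)  # response, AA, RD, RCODE 0
    rrname = bytes([32]) + netbios_encode(name16) + b"\x00"
    rdata = struct.pack(">H", NB_FLAGS_GROUP if group else 0) + socket.inet_aton(ip)
    rr = struct.pack(">HHIH", QTYPE_NB, QCLASS_IN, 300000, len(rdata)) + rdata
    return header + rrname + rr


def parse_name_query_response(data: bytes):
    """Return (txid, 16-byte name, [(is_group, ip), ...]) or None if not a positive answer."""
    try:
        txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
        if not (flags & 0x8000) or (flags & 0x000F) != 0 or an == 0:
            return None      # not a response, or RCODE set (negative name query response)
        off = 12
        length = data[off]
        name16 = netbios_decode(data[off + 1:off + 1 + length])
        off += 1 + length
        if data[off] != 0:
            return None      # single-label name must end with a zero byte
        off += 1
        rrtype, _rrclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rrtype != QTYPE_NB or off + rdlen > len(data) or rdlen % 6:
            return None
        entries = []
        for i in range(0, rdlen, 6):   # each entry: NB_FLAGS (2) + NB_ADDRESS (4)
            nb_flags = struct.unpack(">H", data[off + i:off + i + 2])[0]
            ip = socket.inet_ntoa(data[off + i + 2:off + i + 6])
            entries.append((bool(nb_flags & NB_FLAGS_GROUP), ip))
        return txid, name16, entries
    except (ValueError, IndexError, struct.error):
        return None


def find_master_browser(timeout: float = 2.0, broadcast: str = "255.255.255.255"):
    """Broadcast the __MSBROWSE__ query and return [(source ip, name)] for each answer.
    Needs a live network; this mirrors what broadcast-netbios-master-browser does."""
    name16 = netbios_pad(MSBROWSE_NAME, MSBROWSE_SUFFIX)
    txid = 0x1234   # constructed; the responder echoes whatever id is sent
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.settimeout(timeout)
        s.sendto(build_name_query(name16, txid), (broadcast, NBNS_PORT))
        try:
            while True:
                data, (src, _port) = s.recvfrom(1024)
                parsed = parse_name_query_response(data)
                if parsed and parsed[0] == txid:
                    found.append((src, parsed[1]))
        except socket.timeout:
            pass
    return found


if __name__ == "__main__":
    for ip, name in find_master_browser():
        print(ip, name)
```

The host that answers the broadcast query with a group-name record for __MSBROWSE__ is the one holding the master browser role on that subnet; the response parser deliberately returns nothing for negative responses (non-zero RCODE) and for malformed packets rather than raising, since broadcast replies come from arbitrary hosts.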
While doing a security review the other day I came across Novell eDirectory running on Windows. It’s been a while since I looked at eDirectory, and while it’s a lot of LDAP, the servers were also running the NetWare Core Protocol (NCP). I noticed that there wasn’t any NCP support in Nmap, so I decided that I would implement some basic support. I ended up writing an NCP library and the following two scripts:
- ncp-enum-users – enumerates eDirectory users
- ncp-serverinfo – lists some basic server information
The scripts should work against NCP running on NetWare, Linux and Windows. Here’s some sample output from both scripts:
| Server name: LINUX-L84T
| Tree Name: CQURE-TREE
| OS Version: 5.70 (rev 7)
| Product version: 6.50 (rev 7)
| OS Language ID: 4
| 10.0.200.33 524/udp
| 10.0.200.33 524/tcp
In addition to the NCP scripts I wrote an LDAP script (ldap-novell-getpass) that extracts the plain-text password of a given user, if the “Allow admin to retrieve passwords” option is enabled in the password policy. On success, the script returns the following result:
| Account: CN=patrik,OU=security,O=cqure
|_ Password: foobar
All of the scripts have been committed to Nmap and are available through subversion.
I’ve been working on an Nmap script for auditing MySQL databases against the CIS 1.0.2 benchmark for a while. I haven’t committed it to subversion yet, but it’s available to download for anyone who feels up to testing it. While it isn’t perfect, nor does it contain all CIS controls, it gives Nmap users the ability to quickly scan a database to see whether it complies with the CIS recommendations or not.
Nmap 5.50 is out, so make sure to check it out. It contains a lot of new NSE stuff, including support for broadcast, pre- and post-rules, and most of the scripts that I, and many others, have created during the last year. For more information check out the official post http://seclists.org/nmap-hackers/2011/0
My employer (Inspect it) is hiring in Stockholm (Sweden). Inspect it is looking for people who currently work with IT and information security or have a strong desire to do so. Applicants should have experience in one or more of the following areas:
– Penetration- and Application-security testing
– Application & System security reviews
– Incident response and IT-forensics
– Security training
If you’re interested or have any questions, contact me directly or send an e-mail to jobs[at]inspectit[dot]se
I just finished a dedicated page for the scripts I have created for Nmap. It’s available over here and contains the names of the scripts and brief descriptions of what they do. New scripts and versions will be announced here on the blog, and the page will be updated accordingly. All scripts are available for download.