Author Archives: Patrik Karlsson

About Patrik Karlsson

Patrik Karlsson created cqure.net in 2001 as a way of assisting security professionals around the globe with the necessary tools for improving security in IT systems. Patrik has developed all of the tools published on the site, and he maintains and improves them on a somewhat regular basis.

New nmap script afp-showmount

I finished yet another Nmap script that allows for listing of AFP shares and their ACLs. The script currently does so as the public user and does not support authentication. The script is available from the nmap-script page. Here’s some sample output of the script being run against one of my test systems.

PORT    STATE SERVICE
548/tcp open  afp
| afp-showmount:
|     Yoda’s Public Folder
|       Owner: Search,Read,Write
|       Group: Search,Read
|       Everyone: Search,Read
|       User: Search,Read
|     Vader’s Public Folder
|       Owner: Search,Read,Write
|       Group: Search,Read
|       Everyone: Search,Read
|_      User: Search,Read

New nmap script lexmark-config

I have put together a new Nmap script that queries the Lexmark S300-400 series for their configuration. The script queries port 9100/udp using a small mDNS packet and receives the configuration as the response. The script simply parses out the TXT records and prints them. The lexmark-config script is available from the nmap-scripts page.
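Worked example, added here and not part of the original post or the lexmark-config script: a small Python sketch of the two halves the post describes, building a one-question DNS/mDNS-style query and pulling the strings out of every TXT record in the reply. The question name `_printer._tcp.local`, the port, the TXT contents and the sample reply are assumptions constructed for illustration, not a capture from a printer; the parser handles name compression pointers, which real responders use.

```python
"""Build a DNS/mDNS-style query and pull TXT record strings out of the reply."""
import struct


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_query(name: str, qtype: int = 16, qid: int = 0x1234) -> bytes:
    """One-question query; qtype 16 = TXT, 12 = PTR. Header: id, flags, qd, an, ns, ar counts."""
    return struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(buf: bytes, pos: int):
    """Decode a (possibly compressed) name at buf[pos]; return (name, position after it)."""
    labels, end, jumps = [], None, 0
    while True:
        length = buf[pos]
        if length & 0xC0 == 0xC0:                        # compression pointer to an earlier name
            jumps += 1
            if jumps > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = pos + 2                            # caller resumes right after the pointer
            pos = ((length & 0x3F) << 8) | buf[pos + 1]
            continue
        pos += 1
        if length == 0:
            break
        labels.append(buf[pos:pos + length].decode("ascii", errors="replace"))
        pos += length
    return ".".join(labels), (end if end is not None else pos)


def parse_txt_records(resp: bytes):
    """Walk every resource record and return [(owner name, [txt strings]), ...] for the TXT ones."""
    qd, an, ns, ar = struct.unpack("!HHHH", resp[4:12])
    pos = 12
    for _ in range(qd):                                  # skip echoed questions: name + type + class
        _, pos = read_name(resp, pos)
        pos += 4
    records = []
    for _ in range(an + ns + ar):
        name, pos = read_name(resp, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        rdata, pos = resp[pos:pos + rdlen], pos + rdlen
        if rtype == 16:                                  # TXT RDATA: sequence of <len><bytes>
            strings, i = [], 0
            while i < len(rdata):
                n = rdata[i]
                strings.append(rdata[i + 1:i + 1 + n].decode("utf-8", errors="replace"))
                i += 1 + n
            records.append((name, strings))
    return records


def sample_response() -> bytes:
    """Constructed reply (not a printer capture): echoes the question, then one TXT answer
    whose owner name is a compression pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)
    question = encode_name("_printer._tcp.local") + struct.pack("!HH", 16, 1)
    txt = b"".join(bytes([len(s)]) + s for s in
                   (b"ty=Lexmark S300-S400 Series", b"adminurl=http://192.0.2.10/", b"pdl=application/postscript"))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 16, 1, 4500, len(txt)) + txt
    return header + question + answer


if __name__ == "__main__":
    for owner, strings in parse_txt_records(sample_response()):
        print(owner)
        for s in strings:
            print("  " + s)
```

To run it against a live device you would send `build_query(...)` with a UDP socket to the port the post names and feed the datagram you get back to `parse_txt_records`; the parser does not trust the counts blindly, since a truncated record simply runs off the end of the buffer and raises from `struct.unpack` rather than returning fabricated strings.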

kerberos-get-realm script

I created a new Nmap script today that attempts to discover the Kerberos realm and the server time. It does this by sending an invalid AS-REQ to the server. The Microsoft implementation of Kerberos responds with an error packet containing the correct realm name. With other implementations, only the server time is returned. The script works over both TCP and UDP. It’s available for download at the dedicated nmap-scripts page over here.
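Worked example, added here and not taken from the original post or the kerberos-get-realm script: a Python sketch of the exchange described above. It DER-encodes an AS-REQ for a user that is assumed not to exist in a guessed realm, so the KDC has to answer with a KRB-ERROR, and then walks that KRB-ERROR for the server time (`stime`), the error code and the realm field. The user name, the realm `EXAMPLE.LOCAL`, the KDC option flags, the etype list and the sample reply are all constructed for illustration; no real KDC was consulted.

```python
"""Kerberos realm/time probe: build a deliberately bogus AS-REQ and parse the KRB-ERROR reply."""
import socket


# --- minimal DER encoder (enough for the Kerberos ASN.1 used here) ---------------------
def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite short- or long-form length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        width = (n.bit_length() + 7) // 8
        length = bytes([0x80 | width]) + n.to_bytes(width, "big")
    return bytes([tag]) + length + body


def ctx(n, body): return der(0xA0 | n, body)          # [n] EXPLICIT context tag
def app(n, body): return der(0x60 | n, body)          # [APPLICATION n]
def seq(*items): return der(0x30, b"".join(items))    # SEQUENCE / SEQUENCE OF
def gstring(s): return der(0x1B, s.encode())          # GeneralString (Realm, name parts)
def gentime(s): return der(0x18, s.encode())          # GeneralizedTime (KerberosTime)
def integer(v):
    width = max(1, (v.bit_length() + 8) // 8)         # leave room for the sign bit
    return der(0x02, v.to_bytes(width, "big", signed=True))


def principal(name_type: int, *parts: str) -> bytes:
    """PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF GeneralString }"""
    return seq(ctx(0, integer(name_type)), ctx(1, seq(*(gstring(p) for p in parts))))


def build_as_req(user: str, realm: str, nonce: int = 0x1234ABCD) -> bytes:
    """AS-REQ ([APPLICATION 10]) for a user assumed not to exist; the KDC answers with a KRB-ERROR."""
    body = seq(
        ctx(0, der(0x03, b"\x00\x40\x81\x00\x10")),      # kdc-options BIT STRING (assumed flags)
        ctx(1, principal(1, user)),                      # cname, NT-PRINCIPAL
        ctx(2, gstring(realm)),                          # realm we are guessing
        ctx(3, principal(2, "krbtgt", realm)),           # sname, NT-SRV-INST
        ctx(5, gentime("20370913024805Z")),              # till
        ctx(7, integer(nonce)),                          # nonce
        ctx(8, seq(integer(18), integer(17), integer(23))),  # etype: AES256, AES128, RC4
    )
    return app(10, seq(ctx(1, integer(5)), ctx(2, integer(10)), ctx(4, body)))


def tcp_frame(msg: bytes) -> bytes:
    """Over TCP, Kerberos prefixes each message with a 4-byte big-endian length; UDP sends it bare."""
    return len(msg).to_bytes(4, "big") + msg


# --- minimal DER reader ------------------------------------------------------------------
def tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the single-byte-tag TLV starting at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                        # long-form length
        width = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + width], "big"), pos + width
    return tag, buf[pos:pos + ln], pos + ln


def parse_krb_error(msg: bytes) -> dict:
    """Pull stime [4], error-code [6] and realm [9] out of a KRB-ERROR ([APPLICATION 30] SEQUENCE)."""
    tag, body, _ = tlv(msg)
    if tag != 0x7E:
        raise ValueError(f"not a KRB-ERROR (outer tag 0x{tag:02x})")
    tag, fields, _ = tlv(body)
    if tag != 0x30:
        raise ValueError("KRB-ERROR body is not a SEQUENCE")
    out, pos = {}, 0
    while pos < len(fields):
        ctag, wrapped, pos = tlv(fields, pos)
        _, inner, _ = tlv(wrapped)                       # strip the [n] EXPLICIT wrapper
        n = ctag & 0x1F
        if n == 4:
            out["stime"] = inner.decode()                # server clock, present in every KRB-ERROR
        elif n == 6:
            out["error_code"] = int.from_bytes(inner, "big", signed=True)
        elif n == 9:
            out["realm"] = inner.decode()                # realm field, if the KDC filled one in
    return out


def sample_krb_error() -> bytes:
    """Constructed reply (not a capture): error-code 6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), realm EXAMPLE.LOCAL."""
    return app(30, seq(
        ctx(0, integer(5)), ctx(1, integer(30)),
        ctx(4, gentime("20091124210900Z")), ctx(5, integer(123456)),
        ctx(6, integer(6)),
        ctx(9, gstring("EXAMPLE.LOCAL")),
        ctx(10, principal(2, "krbtgt", "EXAMPLE.LOCAL")),
    ))


def probe_udp(host: str, realm_guess: str, port: int = 88, timeout: float = 3.0) -> dict:
    """Send the bogus AS-REQ over UDP and parse whatever KRB-ERROR comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_as_req("nonexistent", realm_guess), (host, port))
        reply, _ = s.recvfrom(4096)
    return parse_krb_error(reply)


if __name__ == "__main__":
    print(parse_krb_error(sample_krb_error()))
```

For the TCP variant, wrap the request with `tcp_frame` and strip the first four bytes of the reply before handing it to `parse_krb_error`. The reader deliberately refuses anything whose outer tag is not [APPLICATION 30]: a KDC that accepted the request would answer with an AS-REP ([APPLICATION 11]), and treating that as an error message would yield nonsense.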

Nmap oracle-sid-brute v0.2 released

I have created a new Nmap script that attempts to determine valid Oracle instance names by guessing names from a dictionary against the TNS listener. It’s available, together with my other scripts, from the nmap scripts page.


Nmap Citrix script updated

So, my friend Ian Vitek enlightened me again. Apparently when the published application list is long it’s split up into multiple packets and the client needs to keep reading them until the magic byte at offset 31 is toggled to 1.

I have adjusted my script so that it checks for this and prints a complete list of published applications, instead of just the first packet. The script can be downloaded from here.
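Worked example, added here and not the script’s own code: the read loop the fix above calls for, in Python. It keeps pulling datagrams until one carries a 1 at offset 31, and fails loudly instead of returning a partial list if the server stops answering, sends a packet too short to hold the marker, or never sets it. The 32-byte header length, the NUL-separated payload and the canned packets are assumptions constructed so the loop can be exercised offline; the post only states where the marker byte lives.

```python
"""Reassemble a multi-packet Citrix published-application reply: read until byte 31 flips to 1."""
import socket

LAST_PACKET_OFFSET = 31          # marker byte described in the post
HEADER_LEN = 32                  # assumption: the marker sits inside a 32-byte per-packet header


def read_app_list(sock, bufsize: int = 65535, max_packets: int = 64) -> list:
    """Collect every reply packet up to and including the one with the last-packet marker.
    Raises rather than silently returning a truncated list."""
    packets = []
    while len(packets) < max_packets:
        try:
            data = sock.recv(bufsize)
        except socket.timeout:
            raise TimeoutError(f"server went quiet after {len(packets)} packet(s); list would be incomplete")
        if len(data) <= LAST_PACKET_OFFSET:
            raise ValueError(f"short packet ({len(data)} bytes) has no last-packet marker")
        packets.append(data)
        if data[LAST_PACKET_OFFSET] == 1:
            return packets
    raise RuntimeError(f"no last-packet marker after {max_packets} packets; giving up")


def payloads(packets) -> bytes:
    """Strip the per-packet header (assumed 32 bytes) and concatenate the rest for name parsing."""
    return b"".join(p[HEADER_LEN:] for p in packets)


def names(packets) -> list:
    """Assumed payload layout: NUL-separated application names spread across the packets."""
    return [n.decode("ascii", errors="replace") for n in payloads(packets).split(b"\x00") if n]


# --- offline stand-ins so the loop can be exercised without a Citrix server -------------
def make_packet(last: bool, payload: bytes) -> bytes:
    """Constructed packet: zeroed header with the marker at offset 31, then payload."""
    header = bytearray(HEADER_LEN)
    header[LAST_PACKET_OFFSET] = 1 if last else 0
    return bytes(header) + payload


class FakeSocket:
    """Hands back a canned sequence of datagrams, then behaves like a timed-out UDP socket."""
    def __init__(self, packets):
        self._queue = list(packets)

    def settimeout(self, seconds):
        pass

    def recv(self, bufsize):
        if not self._queue:
            raise socket.timeout()
        return self._queue.pop(0)


if __name__ == "__main__":
    # Three-packet reply: only the last one has the marker set.
    reply = [make_packet(False, b"Notepad\x00"),
             make_packet(False, b"iexplorer\x00"),
             make_packet(True, b"registry editor\x00")]
    print(names(read_app_list(FakeSocket(reply))))          # all three names
    try:
        read_app_list(FakeSocket(reply[:2]))                # marker never arrives
    except TimeoutError as e:
        print("incomplete:", e)
```

With a real socket, call `settimeout` before `read_app_list` so a server that drops the last packet turns into a `TimeoutError` instead of a hang; the old behaviour of the script corresponds to returning `packets` after the first `recv`, which is why a long list looked short.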

For more information on how to get it running, check my earlier posts or post a comment to the article.

Two more nmap scripts

Lua turned out to be quite entertaining, so I have spent some time coding some more scripts for Nmap. The first script I finished was nfs-showmount.nse, which can be used to query a remote server for any NFS shares:

Interesting ports on yoda.localdomain (192.168.56.50):
PORT    STATE SERVICE
111/tcp open  rpcbind

Host script results:
|  nfs-showmount:
|  /home/storage/backup 192.168.56.0/255.255.255.0 192.168.56.66/255.255.255.255
|_ /home 192.168.56.0/255.255.255.0

The next one, citrix-published-applications, queries a Citrix server for any published applications:

Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-24 22:09 CET
Interesting ports on 192.168.56.5:
PORT     STATE SERVICE
1604/udp open  unknown
|  citrix-published-applications:
|  Notepad
|  iexplorer
|_ registry editor